zfs receive -> unable to handle kernel NULL pointer dereference

Fix a pair of conditions in which a concurrent umount can cause NULl pointer dereferences: zfs_sb_teardown - prevent a NULL dereference by not calling dmu_objset_pool with a null z_os. zfs_resume_fs - don't try to unmount with a null z_os. This change makes the ZoL code more consistent with both Illumos and FreeBSD.
dweeezil · Jun 25, 2013 · 47a432c · 47a432c
1 parent 389cf73
commit 47a432c
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/module/zfs/zfs_vfsops.c b/module/zfs/zfs_vfsops.c
@@ -1056,10 +1056,12 @@ zfs_sb_teardown(zfs_sb_t *zsb, boolean_t unmounting)
 	}
 
 	/*
-	 * Drain the iput_taskq to ensure all active references to the
+	 * If someone has not already unmounted this file system,
+	 * drain the iput_taskq to ensure all active references to the
 	 * zfs_sb_t have been handled only then can it be safely destroyed.
 	 */
-	taskq_wait(dsl_pool_iput_taskq(dmu_objset_pool(zsb->z_os)));
+	if (zsb->z_os)
+		taskq_wait(dsl_pool_iput_taskq(dmu_objset_pool(zsb->z_os)));
 
 	/*
 	 * Close the zil. NB: Can't close the zil while zfs_inactive
@@ -1480,10 +1482,11 @@ zfs_resume_fs(zfs_sb_t *zsb, const char *osname)
 
 	if (err) {
 		/*
-		 * Since we couldn't reopen zfs_sb_t, force
-		 * unmount this file system.
+		 * Since we couldn't reopen zfs_sb_t or, setup the
+		 * sa framework, force unmount this file system.
 		 */
-		(void) zfs_umount(zsb->z_sb);
+		if (zsb->z_os)
+			(void) zfs_umount(zsb->z_sb);
 	}
 	return (err);
 }