MFC r298814 (by asomers): Fix a use-after-free when "zpool import" fails

clear vd->vdev_tsd in vdev_geom_close_locked instead of vdev_geom_detach.
In the latter function, it would fail to happen in certain circumstances
where cp->private was unset.  Ideally, the latter should never happen, but
it can happen when vdev open fails, or where spares are involved.

1 files changed, 2 insertions, 4 deletions

diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_geom.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_geom.c
index 08fd5e7..8c88745 100644
--- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_geom.c
+++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_geom.c
@@ -278,10 +278,6 @@ vdev_geom_detach(struct g_consumer *cp, boolean_t open_for_read)
 	    cp->provider && cp->provider->name ? cp->provider->name : "NULL");
 
 	vd = cp->private;
-	if (vd != NULL) {
-		vd->vdev_tsd = NULL;
-		vd->vdev_delayed_close = B_FALSE;
-	}
 	cp->private = NULL;
 
 	gp = cp->geom;
@@ -313,6 +309,8 @@ vdev_geom_close_locked(vdev_t *vd)
 	g_topology_assert();
 
 	cp = vd->vdev_tsd;
+	vd->vdev_tsd = NULL;
+	vd->vdev_delayed_close = B_FALSE;
 	if (cp == NULL)
 		return;