diff options
author | mm <mm@FreeBSD.org> | 2012-02-02 16:18:40 +0000 |
---|---|---|
committer | mm <mm@FreeBSD.org> | 2012-02-02 16:18:40 +0000 |
commit | e7a864dc46ea387fd7797edb7096fc9d224f9b04 (patch) | |
tree | 965ad5815deb6c172a5449e4e8bbe5c036ee931c /sys/cddl/contrib | |
parent | 4e4b60548c088add1437d6162304b72a543c9c3e (diff) | |
download | FreeBSD-src-e7a864dc46ea387fd7797edb7096fc9d224f9b04.zip FreeBSD-src-e7a864dc46ea387fd7797edb7096fc9d224f9b04.tar.gz |
Fix out of bounds write causing random panics,
uncovered by the change in r230256
Reviewed by: pluknet@
MFC after: 3 days
Diffstat (limited to 'sys/cddl/contrib')
-rw-r--r-- | sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dnode.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dnode.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dnode.c index ca2b69a..910164b 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dnode.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dnode.c @@ -993,7 +993,7 @@ dnode_buf_pageout(dmu_buf_t *db, void *arg) dnh->dnh_dnode = NULL; } kmem_free(children_dnodes, sizeof (dnode_children_t) + - (epb - 1) * sizeof (dnode_handle_t)); + epb * sizeof (dnode_handle_t)); } /* @@ -1078,7 +1078,7 @@ dnode_hold_impl(objset_t *os, uint64_t object, int flag, int i; dnode_children_t *winner; children_dnodes = kmem_zalloc(sizeof (dnode_children_t) + - (epb - 1) * sizeof (dnode_handle_t), KM_SLEEP); + epb * sizeof (dnode_handle_t), KM_SLEEP); children_dnodes->dnc_count = epb; dnh = &children_dnodes->dnc_children[0]; for (i = 0; i < epb; i++) { @@ -1088,7 +1088,7 @@ dnode_hold_impl(objset_t *os, uint64_t object, int flag, if (winner = dmu_buf_set_user(&db->db, children_dnodes, NULL, dnode_buf_pageout)) { kmem_free(children_dnodes, sizeof (dnode_children_t) + - (epb - 1) * sizeof (dnode_handle_t)); + epb * sizeof (dnode_handle_t)); children_dnodes = winner; } } |