bpobj_iterate_impl(): Close a refcount leak iterating on a sublist.

If bpobj_space() returned non-zero here, the sublist would have been left open, along with the bonus buffer hold it requires. This call does not invoke any calls to bpobj_close() itself. This bug doesn't have any known vector, but was found on inspection. MFC after: 1 week Sponsored by: Spectra Logic Affects: All ZFS versions starting 21 May 2010 (illumos cde58dbc) MFSpectraBSD: r1050998 on 2014/03/26
author: will <will@FreeBSD.org> 2014-09-18 15:37:53 +0000
committer: will <will@FreeBSD.org> 2014-09-18 15:37:53 +0000
commit: 7288f5d2fcfc7e772a285573fa4a96957b72f3e5 (patch)
tree: c880133ae3cfdb5dafecf0e4658757f485032f66 /sys
parent: 6ba0e2415e7e6f6b66c7e87335473bd2d53ae1c0 (diff)
download: FreeBSD-src-7288f5d2fcfc7e772a285573fa4a96957b72f3e5.zip
FreeBSD-src-7288f5d2fcfc7e772a285573fa4a96957b72f3e5.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/bpobj.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/bpobj.c
index e75ae72..b19df1a 100644
--- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/bpobj.c
+++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/bpobj.c
@@ -301,8 +301,10 @@ bpobj_iterate_impl(bpobj_t *bpo, bpobj_itor_t func, void *arg, dmu_tx_t *tx,
 		if (free) {
 			err = bpobj_space(&sublist,
 			    &used_before, &comp_before, &uncomp_before);
-			if (err)
+			if (err != 0) {
+				bpobj_close(&sublist);
 				break;
+			}
 		}
 		err = bpobj_iterate_impl(&sublist, func, arg, tx, free);
 		if (free) {
author	will <will@FreeBSD.org>	2014-09-18 15:37:53 +0000
committer	will <will@FreeBSD.org>	2014-09-18 15:37:53 +0000
commit	7288f5d2fcfc7e772a285573fa4a96957b72f3e5 (patch)
tree	c880133ae3cfdb5dafecf0e4658757f485032f66 /sys
parent	6ba0e2415e7e6f6b66c7e87335473bd2d53ae1c0 (diff)
download	FreeBSD-src-7288f5d2fcfc7e772a285573fa4a96957b72f3e5.zip FreeBSD-src-7288f5d2fcfc7e772a285573fa4a96957b72f3e5.tar.gz