Date:      Thu, 20 Oct 2011 21:48:10 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r226588 - stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs
Message-ID:  <201110202148.p9KLmAnp093099@svn.freebsd.org>

Author: delphij
Date: Thu Oct 20 21:48:09 2011
New Revision: 226588
URL: http://svn.freebsd.org/changeset/base/226588

Log:
  MFC r226483:
  
  Fix a bug in sa_find_sizes() which could lead to panic:
  When calculating space needed for SA_BONUS buffers,
  hdrsize is always rounded up to next 8-aligned boundary.
  However, in two places the round up was done against
  sum of 'total' plus hdrsize.  On the other hand,
  hdrsize increments by 4 each time, which means in
  certain conditions, we would end up returning with
  will_spill == 0 and (total + hdrsize) larger than
  full_space, leading to a failed assertion because
  it's invalid for dmu_set_bonus.
  
  Sponsored by:	iXsystems, Inc.
  Reviewed by:	mm

Modified:
  stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sa.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)

Modified: stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sa.c
==============================================================================
--- stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sa.c	Thu Oct 20 21:15:43 2011	(r226587)
+++ stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sa.c	Thu Oct 20 21:48:09 2011	(r226588)
@@ -605,14 +605,14 @@ sa_find_sizes(sa_os_t *sa, sa_bulk_attr_
 		 * and spill buffer.
 		 */
 		if (buftype == SA_BONUS && *index == -1 &&
-		    P2ROUNDUP(*total + hdrsize, 8) >
+		    (*total + P2ROUNDUP(hdrsize, 8)) >
 		    (full_space - sizeof (blkptr_t))) {
 			*index = i;
 			done = B_TRUE;
 		}
 
 next:
-		if (P2ROUNDUP(*total + hdrsize, 8) > full_space &&
+		if ((*total + P2ROUNDUP(hdrsize, 8)) > full_space &&
 		    buftype == SA_BONUS)
 			*will_spill = B_TRUE;
 	}
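Review bot: The sum `*total + P2ROUNDUP(hdrsize, 8)` now appears in both the `*index == -1` check and the check under `next:`, with no comment saying why only hdrsize is rounded. The old and new forms differ only when `*total` is not a multiple of 8, and in that case the new sum can be smaller than the old one as well as larger (for example `*total` = 4, hdrsize = 8 gives 12 instead of 16), so the code should state that the space actually consumed is `*total` plus the rounded header, as the log message does. Consider computing the sum once into a local per iteration and using it in both comparisons so the two checks cannot drift apart again, and adding an assertion before return that `*will_spill` is set whenever that sum exceeds full_space, so the invariant dmu_set_bonus relies on is checked here.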


