Bug #5870
closed
dmu_recv_end_check() leaks origin_head hold if error happens in drc_force branch
100%
Description
In the `!drc_newfs` branch of `dmu_recv_end_check()` we first take a hold on `drc_tofs` (as origin_head).
If the `drc_force` branch is entered and there is any error in it, then we return from `dmu_recv_end_check()` without releasing the origin_head hold.
This can happen if the dataset has a newer snapshot that has to be destroyed, but the snapshot is user-held or it is an origin for a cloned filesystem.
In those cases `dsl_destroy_snapshot_check_impl` would return an error. After that a snapshot hold is released, but the dataset hold is not released.
Updated by Andriy Gapon over 6 years ago
In the !drc_newfs branch of dmu_recv_end_check() we first take a hold on drc_tofs (as origin_head).
If the drc_force branch is entered and there is any error in it, then we return from dmu_recv_end_check() without releasing the origin_head hold.
This can happen if the dataset has a newer snapshot that has to be destroyed, but the snapshot is user-held or it is an origin for a cloned filesystem.
In those cases dsl_destroy_snapshot_check_impl would return an error. After that a snapshot hold is released, but the dataset hold is not released.
Updated by Electric Monk about 6 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit beddaa9ce797b9deaafc22b4f156d23f9b45c32d
commit beddaa9ce797b9deaafc22b4f156d23f9b45c32d
Author: Andriy Gapon <avg@freebsd.org>
Date: 2015-05-27T14:27:43.000Z
5870 dmu_recv_end_check() leaks origin_head hold if error happens in drc_force branch
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: Andrew Stormont <andyjstormont@gmail.com>
Approved by: Dan McDonald <danmcd@omniti.com>