14982 zfs: Fix use-after-free in btree code

Reviewed by: Andy Stormont <andyjstormont@gmail.com> Reviewed by: Gordon Ross <Gordon.W.Ross@gmail.com> Reviewed by: Paul Zuchowski <p.zuchowski98@gmail.com> Approved by: Dan McDonald <danmcd@mnx.io>
illumos · Dec 2, 2022 · d80dfda · d80dfda
1 parent 616aa2d
commit d80dfda
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/usr/src/uts/common/fs/zfs/btree.c b/usr/src/uts/common/fs/zfs/btree.c
@@ -1608,8 +1608,8 @@ zfs_btree_remove_from_node(zfs_btree_t *tree, zfs_btree_core_t *node,
 	zfs_btree_poison_node_at(tree, keep_hdr, keep_hdr->bth_count, 1);
 
 	new_rm_hdr->bth_count = 0;
-	zfs_btree_node_destroy(tree, new_rm_hdr);
 	zfs_btree_remove_from_node(tree, parent, new_rm_hdr);
+	zfs_btree_node_destroy(tree, new_rm_hdr);
 }
 
 /* Remove the element at the specific location. */
@@ -1817,10 +1817,10 @@ zfs_btree_remove_idx(zfs_btree_t *tree, zfs_btree_index_t *where)
 
 	/* Move our elements to the left neighbor. */
 	bt_transfer_leaf(tree, rm, 0, rm_hdr->bth_count, keep, k_count + 1);
-	zfs_btree_node_destroy(tree, rm_hdr);
 
 	/* Remove the emptied node from the parent. */
 	zfs_btree_remove_from_node(tree, parent, rm_hdr);
+	zfs_btree_node_destroy(tree, rm_hdr);
 	zfs_btree_verify(tree);
 }