a ZFS SA bug and my patch

[James Pan]

Hi,
I hit a ZFS SA problem on FreeBSD 9.2, but I believe the issue exists on other platform too. Here is the description of the bug.


PROBLEM:
run the attached script on a ZFS, after a few seconds, run zdb -vvv on the ZFS, zdb will crash at the following assertion:


Assertion failed: (IS_SA_BONUSTYPE(bonustype) && SA_HDR_SIZE_MATCH_LAYOUT(hdr, tb) || !IS_SA_BONUSTYPE(bonustype) || (IS_SA_BONUSTYPE(bonustype) && hdr->sa_layout_info == 0)), file /usr/src/cddl/lib/libzpool/../../../sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sa.c, line 1509.
Abort (core dumped)

the reason is the SA's header size does not match its layout.


ROOT CAUSE:
The issue will be hit when a file has more than 2 variable-length SA and the total SA size is larger than the bonus buffer's length -  sizeof (blkptr_t), but less the bonus buffer's length.

in sa_find_sizes(), done is set to TRUE if the SA size + header > the bonus buffer's length - sizeof (blkptr_t), then hdrsize += sizeof (uint16_t) will be skipped for the second variable-length SA. If finally all SA can fit in the bonus buffer and no spill block is needed, we will get a wrong hdrsize.

MY FIX:
I've also attached my simple fix for this issue, anyone who might have interest could you please take a look? Thanks a lot!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sa.c.diff
Type: application/octet-stream
Size: 2458 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/zfs-devel/attachments/20131120/c54afeb8/attachment.obj>