From 7f8e90f2ba4985242ad735cf15182e0f277d36ec Mon Sep 17 00:00:00 2001
From: avg <avg@FreeBSD.org>
Date: Fri, 14 Apr 2017 18:43:10 +0000
Subject: [PATCH] 5814 bpobj_iterate_impl(): Close a refcount leak iterating on
 a sublist.

illumos/illumos-gate@b67dde11a73a9455d641403cbbb65ec2add41b41
https://github.com/illumos/illumos-gate/commit/b67dde11a73a9455d641403cbbb65ec2add41b41

https://www.illumos.org/issues/5814
  Lets pull in this patch from freebsd:
  http://svnweb.freebsd.org/base?view=revision&revision=271781
  bpobj_iterate_impl(): Close a refcount leak iterating on a sublist.
  If bpobj_space() returned non-zero here, the sublist would have been
  left open, along with the bonus buffer hold it requires. This call
  does not invoke any calls to bpobj_close() itself.
  This bug doesn't have any known vector, but was found on inspection.
  MFC after: 1 week
  Sponsored by: Spectra Logic
  Affects: All ZFS versions starting 21 May 2010 (illumos cde58dbc)
  MFSpectraBSD: r1050998 on 2014/03/26
  Fix bpobj_iterate_impl() to properly call bpobj_close() if bpobj_space()
  returns an error.

Reviewed by: Prakash Surya <prakash.surya@delphix.com>
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: Paul Dagnelie <paul.dagnelie@delphix.com>
Reviewed by: Simon Klinkert <simon.klinkert@gmail.com>
Approved by: Gordon Ross <gwr@nexenta.com>
Author: Will Andrews <will@freebsd.org>
---
 uts/common/fs/zfs/bpobj.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/uts/common/fs/zfs/bpobj.c b/uts/common/fs/zfs/bpobj.c
index da8e633ee389..19e97cbabf30 100644
--- a/uts/common/fs/zfs/bpobj.c
+++ b/uts/common/fs/zfs/bpobj.c
@@ -301,8 +301,10 @@ bpobj_iterate_impl(bpobj_t *bpo, bpobj_itor_t func, void *arg, dmu_tx_t *tx,
 		if (free) {
 			err = bpobj_space(&sublist,
 			    &used_before, &comp_before, &uncomp_before);
-			if (err)
+			if (err != 0) {
+				bpobj_close(&sublist);
 				break;
+			}
 		}
 		err = bpobj_iterate_impl(&sublist, func, arg, tx, free);
 		if (free) {