Fix prev_hdr use-after-free in l2arc_write_sublist

prev_hdr is dereferenced after the sublist lock is dropped for write I/O
but nothing prevents it from being freed during that window. Refresh
prev_hdr from the local marker's neighbor after reacquiring the lock,
since markers cannot be evicted. Add a NULL guard for the case where the
marker is at the list boundary.

Signed-off-by: Ameer Hamza <ahamza@ixsystems.com>

Author: ixhamza

module/zfs/arc.c

@@ -9829,10 +9829,15 @@ l2arc_write_sublist(spa_t *spa, l2arc_dev_t *dev, int pass, int sublist_idx,
 
 next:
 		multilist_sublist_lock(mls);
-		if (scan_from_head)
+		if (scan_from_head) {
 			hdr = multilist_sublist_next(mls, local_marker);
-		else
+			prev_hdr = multilist_sublist_prev(mls,
+			    local_marker);
+		} else {
 			hdr = multilist_sublist_prev(mls, local_marker);
+			prev_hdr = multilist_sublist_next(mls,
+			    local_marker);
+		}
 		multilist_sublist_remove(mls, local_marker);
 	}
 
@@ -9854,7 +9859,7 @@ l2arc_write_sublist(spa_t *spa, l2arc_dev_t *dev, int pass, int sublist_idx,
 		multilist_sublist_insert_tail(mls, persistent_marker);
 		spa->spa_l2arc_info.l2arc_sublist_reset[pass][sublist_idx] =
 		    B_FALSE;
-	} else if (save_position &&
+	} else if (save_position && prev_hdr != NULL &&
 	    multilist_link_active(&prev_hdr->b_l1hdr.b_arc_node)) {
 		if (hdr != NULL) {
 			/*