Date: Thu, 9 Sep 2021 14:14:41 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 187afc58791c - main - osd: Fix racy assertions Message-ID: <202109091414.189EEfFc017965@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=187afc58791cd877c8ba0573b7826c31db8c6f73 commit 187afc58791cd877c8ba0573b7826c31db8c6f73 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-09-09 13:50:27 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-09-09 14:11:02 +0000 osd: Fix racy assertions osd_register(9) may reallocate and expand the destructor array for a given object type if no space is available for a new key. This happens with the object lock held. Thus, when verifying that a given slot in the array is occupied, we need to hold the object lock to avoid racing with a reallocation. Reported by: syzbot+69ce54c7d7d813315dd3@syzkaller.appspotmail.com MFC after: 1 week Sponsored by: The FreeBSD Foundation --- sys/kern/kern_osd.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sys/kern/kern_osd.c b/sys/kern/kern_osd.c index e15ffde5d7bc..9e318b27c250 100644 --- a/sys/kern/kern_osd.c +++ b/sys/kern/kern_osd.c @@ -156,10 +156,11 @@ osd_deregister(u_int type, u_int slot) KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); sx_xlock(&osdm[type].osd_module_lock); rm_wlock(&osdm[type].osd_object_lock); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + /* * Free all OSD for the given slot. */ @@ -222,9 +223,10 @@ osd_set_reserved(u_int type, struct osd *osd, u_int slot, void **rsv, KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); rm_rlock(&osdm[type].osd_object_lock, &tracker); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + if (slot > osd->osd_nslots) { void **newptr; @@ -300,9 +302,10 @@ osd_get(u_int type, struct osd *osd, u_int slot) KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); rm_rlock(&osdm[type].osd_object_lock, &tracker); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + if (slot > osd->osd_nslots) { value = NULL; OSD_DEBUG("Slot doesn't exist (type=%u, slot=%u).", type, slot);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202109091414.189EEfFc017965>