Date: Thu, 16 Sep 2021 12:41:39 GMT
Message-Id: <202109161241.18GCfdAK033969@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 1cce9f8fecf2 - stable/13 - osd: Fix racy assertions
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 1cce9f8fecf2ccf8fe908815aa8568727df37c81
Auto-Submitted: auto-generated
List-Id: Commits to the stable branches of the FreeBSD src repository
X-List-Received-Date: Thu, 16 Sep 2021 12:41:39 -0000

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=1cce9f8fecf2ccf8fe908815aa8568727df37c81

commit 1cce9f8fecf2ccf8fe908815aa8568727df37c81
Author:     Mark Johnston
AuthorDate: 2021-09-09 13:50:27 +0000
Commit:     Mark Johnston
CommitDate: 2021-09-16 12:37:15 +0000

    osd: Fix racy assertions

    osd_register(9) may reallocate and expand the destructor array for a
    given object type if no space is available for a new key. This happens
    with the object lock held. Thus, when verifying that a given slot in
    the array is occupied, we need to hold the object lock to avoid racing
    with a reallocation.

    Reported by:    syzbot+69ce54c7d7d813315dd3@syzkaller.appspotmail.com
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 187afc58791cd877c8ba0573b7826c31db8c6f73)
---
 sys/kern/kern_osd.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sys/kern/kern_osd.c b/sys/kern/kern_osd.c
index e15ffde5d7bc..9e318b27c250 100644
--- a/sys/kern/kern_osd.c
+++ b/sys/kern/kern_osd.c
@@ -156,10 +156,11 @@ osd_deregister(u_int type, u_int slot) KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); sx_xlock(&osdm[type].osd_module_lock); rm_wlock(&osdm[type].osd_object_lock); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + /* * Free all OSD for the given slot. */ @@ -222,9 +223,10 @@ osd_set_reserved(u_int type, struct osd *osd, u_int slot, void **rsv, KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); rm_rlock(&osdm[type].osd_object_lock, &tracker); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + if (slot > osd->osd_nslots) { void **newptr; @@ -300,9 +302,10 @@ osd_get(u_int type, struct osd *osd, u_int slot) KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); rm_rlock(&osdm[type].osd_object_lock, &tracker); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + if (slot > osd->osd_nslots) { value = NULL; OSD_DEBUG("Slot doesn't exist (type=%u, slot=%u).", type, slot);
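
Review bot: in the osd_deregister() hunk, the relocated KASSERT still indexes osd_destructors[slot - 1] with only "slot > 0" checked in the lines shown, so an out-of-range slot reads past the array before the "Unused slot." check can fire. Since the commit message says the array can be reallocated and expanded, an upper-bound assertion on slot against the current array size, placed after rm_wlock() next to the moved KASSERT, would catch a stale or bogus slot value cleanly.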
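
Review bot: in the osd_set_reserved() hunk, nothing at the moved KASSERT records why it sits below rm_rlock() instead of with the two argument assertions above it. A one-line comment stating that the destructor array may be reallocated under the object lock would keep a later cleanup from hoisting the assertion back up and reintroducing the race.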
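
Review bot: the osd_get() hunk is the third copy of the same "take osd_object_lock, then assert the slot is in use" sequence, and none of the copies checks that the lock is actually held at the assertion. Consider a small macro or inline helper that wraps the slot assertion together with rm_assert(&osdm[type].osd_object_lock, RA_LOCKED), so the locking requirement is enforced under INVARIANTS instead of depending on where each caller places the line.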