Date: Thu, 16 Sep 2021 12:41:39 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 1cce9f8fecf2 - stable/13 - osd: Fix racy assertions Message-ID: <202109161241.18GCfdAK033969@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=1cce9f8fecf2ccf8fe908815aa8568727df37c81 commit 1cce9f8fecf2ccf8fe908815aa8568727df37c81 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-09-09 13:50:27 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-09-16 12:37:15 +0000 osd: Fix racy assertions osd_register(9) may reallocate and expand the destructor array for a given object type if no space is available for a new key. This happens with the object lock held. Thus, when verifying that a given slot in the array is occupied, we need to hold the object lock to avoid racing with a reallocation. Reported by: syzbot+69ce54c7d7d813315dd3@syzkaller.appspotmail.com Sponsored by: The FreeBSD Foundation (cherry picked from commit 187afc58791cd877c8ba0573b7826c31db8c6f73) --- sys/kern/kern_osd.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sys/kern/kern_osd.c b/sys/kern/kern_osd.c index e15ffde5d7bc..9e318b27c250 100644 --- a/sys/kern/kern_osd.c +++ b/sys/kern/kern_osd.c @@ -156,10 +156,11 @@ osd_deregister(u_int type, u_int slot) KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); sx_xlock(&osdm[type].osd_module_lock); rm_wlock(&osdm[type].osd_object_lock); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + /* * Free all OSD for the given slot. */ @@ -222,9 +223,10 @@ osd_set_reserved(u_int type, struct osd *osd, u_int slot, void **rsv, KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); rm_rlock(&osdm[type].osd_object_lock, &tracker); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + if (slot > osd->osd_nslots) { void **newptr; @@ -300,9 +302,10 @@ osd_get(u_int type, struct osd *osd, u_int slot) KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); rm_rlock(&osdm[type].osd_object_lock, &tracker); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + if (slot > osd->osd_nslots) { value = NULL; OSD_DEBUG("Slot doesn't exist (type=%u, slot=%u).", type, slot);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202109161241.18GCfdAK033969>