git: f0ebed6a313b - stable/13 - kern: osd: avoid dereferencing freed slots

From: Kyle Evans <>
Date: Fri, 18 Aug 2023 04:03:57 UTC
The branch stable/13 has been updated by kevans:


commit f0ebed6a313b8cdd91859287aad8015392352bc1
Author:     Kyle Evans <>
AuthorDate: 2023-08-10 17:32:33 +0000
Commit:     Kyle Evans <>
CommitDate: 2023-08-18 04:02:46 +0000

    kern: osd: avoid dereferencing freed slots
    If a slot is freed that isn't the last one, we'll set its destructor to
    NULL to indicate that it's been freed and leave a hole in the slot map.
    Check osd_destructors in osd_call() to avoid dereferencing a method that
    is potentially from a module that's been unloaded.
    This scenario would most commonly surface when two modules are loaded
    that osd_register(), then the earlier one deregisters and an osd_call()
    is made after the fact.  In the specific report that triggered the
    investigation, kldload if_wg -> kldload linux* -> kldunload if_wg ->
    destroy a jail -> panic.
    Noted in the review, but left for follow-up work, is that the realloc
    that may happen in osd_deregister() should likely go away and the
    assumption that reallocating to a smaller size cannot fail is actually
    not correct.
    Reported by:    dim
    (cherry picked from commit 2bd446d7f1a03fbf6d98ace4548f8793599f48fb)
 sys/kern/kern_osd.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/kern/kern_osd.c b/sys/kern/kern_osd.c
index 23178731b899..ced6df31cf44 100644
--- a/sys/kern/kern_osd.c
+++ b/sys/kern/kern_osd.c
@@ -396,6 +396,9 @@ osd_call(u_int type, u_int method, void *obj, void *data)
 	error = 0;
 	for (i = 0; i < osdm[type].osd_ntslots; i++) {
+		/* Hole in the slot map; avoid dereferencing. */
+		if (osdm[type].osd_destructors[i] == NULL)
+			continue;
 		methodfun = osdm[type].osd_methods[i * osdm[type].osd_nmethods +
 		if (methodfun != NULL && (error = methodfun(obj, data)) != 0)