git: 187afc58791c - main - osd: Fix racy assertions
Mark Johnston
markj at FreeBSD.org
Thu Sep 9 14:14:42 UTC 2021
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=187afc58791cd877c8ba0573b7826c31db8c6f73
commit 187afc58791cd877c8ba0573b7826c31db8c6f73
Author: Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-09-09 13:50:27 +0000
Commit: Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-09-09 14:11:02 +0000
osd: Fix racy assertions
osd_register(9) may reallocate and expand the destructor array for a
given object type if no space is available for a new key. This happens
with the object lock held. Thus, when verifying that a given slot in
the array is occupied, we need to hold the object lock to avoid racing
with a reallocation.
Reported by: syzbot+69ce54c7d7d813315dd3 at syzkaller.appspotmail.com
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
---
sys/kern/kern_osd.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sys/kern/kern_osd.c b/sys/kern/kern_osd.c
index e15ffde5d7bc..9e318b27c250 100644
--- a/sys/kern/kern_osd.c
+++ b/sys/kern/kern_osd.c
@@ -156,10 +156,11 @@ osd_deregister(u_int type, u_int slot)
KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type."));
KASSERT(slot > 0, ("Invalid slot."));
- KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot."));
sx_xlock(&osdm[type].osd_module_lock);
rm_wlock(&osdm[type].osd_object_lock);
+ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot."));
+
/*
* Free all OSD for the given slot.
*/
@@ -222,9 +223,10 @@ osd_set_reserved(u_int type, struct osd *osd, u_int slot, void **rsv,
KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type."));
KASSERT(slot > 0, ("Invalid slot."));
- KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot."));
rm_rlock(&osdm[type].osd_object_lock, &tracker);
+ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot."));
+
if (slot > osd->osd_nslots) {
void **newptr;
@@ -300,9 +302,10 @@ osd_get(u_int type, struct osd *osd, u_int slot)
KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type."));
KASSERT(slot > 0, ("Invalid slot."));
- KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot."));
rm_rlock(&osdm[type].osd_object_lock, &tracker);
+ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot."));
+
if (slot > osd->osd_nslots) {
value = NULL;
OSD_DEBUG("Slot doesn't exist (type=%u, slot=%u).", type, slot);
More information about the dev-commits-src-all
mailing list