[src/trunk]: src/sys/kern autoconf(9): Avoid potential ABA bug in config_make...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/sys/kern autoconf(9): Avoid potential ABA bug in config_make...
From: riastradh <riastradh%NetBSD.org@localhost>
Date: Sun, 16 Apr 2023 14:17:38 +0000

details:   https://anonhg.NetBSD.org/src/rev/7add57e4572e
branches:  trunk
changeset: 374271:7add57e4572e
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sun Apr 16 11:14:58 2023 +0000

description:
autoconf(9): Avoid potential ABA bug in config_makeroom.

When we unlock alldevs_lock to allocate a new cd_devs array nsp,
other threads may have:

1. freed the old one (osp),
2. done some other memory allocation,
3. allocated a new _larger_ array whose address happens to concide
   with osp (e.g., in (2) the page was recycled for a different pool
   cache), and
4. updated cd_devs back to osp but increased cd_ndevs.

In that case, the memory may be corrupted: we try to copy the wrong
number of device_t pointers into nsp and we free osp with the wrong
(stale) length.

Avoid this by checking whether cd_ndevs has changed too -- if not,
osp might have been recycled but at least the lengths we're about to
copy and free are still correct so there's no harm in an ABA
situation.

XXX pullup-8
XXX pullup-9
XXX pullup-10

diffstat:

 sys/kern/subr_autoconf.c |  6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diffs (27 lines):

diff -r eee2bf1e4184 -r 7add57e4572e sys/kern/subr_autoconf.c
--- a/sys/kern/subr_autoconf.c  Sun Apr 16 04:52:19 2023 +0000
+++ b/sys/kern/subr_autoconf.c  Sun Apr 16 11:14:58 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_autoconf.c,v 1.307 2023/02/22 17:00:16 riastradh Exp $ */
+/* $NetBSD: subr_autoconf.c,v 1.308 2023/04/16 11:14:58 riastradh Exp $ */
 
 /*
  * Copyright (c) 1996, 2000 Christopher G. Demetriou
@@ -77,7 +77,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_autoconf.c,v 1.307 2023/02/22 17:00:16 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_autoconf.c,v 1.308 2023/04/16 11:14:58 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@@ -1357,7 +1357,7 @@ config_makeroom(int n, struct cfdriver *
                 * If another thread moved the array while we did
                 * not hold alldevs_lock, try again.
                 */
-               if (cd->cd_devs != osp) {
+               if (cd->cd_devs != osp || cd->cd_ndevs != ondevs) {
                        mutex_exit(&alldevs_lock);
                        kmem_free(nsp, sizeof(device_t) * nndevs);
                        mutex_enter(&alldevs_lock);

Prev by Date: [src/trunk]: src/sys/kern pserialize(9): Fix buggy assertion inside assertion.
Next by Date: [src/trunk]: src/sys/kern autoconf(9): Assert alldevs_lock held in config_uni...
Previous by Thread: [src/trunk]: src/sys/kern pserialize(9): Fix buggy assertion inside assertion.
Next by Thread: [src/trunk]: src/sys/kern autoconf(9): Assert alldevs_lock held in config_uni...
Indexes:

Home | Main Index | Thread Index | Old Index