
[src/trunk]: src/sys/kern disk(9): Fix use-after-free race with concurrent di...



details:   https://anonhg.NetBSD.org/src/rev/f17b09430de0
branches:  trunk
changeset: 374386:f17b09430de0
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Fri Apr 21 18:30:04 2023 +0000

description:
disk(9): Fix use-after-free race with concurrent disk_set_info.

This can happen with dk(4), which allows wedges to have their size
increased without destroying and recreating the device instance.

Drivers which allow concurrent disk_set_info and disk_ioctl must
serialize disk_set_info with dk_openlock.

diffstat:

 sys/kern/subr_disk.c |  27 ++++++++++++++++++++++-----
 1 files changed, 22 insertions(+), 5 deletions(-)

diffs (57 lines):

diff -r 3f3d41d24864 -r f17b09430de0 sys/kern/subr_disk.c
--- a/sys/kern/subr_disk.c      Fri Apr 21 18:29:43 2023 +0000
+++ b/sys/kern/subr_disk.c      Fri Apr 21 18:30:04 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: subr_disk.c,v 1.134 2022/03/28 12:33:59 riastradh Exp $        */
+/*     $NetBSD: subr_disk.c,v 1.135 2023/04/21 18:30:04 riastradh Exp $        */
 
 /*-
  * Copyright (c) 1996, 1997, 1999, 2000, 2009 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_disk.c,v 1.134 2022/03/28 12:33:59 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_disk.c,v 1.135 2023/04/21 18:30:04 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -530,11 +530,20 @@ disk_ioctl(struct disk *dk, dev_t dev, u
 #endif
 
        switch (cmd) {
-       case DIOCGDISKINFO:
-               if (dk->dk_info == NULL)
+       case DIOCGDISKINFO: {
+               prop_dictionary_t disk_info;
+               int error;
+
+               mutex_enter(&dk->dk_openlock);
+               if ((disk_info = dk->dk_info) == NULL)
                        return ENOTSUP;
-               return prop_dictionary_copyout_ioctl(data, cmd, dk->dk_info);
+               prop_object_retain(disk_info);
+               mutex_exit(&dk->dk_openlock);
 
+               error = prop_dictionary_copyout_ioctl(data, cmd, disk_info);
+               prop_object_release(disk_info);
+               return error;
+       }
        case DIOCGSECTORSIZE:
                *(u_int *)data = dk->dk_geom.dg_secsize;
                return 0;
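Review bot: The early `return ENOTSUP` in the new DIOCGDISKINFO case exits with `dk->dk_openlock` still held, because `mutex_enter` comes before the NULL check and only the non-NULL path reaches `mutex_exit`. On a disk whose `dk_info` is unset, a single DIOCGDISKINFO call would leak the lock, and later open/close or ioctl paths that take dk_openlock on that disk would then block or trip a lock diagnostic. That is a denial-of-service condition, likely reachable by whoever may issue the ioctl. Release the lock before returning: `if ((disk_info = dk->dk_info) == NULL) { mutex_exit(&dk->dk_openlock); return ENOTSUP; }`. The rest of the pattern (retain under the lock, copy out after dropping it, then release) looks right; disk_ioctl's body starts and ends outside this hunk.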
@@ -649,6 +658,14 @@ disk_ioctl(struct disk *dk, dev_t dev, u
        }
 }
 
+/*
+ * disk_set_info --
+ *     Canonicalize dk->dk_geom and set some parameters.
+ *
+ *     If disk_set_info can happen concurrently with disk_ioctl in a
+ *     driver, the driver must serialize calls to disk_set_info with
+ *     dk_openlock.
+ */
 void
 disk_set_info(device_t dev, struct disk *dk, const char *type)
 {
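Review bot: The new comment on disk_set_info states the locking rule but not what the lock protects, so a driver author cannot tell that breaking it is a memory-safety bug rather than a consistency nit. Judging from the DIOCGDISKINFO hunk, the protected object is `dk->dk_info`, which disk_set_info presumably replaces and releases. I would add a line such as `Caller must hold dk->dk_openlock if disk_ioctl may run concurrently: dk_info is replaced here and the old dictionary is released.` The rule is also unenforced, and because it is conditional an unconditional `KASSERT(mutex_owned(&dk->dk_openlock))` is not possible, so it is worth confirming that dk(4) and any other caller that resizes a live device actually takes the lock. The function body is outside this hunk, so the statement about dk_info should be checked against it.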


