DragonFlyBSD Kernel Audit
← dashboard
DF-0064

Unsynchronized data race on desc->total_objects (statistics-only, no security impact)

Field Value
ID DF-0064
Status new
Severity Info
CVSS 3.1 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N
CWE CWE-362 Race Condition
File sys/kern/kern_objcache.c
Lines 357-375
Area kern
Confidence likely
Discovered 2026-06-30
Reported pending

Summary

objcache_set_cluster_limit updates depot->unallocated_objects under depot->spin (:368) but writes oc->desc->total_objects += delta outside the lock (:373). total_objects is read by sysctl_ocstats (:971) under a different lock (objcachelist_spin), and two concurrent set_cluster_limit callers also race on the field with no mutual lock — a genuine unsynchronized read-modify-write (UB in C). On x86 the int accesses are atomic so no torn values, but lost updates can drift the displayed oc_limit statistic.

Impact is strictly cosmetic: total_objects gates nothing in the allocator path (only unallocated_objects does, at :508); it is only emitted via sysctl kern.objcache.stats. No memory-safety, privilege, or DoS consequence.

--- a/sys/kern/kern_objcache.c
+++ b/sys/kern/kern_objcache.c
@@ -367,6 +367,7 @@
        delta = cluster_limit - depot->cluster_limit;
        depot->unallocated_objects += delta;
        depot->cluster_limit = cluster_limit;
+       oc->desc->total_objects += delta;
        spin_unlock(&depot->spin);
        wakeup(depot);
-
-       oc->desc->total_objects += delta;

(Move the total_objects update inside the depot->spin critical section.)

Timeline

  • 2026-06-30 Discovered during automated file-by-file audit of sys/kern/kern_objcache.c.
  • pending Reported to DragonFlyBSD security contact.