Proto device is not thread safe. Its `ioctl` handler in particular exposes multiple exploitable race condition bugs (such as double free UaF).
None of the commands take locks, leading to multiple race condition bugs. For example, `PROTO_IOC_BUSDMA_MEM_FREE` command presents double linked list removal and double free race conditions, since it leads to calling `proto_busdma_md_destroy_internal` with no locks taken:
proto_busdma_md_destroy_internal(struct proto_busdma *busdma,
struct proto_md *md)
if (md->virtaddr != NULL)
bus_dmamem_free(md->bd_tag, md->virtaddr, md->bd_map);
Since this device is created with permission `0666`, these bugs can be used for privilege escalation.
This can be fixed by taking the giant mutex on all method calls, by adding the `D_NEEDGIANT` flag.