Re: kern/54282: kernel panic when 'sysctl hw.audio0'

To: gnats-bugs%netbsd.org@localhost
Subject: Re: kern/54282: kernel panic when 'sysctl hw.audio0'
From: Tetsuya Isaki <isaki%pastel-flower.jp@localhost>
Date: Sat, 08 Jun 2019 13:35:34 +0900

At Fri,  7 Jun 2019 02:20:01 +0000 (UTC),
coypu%sdf.org@localhost wrote:
> [ 40243.607036] fatal protection fault in supervisor mode
> [ 40243.617050] trap type 4 code 0 rip 0xffffffff807a48ad cs 0x8 rflags 0x10206 cr2 0x7f7fffff4ff8 ilevel 0 rsp 0xffff96017f7a3dd0
> [ 40243.617050] curlwp 0xfffffe54ee54b0a0 pid 17473.1 lowest kstack 0xffff96017f7a02c0

What's in 0xffffffff807a48ad in this kernel?
# Although I'm not familiar with amd64 processor.

At Fri,  7 Jun 2019 02:25:01 +0000 (UTC),
coypu%sdf.org@localhost wrote:
>  It looks like sc->sc_pmixer can be freed in normal use.
>  
>  ioctl AUDIO_SETFORMAT
>  audio_mixers_set_format
>  audio_mixers_init {
>  ...
>  	audio_mixer_destroy(sc, sc->sc_pmixer);
>  	kmem_free(sc->sc_pmixer, sizeof(*sc->sc_pmixer));
>  
>  }
>  This holds a lock, but audio_sysctl_volume dereferences
>  sc_pmixer without a lock.
>  
>          if (sc->sc_pmixer)
>                  t = sc->sc_pmixer->volume;
>  
>  This sounds racy.

I will see about it later anyway, but it's not related to this PR.
sc->sc_pmixer is only freed by AUDIO_SETFORMAT called by audiocfg(8).
Freeing never happens during playback/recording is running.

Thanks,
---
Tetsuya Isaki <isaki%pastel-flower.jp@localhost / isaki%NetBSD.org@localhost>

References:
- kern/54282: kernel panic when 'sysctl hw.audio0'
  - From: coypu

Prev by Date: Re: kern/54289: wd1 fails to be identified properly
Next by Date: Re: kern/54282: kernel panic when 'sysctl hw.audio0'
Previous by Thread: kern/54282: kernel panic when 'sysctl hw.audio0'
Next by Thread: Re: kern/54282: kernel panic when 'sysctl hw.audio0'
Indexes:

Home | Main Index | Thread Index | Old Index