kern/52195: segfault in audio_fill_silence()

[bouyer%antioche.eu.org@localhost]

>Number:         52195
>Category:       kern
>Synopsis:       segfault in audio_fill_silence()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 25 21:15:00 +0000 2017
>Originator:     Manuel Bouyer
>Release:        HEAD as of 21 Apr
>Organization:
-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--
>Environment:
System: NetBSD chartplotter 7.99.70 NetBSD 7.99.70 (CHARTPLOTTER) #7: Fri Apr 21 18:57:58 MEST 2017 evbarm
Architecture: earmv7hf
Machine: evbarm
>Description:
	Playing a .wav with audioplay, and then with mplayer,
	I ended up with a trap fault in audio_fill_silence().
	This is after the useland program claused the device.
	Last message was (hand-copied):
audio_drain: chan=1, used=9600, drops=0

uvm_fault(...)
stopped in pid 0.30 at netbsd:audio_fill_silence+0x80
backtrace is:
audio_fill_silence+0x80
audio_mix.part.27+0x61c
audio_play_thread+0x90

audio_fill_silence+0x80 translates to:
0x802074a4 is in audio_fill_silence (/local/armandeche1/can/src/sys/dev/audio.c:2686).
2681                    auzero0 = 0;
2682                    break;
2683            }
2684            if (nfill == 1) {
2685                    while (--n >= 0)
2686                            *p++ = auzero0; /* XXX memset */
2687            } else /* nfill must no longer be 2 */ {
2688                    if (params->encoding == AUDIO_ENCODING_ULINEAR_LE) {
2689                            int k = nfill;
2690                            while (--k > 0)



>How-To-Repeat:
	audioplay a
	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 22050 Hz
	with audioplay, and then mplayer. It may not be reproductible;
	I'll try to reproduce with a serial console.
>Fix: