NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: kern/54282: kernel panic when 'sysctl hw.audio0'



The following reply was made to PR kern/54282; it has been noted by GNATS.

From: coypu%sdf.org@localhost
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/54282: kernel panic when 'sysctl hw.audio0'
Date: Fri, 7 Jun 2019 02:24:45 +0000

 It looks like sc->sc_pmixer can be freed in normal use.
 
 ioctl AUDIO_SETFORMAT
 audio_mixers_set_format
 audio_mixers_init {
 ...
 	audio_mixer_destroy(sc, sc->sc_pmixer);
 	kmem_free(sc->sc_pmixer, sizeof(*sc->sc_pmixer));
 
 }
 This holds a lock, but audio_sysctl_volume dereferences
 sc_pmixer without a lock.
 
         if (sc->sc_pmixer)
                 t = sc->sc_pmixer->volume;
 
 This sounds racy.
 


Home | Main Index | Thread Index | Old Index