NetBSD-Bugs archive


Re: kern/54282: kernel panic when 'sysctl hw.audio0'



The following reply was made to PR kern/54282; it has been noted by GNATS.

From: Tetsuya Isaki <isaki%pastel-flower.jp@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: kern-bug-people%netbsd.org@localhost,
	gnats-admin%netbsd.org@localhost,
	netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/54282: kernel panic when 'sysctl hw.audio0'
Date: Sat, 08 Jun 2019 13:35:34 +0900

 At Fri,  7 Jun 2019 02:20:01 +0000 (UTC),
 coypu%sdf.org@localhost wrote:
 > [ 40243.607036] fatal protection fault in supervisor mode
 > [ 40243.617050] trap type 4 code 0 rip 0xffffffff807a48ad cs 0x8 rflags 0x10206 cr2 0x7f7fffff4ff8 ilevel 0 rsp 0xffff96017f7a3dd0
 > [ 40243.617050] curlwp 0xfffffe54ee54b0a0 pid 17473.1 lowest kstack 0xffff96017f7a02c0
 
 What's in 0xffffffff807a48ad in this kernel?
 # Although I'm not familiar with the amd64 processor.
 
 At Fri,  7 Jun 2019 02:25:01 +0000 (UTC),
 coypu%sdf.org@localhost wrote:
 >  It looks like sc->sc_pmixer can be freed in normal use.
 >  
 >  ioctl AUDIO_SETFORMAT
 >  audio_mixers_set_format
 >  audio_mixers_init {
 >  ...
 >  	audio_mixer_destroy(sc, sc->sc_pmixer);
 >  	kmem_free(sc->sc_pmixer, sizeof(*sc->sc_pmixer));
 >  
 >  }
 >  This holds a lock, but audio_sysctl_volume dereferences
 >  sc_pmixer without a lock.
 >  
 >          if (sc->sc_pmixer)
 >                  t = sc->sc_pmixer->volume;
 >  
 >  This sounds racy.
 
 I will see about it later anyway, but it's not related to this PR.
 sc->sc_pmixer is only freed by AUDIO_SETFORMAT called by audiocfg(8).
 Freeing never happens while playback/recording is running.
 
 Thanks,
 ---
 Tetsuya Isaki <isaki%pastel-flower.jp@localhost / isaki%NetBSD.org@localhost>
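
The unlocked test-and-dereference pattern quoted in the message above, next to the same read done under the lock, as an added userspace example (not NetBSD source and not part of the original mail). The pthread mutex, the struct layouts and all function names are assumptions standing in for the kernel lock and the driver code.

```c
/* Added userspace model; not NetBSD source. All names are hypothetical. */
#include <pthread.h>
#include <stdlib.h>

struct mixer { int volume; };
struct softc {
	pthread_mutex_t lock;   /* stands in for the lock held by the ioctl path */
	struct mixer *pmixer;   /* models sc->sc_pmixer */
};

/* Allocate a mixer with the given volume (NULL on allocation failure). */
struct mixer *mixer_new(int volume)
{
	struct mixer *m = malloc(sizeof(*m));
	if (m != NULL)
		m->volume = volume;
	return m;
}

/* Models the AUDIO_SETFORMAT path: free the old mixer and install m
 * (which may be NULL) while holding the lock. */
void mixers_replace(struct softc *sc, struct mixer *m)
{
	pthread_mutex_lock(&sc->lock);
	free(sc->pmixer);       /* the old mixer is invalid from here on */
	sc->pmixer = m;
	pthread_mutex_unlock(&sc->lock);
}

/* Pattern quoted in the message: test and dereference without the lock.
 * A concurrent mixers_replace() can free the mixer between the two loads. */
int volume_unlocked(struct softc *sc)
{
	int t = -1;
	if (sc->pmixer)
		t = sc->pmixer->volume;
	return t;
}

/* Same read with the test and the dereference in one critical section. */
int volume_locked(struct softc *sc)
{
	int t = -1;
	pthread_mutex_lock(&sc->lock);
	if (sc->pmixer)
		t = sc->pmixer->volume;
	pthread_mutex_unlock(&sc->lock);
	return t;
}
```
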
 

