Source-Changes-HG archive

[src/trunk]: src/sys/dev/audio audio(4): Fix bug in detaching audio16 and bey...



details:   https://anonhg.NetBSD.org/src/rev/67ceef79cf17
branches:  trunk
changeset: 369637:67ceef79cf17
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Thu Aug 25 11:16:33 2022 +0000

description:
audio(4): Fix bug in detaching audio16 and beyond.

The minor numbers have only four bits for the unit number, so unit
numbers past 15 can't be represented as is.  Attempting to revoke
them was once harmless, when the system made no attempt to avoid
open/detach races; now it crashes because vdevgone assumes that the
minor number can be mapped back to an autoconf device, but it's the
wrong one.  With this change, we stop trying to revoke units beyond
15, because they can't be opened anyway (which may be a bug in its
own right, requiring expansion of the minor number encoding!).

Reported-by: syzbot+6634ffd48997ae9b1eb0%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=db40a795a0b078f9b3b9fa0d3b7a9addcd2534de

Reported-by: syzbot+d2df39bb3f72975c0a97%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=cbdd598287529cff9a8c4230263f7414df88db4b

Reported-by: syzbot+1404969f68424f8f6e4b%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=6e4782408d0351769215fe433986f1844a546774

Reported-by: syzbot+2a4174a65609b3a00abb%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=886bbee544c2337683e24c801f9b632630a24681

Reported-by: syzbot+c0d9e49f22e571650736%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=7fb2e5576ebae731e859283f85c97747d2824f35

Reported-by: syzbot+583ba2cdb8aa6e59a4bf%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=2af44f5245eba572ebfb222070b9fd1378854303

diffstat:

 sys/dev/audio/audio.c |  21 +++++++++++++++------
 1 files changed, 15 insertions(+), 6 deletions(-)

diffs (45 lines):

diff -r 002793b12080 -r 67ceef79cf17 sys/dev/audio/audio.c
--- a/sys/dev/audio/audio.c     Thu Aug 25 09:15:14 2022 +0000
+++ b/sys/dev/audio/audio.c     Thu Aug 25 11:16:33 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: audio.c,v 1.135 2022/08/13 06:47:41 isaki Exp $        */
+/*     $NetBSD: audio.c,v 1.136 2022/08/25 11:16:33 riastradh Exp $    */
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -181,7 +181,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.135 2022/08/13 06:47:41 isaki Exp $");
+__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.136 2022/08/25 11:16:33 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "audio.h"
@@ -1363,13 +1363,22 @@
 
        /*
         * Prevent new opens and wait for existing opens to complete.
+        *
+        * At the moment there are only four bits in the minor for the
+        * unit number, so we only revoke if the unit number could be
+        * used in a device node.
+        *
+        * XXX If we want more audio units, we need to encode them
+        * more elaborately in the minor space.
         */
        maj = cdevsw_lookup_major(&audio_cdevsw);
        mn = device_unit(self);
-       vdevgone(maj, mn|SOUND_DEVICE, mn|SOUND_DEVICE, VCHR);
-       vdevgone(maj, mn|AUDIO_DEVICE, mn|AUDIO_DEVICE, VCHR);
-       vdevgone(maj, mn|AUDIOCTL_DEVICE, mn|AUDIOCTL_DEVICE, VCHR);
-       vdevgone(maj, mn|MIXER_DEVICE, mn|MIXER_DEVICE, VCHR);
+       if (mn <= 0xf) {
+               vdevgone(maj, mn|SOUND_DEVICE, mn|SOUND_DEVICE, VCHR);
+               vdevgone(maj, mn|AUDIO_DEVICE, mn|AUDIO_DEVICE, VCHR);
+               vdevgone(maj, mn|AUDIOCTL_DEVICE, mn|AUDIOCTL_DEVICE, VCHR);
+               vdevgone(maj, mn|MIXER_DEVICE, mn|MIXER_DEVICE, VCHR);
+       }
 
        /*
         * This waits currently running sysctls to finish if exists.
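
Review bot: the new guard "if (mn <= 0xf)" hard-codes the four-bit unit limit as a bare literal, so it is tied to the minor-number encoding only by the comment above it. If the encoding is widened, as the XXX note anticipates, this check will keep skipping vdevgone for units that have become openable, and the open/detach race the revoke exists to close would come back for exactly those units. Suggest expressing the bound through a named constant or small predicate shared with the code that extracts the unit from the minor number, so the two cannot drift apart. It would also help to state in the comment what guarantees that units above 15 have no open instances at this point, since the block that follows relies on that and nothing in this hunk asserts it.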


