audio

Taylor R Campbell Thu, 25 Aug 2022 04:16:41 -0700

Module Name:    src
Committed By:   riastradh
Date:           Thu Aug 25 11:16:34 UTC 2022


Modified Files:
        src/sys/dev/audio: audio.c

Log Message:
audio(4): Fix bug in detaching audio16 and beyond.

The minor numbers have only four bits for the unit number, so unit
numbers past 15 can't be represented as is.  Attempting to revoke
them was once harmless, when the system made no attempt to avoid
open/detach races; now it crashes because vdevgone assumes that the
minor number can be mapped back to an autoconf device, but it's the
wrong one.  With this change, we stop trying to revoke units beyond
15, because they can't be opened anyway (which may be a bug in its
own right, requiring expansion of the minor number encoding!).

Reported-by: syzbot+6634ffd48997ae9b1...@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=db40a795a0b078f9b3b9fa0d3b7a9addcd2534de

Reported-by: syzbot+d2df39bb3f72975c0...@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=cbdd598287529cff9a8c4230263f7414df88db4b

Reported-by: syzbot+1404969f68424f8f6...@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=6e4782408d0351769215fe433986f1844a546774

Reported-by: syzbot+2a4174a65609b3a00...@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=886bbee544c2337683e24c801f9b632630a24681

Reported-by: syzbot+c0d9e49f22e571650...@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=7fb2e5576ebae731e859283f85c97747d2824f35

Reported-by: syzbot+583ba2cdb8aa6e59a...@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=2af44f5245eba572ebfb222070b9fd1378854303


To generate a diff of this commit:
cvs rdiff -u -r1.135 -r1.136 src/sys/dev/audio/audio.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/audio/audio.c
diff -u src/sys/dev/audio/audio.c:1.135 src/sys/dev/audio/audio.c:1.136
--- src/sys/dev/audio/audio.c:1.135	Sat Aug 13 06:47:41 2022
+++ src/sys/dev/audio/audio.c	Thu Aug 25 11:16:33 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: audio.c,v 1.135 2022/08/13 06:47:41 isaki Exp $	*/
+/*	$NetBSD: audio.c,v 1.136 2022/08/25 11:16:33 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -181,7 +181,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.135 2022/08/13 06:47:41 isaki Exp $");
+__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.136 2022/08/25 11:16:33 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "audio.h"
@@ -1363,13 +1363,22 @@ audiodetach(device_t self, int flags)
 
 	/*
 	 * Prevent new opens and wait for existing opens to complete.
+	 *
+	 * At the moment there are only four bits in the minor for the
+	 * unit number, so we only revoke if the unit number could be
+	 * used in a device node.
+	 *
+	 * XXX If we want more audio units, we need to encode them
+	 * more elaborately in the minor space.
 	 */
 	maj = cdevsw_lookup_major(&audio_cdevsw);
 	mn = device_unit(self);
-	vdevgone(maj, mn|SOUND_DEVICE, mn|SOUND_DEVICE, VCHR);
-	vdevgone(maj, mn|AUDIO_DEVICE, mn|AUDIO_DEVICE, VCHR);
-	vdevgone(maj, mn|AUDIOCTL_DEVICE, mn|AUDIOCTL_DEVICE, VCHR);
-	vdevgone(maj, mn|MIXER_DEVICE, mn|MIXER_DEVICE, VCHR);
+	if (mn <= 0xf) {
+		vdevgone(maj, mn|SOUND_DEVICE, mn|SOUND_DEVICE, VCHR);
+		vdevgone(maj, mn|AUDIO_DEVICE, mn|AUDIO_DEVICE, VCHR);
+		vdevgone(maj, mn|AUDIOCTL_DEVICE, mn|AUDIOCTL_DEVICE, VCHR);
+		vdevgone(maj, mn|MIXER_DEVICE, mn|MIXER_DEVICE, VCHR);
+	}
 
 	/*
 	 * This waits currently running sysctls to finish if exists.

CVS commit: src/sys/dev/audio

Reply via email to