Module Name: src
Committed By: riastradh
Date: Tue Jun 1 21:14:52 UTC 2021
Modified Files:
src/sys/dev/audio: audio.c
Log Message:
audio(4): Grab sc->sc_cred under sc->sc_lock before freeing.
Otherwise we may race with open, leaking a cred no longer in use and
freeing a cred still in use.
To generate a diff of this commit:
cvs rdiff -u -r1.98 -r1.99 src/sys/dev/audio/audio.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/audio/audio.c
diff -u src/sys/dev/audio/audio.c:1.98 src/sys/dev/audio/audio.c:1.99
--- src/sys/dev/audio/audio.c:1.98 Tue Jun 1 21:12:47 2021
+++ src/sys/dev/audio/audio.c Tue Jun 1 21:14:52 2021
@@ -1,4 +1,4 @@
-/* $NetBSD: audio.c,v 1.98 2021/06/01 21:12:47 riastradh Exp $ */
+/* $NetBSD: audio.c,v 1.99 2021/06/01 21:14:52 riastradh Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -138,7 +138,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.98 2021/06/01 21:12:47 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.99 2021/06/01 21:14:52 riastradh Exp $");
#ifdef _KERNEL_OPT
#include "audio.h"
@@ -2584,6 +2584,7 @@ audio_close(struct audio_softc *sc, audi
int
audio_unlink(struct audio_softc *sc, audio_file_t *file)
{
+ kauth_cred_t cred = NULL;
int error;
mutex_enter(sc->sc_lock);
@@ -2655,11 +2656,13 @@ audio_unlink(struct audio_softc *sc, aud
sc->hw_if->close(sc->hw_hdl);
mutex_exit(sc->sc_intr_lock);
}
+ cred = sc->sc_cred;
+ sc->sc_cred = NULL;
}
mutex_exit(sc->sc_lock);
- if (sc->sc_popens + sc->sc_ropens == 0)
- kauth_cred_free(sc->sc_cred);
+ if (cred)
+ kauth_cred_free(cred);
TRACE(3, "done");
