Module Name: src Committed By: riastradh Date: Tue Jun 1 21:14:52 UTC 2021
Modified Files: src/sys/dev/audio: audio.c Log Message: audio(4): Grab sc->sc_cred under sc->sc_lock before freeing. Otherwise we may race with open, leaking a cred no longer in use and freeing a cred still in use. To generate a diff of this commit: cvs rdiff -u -r1.98 -r1.99 src/sys/dev/audio/audio.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/audio/audio.c diff -u src/sys/dev/audio/audio.c:1.98 src/sys/dev/audio/audio.c:1.99 --- src/sys/dev/audio/audio.c:1.98 Tue Jun 1 21:12:47 2021 +++ src/sys/dev/audio/audio.c Tue Jun 1 21:14:52 2021 @@ -1,4 +1,4 @@ -/* $NetBSD: audio.c,v 1.98 2021/06/01 21:12:47 riastradh Exp $ */ +/* $NetBSD: audio.c,v 1.99 2021/06/01 21:14:52 riastradh Exp $ */ /*- * Copyright (c) 2008 The NetBSD Foundation, Inc. @@ -138,7 +138,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.98 2021/06/01 21:12:47 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.99 2021/06/01 21:14:52 riastradh Exp $"); #ifdef _KERNEL_OPT #include "audio.h" @@ -2584,6 +2584,7 @@ audio_close(struct audio_softc *sc, audi int audio_unlink(struct audio_softc *sc, audio_file_t *file) { + kauth_cred_t cred = NULL; int error; mutex_enter(sc->sc_lock); @@ -2655,11 +2656,13 @@ audio_unlink(struct audio_softc *sc, aud sc->hw_if->close(sc->hw_hdl); mutex_exit(sc->sc_intr_lock); } + cred = sc->sc_cred; + sc->sc_cred = NULL; } mutex_exit(sc->sc_lock); - if (sc->sc_popens + sc->sc_ropens == 0) - kauth_cred_free(sc->sc_cred); + if (cred) + kauth_cred_free(cred); TRACE(3, "done");