cvs commit: src/sys/dev/sound/pcm sound.c sound.h vchan.c
Ariff Abdullah
ariff at FreeBSD.org
Thu Mar 16 04:12:50 UTC 2006
ariff 2006-03-16 04:12:49 UTC
FreeBSD src repository
Modified files:
sys/dev/sound/pcm sound.c sound.h vchan.c
Log:
Fix severe 8bit integer overflow during channel creation and destruction,
especially for vchans. It turns out that channel numbering always depend
on d->devcount counter (which keep increasing), while PCMMKMINOR() truncate
everything to 8bit length. At some point the truncation cause the newly
created character device overlapped with the existence one, causing erratic
overall system behaviour and panic. Easily reproduce with something like:
(Luckily, only root can reproduce this)
while : ; do
sysctl hw.snd.pcm0.vchans=200
sysctl hw.snd.pcm0.vchans=100
done
- Enforce channel/chardev numbering within 8bit boundary. Return E2BIG
if necessary.
- Traverse d->channels SLIST and try to reclaim "free" counter during channel
creation. Don't rely on d->devcount at all.
- Destroy vchans in reverse order.
Anyway, this is not the fault of vchans. It is just that vchans are so cute
and begging to be abused ;) . Don't blame her.
Old, hidden bugs.. sigh..
MFC after: 3 days
Revision Changes Path
1.99 +73 -32 src/sys/dev/sound/pcm/sound.c
1.67 +11 -6 src/sys/dev/sound/pcm/sound.h
1.23 +15 -6 src/sys/dev/sound/pcm/vchan.c
More information about the cvs-src
mailing list