Module Name: src Committed By: riastradh Date: Tue Apr 19 09:19:53 UTC 2022
Modified Files: src/sys/dev/audio: audio.c Log Message: audio(4): Wait for opens to drain in detach. Otherwise detach may barge ahead and start freeing things before open has finished and is about to use them after free. Reported-by: syzbot+31d2619e72c2c8436...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.123 -r1.124 src/sys/dev/audio/audio.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/audio/audio.c
diff -u src/sys/dev/audio/audio.c:1.123 src/sys/dev/audio/audio.c:1.124
--- src/sys/dev/audio/audio.c:1.123 Sat Apr 9 23:35:58 2022
+++ src/sys/dev/audio/audio.c Tue Apr 19 09:19:53 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: audio.c,v 1.123 2022/04/09 23:35:58 riastradh Exp $ */
+/* $NetBSD: audio.c,v 1.124 2022/04/19 09:19:53 riastradh Exp $ */
 /*-
 * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -181,7 +181,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.123 2022/04/09 23:35:58 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.124 2022/04/19 09:19:53 riastradh Exp $");
 #ifdef _KERNEL_OPT
 #include "audio.h"
@@ -1344,6 +1344,7 @@ audiodetach(device_t self, int flags)
 {
 struct audio_softc *sc;
 struct audio_file *file;
+ int maj, mn;
 int error;
 sc = device_private(self);
@@ -1359,6 +1360,16 @@ audiodetach(device_t self, int flags)
 return error;
 /*
+ * Prevent new opens and wait for existing opens to complete.
+ */
+ maj = cdevsw_lookup_major(&audio_cdevsw);
+ mn = device_unit(self);
+ vdevgone(maj, mn|SOUND_DEVICE, mn|SOUND_DEVICE, VCHR);
+ vdevgone(maj, mn|AUDIO_DEVICE, mn|AUDIO_DEVICE, VCHR);
+ vdevgone(maj, mn|AUDIOCTL_DEVICE, mn|AUDIOCTL_DEVICE, VCHR);
+ vdevgone(maj, mn|MIXER_DEVICE, mn|MIXER_DEVICE, VCHR);
+
+ /*
 * This waits currently running sysctls to finish if exists.
 * After this, no more new sysctls will come.
 */
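Review bot: The new comment in the last audiodetach hunk (`@@ -1359,6 +1360,16 @@`) says new opens are prevented, but the added lines only call vdevgone() on the four minor classes, which acts on vnodes that already exist. Nothing visible in the hunk marks the device as going away before those calls, so whether an open that starts after the last vdevgone() can still reach the softc before it is freed depends on code outside the hunk; audiodetach begins and continues beyond it. If that guarantee lives elsewhere, the comment should name it so the use-after-free reasoning can be checked in one place, for example `* Revoke existing vnodes and wait for opens in progress to drain; new opens are refused by <mechanism>.` The result of cdevsw_lookup_major() is also passed on unchecked, and an assertion such as `KASSERT(maj != NODEVMAJOR);` would document the assumption that audio_cdevsw is always attached at this point.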