Module Name: src Committed By: nat Date: Sat Jan 21 22:54:11 UTC 2017
Modified Files: src/sys/dev: audio.c Log Message: Don't release/reacquire thread lock during open in setup_[p/r]filters. This can lead to panics and/or unpredictable behaviour. Found by maya@ Addresses PR kern/51746. To generate a diff of this commit: cvs rdiff -u -r1.292 -r1.293 src/sys/dev/audio.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/audio.c diff -u src/sys/dev/audio.c:1.292 src/sys/dev/audio.c:1.293 --- src/sys/dev/audio.c:1.292 Sat Jan 21 22:22:41 2017 +++ src/sys/dev/audio.c Sat Jan 21 22:54:11 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: audio.c,v 1.292 2017/01/21 22:22:41 nat Exp $ */ +/* $NetBSD: audio.c,v 1.293 2017/01/21 22:54:11 nat Exp $ */ /*- * Copyright (c) 2016 Nathanial Sloss <nathanialsl...@yahoo.com.au> @@ -148,7 +148,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.292 2017/01/21 22:22:41 nat Exp $"); +__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.293 2017/01/21 22:54:11 nat Exp $"); #include "audio.h" #if NAUDIO > 0 @@ -1186,7 +1186,6 @@ audio_setup_pfilters(struct audio_softc vc = sc->sc_vchan[m]; /* Construct new filters. */ - mutex_exit(sc->sc_lock); memset(pf, 0, sizeof(pf)); memset(ps, 0, sizeof(ps)); from_param = pp; @@ -1210,10 +1209,8 @@ audio_setup_pfilters(struct audio_softc pf[i]->dtor(pf[i]); audio_stream_dtor(&ps[i]); } - mutex_enter(sc->sc_lock); return EINVAL; } - mutex_enter(sc->sc_lock); /* Swap in new filters. */ mutex_enter(sc->sc_intr_lock); @@ -1237,12 +1234,10 @@ audio_setup_pfilters(struct audio_softc mutex_exit(sc->sc_intr_lock); /* Destroy old filters. */ - mutex_exit(sc->sc_lock); for (i = 0; i < onfilters; i++) { of[i]->dtor(of[i]); audio_stream_dtor(&os[i]); } - mutex_enter(sc->sc_lock); #ifdef AUDIO_DEBUG printf("%s: HW-buffer=%p pustream=%p\n", @@ -1273,7 +1268,6 @@ audio_setup_rfilters(struct audio_softc vc = sc->sc_vchan[m]; /* Construct new filters. */ - mutex_exit(sc->sc_lock); memset(rf, 0, sizeof(rf)); memset(rs, 0, sizeof(rs)); for (i = 0; i < rfilters->req_size; i++) { @@ -1302,10 +1296,8 @@ audio_setup_rfilters(struct audio_softc rf[i]->dtor(rf[i]); audio_stream_dtor(&rs[i]); } - mutex_enter(sc->sc_lock); return EINVAL; } - mutex_enter(sc->sc_lock); /* Swap in new filters. */ mutex_enter(sc->sc_intr_lock); @@ -1340,12 +1332,10 @@ audio_setup_rfilters(struct audio_softc #endif /* AUDIO_DEBUG */ /* Destroy old filters. */ - mutex_exit(sc->sc_lock); for (i = 0; i < onfilters; i++) { of[i]->dtor(of[i]); audio_stream_dtor(&os[i]); } - mutex_enter(sc->sc_lock); return 0; } @@ -1784,8 +1774,7 @@ audio_initbufs(struct audio_softc *sc, i DPRINTF(("audio_initbufs: mode=0x%x\n", sc->sc_vchan[n]->sc_mode)); vc = sc->sc_vchan[0]; hw = sc->hw_if; - if ((audio_can_capture(sc) && n == 0) || - (sc->sc_vchan[n]->sc_open & AUOPEN_READ)) { + if (audio_can_capture(sc) || (sc->sc_vchan[n]->sc_open & AUOPEN_READ)) { audio_init_ringbuffer(sc, &sc->sc_vchan[n]->sc_mrr, AUMODE_RECORD); if (sc->sc_opens == 0 && hw->init_input && @@ -1797,8 +1786,8 @@ audio_initbufs(struct audio_softc *sc, i } } - if ((audio_can_playback(sc) && n == 0) || - (sc->sc_vchan[n]->sc_open & AUOPEN_WRITE)) { + if (audio_can_playback(sc) || + (sc->sc_vchan[n]->sc_open & AUOPEN_WRITE)) { audio_init_ringbuffer(sc, &sc->sc_vchan[n]->sc_mpr, AUMODE_PLAY); sc->sc_vchan[n]->sc_sil_count = 0; @@ -1937,6 +1926,8 @@ audio_open(dev_t dev, struct audio_softc return error; } + audio_initbufs(sc, n); + if (sc->sc_opens == 0) { if (hw->open != NULL) { mutex_enter(sc->sc_intr_lock); @@ -3204,9 +3195,7 @@ audio_mmap(struct audio_softc *sc, off_t } } - mutex_exit(sc->sc_lock); rv = (paddr_t)(uintptr_t)(cb->s.start + off); - mutex_enter(sc->sc_lock); return rv; }