From: Ariff Abdullah
Date: Thu, 16 Mar 2006 04:12:49 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/dev/sound/pcm sound.c sound.h vchan.c
Message-Id: <200603160412.k2G4Co44022705@repoman.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD

ariff       2006-03-16 04:12:49 UTC

  FreeBSD src repository

  Modified files:
    sys/dev/sound/pcm    sound.c sound.h vchan.c
  Log:
  Fix severe 8bit integer overflow during channel creation and
  destruction, especially for vchans. It turns out that channel
  numbering always depends on the d->devcount counter (which keeps
  increasing), while PCMMKMINOR() truncates everything to 8bit length.
  At some point the truncation causes the newly created character
  device to overlap with an existing one, causing erratic overall
  system behaviour and panic.

  Easily reproduced with something like:
  (Luckily, only root can reproduce this)

  while : ; do
      sysctl hw.snd.pcm0.vchans=200
      sysctl hw.snd.pcm0.vchans=100
  done

  - Enforce channel/chardev numbering within 8bit boundary.
    Return E2BIG if necessary.
  - Traverse d->channels SLIST and try to reclaim "free" counter
    during channel creation. Don't rely on d->devcount at all.
  - Destroy vchans in reverse order.

  Anyway, this is not the fault of vchans. It is just that vchans are
  so cute and begging to be abused ;) . Don't blame her.

  Old, hidden bugs.. sigh..

  MFC after:      3 days

  Revision  Changes    Path
  1.99      +73 -32    src/sys/dev/sound/pcm/sound.c
  1.67      +11 -6     src/sys/dev/sound/pcm/sound.h
  1.23      +15 -6     src/sys/dev/sound/pcm/vchan.c
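
Added example, not part of the commit or of the FreeBSD source: a user-space C model of the numbering bug described in the log, next to the reclaim-a-free-number approach with E2BIG on exhaustion. The names struct dev, alloc_old, alloc_fixed, churn and fill_fixed are hypothetical, and the "& 0xff" mask is an assumed stand-in for the 8bit truncation done by PCMMKMINOR().

```c
#include <errno.h>
#include <stdio.h>

#define NCHAN 256                      /* numbers that fit in 8 bits */
struct dev {
    unsigned devcount;                 /* old scheme: only ever increases */
    unsigned char used[NCHAN];         /* stand-in for walking d->channels */
};

/* Old scheme; "& 0xff" is an assumed stand-in for the minor macro. */
static unsigned alloc_old(struct dev *d) { return d->devcount++ & 0xff; }

/* Fixed scheme: reclaim the lowest free number, E2BIG when none is left. */
static int alloc_fixed(struct dev *d, unsigned *out)
{
    for (unsigned i = 0; i < NCHAN; i++)
        if (!d->used[i]) { d->used[i] = 1; *out = i; return 0; }
    return E2BIG;
}

/* Keep one channel open, create/destroy another n times; count overlaps. */
static int churn(int fixed, unsigned n)
{
    struct dev d = {0};
    unsigned live = 0, m = 0;
    int hits = 0;
    if (!fixed) live = alloc_old(&d);
    else if (alloc_fixed(&d, &live)) return -1;
    for (unsigned i = 0; i < n; i++) {
        if (!fixed) m = alloc_old(&d);       /* devcount is never rewound */
        else if (alloc_fixed(&d, &m)) return -1;
        hits += (m == live);                 /* new number hit the open one */
        if (fixed) d.used[m] = 0;            /* destroy frees the number */
    }
    return hits;
}

/* Exhaustion under the fixed scheme: successes before E2BIG is returned. */
static int fill_fixed(void)
{
    struct dev d = {0};
    unsigned m = 0, n = 0;
    while (alloc_fixed(&d, &m) != E2BIG) n++;
    return (int)n;
}

int main(void)
{
    printf("old=%d fixed=%d cap=%d\n", churn(0, 600), churn(1, 600), fill_fixed());
    return 0;
}
```

In the old scheme the first overlap appears on the 256th create, once the counter wraps past the 8bit range; the fixed scheme reuses the freed number instead and refuses the 257th simultaneous channel.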