cvs commit: src/sys/dev/sound/isa ad1816.c mss.c sbc.c src/sys/dev/sound/pci als4000.c atiixp.c cmi.c ds1.c emu10k1.c emu10kx-pcm.c envy24.c envy24ht.c es137x.c ich.c maestro.c maestro3.c solo.c t4dwave.c via8233.c via82c686.c ...

Ariff Abdullah ariff at FreeBSD.org
Thu Mar 15 16:41:28 UTC 2007


ariff       2007-03-15 16:41:27 UTC

  FreeBSD src repository

  Modified files:
    sys/dev/sound/isa    ad1816.c mss.c sbc.c 
    sys/dev/sound/pci    als4000.c atiixp.c cmi.c ds1.c emu10k1.c 
                         emu10kx-pcm.c envy24.c envy24ht.c 
                         es137x.c ich.c maestro.c maestro3.c 
                         solo.c t4dwave.c via8233.c via82c686.c 
    sys/dev/sound/sbus   cs4231.c 
  Log:
  Fix severe out-of-bound mtx "type" pointer, causing WITNESS refcount
  confusions and panic provided that the following conditions are met:
  
    1) WITNESS is enabled (watch/trace).
    2) Using modules, instead of statically linked (Not a strict
       requirement, but easier to reproduce this way).
    3) 2 or more modules share the same mtx type ("sound softc").
       - They might share the same name (strcmp() == 0), but they always
         point to different addresses.
    4) Repetitive kldunload/load on any module that shares the same mtx
       type (Not a strict requirement, but easier to reproduce this way).
  
       Consider module A and module B:
       - From enroll() - subr_witness.c:
         * Load module A. Everything seems fine right now.
           wA->w_refcount == 1 ; wA->w_name = "sound softc"
         * Load module B.
         * w->w_name == description will always fail.
           ("sound softc" from A and B point to different addresses).
         * wA->w_refcount > 0 && strcmp(description, wA->w_name) == 0
         * enroll() will return wA instead of returning (possibly unique)
           wB.
           wA->w_refcount++ , == 2.
         * Unload module A, mtx_destroy(), wA->w_name becomes invalid,
           but wA->w_refcount-- becomes 1 instead of 0. wA will not be
           removed from witness list.
         * Some other places call mtx_init(), iterating witness list,
           found wA, failed on wA->w_name == description
         * wA->w_refcount > 0 && strcmp(description, wA->w_name)
         * Panic on strcmp() since wA->w_name no longer points to a valid
           address.
  
  Note that this could happen in other places as well, not just sound
  (e.g. consider lots of drivers that share similar MTX_NETWORK_LOCK).
  
  Solutions (for sound case):
    1) Provide unique mtx type string for each mutex creation (chosen)
    or
    2) Put "sound softc" global variable somewhere and use it.
  
  Revision  Changes    Path
  1.42      +2 -1      src/sys/dev/sound/isa/ad1816.c
  1.108     +1 -1      src/sys/dev/sound/isa/mss.c
  1.48      +2 -1      src/sys/dev/sound/isa/sbc.c
  1.24      +1 -1      src/sys/dev/sound/pci/als4000.c
  1.11      +1 -1      src/sys/dev/sound/pci/atiixp.c
  1.40      +1 -1      src/sys/dev/sound/pci/cmi.c
  1.49      +1 -1      src/sys/dev/sound/pci/ds1.c
  1.65      +1 -1      src/sys/dev/sound/pci/emu10k1.c
  1.7       +1 -1      src/sys/dev/sound/pci/emu10kx-pcm.c
  1.10      +1 -3      src/sys/dev/sound/pci/envy24.c
  1.10      +2 -3      src/sys/dev/sound/pci/envy24ht.c
  1.63      +1 -1      src/sys/dev/sound/pci/es137x.c
  1.72      +1 -1      src/sys/dev/sound/pci/ich.c
  1.35      +1 -1      src/sys/dev/sound/pci/maestro.c
  1.32      +1 -6      src/sys/dev/sound/pci/maestro3.c
  1.41      +1 -1      src/sys/dev/sound/pci/solo.c
  1.50      +1 -1      src/sys/dev/sound/pci/t4dwave.c
  1.30      +2 -1      src/sys/dev/sound/pci/via8233.c
  1.39      +2 -1      src/sys/dev/sound/pci/via82c686.c
  1.7       +1 -6      src/sys/dev/sound/sbus/cs4231.c
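
The sequence in the log, as an added userland model (not code from the commit or from subr_witness.c). `struct module`, `stale_after_unload()` and the "snd_a softc"/"snd_b softc" type strings are constructed for illustration; a stack buffer stands in for module memory and is never dereferenced after the simulated unload.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the matching the log describes; not subr_witness.c. */
struct module  { char type[24]; };  /* mtx type string lives in module memory */
struct witness { const char *w_name; int w_refcount; };

static struct witness w_list[8];
static size_t w_count;

/* Pointer match first, then strcmp() against entries that are still referenced. */
static struct witness *enroll(const char *description)
{
    for (size_t i = 0; i < w_count; i++) {
        struct witness *w = &w_list[i];
        if (w->w_name == description ||
            (w->w_refcount > 0 && strcmp(description, w->w_name) == 0)) {
            w->w_refcount++;
            return w;
        }
    }
    if (w_count == sizeof w_list / sizeof w_list[0]) return NULL;
    w_list[w_count] = (struct witness){ description, 1 };
    return &w_list[w_count++];
}

/* Load A, load B, unload A; count referenced witnesses whose w_name points into A. */
static int stale_after_unload(const char *type_a, const char *type_b)
{
    struct module a = {{0}}, b = {{0}};
    int stale = 0;
    w_count = 0;
    strncpy(a.type, type_a, sizeof a.type - 1);
    strncpy(b.type, type_b, sizeof b.type - 1);
    struct witness *wa = enroll(a.type);  /* mtx_init() in module A */
    enroll(b.type);                       /* mtx_init() in module B */
    wa->w_refcount--;                     /* mtx_destroy() as A is unloaded */

    for (size_t i = 0; i < w_count; i++)
        if (w_list[i].w_refcount > 0 && w_list[i].w_name == a.type)
            stale++;  /* a later strcmp() on this entry would read unloaded memory */
    return stale;
}

int main(void)
{
    printf("shared type:  %d stale\n", stale_after_unload("sound softc", "sound softc"));
    printf("unique types: %d stale\n", stale_after_unload("snd_a softc", "snd_b softc"));
    return 0;
}
```

With a shared type string the entry created for A survives A's unload with a refcount of 1; with a unique string per mutex, each module gets its own entry and A's refcount drops to 0.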

