sound: Address race between pcm_unregister() and dsp_close()
AbandonedPublic
Actions

Authored by christos on Nov 20 2025, 3:19 PM.

Details

Reviewers

markj
emaste
kib
imp

Summary

There is an easily reproducable case (see modification in tests), where
pcm_unregister() will clear SD_F_REGISTERED and start killing channels
(pcm_killchans()), right before dsp_close() acquires the PCM lock, which
will can lead to a panic in dsp_close().

The fix is rather hacky and ugly, but it does the job for now.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 68769
Build 65652: arc lint + arc unit

Event Timeline

christos requested review of this revision.Nov 20 2025, 3:19 PM

christos created this revision.

Harbormaster completed remote builds in B68769: Diff 166853.Nov 20 2025, 3:19 PM

christos added a parent revision: D53614: sound tests: Test hot-unload.Nov 20 2025, 3:20 PM

christos retitled this revision from sound: Address race in dsp_close() to sound: Address race between pcm_unregister() and dsp_close().

Abandoning. It seems similar races exist across most syscalls, especially dsp_ioctl(). They can be triggered by running the test suite (with the patch here included) with -v parallelism=8.

christos abandoned this revision.Nov 20 2025, 3:43 PM

christos mentioned this in D53851: sound: Simplify locking in sysctl_dev_pcm_bitperfect().Nov 21 2025, 10:13 AM