
Fix severe 8bit integer overflow during channel creation and destruction,

Description

Fix severe 8bit integer overflow during channel creation and destruction,
especially for vchans. It turns out that channel numbering always depends
on the d->devcount counter (which keeps increasing), while PCMMKMINOR() truncates
everything to 8bit length. At some point the truncation causes the newly
created character device to overlap with an existing one, causing erratic
overall system behaviour and panics. Easily reproduced with something like:

(Luckily, only root can reproduce this)

    while : ; do
        sysctl hw.snd.pcm0.vchans=200
        sysctl hw.snd.pcm0.vchans=100
    done

  • Enforce channel/chardev numbering within 8bit boundary. Return E2BIG if necessary.
  • Traverse d->channels SLIST and try to reclaim "free" counter during channel creation. Don't rely on d->devcount at all.
  • Destroy vchans in reverse order.

Anyway, this is not the fault of vchans. It is just that vchans are so cute
and begging to be abused ;) . Don't blame her.

Old, hidden bugs.. sigh..

MFC after: 3 days
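To see the arithmetic behind the bug and the fix in isolation, the following is an added illustration and not code from the FreeBSD sound driver or from this commit. It models a device with a singly linked channel list, uses a plain 8-bit mask where the commit mentions PCMMKMINOR(), and replays the sysctl loop above (grow to 200, shrink to 100, repeat) against both numbering schemes. Struct and function names, the loop parameters and the "newest first" list order are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MINOR_BITS 8
#define MAX_UNITS  (1u << MINOR_BITS)   /* only 256 distinct minors fit in 8 bits */

/* Hypothetical channel/device model; not FreeBSD's pcm_channel / snddev_info. */
struct chan {
    unsigned     unit;   /* number the character device would be created under */
    struct chan *next;   /* singly linked, newest channel at the head */
};

struct dev {
    unsigned     devcount;  /* monotonically increasing creation counter */
    unsigned     nchans;
    struct chan *channels;
};

static int unit_in_use(const struct dev *d, unsigned unit)
{
    for (const struct chan *c = d->channels; c != NULL; c = c->next)
        if (c->unit == unit)
            return 1;
    return 0;
}

/* Old scheme: derive the minor from the ever-growing counter, truncated to 8 bits. */
static int alloc_unit_counter(struct dev *d, unsigned *unit)
{
    *unit = d->devcount++ & (MAX_UNITS - 1);
    return 0;
}

/* Fixed scheme: walk the list, hand out the lowest unit no live channel holds,
 * and refuse with E2BIG once all 256 are taken instead of wrapping around. */
static int alloc_unit_scan(struct dev *d, unsigned *unit)
{
    unsigned char used[MAX_UNITS] = {0};
    for (const struct chan *c = d->channels; c != NULL; c = c->next)
        used[c->unit] = 1;
    for (unsigned u = 0; u < MAX_UNITS; u++) {
        if (!used[u]) {
            *unit = u;
            return 0;
        }
    }
    return E2BIG;
}

/* Create one channel; *collided is set when the unit is already held by a live channel. */
static int chan_create(struct dev *d, int use_fix, int *collided)
{
    unsigned unit;
    int err = use_fix ? alloc_unit_scan(d, &unit) : alloc_unit_counter(d, &unit);
    if (err)
        return err;
    *collided = unit_in_use(d, unit);
    struct chan *c = malloc(sizeof *c);
    if (c == NULL)
        return ENOMEM;
    c->unit = unit;
    c->next = d->channels;     /* push at head */
    d->channels = c;
    d->nchans++;
    return 0;
}

/* Destroy the most recently created channel, i.e. tear down in reverse order. */
static void chan_destroy_newest(struct dev *d)
{
    struct chan *c = d->channels;
    if (c == NULL)
        return;
    d->channels = c->next;
    d->nchans--;
    free(c);
}

/* Equivalent of "sysctl hw.snd.pcm0.vchans=want": grow or shrink to want channels. */
static int set_vchans(struct dev *d, unsigned want, int use_fix, int *collisions)
{
    while (d->nchans < want) {
        int collided = 0;
        int err = chan_create(d, use_fix, &collided);
        if (err)
            return err;
        *collisions += collided;
    }
    while (d->nchans > want)
        chan_destroy_newest(d);
    return 0;
}

/* Replay the shell loop for `rounds` iterations. Returns the number of unit
 * numbers handed out while another live channel already held them, or a
 * negative errno (-E2BIG when the fixed scheme runs out of 8-bit minors). */
int simulate_loop(int use_fix, int rounds, unsigned high, unsigned low)
{
    struct dev d = { 0, 0, NULL };
    int collisions = 0, err = 0;
    for (int i = 0; i < rounds && err == 0; i++) {
        err = set_vchans(&d, high, use_fix, &collisions);
        if (err == 0)
            err = set_vchans(&d, low, use_fix, &collisions);
    }
    while (d.channels != NULL)
        chan_destroy_newest(&d);
    return err ? -err : collisions;
}

int main(void)
{
    printf("counter scheme, 2 rounds: %d overlapping units\n", simulate_loop(0, 2, 200, 100));
    printf("scan scheme, 2 rounds:    %d overlapping units\n", simulate_loop(1, 2, 200, 100));
    printf("scan scheme, ask for 300: %d (-E2BIG is %d)\n", simulate_loop(1, 1, 300, 0), -E2BIG);
    return 0;
}
```

In the second round the counter scheme has already consumed minors 200..255 and wraps back to 0 while channels 0..99 still exist, so 44 of the 100 new channels land on a unit that is already in use; that is the chardev overlap the commit describes. The scanning scheme reuses the freed 100..199 range and fails cleanly with E2BIG rather than wrapping.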

Details

Provenance
Ariff Abdullah <ariff@FreeBSD.org>, authored on Mar 16 2006, 4:12 AM
Parents
rGabaa31b2e904: Remove the nls/*/charset files to the exclude list. These files