Ariff Abdullah 4582b3a100 Fix severe out-of-bound mtx "type" pointer, causing WITNESS refcount
confusions and panic provided that the following conditions are met:

  1) WITNESS is enabled (watch/trace).
  2) Using modules, instead of statically linked (Not a strict
     requirement, but easier to reproduce this way).
  3) 2 or more modules share the same mtx type ("sound softc").
     - They might share the same name (strcmp() == 0), but it always
       point to different address.
  4) Repetitive kldunload/load on any module that shares the same mtx
     type (Not a strict requirement, but easier to reproduce this way).

     Consider module A and module B:
     - From enroll() - subr_witness.c:
       * Load module A. Everything seems fine right now.
         wA-w_refcount == 1 ; wA-w_name = "sound softc"
       * Load module B.
       * w->w_name == description will always fail.
         ("sound softc" from A and B point to different address).
       * wA->w_refcount > 0 && strcmp(description, wA->w_name) == 0
       * enroll() will return wA instead of returning (possibly unique)
         wB.
         wA->w_refcount++ , == 2.
       * Unload module A, mtx_destroy(), wA->w_name become invalid,
         but wA->w_refcount-- become 1 instead of 0. wA will not be
         removed from witness list.
       * Some other places call mtx_init(), iterating witness list,
         found wA, failed on wA->w_name == description
       * wA->w_refcount > 0 && strcmp(description, wA->w_name)
       * Panic on strcmp() since wA->w_name no longer point to valid
         address.

Note that this could happened in other places as well, not just sound
(eg. consider lots of drivers that share simmilar MTX_NETWORK_LOCK).

Solutions (for sound case):
  1) Provide unique mtx type string for each mutex creation (chosen)
  or
  2) Put "sound softc" global variable somewhere and use it.
2007-03-15 16:41:27 +00:00
..