Drop sequencer mutex around uiomove() and make sure we don't move more bytes

than is available, else a panic might happen.

Found by:		Peter Holm <peter@holm.cc>
MFC after:		3 days
Sponsored by:		Mellanox Technologies

sys/dev/sound/midi/sequencer.c

@@ -921,7 +921,9 @@ mseq_read(struct cdev *i_dev, struct uio *uio, int ioflag)
 
 		SEQ_DEBUG(8, printf("midiread: uiomove cc=%d\n", used));
 		MIDIQ_DEQ(scp->in_q, buf, used);
+		mtx_unlock(&scp->seq_lock);
 		retval = uiomove(buf, used, uio);
+		mtx_lock(&scp->seq_lock);
 		if (retval)
 			goto err1;
 	}
@@ -996,7 +998,9 @@ mseq_write(struct cdev *i_dev, struct uio *uio, int ioflag)
 			retval = ENXIO;
 			goto err0;
 		}
+		mtx_unlock(&scp->seq_lock);
 		retval = uiomove(event, used, uio);
+		mtx_lock(&scp->seq_lock);
 		if (retval)
 			goto err0;
 
@@ -1034,7 +1038,9 @@ mseq_write(struct cdev *i_dev, struct uio *uio, int ioflag)
 			SEQ_DEBUG(2,
 			   printf("seq_write: SEQ_FULLSIZE flusing buffer.\n"));
 			while (uio->uio_resid > 0) {
-				retval = uiomove(event, EV_SZ, uio);
+				mtx_unlock(&scp->seq_lock);
+				retval = uiomove(event, MIN(EV_SZ, uio->uio_resid), uio);
+				mtx_lock(&scp->seq_lock);
 				if (retval)
 					goto err0;
 
@@ -1045,6 +1051,7 @@ mseq_write(struct cdev *i_dev, struct uio *uio, int ioflag)
 		}
 		retval = EINVAL;
 		if (ev_code >= 128) {
+			int error;
 
 			/*
 			 * Some sort of an extended event. The size is eight
@@ -1054,7 +1061,13 @@ mseq_write(struct cdev *i_dev, struct uio *uio, int ioflag)
 				SEQ_DEBUG(2, printf("seq_write: invalid level two event %x.\n", ev_code));
 				goto err0;
 			}
-			if (uiomove((caddr_t)&event[4], 4, uio)) {
+			mtx_unlock(&scp->seq_lock);
+			if (uio->uio_resid < 4)
+				error = EINVAL;
+			else
+				error = uiomove((caddr_t)&event[4], 4, uio);
+			mtx_lock(&scp->seq_lock);
+			if (error) {
 				SEQ_DEBUG(2,
 				   printf("seq_write: user memory mangled?\n"));
 				goto err0;