freebsd-skq/sys/dev/sound/isa
ariff 2de8168c3f Fix severe out-of-bound mtx "type" pointer, causing WITNESS refcount
confusions and panic provided that the following conditions are met:

  1) WITNESS is enabled (watch/trace).
  2) Using modules, instead of statically linked (Not a strict
     requirement, but easier to reproduce this way).
  3) 2 or more modules share the same mtx type ("sound softc").
     - They might share the same name (strcmp() == 0), but they always
       point to different addresses.
  4) Repetitive kldunload/load on any module that shares the same mtx
     type (Not a strict requirement, but easier to reproduce this way).

     Consider module A and module B:
     - From enroll() - subr_witness.c:
       * Load module A. Everything seems fine right now.
         wA->w_refcount == 1 ; wA->w_name = "sound softc"
       * Load module B.
       * w->w_name == description will always fail.
         ("sound softc" from A and B point to different addresses).
       * wA->w_refcount > 0 && strcmp(description, wA->w_name) == 0
       * enroll() will return wA instead of returning (possibly unique)
         wB.
         wA->w_refcount++ , == 2.
       * Unload module A, mtx_destroy(), wA->w_name becomes invalid,
         but wA->w_refcount-- becomes 1 instead of 0. wA will not be
         removed from witness list.
       * Some other places call mtx_init(), iterating witness list,
         found wA, failed on wA->w_name == description
       * wA->w_refcount > 0 && strcmp(description, wA->w_name)
       * Panic on strcmp() since wA->w_name no longer points to a valid
         address.

Note that this could happen in other places as well, not just sound
(eg. consider lots of drivers that share similar MTX_NETWORK_LOCK).

Solutions (for sound case):
  1) Provide unique mtx type string for each mutex creation (chosen)
  or
  2) Put "sound softc" global variable somewhere and use it.
2007-03-15 16:41:27 +00:00
ad1816.c Fix severe out-of-bound mtx "type" pointer, causing WITNESS refcount 2007-03-15 16:41:27 +00:00
ad1816.h Remove dead email address. 2007-02-02 13:44:09 +00:00
ess.c MFp4 (114068): 2007-02-23 13:47:34 +00:00
gusc.c - Compile time compatibility for pre/post newbus API (intr filter) 2007-02-23 19:40:13 +00:00
mss.c Fix severe out-of-bound mtx "type" pointer, causing WITNESS refcount 2007-03-15 16:41:27 +00:00
mss.h Remove dead email address. 2007-02-02 13:44:09 +00:00
sb8.c MFp4 (114068): 2007-02-23 13:47:34 +00:00
sb16.c MFp4 (114068): 2007-02-23 13:47:34 +00:00
sb.h Add a standard BSD license to these files. 2007-02-02 13:33:35 +00:00
sbc.c Fix severe out-of-bound mtx "type" pointer, causing WITNESS refcount 2007-03-15 16:41:27 +00:00
sndbuf_dma.c Start each of the license/copyright comments with /*-, minor shuffle of lines 2005-01-06 01:43:34 +00:00