diff options
| author | ariff <ariff@FreeBSD.org> | 2006-03-16 04:12:49 +0000 |
|---|---|---|
| committer | ariff <ariff@FreeBSD.org> | 2006-03-16 04:12:49 +0000 |
| commit | 865b6c5d997ec0ccc6b93fe7d64bcd86bf666e10 (patch) | |
| tree | 75e8cb4510297130c31b89f23ab16dd3af1caaca /lib/libc/stdlib/hcreate.c | |
| parent | cf500594609f358a3564f3c9ca3f3d9c68bfdad4 (diff) | |
| download | FreeBSD-src-865b6c5d997ec0ccc6b93fe7d64bcd86bf666e10.zip FreeBSD-src-865b6c5d997ec0ccc6b93fe7d64bcd86bf666e10.tar.gz | |
Fix severe 8bit integer overflow during channel creation and destruction,
especially for vchans. It turns out that channel numbering always depend
on d->devcount counter (which keep increasing), while PCMMKMINOR() truncate
everything to 8bit length. At some point the truncation cause the newly
created character device overlapped with the existence one, causing erratic
overall system behaviour and panic. Easily reproduce with something like:
(Luckily, only root can reproduce this)
while : ; do
sysctl hw.snd.pcm0.vchans=200
sysctl hw.snd.pcm0.vchans=100
done
- Enforce channel/chardev numbering within 8bit boundary. Return E2BIG
if necessary.
- Traverse d->channels SLIST and try to reclaim "free" counter during channel
creation. Don't rely on d->devcount at all.
- Destroy vchans in reverse order.
Anyway, this is not the fault of vchans. It is just that vchans are so cute
and begging to be abused ;) . Don't blame her.
Old, hidden bugs.. sigh..
MFC after: 3 days
Diffstat (limited to 'lib/libc/stdlib/hcreate.c')
0 files changed, 0 insertions, 0 deletions
