Date: Wed, 14 Jan 2004 13:13:03 +0100 From: Stefan Ehmann <shoesoft@gmx.net> To: Don Lewis <truckman@FreeBSD.org> Cc: current@FreeBSD.org Subject: Re: sound/pcm/* bugs (was: Re: page fault panic tracked down (selwakeuppri()) - really sound/pcm/*) Message-ID: <1074082382.914.11.camel@shoeserv.freebsd> In-Reply-To: <200401140616.i0E6G17E038163@gw.catspoiler.org> References: <200401140616.i0E6G17E038163@gw.catspoiler.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 2004-01-14 at 07:16, Don Lewis wrote: > I stared at the code some more and cranked out another patch. I think > the problem is in chn_setblocksize(). In the case of the csa driver, > blksz is hardwired to 2048. If the client of one of the vchans attempts > to set blksz to something smaller than that, the vchan will notify its > parent, which will call chn_setblocksize() with smaller requested value. > chn_setblocksize() will resize its bufsoft to the smaller size, but > bufhard will stay at 2048. This will trigger the buffer overflow in > feed_vchan_s16(). > > The following patch changes chn_setblocksize() to resize bufsoft after > bufhard so that their bufsz values match. It would also be possible to > modify the code to resize bufsoft to the larger of the the bufhard bufsz > or the requested value, but I don't see any advantage to this. I don't > think that the code will do the right thing if a vchan is configured > with a smaller bufsz than its parent since the vchan won't be able to > fill the parent buffer each time it is polled, but at least this should > get rid of the buffer overflow. > > I'm tempted to go ahead and commit the CHN_LOCKASSERT() and KASSERT() -> > panic() changes so that I don't have to carry them around anymore. No luck - again... panic: mutex pcm0:fake not owned at /usr/src/sys/dev/sound/pcm/channel.c:834 at boottime
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1074082382.914.11.camel>