Date: Wed, 22 Aug 2001 15:59:17 -0400 (EDT)
From: The Anarcat <anarcat@anarcat.dyndns.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/29964: Setting ioctl SNDCTL_DSP_CHANNELS to an unaccepted value sets it to another unaccepted value
Message-ID: <20010822195917.BFA2120AFC@shall.anarcat.dyndns.org>
>Number: 29964
>Category: kern
>Synopsis: Setting ioctl SNDCTL_DSP_CHANNELS to an unaccepted value sets it to another unaccepted value
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 22 13:00:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: The Anarcat
>Release: FreeBSD 4.4-RC i386
>Organization: Nada, Inc.
>Environment:
System: FreeBSD shall.anarcat.dyndns.org 4.4-RC FreeBSD 4.4-RC #4: Wed Aug 22 12:21:57 EDT 2001 anarcat@shall.anarcat.dyndns.org:/usr/obj/usr/src/sys/SHALL i386

FreeBSD Audio Driver (newpcm) Aug 22 2001 12:19:11
Installed devices:
pcm0: <SB16 DSP 4.16> at io 0x220 irq 5 drq 1:5 (1p/1r/0v channels duplex)
>Description:
Using a test program (rec: http://anarcat.dyndns.org/ftp/pub/FreeBSD/local/src/rec.tar.gz), setting the number of read channels to 4 on a soundcard that supports only 2 (my soundblaster) sets the number of channels to 0, which is nonsensical.
>How-To-Repeat:
anarcat@shall [rec]$ ./rec -c 4 test.raw
recording until INT (control-c).
number of channels (4) not supported, falling back to 0
Device: /dev/dsp
Output format: 44100 Hz, 0 channels, 16 bits signed little-endian
Floating point exception (core dumped)
>Fix:
I tried to dig around in the newpcm driver a bit, but it's a bit harsh for me, as I have no knowledge of FreeBSD kernel driver internals.

The SNDCTL_DSP_CHANNELS (or SOUND_PCM_WRITE_CHANNELS) ioctl is handled in: $FreeBSD: src/sys/dev/sound/pcm/dsp.c,v 1.15.2.9 2001/08/15 00:34:59 cg Exp $, line 673.

Now there, a few things happen that I do not understand.

Problem 1:

    if (*arg_i == 1 || *arg_i == 2) {
        ...
    } else
        *arg_i = 0;

That means that we do not support channel counts != 1 or 2, right? Then we should instead change *arg_i to a sane value, *not* 0!

Fix 1: if arg_i is not 1 or 2, make it 2.
--- /sys/dev/sound/pcm/dsp.c Tue Aug 21 13:14:47 2001 +++ /home/anarcat/dsp.c.new Wed Aug 22 15:31:12 2001 
@@ -672,25 +672,25 @@ case SOUND_PCM_WRITE_CHANNELS: /* case SNDCTL_DSP_CHANNELS: ( == SOUND_PCM_WRITE_CHANNELS) */ - if (*arg_i == 1 || *arg_i == 2) { - tmp = 0; - *arg_i = (*arg_i == 2)? AFMT_STEREO : 0; - if (wrch) { - CHN_LOCK(wrch); - ret = chn_setformat(wrch, (wrch->format & ~AFMT_STEREO) | *arg_i); - tmp = (wrch->format & AFMT_STEREO)? 2 : 1; - CHN_UNLOCK(wrch); - } - if (rdch && ret == 0) { - CHN_LOCK(rdch); - ret = chn_setformat(rdch, (rdch->format & ~AFMT_STEREO) | *arg_i); - if (tmp == 0) - tmp = (rdch->format & AFMT_STEREO)? 2 : 1; - CHN_UNLOCK(rdch); - } - *arg_i = tmp; - } else - *arg_i = 0; + if (*arg_i != 1 && *arg_i != 2) { + *arg_i = 2; + } + tmp = 0; + *arg_i = (*arg_i == 2)? AFMT_STEREO : 0; + if (wrch) { + CHN_LOCK(wrch); + ret = chn_setformat(wrch, (wrch->format & ~AFMT_STEREO) | *arg_i); + tmp = (wrch->format & AFMT_STEREO)? 2 : 1; + CHN_UNLOCK(wrch); + } + if (rdch && ret == 0) { + CHN_LOCK(rdch); + ret = chn_setformat(rdch, (rdch->format & ~AFMT_STEREO) | *arg_i); + if (tmp == 0) + tmp = (rdch->format & AFMT_STEREO)? 2 : 1; + CHN_UNLOCK(rdch); + } + *arg_i = tmp; break; case SOUND_PCM_READ_CHANNELS: Problem 2: Now this might be the core of the problem, and obviously, the most uncomprehensible. :) From what I can understand here, tmp = 0; *arg_i = (*arg_i == 2)? AFMT_STEREO : 0; if (wrch) { CHN_LOCK(wrch); ret = chn_setformat(wrch, (wrch->format & ~AFMT_STEREO) | *arg_i); tmp = (wrch->format & AFMT_STEREO)? 2 : 1; CHN_UNLOCK(wrch); } if (rdch && ret == 0) { CHN_LOCK(rdch); ret = chn_setformat(rdch, (rdch->format & ~AFMT_STEREO) | *arg_i); if (tmp == 0) tmp = (rdch->format & AFMT_STEREO)? 2 : 1; CHN_UNLOCK(rdch); } *arg_i = tmp; if !wrch, then the second if will rely on an undefine value of ret. If that value is not 0, the second if will not be executed, and therefore tmp = *arg_i will be 0! Shouldn't ret be initialized (to 0) at the beginning of the case? I think there are many of these around the switch, so I don't know if I'm wrong here. 
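Review bot: the final `*arg_i = tmp;` can still hand 0 back to the caller, because `tmp` starts at 0 and is only assigned inside `if (wrch)` or inside `if (rdch && ret == 0)`. When wrch is NULL and the second branch is skipped (rdch NULL, or `ret` nonzero on entry), the clamp at the top changes nothing and the caller still gets 0 channels. This hunk does not show where `ret` is declared, so unless it is already zeroed earlier in the function, set `ret = 0;` at the start of the case, and consider returning an error instead of writing back 0 when neither branch ran. Two smaller points: the new `if (*arg_i != 1 && *arg_i != 2)` turns every other value, including 0 and negative numbers, into stereo, which deserves a one-line comment saying the caller is expected to read back the result; and the file headers use absolute paths (/sys/dev/sound/pcm/dsp.c and /home/anarcat/dsp.c.new), so the diff should be regenerated relative to the source tree to apply cleanly.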
So my "fix" here would be to add ret = 0; at the beginning of the case.
>Release-Note:
>Audit-Trail:
>Unformatted:
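The Problem 2 argument above, as an added example that is not part of the original report or of the FreeBSD source: a user-space C model of the case body, with hypothetical names (set_channels, record_only, ret_on_entry, fix1) and stand-ins for chn_setformat(), the channel structure and AFMT_STEREO. It assumes, as the report does, that ret is not set before the case, and that a record-only open means wrch == NULL; it shows that Fix 1 alone still returns 0 when the stale ret is nonzero.

```c
#include <stdio.h>

#define AFMT_STEREO 0x10000000u      /* stand-in for the stereo format bit */
struct chan { unsigned format; };    /* stand-in for the driver's channel object */

/* Stand-in for chn_setformat(): accept the format and report success. */
static int chn_setformat(struct chan *c, unsigned fmt) { c->format = fmt; return 0; }

/*
 * Model of the SOUND_PCM_WRITE_CHANNELS case body quoted in the report
 * (locking omitted). ret_on_entry is whatever `ret` holds when the case
 * starts; fix1 selects the report's Fix 1. Returns the value written to *arg_i.
 */
static int set_channels(struct chan *wrch, struct chan *rdch, int arg,
                        int ret_on_entry, int fix1)
{
    int ret = ret_on_entry, tmp = 0;
    if (arg != 1 && arg != 2) {
        if (!fix1)
            return 0;                /* original: else *arg_i = 0 */
        arg = 2;                     /* Fix 1: fall back to stereo */
    }
    arg = (arg == 2) ? AFMT_STEREO : 0;
    if (wrch) {
        ret = chn_setformat(wrch, (wrch->format & ~AFMT_STEREO) | arg);
        tmp = (wrch->format & AFMT_STEREO) ? 2 : 1;
    }
    if (rdch && ret == 0) {          /* skipped when ret is stale and nonzero */
        ret = chn_setformat(rdch, (rdch->format & ~AFMT_STEREO) | arg);
        if (tmp == 0)
            tmp = (rdch->format & AFMT_STEREO) ? 2 : 1;
    }
    return tmp;
}

/* Record-only open (assumed here to mean wrch == NULL) asking for `arg` channels. */
int record_only(int arg, int ret_on_entry, int fix1)
{
    struct chan rd = { 0 };
    return set_channels(NULL, &rd, arg, ret_on_entry, fix1);
}

int main(void)
{
    printf("original, 4 channels:        %d\n", record_only(4, 0, 0));
    printf("Fix 1 only, stale ret = -1:  %d\n", record_only(4, -1, 1));
    printf("Fix 1 plus ret = 0:          %d\n", record_only(4, 0, 1));
    return 0;
}
```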