When paused (or overrun), the record ring pointers are not incremented

properly in audio_rint(), the periodic boundary conditions aren't met. This
causes, later read(2) to return EFAULT while trying to access unmapped
regions of the kernel address space. Fix this by using the correct pointer
arithmetic.

ok jakemsr@

diff --git a/sys/dev/audio.c b/sys/dev/audio.c
index 7fba234..3cea132 100644 (file)
--- a/sys/dev/audio.c
+++ b/sys/dev/audio.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: audio.c,v 1.95 2008/04/21 00:32:42 jakemsr Exp $      */
+/*     $OpenBSD: audio.c,v 1.96 2008/07/29 05:59:11 ratchov Exp $      */
 /*     $NetBSD: audio.c,v 1.119 1999/11/09 16:50:47 augustss Exp $     */
 
 /*
@@ -2227,11 +2227,15 @@ audio_rint(void *v)
                DPRINTFN(1, ("audio_rint: pdrops %lu\n", cb->pdrops));
                cb->pdrops += blksize;
                cb->outp += blksize;
+               if (cb->outp >= cb->end)
+                       cb->outp = cb->start;
                cb->used -= blksize;
        } else if (cb->used >= cb->usedhigh && !cb->copying) {
                DPRINTFN(1, ("audio_rint: drops %lu\n", cb->drops));
                cb->drops += blksize;
                cb->outp += blksize;
+               if (cb->outp >= cb->end)
+                       cb->outp = cb->start;
                cb->used -= blksize;
        }