opnsense-src/sys/dev/sound
Mark Johnston 564070c417 sound: Fix software buffer lifetime issues
The channel buffer mapped by dsp_mmap_single() may be freed when the
device handle is closed, but the mapping persists beyond that, allowing
userspace to read or write memory owned by a different consumer.

Fix the problem by adding a reference counter to the sound buffer.
Define pager ops for the VM object returned by dsp_mmap_single() and use
them to manage the extra reference.

Add a regression test.

Approved by:	so
Security:	FreeBSD-SA-26:27.sound
Security:	CVE-2026-49417
Reported by:	Lexpl0it, 75Acol, Liyw979, Rob1n
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57393
2026-06-10 08:42:35 +02:00
fdt Revert "sound: Make device registration more intuitive" 2024-11-14 17:25:41 +01:00
isa sys: Remove $FreeBSD$: two-line .h pattern 2023-08-16 11:54:11 -06:00
macio chore: replace {0, 0} with {DEV,KOBJ}METHOD_END 2026-04-30 07:39:21 +02:00
midi sound: Do not check for NULL if sbuf is allocated with SBUF_AUTOEXTEND 2024-10-20 13:21:06 +02:00
pci chore: replace {0, 0} with {DEV,KOBJ}METHOD_END 2026-04-30 07:39:21 +02:00
pcm sound: Fix software buffer lifetime issues 2026-06-10 08:42:35 +02:00
usb snd_uaudio: Remove undefined functions 2025-03-04 16:46:06 +01:00
driver.c sound: Include ai2s and davbus for PowerPC 2024-11-19 01:19:20 +00:00
dummy.c sound: Update COPYRIGHT notices 2025-03-17 19:29:17 +01:00