From d661b1c7e38bf1d9497ff8d8446e3ce8aeaae13e Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Sat, 16 Apr 2022 11:33:17 +0000
Subject: [PATCH] audio(4): Wait for opens to drain in detach.

Otherwise detach may barge ahead and start freeing things before open
has finished and is about to use them after free.

Reported-by: syzbot+31d2619e72c2c8436cc9@syzkaller.appspotmail.com
---
 sys/dev/audio/audio.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sys/dev/audio/audio.c b/sys/dev/audio/audio.c
index 06aeec99070f..0d24a1e42b23 100644
--- a/sys/dev/audio/audio.c
+++ b/sys/dev/audio/audio.c
@@ -1344,6 +1344,7 @@ audiodetach(device_t self, int flags)
 {
 	struct audio_softc *sc;
 	struct audio_file *file;
+	int maj, mn;
 	int error;
 
 	sc = device_private(self);
@@ -1358,6 +1359,16 @@ audiodetach(device_t self, int flags)
 	if (error)
 		return error;
 
+	/*
+	 * Prevent new opens and wait for existing opens to complete.
+	 */
+	maj = cdevsw_lookup_major(&audio_cdevsw);
+	mn = device_unit(self);
+	vdevgone(maj, mn|SOUND_DEVICE, mn|SOUND_DEVICE, VCHR);
+	vdevgone(maj, mn|AUDIO_DEVICE, mn|AUDIO_DEVICE, VCHR);
+	vdevgone(maj, mn|AUDIOCTL_DEVICE, mn|AUDIOCTL_DEVICE, VCHR);
+	vdevgone(maj, mn|MIXER_DEVICE, mn|MIXER_DEVICE, VCHR);
+
 	/*
 	 * This waits currently running sysctls to finish if exists.
 	 * After this, no more new sysctls will come.