[PATCH] drm: Fix authentication kernel crash
Daniel Vetter
daniel at ffwll.ch
Tue Jan 24 06:47:43 PST 2012
On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote:
> If the master tries to authenticate a client using drm_authmagic and
> that client has already closed its drm file descriptor,
> either wilfully or because it was terminated, the
> call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory
> and corrupt it.
>
> Typically this results in a hard system hang.
>
> This patch fixes that problem by removing any authentication tokens
> (struct drm_magic_entry) open for a file descriptor when that file
> descriptor is closed.
>
> Signed-off-by: Thomas Hellstrom <thellstrom at vmware.com>
Ok, I've wandered around a bit in this and noticed that the locking is the
usual convoluted disaster. We seem to randomly grab dev->struct_mutex in
the auth and master ioctl, but all the real protect seems to be due to
taking the global mutex in all relevant paths.
I guess I can't volunteer you to clean this up ;-)
Otherwise I couldn't poke a hole into this, so
Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> ----
Daniel Vetter
Mail: daniel at ffwll.ch
Mobile: +41 (0)79 365 57 48
More information about the dri-devel
mailing list