[PATCH] drm: Fix authentication kernel crash

Thomas Hellstrom thellstrom at vmware.com
Wed Jan 25 09:26:55 PST 2012


On 01/24/2012 03:47 PM, Daniel Vetter wrote:
> On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote:
>> If the master tries to authenticate a client using drm_authmagic and
>> that client has already closed its drm file descriptor,
>> either wilfully or because it was terminated, the
>> call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory
>> and corrupt it.
>>
>> Typically this results in a hard system hang.
>>
>> This patch fixes that problem by removing any authentication tokens
>> (struct drm_magic_entry) open for a file descriptor when that file
>> descriptor is closed.
>>
>> Signed-off-by: Thomas Hellstrom <thellstrom at vmware.com>
> Ok, I've wandered around a bit in this and noticed that the locking is the
> usual convoluted disaster. We seem to randomly grab dev->struct_mutex in
> the auth and master ioctl, but all the real protection seems to be due to
> taking the global mutex in all relevant paths.
>
> I guess I can't volunteer you to clean this up ;-)

It would be pretty easy to make those ioctls unlocked (we should probably 
also have an idr managing the magic number)
but my wife is having twins in a couple of weeks and
I've got a long list of bugs to fix before that for the vmwgfx launch so I
unfortunately have to pass this time.

/Thomas
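The pattern the patch describes (a token table that still points at a client's private data after that client's descriptor has been released, fixed by purging the owner's tokens on close) is easy to model outside the kernel. The following is an added example for this archive page, not code from the thread or from the DRM tree: the `demo_*` names, the singly linked list and the `demo_file` struct are assumptions standing in for `dev->magiclist`, `struct drm_magic_entry` and `struct drm_file`, and no locking is modelled (the kernel takes `dev->struct_mutex` around its list).

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of a device's authentication-token table.
 * Names and layout are assumptions for this example, not the kernel's
 * struct drm_magic_entry / struct drm_file. */
struct demo_file {
    int fd;                         /* identifies the client's open descriptor */
};

struct demo_magic_entry {
    unsigned int magic;             /* token handed out to the client */
    struct demo_file *priv;         /* owner; would dangle once priv is freed */
    struct demo_magic_entry *next;
};

/* Per-device list; the kernel guards its equivalent with dev->struct_mutex. */
static struct demo_magic_entry *magic_list;

struct demo_file *demo_file_open(int fd)
{
    struct demo_file *f = malloc(sizeof(*f));
    if (f)
        f->fd = fd;
    return f;
}

/* Hand out a token for a client. Returns 0 on success, -1 on allocation failure. */
int demo_magic_add(unsigned int magic, struct demo_file *priv)
{
    struct demo_magic_entry *e = malloc(sizeof(*e));
    if (!e)
        return -1;
    e->magic = magic;
    e->priv = priv;
    e->next = magic_list;
    magic_list = e;
    return 0;
}

/* What the master's authmagic path does: resolve a token to its owner. */
struct demo_file *demo_magic_lookup(unsigned int magic)
{
    struct demo_magic_entry *e;
    for (e = magic_list; e; e = e->next)
        if (e->magic == magic)
            return e->priv;
    return NULL;
}

/* The fix, modelled: unlink every token owned by a file before that file's
 * memory is released, so no list entry can point at freed memory.
 * Returns the number of entries removed. */
size_t demo_magic_remove_for_file(struct demo_file *priv)
{
    struct demo_magic_entry **pp = &magic_list;
    size_t removed = 0;
    while (*pp) {
        struct demo_magic_entry *e = *pp;
        if (e->priv == priv) {
            *pp = e->next;          /* unlink; do not advance pp */
            free(e);
            removed++;
        } else {
            pp = &e->next;
        }
    }
    return removed;
}

/* Release path for a client's descriptor: purge its tokens, then free it.
 * Without the purge, a later lookup would return a stale priv pointer. */
size_t demo_file_close(struct demo_file *priv)
{
    size_t removed = demo_magic_remove_for_file(priv);
    free(priv);
    return removed;
}

size_t demo_magic_count(void)
{
    size_t n = 0;
    struct demo_magic_entry *e;
    for (e = magic_list; e; e = e->next)
        n++;
    return n;
}

int main(void)
{
    struct demo_file *a = demo_file_open(3), *b = demo_file_open(4);
    demo_magic_add(42, a);
    demo_magic_add(43, a);
    demo_magic_add(7, b);
    demo_file_close(a);             /* client a exits before the master authenticates it */
    printf("token 42 after close: %s\n", demo_magic_lookup(42) ? "stale owner" : "no owner (safe)");
    printf("token 7 owner fd: %d\n", demo_magic_lookup(7)->fd);
    demo_file_close(b);
    return 0;
}
```

The ordering in `demo_file_close` is the whole point: the purge runs before `free`, so the window in which the list references released memory never opens. A tree or idr keyed by magic number, as suggested above in the thread, would replace the linear scan but would need the same owner-scoped cleanup on close.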
