On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote: > If the master tries to authenticate a client using drm_authmagic and > that client has already closed its drm file descriptor, > either wilfully or because it was terminated, the > call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory > and corrupt it. > > Typically this results in a hard system hang. > > This patch fixes that problem by removing any authentication tokens > (struct drm_magic_entry) open for a file descriptor when that file > descriptor is closed. > > Signed-off-by: Thomas Hellstrom <thellstrom@xxxxxxxxxx> Ok, I've wandered around a bit in this and noticed that the locking is the usual convoluted disaster. We seem to randomly grab dev->struct_mutex in the auth and master ioctl, but all the real protect seems to be due to taking the global mutex in all relevant paths. I guess I can't volunteer you to clean this up ;-) Otherwise I couldn't poke a hole into this, so Reviewed-by: Daniel Vetter <daniel.vetter@xxxxxxxx> > ---- Daniel Vetter Mail: daniel@xxxxxxxx Mobile: +41 (0)79 365 57 48 _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel
