Re: [PATCH] drm: Fix authentication kernel crash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/24/2012 03:47 PM, Daniel Vetter wrote:
On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote:
If the master tries to authenticate a client using drm_authmagic and
that client has already closed its drm file descriptor,
either wilfully or because it was terminated, the
call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory
and corrupt it.

Typically this results in a hard system hang.

This patch fixes that problem by removing any authentication tokens
(struct drm_magic_entry) open for a file descriptor when that file
descriptor is closed.

Signed-off-by: Thomas Hellstrom<thellstrom@xxxxxxxxxx>
Ok, I've wandered around a bit in this and noticed that the locking is the
usual convoluted disaster. We seem to randomly grab dev->struct_mutex in
the auth and master ioctl, but all the real protect seems to be due to
taking the global mutex in all relevant paths.

I guess I can't volunteer you to clean this up ;-)

It would be pretty easy to make thos ioctls unlocked (we should probably also have an idr managing the magic number)
but my wife is having twins in a couple of weeks and
I've got a long list of bugs to fix before that for the vmwgfx launch so I
unfortunately have to pass this time.

/Thomas

_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel


[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux