Michel Dänzer wrote:

Michael,

On Mon, 2004-11-01 at 14:21 +0100, Thomas Hellström wrote:

Hmm, correct me if I'm wrong, but after a brief check in the code, it seems like the current _DRM_LOCK_IS_HELD() used in dma buffer submission IOCTLS just checks that the lock is indeed held, but not if it is held by the current caller. Thus any authorized client should be able to sneak in DMA commands while the lock is held by another client or the X server. -> potential system crash.

Hence _DRM_LOCK_IS_HELD() always seems to be (supposed to be) accompanied by another test that verifies the ownership.

I just checked i830_dma.c, i915_dma.c and via_dma.c, and _DRM_LOCK_IS_HELD() is used without such a test, AFAICT. The correct macro to call seems to be LOCK_TEST_WITH_RETURN() which does incorporate such a test. In fact, the use of _DRM_LOCK_IS_HELD() here should allow malfunctioning or malicious SMP dri clients to modify internal drm data structures and DMA ring-buffers simultaneously?

/Thomas
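The difference between a held-only test and an ownership test, as discussed in this thread, shown in a simplified user-space model. This is an added example, not code from the DRM source or from either poster; the `model_*` names, the lock-word layout and the `submit_*` functions are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model: names and lock-word layout are assumptions, not DRM code. */
#define MODEL_LOCK_HELD 0x80000000u
#define MODEL_LOCK_IS_HELD(word) ((word) & MODEL_LOCK_HELD)

struct model_client { uint32_t ctx; };
struct model_lock {
    uint32_t word;                     /* held bit | context of the holder */
    const struct model_client *owner;  /* client that took the lock */
};

static void model_take(struct model_lock *l, const struct model_client *c)
{
    l->word = MODEL_LOCK_HELD | c->ctx;
    l->owner = c;
}
static void model_release(struct model_lock *l) { l->word = 0; l->owner = NULL; }

/* Held-only test: passes for any caller while somebody holds the lock. */
static int submit_held_only(const struct model_lock *l, const struct model_client *caller)
{
    (void)caller;  /* the caller's identity is never consulted */
    return MODEL_LOCK_IS_HELD(l->word) ? 0 : -EINVAL;
}

/* Ownership test: the lock must be held, and held by this caller. */
static int submit_owner_checked(const struct model_lock *l, const struct model_client *caller)
{
    if (!MODEL_LOCK_IS_HELD(l->word) || l->owner != caller)
        return -EINVAL;
    return 0;
}

int main(void)
{
    struct model_client xserver = { 1 }, other = { 2 };  /* constructed clients */
    struct model_lock lock = { 0, NULL };
    model_take(&lock, &xserver);
    printf("non-owner, held-only check: %d\n", submit_held_only(&lock, &other));
    printf("non-owner, ownership check: %d\n", submit_owner_checked(&lock, &other));
    printf("owner, ownership check:     %d\n", submit_owner_checked(&lock, &xserver));
    model_release(&lock);
    printf("owner after release:        %d\n", submit_owner_checked(&lock, &xserver));
    return 0;
}
```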