Re: [PATCH] drm: Fix authentication kernel crash
On 01/24/2012 03:47 PM, Daniel Vetter wrote: On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote: If the master tries to authenticate a client using drm_authmagic and that client has already closed its drm file descriptor, either wilfully or because it was terminated, the call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory and corrupt it. Typically this results in a hard system hang. This patch fixes that problem by removing any authentication tokens (struct drm_magic_entry) open for a file descriptor when that file descriptor is closed. Signed-off-by: Thomas Hellstromthellst...@vmware.com Ok, I've wandered around a bit in this and noticed that the locking is the usual convoluted disaster. We seem to randomly grab dev-struct_mutex in the auth and master ioctl, but all the real protect seems to be due to taking the global mutex in all relevant paths. I guess I can't volunteer you to clean this up ;-) It would be pretty easy to make thos ioctls unlocked (we should probably also have an idr managing the magic number) but my wife is having twins in a couple of weeks and I've got a long list of bugs to fix before that for the vmwgfx launch so I unfortunately have to pass this time. /Thomas ___ dri-devel mailing list dri-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/dri-devel
Re: [PATCH] drm: Fix authentication kernel crash
On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote: If the master tries to authenticate a client using drm_authmagic and that client has already closed its drm file descriptor, either wilfully or because it was terminated, the call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory and corrupt it. Typically this results in a hard system hang. This patch fixes that problem by removing any authentication tokens (struct drm_magic_entry) open for a file descriptor when that file descriptor is closed. Signed-off-by: Thomas Hellstrom thellst...@vmware.com Ok, I've wandered around a bit in this and noticed that the locking is the usual convoluted disaster. We seem to randomly grab dev-struct_mutex in the auth and master ioctl, but all the real protect seems to be due to taking the global mutex in all relevant paths. I guess I can't volunteer you to clean this up ;-) Otherwise I couldn't poke a hole into this, so Reviewed-by: Daniel Vetter daniel.vet...@ffwll.ch Daniel Vetter Mail: dan...@ffwll.ch Mobile: +41 (0)79 365 57 48 ___ dri-devel mailing list dri-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/dri-devel
Re: [PATCH] drm: Fix authentication kernel crash
On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote: If the master tries to authenticate a client using drm_authmagic and that client has already closed its drm file descriptor, either wilfully or because it was terminated, the call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory and corrupt it. Typically this results in a hard system hang. This patch fixes that problem by removing any authentication tokens (struct drm_magic_entry) open for a file descriptor when that file descriptor is closed. Signed-off-by: Thomas Hellstrom thellst...@vmware.com --- Please review. This should also go into stable kernels. formletter This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read Documentation/stable_kernel_rules.txt for how to do this properly. /formletter ___ dri-devel mailing list dri-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/dri-devel
