On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote:
> If the master tries to authenticate a client using drm_authmagic and that client has already closed its drm file descriptor, either wilfully or because it was terminated, the call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory and corrupt it.
> Typically this results in a hard system hang.
> This patch fixes that problem by removing any authentication tokens (struct drm_magic_entry) open for a file descriptor when that file descriptor is closed.
> Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Ok, I've wandered around a bit in this and noticed that the locking is the usual convoluted disaster. We seem to randomly grab dev->struct_mutex in the auth and master ioctl, but all the real protection seems to be due to taking the global mutex in all relevant paths.
I guess I can't volunteer you to clean this up ;-)
Otherwise I couldn't poke a hole into this, so Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
-- 
Daniel Vetter
Mail: daniel@ffwll.ch
Mobile: +41 (0)79 365 57 48
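To illustrate the bug and the fix described in the quoted commit message, here is an added, constructed model of the token list; it is not the kernel's drm_authmagic code, and every model_* name is an assumption. A token issued to a file is only safe to follow while that file is alive, so the release path unlinks all of the file's tokens before the file is freed.

```c
#include <stdlib.h>

/* Constructed, simplified model of the DRM magic-token list from the commit
 * message above; not the kernel's code. Each token is owned by the file
 * (drm_file analogue) it was issued to. */
struct model_file { int authenticated; };
struct model_magic_entry {
    unsigned int magic;
    struct model_file *priv;        /* owner; dangles after close unless cleaned up */
    struct model_magic_entry *next;
};
static struct model_magic_entry *magic_list;  /* stands in for the device's list */
static unsigned int next_magic = 1;

/* drm_getmagic analogue: issue a token bound to the calling file. */
unsigned int model_getmagic(struct model_file *f)
{
    struct model_magic_entry *e = malloc(sizeof(*e));
    if (!e) return 0;
    e->magic = next_magic++;
    e->priv = f;
    e->next = magic_list;
    magic_list = e;
    return e->magic;
}

/* drm_authmagic analogue: the master presents a token and its owner becomes
 * authenticated. Returns 0 on success, -1 if the token is unknown. The store
 * through e->priv is the write that hit freed memory before the fix. */
int model_authmagic(unsigned int magic)
{
    struct model_magic_entry *e;
    for (e = magic_list; e; e = e->next)
        if (e->magic == magic) { e->priv->authenticated = 1; return 0; }
    return -1;
}

/* The fix: on file close, unlink and free every token issued to that file
 * before the file itself goes away, so authmagic can never reach a stale owner.
 * Returns the number of tokens removed. */
int model_release_file(struct model_file *f)
{
    struct model_magic_entry **pp = &magic_list, *e;
    int removed = 0;
    while ((e = *pp) != NULL) {
        if (e->priv == f) { *pp = e->next; free(e); removed++; }
        else pp = &e->next;
    }
    return removed;
}
```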