On 01/24/2012 03:47 PM, Daniel Vetter wrote: > On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote: >> If the master tries to authenticate a client using drm_authmagic and >> that client has already closed its drm file descriptor, >> either wilfully or because it was terminated, the >> call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory >> and corrupt it. >> >> Typically this results in a hard system hang. >> >> This patch fixes that problem by removing any authentication tokens >> (struct drm_magic_entry) open for a file descriptor when that file >> descriptor is closed. >> >> Signed-off-by: Thomas Hellstrom<thellstrom at vmware.com> > Ok, I've wandered around a bit in this and noticed that the locking is the > usual convoluted disaster. We seem to randomly grab dev->struct_mutex in > the auth and master ioctl, but all the real protect seems to be due to > taking the global mutex in all relevant paths. > > I guess I can't volunteer you to clean this up ;-)
It would be pretty easy to make thos ioctls unlocked (we should probably also have an idr managing the magic number) but my wife is having twins in a couple of weeks and I've got a long list of bugs to fix before that for the vmwgfx launch so I unfortunately have to pass this time. /Thomas
