From mboxrd@z Thu Jan 1 00:00:00 1970 From: Greg KH Subject: Re: [PATCH] drm: Fix authentication kernel crash Date: Tue, 24 Jan 2012 09:12:55 -0800 Message-ID: <20120124171255.GC26908@kroah.com> References: <1327397506-2979-1-git-send-email-thellstrom@vmware.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) by gabe.freedesktop.org (Postfix) with ESMTP id 582B19E831 for ; Tue, 24 Jan 2012 09:19:23 -0800 (PST) Received: from compute6.internal (compute6.nyi.mail.srv.osa [10.202.2.46]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 3780B214D9 for ; Tue, 24 Jan 2012 12:19:22 -0500 (EST) Content-Disposition: inline In-Reply-To: <1327397506-2979-1-git-send-email-thellstrom@vmware.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org To: Thomas Hellstrom Cc: airlied@redhat.com, stable@vger.kernel.org, dri-devel@lists.freedesktop.org List-Id: dri-devel@lists.freedesktop.org On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote: > If the master tries to authenticate a client using drm_authmagic and > that client has already closed its drm file descriptor, > either wilfully or because it was terminated, the > call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory > and corrupt it. > > Typically this results in a hard system hang. > > This patch fixes that problem by removing any authentication tokens > (struct drm_magic_entry) open for a file descriptor when that file > descriptor is closed. > > Signed-off-by: Thomas Hellstrom > --- > Please review. This should also go into stable kernels. This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read Documentation/stable_kernel_rules.txt for how to do this properly.