From: Thomas Hellstrom
Subject: Re: [PATCH] drm: Fix authentication kernel crash
Date: Wed, 25 Jan 2012 18:26:55 +0100
Message-ID: <4F203B5F.3030006@vmware.com>
References: <1327397506-2979-1-git-send-email-thellstrom@vmware.com> <20120124144743.GE3980@phenom.ffwll.local>
In-Reply-To: <20120124144743.GE3980@phenom.ffwll.local>
To: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

On 01/24/2012 03:47 PM, Daniel Vetter wrote:
> On Tue, Jan 24, 2012 at 10:31:46AM +0100, Thomas Hellstrom wrote:
>> If the master tries to authenticate a client using drm_authmagic and
>> that client has already closed its drm file descriptor,
>> either wilfully or because it was terminated, the
>> call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory
>> and corrupt it.
>>
>> Typically this results in a hard system hang.
>>
>> This patch fixes that problem by removing any authentication tokens
>> (struct drm_magic_entry) open for a file descriptor when that file
>> descriptor is closed.
>>
>> Signed-off-by: Thomas Hellstrom
>
> Ok, I've wandered around a bit in this and noticed that the locking is the
> usual convoluted disaster. We seem to randomly grab dev->struct_mutex in
> the auth and master ioctl, but all the real protection seems to be due to
> taking the global mutex in all relevant paths.
>
> I guess I can't volunteer you to clean this up ;-)

It would be pretty easy to make those ioctls unlocked (we should probably also have an idr managing the magic number) but my wife is having twins in a couple of weeks and I've got a long list of bugs to fix before that for the vmwgfx launch so I unfortunately have to pass this time.

/Thomas
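The failure the commit message describes, and the fix it proposes, can be modelled outside the kernel. The following is an added example written for this page, not the DRM code or Thomas's patch: a toy magic-token table in which each entry holds a pointer to the per-fd private data (the stand-in for struct drm_file), a getmagic/authmagic pair, and a close path that removes the file's tokens before freeing it. All names (toy_file, toy_magic_entry, toy_master, the toy_* functions) are assumptions made for the example; the list, the token counter and the scenarios are constructed. Without toy_remove_magic_for_file() in the close path, toy_authmagic() would write through the freed priv pointer, which is the stale dereference the patch removes; with it, a token whose owner has gone is simply not found.

```c
/* Added example, not kernel code: a toy model of DRM magic-token
 * authentication showing why tokens must be dropped when their
 * file descriptor closes. */
#include <stdlib.h>
#include <errno.h>

/* Stand-in for struct drm_file: per-open-fd private data (assumed name). */
struct toy_file {
    int authenticated;
};

/* Stand-in for struct drm_magic_entry (assumed name). */
struct toy_magic_entry {
    unsigned int magic;
    struct toy_file *priv;          /* dangles after close unless removed */
    struct toy_magic_entry *next;
};

/* Stand-in for the master's token list (assumed name). */
struct toy_master {
    struct toy_magic_entry *magics;
    unsigned int next_magic;
};

void toy_master_init(struct toy_master *m)
{
    m->magics = NULL;
    m->next_magic = 1;              /* constructed: monotonically increasing */
}

/* getmagic: record token -> priv so the master can later authenticate it. */
int toy_getmagic(struct toy_master *m, struct toy_file *priv, unsigned int *out)
{
    struct toy_magic_entry *e = malloc(sizeof(*e));
    if (!e)
        return -ENOMEM;
    e->magic = m->next_magic++;
    e->priv = priv;
    e->next = m->magics;
    m->magics = e;
    *out = e->magic;
    return 0;
}

/* authmagic: mark the file that owns this token as authenticated.
 * If the entry outlives priv, the write below is a use-after-free. */
int toy_authmagic(struct toy_master *m, unsigned int magic)
{
    struct toy_magic_entry *e;
    for (e = m->magics; e; e = e->next) {
        if (e->magic == magic) {
            e->priv->authenticated = 1;
            return 0;
        }
    }
    return -EINVAL;                 /* unknown or already-removed token */
}

/* The fix: unlink and free every token that points at priv. */
void toy_remove_magic_for_file(struct toy_master *m, struct toy_file *priv)
{
    struct toy_magic_entry **pp = &m->magics;
    while (*pp) {
        struct toy_magic_entry *e = *pp;
        if (e->priv == priv) {
            *pp = e->next;
            free(e);
        } else {
            pp = &e->next;
        }
    }
}

/* Release path with the fix: drop the tokens, then free the file. */
void toy_file_close(struct toy_master *m, struct toy_file *priv)
{
    toy_remove_magic_for_file(m, priv);
    free(priv);
}

/* Count live tokens; used to check that close really removed them. */
int toy_count_magics(const struct toy_master *m)
{
    int n = 0;
    const struct toy_magic_entry *e;
    for (e = m->magics; e; e = e->next)
        n++;
    return n;
}

/* Normal flow: client gets a token, master authenticates it. Returns the
 * client's authenticated flag (1) before cleaning up. */
int toy_scenario_normal(void)
{
    struct toy_master master;
    struct toy_file *client = calloc(1, sizeof(*client));
    unsigned int magic;
    int flag;

    toy_master_init(&master);
    if (!client)
        return -ENOMEM;
    toy_getmagic(&master, client, &magic);
    toy_authmagic(&master, magic);
    flag = client->authenticated;
    toy_file_close(&master, client);
    return flag;
}

/* The crash scenario from the commit message, with the fix applied: the
 * client closes (or is killed) before the master calls authmagic.
 * Returns authmagic's result, -EINVAL, instead of touching freed memory. */
int toy_scenario_client_gone(void)
{
    struct toy_master master;
    struct toy_file *client = calloc(1, sizeof(*client));
    unsigned int magic;

    toy_master_init(&master);
    if (!client)
        return -ENOMEM;
    toy_getmagic(&master, client, &magic);
    toy_file_close(&master, client);        /* tokens removed with the fd */
    if (toy_count_magics(&master) != 0)
        return -EIO;                        /* constructed sentinel: fix missing */
    return toy_authmagic(&master, magic);
}
```

The ordering inside toy_file_close() is the whole point: the token list is cleaned while priv is still valid, so the comparison e->priv == priv is well defined, and nothing in the list can point at freed memory afterwards. In the real driver that list is shared with the master and so needs the locking Daniel mentions; the toy is single-threaded and leaves that out.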