diff options
| author | Thomas Hellstrom <thellstrom@vmware.com> | 2012-01-24 12:54:21 -0500 |
|---|---|---|
| committer | Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com> | 2012-02-13 15:15:01 -0500 |
| commit | ee728aa6aeba82d58e34c9569b200a82546eef58 (patch) | |
| tree | 15418574b15893ca8f562c6e676828b7f98b55c4 /drivers/gpu/drm/drm_auth.c | |
| parent | 86580cdc4d82039c2210799f10f6adfb21127724 (diff) | |
drm: Fix authentication kernel crash
BugLink: http://bugs.launchpad.net/bugs/926309
commit 598781d71119827b454fd75d46f84755bca6f0c6 upstream.
If the master tries to authenticate a client using drm_authmagic and
that client has already closed its drm file descriptor,
either wilfully or because it was terminated, the
call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory
and corrupt it.
Typically this results in a hard system hang.
This patch fixes that problem by removing any authentication tokens
(struct drm_magic_entry) open for a file descriptor when that file
descriptor is closed.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Diffstat (limited to 'drivers/gpu/drm/drm_auth.c')
| -rw-r--r-- | drivers/gpu/drm/drm_auth.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c index 3f46772f0cb..ba23790450e 100644 --- a/drivers/gpu/drm/drm_auth.c +++ b/drivers/gpu/drm/drm_auth.c | |||
| @@ -101,7 +101,7 @@ static int drm_add_magic(struct drm_master *master, struct drm_file *priv, | |||
| 101 | * Searches and unlinks the entry in drm_device::magiclist with the magic | 101 | * Searches and unlinks the entry in drm_device::magiclist with the magic |
| 102 | * number hash key, while holding the drm_device::struct_mutex lock. | 102 | * number hash key, while holding the drm_device::struct_mutex lock. |
| 103 | */ | 103 | */ |
| 104 | static int drm_remove_magic(struct drm_master *master, drm_magic_t magic) | 104 | int drm_remove_magic(struct drm_master *master, drm_magic_t magic) |
| 105 | { | 105 | { |
| 106 | struct drm_magic_entry *pt; | 106 | struct drm_magic_entry *pt; |
| 107 | struct drm_hash_item *hash; | 107 | struct drm_hash_item *hash; |
| @@ -136,6 +136,8 @@ static int drm_remove_magic(struct drm_master *master, drm_magic_t magic) | |||
| 136 | * If there is a magic number in drm_file::magic then use it, otherwise | 136 | * If there is a magic number in drm_file::magic then use it, otherwise |
| 137 | * searches an unique non-zero magic number and add it associating it with \p | 137 | * searches an unique non-zero magic number and add it associating it with \p |
| 138 | * file_priv. | 138 | * file_priv. |
| 139 | * This ioctl needs protection by the drm_global_mutex, which protects | ||
| 140 | * struct drm_file::magic and struct drm_magic_entry::priv. | ||
| 139 | */ | 141 | */ |
| 140 | int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv) | 142 | int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv) |
| 141 | { | 143 | { |
| @@ -173,6 +175,8 @@ int drm_getmagic(struct drm_device *dev, void *data, struct drm_file *file_priv) | |||
| 173 | * \return zero if authentication successed, or a negative number otherwise. | 175 | * \return zero if authentication successed, or a negative number otherwise. |
| 174 | * | 176 | * |
| 175 | * Checks if \p file_priv is associated with the magic number passed in \arg. | 177 | * Checks if \p file_priv is associated with the magic number passed in \arg. |
| 178 | * This ioctl needs protection by the drm_global_mutex, which protects | ||
| 179 | * struct drm_file::magic and struct drm_magic_entry::priv. | ||
| 176 | */ | 180 | */ |
| 177 | int drm_authmagic(struct drm_device *dev, void *data, | 181 | int drm_authmagic(struct drm_device *dev, void *data, |
| 178 | struct drm_file *file_priv) | 182 | struct drm_file *file_priv) |