From 62471cd2ebd7adbb9c360bdb7e2970a59e0745f0 Mon Sep 17 00:00:00 2001
From: Thomas Hellstrom <thellstrom@vmware.com>
Date: Tue, 24 Jan 2012 18:54:21 +0100
Subject: drm: Fix authentication kernel crash

commit 598781d71119827b454fd75d46f84755bca6f0c6 upstream.

If the master tries to authenticate a client using drm_authmagic and
that client has already closed its drm file descriptor,
either wilfully or because it was terminated, the
call to drm_authmagic will dereference a stale pointer into kmalloc'ed memory
and corrupt it.

Typically this results in a hard system hang.

This patch fixes that problem by removing any authentication tokens
(struct drm_magic_entry) open for a file descriptor when that file
descriptor is closed.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: Icbba107e666306a34a621955458091410da3956a
Reviewed-on: http://git-master/r/79654
Reviewed-by: Automatic_Commit_Validation_User
---
 include/drm/drmP.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'include/drm')

diff --git a/include/drm/drmP.h b/include/drm/drmP.h
index 9b7c2bb4bb44..4397cb062b28 100644
--- a/include/drm/drmP.h
+++ b/include/drm/drmP.h
@@ -1325,6 +1325,7 @@ extern int drm_getmagic(struct drm_device *dev, void *data,
 			struct drm_file *file_priv);
 extern int drm_authmagic(struct drm_device *dev, void *data,
 			 struct drm_file *file_priv);
+extern int drm_remove_magic(struct drm_master *master, drm_magic_t magic);
 
 /* Cache management (drm_cache.c) */
 void drm_clflush_pages(struct page *pages[], unsigned long num_pages);
-- 
cgit v1.2.3