CVE-2024-26937 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Reset queue_priority_hint on parking Originally, with strict in order execution, we could complete execution only when the queue was empty. Preempt-to-busy allows replacement of an active request that may complete before the preemption is processed by HW. If that happens, the request is retired from the queue, but the queue_priority_hint remains set, preventing direct submission until after the next CS interrupt is processed. This preempt-to-busy race can be triggered by the heartbeat, which will also act as the power-management barrier and upon completion allow us to idle the HW. We may process the completion of the heartbeat, and begin parking the engine before the CS event that restores the queue_priority_hint, causing us to fail the assertion that it is MIN. <3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1)) <0>[ 166.210781] Dumping ftrace buffer: <0>[ 166.210795] --------------------------------- ... <0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 } <0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646 <0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0 <0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659 <0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40 <0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 } <0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2 <0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin <0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2 <0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin <0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660 <0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns } <0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked <0>[ 167.303534] <idle>-0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040 <0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns } <0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns } <0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1)) <0>[ 167.303811] --------------------------------- <4>[ 167.304722] ------------[ cut here ]------------ <2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283! <4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI <4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1 <4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022 <4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915] <4>[ 16 ---truncated---

Reserved 2024-02-19 | Published 2024-05-01 | Updated 2025-05-04 | Assigner Linux

Product status

Default status

unaffected

22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 before 67944e6db656bf1e986aa2a359f866f851091f8a

affected

22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 before fe34587acc995e7b1d7a5d3444a0736721ec32b3

affected

22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 before ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f

affected

22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 before 7eab7b021835ae422c38b968d5cc60e99408fb62

affected

22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 before 3b031e4fcb2740988143c303f81f69f18ce86325

affected

22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 before aed034866a08bb7e6e34d50a5629a4d23fe83703

affected

22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 before 8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c

affected

22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 before 4a3859ea5240365d21f6053ee219bb240d520895

affected

Default status

affected

5.4

affected

Any version before 5.4

unaffected

5.4.274

unaffected

5.10.215

unaffected

5.15.154

unaffected

6.1.84

unaffected

6.6.24

unaffected

6.7.12

unaffected

6.8.3

unaffected

6.9

unaffected

References

git.kernel.org/...c/67944e6db656bf1e986aa2a359f866f851091f8a

git.kernel.org/...c/fe34587acc995e7b1d7a5d3444a0736721ec32b3

git.kernel.org/...c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f

git.kernel.org/...c/7eab7b021835ae422c38b968d5cc60e99408fb62

git.kernel.org/...c/3b031e4fcb2740988143c303f81f69f18ce86325

git.kernel.org/...c/aed034866a08bb7e6e34d50a5629a4d23fe83703

git.kernel.org/...c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c

git.kernel.org/...c/4a3859ea5240365d21f6053ee219bb240d520895

cve.org (CVE-2024-26937)

nvd.nist.gov (CVE-2024-26937)

Download JSON