CVE-2024-26937
drm/i915/gt: Reset queue_priority_hint on parking
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: Reset queue_priority_hint on parking
Originally, with strict in order execution, we could complete execution
only when the queue was empty. Preempt-to-busy allows replacement of an
active request that may complete before the preemption is processed by
HW. If that happens, the request is retired from the queue, but the
queue_priority_hint remains set, preventing direct submission until
after the next CS interrupt is processed.
This preempt-to-busy race can be triggered by the heartbeat, which will
also act as the power-management barrier and upon completion allow us to
idle the HW. We may process the completion of the heartbeat, and begin
parking the engine before the CS event that restores the
queue_priority_hint, causing us to fail the assertion that it is MIN.
<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))
<0>[ 166.210781] Dumping ftrace buffer:
<0>[ 166.210795] ---------------------------------
...
<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }
<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646
<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0
<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659
<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40
<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }
<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2
<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin
<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2
<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin
<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660
<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }
<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked
<0>[ 167.303534] <idle>-0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040
<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }
<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }
<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))
<0>[ 167.303811] ---------------------------------
<4>[ 167.304722] ------------[ cut here ]------------
<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!
<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1
<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022
<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]
<4>[ 16
---truncated---
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/i915/gt: Restablecer queue_priority_hint al estacionar Originalmente, con ejecución en orden estricto, podíamos completar la ejecución solo cuando la cola estaba vacía. La preferencia por ocupación permite el reemplazo de una solicitud activa que puede completarse antes de que HW procese la preferencia. Si eso sucede, la solicitud se retira de la cola, pero queue_priority_hint permanece configurada, lo que impide el envío directo hasta después de que se procese la siguiente interrupción de CS. Esta ejecución de prioridad a ocupación puede ser desencadenada por el latido del corazón, que también actuará como barrera de administración de energía y, al finalizar, nos permitirá dejar el HW inactivo. Podemos procesar la finalización del latido y comenzar a estacionar el motor antes del evento CS que restaura queue_priority_hint, lo que hace que falle la afirmación de que es MIN. <3>[ 166.210729] __engine_park:283 GEM_BUG_ON(motor->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1)) <0>[ 166.210781] Volviendo buffer ftrace: <0 >[ 166.210795] --------------------------------- ... <0>[ 167.302811] drm_fdin-1097 2 ..s1. 165741070us: trace_ports: 0000:00:02.0 rcs0: promover { ccid:20 1217:2 prio 0 } <0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us: execlists_submission_tasklet: 0000:00:02.0 rcs0: apropiación del último = 1217:2, prio = 0, sugerencia = 2147483646 <0> [167.302928] drm_fdin-1097 2d.s2. 165741072us: __i915_request_unsubmit: 0000:00:02.0 rcs0: valla 1217:2, actual 0 <0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us: __i915_request_submit: 0000:00:02.0 rcs0: valla 3:4660, actual 4659 <0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us: execlists_submission_tasklet: 0000:00:02.0 rcs0: contexto:3 programación de entrada, ccid:40 <0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us: trace_ports: 0000:00:02.0 rcs0: enviar { ccid:40 3:4660* prio 2147483646 } <0>[ 167.303159] kworker/-89 11..... 165741139us: i915_request_retire.part.0: 0000:00 :02.0 rcs0: valla c90:2, actual 2 <0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: contexto:c90 desanclar <0>[ 167.303272] kworker/ -89 11..... 165741159us: i915_request_retire.part.0: 0000:00:02.0 rcs0: valla 1217:2, actual 2 <0>[ 167.303321] kworker/-89 11..... 165741166us: __intel_context_do_unpin: 0000:00:02.0 rcs0: contexto:1217 desanclar <0>[ 167.303384] kworker/-89 11..... 165741170us: i915_request_retire.part.0: 0000:00:02.0 rcs0: valla 3:4660, actual 4660 < 0>[ 167.303434] ktrabajador/-89 11d..1. 165741172us: __intel_context_retire: 0000:00:02.0 rcs0: contexto:1216 retirar tiempo de ejecución: { total:56028ns, avg:56028ns } <0>[ 167.303484] kworker/-89 11..... 165741198us: __engine_park: 0000:00: 02.0 rcs0: estacionado <0>[ 167.303534] -0 5d.H3. 165741207us: execlists_irq_handler: 0000:00:02.0 rcs0: rendimiento del semáforo: 00000040 <0>[ 167.303583] kworker/-89 11..... 165741397us: __intel_context_retire: 0000:00:02.0 s0: contexto: 1217 retirar el tiempo de ejecución: {total :325575ns, promedio:0ns } <0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: contexto:c90 retirar tiempo de ejecución: { total:0ns, promedio:0ns } < 0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(motor->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1) ) <0>[ 167.303811] --------------------------------- <4>[ 167.304722] ---- --------[ cortar aquí ]------------ <2>[ 167.304725] ERROR del kernel en drivers/gpu/drm/i915/gt/intel_engine_pm.c:283! <4>[ 167.304731] código de operación no válido: 0000 [#1] PREEMPT SMP NOPTI <4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Contaminado: GW 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1 <4>[ 167.304736] ---truncado---
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-05-01 CVE Published
- 2024-05-01 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 | Vuln. Introduced | |
| https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.4 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 5.4.274" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.4 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 5.10.215" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.4 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 5.15.154" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.4 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 6.1.84" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.4 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 6.6.24" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.4 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 6.7.12" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.4 < 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 6.8.3" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.4 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 6.9" | en |
Affected
| ||||||