CVE-2024-26937

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/gt: Reset queue_priority_hint on parking<br /> <br /> Originally, with strict in order execution, we could complete execution<br /> only when the queue was empty. Preempt-to-busy allows replacement of an<br /> active request that may complete before the preemption is processed by<br /> HW. If that happens, the request is retired from the queue, but the<br /> queue_priority_hint remains set, preventing direct submission until<br /> after the next CS interrupt is processed.<br /> <br /> This preempt-to-busy race can be triggered by the heartbeat, which will<br /> also act as the power-management barrier and upon completion allow us to<br /> idle the HW. We may process the completion of the heartbeat, and begin<br /> parking the engine before the CS event that restores the<br /> queue_priority_hint, causing us to fail the assertion that it is MIN.<br /> <br /> [ 166.210729] __engine_park:283 GEM_BUG_ON(engine-&gt;sched_engine-&gt;queue_priority_hint != (-((int)(~0U &gt;&gt; 1)) - 1))<br /> [ 166.210781] Dumping ftrace buffer:<br /> [ 166.210795] ---------------------------------<br /> ...<br /> [ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }<br /> [ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646<br /> [ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0<br /> [ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659<br /> [ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40<br /> [ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }<br /> [ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2<br /> [ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin<br /> [ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2<br /> [ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin<br /> [ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660<br /> [ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }<br /> [ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked<br /> [ 167.303534] -0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040<br /> [ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }<br /> [ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }<br /> [ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine-&gt;sched_engine-&gt;queue_priority_hint != (-((int)(~0U &gt;&gt; 1)) - 1))<br /> [ 167.303811] ---------------------------------<br /> [ 167.304722] ------------[ cut here ]------------<br /> [ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!<br /> [ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> [ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1<br /> [ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022<br /> [ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]<br /> [ 16<br /> ---truncated---