CVE-2024-41092

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/gt: Fix potential UAF by revoke of fence registers<br /> <br /> CI has been sporadically reporting the following issue triggered by<br /> igt@i915_selftest@live@hangcheck on ADL-P and similar machines:<br /> <br /> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence<br /> ...<br /> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled<br /> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled<br /> [414.070354] Unable to pin Y-tiled fence; err:-4<br /> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&amp;fence-&gt;active))<br /> ...<br /> [ 609.603992] ------------[ cut here ]------------<br /> [ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!<br /> [ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> [ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1<br /> [ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023<br /> [ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]<br /> [ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]<br /> ...<br /> [ 609.604271] Call Trace:<br /> [ 609.604273] <br /> ...<br /> [ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]<br /> [ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]<br /> [ 609.604977] force_unbind+0x24/0xa0 [i915]<br /> [ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]<br /> [ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]<br /> [ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]<br /> [ 609.605440] process_scheduled_works+0x351/0x690<br /> ...<br /> <br /> In the past, there were similar failures reported by CI from other IGT<br /> tests, observed on other platforms.<br /> <br /> Before commit 63baf4f3d587 ("drm/i915/gt: Only wait for GPU activity<br /> before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for<br /> idleness of vma-&gt;active via fence_update(). That commit introduced<br /> vma-&gt;fence-&gt;active in order for the fence_update() to be able to wait<br /> selectively on that one instead of vma-&gt;active since only idleness of<br /> fence registers was needed. But then, another commit 0d86ee35097a<br /> ("drm/i915/gt: Make fence revocation unequivocal") replaced the call to<br /> fence_update() in i915_vma_revoke_fence() with only fence_write(), and<br /> also added that GEM_BUG_ON(!i915_active_is_idle(&amp;fence-&gt;active)) in front.<br /> No justification was provided on why we might then expect idleness of<br /> vma-&gt;fence-&gt;active without first waiting on it.<br /> <br /> The issue can be potentially caused by a race among revocation of fence<br /> registers on one side and sequential execution of signal callbacks invoked<br /> on completion of a request that was using them on the other, still<br /> processed in parallel to revocation of those fence registers. Fix it by<br /> waiting for idleness of vma-&gt;fence-&gt;active in i915_vma_revoke_fence().<br /> <br /> (cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)