Show plain JSON{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41092", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.636Z", "datePublished": "2024-07-29T15:48:05.853Z", "dateUpdated": "2025-05-04T09:21:54.366Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:21:54.366Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\n\nCI has been sporadically reporting the following issue triggered by\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\n\n<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\n...\n<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\n<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\n<3> [414.070354] Unable to pin Y-tiled fence; err:-4\n<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))\n...\n<4>[ 609.603992] ------------[ cut here ]------------\n<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\n<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\n<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]\n<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\n...\n<4>[ 609.604271] Call Trace:\n<4>[ 609.604273] <TASK>\n...\n<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]\n<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]\n<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]\n<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]\n<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\n<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\n<4>[ 609.605440] process_scheduled_works+0x351/0x690\n...\n\nIn the past, there were similar failures reported by CI from other IGT\ntests, observed on other platforms.\n\nBefore commit 63baf4f3d587 (\"drm/i915/gt: Only wait for GPU activity\nbefore unbinding a GGTT fence\"), i915_vma_revoke_fence() was waiting for\nidleness of vma->active via fence_update(). That commit introduced\nvma->fence->active in order for the fence_update() to be able to wait\nselectively on that one instead of vma->active since only idleness of\nfence registers was needed. But then, another commit 0d86ee35097a\n(\"drm/i915/gt: Make fence revocation unequivocal\") replaced the call to\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\nalso added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.\nNo justification was provided on why we might then expect idleness of\nvma->fence->active without first waiting on it.\n\nThe issue can be potentially caused by a race among revocation of fence\nregisters on one side and sequential execution of signal callbacks invoked\non completion of a request that was using them on the other, still\nprocessed in parallel to revocation of those fence registers. Fix it by\nwaiting for idleness of vma->fence->active in i915_vma_revoke_fence().\n\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c"], "versions": [{"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1", "lessThan": "f771b91f21c46ad1217328d05e72a2c7e3add535", "status": "affected", "versionType": "git"}, {"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1", "lessThan": "29c0fdf49078ab161570d3d1c6e13d66f182717d", "status": "affected", "versionType": "git"}, {"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1", "lessThan": "ca0fabd365a27a94a36e68a7a02df8ff3c13dac6", "status": "affected", "versionType": "git"}, {"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1", "lessThan": "06dec31a0a5112a91f49085e8a8fa1a82296d5c7", "status": "affected", "versionType": "git"}, {"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1", "lessThan": "414f4a31f7a811008fd9a33b06216b060bad18fc", "status": "affected", "versionType": "git"}, {"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1", "lessThan": "996c3412a06578e9d779a16b9e79ace18125ab50", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.221", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.162", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.97", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.37", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.8", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.221"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.15.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.1.97"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.6.37"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.9.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535"}, {"url": "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d"}, {"url": "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6"}, {"url": "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7"}, {"url": "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc"}, {"url": "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50"}], "title": "drm/i915/gt: Fix potential UAF by revoke of fence registers", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.416Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41092", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:20:35.535942Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:32:56.013Z"}}]}}