CVE-2024-26937

{"id": "CVE-2024-26937", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-01T06:15:08.960", "references": [{"url": "https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-617"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Reset queue_priority_hint on parking\n\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\n\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\n\n<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 166.210781] Dumping ftrace buffer:\n<0>[ 166.210795] ---------------------------------\n...\n<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[ 167.303534] <idle>-0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 167.303811] ---------------------------------\n<4>[ 167.304722] ------------[ cut here ]------------\n<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[ 16\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: drm/i915/gt: Restablecer queue_priority_hint al estacionar Originalmente, con ejecuci\u00f3n en orden estricto, pod\u00edamos completar la ejecuci\u00f3n solo cuando la cola estaba vac\u00eda. La preferencia por ocupaci\u00f3n permite el reemplazo de una solicitud activa que puede completarse antes de que HW procese la preferencia. Si eso sucede, la solicitud se retira de la cola, pero queue_priority_hint permanece configurada, lo que impide el env\u00edo directo hasta despu\u00e9s de que se procese la siguiente interrupci\u00f3n de CS. Esta ejecuci\u00f3n de prioridad a ocupaci\u00f3n puede ser desencadenada por el latido del coraz\u00f3n, que tambi\u00e9n actuar\u00e1 como barrera de administraci\u00f3n de energ\u00eda y, al finalizar, nos permitir\u00e1 dejar el HW inactivo. Podemos procesar la finalizaci\u00f3n del latido y comenzar a estacionar el motor antes del evento CS que restaura queue_priority_hint, lo que hace que falle la afirmaci\u00f3n de que es MIN. &lt;3&gt;[ 166.210729] __engine_park:283 GEM_BUG_ON(motor-&gt;sched_engine-&gt;queue_priority_hint != (-((int)(~0U &gt;&gt; 1)) - 1)) &lt;0&gt;[ 166.210781] Volviendo buffer ftrace: &lt;0 &gt;[ 166.210795] --------------------------------- ... &lt;0&gt;[ 167.302811] drm_fdin-1097 2 ..s1. 165741070us: trace_ports: 0000:00:02.0 rcs0: promover { ccid:20 1217:2 prio 0 } &lt;0&gt;[ 167.302861] drm_fdin-1097 2d.s2. 165741072us: execlists_submission_tasklet: 0000:00:02.0 rcs0: apropiaci\u00f3n del \u00faltimo = 1217:2, prio = 0, sugerencia = 2147483646 &lt;0&gt; [167.302928] drm_fdin-1097 2d.s2. 165741072us: __i915_request_unsubmit: 0000:00:02.0 rcs0: valla 1217:2, actual 0 &lt;0&gt;[ 167.302992] drm_fdin-1097 2d.s2. 165741073us: __i915_request_submit: 0000:00:02.0 rcs0: valla 3:4660, actual 4659 &lt;0&gt;[ 167.303044] drm_fdin-1097 2d.s1. 165741076us: execlists_submission_tasklet: 0000:00:02.0 rcs0: contexto:3 programaci\u00f3n de entrada, ccid:40 &lt;0&gt;[ 167.303095] drm_fdin-1097 2d.s1. 165741077us: trace_ports: 0000:00:02.0 rcs0: enviar { ccid:40 3:4660* prio 2147483646 } &lt;0&gt;[ 167.303159] kworker/-89 11..... 165741139us: i915_request_retire.part.0: 0000:00 :02.0 rcs0: valla c90:2, actual 2 &lt;0&gt;[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: contexto:c90 desanclar &lt;0&gt;[ 167.303272] kworker/ -89 11..... 165741159us: i915_request_retire.part.0: 0000:00:02.0 rcs0: valla 1217:2, actual 2 &lt;0&gt;[ 167.303321] kworker/-89 11..... 165741166us: __intel_context_do_unpin: 0000:00:02.0 rcs0: contexto:1217 desanclar &lt;0&gt;[ 167.303384] kworker/-89 11..... 165741170us: i915_request_retire.part.0: 0000:00:02.0 rcs0: valla 3:4660, actual 4660 &lt; 0&gt;[ 167.303434] ktrabajador/-89 11d..1. 165741172us: __intel_context_retire: 0000:00:02.0 rcs0: contexto:1216 retirar tiempo de ejecuci\u00f3n: { total:56028ns, avg:56028ns } &lt;0&gt;[ 167.303484] kworker/-89 11..... 165741198us: __engine_park: 0000:00: 02.0 rcs0: estacionado &lt;0&gt;[ 167.303534] -0 5d.H3. 165741207us: execlists_irq_handler: 0000:00:02.0 rcs0: rendimiento del sem\u00e1foro: 00000040 &lt;0&gt;[ 167.303583] kworker/-89 11..... 165741397us: __intel_context_retire: 0000:00:02.0 s0: contexto: 1217 retirar el tiempo de ejecuci\u00f3n: {total :325575ns, promedio:0ns } &lt;0&gt;[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: contexto:c90 retirar tiempo de ejecuci\u00f3n: { total:0ns, promedio:0ns } &lt; 0&gt;[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(motor-&gt;sched_engine-&gt;queue_priority_hint != (-((int)(~0U &gt;&gt; 1)) - 1) ) &lt;0&gt;[ 167.303811] --------------------------------- &lt;4&gt;[ 167.304722] ---- --------[ cortar aqu\u00ed ]------------ &lt;2&gt;[ 167.304725] ERROR del kernel en drivers/gpu/drm/i915/gt/intel_engine_pm.c:283! &lt;4&gt;[ 167.304731] c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP NOPTI &lt;4&gt;[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Contaminado: GW 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1 &lt;4&gt;[ 167.304736] ---truncado---"}], "lastModified": "2025-12-23T18:55:15.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B385716-1A12-4CDF-BD13-2C372D712BF4", "versionEndExcluding": "5.4.274", "versionStartIncluding": "5.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9CD5894E-58E9-4B4A-B0F4-3E6BC134B8F5", "versionEndExcluding": "5.10.215", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "577E212E-7E95-4A71-9B5C-F1D1A3AFFF46", "versionEndExcluding": "5.15.154", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "834D9BD5-42A6-4D74-979E-4D6D93F630FD", "versionEndExcluding": "6.1.84", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8018C1D0-0A5F-48D0-BC72-A2B33FDDA693", "versionEndExcluding": "6.6.24", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BE9771A-BAFD-4624-95F9-58D536540C53", "versionEndExcluding": "6.7.12", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C59BBC3-6495-4A77-9C82-55EC7CDF5E02", "versionEndExcluding": "6.8.3", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}