Rocky Linux: CVE-2024-41092: kernel-rt (Multiple Advisories)

Rocky Linux: CVE-2024-41092: kernel-rt (Multiple Advisories)

Severity

7

CVSS

(AV:L/AC:L/Au:S/C:C/I:C/A:C)

Published

07/29/2024

Created

11/21/2024

Added

11/19/2024

Modified

01/30/2025

Description

In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix potential UAF by revoke of fence registers CI has been sporadically reporting the following issue triggered by igt@i915_selftest@live@hangcheck on ADL-P and similar machines: <6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence ... <6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled <6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled <3> [414.070354] Unable to pin Y-tiled fence; err:-4 <3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active)) ... <4>[609.603992] ------------[ cut here ]------------ <2>[609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301! <4>[609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI <4>[609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G UW6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1 <4>[609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 <4>[609.604010] Workqueue: i915 __i915_gem_free_work [i915] <4>[609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915] ... <4>[609.604271] Call Trace: <4>[609.604273]<TASK> ... <4>[609.604716]__i915_vma_evict+0x2e9/0x550 [i915] <4>[609.604852]__i915_vma_unbind+0x7c/0x160 [i915] <4>[609.604977]force_unbind+0x24/0xa0 [i915] <4>[609.605098]i915_vma_destroy+0x2f/0xa0 [i915] <4>[609.605210]__i915_gem_object_pages_fini+0x51/0x2f0 [i915] <4>[609.605330]__i915_gem_free_objects.isra.0+0x6a/0xc0 [i915] <4>[609.605440]process_scheduled_works+0x351/0x690 ... In the past, there were similar failures reported by CI from other IGT tests, observed on other platforms. Before commit 63baf4f3d587 ("drm/i915/gt: Only wait for GPU activity before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for idleness of vma->active via fence_update(). That commit introduced vma->fence->active in order for the fence_update() to be able to wait selectively on that one instead of vma->active since only idleness of fence registers was needed.But then, another commit 0d86ee35097a ("drm/i915/gt: Make fence revocation unequivocal") replaced the call to fence_update() in i915_vma_revoke_fence() with only fence_write(), and also added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front. No justification was provided on why we might then expect idleness of vma->fence->active without first waiting on it. The issue can be potentially caused by a race among revocation of fence registers on one side and sequential execution of signal callbacks invoked on completion of a request that was using them on the other, still processed in parallel to revocation of those fence registers.Fix it by waiting for idleness of vma->fence->active in i915_vma_revoke_fence(). (cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)

Solution(s)

• rocky-upgrade-bpftool
• rocky-upgrade-bpftool-debuginfo
• rocky-upgrade-kernel
• rocky-upgrade-kernel-core
• rocky-upgrade-kernel-cross-headers
• rocky-upgrade-kernel-debug
• rocky-upgrade-kernel-debug-core
• rocky-upgrade-kernel-debug-debuginfo
• rocky-upgrade-kernel-debug-devel
• rocky-upgrade-kernel-debug-modules
• rocky-upgrade-kernel-debug-modules-extra
• rocky-upgrade-kernel-debuginfo
• rocky-upgrade-kernel-debuginfo-common-x86_64
• rocky-upgrade-kernel-devel
• rocky-upgrade-kernel-headers
• rocky-upgrade-kernel-modules
• rocky-upgrade-kernel-modules-extra
• rocky-upgrade-kernel-rt
• rocky-upgrade-kernel-rt-core
• rocky-upgrade-kernel-rt-debug
• rocky-upgrade-kernel-rt-debug-core
• rocky-upgrade-kernel-rt-debug-debuginfo
• rocky-upgrade-kernel-rt-debug-devel
• rocky-upgrade-kernel-rt-debug-kvm
• rocky-upgrade-kernel-rt-debug-modules
• rocky-upgrade-kernel-rt-debug-modules-extra
• rocky-upgrade-kernel-rt-debuginfo
• rocky-upgrade-kernel-rt-debuginfo-common-x86_64
• rocky-upgrade-kernel-rt-devel
• rocky-upgrade-kernel-rt-kvm
• rocky-upgrade-kernel-rt-modules
• rocky-upgrade-kernel-rt-modules-extra
• rocky-upgrade-kernel-tools
• rocky-upgrade-kernel-tools-debuginfo
• rocky-upgrade-kernel-tools-libs
• rocky-upgrade-kernel-tools-libs-devel
• rocky-upgrade-perf
• rocky-upgrade-perf-debuginfo
• rocky-upgrade-python3-perf
• rocky-upgrade-python3-perf-debuginfo

References

• https://attackerkb.com/topics/cve-2024-41092
• CVE - 2024-41092
• https://errata.rockylinux.org/RLSA-2024:8856
• https://errata.rockylinux.org/RLSA-2024:8870