drm/i915/gt: Reset queue_priority_hint on parking

Summary

CVE	CVE-2024-26937
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2024-05-01 06:15:08 UTC
Updated	2026-05-12 12:16:27 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Reset queue_priority_hint on parking Originally, with strict in order execution, we could complete execution only when the queue was empty. Preempt-to-busy allows replacement of an active request that may complete before the preemption is processed by HW. If that happens, the request is retired from the queue, but the queue_priority_hint remains set, preventing direct submission until after the next CS interrupt is processed. This preempt-to-busy race can be triggered by the heartbeat, which will also act as the power-management barrier and upon completion allow us to idle the HW. We may process the completion of the heartbeat, and begin parking the engine before the CS event that restores the queue_priority_hint, causing us to fail the assertion that it is MIN. <3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1)) <0>[ 166.210781] Dumping ftrace buffer: <0>[ 166.210795] --------------------------------- ... <0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 } <0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646 <0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0 <0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659 <0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40 <0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 } <0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2 <0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin <0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2 <0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin <0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660 <0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns } <0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked <0>[ 167.303534] <idle>-0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040 <0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns } <0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns } <0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1)) <0>[ 167.303811] --------------------------------- <4>[ 167.304722] ------------[ cut here ]------------ <2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283! <4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI <4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1 <4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022 <4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915] <4>[ 16 ---truncated---

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-617

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 67944e6db656bf1e986aa2a359f866f851091f8a git	Not specified
CNA	Linux	Linux	affected 22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 fe34587acc995e7b1d7a5d3444a0736721ec32b3 git	Not specified
CNA	Linux	Linux	affected 22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f git	Not specified
CNA	Linux	Linux	affected 22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 7eab7b021835ae422c38b968d5cc60e99408fb62 git	Not specified
CNA	Linux	Linux	affected 22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 3b031e4fcb2740988143c303f81f69f18ce86325 git	Not specified
CNA	Linux	Linux	affected 22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 aed034866a08bb7e6e34d50a5629a4d23fe83703 git	Not specified
CNA	Linux	Linux	affected 22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c git	Not specified
CNA	Linux	Linux	affected 22b7a426bbe1ebe1520f92da4cd1617d1e1b5fc4 4a3859ea5240365d21f6053ee219bb240d520895 git	Not specified
CNA	Linux	Linux	affected 5.4	Not specified
CNA	Linux	Linux	unaffected 5.4 semver	Not specified
CNA	Linux	Linux	unaffected 5.4.274 5.4.* semver	Not specified
CNA	Linux	Linux	unaffected 5.10.215 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.154 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.84 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.24 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.7.12 6.7.* semver	Not specified
CNA	Linux	Linux	unaffected 6.8.3 6.8.* semver	Not specified
CNA	Linux	Linux	unaffected 6.9 * original_commit_for_fix	Not specified
ADP	Siemens	SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem	affected * custom	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
lists.debian.org/debian-lts-announce/2024/06/msg00017.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Third Party Advisory
git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
cert-portal.siemens.com/productcert/html/ssa-265688.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.