CVE-2024-26937 - Linux Kernel drm/i915/gt Preempt-to-Busy Race Condition Explained

CVE-2024-26937 represents a subtle but critical vulnerability in the Linux kernel's Intel i915 GPU driver — specifically within the graphics engine scheduling code around power management and request prioritization. If improperly addressed, this race condition could cause system instability, data loss, or even privilege escalation. In this post, we’ll break down the issue in plain language, walk through some affected code, and review how the fix works.

Where?

- Subsystem: drivers/gpu/drm/i915/gt/

Affected Kernel Version: Before Linux 6.8

- Main Issue: Race condition in engine parking logic when using preempt-to-busy feature on Intel GPUs

Underlying Problem

In the normal execution flow for the i915 driver, the queue_priority_hint field should be set to the minimum (MIN) value when the engine is not executing any requests (i.e., when it's "parked" or idle). However, a race could occur:

- When a request is preempted (interrupted for a higher priority task), the hardware may finish and retire the request before the preemption is fully processed in software.
- This could leave queue_priority_hint set incorrectly (not reset to MIN), violating driver assumptions.

If a "heartbeat" check (for keeping the GPU alive) coincides with this race, the bug is exposed. Upon engine parking, i915 expects that queue_priority_hint is MIN. If it's not, the kernel will hit a fatal assertion (GEM_BUG_ON), leading to a crash or other undefined behavior.

A real example shows the assertion failure

__engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~U >> 1)) - 1))
...
kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!
invalid opcode: 000 [#1] PREEMPT SMP NOPTI
...
CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G        W          6.8.-rc2-CI_DRM_14193-gc655efd2804+ #1

This indicates the precondition is violated, often resulting in a kernel panic.

Technical Breakdown

- Preempt-to-busy means the GPU driver supports preempting active workloads with higher-priority ones, but there is a timing gap.
- If an active request completes before software finishes preemption handling, the *queue priority hint* may not reset.
- The engine idling logic (engine_park) then fails an assertion because it sees the "wrong" priority value.

Practical Exploitability

- Local denial of service: By stressing the GPU with carefully-timed workloads, local users could intentionally trigger a kernel panic, taking the system offline.
- Potential privilege escalation: In rare cases, kernel memory corruption or logic bugs arising from this bug might be exploited for more serious attacks, although concrete proof-of-concept exploits are not public so far.

Here is a simplified excerpt of the issue—

// When parking the engine, queue_priority_hint must be MIN
void __engine_park(struct intel_engine_cs *engine) {
    GEM_BUG_ON(engine->sched_engine->queue_priority_hint != MIN_PRIORITY);
    // ...other code...
}

The problem: Under the described race, queue_priority_hint was left at a high value, not reset to MIN.

The fix simply resets the priority hint as part of the parking sequence

// Patch: reset priority hint on engine park
void __engine_park(struct intel_engine_cs *engine) {
    engine->sched_engine->queue_priority_hint = MIN_PRIORITY; // <-- Fix
    GEM_BUG_ON(engine->sched_engine->queue_priority_hint != MIN_PRIORITY);
    // ...other code...
}

Source reference: drm/i915/gt: Reset queue_priority_hint on parking

Proof-of-Concept (DoS)

Although this race is subtle and not trivially triggered, a crafted stress test that floods the Intel GPU with preempted requests *could* trigger the bug. Here’s a (hypothetical) outline:

// Pseudocode: Stress-test i915 preemption logic
while (true) {
    submit_low_prio_gpu_job();
    submit_high_prio_gpu_job();
    // Use heartbeat or power mgmt tricks to force park/unpark
}

*Real-life exploit scripts would need precise timing and kernel fuzzing to race the hardware vs software preemption handling.*

Mitigation

- Upgrade: Users should upgrade to Linux 6.8 or newer, or apply this commit to any custom kernels.
- Workarounds: None practical for older kernels, other than disabling preempt-to-busy (which reduces performance).

References

- Kernel Patch Commit
- Linux Kernel CVE entry
- drm/i915 documentation

Summary

CVE-2024-26937 is a race condition bug in the Linux i915 GPU driver, resolved in Linux 6.8, that could allow denial of service or possibly worse if an attacker can force engine preemption at the right time. The fix is simple but critical — always reset the queue_priority_hint before parking the engine. Users and Linux distributions are advised to apply the fix as soon as possible.

Stay current with kernel security updates and always apply timely patches to avoid such subtle but serious bugs.


*Have more questions? Discuss on the kernel mailing list.*

Timeline

Published on: 05/01/2024 06:15:08 UTC
Last modified on: 05/04/2025 09:00:11 UTC