CVE-2024-26939 - Deep Dive into Linux Kernel UAF in i915 VMA — How It Happened, How It Was Fixed

On recent Linux kernel versions, a critical vulnerability — now known as CVE-2024-26939 — was found and resolved in the i915 (Intel integrated graphics) driver, specifically within the virtual memory area (VMA) management code. This bug could result in a use-after-free (UAF) scenario, which is both a reliability and security risk. In this article, we’ll explain how the bug arose, how it could have been exploited, and how it’s been addressed. We’ll also include code snippets and references to the official fixes.

What Was the Vulnerability?

The bug resided in the drm/i915/vma code, responsible for managing GPU VMA lifecycles. Under rare race conditions, the code could free a VMA object that was still in use by another thread. This resulted in kernel object debugging tools (like ODEBUG) reporting attempts to free "still active" objects, with possible kernel memory corruption or exploitation.

Here’s a typical error log that might pop up

ODEBUG: free active (active state ) object: ffff88811643b958 object type: i915_active hint: __i915_vma_active+x/x50 [i915]
WARNING: CPU: 5 PID: 276 at lib/debugobjects.c:514 debug_print_object+x80/xb
Workqueue: i915-unordered __intel_wakeref_put_work [i915]
...
debug_object_free+xeb/x110
i915_active_fini+x14/x130 [i915]
release_references+xfe/x1f [i915]
i915_vma_parked+x1db/x380 [i915]

This race appeared when

- Thread A was deactivating the VMA inside __active_retire() _after_ the VMA’s active counter went to zero, but _before_ the kernel's object debugging tools were notified.

This sometimes led to a use-after-free: one thread would use data that another had already freed.

The root cause was a lack of proper serialization/locking between the deactivation and destruction code paths.

Commits That Introduced and Revealed the Bug

- Commit d93939730347: Moved i915_active_fini() to a different path, making VMA freeing happen after GT wakeref release, not when its refcount hit .
- Commit e92eb246feb9: Fixed a bug that previously hid the race from debugging tools, suddenly making the issue visible.

References:

- Fix commit
- Commit d93939730347
- Commit e92eb246feb9

How Was It Fixed?

The fix involved getting a wakeref for the VMA’s GT when activating the VMA, and only releasing that wakeref after the VMA is fully deactivated. This ensures the GT and its resources, including VMA, _cannot be freed while still in use_, as wakeref semantics guarantee the GPU is considered alive.

1. Take Wakeref at VMA Activation

if (!i915_vm_is_global(vm)) // avoid circular lock
    intel_gt_pm_get_untracked(gt); // Hold GT wakeref

2. Drop Wakeref at VMA Deactivation, Asynchronously

if (!i915_vm_is_global(vm))
    intel_gt_pm_put_async_untracked(gt); // Release GT wakeref

4. Never Hold Wakeref for Global GTT

- For the global GTT, holding the wakeref indefinitely would prevent the GPU from ever idling, so this code path skips it.

Corrected Code Snippet (Simplified for Context)

static int __i915_vma_active(struct i915_vma *vma)
{
    struct intel_gt *gt = vma->vm->gt;

    // Take a power management wakeref to prevent GT being parked
    if (!i915_vm_is_global(vma->vm))
        intel_gt_pm_get_untracked(gt);

    return ;
}

static void __i915_vma_retire(struct i915_vma *vma)
{
    struct intel_gt *gt = vma->vm->gt;

    // Do your VMA retirement logic...

    // Release wakeref asynchronously (safe in atomic context)
    if (!i915_vm_is_global(vma->vm))
        intel_gt_pm_put_async_untracked(gt);
}

Can This Be Exploited?

In principle, yes. If an attacker can reliably trigger VMA creation and destruction under certain workloads, and forcibly schedule operations to manipulate object destruction order, a skillful exploit could theoretically cause use-after-free, leading to privilege escalation or Denial of Service (DoS).

However: This particular bug is

- Only reachable from kernel/DRM space (not directly from a regular application!);
- The race is subtle and dependent on GPU workloads/timing;

Tracking and References

- Linux Kernel Patch Fix
- CVE-2024-26939 Cve List
- i915 Driver Development

Conclusion

CVE-2024-26939 is a prime example of how thread and object lifetime management in kernel drivers must be extremely robust — especially in paths involving hardware power management and reference counting. Even a small oversight can create opportunities for memory safety bugs, possibly exposing systems to exploitation.

If you’re running Intel GPUs on Linux, watch for distro security advisories and kernel updates — or patch yourself from upstream. Bugs like these are why regular security patches are essential!

Timeline

Published on: 05/01/2024 06:15:09 UTC
Last modified on: 04/08/2025 18:55:49 UTC