Janusz Krzysztofik

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.9.0 **Description** The issue is related to a potential use-after-free (UAF) vulnerability in the Linux kernel's drm/i915/gt module. The vulnerability can be triggered by a race condition between the revocation of fence registers and the sequential execution of signal callbacks invoked on completion of a request that was using them. This can lead to a kernel bug and potentially allow an attacker to elevate their privileges. The vulnerability is caused by a missing wait for idleness of `vma->fence->active` in the `i915 vma revoke fence()` function. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the vulnerability, which involves waiting for idleness of `vma->fence->active` in the `i915 vma revoke fence()` function. As a temporary workaround, consider disabling the `i915 vma revoke fence()` function until a patch is available. However, this may have performance implications and should be carefully evaluated before implementation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** The issue is related to a use-after-free vulnerability in the Linux kernel's drm/i915/vma module. Object debugging tools were reporting attempts to free a still active i915 VMA object when parking a GT believed to be idle. This occurred due to a race condition between the deactivation of the VMA inside the active retire() helper and the reporting of the VMA's object deactivation to the object debugging tool. The vulnerability was introduced by a commit that removed the VMA refcount and was later made visible by a fix for a bug in i915 active. To address the issue, a wakeref is acquired for the VMA's GT when activating it and released only after the VMA is deactivated, excluding global GTT to prevent the GPU from never going idle. The fix also involves using an async variant of wakeref put to avoid circular locking dependency. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.37 or later. This update includes the fix for the use-after-free vulnerability in the drm/i915/vma module. Ensure that all systems using the Linux kernel are updated to this version or later to prevent potential exploitation of this vulnerability.