CVE-2024-26939

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.37

Description The issue is related to a use-after-free vulnerability in the Linux kernel's drm/i915/vma module. Object debugging tools were reporting attempts to free a still active i915 VMA object when parking a GT believed to be idle. This occurred due to a race condition between the deactivation of the VMA inside the active retire() helper and the reporting of the VMA's object deactivation to the object debugging tool. The vulnerability was introduced by a commit that removed the VMA refcount and was later made visible by a fix for a bug in i915 active.

To address the issue, a wakeref is acquired for the VMA's GT when activating it and released only after the VMA is deactivated, excluding global GTT to prevent the GPU from never going idle. The fix also involves using an async variant of wakeref put to avoid circular locking dependency.

Recommendations To resolve the issue, update the Linux kernel to version 6.6.37 or later. This update includes the fix for the use-after-free vulnerability in the drm/i915/vma module. Ensure that all systems using the Linux kernel are updated to this version or later to prevent potential exploitation of this vulnerability.