fkie_cve-2023-53087
Vulnerability from fkie_nvd
Published
2025-05-02 16:15
Modified
2025-05-05 20:54
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/active: Fix misuse of non-idle barriers as fence trackers
Users reported oopses on list corruptions when using i915 perf with a
number of concurrently running graphics applications. Root cause analysis
pointed at an issue in barrier processing code -- a race among perf open /
close replacing active barriers with perf requests on kernel context and
concurrent barrier preallocate / acquire operations performed during user
context first pin / last unpin.
When adding a request to a composite tracker, we try to reuse an existing
fence tracker, already allocated and registered with that composite. The
tracker we obtain may already track another fence, may be an idle barrier,
or an active barrier.
If the tracker we get occurs a non-idle barrier then we try to delete that
barrier from a list of barrier tasks it belongs to. However, while doing
that we don't respect return value from a function that performs the
barrier deletion. Should the deletion ever fail, we would end up reusing
the tracker still registered as a barrier task. Since the same structure
field is reused with both fence callback lists and barrier tasks list,
list corruptions would likely occur.
Barriers are now deleted from a barrier tasks list by temporarily removing
the list content, traversing that content with skip over the node to be
deleted, then populating the list back with the modified content. Should
that intentionally racy concurrent deletion attempts be not serialized,
one or more of those may fail because of the list being temporary empty.
Related code that ignores the results of barrier deletion was initially
introduced in v5.4 by commit d8af05ff38ae ("drm/i915: Allow sharing the
idle-barrier from other kernel requests"). However, all users of the
barrier deletion routine were apparently serialized at that time, then the
issue didn't exhibit itself. Results of git bisect with help of a newly
developed igt@gem_barrier_race@remote-request IGT test indicate that list
corruptions might start to appear after commit 311770173fac ("drm/i915/gt:
Schedule request retirement when timeline idles"), introduced in v5.5.
Respect results of barrier deletion attempts -- mark the barrier as idle
only if successfully deleted from the list. Then, before proceeding with
setting our fence as the one currently tracked, make sure that the tracker
we've got is not a non-idle barrier. If that check fails then don't use
that tracker but go back and try to acquire a new, usable one.
v3: use unlikely() to document what outcome we expect (Andi),
- fix bad grammar in commit description.
v2: no code changes,
- blame commit 311770173fac ("drm/i915/gt: Schedule request retirement
when timeline idles"), v5.5, not commit d8af05ff38ae ("drm/i915: Allow
sharing the idle-barrier from other kernel requests"), v5.4,
- reword commit description.
(cherry picked from commit 506006055769b10d1b2b4e22f636f3b45e0e9fc7)
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/active: Fix misuse of non-idle barriers as fence trackers\n\nUsers reported oopses on list corruptions when using i915 perf with a\nnumber of concurrently running graphics applications. Root cause analysis\npointed at an issue in barrier processing code -- a race among perf open /\nclose replacing active barriers with perf requests on kernel context and\nconcurrent barrier preallocate / acquire operations performed during user\ncontext first pin / last unpin.\n\nWhen adding a request to a composite tracker, we try to reuse an existing\nfence tracker, already allocated and registered with that composite. The\ntracker we obtain may already track another fence, may be an idle barrier,\nor an active barrier.\n\nIf the tracker we get occurs a non-idle barrier then we try to delete that\nbarrier from a list of barrier tasks it belongs to. However, while doing\nthat we don\u0027t respect return value from a function that performs the\nbarrier deletion. Should the deletion ever fail, we would end up reusing\nthe tracker still registered as a barrier task. Since the same structure\nfield is reused with both fence callback lists and barrier tasks list,\nlist corruptions would likely occur.\n\nBarriers are now deleted from a barrier tasks list by temporarily removing\nthe list content, traversing that content with skip over the node to be\ndeleted, then populating the list back with the modified content. Should\nthat intentionally racy concurrent deletion attempts be not serialized,\none or more of those may fail because of the list being temporary empty.\n\nRelated code that ignores the results of barrier deletion was initially\nintroduced in v5.4 by commit d8af05ff38ae (\"drm/i915: Allow sharing the\nidle-barrier from other kernel requests\"). However, all users of the\nbarrier deletion routine were apparently serialized at that time, then the\nissue didn\u0027t exhibit itself. Results of git bisect with help of a newly\ndeveloped igt@gem_barrier_race@remote-request IGT test indicate that list\ncorruptions might start to appear after commit 311770173fac (\"drm/i915/gt:\nSchedule request retirement when timeline idles\"), introduced in v5.5.\n\nRespect results of barrier deletion attempts -- mark the barrier as idle\nonly if successfully deleted from the list. Then, before proceeding with\nsetting our fence as the one currently tracked, make sure that the tracker\nwe\u0027ve got is not a non-idle barrier. If that check fails then don\u0027t use\nthat tracker but go back and try to acquire a new, usable one.\n\nv3: use unlikely() to document what outcome we expect (Andi),\n - fix bad grammar in commit description.\nv2: no code changes,\n - blame commit 311770173fac (\"drm/i915/gt: Schedule request retirement\n when timeline idles\"), v5.5, not commit d8af05ff38ae (\"drm/i915: Allow\n sharing the idle-barrier from other kernel requests\"), v5.4,\n - reword commit description.\n\n(cherry picked from commit 506006055769b10d1b2b4e22f636f3b45e0e9fc7)"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/i915/active: Arregla el mal uso de barreras no inactivas como rastreadores de vallas Los usuarios informaron errores en las corrupciones de listas al usar i915 perf con varias aplicaciones gr\u00e1ficas que se ejecutan simult\u00e1neamente. El an\u00e1lisis de la causa ra\u00edz apunt\u00f3 a un problema en el c\u00f3digo de procesamiento de barreras: una ejecuci\u00f3n entre la apertura/cierre de perf que reemplaza las barreras activas con solicitudes de perf en el contexto del kernel y las operaciones de preasignaci\u00f3n/adquisici\u00f3n de barreras simult\u00e1neas realizadas durante el primer pin/\u00faltimo desanclaje del contexto del usuario. Al agregar una solicitud a un rastreador compuesto, intentamos reutilizar un rastreador de vallas existente, ya asignado y registrado con ese compuesto. El rastreador que obtenemos puede que ya rastree otra valla, puede ser una barrera inactiva o una barrera activa. Si el rastreador que obtenemos ocurre con una barrera no inactiva, entonces intentamos eliminar esa barrera de una lista de tareas de barrera a la que pertenece. Sin embargo, mientras hacemos eso no respetamos el valor de retorno de una funci\u00f3n que realiza la eliminaci\u00f3n de la barrera. Si la eliminaci\u00f3n falla, terminar\u00edamos reutilizando el rastreador a\u00fan registrado como tarea de barrera. Dado que el mismo campo de estructura se reutiliza tanto con las listas de devoluci\u00f3n de llamadas de valla como con la lista de tareas de barrera, es probable que se produzcan da\u00f1os en la lista. Ahora, las barreras se eliminan de una lista de tareas de barrera eliminando temporalmente su contenido, recorri\u00e9ndolo con la omisi\u00f3n del nodo que se va a eliminar y, a continuaci\u00f3n, rellenando la lista con el contenido modificado. Si estos intentos de eliminaci\u00f3n concurrentes, intencionalmente agresivos, no se serializan, uno o m\u00e1s de ellos podr\u00edan fallar debido a que la lista est\u00e1 temporalmente vac\u00eda. El c\u00f3digo relacionado que ignora los resultados de la eliminaci\u00f3n de barrera se introdujo inicialmente en la versi\u00f3n 5.4 mediante el commit d8af05ff38ae (\"drm/i915: Permitir compartir la barrera inactiva con otras solicitudes del kernel\"). Sin embargo, todos los usuarios de la rutina de eliminaci\u00f3n de barrera aparentemente estaban serializados en ese momento, por lo que el problema no se manifest\u00f3. Los resultados de git bisect con la ayuda de una prueba IGT igt@gem_barrier_race@remote-request recientemente desarrollada indican que podr\u00edan aparecer corrupciones en la lista despu\u00e9s deel commit 311770173fac (\"drm/i915/gt: Retirada de solicitud de programaci\u00f3n cuando la l\u00ednea de tiempo est\u00e1 inactiva\"), introducida en la v5.5. Respetar los resultados de los intentos de eliminaci\u00f3n de barreras: marcar la barrera como inactiva solo si se elimina correctamente de la lista. Luego, antes de configurar nuestra barrera como la que se rastrea actualmente, asegurarse de que el rastreador que tenemos no sea una barrera no inactiva. Si la comprobaci\u00f3n falla, no usar ese rastreador, sino volver atr\u00e1s e intentar obtener uno nuevo y utilizable. v3: usar Unlikely() para documentar el resultado esperado (Andi). Corregir errores gramaticales en la descripci\u00f3n de la confirmaci\u00f3n. v2: sin cambios de c\u00f3digo, - culpar a el commit 311770173fac (\"drm/i915/gt: Programar el retiro de solicitudes cuando la l\u00ednea de tiempo est\u00e1 inactiva\"), v5.5, no confirmar d8af05ff38ae (\"drm/i915: Permitir compartir la barrera de inactividad con otras solicitudes del kernel\"), v5.4, - reformular la descripci\u00f3n deel commit. (Seleccionado de la confirmaci\u00f3n 506006055769b10d1b2b4e22f636f3b45e0e9fc7)"
}
],
"id": "CVE-2023-53087",
"lastModified": "2025-05-05T20:54:45.973",
"metrics": {},
"published": "2025-05-02T16:15:27.667",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/5c7591b8574c52c56b3994c2fbef1a3a311b5715"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/5e784a7d07af42057c0576fb647b482f4cb0dc2c"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/6ab7d33617559cced63d467928f478ea5c459021"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/9159db27fb19bbf1c91b5c9d5285e66cc96cc5ff"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/e0e6b416b25ee14716f3549e0cbec1011b193809"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…