Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- 6.16-rc1
A race condition vulnerability has been identified in the Linux kernel's Direct Rendering Manager (DRM) scheduler, specifically within the single-producer, single-consumer (SPSC) queue management. This vulnerability arises because the function responsible for pushing jobs onto the SPSC queue can return a 'not-first' status while the job execution worker has already paused, due to the job count being zero. When this race condition occurs, it disrupts the job scheduling process, causing the system to hang while waiting for the job's Direct Memory Access (DMA) fences to be released. This issue was observed in a DRM-tip 6.16-rc1 build using the Xe driver, during a Shared Virtual Memory (SVM) test case.
Exploitation of this vulnerability leads to a deadlock situation, where the system hangs indefinitely while waiting for DMA fences, disrupting normal job scheduling and execution.
The vulnerability can be reproduced by using the Xe driver in a DRM-tip 6.16-rc1 build, and running a test case that involves Shared Virtual Memory (SVM) processing. This will create the conditions for the race condition to occur, as the job count can drop to zero, causing the job worker to idle while the SPSC queue management function attempts to push a new job onto the queue.
The vulnerability has been addressed by modifying the SPSC queue management to increment the job count before adding a new job to the queue. Users should update to the latest version of the Linux kernel where this fix has been applied.
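The ordering described above can be replayed deterministically. The following is an added example, not the kernel's code: a single-threaded C model in which the worker's pop is placed between the two steps of a push, with the job count incremented either after linking (pre-fix order) or before it (fixed order). All names (`publish`, `pop_then_idle`, `job_stranded`) are hypothetical, and the model assumes the producer wakes the worker only when the push reports "first" and that the worker idles when the count reaches zero, as the description states.

```c
/* Single-threaded model of the push/pop interleaving; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct node { struct node *next; };
struct queue { struct node *head; struct node **tail; int job_count; };

/* Producer step: swap the tail, link the node. True means "first in queue". */
static bool publish(struct queue *q, struct node *n)
{
    struct node **prev = q->tail;
    n->next = NULL;
    q->tail = &n->next;
    *prev = n;
    return prev == &q->head;
}

/* Worker step: pop one job, then report whether it idles (count is zero). */
static bool pop_then_idle(struct queue *q)
{
    struct node *n = q->head;
    if (n) {
        q->head = n->next;
        if (!n->next)
            q->tail = &q->head;
        q->job_count--;
    }
    return q->job_count == 0;
}

/* Job A is queued; the worker pops A between the two steps of pushing B.
 * Returns true when B is left queued with the worker idle and no wake-up. */
bool job_stranded(bool count_first)
{
    struct node a, b;
    struct queue q = { NULL, &q.head, 0 };

    q.job_count++;                      /* A: already queued, worker awake */
    publish(&q, &a);
    if (count_first) q.job_count++;     /* fixed order: count before link */
    bool first = publish(&q, &b);       /* not-first: A is still queued */
    bool idle = pop_then_idle(&q);      /* worker runs inside the window */
    if (!count_first) q.job_count++;    /* pre-fix order: count after link */
    return q.head == &b && idle && !first; /* waker only fires on "first" */
}

int main(void)
{
    printf("pre-fix order stranded: %d\n", job_stranded(false));
    printf("fixed order stranded:   %d\n", job_stranded(true));
    return 0;
}
```

In the pre-fix order the worker sees a count of zero after popping A even though B is already linked, so B stays queued with nothing to wake the worker; with the count incremented first, the worker sees a non-zero count and keeps running.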