Linux Kernel GGTT MMIO Access Protection Vulnerability in DRM/xe Component

Vulnerability

A vulnerability in the Linux kernel's handling of Global Graphics Translation Table (GGTT) Memory-Mapped I/O (MMIO) access within the Direct Rendering Manager (DRM) Xe component has been addressed. The issue arose because GGTT MMIO access protection relied on hotplug events, which only functioned correctly when the driver loaded successfully. In cases of driver load failure, the necessary unplugging process was not executed, leaving a gap in protection. Furthermore, the device management release functions could not ensure that all Buffer Objects (BOs) with GGTT mappings were cleared before the GGTT MMIO region was removed, as some BOs might be released asynchronously by worker threads. This vulnerability could potentially be exploited by manipulating the timing of BO releases in relation to GGTT MMIO region removals.

Impact

Exploitation of this vulnerability could lead to improper management of GGTT MMIO access, potentially allowing unauthorized modifications or accesses in the graphics memory management system. This could in turn cause instability or crashes in graphics-intensive applications or processes.

Reproduction

The vulnerability can be reproduced by loading a driver that interacts with the GGTT MMIO access in the DRM Xe component. If the driver load fails, the protection mechanism does not activate, leaving GGTT MMIO access unguarded. This can be further exploited by asynchronously freeing Buffer Objects with GGTT mappings, creating a race condition that takes advantage of the lack of proper MMIO access protection.

Remediation

The vulnerability has been fixed by introducing an open-coded flag that is protected by the GGTT lock, which now guards GGTT MMIO access. This flag is cleared during the device management release process to ensure that MMIO access is disabled before the GGTT region is removed. Users should update to the latest version of the Linux kernel where this fix has been applied.
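
The pattern described above, as an added userspace model (not the kernel's or the xe driver's code): a flag checked under a lock on every PTE write and cleared in the release path before the region is freed, so a BO released late by a worker is refused instead of touching a removed region. All names (ggtt_model, mmio_online, ggtt_model_clear_pte and so on) are hypothetical, and a pthread mutex and a heap array stand in for the GGTT lock and the MMIO region.

```c
/* Userspace model of a lock-protected "MMIO online" flag.
 * Hypothetical names throughout; this is not the xe driver's code. */
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct ggtt_model {
    pthread_mutex_t lock;   /* stands in for the GGTT lock */
    bool mmio_online;       /* the flag; read and written only under lock */
    uint64_t *ptes;         /* stands in for the GGTT MMIO region */
    size_t num_ptes;
    unsigned refused;       /* PTE writes refused by the guard */
};

int ggtt_model_init(struct ggtt_model *g, size_t n) {
    g->ptes = calloc(n, sizeof(*g->ptes));
    if (!g->ptes) return -1;
    g->num_ptes = n;
    g->refused = 0;
    g->mmio_online = true;
    return pthread_mutex_init(&g->lock, NULL);
}

/* Runs when a BO's GGTT mapping is torn down, possibly from a late worker. */
bool ggtt_model_clear_pte(struct ggtt_model *g, size_t idx) {
    bool ok;
    pthread_mutex_lock(&g->lock);
    ok = g->mmio_online && idx < g->num_ptes;
    if (ok) g->ptes[idx] = 0;   /* region is still valid: safe to write */
    else g->refused++;          /* offline or out of range: do not touch it */
    pthread_mutex_unlock(&g->lock);
    return ok;
}

/* Release path: clear the flag under the lock before the region goes away. */
void ggtt_model_release(struct ggtt_model *g) {
    pthread_mutex_lock(&g->lock);
    g->mmio_online = false;
    pthread_mutex_unlock(&g->lock);
    free(g->ptes);
    g->ptes = NULL;
}

int main(void) {
    struct ggtt_model g;
    if (ggtt_model_init(&g, 8)) return 1;
    bool before = ggtt_model_clear_pte(&g, 3);  /* BO freed while online */
    ggtt_model_release(&g);                     /* teardown begins */
    bool after = ggtt_model_clear_pte(&g, 5);   /* BO freed by a late worker */
    return (before && !after && g.refused == 1) ? 0 : 1;
}
```

Because the flag is cleared and tested under the same lock, a writer either completes before the region is freed or sees the flag cleared; no hotplug event is needed, so the guard also holds when driver load fails.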

Added: Apr 3, 2026, 4:50 PM
Updated: Apr 3, 2026, 4:50 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.9
exploitability: 3.9
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.