CVE-2024-44943: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm: gup: stop abusing try_grab_folio A kernel warning was reported when pinning folio in CMA memory when launching SEV virtual machine. The splat looks like: [ 464.325306] WARNING: CPU: 13 PID: 6734 at mm/gup.c:1313 __get_user_pages+0x423/0x520 [ 464.325464] CPU: 13 PID: 6734 Comm: qemu-kvm Kdump: loaded Not tainted 6.6.33+ #6 [ 464.325477] RIP: 0010:__get_user_pages+0x423/0x520 [ 464.325515] Call Trace: [ 464.325520] <TASK> [ 464.325523] ? __get_user_pages+0x423/0x520 [ 464.325528] ? __warn+0x81/0x130 [ 464.325536] ? __get_user_pages+0x423/0x520 [ 464.325541] ? report_bug+0x171/0x1a0 [ 464.325549] ? handle_bug+0x3c/0x70 [ 464.325554] ? exc_invalid_op+0x17/0x70 [ 464.325558] ? asm_exc_invalid_op+0x1a/0x20 [ 464.325567] ? __get_user_pages+0x423/0x520 [ 464.325575] __gup_longterm_locked+0x212/0x7a0 [ 464.325583] internal_get_user_pages_fast+0xfb/0x190 [ 464.325590] pin_user_pages_fast+0x47/0x60 [ 464.325598] sev_pin_memory+0xca/0x170 [kvm_amd] [ 464.325616] sev_mem_enc_register_region+0x81/0x130 [kvm_amd] Per the analysis done by yangge, when starting the SEV virtual machine, it will call pin_user_pages_fast(..., FOLL_LONGTERM, ...) to pin the memory. But the page is in CMA area, so fast GUP will fail then fallback to the slow path due to the longterm pinnalbe check in try_grab_folio(). The slow path will try to pin the pages then migrate them out of CMA area. But the slow path also uses try_grab_folio() to pin the page, it will also fail due to the same check then the above warning is triggered. In addition, the try_grab_folio() is supposed to be used in fast path and it elevates folio refcount by using add ref unless zero. We are guaranteed to have at least one stable reference in slow path, so the simple atomic add could be used. The performance difference should be trivial, but the misuse may be confusing and misleading. Redefined try_grab_folio() to try_grab_folio_fast(), and try_grab_page() to try_grab_folio(), and use them in the proper paths. This solves both the abuse and the kernel warning. The proper naming makes their usecase more clear and should prevent from abusing in the future. peterx said: : The user will see the pin fails, for gpu-slow it further triggers the WARN : right below that failure (as in the original report): : : folio = try_grab_folio(page, page_increm - 1, : foll_flags); : if (WARN_ON_ONCE(!folio)) { <------------------------ here : /* : * Release the 1st page ref if the : * folio is problematic, fail hard. : */ : gup_put_folio(page_folio(page), 1, : foll_flags); : ret = -EFAULT; : goto out; : } [1] https://lore.kernel.org/linux-mm/1719478388-31917-1-git-send-email-yangge1116@126.com/ [shy828301@gmail.com: fix implicit declaration of function try_grab_folio_fast]
AI Analysis
Technical Summary
CVE-2024-44943 is a vulnerability in the Linux kernel related to improper handling of page pinning in the memory management subsystem, specifically within the get_user_pages (GUP) functionality. The issue arises when pinning folios (groups of pages) in the Contiguous Memory Allocator (CMA) area during the launch of Secure Encrypted Virtualization (SEV) virtual machines. The vulnerability is triggered because the kernel incorrectly uses the try_grab_folio() function in both fast and slow paths of pinning memory pages. try_grab_folio() is intended for fast-path usage and performs a conditional reference count increment, which can fail when used in the slow path where a stable reference is guaranteed. This misuse leads to kernel warnings and potential pinning failures. Specifically, when SEV virtual machines attempt to pin memory pages with pin_user_pages_fast(..., FOLL_LONGTERM, ...), the fast path fails for pages in CMA memory, falling back to the slow path. However, the slow path also uses try_grab_folio(), which fails due to the same checks, causing kernel warnings and pinning failures. The patch redefines try_grab_folio() as try_grab_folio_fast() for fast-path usage and introduces a proper try_grab_folio() for slow-path usage, correcting the misuse and preventing the kernel warnings. This fix clarifies the intended use cases of these functions and prevents future confusion or misuse. While the vulnerability does not directly cause memory corruption or privilege escalation, it affects the stability and reliability of SEV virtual machine launches by causing pinning failures and kernel warnings. This can impact virtualization environments relying on SEV and CMA memory, potentially leading to degraded performance or failed VM startups.
Potential Impact
For European organizations, especially those utilizing Linux-based virtualization infrastructures with AMD SEV technology, this vulnerability can lead to operational disruptions. SEV is widely used for confidential computing to protect VM memory, and failures in memory pinning can cause virtual machines to fail to launch or operate correctly. This impacts cloud service providers, data centers, and enterprises relying on secure virtualization for sensitive workloads. The kernel warnings and pinning failures may also complicate troubleshooting and system stability, potentially increasing downtime or maintenance overhead. Although no direct exploitation for privilege escalation or data breach is reported, the inability to properly pin memory in CMA areas can degrade the security guarantees of SEV VMs and affect the availability of critical services. Organizations with high reliance on Linux kernels that include CMA and SEV support, such as those running private clouds, HPC clusters, or secure multi-tenant environments, are at risk of service interruptions and reduced trust in their virtualization security posture.
Mitigation Recommendations
1. Apply the official Linux kernel patch that redefines try_grab_folio() and try_grab_folio_fast() functions to their proper usage contexts, as described in the patch notes and mailing list discussions. This is the definitive fix to prevent the kernel warnings and pinning failures. 2. For organizations unable to immediately patch, consider disabling SEV virtual machines temporarily or avoiding configurations that heavily rely on CMA memory pinning until the patch is applied. 3. Monitor kernel logs for warnings related to __get_user_pages and try_grab_folio to detect potential occurrences of this issue. 4. Test virtualization workloads in staging environments after patching to ensure SEV VM launches succeed without warnings or failures. 5. Collaborate with Linux distribution vendors to prioritize backporting and distributing the fix in stable kernel releases used in production. 6. Review and update virtualization management tools and hypervisors (e.g., QEMU-KVM) to ensure compatibility with the patched kernel behavior. 7. Educate system administrators about this specific kernel warning to avoid misinterpretation as unrelated hardware or software faults.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2024-44943: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm: gup: stop abusing try_grab_folio A kernel warning was reported when pinning folio in CMA memory when launching SEV virtual machine. The splat looks like: [ 464.325306] WARNING: CPU: 13 PID: 6734 at mm/gup.c:1313 __get_user_pages+0x423/0x520 [ 464.325464] CPU: 13 PID: 6734 Comm: qemu-kvm Kdump: loaded Not tainted 6.6.33+ #6 [ 464.325477] RIP: 0010:__get_user_pages+0x423/0x520 [ 464.325515] Call Trace: [ 464.325520] <TASK> [ 464.325523] ? __get_user_pages+0x423/0x520 [ 464.325528] ? __warn+0x81/0x130 [ 464.325536] ? __get_user_pages+0x423/0x520 [ 464.325541] ? report_bug+0x171/0x1a0 [ 464.325549] ? handle_bug+0x3c/0x70 [ 464.325554] ? exc_invalid_op+0x17/0x70 [ 464.325558] ? asm_exc_invalid_op+0x1a/0x20 [ 464.325567] ? __get_user_pages+0x423/0x520 [ 464.325575] __gup_longterm_locked+0x212/0x7a0 [ 464.325583] internal_get_user_pages_fast+0xfb/0x190 [ 464.325590] pin_user_pages_fast+0x47/0x60 [ 464.325598] sev_pin_memory+0xca/0x170 [kvm_amd] [ 464.325616] sev_mem_enc_register_region+0x81/0x130 [kvm_amd] Per the analysis done by yangge, when starting the SEV virtual machine, it will call pin_user_pages_fast(..., FOLL_LONGTERM, ...) to pin the memory. But the page is in CMA area, so fast GUP will fail then fallback to the slow path due to the longterm pinnalbe check in try_grab_folio(). The slow path will try to pin the pages then migrate them out of CMA area. But the slow path also uses try_grab_folio() to pin the page, it will also fail due to the same check then the above warning is triggered. In addition, the try_grab_folio() is supposed to be used in fast path and it elevates folio refcount by using add ref unless zero. We are guaranteed to have at least one stable reference in slow path, so the simple atomic add could be used. The performance difference should be trivial, but the misuse may be confusing and misleading. Redefined try_grab_folio() to try_grab_folio_fast(), and try_grab_page() to try_grab_folio(), and use them in the proper paths. This solves both the abuse and the kernel warning. The proper naming makes their usecase more clear and should prevent from abusing in the future. peterx said: : The user will see the pin fails, for gpu-slow it further triggers the WARN : right below that failure (as in the original report): : : folio = try_grab_folio(page, page_increm - 1, : foll_flags); : if (WARN_ON_ONCE(!folio)) { <------------------------ here : /* : * Release the 1st page ref if the : * folio is problematic, fail hard. : */ : gup_put_folio(page_folio(page), 1, : foll_flags); : ret = -EFAULT; : goto out; : } [1] https://lore.kernel.org/linux-mm/1719478388-31917-1-git-send-email-yangge1116@126.com/ [shy828301@gmail.com: fix implicit declaration of function try_grab_folio_fast]
AI-Powered Analysis
Technical Analysis
CVE-2024-44943 is a vulnerability in the Linux kernel related to improper handling of page pinning in the memory management subsystem, specifically within the get_user_pages (GUP) functionality. The issue arises when pinning folios (groups of pages) in the Contiguous Memory Allocator (CMA) area during the launch of Secure Encrypted Virtualization (SEV) virtual machines. The vulnerability is triggered because the kernel incorrectly uses the try_grab_folio() function in both fast and slow paths of pinning memory pages. try_grab_folio() is intended for fast-path usage and performs a conditional reference count increment, which can fail when used in the slow path where a stable reference is guaranteed. This misuse leads to kernel warnings and potential pinning failures. Specifically, when SEV virtual machines attempt to pin memory pages with pin_user_pages_fast(..., FOLL_LONGTERM, ...), the fast path fails for pages in CMA memory, falling back to the slow path. However, the slow path also uses try_grab_folio(), which fails due to the same checks, causing kernel warnings and pinning failures. The patch redefines try_grab_folio() as try_grab_folio_fast() for fast-path usage and introduces a proper try_grab_folio() for slow-path usage, correcting the misuse and preventing the kernel warnings. This fix clarifies the intended use cases of these functions and prevents future confusion or misuse. While the vulnerability does not directly cause memory corruption or privilege escalation, it affects the stability and reliability of SEV virtual machine launches by causing pinning failures and kernel warnings. This can impact virtualization environments relying on SEV and CMA memory, potentially leading to degraded performance or failed VM startups.
Potential Impact
For European organizations, especially those utilizing Linux-based virtualization infrastructures with AMD SEV technology, this vulnerability can lead to operational disruptions. SEV is widely used for confidential computing to protect VM memory, and failures in memory pinning can cause virtual machines to fail to launch or operate correctly. This impacts cloud service providers, data centers, and enterprises relying on secure virtualization for sensitive workloads. The kernel warnings and pinning failures may also complicate troubleshooting and system stability, potentially increasing downtime or maintenance overhead. Although no direct exploitation for privilege escalation or data breach is reported, the inability to properly pin memory in CMA areas can degrade the security guarantees of SEV VMs and affect the availability of critical services. Organizations with high reliance on Linux kernels that include CMA and SEV support, such as those running private clouds, HPC clusters, or secure multi-tenant environments, are at risk of service interruptions and reduced trust in their virtualization security posture.
Mitigation Recommendations
1. Apply the official Linux kernel patch that redefines try_grab_folio() and try_grab_folio_fast() functions to their proper usage contexts, as described in the patch notes and mailing list discussions. This is the definitive fix to prevent the kernel warnings and pinning failures. 2. For organizations unable to immediately patch, consider disabling SEV virtual machines temporarily or avoiding configurations that heavily rely on CMA memory pinning until the patch is applied. 3. Monitor kernel logs for warnings related to __get_user_pages and try_grab_folio to detect potential occurrences of this issue. 4. Test virtualization workloads in staging environments after patching to ensure SEV VM launches succeed without warnings or failures. 5. Collaborate with Linux distribution vendors to prioritize backporting and distributing the fix in stable kernel releases used in production. 6. Review and update virtualization management tools and hypervisors (e.g., QEMU-KVM) to ensure compatibility with the patched kernel behavior. 7. Educate system administrators about this specific kernel warning to avoid misinterpretation as unrelated hardware or software faults.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-08-21T05:34:56.665Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9826c4522896dcbe0cea
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/28/2025, 10:56:11 PM
Last updated: 8/13/2025, 6:48:05 PM
Views: 13
Related Threats
CVE-2025-8951: SQL Injection in PHPGurukul Teachers Record Management System
MediumCVE-2025-8950: SQL Injection in Campcodes Online Recruitment Management System
MediumCVE-2025-27388: CWE-20 Improper Input Validation in OPPO OPPO HEALTH APP
HighCVE-2025-8949: Stack-based Buffer Overflow in D-Link DIR-825
HighCVE-2025-8948: SQL Injection in projectworlds Visitor Management System
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.