CVE-2024-44943

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/08/2024
Last modified:
16/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: gup: stop abusing try_grab_folio

A kernel warning was reported when pinning folio in CMA memory when
launching SEV virtual machine. The splat looks like:

[ 464.325306] WARNING: CPU: 13 PID: 6734 at mm/gup.c:1313 __get_user_pages+0x423/0x520
[ 464.325464] CPU: 13 PID: 6734 Comm: qemu-kvm Kdump: loaded Not tainted 6.6.33+ #6
[ 464.325477] RIP: 0010:__get_user_pages+0x423/0x520
[ 464.325515] Call Trace:
[ 464.325520]
[ 464.325523] ? __get_user_pages+0x423/0x520
[ 464.325528] ? __warn+0x81/0x130
[ 464.325536] ? __get_user_pages+0x423/0x520
[ 464.325541] ? report_bug+0x171/0x1a0
[ 464.325549] ? handle_bug+0x3c/0x70
[ 464.325554] ? exc_invalid_op+0x17/0x70
[ 464.325558] ? asm_exc_invalid_op+0x1a/0x20
[ 464.325567] ? __get_user_pages+0x423/0x520
[ 464.325575] __gup_longterm_locked+0x212/0x7a0
[ 464.325583] internal_get_user_pages_fast+0xfb/0x190
[ 464.325590] pin_user_pages_fast+0x47/0x60
[ 464.325598] sev_pin_memory+0xca/0x170 [kvm_amd]
[ 464.325616] sev_mem_enc_register_region+0x81/0x130 [kvm_amd]

Per the analysis done by yangge, when starting the SEV virtual machine, it
will call pin_user_pages_fast(..., FOLL_LONGTERM, ...) to pin the memory.
But the page is in CMA area, so fast GUP will fail then fallback to the
slow path due to the longterm pinnable check in try_grab_folio().

The slow path will try to pin the pages then migrate them out of CMA area.
But the slow path also uses try_grab_folio() to pin the page, it will
also fail due to the same check then the above warning is triggered.

In addition, the try_grab_folio() is supposed to be used in fast path and
it elevates folio refcount by using add ref unless zero. We are guaranteed
to have at least one stable reference in slow path, so the simple atomic add
could be used. The performance difference should be trivial, but the
misuse may be confusing and misleading.

Redefined try_grab_folio() to try_grab_folio_fast(), and try_grab_page()
to try_grab_folio(), and use them in the proper paths. This solves both
the abuse and the kernel warning.

The proper naming makes their use case more clear and should prevent from
abusing in the future.

peterx said:

: The user will see the pin fails, for gpu-slow it further triggers the WARN
: right below that failure (as in the original report):
:
: folio = try_grab_folio(page, page_increm - 1,
: foll_flags);
: if (WARN_ON_ONCE(!folio)) {

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6 (including) 6.6.47 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc7:*:*:*:*:*:*