fkie_cve-2025-38170
Vulnerability from fkie_nvd
Published
2025-07-03 09:15
Modified
2025-11-03 18:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: Discard stale CPU state when handling SME traps The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from do_sme_acc() where SME traps are not expected while TIF_SME is set: | /* With TIF_SME userspace shouldn't generate any traps */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); This is very similar to the SVE issue we fixed in commit: 751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps") The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g. | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { | // Trap on CPU 0 with TIF_SME clear, SME traps enabled | // task->fpsimd_cpu is 0. | // per_cpu_ptr(&fpsimd_last_state, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIF_FOREIGN_FPSTATE is set. | | get_cpu_fpsimd_context(); | | /* With TIF_SME userspace shouldn't generate any traps */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); | | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | unsigned long vq_minus_one = | sve_vq_from_vl(task_get_sme_vl(current)) - 1; | sme_set_vq(vq_minus_one); | | fpsimd_bind_task_to_cpu(); | } | | put_cpu_fpsimd_context(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimd_cpu is still 0 | // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: | // - Stale HW state is reused (with SME traps enabled) | // - TIF_FOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace. Note: this was originallly posted as [1]. [ Rutland: rewrite commit message ]
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/43be952e885476dafb74aa832c0847b2f4f650c6
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6103f9ba51a59afb5a0f32299c837377c5a5a693
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d3eaab3c70905c5467e5c4ea403053d67505adeb
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/de89368de3894a8db27caeb8fd902ba1c49f696a
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Discard stale CPU state when handling SME traps\n\nThe logic for handling SME traps manipulates saved FPSIMD/SVE/SME state\nincorrectly, and a race with preemption can result in a task having\nTIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SME traps enabled). This can result in warnings from\ndo_sme_acc() where SME traps are not expected while TIF_SME is set:\n\n|        /* With TIF_SME userspace shouldn\u0027t generate any traps */\n|        if (test_and_set_thread_flag(TIF_SME))\n|                WARN_ON(1);\n\nThis is very similar to the SVE issue we fixed in commit:\n\n  751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")\n\nThe race can occur when the SME trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE/SME state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sme_acc(unsigned long esr, struct pt_regs *regs)\n| {\n|         // Trap on CPU 0 with TIF_SME clear, SME traps enabled\n|         // task-\u003efpsimd_cpu is 0.\n|         // per_cpu_ptr(\u0026fpsimd_last_state, 0) is task.\n|\n|         ...\n|\n|         // Preempted; migrated from CPU 0 to CPU 1.\n|         // TIF_FOREIGN_FPSTATE is set.\n|\n|         get_cpu_fpsimd_context();\n|\n|         /* With TIF_SME userspace shouldn\u0027t generate any traps */\n|         if (test_and_set_thread_flag(TIF_SME))\n|                 WARN_ON(1);\n|\n|         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n|                 unsigned long vq_minus_one =\n|                         sve_vq_from_vl(task_get_sme_vl(current)) - 1;\n|                 sme_set_vq(vq_minus_one);\n|\n|                 fpsimd_bind_task_to_cpu();\n|         }\n|\n|         put_cpu_fpsimd_context();\n|\n|         // Preempted; migrated from CPU 1 to CPU 0.\n|         // task-\u003efpsimd_cpu is still 0\n|         // If per_cpu_ptr(\u0026fpsimd_last_state, 0) is still task then:\n|         // - Stale HW state is reused (with SME traps enabled)\n|         // - TIF_FOREIGN_FPSTATE is cleared\n|         // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.\n\nNote: this was originallly posted as [1].\n\n[ Rutland: rewrite commit message ]"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64/fpsimd: Descartar estado de CPU obsoleto al manejar trampas de SME La l\u00f3gica para manejar trampas de SME manipula incorrectamente el estado FPSIMD/SVE/SME guardado, y una ejecuci\u00f3n con preempci\u00f3n puede dar como resultado que una tarea tenga TIF_SME establecido y TIF_FOREIGN_FPSTATE borrado incluso si el estado de CPU en vivo est\u00e1 obsoleto (por ejemplo, con trampas de SME habilitadas). Esto puede dar como resultado advertencias de do_sme_acc() donde no se esperan trampas de SME mientras TIF_SME est\u00e9 establecido: | /* Con TIF_SME, el espacio de usuario no deber\u00eda generar ninguna trampa */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); Esto es muy similar al problema de SVE que corregimos en el commit: 751ecf6afd6568ad (\"arm64/sve: descartar estado de CPU obsoleto al manejar trampas de SVE\") La ejecuci\u00f3n puede ocurrir cuando el controlador de trampas de SME se interrumpe antes y despu\u00e9s de manipular el estado FPSIMD/SVE/SME guardado, comenzando y terminando en la misma CPU, por ejemplo, | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { | // Trampa en la CPU 0 con TIF_SME limpio, trampas de SME habilitadas | // task-\u0026gt;fpsimd_cpu es 0. | // per_cpu_ptr(\u0026amp;fpsimd_last_state, 0) es la tarea. | | ... | | // Interrumpido; migrado de la CPU 0 a la CPU 1. | // TIF_FOREIGN_FPSTATE est\u00e1 configurado. | | get_cpu_fpsimd_context(); | | /* Con TIF_SME el espacio de usuario no deber\u00eda generar ninguna trampa */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); | | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | unsigned long vq_minus_one = | sve_vq_from_vl(task_get_sme_vl(current)) - 1; | sme_set_vq(vq_minus_one); | | fpsimd_bind_task_to_cpu(); | } | | put_cpu_fpsimd_context(); | | // Interrumpido; migrado de la CPU 1 a la CPU 0. | // task-\u0026gt;fpsimd_cpu sigue siendo 0 | // Si per_cpu_ptr(\u0026amp;fpsimd_last_state, 0) sigue siendo tarea, entonces: | // - Se reutiliza el estado de hardware obsoleto (con las trampas de SME habilitadas) | // - Se borra TIF_FOREIGN_FPSTATE | // - Al regresar al espacio de usuario, se omite la restauraci\u00f3n del estado de hardware | } Se soluciona el caso en el que el estado no est\u00e1 activo y TIF_FOREIGN_FPSTATE se establece llamando a fpsimd_flush_task_state() para separarlo del estado de CPU guardado. Esto garantiza que un cambio de contexto posterior no reutilice el estado de CPU obsoleto, sino que establezca TIF_FOREIGN_FPSTATE, forzando la recarga del nuevo estado desde la memoria antes de regresar al espacio de usuario. Nota: esto se public\u00f3 originalmente como [1]. [Rutland: reescribir el mensaje de confirmaci\u00f3n]"
    }
  ],
  "id": "CVE-2025-38170",
  "lastModified": "2025-11-03T18:16:06.860",
  "metrics": {},
  "published": "2025-07-03T09:15:32.643",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/43be952e885476dafb74aa832c0847b2f4f650c6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6103f9ba51a59afb5a0f32299c837377c5a5a693"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d3eaab3c70905c5467e5c4ea403053d67505adeb"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/de89368de3894a8db27caeb8fd902ba1c49f696a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.