
THREATINT
PUBLISHED

CVE-2025-38170

arm64/fpsimd: Discard stale CPU state when handling SME traps



Description

In the Linux kernel, the following vulnerability has been resolved:

arm64/fpsimd: Discard stale CPU state when handling SME traps

The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from do_sme_acc() where SME traps are not expected while TIF_SME is set:

| /* With TIF_SME userspace shouldn't generate any traps */
| if (test_and_set_thread_flag(TIF_SME))
|         WARN_ON(1);

This is very similar to the SVE issue we fixed in commit:

  751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps")

The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g.

| void do_sme_acc(unsigned long esr, struct pt_regs *regs)
| {
|         // Trap on CPU 0 with TIF_SME clear, SME traps enabled
|         // task->fpsimd_cpu is 0.
|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.
|
|         ...
|
|         // Preempted; migrated from CPU 0 to CPU 1.
|         // TIF_FOREIGN_FPSTATE is set.
|
|         get_cpu_fpsimd_context();
|
|         /* With TIF_SME userspace shouldn't generate any traps */
|         if (test_and_set_thread_flag(TIF_SME))
|                 WARN_ON(1);
|
|         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
|                 unsigned long vq_minus_one =
|                         sve_vq_from_vl(task_get_sme_vl(current)) - 1;
|                 sme_set_vq(vq_minus_one);
|
|                 fpsimd_bind_task_to_cpu();
|         }
|
|         put_cpu_fpsimd_context();
|
|         // Preempted; migrated from CPU 1 to CPU 0.
|         // task->fpsimd_cpu is still 0
|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
|         // - Stale HW state is reused (with SME traps enabled)
|         // - TIF_FOREIGN_FPSTATE is cleared
|         // - A return to userspace skips HW state restore
| }

Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state.

This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.

Note: this was originally posted as [1].

[ Rutland: rewrite commit message ]

Reserved 2025-04-16 | Published 2025-07-03 | Updated 2025-07-03 | Assigner Linux

Product status

Default status: unaffected

8bd7f91c03d886f41d35f6108078d20be5a4a1bd before de89368de3894a8db27caeb8fd902ba1c49f696a: affected
8bd7f91c03d886f41d35f6108078d20be5a4a1bd before 43be952e885476dafb74aa832c0847b2f4f650c6: affected
8bd7f91c03d886f41d35f6108078d20be5a4a1bd before 6103f9ba51a59afb5a0f32299c837377c5a5a693: affected
8bd7f91c03d886f41d35f6108078d20be5a4a1bd before c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3: affected
8bd7f91c03d886f41d35f6108078d20be5a4a1bd before d3eaab3c70905c5467e5c4ea403053d67505adeb: affected

Default status: affected

5.19: affected
Any version before 5.19: unaffected
6.1.142: unaffected
6.6.94: unaffected
6.12.34: unaffected
6.15.3: unaffected
6.16-rc1: unaffected
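
The following is an added triage helper, not part of the CVE record: it classifies a kernel release string (for example the output of `uname -r`) against the version ranges listed above, treating each listed release as the first fixed release on its stable branch. It cannot see distribution kernels that backport the fix without changing the upstream version string, so a result of "affected" for such a kernel still needs to be checked against the distribution's own advisory.

```python
import re

# Earliest fixed release on each affected stable branch, taken from the
# product status list of this advisory.
FIXED_STABLE = {
    (6, 1): (6, 1, 142),
    (6, 6): (6, 6, 94),
    (6, 12): (6, 12, 34),
    (6, 15): (6, 15, 3),
}
FIRST_AFFECTED_BRANCH = (5, 19)   # "Any version before 5.19: unaffected"
FIXED_MAINLINE_BRANCH = (6, 16)   # "6.16-rc1: unaffected"


def parse_release(release: str) -> tuple:
    """Parse 'major.minor[.patch][-rcN][-distro-suffix]' into
    (major, minor, patch, rc). patch defaults to 0, rc is None for a
    final release, and anything after the version core is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else None)


def is_affected(release: str) -> bool:
    """True if the upstream version in `release` falls inside an affected
    range of this advisory. Backported distro fixes are not detected."""
    major, minor, patch, _rc = parse_release(release)
    branch = (major, minor)
    if branch < FIRST_AFFECTED_BRANCH:
        return False                 # vulnerable code not present before 5.19
    if branch >= FIXED_MAINLINE_BRANCH:
        return False                 # mainline fixed from 6.16-rc1 onwards
    fixed = FIXED_STABLE.get(branch)
    if fixed is None:
        return True                  # affected branch with no listed fix
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(f"{rel}: {'AFFECTED' if is_affected(rel) else 'not affected'}")
```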

References

git.kernel.org/...c/de89368de3894a8db27caeb8fd902ba1c49f696a

git.kernel.org/...c/43be952e885476dafb74aa832c0847b2f4f650c6

git.kernel.org/...c/6103f9ba51a59afb5a0f32299c837377c5a5a693

git.kernel.org/...c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3

git.kernel.org/...c/d3eaab3c70905c5467e5c4ea403053d67505adeb

cve.org (CVE-2025-38170)

nvd.nist.gov (CVE-2025-38170)

Share this page
https://cve.threatint.eu/CVE/CVE-2025-38170
