CVE-2024-50275

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/11/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

arm64/sve: Discard stale CPU state when handling SVE traps

The logic for handling SVE traps manipulates saved FPSIMD/SVE state
incorrectly, and a race with preemption can result in a task having
TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
is stale (e.g. with SVE traps enabled). This has been observed to result
in warnings from do_sve_acc() where SVE traps are not expected while
TIF_SVE is set:

| if (test_and_set_thread_flag(TIF_SVE))
|         WARN_ON(1); /* SVE access shouldn't have trapped */

Warnings of this form have been reported intermittently, e.g.

https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/
https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/

The race can occur when the SVE trap handler is preempted before and
after manipulating the saved FPSIMD/SVE state, starting and ending on
the same CPU, e.g.

| void do_sve_acc(unsigned long esr, struct pt_regs *regs)
| {
|         // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled
|         // task->fpsimd_cpu is 0.
|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.
|
|         ...
|
|         // Preempted; migrated from CPU 0 to CPU 1.
|         // TIF_FOREIGN_FPSTATE is set.
|
|         get_cpu_fpsimd_context();
|
|         if (test_and_set_thread_flag(TIF_SVE))
|                 WARN_ON(1); /* SVE access shouldn't have trapped */
|
|         sve_init_regs() {
|                 if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
|                         ...
|                 } else {
|                         fpsimd_to_sve(current);
|                         current->thread.fp_type = FP_STATE_SVE;
|                 }
|         }
|
|         put_cpu_fpsimd_context();
|
|         // Preempted; migrated from CPU 1 to CPU 0.
|         // task->fpsimd_cpu is still 0
|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
|         // - Stale HW state is reused (with SVE traps enabled)
|         // - TIF_FOREIGN_FPSTATE is cleared
|         // - A return to userspace skips HW state restore
| }

Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
by calling fpsimd_flush_task_state() to detach from the saved CPU
state. This ensures that a subsequent context switch will not reuse the
stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
new state to be reloaded from memory prior to a return to userspace.
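The race above hinges on the context-switch "is the CPU state live?" check (per-CPU owner pointer plus the task's last CPU) being fooled after a migrate-and-return. The following is an added, simplified userspace model of that bookkeeping, not kernel code: it replays the trace with and without the fpsimd_flush_task_state() call the fix adds, using constructed flags and per-CPU arrays that stand in for the kernel's thread_info and fpsimd_last_state.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model only (added example, not kernel code): the fields the race touches. */
#define NR_CPUS 2
struct task { bool tif_sve, tif_foreign_fpstate; int fpsimd_cpu; };

static struct task *fpsimd_last_state[NR_CPUS]; /* task whose regs are live on CPU */
static bool hw_sve_loaded[NR_CPUS];             /* constructed: SVE regs actually live? */

/* Model of fpsimd_flush_task_state(): detach the task from every CPU's live
 * state so a later switch-in cannot treat the registers as current. */
static void model_flush_task_state(struct task *t) { t->fpsimd_cpu = NR_CPUS; }

/* Model of the context-switch check from the trace: state is live for t only
 * if this CPU last held t's registers AND t last ran here; else mark foreign. */
static void model_switch_in(struct task *t, int cpu) {
    bool live = fpsimd_last_state[cpu] == t && t->fpsimd_cpu == cpu;
    t->tif_foreign_fpstate = !live;
}

/* Model of return-to-userspace: registers are reloaded from memory only when
 * TIF_FOREIGN_FPSTATE is set; otherwise whatever is in hardware is trusted. */
static void model_return_to_user(struct task *t, int cpu) {
    if (!t->tif_foreign_fpstate) return;
    hw_sve_loaded[cpu] = t->tif_sve;
    fpsimd_last_state[cpu] = t;
    t->fpsimd_cpu = cpu;
    t->tif_foreign_fpstate = false;
}

/* Replays the trace in the description. Returns true when the task reaches
 * userspace with TIF_SVE set while CPU 0 holds no SVE state (the bug). */
bool sve_trap_race_is_stale(bool with_fix) {
    struct task task = { false, false, 0 };
    for (int c = 0; c < NR_CPUS; c++) { fpsimd_last_state[c] = NULL; hw_sve_loaded[c] = false; }
    fpsimd_last_state[0] = &task;   /* task's FPSIMD state was live on CPU 0 */
    /* SVE trap on CPU 0 with TIF_SVE clear; preempted, migrated to CPU 1 */
    model_switch_in(&task, 1);      /* sets TIF_FOREIGN_FPSTATE */
    /* do_sve_acc() on CPU 1: TIF_SVE set, foreign branch converts memory copy */
    task.tif_sve = true;
    if (with_fix) model_flush_task_state(&task);
    /* preempted again, migrated from CPU 1 back to CPU 0 */
    model_switch_in(&task, 0);
    model_return_to_user(&task, 0);
    return task.tif_sve && !hw_sve_loaded[0];
}
```

Without the flush the second switch-in sees the old owner pointer and fpsimd_cpu == 0, clears TIF_FOREIGN_FPSTATE and skips the restore; with it, fpsimd_cpu no longer matches, so the state is marked foreign and reloaded.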

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.13 (including) | 6.6.61 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*