CVE-2025-22013

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state<br /> <br /> There are several problems with the way hyp code lazily saves the host&amp;#39;s<br /> FPSIMD/SVE state, including:<br /> <br /> * Host SVE being discarded unexpectedly due to inconsistent<br /> configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to<br /> result in QEMU crashes where SVE is used by memmove(), as reported by<br /> Eric Auger:<br /> <br /> https://issues.redhat.com/browse/RHEL-68997<br /> <br /> * Host SVE state is discarded *after* modification by ptrace, which was an<br /> unintentional ptrace ABI change introduced with lazy discarding of SVE state.<br /> <br /> * The host FPMR value can be discarded when running a non-protected VM,<br /> where FPMR support is not exposed to a VM, and that VM uses<br /> FPSIMD/SVE. In these cases the hyp code does not save the host&amp;#39;s FPMR<br /> before unbinding the host&amp;#39;s FPSIMD/SVE/SME state, leaving a stale<br /> value in memory.<br /> <br /> Avoid these by eagerly saving and "flushing" the host&amp;#39;s FPSIMD/SVE/SME<br /> state when loading a vCPU such that KVM does not need to save any of the<br /> host&amp;#39;s FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is<br /> removed and the necessary call to fpsimd_save_and_flush_cpu_state() is<br /> placed in kvm_arch_vcpu_load_fp(). As &amp;#39;fpsimd_state&amp;#39; and &amp;#39;fpmr_ptr&amp;#39;<br /> should not be used, they are set to NULL; all uses of these will be<br /> removed in subsequent patches.<br /> <br /> Historical problems go back at least as far as v5.17, e.g. erroneous<br /> assumptions about TIF_SVE being clear in commit:<br /> <br /> 8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving")<br /> <br /> ... and so this eager save+flush probably needs to be backported to ALL<br /> stable trees.