CVE-2026-23107

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA<br /> <br /> The code to restore a ZA context doesn&amp;#39;t attempt to allocate the task&amp;#39;s<br /> sve_state before setting TIF_SME. Consequently, restoring a ZA context<br /> can place a task into an invalid state where TIF_SME is set but the<br /> task&amp;#39;s sve_state is NULL.<br /> <br /> In legitimate but uncommon cases where the ZA signal context was NOT<br /> created by the kernel in the context of the same task (e.g. if the task<br /> is saved/restored with something like CRIU), we have no guarantee that<br /> sve_state had been allocated previously. In these cases, userspace can<br /> enter streaming mode without trapping while sve_state is NULL, causing a<br /> later NULL pointer dereference when the kernel attempts to store the<br /> register state:<br /> <br /> | # ./sigreturn-za<br /> | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000<br /> | Mem abort info:<br /> | ESR = 0x0000000096000046<br /> | EC = 0x25: DABT (current EL), IL = 32 bits<br /> | SET = 0, FnV = 0<br /> | EA = 0, S1PTW = 0<br /> | FSC = 0x06: level 2 translation fault<br /> | Data abort info:<br /> | ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000<br /> | CM = 0, WnR = 1, TnD = 0, TagAccess = 0<br /> | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> | user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00<br /> | [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000<br /> | Internal error: Oops: 0000000096000046 [#1] SMP<br /> | Modules linked in:<br /> | CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT<br /> | Hardware name: linux,dummy-virt (DT)<br /> | pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)<br /> | pc : sve_save_state+0x4/0xf0<br /> | lr : fpsimd_save_user_state+0xb0/0x1c0<br /> | sp : ffff80008070bcc0<br /> | x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658<br /> | x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000<br /> | x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40<br /> | x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000<br /> | x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c<br /> | x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020<br /> | x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0<br /> | x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48<br /> | x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000<br /> | x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440<br /> | Call trace:<br /> | sve_save_state+0x4/0xf0 (P)<br /> | fpsimd_thread_switch+0x48/0x198<br /> | __switch_to+0x20/0x1c0<br /> | __schedule+0x36c/0xce0<br /> | schedule+0x34/0x11c<br /> | exit_to_user_mode_loop+0x124/0x188<br /> | el0_interrupt+0xc8/0xd8<br /> | __el0_irq_handler_common+0x18/0x24<br /> | el0t_64_irq_handler+0x10/0x1c<br /> | el0t_64_irq+0x198/0x19c<br /> | Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)<br /> | ---[ end trace 0000000000000000 ]---<br /> <br /> Fix this by having restore_za_context() ensure that the task&amp;#39;s sve_state<br /> is allocated, matching what we do when taking an SME trap. Any live<br /> SVE/SSVE state (which is restored earlier from a separate signal<br /> context) must be preserved, and hence this is not zeroed.