Status: Fixed
Created: Oct 22, 2025
Updated: Oct 26, 2025
Resolved Date: Oct 26, 2025
Found In Version: 10.23.30.1
Fix Version: 10.23.30.2
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
                        
In the Linux kernel, the following vulnerability has been resolved:

arm64: sme: Use STR P to clear FFR context field in streaming SVE mode

The FFR is a predicate register which can vary between 16 and 256 bits
in size depending upon the configured vector length. When saving the
SVE state in streaming SVE mode, the FFR register is inaccessible and
so commit 9f5848665788 ("arm64/sve: Make access to FFR optional") simply
clears the FFR field of the in-memory context structure. Unfortunately,
it achieves this using an unconditional 8-byte store and so if the SME
vector length is anything other than 64 bytes in size we will either
fail to clear the entire field or, worse, we will corrupt memory
immediately following the structure. This has led to intermittent kfence
splats in CI [1] and can trigger kmalloc Redzone corruption messages
when running the 'fp-stress' kselftest:

  | =============================================================================
  | BUG kmalloc-1k (Not tainted): kmalloc Redzone overwritten
  | -----------------------------------------------------------------------------
  |
  | 0xffff000809bf1e22-0xffff000809bf1e27 @offset=7714. First byte 0x0 instead of 0xcc
  | Allocated in do_sme_acc+0x9c/0x220 age=2613 cpu=1 pid=531
  |  __kmalloc+0x8c/0xcc
  |  do_sme_acc+0x9c/0x220
  |  ...

Replace the 8-byte store with a store of a predicate register which has
been zero-initialised with PFALSE, ensuring that the entire field is
cleared in memory.

[1] https://lore.kernel.org/r/CA+G9fYtU7HsV0R0dp4XEH5xXHSJFw8KyDf5VQrLLfMxWfxQkag@mail.gmail.com
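The size mismatch the commit message describes, modelled in user space as an added example (this is not the kernel's code nor the fix): a predicate register such as FFR is VL/8 bytes wide, so a fixed 8-byte clearing store covers the field exactly only when the vector length is 64 bytes. The poisoned redzone, the set of vector lengths tried and the result codes are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: SVE/SME vector length (VL) in bytes runs from 16 to 256;
 * predicate registers, FFR included, are VL/8 bytes (16 to 256 bits). */
#define VL_MIN  16
#define VL_MAX  256
#define REDZONE 8      /* bytes right after the FFR field, stands in for the slab redzone */
#define POISON  0xcc   /* same poison value the kmalloc redzone report above shows */

static size_t ffr_bytes(size_t vl) { return vl / 8; }

enum clear_result { CLEAR_OK = 0, CLEAR_PARTIAL = 1, CLEAR_OVERRUN = 2 };

/* Simulate clearing the FFR field with a store of store_bytes bytes and
 * report whether the field ended up fully cleared without touching the
 * memory that follows it. */
static enum clear_result check_clear(size_t vl, size_t store_bytes)
{
    size_t ffr = ffr_bytes(vl);
    uint8_t buf[VL_MAX / 8 + REDZONE];

    memset(buf, POISON, sizeof buf);   /* field starts dirty, redzone poisoned */
    memset(buf, 0, store_bytes);       /* the clearing store under test */

    for (size_t i = ffr; i < ffr + REDZONE; i++)
        if (buf[i] != POISON)
            return CLEAR_OVERRUN;      /* wrote past the field: redzone corruption */
    for (size_t i = 0; i < ffr; i++)
        if (buf[i] != 0)
            return CLEAR_PARTIAL;      /* stale FFR bits survive in the context */
    return CLEAR_OK;
}

/* Pre-fix behaviour: an unconditional 8-byte store regardless of VL. */
static enum clear_result buggy_clear(size_t vl) { return check_clear(vl, 8); }

/* Post-fix behaviour: storing a zeroed predicate register writes exactly VL/8 bytes. */
static enum clear_result fixed_clear(size_t vl) { return check_clear(vl, ffr_bytes(vl)); }

int main(void)
{
    for (size_t vl = VL_MIN; vl <= VL_MAX; vl *= 2)
        printf("VL=%3zu bytes, FFR=%2zu bytes: 8-byte store -> %d, sized store -> %d\n",
               vl, ffr_bytes(vl), buggy_clear(vl), fixed_clear(vl));
    return 0;
}
```

Result codes: 0 is a clean clear, 1 means part of the field kept its old contents (VL above 64 bytes), 2 means the store ran into the redzone (VL below 64 bytes), which is the case the kfence splats in the report correspond to.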