Wind River Support Network

Fixed

LIN1024-10153 : Security Advisory - linux - CVE-2025-38170

Created: Jul 4, 2025    Updated: Jul 14, 2025
Resolved Date: Jul 10, 2025
Found In Version: 10.24.33.1
Fix Version: 10.24.33.11
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

arm64/fpsimd: Discard stale CPU state when handling SME traps

The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state
incorrectly, and a race with preemption can result in a task having
TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
is stale (e.g. with SME traps enabled). This can result in warnings from
do_sme_acc() where SME traps are not expected while TIF_SME is set:

|        /* With TIF_SME userspace shouldn't generate any traps */
|        if (test_and_set_thread_flag(TIF_SME))
|                WARN_ON(1);

This is very similar to the SVE issue we fixed in commit:

  751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps")

The race can occur when the SME trap handler is preempted before and
after manipulating the saved FPSIMD/SVE/SME state, starting and ending on
the same CPU, e.g.

| void do_sme_acc(unsigned long esr, struct pt_regs *regs)
| {
|         // Trap on CPU 0 with TIF_SME clear, SME traps enabled
|         // task->fpsimd_cpu is 0.
|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.
|
|         ...
|
|         // Preempted; migrated from CPU 0 to CPU 1.
|         // TIF_FOREIGN_FPSTATE is set.
|
|         get_cpu_fpsimd_context();
|
|         /* With TIF_SME userspace shouldn't generate any traps */
|         if (test_and_set_thread_flag(TIF_SME))
|                 WARN_ON(1);
|
|         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
|                 unsigned long vq_minus_one =
|                         sve_vq_from_vl(task_get_sme_vl(current)) - 1;
|                 sme_set_vq(vq_minus_one);
|
|                 fpsimd_bind_task_to_cpu();
|         }
|
|         put_cpu_fpsimd_context();
|
|         // Preempted; migrated from CPU 1 to CPU 0.
|         // task->fpsimd_cpu is still 0
|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
|         // - Stale HW state is reused (with SME traps enabled)
|         // - TIF_FOREIGN_FPSTATE is cleared
|         // - A return to userspace skips HW state restore
| }

Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
by calling fpsimd_flush_task_state() to detach from the saved CPU
state. This ensures that a subsequent context switch will not reuse the
stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
new state to be reloaded from memory prior to a return to userspace.

Note: this was originally posted as [1].

[ Rutland: rewrite commit message ]
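The race above, as an added userspace model that is not part of the advisory or of the kernel source: it reuses the kernel's names for the flags and helpers, but the per-CPU owner table, the single "SME traps enabled" bit and the switch-in rule (state is live only if this CPU's fpsimd_last_state points at the task and task->fpsimd_cpu is this CPU) are simplified assumptions. It walks the trap handler through the two migrations and reports whether the return to userspace would skip the restore while the hardware state is stale, once without and once with the fpsimd_flush_task_state() fix.

```c
/* Model of the do_sme_acc() preemption race (added example, not kernel code). */
#include <stdbool.h>
#include <stdio.h>

#define NR_CPUS 2
enum { TIF_SME = 1, TIF_FOREIGN_FPSTATE = 2 };

struct task { unsigned flags; int fpsimd_cpu; };
static struct task *fpsimd_last_state[NR_CPUS]; /* per-CPU: task whose state is in HW */
static bool hw_sme_traps_enabled;                /* modelled CPU 0 register state */

/* fpsimd_thread_switch() rule: live state <=> same task AND same CPU. */
static void switch_in(struct task *t, int cpu) {
    bool live = fpsimd_last_state[cpu] == t && t->fpsimd_cpu == cpu;
    if (live) t->flags &= ~TIF_FOREIGN_FPSTATE;
    else      t->flags |=  TIF_FOREIGN_FPSTATE;
}
static void fpsimd_bind_task_to_cpu(struct task *t, int cpu) {
    fpsimd_last_state[cpu] = t; t->fpsimd_cpu = cpu; hw_sme_traps_enabled = false;
}
static void fpsimd_flush_task_state(struct task *t) {   /* detach from saved CPU state */
    t->fpsimd_cpu = NR_CPUS; t->flags |= TIF_FOREIGN_FPSTATE;
}
/* Handler body as run after the first migration; `fixed` adds the else branch. */
static void do_sme_acc_after_migration(struct task *t, int cpu, bool fixed) {
    t->flags |= TIF_SME;                          /* test_and_set_thread_flag(TIF_SME) */
    if (!(t->flags & TIF_FOREIGN_FPSTATE)) fpsimd_bind_task_to_cpu(t, cpu);
    else if (fixed) fpsimd_flush_task_state(t);
}
/* True if the return to userspace runs with TIF_SME set, TIF_FOREIGN_FPSTATE
 * clear (restore skipped) and SME traps still enabled in hardware. */
bool stale_state_reused(bool fixed) {
    struct task t = { .flags = 0, .fpsimd_cpu = 0 };   /* constructed initial state */
    fpsimd_last_state[0] = &t; fpsimd_last_state[1] = NULL;
    hw_sme_traps_enabled = true;            /* trap on CPU 0: SME not yet configured */
    switch_in(&t, 1);                       /* preempted; migrated CPU 0 -> CPU 1 */
    do_sme_acc_after_migration(&t, 1, fixed);
    switch_in(&t, 0);                       /* preempted; migrated CPU 1 -> CPU 0 */
    bool skips_restore = !(t.flags & TIF_FOREIGN_FPSTATE);
    return (t.flags & TIF_SME) && skips_restore && hw_sme_traps_enabled;
}
int main(void) {
    printf("without fix: stale state reused = %d\n", stale_state_reused(false)); /* 1 */
    printf("with fix:    stale state reused = %d\n", stale_state_reused(true));  /* 0 */
    return 0;
}
```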

CREATE(Triage): (User=lchen-cn) CVE-2025-38170 (https://nvd.nist.gov/vuln/detail/CVE-2025-38170)
