{"id":"AZL-64625","summary":"CVE-2025-38170 affecting package kernel for versions less than 6.6.96.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Discard stale CPU state when handling SME traps\n\nThe logic for handling SME traps manipulates saved FPSIMD/SVE/SME state\nincorrectly, and a race with preemption can result in a task having\nTIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SME traps enabled). This can result in warnings from\ndo_sme_acc() where SME traps are not expected while TIF_SME is set:\n\n|        /* With TIF_SME userspace shouldn't generate any traps */\n|        if (test_and_set_thread_flag(TIF_SME))\n|                WARN_ON(1);\n\nThis is very similar to the SVE issue we fixed in commit:\n\n  751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")\n\nThe race can occur when the SME trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE/SME state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sme_acc(unsigned long esr, struct pt_regs *regs)\n| {\n|         // Trap on CPU 0 with TIF_SME clear, SME traps enabled\n|         // task-\u003efpsimd_cpu is 0.\n|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.\n|\n|         ...\n|\n|         // Preempted; migrated from CPU 0 to CPU 1.\n|         // TIF_FOREIGN_FPSTATE is set.\n|\n|         get_cpu_fpsimd_context();\n|\n|         /* With TIF_SME userspace shouldn't generate any traps */\n|         if (test_and_set_thread_flag(TIF_SME))\n|                 WARN_ON(1);\n|\n|         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n|                 unsigned long vq_minus_one =\n|                         sve_vq_from_vl(task_get_sme_vl(current)) - 1;\n|                 sme_set_vq(vq_minus_one);\n|\n|                 fpsimd_bind_task_to_cpu();\n|         }\n|\n|         put_cpu_fpsimd_context();\n|\n|         // Preempted; migrated from CPU 1 to CPU 0.\n|         // task-\u003efpsimd_cpu is still 0\n|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:\n|         // - Stale HW state is reused (with SME traps enabled)\n|         // - TIF_FOREIGN_FPSTATE is cleared\n|         // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.\n\nNote: this was originallly posted as [1].\n\n[ Rutland: rewrite commit message ]","modified":"2026-04-01T05:04:46.117255Z","published":"2025-07-03T09:15:32Z","upstream":["CVE-2025-38170"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38170"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.96.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64625.json"}}],"schema_version":"1.7.5"}