{"id":"CVE-2024-50275","summary":"arm64/sve: Discard stale CPU state when handling SVE traps","details":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sve: Discard stale CPU state when handling SVE traps\n\nThe logic for handling SVE traps manipulates saved FPSIMD/SVE state\nincorrectly, and a race with preemption can result in a task having\nTIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SVE traps enabled). This has been observed to result\nin warnings from do_sve_acc() where SVE traps are not expected while\nTIF_SVE is set:\n\n|         if (test_and_set_thread_flag(TIF_SVE))\n|                 WARN_ON(1); /* SVE access shouldn't have trapped */\n\nWarnings of this form have been reported intermittently, e.g.\n\n  https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/\n  https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/\n\nThe race can occur when the SVE trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sve_acc(unsigned long esr, struct pt_regs *regs)\n| {\n|         // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled\n|         // task-\u003efpsimd_cpu is 0.\n|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.\n|\n|         ...\n|\n|         // Preempted; migrated from CPU 0 to CPU 1.\n|         // TIF_FOREIGN_FPSTATE is set.\n|\n|         get_cpu_fpsimd_context();\n|\n|         if (test_and_set_thread_flag(TIF_SVE))\n|                 WARN_ON(1); /* SVE access shouldn't have trapped */\n|\n|         sve_init_regs() {\n|                 if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n|                         ...\n|                 } else {\n|                         fpsimd_to_sve(current);\n|                         current-\u003ethread.fp_type = FP_STATE_SVE;\n|                 }\n|         }\n|\n|         put_cpu_fpsimd_context();\n|\n|         // Preempted; migrated from CPU 1 to CPU 0.\n|         // task-\u003efpsimd_cpu is still 0\n|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:\n|         // - Stale HW state is reused (with SVE traps enabled)\n|         // - TIF_FOREIGN_FPSTATE is cleared\n|         // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.","modified":"2026-03-20T12:39:40.866126Z","published":"2024-11-19T01:30:15.293Z","related":["ALSA-2025:0578","ALSA-2025:1067","ALSA-2025:1068","SUSE-SU-2024:4314-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:0556-1","SUSE-SU-2025:0577-1","SUSE-SU-2025:0577-2","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","USN-7276-1","USN-7277-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50275.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/51d11ea0250d6ee461987403bbfd4b2abb5613a7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/51d3d80a6dc314982a9a0aeb0961085922a1aa15"},{"type":"WEB","url":"https://git.kernel.org/stable/c/751ecf6afd6568adc98f2a6052315552c0483d18"},{"type":"WEB","url":"https://git.kernel.org/stable/c/de529504b3274d57caf8f66800b714b0d3ee235a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fa9ce027b3ce37a2bb173bf2553b5caa438fd8c9"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50275.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50275"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cccb78ce89c45a4414db712be4986edfb92434bd"},{"fixed":"51d3d80a6dc314982a9a0aeb0961085922a1aa15"},{"fixed":"de529504b3274d57caf8f66800b714b0d3ee235a"},{"fixed":"51d11ea0250d6ee461987403bbfd4b2abb5613a7"},{"fixed":"fa9ce027b3ce37a2bb173bf2553b5caa438fd8c9"},{"fixed":"751ecf6afd6568adc98f2a6052315552c0483d18"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50275.json"}}],"schema_version":"1.7.5"}