In the Linux kernel, the following vulnerability has been resolved:
arm64/fpsimd: Discard stale CPU state when handling SME traps
The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIFSME set and TIFFOREIGNFPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from dosmeacc() where SME traps are not expected while TIFSME is set:
| /* With TIFSME userspace shouldn't generate any traps */ | if (testandsetthreadflag(TIFSME)) | WARN_ON(1);
This is very similar to the SVE issue we fixed in commit:
751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps")
The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g.
| void dosmeacc(unsigned long esr, struct ptregs *regs) | { | // Trap on CPU 0 with TIFSME clear, SME traps enabled | // task->fpsimdcpu is 0. | // percpuptr(&fpsimdlaststate, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIFFOREIGNFPSTATE is set. | | getcpufpsimdcontext(); | | /* With TIFSME userspace shouldn't generate any traps */ | if (testandsetthreadflag(TIFSME)) | WARNON(1); | | if (!testthreadflag(TIFFOREIGNFPSTATE)) { | unsigned long vqminusone = | svevqfromvl(taskgetsmevl(current)) - 1; | smesetvq(vqminusone); | | fpsimdbindtasktocpu(); | } | | putcpufpsimdcontext(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimdcpu is still 0 | // If percpuptr(&fpsimdlaststate, 0) is still task then: | // - Stale HW state is reused (with SME traps enabled) | // - TIFFOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | }
Fix the case where the state is not live and TIFFOREIGNFPSTATE is set by calling fpsimdflushtaskstate() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIFFOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.
Note: this was originallly posted as [1].
[ Rutland: rewrite commit message ]