{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38170","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.991Z","datePublished":"2025-07-03T08:36:09.012Z","dateUpdated":"2026-05-11T21:22:36.924Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:22:36.924Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Discard stale CPU state when handling SME traps\n\nThe logic for handling SME traps manipulates saved FPSIMD/SVE/SME state\nincorrectly, and a race with preemption can result in a task having\nTIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SME traps enabled). This can result in warnings from\ndo_sme_acc() where SME traps are not expected while TIF_SME is set:\n\n| /* With TIF_SME userspace shouldn't generate any traps */\n| if (test_and_set_thread_flag(TIF_SME))\n| WARN_ON(1);\n\nThis is very similar to the SVE issue we fixed in commit:\n\n 751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")\n\nThe race can occur when the SME trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE/SME state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sme_acc(unsigned long esr, struct pt_regs *regs)\n| {\n| // Trap on CPU 0 with TIF_SME clear, SME traps enabled\n| // task->fpsimd_cpu is 0.\n| // per_cpu_ptr(&fpsimd_last_state, 0) is task.\n|\n| ...\n|\n| // Preempted; migrated from CPU 0 to CPU 1.\n| // TIF_FOREIGN_FPSTATE is set.\n|\n| get_cpu_fpsimd_context();\n|\n| /* With TIF_SME userspace shouldn't generate any traps */\n| if (test_and_set_thread_flag(TIF_SME))\n| WARN_ON(1);\n|\n| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n| unsigned long vq_minus_one =\n| sve_vq_from_vl(task_get_sme_vl(current)) - 1;\n| sme_set_vq(vq_minus_one);\n|\n| fpsimd_bind_task_to_cpu();\n| }\n|\n| put_cpu_fpsimd_context();\n|\n| // Preempted; migrated from CPU 1 to CPU 0.\n| // task->fpsimd_cpu is still 0\n| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:\n| // - Stale HW state is reused (with SME traps enabled)\n| // - TIF_FOREIGN_FPSTATE is cleared\n| // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.\n\nNote: this was originallly posted as [1].\n\n[ Rutland: rewrite commit message ]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/kernel/fpsimd.c"],"versions":[{"version":"8bd7f91c03d886f41d35f6108078d20be5a4a1bd","lessThan":"de89368de3894a8db27caeb8fd902ba1c49f696a","status":"affected","versionType":"git"},{"version":"8bd7f91c03d886f41d35f6108078d20be5a4a1bd","lessThan":"43be952e885476dafb74aa832c0847b2f4f650c6","status":"affected","versionType":"git"},{"version":"8bd7f91c03d886f41d35f6108078d20be5a4a1bd","lessThan":"6103f9ba51a59afb5a0f32299c837377c5a5a693","status":"affected","versionType":"git"},{"version":"8bd7f91c03d886f41d35f6108078d20be5a4a1bd","lessThan":"c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3","status":"affected","versionType":"git"},{"version":"8bd7f91c03d886f41d35f6108078d20be5a4a1bd","lessThan":"d3eaab3c70905c5467e5c4ea403053d67505adeb","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/kernel/fpsimd.c"],"versions":[{"version":"5.19","status":"affected"},{"version":"0","lessThan":"5.19","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.94","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.34","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.3","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.6.94"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.12.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.15.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/de89368de3894a8db27caeb8fd902ba1c49f696a"},{"url":"https://git.kernel.org/stable/c/43be952e885476dafb74aa832c0847b2f4f650c6"},{"url":"https://git.kernel.org/stable/c/6103f9ba51a59afb5a0f32299c837377c5a5a693"},{"url":"https://git.kernel.org/stable/c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3"},{"url":"https://git.kernel.org/stable/c/d3eaab3c70905c5467e5c4ea403053d67505adeb"}],"title":"arm64/fpsimd: Discard stale CPU state when handling SME traps","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:34:57.733Z"}}]}}