CVE-2025-22013

Summary

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state

There are several problems with the way hyp code lazily saves the host's FPSIMD/SVE state, including:

  • Host SVE being discarded unexpectedly due to inconsistent configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to result in QEMU crashes where SVE is used by memmove(), as reported by Eric Auger:

    https://issues.redhat.com/browse/RHEL-68997

  • Host SVE state is discarded after modification by ptrace, which was an unintentional ptrace ABI change introduced with lazy discarding of SVE state.

  • The host FPMR value can be discarded when running a non-protected VM, where FPMR support is not exposed to a VM, and that VM uses FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR before unbinding the host's FPSIMD/SVE/SME state, leaving a stale value in memory.

Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME state when loading a vCPU such that KVM does not need to save any of the host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is removed and the necessary call to fpsimd_save_and_flush_cpu_state() is placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr' should not be used, they are set to NULL; all uses of these will be removed in subsequent patches.

Historical problems go back at least as far as v5.17, e.g. erroneous assumptions about TIF_SVE being clear in commit:

8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving")

… and so this eager save+flush probably needs to be backported to ALL stable trees.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc4ab60a86c5ed7c0d727c6dc8cec352e16bc7f90 < 5289ac43b69c61a49c75720921f2008005a31c43affected
LinuxLinuxd5f7d3833b534f9e43e548461dba1e60aa82f587 < 04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82eaffected
LinuxLinux93ae6b01bafee8fa385aa25ee7ebdb40057f6abe < 806d5c1e1d2e5502175a24bf70f251648d99c36aaffected
LinuxLinux93ae6b01bafee8fa385aa25ee7ebdb40057f6abe < 79e140bba70bcacc5fe15bf8c0b958793fd7d56faffected
LinuxLinux93ae6b01bafee8fa385aa25ee7ebdb40057f6abe < 900b444be493b7f404898c785d6605b177a093d0affected
LinuxLinux93ae6b01bafee8fa385aa25ee7ebdb40057f6abe < fbc7e61195e23f744814e78524b73b59faa54ab4affected
LinuxLinux6.2affected
LinuxLinux0 < 6.2unaffected
LinuxLinux6.6.85 <= 6.6.*unaffected
LinuxLinux6.12.21 <= 6.12.*unaffected
LinuxLinux6.13.9 <= 6.13.*unaffected
LinuxLinux6.14 <= *unaffected

Weaknesses

References