Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's arm64 handling of Scalable Matrix Extension (SME) traps can leave a task's saved FPSIMD, SVE, and SME state managed incorrectly. The issue is a race with preemption: a task can end up with TIF_SME set while TIF_FOREIGN_FPSTATE is clear, even though the live CPU state is stale. This can trigger an unexpected warning in do_sme_acc(), which is not expected to fire while TIF_SME is set. The flaw is specific to the arm64 architecture and affects several versions of the Linux kernel.
Exploitation of this vulnerability can cause the system to reuse stale hardware state with SME traps enabled, leading to incorrect trap handling and potential disruption of normal task execution.
The vulnerability can be reproduced by enabling SME traps on a task and then preempting the SME trap handler. Because the saved FPSIMD, SVE, and SME states are manipulated while the task may migrate between CPUs, a task that returns to a CPU where the saved state is still linked to it will have that stale state applied with SME traps still active, a mismatch that the kernel's trap handling does not expect.
The vulnerability has been addressed by updating the SME trap handling logic to discard stale CPU states. This fix ensures that a task detaches from outdated saved states before a context switch, preventing the reuse of stale information and maintaining proper trap management.