From nobody Thu Apr  9 17:49:53 2026
Received: from m16.mail.163.com (m16.mail.163.com [220.197.31.4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 18681373C07;
	Tue,  3 Mar 2026 01:51:27 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=220.197.31.4
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1772502690; cv=none;
 b=JCCl4DW2W/tr+CVbO84Zj9s6ZQOOKHzPCzJjHb1KBF7/HsECiopLsVtzTOhlWWc2fVFNVD4jMWF7rUE10U0/oW6Kvo12m4JsevKeYAd7wgH6FB30bCN4kNjI429/ncins7QA7x8JYUARRgrL/6vpK2D4a6nZ33j7FXYOvc0NOVU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1772502690; c=relaxed/simple;
	bh=ADUESCLJaX4eiR/SFBXL5hM188k4g7qBP6XOzvTrKvc=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=uR5RYb89ivxW+C5sGNSIYVmd44pAcX1Ztcu3pE5AQoGoFk7I8pJPgAOm844K8FFXQtzOmhvd/EikhnLR8Bro6rZTzPEjiRtlS14yjQUnh9j692XmdRHmWKk7SN6+vysooYWCUetARkH5U4Qnuw39KR2Lz9eBngYifKTcXh/E+LA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=163.com;
 spf=pass smtp.mailfrom=163.com;
 dkim=pass (1024-bit key) header.d=163.com header.i=@163.com
 header.b=aiJy2aeR; arc=none smtp.client-ip=220.197.31.4
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=163.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=163.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=163.com header.i=@163.com
 header.b="aiJy2aeR"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
	s=s110527; h=From:To:Subject:Date:Message-Id:MIME-Version; bh=LN
	TFCOu8QjlEE/BFJC2VrkXT/oeVq90OquaCypbjHZ0=; b=aiJy2aeRR2oIUj2hZB
	sWUZchjLaQr9X5GvVk2KURuBH8hA74eOdDIU6/JBjILxZC0Lkr8OHvn0pg2rU56d
	0Ic/dQWFd6Zf5/QAIWOhN02EVW7jazBu88ngtesl7M2cLVWBiKe4yLU9HJXTm1IY
	SadCSgvX81izjLtoBSxNJw1fI=
Received: from pek-lpg-core6.wrs.com (unknown [])
	by gzga-smtp-mtada-g1-3 (Coremail) with SMTP id
 _____wCnhCODPqZp1ezIOw--.34317S4;
	Tue, 03 Mar 2026 09:51:02 +0800 (CST)
From: Rahul Sharma <black.hawk@163.com>
To: gregkh@linuxfoundation.org,
	stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Mark Rutland <mark.rutland@arm.com>,
	Mark Brown <broonie@kernel.org>,
	Will Deacon <will@kernel.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Rahul Sharma <black.hawk@163.com>
Subject: [PATCH 6.12.y 2/2] arm64/fpsimd: signal: Fix restoration of SVE
 context
Date: Tue,  3 Mar 2026 09:50:47 +0800
Message-Id: <20260303015047.2014999-3-black.hawk@163.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260303015047.2014999-1-black.hawk@163.com>
References: <20260303015047.2014999-1-black.hawk@163.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-CM-TRANSID: _____wCnhCODPqZp1ezIOw--.34317S4
X-Coremail-Antispam: 1Uf129KBjvJXoW3JFyUtw1rKrW8tw4fGFWfZrb_yoW7tr43pr
	WfGry3Kr4DJF1Iyr1Sqw4q9F95G3s5Jr45Gr9xK34rCFy5Cr9Ygr47tFyjqF43CrZ5WF4j
	qrWjqFykWa1DKaDanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
	9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x0zMT5lUUUUUU=
X-CM-SenderInfo: 5eoduy4okd4yi6rwjhhfrp/xtbC3ga0TmmmPoYChwAA3Q
Content-Type: text/plain; charset="utf-8"

From: Mark Rutland <mark.rutland@arm.com>

[ Upstream commit d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 ]

When SME is supported, Restoring SVE signal context can go wrong in a
few ways, including placing the task into an invalid state where the
kernel may read from out-of-bounds memory (and may potentially take a
fatal fault) and/or may kill the task with a SIGKILL.

(1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into
    an invalid state where SVCR.SM is set (and sve_state is non-NULL)
    but TIF_SME is clear, consequently resuting in out-of-bounds memory
    reads and/or killing the task with SIGKILL.

    This can only occur in unusual (but legitimate) cases where the SVE
    signal context has either been modified by userspace or was saved in
    the context of another task (e.g. as with CRIU), as otherwise the
    presence of an SVE signal context with SVE_SIG_FLAG_SM implies that
    TIF_SME is already set.

    While in this state, task_fpsimd_load() will NOT configure SMCR_ELx
    (leaving some arbitrary value configured in hardware) before
    restoring SVCR and attempting to restore the streaming mode SVE
    registers from memory via sve_load_state(). As the value of
    SMCR_ELx.LEN may be larger than the task's streaming SVE vector
    length, this may read memory outside of the task's allocated
    sve_state, reading unrelated data and/or triggering a fault.

    While this can result in secrets being loaded into streaming SVE
    registers, these values are never exposed. As TIF_SME is clear,
    fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0
    accesses to streaming mode SVE registers, so these cannot be
    accessed directly at EL0. As fpsimd_save_user_state() verifies the
    live vector length before saving (S)SVE state to memory, no secret
    values can be saved back to memory (and hence cannot be observed via
    ptrace, signals, etc).

    When the live vector length doesn't match the expected vector length
    for the task, fpsimd_save_user_state() will send a fatal SIGKILL
    signal to the task. Hence the task may be killed after executing
    userspace for some period of time.

(2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the
    task's SVCR.SM. If SVCR.SM was set prior to restoring the context,
    then the task will be left in streaming mode unexpectedly, and some
    register state will be combined inconsistently, though the task will
    be left in legitimate state from the kernel's PoV.

    This can only occur in unusual (but legitimate) cases where ptrace
    has been used to set SVCR.SM after entry to the sigreturn syscall,
    as syscall entry clears SVCR.SM.

    In these cases, the the provided SVE register data will be loaded
    into the task's sve_state using the non-streaming SVE vector length
    and the FPSIMD registers will be merged into this using the
    streaming SVE vector length.

Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires
ensuring that the task's sme_state has been allocated, but as this could
contain live ZA state, it should not be zeroed. Fix (2) by clearing
SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear.

For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME,
and fp_type earlier, immediately after the allocation of
sve_state/sme_state, before the restore of the actual register state.
This makes it easier to ensure that these are always modified
consistently, even if a fault is taken while reading the register data
from the signal context. I do not expect any software to depend on the
exact state restored when a fault is taken while reading the context.

Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: <stable@vger.kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ The context change is due to the commit 929fa99b1215
("arm64/fpsimd: signal: Always save+flush state early")
and the commit be625d803c3b
("arm64/fpsimd: signal: Consistently read FPSIMD context")
in v6.16 which are irrelevant to the logic of this patch. ]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
---
 arch/arm64/kernel/signal.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index 2ff6af928426..65f4e5841ea8 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -452,6 +452,11 @@ static int restore_sve_fpsimd_context(struct user_ctxs=
 *user)
=20
 	fpsimd_flush_task_state(current);
 	/* From now, fpsimd_thread_switch() won't touch thread.sve_state */
+	if (sm) {
+		sme_alloc(current, false);
+		if (!current->thread.sme_state)
+			return -ENOMEM;
+	}
=20
 	sve_alloc(current, true);
 	if (!current->thread.sve_state) {
@@ -459,6 +464,16 @@ static int restore_sve_fpsimd_context(struct user_ctxs=
 *user)
 		return -ENOMEM;
 	}
=20
+	if (sm) {
+		current->thread.svcr |=3D SVCR_SM_MASK;
+		set_thread_flag(TIF_SME);
+	} else {
+		current->thread.svcr &=3D ~SVCR_SM_MASK;
+		set_thread_flag(TIF_SVE);
+	}
+
+	current->thread.fp_type =3D FP_STATE_SVE;
+
 	err =3D __copy_from_user(current->thread.sve_state,
 			       (char __user const *)user->sve +
 					SVE_SIG_REGS_OFFSET,
@@ -466,12 +481,6 @@ static int restore_sve_fpsimd_context(struct user_ctxs=
 *user)
 	if (err)
 		return -EFAULT;
=20
-	if (flags & SVE_SIG_FLAG_SM)
-		current->thread.svcr |=3D SVCR_SM_MASK;
-	else
-		set_thread_flag(TIF_SVE);
-	current->thread.fp_type =3D FP_STATE_SVE;
-
 fpsimd_only:
 	/* copy the FP and status/control registers */
 	/* restore_sigframe() already checked that user->fpsimd !=3D NULL. */
--=20
2.34.1