From: Breno Leitao
Date: Tue, 05 May 2026 09:02:13 -0700
Subject: [PATCH] arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's
Message-Id: <20260505-fix_ptrace-v1-1-36ac1f6d0bfb@debian.org>
To: Oleg Nesterov, Catalin Marinas, Will Deacon, Mark Rutland
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, kernel-team@meta.com, Breno Leitao

sve_set_common() is the backend for PTRACE_SETREGSET(NT_ARM_SVE) and
PTRACE_SETREGSET(NT_ARM_SSVE). Every write in the function operates on
the tracee (target) - except a single memset that uses current instead,
zeroing the tracer's saved V0-V31 / FPSR / FPCR shadow on every ptrace
SETREGSET call.

The memset is meant to give the tracee a defined zero register image
before the user-supplied payload is copied in (for partial writes,
header-only writes, and FPSIMD<->SVE format switches). Aiming it at
current both denies the tracee that clean slate and silently corrupts
the tracer.

Due to FPSIMD lazy save/restore the wipe only takes effect when the
tracer's CPU FPSIMD binding is dropped after the memset; the next return
to userspace then reloads V0-V31, FPSR and FPCR as zero. No signal is
raised and ptrace() returns success.

Reproducible on an arm64 kernel with SVE: a single-threaded tracer that
loads a known pattern into V0-V31, issues PTRACE_SETREGSET(NT_ARM_SVE)
on a child, and reads V0-V31 back observes them all zeroed within tens
of thousands of iterations when a sibling thread keeps stealing the
FPSIMD CPU binding.

Fixes: 316283f276eb ("arm64/fpsimd: ptrace: Consistently handle partial writes to NT_ARM_(S)SVE")
Signed-off-by: Breno Leitao
Acked-by: Mark Rutland
---
 arch/arm64/kernel/ptrace.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index ba5eab23fd900..4d08598e2891d 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -983,8 +983,8 @@ static int sve_set_common(struct task_struct *target,
 	}
 
 	/* Always zero V regs, FPSR, and FPCR */
-	memset(&current->thread.uw.fpsimd_state, 0,
-	       sizeof(current->thread.uw.fpsimd_state));
+	memset(&target->thread.uw.fpsimd_state, 0,
+	       sizeof(target->thread.uw.fpsimd_state));
 
 	/* Registers: FPSIMD-only case */
 

---
base-commit: 9d0d467c3572e93c5faa2e5906a8bbcd70b24efd
change-id: 20260505-fix_ptrace-1bcad595c09e

Best regards,
-- 
Breno Leitao
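Review bot: The unchanged comment "/* Always zero V regs, FPSR, and FPCR */" directly above the changed memset still does not say whose registers are being zeroed, which is exactly the ambiguity that let current slip in here; consider amending it to something like "/* Always zero the target's V regs, FPSR, and FPCR before copying in the user payload */" so the intent stated in the commit message (a defined zero image for the tracee ahead of partial, header-only and format-switching writes) is visible at the call site rather than only in the changelog. The two-line change itself is consistent with the hunk header, where the function signature is sve_set_common(struct task_struct *target, ...), so target is the object every other write in this function operates on and no further adjustment is needed.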