cve/2024/CVE-2024-50275.md

2025-09-29 21:09:30 +02:00
### [CVE-2024-50275](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50275)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=5.13%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=cccb78ce89c45a4414db712be4986edfb92434bd%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)
### Description
In the Linux kernel, the following vulnerability has been resolved:

arm64/sve: Discard stale CPU state when handling SVE traps

The logic for handling SVE traps manipulates saved FPSIMD/SVE state incorrectly, and a race with preemption can result in a task having TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SVE traps enabled). This has been observed to result in warnings from do_sve_acc() where SVE traps are not expected while TIF_SVE is set:

```c
if (test_and_set_thread_flag(TIF_SVE))
	WARN_ON(1); /* SVE access shouldn't have trapped */
```

Warnings of this form have been reported intermittently, e.g.

- https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/
- https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/

The race can occur when the SVE trap handler is preempted before and after manipulating the saved FPSIMD/SVE state, starting and ending on the same CPU, e.g.

```c
void do_sve_acc(unsigned long esr, struct pt_regs *regs)
{
	// Trap on CPU 0 with TIF_SVE clear, SVE traps enabled
	// task->fpsimd_cpu is 0.
	// per_cpu_ptr(&fpsimd_last_state, 0) is task.

	...

	// Preempted; migrated from CPU 0 to CPU 1.
	// TIF_FOREIGN_FPSTATE is set.

	get_cpu_fpsimd_context();

	if (test_and_set_thread_flag(TIF_SVE))
		WARN_ON(1); /* SVE access shouldn't have trapped */

	sve_init_regs() {
		if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
			...
		} else {
			fpsimd_to_sve(current);
			current->thread.fp_type = FP_STATE_SVE;
		}
	}

	put_cpu_fpsimd_context();

	// Preempted; migrated from CPU 1 to CPU 0.
	// task->fpsimd_cpu is still 0
	// If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
	// - Stale HW state is reused (with SVE traps enabled)
	// - TIF_FOREIGN_FPSTATE is cleared
	// - A return to userspace skips HW state restore
}
```

Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/w4zu/Debian_security