CVE-2025-22048

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> LoongArch: BPF: Don&amp;#39;t override subprog&amp;#39;s return value<br /> <br /> The verifier test `calls: div by 0 in subprog` triggers a panic at the<br /> ld.bu instruction. The ld.bu insn is trying to load byte from memory<br /> address returned by the subprog. The subprog actually set the correct<br /> address at the a5 register (dedicated register for BPF return values).<br /> But at commit 73c359d1d356 ("LoongArch: BPF: Sign-extend return values")<br /> we also sign extended a5 to the a0 register (return value in LoongArch).<br /> For function call insn, we later propagate the a0 register back to a5<br /> register. This is right for native calls but wrong for bpf2bpf calls<br /> which expect zero-extended return value in a5 register. So only move a0<br /> to a5 for native calls (i.e. non-BPF_PSEUDO_CALL).