CVE-2025-38060
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
14/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: copy_verifier_state() should copy 'loop_entry' field

The bpf_verifier_state.loop_entry state should be copied by
copy_verifier_state(). Otherwise, .loop_entry values from unrelated
states would poison env->cur_state.

Additionally, env->stack should not contain any states with
.loop_entry != NULL. The states in env->stack are yet to be verified,
while .loop_entry is set for states that reached an equivalent state.
This means that env->cur_state->loop_entry should always be NULL after
pop_stack().

See the selftest in the next commit for an example of the program that
is not safe yet is accepted by verifier w/o this fix.

This change has some verification performance impact for selftests:

| File | Program | Insns (A) | Insns (B) | Insns (DIFF) | States (A) | States (B) | States (DIFF) |
|---|---|---|---|---|---|---|---|
| arena_htab.bpf.o | arena_htab_llvm | 717 | 426 | -291 (-40.59%) | 57 | 37 | -20 (-35.09%) |
| arena_htab_asm.bpf.o | arena_htab_asm | 597 | 445 | -152 (-25.46%) | 47 | 37 | -10 (-21.28%) |
| arena_list.bpf.o | arena_list_del | 309 | 279 | -30 (-9.71%) | 23 | 14 | -9 (-39.13%) |
| iters.bpf.o | iter_subprog_check_stacksafe | 155 | 141 | -14 (-9.03%) | 15 | 14 | -1 (-6.67%) |
| iters.bpf.o | iter_subprog_iters | 1094 | 1003 | -91 (-8.32%) | 88 | 83 | -5 (-5.68%) |
| iters.bpf.o | loop_state_deps2 | 479 | 725 | +246 (+51.36%) | 46 | 63 | +17 (+36.96%) |
| kmem_cache_iter.bpf.o | open_coded_iter | 63 | 59 | -4 (-6.35%) | 7 | 6 | -1 (-14.29%) |
| verifier_bits_iter.bpf.o | max_words | 92 | 84 | -8 (-8.70%) | 8 | 7 | -1 (-12.50%) |
| verifier_iterating_callbacks.bpf.o | cond_break2 | 113 | 107 | -6 (-5.31%) | 12 | 12 | +0 (+0.00%) |

And significant negative impact for sched_ext:

| File | Program | Insns (A) | Insns (B) | Insns (DIFF) | States (A) | States (B) | States (DIFF) |
|---|---|---|---|---|---|---|---|
| bpf.bpf.o | lavd_init | 7039 | 14723 | +7684 (+109.16%) | 490 | 1139 | +649 (+132.45%) |
| bpf.bpf.o | layered_dispatch | 11485 | 10548 | -937 (-8.16%) | 848 | 762 | -86 (-10.14%) |
| bpf.bpf.o | layered_dump | 7422 | 1000001 | +992579 (+13373.47%) | 681 | 31178 | +30497 (+4478.27%) |
| bpf.bpf.o | layered_enqueue | 16854 | 71127 | +54273 (+322.02%) | 1611 | 6450 | +4839 (+300.37%) |
| bpf.bpf.o | p2dq_dispatch | 665 | 791 | +126 (+18.95%) | 68 | 78 | +10 (+14.71%) |
| bpf.bpf.o | p2dq_init | 2343 | 2980 | +637 (+27.19%) | 201 | 237 | +36 (+17.91%) |
| bpf.bpf.o | refresh_layer_cpumasks | 16487 | 674760 | +658273 (+3992.68%) | 1770 | 65370 | +63600 (+3593.22%) |
| bpf.bpf.o | rusty_select_cpu | 1937 | 40872 | +38935 (+2010.07%) | 177 | 3210 | +3033 (+1713.56%) |
| scx_central.bpf.o | central_dispatch | 636 | 2687 | +2051 (+322.48%) | 63 | 227 | +164 (+260.32%) |
| scx_nest.bpf.o | nest_init | 636 | 815 | +179 (+28.14%) | 60 | 73 | +13 (+21.67%) |

scx_qmap.bpf.o qmap_dispatch
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.15 (including) | 6.12.31 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.14.9 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
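
The version ranges in the table above can be applied to a fleet inventory of `uname -r` strings. The following triage helper is an added example, not part of the advisory or the kernel project; the function names and the sample release strings are constructed for illustration. It compares upstream version numbers only, so an "in-range" result on a distribution kernel means the vendor advisory still has to be checked, because vendors backport fixes without changing the upstream version.

```python
import platform
import re

# Affected upstream ranges copied from the CPE table above:
# (first affected version, inclusive), (first fixed version, exclusive).
AFFECTED_RANGES = [
    ((6, 6, 15), (6, 12, 31)),
    ((6, 13, 0), (6, 14, 9)),
]

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Turn a `uname -r` style string into a (major, minor, patch) tuple.

    Vendor and pre-release suffixes ("-45-generic", "-rc3") are ignored and a
    missing patch level ("6.13") counts as 0. An -rc build is therefore treated
    like its final release, which errs on the side of flagging it for review.
    Returns None when the string does not start with a version number.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(release):
    """Return 'in-range', 'out-of-range' or 'unknown' for one release string."""
    version = parse_release(release)
    if version is None:
        return "unknown"
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return "in-range"
    return "out-of-range"


def triage(releases):
    """Map each release string of an inventory to its classification."""
    return {release: classify(release) for release in releases}


if __name__ == "__main__":
    # Constructed sample inventory, followed by the local machine's kernel.
    sample = ["6.8.0-45-generic", "6.12.31", "6.14.8-arch1-1", "5.15.0-130-generic"]
    for release, verdict in triage(sample + [platform.release()]).items():
        print(f"{release:28} {verdict}")
```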



