CVE-2025-40079

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv, bpf: Sign extend struct ops return values properly<br /> <br /> The ns_bpf_qdisc selftest triggers a kernel panic:<br /> <br /> Unable to handle kernel paging request at virtual address ffffffffa38dbf58<br /> Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000<br /> [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000<br /> Oops [#1]<br /> Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)]<br /> CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G W OE 6.17.0-rc1-g2465bb83e0b4 #1 NONE<br /> Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024<br /> epc : __qdisc_run+0x82/0x6f0<br /> ra : __qdisc_run+0x6e/0x6f0<br /> epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550<br /> gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180<br /> t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0<br /> s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001<br /> a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000<br /> a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049<br /> s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000<br /> s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0<br /> s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000<br /> s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000<br /> t5 : 0000000000000000 t6 : ff60000093a6a8b6<br /> status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d<br /> [] __qdisc_run+0x82/0x6f0<br /> [] __dev_queue_xmit+0x4c0/0x1128<br /> [] neigh_resolve_output+0xd0/0x170<br /> [] ip6_finish_output2+0x226/0x6c8<br /> [] ip6_finish_output+0x10c/0x2a0<br /> [] ip6_output+0x5e/0x178<br /> [] ip6_xmit+0x29a/0x608<br /> [] inet6_csk_xmit+0xe6/0x140<br /> [] __tcp_transmit_skb+0x45c/0xaa8<br /> [] tcp_connect+0x9ce/0xd10<br /> [] tcp_v6_connect+0x4ac/0x5e8<br /> [] __inet_stream_connect+0xd8/0x318<br /> [] inet_stream_connect+0x3e/0x68<br /> [] __sys_connect_file+0x50/0x88<br /> [] __sys_connect+0x96/0xc8<br /> [] __riscv_sys_connect+0x20/0x30<br /> [] do_trap_ecall_u+0x256/0x378<br /> [] handle_exception+0x14a/0x156<br /> Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> The bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer<br /> is treated as a 32bit value and sign extend to 64bit in epilogue. This<br /> behavior is right for most bpf prog types but wrong for struct ops which<br /> requires RISC-V ABI.<br /> <br /> So let&amp;#39;s sign extend struct ops return values according to the function<br /> model and RISC-V ABI([0]).<br /> <br /> [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf