CVE-2025-38723

Summary

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Fix jump offset calculation in tailcall

The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by

"#define jmp_offset (out_offset - (cur_offset))"

is a negative number, which is wrong. The final generated assembly are as follow.

54: bgeu $a2, $t1, -8 # 0x0000004c 58: addi.d $a6, $s5, -1 5c: bltz $a6, -16 # 0x0000004c 60: alsl.d $t2, $a2, $a1, 0x3 64: ld.d $t2, $t2, 264 68: beq $t2, $zero, -28 # 0x0000004c

Before apply this patch, the follow test case will reveal soft lock issues.

cd tools/testing/selftests/bpf/ ./test_progs –allow=tailcalls/tailcall_bpf2bpf_1

dmesg: watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5dc615520c4dfb358245680f1904bad61116648e < 1a782fa32e644aa9fbae6c8488f3e61221ac96e1affected
LinuxLinux5dc615520c4dfb358245680f1904bad61116648e < 17c010fe45def335fe03a0718935416b04c7f349affected
LinuxLinux5dc615520c4dfb358245680f1904bad61116648e < f83d469e16bb1f75991ca67c56786fb2aaa42beaaffected
LinuxLinux5dc615520c4dfb358245680f1904bad61116648e < f2b5e50cc04d7a049b385bc1c93b9cbf5f10c94faffected
LinuxLinux5dc615520c4dfb358245680f1904bad61116648e < 9262e3e04621558e875eb5afb5e726b648cd5949affected
LinuxLinux5dc615520c4dfb358245680f1904bad61116648e < cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3affected
LinuxLinux6.1affected
LinuxLinux0 < 6.1unaffected
LinuxLinux6.1.149 <= 6.1.*unaffected
LinuxLinux6.6.103 <= 6.6.*unaffected
LinuxLinux6.12.43 <= 6.12.*unaffected
LinuxLinux6.15.11 <= 6.15.*unaffected
LinuxLinux6.16.2 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

Additional References

References