CVE-2025-68216

Summary

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Disable trampoline for kernel module function trace

The current LoongArch BPF trampoline implementation is incompatible with tracing functions in kernel modules. This causes several severe and user-visible problems:

  • The bpf_selftests/module_attach test fails consistently.
  • Kernel lockup when a BPF program is attached to a module function 1.
  • Critical kernel modules like WireGuard experience traffic disruption when their functions are traced with fentry 2.

Given the severity and the potential for other unknown side-effects, it is safest to disable the feature entirely for now. This patch prevents the BPF subsystem from allowing trampoline attachments to kernel module functions on LoongArch.

This is a temporary mitigation until the core issues in the trampoline code for kernel module handling can be identified and fixed.

[root@fedora bpf]# ./test_progs -a module_attach -v bpf_testmod.ko is already unloaded. Loading bpf_testmod.ko… Successfully loaded bpf_testmod.ko. test_module_attach:PASS:skel_open 0 nsec test_module_attach:PASS:set_attach_target 0 nsec test_module_attach:PASS:set_attach_target_explicit 0 nsec test_module_attach:PASS:skel_load 0 nsec libbpf: prog 'handle_fentry': failed to attach: -ENOTSUPP libbpf: prog 'handle_fentry': failed to auto-attach: -ENOTSUPP test_module_attach:FAIL:skel_attach skeleton attach failed: -524 Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED Successfully unloaded bpf_testmod.ko.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf9b6b41f0cf31791541cea9644ddbedb46465801 < 44eb3849378be5f72b8be03edbacbdcd6f5eade4affected
LinuxLinuxf9b6b41f0cf31791541cea9644ddbedb46465801 < 677e6123e3d24adaa252697dc89740f2ac07664eaffected
LinuxLinux6.17affected
LinuxLinux0 < 6.17unaffected
LinuxLinux6.17.10 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References