{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40079","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.160Z","datePublished":"2025-10-28T11:48:44.122Z","dateUpdated":"2026-05-11T21:42:06.130Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:42:06.130Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv, bpf: Sign extend struct ops return values properly\n\nThe ns_bpf_qdisc selftest triggers a kernel panic:\n\n    Unable to handle kernel paging request at virtual address ffffffffa38dbf58\n    Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000\n    [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000\n    Oops [#1]\n    Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)]\n    CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G        W  OE       6.17.0-rc1-g2465bb83e0b4 #1 NONE\n    Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n    Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024\n    epc : __qdisc_run+0x82/0x6f0\n     ra : __qdisc_run+0x6e/0x6f0\n    epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550\n     gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180\n     t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0\n     s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001\n     a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000\n     a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049\n     s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000\n     s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0\n     s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000\n     s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000\n     t5 : 0000000000000000 t6 : ff60000093a6a8b6\n    status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d\n    [<ffffffff80bd5c7a>] __qdisc_run+0x82/0x6f0\n    [<ffffffff80b6fe58>] __dev_queue_xmit+0x4c0/0x1128\n    [<ffffffff80b80ae0>] neigh_resolve_output+0xd0/0x170\n    [<ffffffff80d2daf6>] ip6_finish_output2+0x226/0x6c8\n    [<ffffffff80d31254>] ip6_finish_output+0x10c/0x2a0\n    [<ffffffff80d31446>] ip6_output+0x5e/0x178\n    [<ffffffff80d2e232>] ip6_xmit+0x29a/0x608\n    [<ffffffff80d6f4c6>] inet6_csk_xmit+0xe6/0x140\n    [<ffffffff80c985e4>] __tcp_transmit_skb+0x45c/0xaa8\n    [<ffffffff80c995fe>] tcp_connect+0x9ce/0xd10\n    [<ffffffff80d66524>] tcp_v6_connect+0x4ac/0x5e8\n    [<ffffffff80cc19b8>] __inet_stream_connect+0xd8/0x318\n    [<ffffffff80cc1c36>] inet_stream_connect+0x3e/0x68\n    [<ffffffff80b42b20>] __sys_connect_file+0x50/0x88\n    [<ffffffff80b42bee>] __sys_connect+0x96/0xc8\n    [<ffffffff80b42c40>] __riscv_sys_connect+0x20/0x30\n    [<ffffffff80e5bcae>] do_trap_ecall_u+0x256/0x378\n    [<ffffffff80e69af2>] handle_exception+0x14a/0x156\n    Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709\n    ---[ end trace 0000000000000000 ]---\n\nThe bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer\nis treated as a 32bit value and sign extend to 64bit in epilogue. This\nbehavior is right for most bpf prog types but wrong for struct ops which\nrequires RISC-V ABI.\n\nSo let's sign extend struct ops return values according to the function\nmodel and RISC-V ABI([0]).\n\n  [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/riscv/net/bpf_jit_comp64.c"],"versions":[{"version":"25ad10658dc1068a671553ff10e19a812c2a3783","lessThan":"92751937f12a7d34ad492577a251c94a55e97e72","status":"affected","versionType":"git"},{"version":"25ad10658dc1068a671553ff10e19a812c2a3783","lessThan":"918a399501e28e0cc36dbd1fcfb4208f8aa1e4d1","status":"affected","versionType":"git"},{"version":"25ad10658dc1068a671553ff10e19a812c2a3783","lessThan":"fd2e08128944a7679e753f920e9eda72057e427c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/riscv/net/bpf_jit_comp64.c"],"versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","status":"unaffected","versionType":"semver"},{"version":"6.12.53","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.12.53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/92751937f12a7d34ad492577a251c94a55e97e72"},{"url":"https://git.kernel.org/stable/c/918a399501e28e0cc36dbd1fcfb4208f8aa1e4d1"},{"url":"https://git.kernel.org/stable/c/fd2e08128944a7679e753f920e9eda72057e427c"}],"title":"riscv, bpf: Sign extend struct ops return values properly","x_generator":{"engine":"bippy-1.2.0"}}}}