In the Linux kernel, the following vulnerabilities have been resolved: riscv, bpf: Sign extension for struct operations correctly handles return values. The ns_bpf_qdisc selftest triggers a kernel panic: Unable to handle kernel paging requests at virtual address ffffffffa38dbf58. Current test_progs pgtable: 4K page size, 57-bit Virtual Addresses, pgdp=0x00000001109cc000 [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000 Oops [#1] Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)] CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G W OE 6.17.0-rc1-g2465bb83e0b4 #1 NONE Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024 epc: __qdisc_run+0x82/0x6f0 ra: __qdisc_run+0x6e/0x6f0 epc: ffffffff80bd5c7a ra: ffffffff80bd5c66 sp: ff2000000eecb550 gp: ffffffff82472098 tp: ff60000096895940 t0: ffffffff8001f180 t1: ffffffff801e1664 t2: 0000000000000000 s0: ff2000000eecb5d0 s1: ff60000093a6a600 a0: ffffffffa38dbee8 a1: 0000000000000001 a2: ff2000000eecb510 a3: 0000000000000001 a4: 0000000000000000 a5: 0000000000000010 a6: 0000000000000000 a7: 0000000000735049 s2: ffffffffa38dbee8 s3: 0000000000000040 s4: ff6000008bcda000 s5: 0000000000000008 s6: ff60000093a6a680 s7: ff60000093a6a6f0 s8: ff60000093a6a6ac s9: ff60000093140000 s10: 0000000000000000 s11: ff2000000eecb9d0 t3: 0000000000000000 t4: 0000000000ff0000 t5 : 0000000000000000 t6 : ff60000093a6a8b6 status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d [] __qdisc_run+0x82/0x6f0 [] __dev_queue_xmit+0x4c0/0x1128 [] neigh_resolve_output+0xd0/0x170 [] ip6_finish_output2+0x226/0x6c8 [] ip6_finish_output+0x10c/0x2a0 [] ip6_output+0x5e/0x178 [] ip6_xmit+0x29a/0x608 [] inet6_csk_xmit+0xe6/0x140 [] __tcp_transmit_skb+0x45c/0xaa8 [] tcp_connect+0x9ce/0xd10 [] tcp_v6_connect+0x4ac/0x5e8 [] __inet_stream_connect+0xd8/0x318 [] inet_stream_connect+0x3e/0x68 [] __sys_connect_file+0x50/0x88 [] __sys_connect+0x96/0xc8 [] __riscv_sys_connect+0x20/0x30 [] do_trap_ecall_u+0x256/0x378 [] handle_exception+0x14a/0x156 Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709 ---[ End Trace: 0000000000000000]--- The bpf_fifo_dequeue prog returns a skb, which is a pointer. The pointer is treated as a 32-bit value and signed-extended to 64 bits at the end. This behavior is correct for most bpf prog types, but incorrect for struct operations that require the RISC-V ABI. So, let’s perform signed extension of return values from struct operations according to the function model and the RISC-V ABI ([0]). [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf

Query Builder