Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of BPF return values on the LoongArch architecture has been addressed. The issue was exposed by the BPF verifier test 'calls: div by 0 in subprog', which caused a kernel panic when the 'ld.bu' instruction attempted to load a byte from a memory address returned by a subprogram. The subprogram had correctly placed the return address in the 'a5' register, which is the register designated for BPF return values. However, a previous commit sign-extended the 'a5' register to the 'a0' register, the standard return-value register in LoongArch. This change inadvertently broke BPF-to-BPF calls, which require the return value in 'a5' to be zero-extended. The vulnerability has been resolved by ensuring that the 'a0' to 'a5' transfer occurs only for native calls, not for BPF-to-BPF calls.
Exploitation of this vulnerability could lead to incorrect handling of return values in BPF subprograms, potentially causing panics or other unintended behaviors in the kernel.