CVE-2025-40143

Source
https://cve.org/CVERecord?id=CVE-2025-40143
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40143.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-40143
Published
2025-11-12T10:23:25.489Z
Modified
2025-12-05T10:20:09.278079Z
Summary
bpf: dont report verifier bug for missing bpf_scc_visit on speculative path
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: dont report verifier bug for missing bpf_scc_visit on speculative path

Syzbot generated a program that triggers a verifier_bug() call in maybe_exit_scc(). maybe_exit_scc() assumes that, when called for a state with insn_idx in some SCC, there should be an instance of struct bpf_scc_visit allocated for that SCC. Turns out the assumption does not hold for speculative execution paths. See example in the next patch.

maybe_scc_exit() is called from update_branch_counts() for states that reach branch count of zero, meaning that path exploration for a particular path is finished. Path exploration can finish in one of three ways:
a. Verification error is found. In this case, update_branch_counts() is called only for non-speculative paths.
b. Top level BPF_EXIT is reached. Such instructions are never a part of an SCC, so compute_scc_callchain() in maybe_scc_exit() will return false, and maybe_scc_exit() will return early.
c. A checkpoint is reached and matched. Checkpoints are created by is_state_visited(), which calls maybe_enter_scc(), which allocates bpf_scc_visit instances for checkpoints within SCCs.

Hence, for non-speculative symbolic execution paths, the assumption still holds: if maybe_scc_exit() is called for a state within an SCC, bpf_scc_visit instance must exist.

This patch removes the verifier_bug() call for speculative paths.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40143.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c9e31900b54cadf5398dfb838c0a63effa1defec
Fixed
3861e7c4324aa20a632fb74eb3904114f6afdb57
Fixed
a3c73d629ea1373af3c0c954d41fd1af555492e3

Affected versions

v6.*
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40143.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.17.0
Fixed
6.17.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40143.json"