Linux kernel BPF tailcall expected_attach_type enforcement flaw
CVE-2025-40123 is a flaw in the Linux kernel BPF subsystem caused by an incomplete compatibility check for BPF tail calls. __bpf_prog_map_compatible(), which decides whether a program may use or be inserted into a tail-call map (BPF_MAP_TYPE_PROG_ARRAY), compared the base bpf_prog_type of the map's owner and of the candidate program but not their expected_attach_type. As a result, a BPF program could tail-call into another program of the same base bpf_prog_type but with a different expected_attach_type, bypassing the access restrictions and context assumptions that the verifier ties to the attach type.
The reported manifestation was in bpf_prog_test_run_xdp(): a fuzzer found an uninitialized pointer that led to a NULL pointer dereference when a BPF program dereferenced the txq member of struct xdp_buff. In the described XDP case, progA was the entry program and, being run through test_run, could not itself carry expected_attach_type BPF_XDP_DEVMAP or BPF_XDP_CPUMAP, but it tail-called progB through a tail-call map. progB had expected_attach_type BPF_XDP_DEVMAP, which is what xdp_is_valid_access() requires before it accepts an access to xdp_md.egress_ifindex; that field is only valid under that attach type because the verifier rewrites the access into a load through xdp_buff->txq. Because the tail-call compatibility check ignored expected_attach_type, progB ran with the txq that the test_run path never sets, so code written for a devmap execution environment reached an invalid one.
The issue is broader than XDP. Other program types, BPF_PROG_TYPE_CGROUP_SOCK_ADDR among them, also vary the permitted helpers and context fields with expected_attach_type, so a tail call could cross an attach-type boundary and violate restrictions or assumptions that held for the caller. The fix enforces a matching expected_attach_type for tail-call maps in __bpf_prog_map_compatible(), alongside the existing base-type check. The change deliberately does not apply to BPF devmaps or cpumaps, because programs run from those maps start in a new execution environment rather than inheriting the caller's, and so are not affected in the same way.
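To make the check concrete, the following is a simplified C model of the owner-record comparison described above, showing the tail-call map check as it was before the fix beside the check as it is after, replayed against the XDP progA/progB scenario. This is an added illustration, not the kernel's __bpf_prog_map_compatible() or any code from the fix; the enum values, struct layout and function names are assumptions chosen for the example, and the map "owner" record is a reduced version of the kernel's rule that the first program to claim a map fixes what later programs must match.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed enum values for the example; the names follow the write-up but the
 * numbers are not the kernel's UAPI constants. */
enum prog_type { PROG_TYPE_XDP = 1 };
enum attach_type { ATTACH_NONE = 0, ATTACH_XDP_DEVMAP = 1, ATTACH_XDP_CPUMAP = 2 };
/* Devmaps/cpumaps carry their own insert-time attach-type rules that this
 * model does not cover; they appear here only so the fix's scoping is visible. */
enum map_type { MAP_TYPE_PROG_ARRAY = 1, MAP_TYPE_DEVMAP = 2, MAP_TYPE_CPUMAP = 3 };

struct prog {
    enum prog_type type;
    enum attach_type expected_attach_type;
};

/* Reduced owner record: the first program to use or be inserted into the map
 * fixes what every later program must match (the kernel tracks more fields,
 * such as JIT state, which are omitted here). */
struct map {
    enum map_type map_type;
    bool has_owner;
    enum prog_type owner_type;
    enum attach_type owner_expected_attach_type;
};

/* Vulnerable check: only the base program type is compared. */
static bool map_compatible_unfixed(struct map *m, const struct prog *p)
{
    if (!m->has_owner) {
        m->has_owner = true;
        m->owner_type = p->type;
        return true;
    }
    return m->owner_type == p->type;
}

/* Fixed check: for tail-call (prog array) maps, expected_attach_type must
 * match as well. Devmaps and cpumaps are left alone, as the fix does. */
static bool map_compatible_fixed(struct map *m, const struct prog *p)
{
    if (!m->has_owner) {
        m->has_owner = true;
        m->owner_type = p->type;
        if (m->map_type == MAP_TYPE_PROG_ARRAY)
            m->owner_expected_attach_type = p->expected_attach_type;
        return true;
    }
    if (m->owner_type != p->type)
        return false;
    if (m->map_type == MAP_TYPE_PROG_ARRAY &&
        m->owner_expected_attach_type != p->expected_attach_type)
        return false;
    return true;
}

/* Replays the two checks the kernel performs: the entry program is checked
 * against the map when it is verified (it references the map as a tail-call
 * target), then the target program is checked when it is inserted. Returns
 * true if both pass, i.e. the tail call would be allowed. */
bool insert_pair_allowed(enum map_type mt, enum attach_type entry_at,
                         enum attach_type target_at, bool fixed)
{
    struct map m = { .map_type = mt };
    struct prog entry  = { PROG_TYPE_XDP, entry_at };
    struct prog target = { PROG_TYPE_XDP, target_at };
    bool (*compat)(struct map *, const struct prog *) =
        fixed ? map_compatible_fixed : map_compatible_unfixed;

    return compat(&m, &entry) && compat(&m, &target);
}

int main(void)
{
    /* The reported XDP case: progA (entry, no devmap/cpumap attach type)
     * tail-calls progB (expected_attach_type BPF_XDP_DEVMAP). */
    printf("unfixed: progA -> progB(DEVMAP) allowed = %d\n",
           insert_pair_allowed(MAP_TYPE_PROG_ARRAY, ATTACH_NONE, ATTACH_XDP_DEVMAP, false));
    printf("fixed:   progA -> progB(DEVMAP) allowed = %d\n",
           insert_pair_allowed(MAP_TYPE_PROG_ARRAY, ATTACH_NONE, ATTACH_XDP_DEVMAP, true));
    /* Matching attach types on both sides remain allowed after the fix. */
    printf("fixed:   DEVMAP -> DEVMAP allowed = %d\n",
           insert_pair_allowed(MAP_TYPE_PROG_ARRAY, ATTACH_XDP_DEVMAP, ATTACH_XDP_DEVMAP, true));
    return 0;
}
```

The point the model makes is that the owner record is written by whichever program touches the map first, so the entry program's verification, not only the insertion of the target, can pin the attach type; after the fix, progB's insertion fails instead of progB later running against a context its verifier-approved accesses assumed was present.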
Exploits
No public exploit code observed for this vulnerability.
Recent activity
9 sources tracked across advisories and community write-ups; no news coverage yet.