CVE-2025-40178
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 12/11/2025
Last modified: 12/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

pid: Add a judgment for ns null in pid_nr_ns

__task_pid_nr_ns
    ns = task_active_pid_ns(current);
    pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
        if (pid && ns->level <= pid->level) {

Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.

For example:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
Mem abort info:
ESR = 0x0000000096000007
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x07: level 3 translation fault
Data abort info:
ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000
[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000
pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __task_pid_nr_ns+0x74/0xd0
lr : __task_pid_nr_ns+0x24/0xd0
sp : ffffffc08001bd10
x29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001
x26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31
x23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0
x20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000
x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc
x14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800
x11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001
x8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449
x5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0
Call trace:
__task_pid_nr_ns+0x74/0xd0
...
__handle_irq_event_percpu+0xd4/0x284
handle_irq_event+0x48/0xb0
handle_fasteoi_irq+0x160/0x2d8
generic_handle_domain_irq+0x44/0x60
gic_handle_irq+0x4c/0x114
call_on_irq_stack+0x3c/0x74
do_interrupt_handler+0x4c/0x84
el1_interrupt+0x34/0x58
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x68/0x6c
account_kernel_stack+0x60/0x144
exit_task_stack_account+0x1c/0x80
do_exit+0x7e4/0xaf8
...
get_signal+0x7bc/0x8d8
do_notify_resume+0x128/0x828
el0_svc+0x6c/0x70
el0t_64_sync_handler+0x68/0xbc
el0t_64_sync+0x1a8/0x1ac
Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt
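
The null check named in the title, as an added user-space model in C (not the kernel patch and not code from this advisory). The struct layouts are simplified stand-ins, and `pid_nr_ns_unchecked`, `pid_nr_ns_checked` and the sample namespaces are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures (assumed, not the real layouts). */
struct pid_namespace { unsigned int level; };
struct upid { int nr; struct pid_namespace *ns; };
struct pid { unsigned int level; struct upid numbers[3]; };

/* Shape quoted in the description: ns is dereferenced unconditionally,
 * so a NULL ns faults on the ns->level load. Only call with a valid ns. */
static int pid_nr_ns_unchecked(struct pid *pid, struct pid_namespace *ns)
{
    int nr = 0;
    if (pid && ns->level <= pid->level) {
        struct upid *upid = &pid->numbers[ns->level];
        if (upid->ns == ns)
            nr = upid->nr;
    }
    return nr;
}

/* Guarded shape: a NULL namespace yields 0, i.e. no pid visible from it. */
static int pid_nr_ns_checked(struct pid *pid, struct pid_namespace *ns)
{
    int nr = 0;
    if (pid && ns && ns->level <= pid->level) {
        struct upid *upid = &pid->numbers[ns->level];
        if (upid->ns == ns)
            nr = upid->nr;
    }
    return nr;
}

/* Constructed sample: one task seen as 4242 at level 0 and as 7 at level 1. */
static struct pid_namespace init_ns = { 0 }, child_ns = { 1 };
static struct pid_namespace sibling_ns = { 1 }, deeper_ns = { 2 };
static struct pid sample_pid = { 1, { { 4242, &init_ns }, { 7, &child_ns } } };

int main(void)
{
    printf("child ns, unchecked: %d\n", pid_nr_ns_unchecked(&sample_pid, &child_ns));
    printf("init ns:    %d\n", pid_nr_ns_checked(&sample_pid, &init_ns));
    printf("sibling ns: %d\n", pid_nr_ns_checked(&sample_pid, &sibling_ns));
    printf("deeper ns:  %d\n", pid_nr_ns_checked(&sample_pid, &deeper_ns));
    printf("NULL ns:    %d\n", pid_nr_ns_checked(&sample_pid, NULL));
    return 0;
}
```

With a valid namespace both shapes return the same value; they differ only when `ns` is NULL, where the guarded shape returns 0 instead of loading `ns->level`.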
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/006568ab4c5ca2309ceb36fa553e390b4aa9c0c7
- https://git.kernel.org/stable/c/09d227c59d97efda7d5cc878a4335a6b2bb224c2
- https://git.kernel.org/stable/c/2076b916bf41be48799d1443df0f8fc75d12ccd0
- https://git.kernel.org/stable/c/75dbc029c5359438be4a6f908bfbfdab969af776
- https://git.kernel.org/stable/c/a0212978af1825b37da0b453b94d9b0e5af11478
- https://git.kernel.org/stable/c/c2d09d724856b6f82ab688f65fc1ce833bb56333
- https://git.kernel.org/stable/c/c3b654021931dc806ba086c549e8756c3f204a67
- https://git.kernel.org/stable/c/e10c36a771c5cc910abd9fe4aa9033ee32a47c38



