CVE-2025-40201

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
12/11/2025
Last modified:
12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths

The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit()
path is very broken.

sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct
itself. If tsk != current and tsk is not a leader, this process can exit/exec
and task_lock(tsk->group_leader) may use the already freed task_struct.

Another problem is that sys_prlimit64() can race with mt-exec which changes
->group_leader. In this case do_prlimit() may take the wrong lock, or (worse)
->group_leader may change between task_lock() and task_unlock().

Change sys_prlimit64() to take tasklist_lock when necessary. This is not
nice, but I don't see a better fix for -stable.
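As an added illustration (this is not code from the kernel, from the advisory, or from the patch author), the user-space C program below shows the entry conditions the commit message describes: prlimit64() resolves its pid argument like any other pid lookup, so a caller can name a non-leader thread by its tid (tsk != current, tsk not a leader), and the limits it reads and writes through that thread are the thread group's shared rlimits, which is why do_prlimit() locks tsk->group_leader rather than tsk. The race itself (the target exiting or exec'ing so that group_leader is freed or replaced) depends on kernel-internal timing and is not attempted here; the program only demonstrates the reachable, unprivileged path. It assumes Linux with glibc 2.13 or later for prlimit(); the function probe_nonleader_prlimit() and the probe struct are this example's own names.

```c
/* Added example, not kernel or advisory code. Assumes Linux + glibc >= 2.13. */
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

struct probe {
    pid_t tid;              /* kernel tid of the worker: a non-leader task */
    pthread_mutex_t mu;
    pthread_cond_t cv;
    int ready, done;
};

/* Worker thread: publish its tid, then park until told to exit. */
static void *worker(void *arg)
{
    struct probe *p = arg;
    pthread_mutex_lock(&p->mu);
    p->tid = (pid_t)syscall(SYS_gettid);   /* != getpid(): not the leader */
    p->ready = 1;
    pthread_cond_broadcast(&p->cv);
    while (!p->done)
        pthread_cond_wait(&p->cv, &p->mu);
    pthread_mutex_unlock(&p->mu);
    return NULL;
}

/*
 * Returns 1 if prlimit() addressed at a sibling (non-leader) thread's tid
 * reads the same RLIMIT_NOFILE values the caller sees, and a soft-limit
 * change made through that tid is visible to the caller (shared
 * signal->rlim). Returns 0 on a mismatch, -1 on a syscall/thread error.
 */
int probe_nonleader_prlimit(void)
{
    struct probe p = { .mu = PTHREAD_MUTEX_INITIALIZER,
                       .cv = PTHREAD_COND_INITIALIZER };
    pthread_t th;
    struct rlimit mine, theirs, lowered;
    int rc = -1;

    if (pthread_create(&th, NULL, worker, &p) != 0)
        return -1;
    pthread_mutex_lock(&p.mu);
    while (!p.ready)
        pthread_cond_wait(&p.cv, &p.mu);
    pthread_mutex_unlock(&p.mu);

    if (p.tid == getpid())                 /* sanity: must be a non-leader */
        goto out;
    if (getrlimit(RLIMIT_NOFILE, &mine) != 0)
        goto out;
    /* Same path as the advisory: pid argument is a non-leader tid, tsk != current. */
    if (prlimit(p.tid, RLIMIT_NOFILE, NULL, &theirs) != 0)
        goto out;
    if (mine.rlim_cur != theirs.rlim_cur || mine.rlim_max != theirs.rlim_max) {
        rc = 0;
        goto out;
    }
    if (mine.rlim_cur == RLIM_INFINITY || mine.rlim_cur == 0) {
        rc = 1;                            /* nothing safe to lower; reads agree */
        goto out;
    }
    /* Lower the soft limit via the sibling tid; lowering needs no privilege. */
    lowered = mine;
    lowered.rlim_cur -= 1;
    if (prlimit(p.tid, RLIMIT_NOFILE, &lowered, NULL) != 0)
        goto out;
    if (getrlimit(RLIMIT_NOFILE, &theirs) == 0)
        rc = (theirs.rlim_cur == lowered.rlim_cur);   /* process-wide effect */
    prlimit(p.tid, RLIMIT_NOFILE, &mine, NULL);      /* restore (cur <= max) */
out:
    pthread_mutex_lock(&p.mu);
    p.done = 1;
    pthread_cond_broadcast(&p.cv);
    pthread_mutex_unlock(&p.mu);
    pthread_join(th, NULL);
    return rc;
}

int main(void)
{
    int r = probe_nonleader_prlimit();
    printf("prlimit via non-leader tid: %s\n",
           r == 1 ? "ok, limits are thread-group wide" :
           r == 0 ? "mismatch" : "error");
    return r == 1 ? 0 : 1;
}
```

The point for triage: no capability is needed to reach do_prlimit() with a task that is not the group leader, because the permission check passes for any task with the caller's own uid/gid, and the target can simply be another thread of the caller's own process or of a same-uid process that is about to exit or exec. Compile with -pthread on toolchains whose libc does not already include the thread library.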

Impact