CVE-2025-40178

Source
https://cve.org/CVERecord?id=CVE-2025-40178
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40178.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40178
Published
2025-11-12T21:56:24.051Z
Modified
2026-03-20T12:43:12.482624Z
Summary
pid: Add a judgment for ns null in pid_nr_ns
Details

In the Linux kernel, the following vulnerability has been resolved:

pid: Add a judgment for ns null in pid_nr_ns

__task_pid_nr_ns
    ns = task_active_pid_ns(current);
    pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
        if (pid && ns->level <= pid->level) {

Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.

For example:

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
    Mem abort info:
      ESR = 0x0000000096000007
      EC = 0x25: DABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
      FSC = 0x07: level 3 translation fault
    Data abort info:
      ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
      CM = 0, WnR = 0, TnD = 0, TagAccess = 0
      GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
    user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000
    [0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000
    pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
    pc : __task_pid_nr_ns+0x74/0xd0
    lr : __task_pid_nr_ns+0x24/0xd0
    sp : ffffffc08001bd10
    x29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001
    x26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31
    x23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0
    x20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000
    x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc
    x14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800
    x11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001
    x8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449
    x5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc
    x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0
    Call trace:
     __task_pid_nr_ns+0x74/0xd0
     ...
     __handle_irq_event_percpu+0xd4/0x284
     handle_irq_event+0x48/0xb0
     handle_fasteoi_irq+0x160/0x2d8
     generic_handle_domain_irq+0x44/0x60
     gic_handle_irq+0x4c/0x114
     call_on_irq_stack+0x3c/0x74
     do_interrupt_handler+0x4c/0x84
     el1_interrupt+0x34/0x58
     el1h_64_irq_handler+0x18/0x24
     el1h_64_irq+0x68/0x6c
     account_kernel_stack+0x60/0x144
     exit_task_stack_account+0x1c/0x80
     do_exit+0x7e4/0xaf8
     ...
     get_signal+0x7bc/0x8d8
     do_notify_resume+0x128/0x828
     el0_svc+0x6c/0x70
     el0t_64_sync_handler+0x68/0xbc
     el0t_64_sync+0x1a8/0x1ac
    Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)
    ---[ end trace 0000000000000000 ]---
    Kernel panic - not syncing: Oops: Fatal exception in interrupt

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40178.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
17cf22c33e1f1b5e435469c84e43872579497653
Fixed
75dbc029c5359438be4a6f908bfbfdab969af776
Fixed
c2d09d724856b6f82ab688f65fc1ce833bb56333
Fixed
c3b654021931dc806ba086c549e8756c3f204a67
Fixed
e10c36a771c5cc910abd9fe4aa9033ee32a47c38
Fixed
09d227c59d97efda7d5cc878a4335a6b2bb224c2
Fixed
2076b916bf41be48799d1443df0f8fc75d12ccd0
Fixed
a0212978af1825b37da0b453b94d9b0e5af11478
Fixed
006568ab4c5ca2309ceb36fa553e390b4aa9c0c7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40178.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.8.0
Fixed
5.4.301
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.246
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.195
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.157
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.113
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.54
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40178.json"