From: Yihan Ding
To: Mickaël Salaün, Günther Noack
Cc: Paul Moore, Jann Horn, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com, Yihan Ding
Subject: [PATCH v2 1/2] landlock: Serialize TSYNC thread restriction
Date: Wed, 25 Feb 2026 10:47:33 +0800
Message-Id: <20260225024734.3024732-2-dingyihan@uniontech.com>
In-Reply-To: <20260225024734.3024732-1-dingyihan@uniontech.com>
References: <20260225024734.3024732-1-dingyihan@uniontech.com>
syzbot found a deadlock in landlock_restrict_sibling_threads(). When multiple threads concurrently call landlock_restrict_self() with sibling thread restriction enabled, they can deadlock by mutually queueing task_works on each other and then blocking in kernel space (waiting for the other to finish).

Fix this by serializing the TSYNC operations within the same process using the exec_update_lock. This prevents concurrent invocations from deadlocking.

We use down_write_killable() to ensure the thread remains responsive to fatal signals while waiting for the lock.

Fixes: 42fc7e6543f6 ("landlock: Multithreading support for landlock_restrict_self()")
Reported-by: syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7ea2f5e9dfd468201817
Suggested-by: Günther Noack
Signed-off-by: Yihan Ding
Reviewed-by: Günther Noack
---
 security/landlock/tsync.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c index de01aa899751..420fcfc2fe9a 100644 --- a/security/landlock/tsync.c +++ b/security/landlock/tsync.c
@@ -447,6 +447,13 @@ int landlock_restrict_sibling_threads(const struct cre= d *old_cred, shared_ctx.new_cred =3D new_cred; shared_ctx.set_no_new_privs =3D task_no_new_privs(current); =20 + /* + * Serialize concurrent TSYNC operations to prevent deadlocks + * when multiple threads call landlock_restrict_self() simultaneously. + */ + if (down_write_killable(¤t->signal->exec_update_lock)) + return -EINTR; + /* * We schedule a pseudo-signal task_work for each of the calling task's * sibling threads. In the task work, each thread:
@@ -556,6 +563,7 @@ int landlock_restrict_sibling_threads(const struct cred= *old_cred, wait_for_completion(&shared_ctx.all_finished); =20 tsync_works_release(&works); + up_write(¤t->signal->exec_update_lock); =20 return atomic_read(&shared_ctx.preparation_error); }
-- 
2.51.0
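Review bot: the new rwsem is held across the waits on the sibling task works (the up_write() in the second hunk only runs after wait_for_completion(&shared_ctx.all_finished)), so a sibling thread that is itself blocked in down_write_killable() at the new check is sleeping in the kernel and cannot run the task_work queued for it until it returns to user space; the comment above the lock only says it serializes "to prevent deadlocks" and should explain why the lock holder cannot end up waiting on such a sibling, since that is exactly the mutual-waiting scenario the commit message describes. Two smaller points: nothing in the diff lets a reader verify that no early return between the two hunks leaves exec_update_lock held, so a short comment at the lock site such as `/* held until the cleanup after the loop */` would help; and returning -EINTR is appropriate for a killable wait but differs from the -ERESTARTNOINTR used by the interrupted-wait path later in the same function, which deserves a sentence in the commit message.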
From: Yihan Ding
To: Mickaël Salaün, Günther Noack
Cc: Paul Moore, Jann Horn, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com, Yihan Ding
Subject: [PATCH v2 2/2] landlock: Clean up interrupted thread logic in TSYNC
Date: Wed, 25 Feb 2026 10:47:34 +0800
Message-Id: <20260225024734.3024732-3-dingyihan@uniontech.com>
In-Reply-To: <20260225024734.3024732-1-dingyihan@uniontech.com>
References: <20260225024734.3024732-1-dingyihan@uniontech.com>
In landlock_restrict_sibling_threads(), when the calling thread is interrupted while waiting for sibling threads to prepare, it executes a recovery path. Previously, this path included a wait_for_completion() call on all_prepared to prevent a Use-After-Free of the local shared_ctx.

However, this wait is redundant. Exiting the main do-while loop already leads to a bottom cleanup section that unconditionally waits for all_finished. Therefore, replacing the wait with a simple break is safe, prevents UAF, and correctly unblocks the remaining task_works.

Clean up the error path by breaking the loop and updating the surrounding comments to accurately reflect the state machine.

Suggested-by: Günther Noack
Signed-off-by: Yihan Ding
Reviewed-by: Günther Noack
---
Changes in v2:
- Replaced wait_for_completion(&shared_ctx.all_prepared) with a break statement based on the realization that the bottom wait for 'all_finished' already guards against UAF.
- Updated comments for clarity.
---
 security/landlock/tsync.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c index 420fcfc2fe9a..9731ec7f329a 100644 --- a/security/landlock/tsync.c +++ b/security/landlock/tsync.c
@@ -534,24 +534,28 @@ int landlock_restrict_sibling_threads(const struct cr= ed *old_cred, -ERESTARTNOINTR); =20 /* - * Cancel task works for tasks that did not start running yet, - * and decrement all_prepared and num_unfinished accordingly. + * Opportunistic improvement: try to cancel task works + * for tasks that did not start running yet. We do not + * have a guarantee that it cancels any of the enqueued + * task works (because task_work_run() might already have + * dequeued them). */ cancel_tsync_works(&works, &shared_ctx); =20 /* - * The remaining task works have started running, so waiting for - * their completion will finish. + * Break the loop with error. The cleanup code after the loop + * unblocks the remaining task_works. */ - wait_for_completion(&shared_ctx.all_prepared); + break; } } } while (found_more_threads && !atomic_read(&shared_ctx.preparation_error)); =20 /* - * We now have all sibling threads blocking and in "prepared" state in the - * task work. Ask all threads to commit. + * We now have either (a) all sibling threads blocking and in + * "prepared" state in the task work, or (b) the preparation error is + * set. Ask all threads to commit (or abort). */ complete_all(&shared_ctx.ready_to_commit); =20 --=20 2.51.0
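Review bot: the rewritten comment above cancel_tsync_works() drops the old sentence that the cancellation "decrement[s] all_prepared and num_unfinished accordingly", yet the new break path depends on exactly that bookkeeping: the unconditional wait on all_finished after the loop, which the commit message relies on to prevent the UAF of the local shared_ctx, can only return if the counters account for task works that were cancelled and never ran. Keep that sentence in the new "Opportunistic improvement" comment. Also, case (b) of the post-loop comment says "the preparation error is set" without saying how; stating that the break is only reached after preparation_error has been set (the -ERESTARTNOINTR argument visible at the top of the hunk) would make clear why complete_all(&shared_ctx.ready_to_commit) is enough for the still-blocked task works to observe the error and abort.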