From: Yihan Ding
To: gnoack3000@gmail.com
Cc: dingyihan@uniontech.com, jannh@google.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, m@maowtm.org, mic@digikod.net, paul@paul-moore.com, syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com, utilityemal77@gmail.com
Subject: [PATCH v4 1/2] landlock: Serialize TSYNC thread restriction
Date: Wed, 4 Mar 2026 17:54:17 +0800
Message-Id: <20260304095418.465594-2-dingyihan@uniontech.com>
In-Reply-To: <20260304095418.465594-1-dingyihan@uniontech.com>
References: <20260304095418.465594-1-dingyihan@uniontech.com>
X-Mailing-List: linux-kernel@vger.kernel.org
syzbot found a deadlock in landlock_restrict_sibling_threads(). When
multiple threads concurrently call landlock_restrict_self() with sibling
thread restriction enabled, they can deadlock by mutually queueing
task_works on each other and then blocking in kernel space (waiting for
the other to finish).

Fix this by serializing the TSYNC operations within the same process
using the exec_update_lock. This prevents concurrent invocations from
deadlocking.

We use down_write_trylock() and return -ERESTARTNOINTR if the lock
cannot be acquired immediately. This ensures that if a thread fails to
get the lock, it will return to userspace, allowing it to process any
pending TSYNC task_works from the lock holder, and then transparently
restart the syscall.

Fixes: 42fc7e6543f6 ("landlock: Multithreading support for landlock_restrict_self()")
Reported-by: syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7ea2f5e9dfd468201817
Suggested-by: Günther Noack
Signed-off-by: Yihan Ding
Suggested-by: Tingmao as well.
Tested-by: Justin Suess
---
Changes in v4:
- Use restart_syscall() instead of returning -ERESTARTNOINTR. This
  ensures the syscall is properly restarted without leaking the internal
  error code to userspace, fixing a test failure in
  tsync_test.competing_enablement. (Caught by Justin Suess, suggested by
  Tingmao Wang).

Changes in v3:
- Replaced down_write_killable() with down_write_trylock() and returned
  -ERESTARTNOINTR to avoid a secondary deadlock caused by blocking the
  execution of task_works. (Caught by Günther Noack).
---
 security/landlock/tsync.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
index de01aa899751..1f460b9ec833 100644
--- a/security/landlock/tsync.c
+++ b/security/landlock/tsync.c
@@ -446,6 +446,15 @@ int landlock_restrict_sibling_threads(const struct cre= d *old_cred, shared_ctx.old_cred =3D old_cred; shared_ctx.new_cred =3D new_cred; shared_ctx.set_no_new_privs =3D task_no_new_privs(current); + /* + * Serialize concurrent TSYNC operations to prevent deadlocks when + * multiple threads call landlock_restrict_self() simultaneously. + * If the lock is already held, we gracefully yield by restarting the + * syscall. This allows the current thread to process pending + * task_works before retrying. + */ + if (!down_write_trylock(¤t->signal->exec_update_lock)) + return restart_syscall(); =20 /* * We schedule a pseudo-signal task_work for each of the calling task's 
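Review bot: the write lock is taken here, after shared_ctx is initialised but before any task_work is queued, and the only matching up_write() in this series sits immediately before the function's final return; every return path between those two points (for example an allocation failure while building the task works, which this diff does not show) would leave exec_update_lock held for write, so please confirm there is no such early return, or route those paths through the release. Two smaller points: the commit message body still says the failure path will "return -ERESTARTNOINTR if the lock cannot be acquired immediately", while the hunk (and the v4 changelog) uses restart_syscall(), so the message should be updated to match; and since exec_update_lock is, as far as I know, the same rwsem that execve() write-locks, a concurrent execve() from a sibling thread will now block for the whole TSYNC operation including the wait for all siblings, which looks intended but is worth one sentence in the commit message.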
@@ -556,6 +565,6 @@ int landlock_restrict_sibling_threads(const struct cred= *old_cred, wait_for_completion(&shared_ctx.all_finished); =20 tsync_works_release(&works); - + up_write(¤t->signal->exec_update_lock); return atomic_read(&shared_ctx.preparation_error); }
--
2.20.1
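Review bot: up_write() is placed after wait_for_completion(&shared_ctx.all_finished) and tsync_works_release(), so the lock is only dropped once every sibling task_work has finished and the stack-allocated shared_ctx is no longer referenced; that is the right spot, but it means this release covers only the normal exit of the function, so any error return that precedes it must unlock on its own. Minor: the hunk replaces the blank line that separated the cleanup calls from the return rather than adding the up_write() above it; keeping the blank line before `return atomic_read(&shared_ctx.preparation_error);` would preserve the existing layout.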
From: Yihan Ding
To: gnoack3000@gmail.com
Cc: dingyihan@uniontech.com, jannh@google.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, m@maowtm.org, mic@digikod.net, paul@paul-moore.com, syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com, utilityemal77@gmail.com
Subject: [PATCH v4 2/2] landlock: Clean up interrupted thread logic in TSYNC
Date: Wed, 4 Mar 2026 17:54:18 +0800
Message-Id: <20260304095418.465594-3-dingyihan@uniontech.com>
In-Reply-To: <20260304095418.465594-1-dingyihan@uniontech.com>
References: <20260304095418.465594-1-dingyihan@uniontech.com>
X-Mailing-List: linux-kernel@vger.kernel.org
In landlock_restrict_sibling_threads(), when the calling thread is
interrupted while waiting for sibling threads to prepare, it executes a
recovery path. Previously, this path included a wait_for_completion()
call on all_prepared to prevent a Use-After-Free of the local
shared_ctx.

However, this wait is redundant. Exiting the main do-while loop already
leads to a bottom cleanup section that unconditionally waits for
all_finished. Therefore, replacing the wait with a simple break is safe,
prevents UAF, and correctly unblocks the remaining task_works.

Clean up the error path by breaking the loop and updating the
surrounding comments to accurately reflect the state machine.

Suggested-by: Günther Noack
Signed-off-by: Yihan Ding
---
Changes in v3:
- No change in v3.

Changes in v2:
- Replaced wait_for_completion(&shared_ctx.all_prepared) with a break
  statement based on the realization that the bottom wait for
  'all_finished' already guards against UAF.
- Updated comments for clarity.
---
 security/landlock/tsync.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
index 1f460b9ec833..d52583ee1d93 100644
--- a/security/landlock/tsync.c
+++ b/security/landlock/tsync.c
@@ -536,24 +536,27 @@ int landlock_restrict_sibling_threads(const struct cr= ed *old_cred, -ERESTARTNOINTR); =20 /* - * Cancel task works for tasks that did not start running yet, - * and decrement all_prepared and num_unfinished accordingly. + * Opportunistic improvement: try to cancel task works for + * tasks that did not start running yet. We do not have a + * guarantee that it cancels any of the enqueued task works + * because task_work_run() might already have dequeued them. */ cancel_tsync_works(&works, &shared_ctx); =20 /* - * The remaining task works have started running, so waiting for - * their completion will finish. + * Break the loop with error. The cleanup code after the loop + * unblocks the remaining task_works. */ - wait_for_completion(&shared_ctx.all_prepared); + break; } } } while (found_more_threads && !atomic_read(&shared_ctx.preparation_error)); =20 /* - * We now have all sibling threads blocking and in "prepared" state in the - * task work. Ask all threads to commit. + * We now have either (a) all sibling threads blocking and in "prepared" + * state in the task work, or (b) the preparation error is set. Ask all + * threads to commit (or abort). */ complete_all(&shared_ctx.ready_to_commit); =20 --=20 2.20.1
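Review bot: with the all_prepared wait replaced by `break;`, the only thing that keeps the stack-allocated shared_ctx alive until the last task_work has dereferenced it is the wait_for_completion(&shared_ctx.all_finished) after the loop, which this diff does not touch; the new comment here only says "The cleanup code after the loop unblocks the remaining task_works", so please add a sentence at that wait stating it is now the sole guard against a use-after-free of shared_ctx, otherwise a later refactor of the cleanup section can silently reintroduce the bug. Also, the removed comment stated that cancel_tsync_works() "decrement[s] all_prepared and num_unfinished accordingly", and the replacement ("Opportunistic improvement ...") drops that detail; if the function still adjusts those counters, keep one sentence saying so, because a reader of this hunk otherwise cannot tell how cancelled works are accounted for in all_finished.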