From: Yihan Ding
To: gnoack3000@gmail.com
Cc: dingyihan@uniontech.com, jannh@google.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, m@maowtm.org, mic@digikod.net, paul@paul-moore.com, syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com, utilityemal77@gmail.com
Subject: [PATCH v5 1/2] landlock: Serialize TSYNC thread restriction
Date: Fri, 6 Mar 2026 10:16:50 +0800
Message-Id: <20260306021651.744723-2-dingyihan@uniontech.com>
In-Reply-To: <20260306021651.744723-1-dingyihan@uniontech.com>
References: <20260306021651.744723-1-dingyihan@uniontech.com>

syzbot found a deadlock in landlock_restrict_sibling_threads(). When multiple threads concurrently call landlock_restrict_self() with sibling thread restriction enabled, they can deadlock by mutually queueing task_works on each other and then blocking in kernel space (waiting for the other to finish).

Fix this by serializing the TSYNC operations within the same process using the exec_update_lock. This prevents concurrent invocations from deadlocking.

We use down_write_trylock() and restart the syscall if the lock cannot be acquired immediately. This ensures that if a thread fails to get the lock, it will return to userspace, allowing it to process any pending TSYNC task_works from the lock holder, and then transparently restart the syscall.

Fixes: 42fc7e6543f6 ("landlock: Multithreading support for landlock_restrict_self()")
Reported-by: syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7ea2f5e9dfd468201817
Reported-by: Justin Suess
Closes: https://lore.kernel.org/all/aacKOr1wywSSOAVv@suesslenovo/
Suggested-by: Günther Noack
Suggested-by: Tingmao Wang
Tested-by: Justin Suess
Signed-off-by: Yihan Ding
Reviewed-by: Günther Noack
Tested-by: Günther Noack
---
Changes in v5:
- Just simple formatting changes, no code changes.

Changes in v4:
- Use restart_syscall() instead of returning -ERESTARTNOINTR. This ensures the syscall is properly restarted without leaking the internal error code to userspace, fixing a test failure in tsync_test.competing_enablement. (Caught by Justin Suess, suggested by Tingmao Wang).

Changes in v3:
- Replaced down_write_killable() with down_write_trylock() and returned -ERESTARTNOINTR to avoid a secondary deadlock caused by blocking the execution of task_works. (Caught by Günther Noack).

--- security/landlock/tsync.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c index de01aa899751..1f460b9ec833 100644 --- a/security/landlock/tsync.c +++ b/security/landlock/tsync.c @@ -446,6 +446,15 @@ int landlock_restrict_sibling_threads(const struct cre= d *old_cred, shared_ctx.old_cred =3D old_cred; shared_ctx.new_cred =3D new_cred; shared_ctx.set_no_new_privs =3D task_no_new_privs(current); + /* + * Serialize concurrent TSYNC operations to prevent deadlocks when + * multiple threads call landlock_restrict_self() simultaneously. + * If the lock is already held, we gracefully yield by restarting the + * syscall. This allows the current thread to process pending + * task_works before retrying. + */ + if (!down_write_trylock(¤t->signal->exec_update_lock)) + return restart_syscall(); =20 /* * We schedule a pseudo-signal task_work for each of the calling task's 
@@ -556,6 +565,6 @@ int landlock_restrict_sibling_threads(const struct cred= *old_cred, wait_for_completion(&shared_ctx.all_finished); =20 tsync_works_release(&works); - + up_write(¤t->signal->exec_update_lock); return atomic_read(&shared_ctx.preparation_error); } --=20 2.20.1
From: Yihan Ding
To: gnoack3000@gmail.com
Cc: dingyihan@uniontech.com, jannh@google.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, m@maowtm.org, mic@digikod.net, paul@paul-moore.com, syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com, utilityemal77@gmail.com
Subject: [PATCH v5 2/2] landlock: Clean up interrupted thread logic in TSYNC
Date: Fri, 6 Mar 2026 10:16:51 +0800
Message-Id: <20260306021651.744723-3-dingyihan@uniontech.com>
In-Reply-To: <20260306021651.744723-1-dingyihan@uniontech.com>
References: <20260306021651.744723-1-dingyihan@uniontech.com>

In landlock_restrict_sibling_threads(), when the calling thread is interrupted while waiting for sibling threads to prepare, it executes a recovery path. Previously, this path included a wait_for_completion() call on all_prepared to prevent a Use-After-Free of the local shared_ctx.

However, this wait is redundant. Exiting the main do-while loop already leads to a bottom cleanup section that unconditionally waits for all_finished. Therefore, replacing the wait with a simple break is safe, prevents UAF, and correctly unblocks the remaining task_works.

Clean up the error path by breaking the loop and updating the surrounding comments to accurately reflect the state machine.

Suggested-by: Günther Noack
Signed-off-by: Yihan Ding
Reviewed-by: Günther Noack
Tested-by: Günther Noack
---
Changes in v3, v4, v5:
- No changes.

Changes in v2:
- Replaced wait_for_completion(&shared_ctx.all_prepared) with a break statement based on the realization that the bottom wait for 'all_finished' already guards against UAF.
- Updated comments for clarity.

--- security/landlock/tsync.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c index 1f460b9ec833..d52583ee1d93 100644 --- a/security/landlock/tsync.c +++ b/security/landlock/tsync.c 
@@ -536,24 +536,27 @@ int landlock_restrict_sibling_threads(const struct cr= ed *old_cred, -ERESTARTNOINTR); =20 /* - * Cancel task works for tasks that did not start running yet, - * and decrement all_prepared and num_unfinished accordingly. + * Opportunistic improvement: try to cancel task works for + * tasks that did not start running yet. We do not have a + * guarantee that it cancels any of the enqueued task works + * because task_work_run() might already have dequeued them. */ cancel_tsync_works(&works, &shared_ctx); =20 /* - * The remaining task works have started running, so waiting for - * their completion will finish. + * Break the loop with error. The cleanup code after the loop + * unblocks the remaining task_works. */ - wait_for_completion(&shared_ctx.all_prepared); + break; } } } while (found_more_threads && !atomic_read(&shared_ctx.preparation_error)); =20 /* - * We now have all sibling threads blocking and in "prepared" state in the - * task work. Ask all threads to commit. + * We now have either (a) all sibling threads blocking and in "prepared" + * state in the task work, or (b) the preparation error is set. Ask all + * threads to commit (or abort). */ complete_all(&shared_ctx.ready_to_commit); =20 --=20 2.20.1
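
Review bot: [PATCH v5 1/2], hunk at -446: the new comment above down_write_trylock() says why a trylock is used, but not why exec_update_lock is the lock being reused, nor that it stays write-held across the wait_for_completion(&shared_ctx.all_finished) shown in the second hunk. Please document both in the comment, since every other user of that semaphore is blocked for the whole TSYNC round, and say that a thread losing the trylock keeps retrying through restart_syscall() for as long as the holder runs. Minor style: the comment starts directly after the shared_ctx.set_no_new_privs assignment; a blank line before it would match the spacing after the return.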
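
Review bot: [PATCH v5 1/2], hunk at -556: this up_write() is the only release in the patch, while the matching down_write_trylock() is taken more than a hundred lines earlier (hunk at +446 versus +565), so any return between the two would leave exec_update_lock write-held for the process. The visible context does not show that stretch; please confirm there is no early return in it, or route every exit through a single unlock label. The hunk also drops the blank line before the final return, which is worth keeping after the up_write().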
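
Review bot: [PATCH v5 2/2], hunk at -536: the rewritten comment above cancel_tsync_works() drops the statement that cancelling decrements all_prepared and num_unfinished. With the wait on all_prepared removed, the function depends on the all_finished wait after the loop, so the accounting for cancelled works is what a reader needs to see at this point; please keep one sentence saying that cancelled works are subtracted from those counters. It would also help if the "Break the loop with error" comment named the complete_all(&shared_ctx.ready_to_commit) call after the loop as the step that unblocks the remaining task_works.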