Date: Thu, 26 Feb 2026 08:23:50 +0100
From: Günther Noack
To: Yihan Ding
Cc: Mickaël Salaün, Paul Moore, Jann Horn, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
Subject: Re: [PATCH v3 2/2] landlock: Clean up interrupted thread logic in TSYNC
Message-ID: <20260226.08cc999172f9@gnoack.org>
References: <20260226015903.3158620-1-dingyihan@uniontech.com> <20260226015903.3158620-3-dingyihan@uniontech.com>
In-Reply-To: <20260226015903.3158620-3-dingyihan@uniontech.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 26, 2026 at 09:59:03AM +0800, Yihan Ding wrote:
> In landlock_restrict_sibling_threads(), when the calling thread is
> interrupted while waiting for sibling threads to prepare, it executes
> a recovery path.
>
> Previously, this path included a wait_for_completion() call on
> all_prepared to prevent a Use-After-Free of the local shared_ctx.
> However, this wait is redundant. Exiting the main do-while loop
> already leads to a bottom cleanup section that unconditionally waits
> for all_finished. Therefore, replacing the wait with a simple break
> is safe, prevents UAF, and correctly unblocks the remaining task_works.
>
> Clean up the error path by breaking the loop and updating the
> surrounding comments to accurately reflect the state machine.
>
> Suggested-by: Günther Noack
> Signed-off-by: Yihan Ding
> ---
> Changes in v3:
> - No change in v3
>
> Changes in v2:
> - Replaced wait_for_completion(&shared_ctx.all_prepared) with a break
> statement based on the realization that the bottom wait for 'all_finished'
> already guards against UAF.
> - Updated comments for clarity.
> ---
> security/landlock/tsync.c | 18 +++++++++++-------
> 1 file changed, 11 insertions(+), 7 deletions(-)
> > diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c > index 420fcfc2fe9a..9731ec7f329a 100644 > --- a/security/landlock/tsync.c > +++ b/security/landlock/tsync.c > @@ -534,24 +534,28 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred, > -ERESTARTNOINTR); > > /* > - * Cancel task works for tasks that did not start running yet, > - * and decrement all_prepared and num_unfinished accordingly. > + * Opportunistic improvement: try to cancel task works > + * for tasks that did not start running yet. We do not > + * have a guarantee that it cancels any of the enqueued > + * task works (because task_work_run() might already have > + * dequeued them). > */ > cancel_tsync_works(&works, &shared_ctx); > > /* > - * The remaining task works have started running, so waiting for > - * their completion will finish. > + * Break the loop with error. The cleanup code after the loop > + * unblocks the remaining task_works. > */ > - wait_for_completion(&shared_ctx.all_prepared); > + break; > } > } > } while (found_more_threads && > !atomic_read(&shared_ctx.preparation_error)); > > /* > - * We now have all sibling threads blocking and in "prepared" state in the > - * task work. Ask all threads to commit. > + * We now have either (a) all sibling threads blocking and in > + * "prepared" state in the task work, or (b) the preparation error is > + * set. Ask all threads to commit (or abort). > */ > complete_all(&shared_ctx.ready_to_commit); > > -- > 2.51.0 > Reviewed-by: Günther Noack
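Review bot: the comment above the new `break` should name the completion that keeps the local `shared_ctx` alive, because the whole argument for dropping `wait_for_completion(&shared_ctx.all_prepared)` rests on the post-loop wait for `all_finished`, which is outside this hunk; wording it as `* The cleanup code after the loop waits for all_finished, which unblocks the remaining task_works and keeps shared_ctx valid until they are done.` lets a reader at the break site verify the lifetime argument without scrolling to the bottom of the function. Case (b) of the updated post-loop comment also relies on `preparation_error` already being set before the `break` (the `-ERESTARTNOINTR);` context line above suggests that is where it happens); saying so at the break makes that error-path invariant explicit rather than implied.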