Date: Wed, 25 Feb 2026 13:07:26 +0100
From: Günther Noack
To: Yihan Ding
Cc: Mickaël Salaün, Günther Noack, Paul Moore, Jann Horn, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
Subject: Re: [PATCH v2 1/2] landlock: Serialize TSYNC thread restriction
References: <20260225024734.3024732-1-dingyihan@uniontech.com> <20260225024734.3024732-2-dingyihan@uniontech.com>
In-Reply-To: <20260225024734.3024732-2-dingyihan@uniontech.com>

On Wed, Feb 25, 2026 at 10:47:33AM +0800, Yihan Ding wrote:
> syzbot found a deadlock in landlock_restrict_sibling_threads().
> When multiple threads concurrently call landlock_restrict_self() with
> sibling thread restriction enabled, they can deadlock by mutually
> queueing task_works on each other and then blocking in kernel space
> (waiting for the other to finish).
>
> Fix this by serializing the TSYNC operations within the same process
> using the exec_update_lock. This prevents concurrent invocations
> from deadlocking. We use down_write_killable() to ensure the thread
> remains responsive to fatal signals while waiting for the lock.
>
> Fixes: 42fc7e6543f6 ("landlock: Multithreading support for landlock_restrict_self()")
> Reported-by: syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=7ea2f5e9dfd468201817
> Suggested-by: Günther Noack
> Signed-off-by: Yihan Ding
> --- > security/landlock/tsync.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c > index de01aa899751..420fcfc2fe9a 100644 > --- a/security/landlock/tsync.c > +++ b/security/landlock/tsync.c
> @@ -447,6 +447,13 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred, > shared_ctx.new_cred = new_cred; > shared_ctx.set_no_new_privs = task_no_new_privs(current); > > + /* > + * Serialize concurrent TSYNC operations to prevent deadlocks > + * when multiple threads call landlock_restrict_self() simultaneously. > + */ > + if (down_write_killable(¤t->signal->exec_update_lock)) > + return -EINTR; > + > /* > * We schedule a pseudo-signal task_work for each of the calling task's > * sibling threads. In the task work, each thread: > @@ -556,6 +563,7 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred, > wait_for_completion(&shared_ctx.all_finished); > > tsync_works_release(&works); > + up_write(¤t->signal->exec_update_lock); > > return atomic_read(&shared_ctx.preparation_error); > } > -- > 2.51.0 > Thank you! Reviewed-by: Günther Noack
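
Review bot: In the first hunk (@@ -447), a sibling that loses the race sleeps in down_write_killable() in kernel space, which is the same condition the commit message names as the cause of the original deadlock ("queueing task_works on each other and then blocking in kernel space"). The lock holder goes on to schedule a task_work for each sibling and later waits on shared_ctx.all_finished, so if a thread parked on exec_update_lock only wakes for fatal signals, it may never run the task_work the holder is waiting for. Please either extend the new comment to explain why the waiter still makes progress, or consider a non-blocking acquire (for example down_write_trylock()) that backs out to where pending task_work runs and then retries. The comment should also say why exec_update_lock was chosen, since it is a per-process lock that serializes more than TSYNC callers.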
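
Review bot: In the second hunk (@@ -556), the up_write() placed after tsync_works_release(&works) is the only release this patch adds: the diffstat shows 8 insertions, 7 of them in the first hunk. Any return or goto between the acquisition near line 454 and this point would therefore leave exec_update_lock write-held for the whole process. That stretch of the function is not visible in the diff, so please confirm every exit path funnels through this line, or route the exits through a single unlock label so a later early return cannot leak the lock.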