Date: Wed, 25 Feb 2026 13:09:30 +0100
From: Günther Noack
To: Yihan Ding
Cc: Mickaël Salaün, Günther Noack, Paul Moore, Jann Horn, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
Subject: Re: [PATCH v2 2/2] landlock: Clean up interrupted thread logic in TSYNC
References: <20260225024734.3024732-1-dingyihan@uniontech.com> <20260225024734.3024732-3-dingyihan@uniontech.com>
In-Reply-To: <20260225024734.3024732-3-dingyihan@uniontech.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 25, 2026 at 10:47:34AM +0800, Yihan Ding wrote:
> In landlock_restrict_sibling_threads(), when the calling thread is interrupted while waiting for sibling threads to prepare, it executes a recovery path.
>
> Previously, this path included a wait_for_completion() call on all_prepared to prevent a Use-After-Free of the local shared_ctx. However, this wait is redundant. Exiting the main do-while loop already leads to a bottom cleanup section that unconditionally waits for all_finished. Therefore, replacing the wait with a simple break is safe, prevents UAF, and correctly unblocks the remaining task_works.
>
> Clean up the error path by breaking the loop and updating the surrounding comments to accurately reflect the state machine.
>
> Suggested-by: Günther Noack
> Signed-off-by: Yihan Ding
> ---
> Changes in v2:
> - Replaced wait_for_completion(&shared_ctx.all_prepared) with a break statement based on the realization that the bottom wait for 'all_finished' already guards against UAF.
> - Updated comments for clarity.
> ---
> security/landlock/tsync.c | 18 +++++++++++-------
> 1 file changed, 11 insertions(+), 7 deletions(-)
> > diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c > index 420fcfc2fe9a..9731ec7f329a 100644 > --- a/security/landlock/tsync.c > +++ b/security/landlock/tsync.c > @@ -534,24 +534,28 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred, > -ERESTARTNOINTR); > > /* > - * Cancel task works for tasks that did not start running yet, > - * and decrement all_prepared and num_unfinished accordingly. > + * Opportunistic improvement: try to cancel task works > + * for tasks that did not start running yet. We do not > + * have a guarantee that it cancels any of the enqueued > + * task works (because task_work_run() might already have > + * dequeued them). > */ > cancel_tsync_works(&works, &shared_ctx); > > /* > - * The remaining task works have started running, so waiting for > - * their completion will finish. > + * Break the loop with error. The cleanup code after the loop > + * unblocks the remaining task_works. > */ > - wait_for_completion(&shared_ctx.all_prepared); > + break; > } > } > } while (found_more_threads && > !atomic_read(&shared_ctx.preparation_error)); > > /* > - * We now have all sibling threads blocking and in "prepared" state in the > - * task work. Ask all threads to commit. > + * We now have either (a) all sibling threads blocking and in > + * "prepared" state in the task work, or (b) the preparation error is > + * set. Ask all threads to commit (or abort). > */ > complete_all(&shared_ctx.ready_to_commit); > > -- > 2.51.0 > > Thank you! Reviewed-by: Günther Noack
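Review bot: the rewritten comment above cancel_tsync_works() drops the old comment's statement that the helper also decrements all_prepared and num_unfinished for the works it manages to cancel. With wait_for_completion(&shared_ctx.all_prepared) replaced by `break`, the safety of this error path rests entirely on the post-loop wait for all_finished being matched by exactly the task works that still run, so the accounting for cancelled works is the one fact a reader of this path needs; keep it in the comment, for example "... and adjusts num_unfinished for each work it does cancel, so the wait for all_finished below cannot block on a work that will never run." The new comment at the break point would also read better if it named that wait explicitly instead of "the cleanup code after the loop", since the wait itself is outside the hunk and only the commit message states that it is unconditional.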
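As an added illustration (not code from the patch, from tsync.c or from the Landlock authors), the user-space C model below uses pthreads to reproduce the state machine the commit message describes: each sibling worker signals all_prepared, blocks on ready_to_commit, commits or aborts depending on preparation_error, and signals all_finished as its last access to the shared context; the coordinator, when "interrupted", records the error and goes straight to the post-loop cleanup, which still waits for all_finished before the stack-local shared_ctx goes out of scope. The counting completion, the `interrupted` flag standing in for a real signal, the value -1 standing in for -ERESTARTNOINTR and the `verdicts()` helper are assumptions of this model; the real code's do-while loop over newly found threads and cancel_tsync_works() are not modelled.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>

#define NWORKERS 4

/* Counting completion, a user-space stand-in for the kernel's struct completion:
 * complete_one() counts one arrival down, complete_all() releases every waiter. */
struct completion {
	pthread_mutex_t lock;
	pthread_cond_t cond;
	int remaining;  /* arrivals still expected */
	bool released;  /* set by complete_all() */
};
#define COMPLETION_INIT(n) { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, (n), false }

static void complete_one(struct completion *c) {
	pthread_mutex_lock(&c->lock);
	c->remaining--;
	pthread_cond_broadcast(&c->cond);
	pthread_mutex_unlock(&c->lock);
}

static void complete_all(struct completion *c) {
	pthread_mutex_lock(&c->lock);
	c->released = true;
	pthread_cond_broadcast(&c->cond);
	pthread_mutex_unlock(&c->lock);
}

/* Blocks until all expected arrivals happened or complete_all() was called. */
static void wait_for_completion(struct completion *c) {
	pthread_mutex_lock(&c->lock);
	while (c->remaining > 0 && !c->released)
		pthread_cond_wait(&c->cond, &c->lock);
	pthread_mutex_unlock(&c->lock);
}

/* Shared state with the field names used in the patch. As in tsync.c it lives on
 * the coordinator's stack; returning while a sibling can still dereference it is
 * the use-after-free the commit message refers to. Unlisted atomics start at 0. */
struct shared_ctx {
	struct completion all_prepared;    /* every sibling reached "prepared" */
	struct completion ready_to_commit; /* coordinator's verdict is in */
	struct completion all_finished;    /* no sibling will touch ctx again */
	atomic_int preparation_error;      /* 0, or an error (model: -1 for -ERESTARTNOINTR) */
	atomic_int committed, aborted;
};

/* Per-sibling task work: prepare, wait for the verdict, commit or abort, then
 * signal that this was the last access to ctx. */
static void *sibling_work(void *arg) {
	struct shared_ctx *ctx = arg;
	complete_one(&ctx->all_prepared);
	wait_for_completion(&ctx->ready_to_commit);
	if (atomic_load(&ctx->preparation_error))
		atomic_fetch_add(&ctx->aborted, 1);
	else
		atomic_fetch_add(&ctx->committed, 1);
	complete_one(&ctx->all_finished);
	return NULL;
}

/* Coordinator. `interrupted` models a pending signal while waiting for all_prepared;
 * returns 0 on commit, -1 on the modelled interruption, plus the siblings' verdicts. */
static int restrict_sibling_threads(bool interrupted, int *committed, int *aborted) {
	struct shared_ctx ctx = {
		.all_prepared = COMPLETION_INIT(NWORKERS),
		.ready_to_commit = COMPLETION_INIT(1), /* only complete_all() releases it */
		.all_finished = COMPLETION_INIT(NWORKERS),
	};
	pthread_t tids[NWORKERS];
	int ret = 0;

	for (int i = 0; i < NWORKERS; i++)
		pthread_create(&tids[i], NULL, sibling_work, &ctx);
	if (interrupted) {
		/* Error path after the patch: note the error and leave instead of waiting. */
		atomic_store(&ctx.preparation_error, -1);
		ret = -1;
	} else {
		wait_for_completion(&ctx.all_prepared);
	}
	/* (a) all prepared or (b) error set: ask every sibling to commit or abort. */
	complete_all(&ctx.ready_to_commit);
	/* The unconditional wait the commit message relies on: ctx stays alive until
	 * every sibling has signalled all_finished. */
	wait_for_completion(&ctx.all_finished);
	for (int i = 0; i < NWORKERS; i++)
		pthread_join(tids[i], NULL);
	*committed = atomic_load(&ctx.committed);
	*aborted = atomic_load(&ctx.aborted);
	return ret;
}

/* Runs one scenario and packs the outcome as committed * 10 + aborted. */
static int verdicts(bool interrupted) {
	int c, a;
	restrict_sibling_threads(interrupted, &c, &a);
	return c * 10 + a;
}
```

Calling verdicts(false) gives 40 (all four siblings committed) and verdicts(true) gives 4 (all four aborted). The ordering in restrict_sibling_threads() is the point of the model: complete_all(ready_to_commit) releases every sibling whether or not the coordinator waited for all_prepared, and wait_for_completion(all_finished) is what keeps ctx alive until the last sibling's final access. Removing that wait, not the all_prepared one, is what would reintroduce the use-after-free.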