[BUG] landlock: warning in collect_domain_accesses via renameat2 path rename

[Justin Suess]

On Fri, Apr 17, 2026 at 07:30:03PM +0800, 王志 wrote:
> Dear Maintainers,
> 
> When using our customized Syzkaller to fuzz the latest Linux kernel, we discovered a crash related to Landlock during a path rename operation.
> 
> HEAD commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449

This is the initial 6.18 release, without the stable backported fixes.

> git tree: upstream
> 
> Reproducer and logs:
> Output: https://github.com/manual0/crash/blob/main/cebd27007e806e16cf15cb1e0214c24054e8998e/report1
> Kernel config: https://github.com/manual0/crash/blob/main/6.18-syzbot.config
> C reproducer: https://github.com/manual0/crash/blob/main/cebd27007e806e16cf15cb1e0214c24054e8998e/repro.c
> 
> ----------------------------------------
> 
> Analysis:
> 
> The crash is triggered through the following path:
> 
> renameat2
>   → security_path_rename
>   → current_check_refer_path
>   → collect_domain_accesses
> 
> This indicates that a path rename operation triggers Landlock's path access control checks. The crash occurs inside collect_domain_accesses(), which is responsible for collecting the current process's domain access rights.
> 
> The bug is caused by collect_domain_accesses() traversing inconsistent or invalid Landlock ruleset data during rename path permission checks, leading to unsafe memory access.
> ----------------------------------------
> 
> If you fix this issue, please add the following tag to the commit:
> 
> Reported-by: Zhi Wang <wangzhi at stu.xidian.edu.cn>
>
This was fixed in 6.18.2 with
cadb28f8b3fd6908e3051e86158c65c3a8e1c907 (landlock: Fix handling of
disconnected directories) [1]

So this has been fixed upstream and backported already.

Please target fuzzing against a supported tag.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.18.y&id=cadb28f8b3fd6908e3051e86158c65c3a8e1c907

Justin
> Thanks,
> Zhi Wang