[PATCH] landlock: Yield if unable to acquire exec_update_lock

Justin Suess utilityemal77 at gmail.com
Tue Mar 3 17:43:54 UTC 2026 

Instead of returning -ERESTARTNOINTR when there is no pending
signal, run the pending tasks in the current thread and yield
until the exec_update_lock can be acquired.

This allows other tasks to run and allows the lock contention
to resolve in the kernel's task scheduler.

Cc: Yihan Ding <dingyihan at uniontech.com>
Cc: Günther Noack <gnoack3000 at gmail.com>
Fixes: 3d6327c306b3 ("landlock: Serialize TSYNC thread restriction")
Closes: https://lore.kernel.org/linux-security-module/aacKOr1wywSSOAVv@suesslenovo/
Signed-off-by: Justin Suess <utilityemal77 at gmail.com>
---

Notes:
    This fixes the failure in tsync_test.competing_enablement:
    
      landlock: tsync trylock busy pid=1263 tgid=1261
      landlock: landlock: restrict_self tsync err pid=1263 tgid=1261 err=-513 flags=0x8 ruleset_fd=6
      # tsync_test.c:156:competing_enablement:Expected 0 (0) == d[1].result (-1)
      # competing_enablement: Test failed
      #          FAIL  global.competing_enablement
      not ok 4 global.competing_enablement
    
    The test passes after applying this patch.

 security/landlock/tsync.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
index 956a64cb6945..83938849620f 100644
--- a/security/landlock/tsync.c
+++ b/security/landlock/tsync.c
@@ -487,10 +487,14 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
 
 	/*
 	 * Serialize concurrent TSYNC operations to prevent deadlocks when multiple
-	 * threads call landlock_restrict_self() simultaneously.
+	 * threads call landlock_restrict_self() simultaneously. If we are unable to
+	 * acquire the lock, we yield nicely and retry.
 	 */
-	if (!down_write_trylock(&current->signal->exec_update_lock))
-		return -ERESTARTNOINTR;
+	while (!down_write_trylock(&current->signal->exec_update_lock)) {
+		if (task_work_pending(current))
+			task_work_run();
+		cond_resched();
+	}
 
 	/*
 	 * We schedule a pseudo-signal task_work for each of the calling task's

base-commit: 8ff74a72b8af3672beca7f6b6b72557a9db94382
-- 
2.51.0

More information about the Linux-security-module-archive mailing list