git.ipfire.org Git - thirdparty/kernel/linux.git/commit
landlock: Fully release unused TSYNC work entries
author Mickaël Salaün <mic@digikod.net>
Tue, 17 Feb 2026 12:23:39 +0000 (13:23 +0100)
committer Mickaël Salaün <mic@digikod.net>
Wed, 4 Mar 2026 17:28:10 +0000 (18:28 +0100)
commit 929553bbb4cdda9be22175e1adb4d5814b770855
tree 4413d0e380b53a1ba191749d1a2c63df4477ade6
parent 405ca72dc589dd746e5ee5378bb9d9ee7f844010
landlock: Fully release unused TSYNC work entries

If task_work_add() failed, ctx->task is put but the tsync_works struct
is not reset to its previous state.  The first consequence is that the
kernel allocates memory for dying threads, which could lead to
user-accounted memory exhaustion (not very useful nor specific to this
case).  The second consequence is that task_work_cancel(), called by
cancel_tsync_works(), can dereference a NULL task pointer.

Fix these issues by keeping a consistent works->size wrt the added task
work.  This is done in a new tsync_works_trim() helper which also cleans
up the shared_ctx and work fields.

As a safeguard, add a pointer check to cancel_tsync_works() and update
tsync_works_release() accordingly.

Cc: Jann Horn <jannh@google.com>
Reviewed-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20260217122341.2359582-1-mic@digikod.net
[mic: Replace memset() with compound literal]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
security/landlock/tsync.c
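The bookkeeping bug the commit message describes, as an added userspace model that is not the kernel's landlock/tsync.c code: an array of per-thread work entries with a `size` counter, an add loop in which the queueing call can fail for an exiting thread, and a cancel loop that trusts `size`. The struct and function names (`works_trim`, `cancel_works`, `model_task_work_add`, the four-thread scenario) are assumptions for illustration, not the kernel's identifiers. With `consistent=false` the failed entry keeps its slot and its NULL task pointer within `size`, which is what the cancel path then walks into; with `consistent=true` the trim helper restores `size` and clears the slot.

```c
/* Constructed model of the TSYNC work-entry bookkeeping bug; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_THREADS 8

struct task {
    int pid;
    bool exiting;   /* assumption: thread already refuses new task work */
    int refcount;   /* get_task()/put_task() balance, expected 0 at the end */
};

struct work_entry {
    struct task *task;   /* owning reference, NULL when nothing is queued */
    void *shared_ctx;
    bool queued;
};

struct works {
    struct work_entry entries[MAX_THREADS];
    size_t size;   /* invariant: equals the number of queued entries */
};

static struct task *get_task(struct task *t) { t->refcount++; return t; }
static void put_task(struct task *t) { t->refcount--; }

/* Stand-in for task_work_add(): fails for an exiting thread. */
static int model_task_work_add(struct task *t, struct work_entry *w)
{
    if (t->exiting)
        return -1;
    w->queued = true;
    return 0;
}

/* Drop the last (failed) entry: size and fields look as if it was never added. */
static void works_trim(struct works *works)
{
    if (works->size == 0)
        return;
    works->size--;
    works->entries[works->size] = (struct work_entry){ 0 };
}

/* consistent=false reproduces the pre-fix path: the task reference is put,
 * but size keeps counting the dead slot and its fields are left behind. */
static size_t queue_works(struct works *works, struct task *threads, size_t n,
                          void *shared_ctx, bool consistent)
{
    size_t queued = 0;

    works->size = 0;
    for (size_t i = 0; i < n && works->size < MAX_THREADS; i++) {
        struct work_entry *w = &works->entries[works->size++];

        w->task = get_task(&threads[i]);
        w->shared_ctx = shared_ctx;
        if (model_task_work_add(w->task, w) == 0) {
            queued++;
            continue;
        }
        put_task(w->task);
        w->task = NULL;
        if (consistent)
            works_trim(works);
    }
    return queued;
}

/* Cancel every entry below size. Each NULL task is counted instead of
 * dereferenced: that count is the crash the commit's pointer check prevents. */
static size_t cancel_works(struct works *works)
{
    size_t null_tasks = 0;

    for (size_t i = 0; i < works->size; i++) {
        if (!works->entries[i].task) {
            null_tasks++;
            continue;
        }
        works->entries[i].queued = false;
    }
    return null_tasks;
}

static void works_release(struct works *works)
{
    for (size_t i = 0; i < works->size; i++) {
        if (works->entries[i].task)
            put_task(works->entries[i].task);
        works->entries[i] = (struct work_entry){ 0 };
    }
    works->size = 0;
}

struct outcome { size_t queued, size, null_tasks; int leaked_refs; };

/* Constructed scenario: four sibling threads, the third one already exiting. */
struct outcome run_scenario(bool consistent)
{
    struct task threads[4] = { {1, false, 0}, {2, false, 0}, {3, true, 0}, {4, false, 0} };
    struct works works = { 0 };
    struct outcome o = { 0 };
    int ctx;   /* dummy shared context */

    o.queued = queue_works(&works, threads, 4, &ctx, consistent);
    o.size = works.size;
    o.null_tasks = cancel_works(&works);
    works_release(&works);
    for (size_t i = 0; i < 4; i++)
        o.leaked_refs += threads[i].refcount;
    return o;
}

int main(void)
{
    struct outcome b = run_scenario(false), f = run_scenario(true);

    printf("pre-fix: queued=%zu size=%zu null_tasks=%zu\n", b.queued, b.size, b.null_tasks);
    printf("fixed:   queued=%zu size=%zu null_tasks=%zu\n", f.queued, f.size, f.null_tasks);
    return 0;
}
```

In the pre-fix run three works are queued but `size` stays at four, so the cancel loop meets a NULL task; with the trim the fourth thread reuses the freed slot, `size` is three, and cancel never sees a NULL. Refcounts balance in both runs, which matches the commit's point that the task is already put and the defect is the stale entry, not a leaked reference.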