[BUG] landlock: warning in collect_domain_accesses via renameat2 path rename

From: 王志

Date: Fri Apr 17 2026 - 07:32:41 EST


Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, we discovered a crash related to Landlock during a path rename operation.

HEAD commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449
git tree: upstream

Reproducer and logs:
Output: https://github.com/manual0/crash/blob/main/cebd27007e806e16cf15cb1e0214c24054e8998e/report1
Kernel config: https://github.com/manual0/crash/blob/main/6.18-syzbot.config
C reproducer: https://github.com/manual0/crash/blob/main/cebd27007e806e16cf15cb1e0214c24054e8998e/repro.c

----------------------------------------

Analysis:

The crash is triggered through the following path:

renameat2
→ security_path_rename
→ current_check_refer_path
→ collect_domain_accesses

This indicates that a path rename operation triggers Landlock's path access control checks. The crash occurs inside collect_domain_accesses(), which is responsible for collecting the current process's domain access rights.

The bug is caused by collect_domain_accesses() traversing inconsistent or invalid Landlock ruleset data during rename path permission checks, leading to unsafe memory access.

----------------------------------------

If you fix this issue, please add the following tag to the commit:

Reported-by: Zhi Wang <wangzhi@xxxxxxxxxxxxxxxxx>

Thanks,
Zhi Wang