* [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation
@ 2026-07-15 6:06 Jackie Liu
2026-07-15 6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
2026-07-15 14:10 ` [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Pratyush Yadav
0 siblings, 2 replies; 4+ messages in thread
From: Jackie Liu @ 2026-07-15 6:06 UTC (permalink / raw)
To: pasha.tatashin; +Cc: rppt, kexec
From: Jackie Liu <liuyun01@kylinos.cn>
LIVEUPDATE_SESSION_GET_NAME was developed in the liveupdate/next branch
while the session type validation change was carried in liveupdate-fixes.
When the conflict between the two branches was resolved, the GET_NAME
operation descriptor picked up the structure and last member from
RETRIEVE_FD.
This makes both its known size and minimum size 16 bytes rather than 72.
Consequently, copy_struct_from_user() treats most of a normal GET_NAME
argument as unknown trailing data and rejects it with -E2BIG when any of
those bytes are nonzero. It also accepts a 16-byte argument and returns
success after copying only a truncated session name.
Use the GET_NAME structure and its name field in the descriptor.
Link: https://lore.kernel.org/all/ahWlYXNjGUbkKoHy@sirena.org.uk/
Assisted-by: Codex:gpt-5.6-sol
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
---
kernel/liveupdate/luo_session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index b79b2a488974..f38b5b18f3f8 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -378,7 +378,7 @@ static const struct luo_ioctl_op luo_session_ioctl_ops[] = {
IOCTL_OP(LIVEUPDATE_SESSION_RETRIEVE_FD, luo_session_retrieve_fd,
struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_INCOMING),
IOCTL_OP(LIVEUPDATE_SESSION_GET_NAME, luo_session_get_name,
- struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_ALL),
+ struct liveupdate_session_get_name, name, LUO_IOCTL_ALL),
};
static bool luo_ioctl_type_valid(struct luo_session *session,
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH
2026-07-15 6:06 [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Jackie Liu
@ 2026-07-15 6:06 ` Jackie Liu
2026-07-15 14:11 ` Pratyush Yadav
2026-07-15 14:10 ` [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Pratyush Yadav
1 sibling, 1 reply; 4+ messages in thread
From: Jackie Liu @ 2026-07-15 6:06 UTC (permalink / raw)
To: pasha.tatashin; +Cc: rppt, kexec
From: Jackie Liu <liuyun01@kylinos.cn>
The UAPI documents liveupdate_session_finish::reserved as requiring zero,
but luo_session_finish() currently ignores it and finishes the session.
Accepting nonzero values prevents the field from being safely repurposed
by a future extension.
Reject nonzero reserved values before changing session state, matching
LIVEUPDATE_SESSION_GET_NAME.
Fixes: 16cec0d26521 ("liveupdate: luo_session: add ioctls for file preservation")
Assisted-by: Codex:gpt-5.6-sol
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
---
kernel/liveupdate/luo_session.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index f38b5b18f3f8..15342c0783b5 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -316,7 +316,12 @@ static int luo_session_finish(struct luo_session *session,
struct luo_ucmd *ucmd)
{
struct liveupdate_session_finish *argp = ucmd->cmd;
- int err = luo_session_finish_one(session);
+ int err;
+
+ if (argp->reserved)
+ return -EINVAL;
+
+ err = luo_session_finish_one(session);
if (err)
return err;
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation
2026-07-15 6:06 [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Jackie Liu
2026-07-15 6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
@ 2026-07-15 14:10 ` Pratyush Yadav
1 sibling, 0 replies; 4+ messages in thread
From: Pratyush Yadav @ 2026-07-15 14:10 UTC (permalink / raw)
To: Jackie Liu; +Cc: pasha.tatashin, rppt, kexec
Hi,
> Cc: pasha.tatashin@soleen.com, rppt@kernel.org, kexec@lists.infradead.org
Please run ./scripts/get_maintainer.pl *.patch to get the full list of
people to Cc on the patch. You missed me and linux-kernel@.
On Wed, Jul 15 2026, Jackie Liu wrote:
> From: Jackie Liu <liuyun01@kylinos.cn>
>
> LIVEUPDATE_SESSION_GET_NAME was developed in the liveupdate/next branch
> while the session type validation change was carried in liveupdate-fixes.
> When the conflict between the two branches was resolved, the GET_NAME
> operation descriptor picked up the structure and last member from
> RETRIEVE_FD.
>
> This makes both its known size and minimum size 16 bytes rather than 72.
> Consequently, copy_struct_from_user() treats most of a normal GET_NAME
> argument as unknown trailing data and rejects it with -E2BIG when any of
> those bytes are nonzero. It also accepts a 16-byte argument and returns
> success after copying only a truncated session name.
Nit: The second line doesn't seem to be true. The get_session_name
selftest tries to create a session with 21 byte name and it passes. I
think it works because luo_session_get_name assumes ucmd->cmd is struct
liveupdate_session_get_name and so it tries to copy the whole thing via
luo_ucmd_respond(), and if the user buffer it large enough, it will
work.
But yeah, the -E2BIG seems like a real problem.
And anyway, that's a tricky bug and I missed it completely when I
reviewed the final rebased version. So thanks for fixing it.
Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org>
>
> Use the GET_NAME structure and its name field in the descriptor.
>
> Link: https://lore.kernel.org/all/ahWlYXNjGUbkKoHy@sirena.org.uk/
> Assisted-by: Codex:gpt-5.6-sol
> Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
> ---
> kernel/liveupdate/luo_session.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
> index b79b2a488974..f38b5b18f3f8 100644
> --- a/kernel/liveupdate/luo_session.c
> +++ b/kernel/liveupdate/luo_session.c
> @@ -378,7 +378,7 @@ static const struct luo_ioctl_op luo_session_ioctl_ops[] = {
> IOCTL_OP(LIVEUPDATE_SESSION_RETRIEVE_FD, luo_session_retrieve_fd,
> struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_INCOMING),
> IOCTL_OP(LIVEUPDATE_SESSION_GET_NAME, luo_session_get_name,
> - struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_ALL),
> + struct liveupdate_session_get_name, name, LUO_IOCTL_ALL),
> };
>
> static bool luo_ioctl_type_valid(struct luo_session *session,
--
Regards,
Pratyush Yadav
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH
2026-07-15 6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
@ 2026-07-15 14:11 ` Pratyush Yadav
0 siblings, 0 replies; 4+ messages in thread
From: Pratyush Yadav @ 2026-07-15 14:11 UTC (permalink / raw)
To: Jackie Liu; +Cc: pasha.tatashin, rppt, kexec
On Wed, Jul 15 2026, Jackie Liu wrote:
> From: Jackie Liu <liuyun01@kylinos.cn>
>
> The UAPI documents liveupdate_session_finish::reserved as requiring zero,
> but luo_session_finish() currently ignores it and finishes the session.
> Accepting nonzero values prevents the field from being safely repurposed
> by a future extension.
>
> Reject nonzero reserved values before changing session state, matching
> LIVEUPDATE_SESSION_GET_NAME.
>
> Fixes: 16cec0d26521 ("liveupdate: luo_session: add ioctls for file preservation")
> Assisted-by: Codex:gpt-5.6-sol
> Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org>
[...]
--
Regards,
Pratyush Yadav
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-15 14:11 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-15 6:06 [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Jackie Liu
2026-07-15 6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
2026-07-15 14:11 ` Pratyush Yadav
2026-07-15 14:10 ` [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Pratyush Yadav
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.