[BUG] liveupdate/memfd: duplicate memfd preserve restores same KHO folio twice

[BUG] liveupdate/memfd: duplicate memfd preserve restores same KHO folio twice

[Yifei Chu]

[-- Attachment #1.1: Type: text/plain, Size: 2750 bytes --]

Hello,

Short version: I found that the same memfd can be preserved more than once
in a single liveupdate session under different tokens. After kexec, those
tokens can both refer to the same preserved KHO folio, and the second
restore path hits kho_restore_page(). With panic_on_warn=1, this is a
reproducible panic.

The core issue seems to be that mm/memfd_luo.c records the same underlying
folio PFNs for each preserved token, while KHO page preservation is
one-shot state rather than reference-counted ownership.

I reproduced two variants.

Variant A: duplicate preserve, retrieve both tokens

   1. Create one liveupdate session.
   2. Create one 4 KiB memfd and write a marker.
   3. Call LIVEUPDATE_SESSION_PRESERVE_FD twice for the same memfd with two
   distinct tokens.
   4. Keep the session fd alive across kexec.
   5. In the second kernel, retrieve token A successfully.
   6. Retrieve token B, which attempts to restore the same KHO folio again.

Observed result:

[stage2] token A marker=’duplicate-preserve-marker’
[stage2] retrieving token B should hit duplicate KHO folio restore
WARNING: kernel/liveupdate/kexec_handover.c:256 at
kho_restore_page+0x11e/0x280
memfd_luo_retrieve+0x1aa/0x490
luo_session_retrieve_fd+0x73/0x130
Kernel panic - not syncing: kernel: panic_on_warn set …

Variant B: duplicate preserve, FINISH an unretrieved session

   1. Preserve the same memfd twice under different tokens.
   2. Kexec into the second kernel.
   3. Retrieve the session but do not retrieve individual fds.
   4. Call LIVEUPDATE_SESSION_FINISH.

Observed result:

[stage2] finishing session should hit duplicate KHO restore
WARNING: kernel/liveupdate/kexec_handover.c:256 at
kho_restore_page+0x11e/0x280
memfd_luo_finish+0x10f/0x190
luo_session_finish+0x31/0xa0
Kernel panic - not syncing: kernel: panic_on_warn set …

Tested environment:

Linux version 7.0.9, x86_64 QEMU
gcc 12.3.0, GNU ld 2.38
CONFIG_LIVEUPDATE=y
CONFIG_LIVEUPDATE_MEMFD=y
CONFIG_KEXEC_HANDOVER=y
CONFIG_KASAN=y in the tested config
Boot args included: kho=on liveupdate=on panic_on_warn=1

My read is that duplicate preservation of the same underlying memfd/inode
should either be rejected within a session, or KHO preserved-page ownership
would need reference-counted semantics so duplicate logical owners cannot
independently consume the same physical folio.

The attached tarball has both PoC directories, full QEMU serial logs,
kernel configs, and README files.

I reproduced the panics on the 7.0.9 QEMU build above. I also checked
current mainline mm/memfd_luo.c for an obvious duplicate-preserve guard,
but I have not yet runtime-tested current mainline.

Thanks,
Chuyifei

[-- Attachment #1.2: Type: text/html, Size: 2960 bytes --]

[-- Attachment #2: liveupdate_duplicate_memfd_warn_panic.tar.gz --]
[-- Type: application/x-tar, Size: 107132 bytes --]

[BUG] liveupdate/memfd: duplicate memfd preserve restores same KHO folio twice

[Yifei Chu]

Hello,

Resending this to kexec@lists.infradead.org in plain text only. The
previous copy to this list was rejected because it was sent as HTML mail.
The original report was also sent to the liveupdate maintainers,
linux-kernel, linux-mm, and the related reviewers.

Short version: I found that the same memfd can be preserved more than once
in a single liveupdate session under different tokens. After kexec, those
tokens can both refer to the same preserved KHO folio, and the second
restore path hits kho_restore_page(). With panic_on_warn=1, this is a
reproducible panic.

The core issue seems to be that mm/memfd_luo.c records the same underlying
folio PFNs for each preserved token, while KHO page preservation is one-shot
state rather than reference-counted ownership.

I reproduced two variants.

Variant A: duplicate preserve, retrieve both tokens

  1. Create one liveupdate session.
  2. Create one 4 KiB memfd and write a marker.
  3. Call LIVEUPDATE_SESSION_PRESERVE_FD twice for the same memfd with two
     distinct tokens.
  4. Keep the session fd alive across kexec.
  5. In the second kernel, retrieve token A successfully.
  6. Retrieve token B, which attempts to restore the same KHO folio again.

Observed result:

  [stage2] token A marker='duplicate-preserve-marker'
  [stage2] retrieving token B should hit duplicate KHO folio restore
  WARNING: kernel/liveupdate/kexec_handover.c:256 at kho_restore_page+0x11e/0x280
  memfd_luo_retrieve+0x1aa/0x490
  luo_session_retrieve_fd+0x73/0x130
  Kernel panic - not syncing: kernel: panic_on_warn set ...

Variant B: duplicate preserve, FINISH an unretrieved session

  1. Preserve the same memfd twice under different tokens.
  2. Kexec into the second kernel.
  3. Retrieve the session but do not retrieve individual fds.
  4. Call LIVEUPDATE_SESSION_FINISH.

Observed result:

  [stage2] finishing session should hit duplicate KHO restore
  WARNING: kernel/liveupdate/kexec_handover.c:256 at kho_restore_page+0x11e/0x280
  memfd_luo_finish+0x10f/0x190
  luo_session_finish+0x31/0xa0
  Kernel panic - not syncing: kernel: panic_on_warn set ...

Tested environment:

  Linux version 7.0.9, x86_64 QEMU
  gcc 12.3.0, GNU ld 2.38
  CONFIG_LIVEUPDATE=y
  CONFIG_LIVEUPDATE_MEMFD=y
  CONFIG_KEXEC_HANDOVER=y
  CONFIG_KASAN=y in the tested config
  Boot args included: kho=on liveupdate=on panic_on_warn=1

My read is that duplicate preservation of the same underlying memfd/inode
should either be rejected within a session, or KHO preserved-page ownership
would need reference-counted semantics so duplicate logical owners cannot
independently consume the same physical folio.

The full report artifacts are available and were included with the original
mail sent to the other recipients:

  liveupdate_duplicate_memfd_warn_panic.tar.gz

It contains both PoC directories, full QEMU serial logs, kernel configs, and
README files. I can resend the artifacts in plain-text-friendly form if that
is preferred.

I reproduced the panics on the 7.0.9 QEMU build above. I also checked current
mainline mm/memfd_luo.c for an obvious duplicate-preserve guard, but I have
not yet runtime-tested current mainline.

Thanks,
Chuyifei

Re: [BUG] liveupdate/memfd: duplicate memfd preserve restores same KHO folio twice

[Pratyush Yadav]

On Sun, May 24 2026, Yifei Chu wrote:

> Hello,
>
> Short version: I found that the same memfd can be preserved more than once in a single liveupdate session under different
> tokens. After kexec, those tokens can both refer to the same preserved KHO folio, and the second restore path hits
> kho_restore_page(). With panic_on_warn=1, this is a reproducible panic.

Pasha fixed this with 00d0b372374f ("liveupdate: prevent double
management of files"). It landed in v7.1-rc1.

Since you seem to be using 7.0.9, please port this patch to the 7.0.y
series and try again. If this fixes the problem, please send it to
stable@vger.kernel.org so it can be included in the 7.0.y series.

-- 
Regards,
Pratyush Yadav