* [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation
@ 2026-07-15 6:06 Jackie Liu
2026-07-15 6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
2026-07-15 14:10 ` [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Pratyush Yadav
0 siblings, 2 replies; 4+ messages in thread
From: Jackie Liu @ 2026-07-15 6:06 UTC (permalink / raw)
To: pasha.tatashin; +Cc: rppt, kexec
From: Jackie Liu <liuyun01@kylinos.cn>
LIVEUPDATE_SESSION_GET_NAME was developed in the liveupdate/next branch
while the session type validation change was carried in liveupdate-fixes.
When the conflict between the two branches was resolved, the GET_NAME
operation descriptor picked up the structure and last member from
RETRIEVE_FD.
This makes both its known size and minimum size 16 bytes rather than 72.
Consequently, copy_struct_from_user() treats most of a normal GET_NAME
argument as unknown trailing data and rejects it with -E2BIG when any of
those bytes are nonzero. It also accepts a 16-byte argument and returns
success after copying only a truncated session name.
Use the GET_NAME structure and its name field in the descriptor.
Link: https://lore.kernel.org/all/ahWlYXNjGUbkKoHy@sirena.org.uk/
Assisted-by: Codex:gpt-5.6-sol
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
---
kernel/liveupdate/luo_session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index b79b2a488974..f38b5b18f3f8 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -378,7 +378,7 @@ static const struct luo_ioctl_op luo_session_ioctl_ops[] = {
IOCTL_OP(LIVEUPDATE_SESSION_RETRIEVE_FD, luo_session_retrieve_fd,
struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_INCOMING),
IOCTL_OP(LIVEUPDATE_SESSION_GET_NAME, luo_session_get_name,
- struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_ALL),
+ struct liveupdate_session_get_name, name, LUO_IOCTL_ALL),
};
static bool luo_ioctl_type_valid(struct luo_session *session,
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH
2026-07-15 6:06 [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Jackie Liu
@ 2026-07-15 6:06 ` Jackie Liu
2026-07-15 14:11 ` Pratyush Yadav
2026-07-15 14:10 ` [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Pratyush Yadav
1 sibling, 1 reply; 4+ messages in thread
From: Jackie Liu @ 2026-07-15 6:06 UTC (permalink / raw)
To: pasha.tatashin; +Cc: rppt, kexec
From: Jackie Liu <liuyun01@kylinos.cn>
The UAPI documents liveupdate_session_finish::reserved as requiring zero,
but luo_session_finish() currently ignores it and finishes the session.
Accepting nonzero values prevents the field from being safely repurposed
by a future extension.
Reject nonzero reserved values before changing session state, matching
LIVEUPDATE_SESSION_GET_NAME.
Fixes: 16cec0d26521 ("liveupdate: luo_session: add ioctls for file preservation")
Assisted-by: Codex:gpt-5.6-sol
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
---
kernel/liveupdate/luo_session.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index f38b5b18f3f8..15342c0783b5 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -316,7 +316,12 @@ static int luo_session_finish(struct luo_session *session,
struct luo_ucmd *ucmd)
{
struct liveupdate_session_finish *argp = ucmd->cmd;
- int err = luo_session_finish_one(session);
+ int err;
+
+ if (argp->reserved)
+ return -EINVAL;
+
+ err = luo_session_finish_one(session);
if (err)
return err;
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation
2026-07-15 6:06 [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Jackie Liu
2026-07-15 6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
@ 2026-07-15 14:10 ` Pratyush Yadav
1 sibling, 0 replies; 4+ messages in thread
From: Pratyush Yadav @ 2026-07-15 14:10 UTC (permalink / raw)
To: Jackie Liu; +Cc: pasha.tatashin, rppt, kexec
Hi,
> Cc: pasha.tatashin@soleen.com, rppt@kernel.org, kexec@lists.infradead.org
Please run ./scripts/get_maintainer.pl *.patch to get the full list of
people to Cc on the patch. You missed me and linux-kernel@.
On Wed, Jul 15 2026, Jackie Liu wrote:
> From: Jackie Liu <liuyun01@kylinos.cn>
>
> LIVEUPDATE_SESSION_GET_NAME was developed in the liveupdate/next branch
> while the session type validation change was carried in liveupdate-fixes.
> When the conflict between the two branches was resolved, the GET_NAME
> operation descriptor picked up the structure and last member from
> RETRIEVE_FD.
>
> This makes both its known size and minimum size 16 bytes rather than 72.
> Consequently, copy_struct_from_user() treats most of a normal GET_NAME
> argument as unknown trailing data and rejects it with -E2BIG when any of
> those bytes are nonzero. It also accepts a 16-byte argument and returns
> success after copying only a truncated session name.
Nit: The second line doesn't seem to be true. The get_session_name
selftest tries to create a session with 21 byte name and it passes. I
think it works because luo_session_get_name assumes ucmd->cmd is struct
liveupdate_session_get_name and so it tries to copy the whole thing via
luo_ucmd_respond(), and if the user buffer it large enough, it will
work.
But yeah, the -E2BIG seems like a real problem.
And anyway, that's a tricky bug and I missed it completely when I
reviewed the final rebased version. So thanks for fixing it.
Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org>
>
> Use the GET_NAME structure and its name field in the descriptor.
>
> Link: https://lore.kernel.org/all/ahWlYXNjGUbkKoHy@sirena.org.uk/
> Assisted-by: Codex:gpt-5.6-sol
> Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
> ---
> kernel/liveupdate/luo_session.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
> index b79b2a488974..f38b5b18f3f8 100644
> --- a/kernel/liveupdate/luo_session.c
> +++ b/kernel/liveupdate/luo_session.c
> @@ -378,7 +378,7 @@ static const struct luo_ioctl_op luo_session_ioctl_ops[] = {
> IOCTL_OP(LIVEUPDATE_SESSION_RETRIEVE_FD, luo_session_retrieve_fd,
> struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_INCOMING),
> IOCTL_OP(LIVEUPDATE_SESSION_GET_NAME, luo_session_get_name,
> - struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_ALL),
> + struct liveupdate_session_get_name, name, LUO_IOCTL_ALL),
> };
>
> static bool luo_ioctl_type_valid(struct luo_session *session,
--
Regards,
Pratyush Yadav
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH
2026-07-15 6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
@ 2026-07-15 14:11 ` Pratyush Yadav
0 siblings, 0 replies; 4+ messages in thread
From: Pratyush Yadav @ 2026-07-15 14:11 UTC (permalink / raw)
To: Jackie Liu; +Cc: pasha.tatashin, rppt, kexec
On Wed, Jul 15 2026, Jackie Liu wrote:
> From: Jackie Liu <liuyun01@kylinos.cn>
>
> The UAPI documents liveupdate_session_finish::reserved as requiring zero,
> but luo_session_finish() currently ignores it and finishes the session.
> Accepting nonzero values prevents the field from being safely repurposed
> by a future extension.
>
> Reject nonzero reserved values before changing session state, matching
> LIVEUPDATE_SESSION_GET_NAME.
>
> Fixes: 16cec0d26521 ("liveupdate: luo_session: add ioctls for file preservation")
> Assisted-by: Codex:gpt-5.6-sol
> Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org>
[...]
--
Regards,
Pratyush Yadav
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-15 14:11 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-15 6:06 [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Jackie Liu
2026-07-15 6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
2026-07-15 14:11 ` Pratyush Yadav
2026-07-15 14:10 ` [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Pratyush Yadav
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox