Kexec Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation
@ 2026-07-15  6:06 Jackie Liu
  2026-07-15  6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
  2026-07-15 14:10 ` [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Pratyush Yadav
  0 siblings, 2 replies; 4+ messages in thread
From: Jackie Liu @ 2026-07-15  6:06 UTC (permalink / raw)
  To: pasha.tatashin; +Cc: rppt, kexec

From: Jackie Liu <liuyun01@kylinos.cn>

LIVEUPDATE_SESSION_GET_NAME was developed in the liveupdate/next branch
while the session type validation change was carried in liveupdate-fixes.
When the conflict between the two branches was resolved, the GET_NAME
operation descriptor picked up the structure and last member from
RETRIEVE_FD.

This makes both its known size and minimum size 16 bytes rather than 72.
Consequently, copy_struct_from_user() treats most of a normal GET_NAME
argument as unknown trailing data and rejects it with -E2BIG when any of
those bytes are nonzero. It also accepts a 16-byte argument and returns
success after copying only a truncated session name.

Use the GET_NAME structure and its name field in the descriptor.

Link: https://lore.kernel.org/all/ahWlYXNjGUbkKoHy@sirena.org.uk/
Assisted-by: Codex:gpt-5.6-sol
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
---
 kernel/liveupdate/luo_session.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index b79b2a488974..f38b5b18f3f8 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -378,7 +378,7 @@ static const struct luo_ioctl_op luo_session_ioctl_ops[] = {
 	IOCTL_OP(LIVEUPDATE_SESSION_RETRIEVE_FD, luo_session_retrieve_fd,
 		 struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_INCOMING),
 	IOCTL_OP(LIVEUPDATE_SESSION_GET_NAME, luo_session_get_name,
-		 struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_ALL),
+		 struct liveupdate_session_get_name, name, LUO_IOCTL_ALL),
 };
 
 static bool luo_ioctl_type_valid(struct luo_session *session,
-- 
2.54.0



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH
  2026-07-15  6:06 [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Jackie Liu
@ 2026-07-15  6:06 ` Jackie Liu
  2026-07-15 14:11   ` Pratyush Yadav
  2026-07-15 14:10 ` [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Pratyush Yadav
  1 sibling, 1 reply; 4+ messages in thread
From: Jackie Liu @ 2026-07-15  6:06 UTC (permalink / raw)
  To: pasha.tatashin; +Cc: rppt, kexec

From: Jackie Liu <liuyun01@kylinos.cn>

The UAPI documents liveupdate_session_finish::reserved as requiring zero,
but luo_session_finish() currently ignores it and finishes the session.
Accepting nonzero values prevents the field from being safely repurposed
by a future extension.

Reject nonzero reserved values before changing session state, matching
LIVEUPDATE_SESSION_GET_NAME.

Fixes: 16cec0d26521 ("liveupdate: luo_session: add ioctls for file preservation")
Assisted-by: Codex:gpt-5.6-sol
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
---
 kernel/liveupdate/luo_session.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index f38b5b18f3f8..15342c0783b5 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -316,7 +316,12 @@ static int luo_session_finish(struct luo_session *session,
 			      struct luo_ucmd *ucmd)
 {
 	struct liveupdate_session_finish *argp = ucmd->cmd;
-	int err = luo_session_finish_one(session);
+	int err;
+
+	if (argp->reserved)
+		return -EINVAL;
+
+	err = luo_session_finish_one(session);
 
 	if (err)
 		return err;
-- 
2.54.0



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation
  2026-07-15  6:06 [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Jackie Liu
  2026-07-15  6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
@ 2026-07-15 14:10 ` Pratyush Yadav
  1 sibling, 0 replies; 4+ messages in thread
From: Pratyush Yadav @ 2026-07-15 14:10 UTC (permalink / raw)
  To: Jackie Liu; +Cc: pasha.tatashin, rppt, kexec

Hi,

> Cc: pasha.tatashin@soleen.com,  rppt@kernel.org,  kexec@lists.infradead.org

Please run ./scripts/get_maintainer.pl *.patch to get the full list of
people to Cc on the patch. You missed me and linux-kernel@.

On Wed, Jul 15 2026, Jackie Liu wrote:

> From: Jackie Liu <liuyun01@kylinos.cn>
>
> LIVEUPDATE_SESSION_GET_NAME was developed in the liveupdate/next branch
> while the session type validation change was carried in liveupdate-fixes.
> When the conflict between the two branches was resolved, the GET_NAME
> operation descriptor picked up the structure and last member from
> RETRIEVE_FD.
>
> This makes both its known size and minimum size 16 bytes rather than 72.
> Consequently, copy_struct_from_user() treats most of a normal GET_NAME
> argument as unknown trailing data and rejects it with -E2BIG when any of
> those bytes are nonzero. It also accepts a 16-byte argument and returns
> success after copying only a truncated session name.

Nit: The second line doesn't seem to be true. The get_session_name
selftest tries to create a session with 21 byte name and it passes. I
think it works because luo_session_get_name assumes ucmd->cmd is struct
liveupdate_session_get_name and so it tries to copy the whole thing via
luo_ucmd_respond(), and if the user buffer it large enough, it will
work.

But yeah, the -E2BIG seems like a real problem.

And anyway, that's a tricky bug and I missed it completely when I
reviewed the final rebased version. So thanks for fixing it.

Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org>

>
> Use the GET_NAME structure and its name field in the descriptor.
>
> Link: https://lore.kernel.org/all/ahWlYXNjGUbkKoHy@sirena.org.uk/
> Assisted-by: Codex:gpt-5.6-sol
> Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
> ---
>  kernel/liveupdate/luo_session.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
> index b79b2a488974..f38b5b18f3f8 100644
> --- a/kernel/liveupdate/luo_session.c
> +++ b/kernel/liveupdate/luo_session.c
> @@ -378,7 +378,7 @@ static const struct luo_ioctl_op luo_session_ioctl_ops[] = {
>  	IOCTL_OP(LIVEUPDATE_SESSION_RETRIEVE_FD, luo_session_retrieve_fd,
>  		 struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_INCOMING),
>  	IOCTL_OP(LIVEUPDATE_SESSION_GET_NAME, luo_session_get_name,
> -		 struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_ALL),
> +		 struct liveupdate_session_get_name, name, LUO_IOCTL_ALL),
>  };
>  
>  static bool luo_ioctl_type_valid(struct luo_session *session,

-- 
Regards,
Pratyush Yadav


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH
  2026-07-15  6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
@ 2026-07-15 14:11   ` Pratyush Yadav
  0 siblings, 0 replies; 4+ messages in thread
From: Pratyush Yadav @ 2026-07-15 14:11 UTC (permalink / raw)
  To: Jackie Liu; +Cc: pasha.tatashin, rppt, kexec

On Wed, Jul 15 2026, Jackie Liu wrote:

> From: Jackie Liu <liuyun01@kylinos.cn>
>
> The UAPI documents liveupdate_session_finish::reserved as requiring zero,
> but luo_session_finish() currently ignores it and finishes the session.
> Accepting nonzero values prevents the field from being safely repurposed
> by a future extension.
>
> Reject nonzero reserved values before changing session state, matching
> LIVEUPDATE_SESSION_GET_NAME.
>
> Fixes: 16cec0d26521 ("liveupdate: luo_session: add ioctls for file preservation")
> Assisted-by: Codex:gpt-5.6-sol
> Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>

Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org>

[...]

-- 
Regards,
Pratyush Yadav


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-15 14:11 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-15  6:06 [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Jackie Liu
2026-07-15  6:06 ` [PATCH 2/2] liveupdate: reject nonzero reserved value for SESSION_FINISH Jackie Liu
2026-07-15 14:11   ` Pratyush Yadav
2026-07-15 14:10 ` [PATCH 1/2] liveupdate: fix GET_NAME ioctl argument validation Pratyush Yadav

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox