From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-43489: liveupdate: luo_file: remember retrieve() status
Date: Wed, 13 May 2026 17:08:57 +0200
Message-ID: <2026051350-CVE-2026-43489-70b3@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

liveupdate: luo_file: remember retrieve() status

LUO keeps track of successful retrieve attempts on a LUO file. It does so
to avoid multiple retrievals of the same file. Multiple retrievals cause
problems because once the file is retrieved, the serialized data
structures are likely freed and the file is likely in a very different
state from what the code expects.

The retrieve boolean in struct luo_file keeps track of this, and is
passed to the finish callback so it knows what work was already done and
what it has left to do.

All this works well when retrieve succeeds. When it fails,
luo_retrieve_file() returns the error immediately, without ever storing
anywhere that a retrieve was attempted or what its error code was. This
results in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,
but nothing prevents it from trying this again.

The retry is problematic for much of the same reasons listed above.
The file is likely in a very different state than what the retrieve
logic normally expects, and it might even have freed some serialization
data structures. Attempting to access them or free them again is going
to break things.

For example, if memfd managed to restore 8 of its 10 folios, but fails
on the 9th, a subsequent retrieve attempt will try to call
kho_restore_folio() on the first folio again, and that will fail with a
warning since it is an invalid operation.

Apart from the retry, finish() also breaks. Since on failure the
retrieved bool in luo_file is never touched, the finish() call on
session close will tell the file handler that retrieve was never
attempted, and it will try to access or free the data structures that
might not exist, much in the same way as the retry attempt.

There is no sane way of attempting the retrieve again. Remember the
error retrieve returned and directly return it on a retry. Also pass
this status code to finish() so it can make the right decision on the
work it needs to do.

This is done by changing the bool to an integer. A value of 0 means
retrieve was never attempted, a positive value means it succeeded, and a
negative value means it failed and the error code is the value.

The Linux kernel CVE team has assigned CVE-2026-43489 to this issue.

Affected and fixed versions
===========================

    Issue introduced in 6.19 with commit 7c722a7f44e0c1f9714084152226bc7bd644b7e3 and fixed in 6.19.9 with commit 1d3ad69484dc1cc53be62d2554e7ef038a627af9
    Issue introduced in 6.19 with commit 7c722a7f44e0c1f9714084152226bc7bd644b7e3 and fixed in 7.0 with commit f85b1c6af5bc3872f994df0a5688c1162de07a62

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.
The official CVE entry at
    https://cve.org/CVERecord/?id=CVE-2026-43489
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
    include/linux/liveupdate.h
    kernel/liveupdate/luo_file.c
    mm/memfd_luo.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
    https://git.kernel.org/stable/c/1d3ad69484dc1cc53be62d2554e7ef038a627af9
    https://git.kernel.org/stable/c/f85b1c6af5bc3872f994df0a5688c1162de07a62
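
The tri-state retrieve status from the Description, as an added userspace model in C; it is not the kernel's code and is not taken from the fixing commits. All names (model_file, model_retrieve, model_finish_view, NR_FOLIOS, fail_at) are hypothetical, the remember flag switches between the behaviour before and after the fix, and returning 0 for an already-retrieved file is an assumption of the model.

```c
#include <errno.h>
#include <stdbool.h>
#define NR_FOLIOS 10

/* Userspace model only; every name below is hypothetical, not kernel API. */
struct model_file {
    int  retrieve_status;      /* 0 never attempted, >0 succeeded, <0 -errno */
    bool restored[NR_FOLIOS];  /* folios already consumed by a restore */
    int  double_restores;      /* restores attempted on a consumed folio */
    int  fail_at;              /* constructed fault: index whose restore fails */
};

/* Stand-in for a one-shot restore step: a folio can be restored only once. */
static int model_restore_all(struct model_file *f)
{
    for (int i = 0; i < NR_FOLIOS; i++) {
        if (f->restored[i]) {          /* restoring twice is invalid */
            f->double_restores++;
            return -EINVAL;
        }
        if (i == f->fail_at)
            return -ENOMEM;
        f->restored[i] = true;
    }
    return 0;
}

/* remember=false models the behaviour before the fix, true the fixed one. */
int model_retrieve(struct model_file *f, bool remember)
{
    if (f->retrieve_status > 0)
        return 0;                      /* assumption: already done, no rework */
    if (f->retrieve_status < 0)
        return f->retrieve_status;     /* replay the remembered error */
    int err = model_restore_all(f);
    if (!err)
        f->retrieve_status = 1;
    else if (remember)
        f->retrieve_status = err;
    return err;
}

enum finish_view { FINISH_NOT_ATTEMPTED, FINISH_SUCCEEDED, FINISH_FAILED };
/* The three cases finish() can tell apart from the status it is passed. */
enum finish_view model_finish_view(const struct model_file *f)
{
    int s = f->retrieve_status;
    return s == 0 ? FINISH_NOT_ATTEMPTED : s > 0 ? FINISH_SUCCEEDED : FINISH_FAILED;
}
```

With fail_at = 8 (the 9th folio, as in the memfd example), a retry with remember=false reaches folio 0 a second time, while remember=true replays -ENOMEM without touching any folio.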