[BUG] liveupdate: incoming/outgoing session ioctls accepted in wrong phase can panic

[BUG] liveupdate: incoming/outgoing session ioctls accepted in wrong phase can panic

[Yifei Chu]

[-- Attachment #1.1: Type: text/plain, Size: 2991 bytes --]

Hello,

Short version: I found that liveupdate session ioctls can be accepted on
the wrong kind of session. In my tests, that lets userspace drive memfd LUO
into KHO restore paths for current-kernel preserved memory, which hits
kho_restore_page() warnings and panics with panic_on_warn=1.

There are two closely related cases.

First, a newly created outgoing session accepts incoming-only operations:

LIVEUPDATE_SESSION_FINISH
LIVEUPDATE_SESSION_RETRIEVE_FD

After preserving a memfd, either ioctl dispatches into the incoming restore
path and reaches kho_restore_page().

Second, a retrieved incoming session accepts the outgoing-only operation:

LIVEUPDATE_SESSION_PRESERVE_FD

After a real KHO/kexec handoff, the PoC retrieves the incoming session,
preserves a new current-kernel memfd on it, and then calls FINISH. That
again treats current-kernel state as incoming KHO state.

Tested environment:

Linux version 7.0.9, x86_64 QEMU
gcc 12.3.0, GNU ld 2.38
CONFIG_LIVEUPDATE=y
CONFIG_LIVEUPDATE_MEMFD=y
CONFIG_KEXEC_HANDOVER=y
Boot args included: kho=on liveupdate=on panic_on_warn=1

Outgoing-session FINISH result:

session fd=4
preserved memfd token=0x6f757466696e6973
calling FINISH on outgoing session; this should be rejected
WARNING: kernel/liveupdate/kexec_handover.c:256 at
kho_restore_page+0x1e9/0x4a0
memfd_luo_finish+0x12c/0x370
luo_session_finish+0x35/0x130
Kernel panic - not syncing: kernel: panic_on_warn set …

Outgoing-session RETRIEVE_FD result:

calling RETRIEVE_FD on outgoing session; this should be rejected
WARNING: kernel/liveupdate/kexec_handover.c:256 at
kho_restore_page+0x1e9/0x4a0
memfd_luo_retrieve+0x224/0x9f0
luo_session_retrieve_fd+0x124/0x320
Kernel panic - not syncing: kernel: panic_on_warn set …

Incoming-session PRESERVE_FD result:

[stage2] retrieved incoming session fd=4
[stage2] preserving new fd on incoming session; this should be rejected
[stage2] late preserve succeeded token=0x696e636f6d653032
[stage2] finishing session should hit KHO restore WARN
WARNING: kernel/liveupdate/kexec_handover.c:256 at
kho_restore_page+0x11e/0x280
memfd_luo_finish+0x6d/0x190
luo_session_finish+0x31/0xa0
Kernel panic - not syncing: kernel: panic_on_warn set …

My read is that the ioctl paths need to enforce session phase/origin
consistently. A minimal direction would be:

PRESERVE_FD: require !session->retrieved
RETRIEVE_FD: require session->retrieved
FINISH: require session->retrieved

An explicit immutable incoming/outgoing origin bit might be clearer if the
state machine is expected to grow.

The attached tarball has two PoC directories, full QEMU serial logs, kernel
configs, and README files.

I reproduced the panics on the 7.0.9 QEMU build above. I also checked the
current liveupdate userspace API documentation and current mainline source
for related semantics/source shape, but I have not yet runtime-tested
current mainline.

Thanks,
Chuyifei

[-- Attachment #1.2: Type: text/html, Size: 3256 bytes --]

[-- Attachment #2: liveupdate_phase_origin_warn_panic.tar.gz --]
[-- Type: application/x-tar, Size: 113726 bytes --]

Re: [BUG] liveupdate: incoming/outgoing session ioctls accepted in wrong phase can panic

[Pratyush Yadav]

On Sun, May 24 2026, Yifei Chu wrote:

> Hello,
>
> Short version: I found that liveupdate session ioctls can be accepted on the wrong kind of session. In my tests, that
> lets userspace drive memfd LUO into KHO restore paths for current-kernel preserved memory, which hits kho_restore_page()
> warnings and panics with panic_on_warn=1.

I already sent a fix for this:
https://lore.kernel.org/kexec/20260519122428.2378446-1-pratyush@kernel.org/

I need to do a refresh of this patch with some tests.

-- 
Regards,
Pratyush Yadav