From: oskar@gerlicz.space
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Pasha Tatashin <pasha.tatashin@soleen.com>,
Mike Rapoport <rppt@kernel.org>, Baoquan He <bhe@redhat.com>,
Pratyush Yadav <pratyush@kernel.org>,
linux-kernel@vger.kernel.org, kexec@lists.infradead.org,
linux-mm@kvack.org
Subject: Re: [PATCH 1/5] liveupdate: block outgoing session updates during reboot
Date: Sat, 21 Mar 2026 11:25:59 +0100
Message-ID: <af15eae6ea9007aa6fd7924512657168@gerlicz.space>
In-Reply-To: <20260320182352.ca6c88e409ff12d0368b03ae@linux-foundation.org>
On 2026-03-21 02:23, Andrew Morton wrote:
> On Fri, 20 Mar 2026 17:37:16 +0100 Oskar Gerlicz Kowalczuk <oskar@gerlicz.space> wrote:
>
>> When kernel_kexec() starts a live update handover, LUO serializes
>> outgoing sessions before the reboot path freezes tasks or shuts
>> devices down. That leaves a window where close() and
>> LIVEUPDATE_SESSION_PRESERVE_FD can still mutate an existing outgoing
>> session after luo_session_serialize() has already captured it.
>>
>> The race is dangerous because the next kernel may inherit stale file
>> metadata or references to memory that userspace has already
>> unpreserved. That breaks handover consistency and can later trigger
>> restore failures on already torn down state.
>>
>> Mark the outgoing session set as rebooting while serialization is in
>> progress, reject new mutations with -EBUSY, and make release wait
>> until rebooting finishes before unpreserving files. Reset the flag and
>> wake waiters when serialization rolls back, and use READ_ONCE() and
>> WRITE_ONCE() so the state is visible across CPUs.
>
> Sashiko AI review has quite a few questions:
> https://sashiko.dev/#/patchset/20260320163720.100456-1-oskar@gerlicz.space

Thanks for the careful review.

Patch 1

You are right. The incoming .release path can return before
luo_session_remove() / luo_session_free() and leave the session
stranded. This is pre-existing rather than introduced by this patch,
but it is a real bug. I will fix it in v2 by ensuring the release path
always removes and frees the session, while keeping the warning if
finish fails.

You are right. This wait can be hit from userspace while the
preserve_context path is entering the freezer. I will switch this to
wait_event_freezable(), as this path can be reached from userspace
during the freeze phase.

You are right. Dropping the rwsem before luo_session_remove() leaves
a serialize-vs-close window, so v1 still allows an outgoing session to
be serialized after close has started. In v2 I will keep the outgoing
session exclusion across the entire unpreserve/remove path (i.e. prevent
serialization until the session is fully removed), and I will gate both
PRESERVE_FD and FINISH under the same reboot check.

These issues indicate the outgoing session lifecycle still has race
windows, so I will rework this part more substantially in v2.

Patch 2

You are right. On the preserve_context flow, machine_kexec() can
return to the original kernel with error == 0, so the current
abort-on-error logic is insufficient. I will fix this by explicitly
aborting liveupdate state on the preserve_context return path in
kernel_kexec() after machine_kexec() returns.

Agreed. The abort loop only stays synchronized as long as the outgoing
list cannot change after serialization. The remaining release/remove
race in patch 1 breaks that assumption. I will fix that in v2 by
ensuring outgoing removal is excluded once serialization starts, so
abort can unfreeze the same session set that was serialized.

Patch 3

You are right. luo_file_discard_deserialized() currently drops
file_set->files without freeing the preserved KHO block. I will fix
this by routing the discard path through a common cleanup path which
calls kho_restore_free(file_set->files) before clearing the pointer.

You are right. The direct returns in luo_session_deserialize()
bypass cleanup of sh->header_ser, can leave previously restored
sessions behind, and do not cache the final error value. I will fix
this by routing all deserialize failures through a common cleanup path
which removes any sessions restored so far, frees sh->header_ser,
clears sh->ser, and stores the cached error before returning.

I do not think this specific UAF is reachable, because deserialization
happens before the device becomes visible to userspace and the device
enforces single-open semantics. The cleanup and leak issues are real,
though, and the common unwind path above will address them.

Patch 4

Agreed. The file-set validation failures currently share the same
cleanup hole as patch 3. The common deserialize cleanup in v2 will
free the preserved file_set block via kho_restore_free() before
dropping the pointer.

You are right about the direct returns in luo_session_deserialize().
I will convert those to the same common error path so sh->header_ser
is freed and the cached error is set consistently.

You are right about memfd cleanup. I will route early validation
failures through free_ser:, and I will fix the folio unwind so it also
releases the current folio entry rather than only the tail entries
after it.

Agreed. I will also validate nr_folios against the vmalloc backing
metadata (ser->folios.total_pages), not only against ser->size,
before iterating.

Patch 5

I agree this is a bug. It is pre-existing and not introduced by this
patch, so I will fix it in a follow-up by rechecking the incoming state
under the mutex before returning success from
liveupdate_flb_get_incoming().

Overall, I will rework the outgoing session lifecycle, unify the
serialization exclusion rules, and fix the cleanup paths in v2.

Oskar Gerlicz Kowalczuk
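The serialize-vs-close race described in the patch 1 commit message, and the fix sketched there and in the reply (a rebooting flag set while serialization is in progress, -EBUSY for LIVEUPDATE_SESSION_PRESERVE_FD, and release waiting for the reboot to finish or roll back), as an added user-space model. This is example code written for this page, not LUO's code: the struct, the function names, the single preserved-file counter and the use of a pthread mutex and condvar in place of the kernel's rwsem, wait queue and READ_ONCE()/WRITE_ONCE() are all assumptions made to keep it runnable outside the kernel.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <unistd.h>

/* Hypothetical model of one outgoing session (assumed names, not LUO's structs).
 * The mutex stands in for the session lock, the condvar for the wait queue
 * that close() sleeps on while a serialization is in flight. */
struct outgoing_session {
	pthread_mutex_t lock;
	pthread_cond_t reboot_done;   /* broadcast when rebooting clears */
	bool rebooting;               /* captured for the next kernel, reboot pending */
	int nr_files;                 /* live preserved-file references */
	int snapshot_files;           /* what serialize captured, -1 if none */
};
#define SESSION_INIT { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, false, 0, -1 }

/* LIVEUPDATE_SESSION_PRESERVE_FD analogue: refused with -EBUSY mid-reboot. */
static int session_preserve_fd(struct outgoing_session *s)
{
	int ret = 0;
	pthread_mutex_lock(&s->lock);
	if (s->rebooting)
		ret = -EBUSY;
	else
		s->nr_files++;
	pthread_mutex_unlock(&s->lock);
	return ret;
}
/* kernel_kexec() side: set rebooting and take the snapshot in one lock hold. */
static void session_serialize(struct outgoing_session *s)
{
	pthread_mutex_lock(&s->lock);
	s->rebooting = true;
	s->snapshot_files = s->nr_files;
	pthread_mutex_unlock(&s->lock);
}
/* Unwind when the kexec does not happen: clear the flag, wake every waiter. */
static void session_serialize_rollback(struct outgoing_session *s)
{
	pthread_mutex_lock(&s->lock);
	s->rebooting = false;
	s->snapshot_files = -1;
	pthread_cond_broadcast(&s->reboot_done);
	pthread_mutex_unlock(&s->lock);
}
/* close(): wait=false unpreserves at once (the race the patch describes);
 * wait=true sleeps until rebooting finishes, as the patch makes release do. */
static void session_release(struct outgoing_session *s, bool wait)
{
	pthread_mutex_lock(&s->lock);
	while (wait && s->rebooting)
		pthread_cond_wait(&s->reboot_done, &s->lock);
	s->nr_files = 0;                      /* drop the preserved references */
	pthread_mutex_unlock(&s->lock);
}
/* True while the captured snapshot still matches the live session. */
static bool snapshot_consistent(struct outgoing_session *s)
{
	pthread_mutex_lock(&s->lock);
	bool ok = s->snapshot_files == s->nr_files;
	pthread_mutex_unlock(&s->lock);
	return ok;
}

/* Preserve one file, serialize, try PRESERVE_FD again: returns that result. */
static int preserve_fd_during_reboot(void)
{
	struct outgoing_session s = SESSION_INIT;
	session_preserve_fd(&s);
	session_serialize(&s);
	return session_preserve_fd(&s);
}
/* Serialize, then close() without waiting: 1 if the snapshot now refers to
 * a file the session no longer holds, i.e. stale metadata for the next kernel. */
static int racy_close_breaks_snapshot(void)
{
	struct outgoing_session s = SESSION_INIT;
	session_preserve_fd(&s);
	session_serialize(&s);
	session_release(&s, false);
	return !snapshot_consistent(&s);
}
static void *closer(void *arg)
{
	session_release(arg, true);
	return NULL;
}
/* Serialize, then close() on another thread: 1 if close() stayed blocked
 * until rollback and only unpreserved the file afterwards. */
static int waiting_close_keeps_snapshot(void)
{
	struct outgoing_session s = SESSION_INIT;
	pthread_t t;
	session_preserve_fd(&s);
	session_serialize(&s);
	pthread_create(&t, NULL, closer, &s);
	usleep(20000);                        /* let the closer reach its wait */
	int still_consistent = snapshot_consistent(&s);
	session_serialize_rollback(&s);
	pthread_join(t, NULL);
	return still_consistent && s.nr_files == 0;
}
```

Two things the model makes visible. First, the consistency check in `waiting_close_keeps_snapshot()` does not depend on timing: as long as `rebooting` is set, no closer can reach the unpreserve step, so the snapshot stays valid whether or not the thread has reached its wait yet. Second, the model holds one lock across the whole release path, which is the "exclusion across the entire unpreserve/remove path" the reply promises for v2; the v1 problem it describes, dropping the rwsem before luo_session_remove(), corresponds to unlocking between the wait and the final removal, which this model deliberately does not do.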

Thread overview (8+ messages):
2026-03-20 16:37 [PATCH 1/5] liveupdate: block outgoing session updates during reboot Oskar Gerlicz Kowalczuk
2026-03-20 16:37 ` [PATCH 2/5] kexec: abort liveupdate handover on kernel_kexec() unwind Oskar Gerlicz Kowalczuk
2026-03-20 16:37 ` [PATCH 3/5] liveupdate: fail session restore on file deserialization errors Oskar Gerlicz Kowalczuk
2026-03-20 16:37 ` [PATCH 4/5] liveupdate: validate handover metadata before using it Oskar Gerlicz Kowalczuk
2026-03-20 16:37 ` [PATCH 5/5] liveupdate: guard FLB counters against underflow Oskar Gerlicz Kowalczuk
2026-03-21 1:23 ` [PATCH 1/5] liveupdate: block outgoing session updates during reboot Andrew Morton
2026-03-21 10:25 ` oskar [this message]
2026-03-22 7:40 ` kernel test robot