From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qt1-f176.google.com (mail-qt1-f176.google.com [209.85.160.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C64343ED3D8 for ; Tue, 19 May 2026 14:11:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.176 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779199890; cv=none; b=qunHHcb1NlzNVZosBPZij1mHZM23xvC9yaSvp7INmw1XlH8+w6J7EoZ9nLVnNfuYmFjFiV6+Wph/LaqbDGrqiZYyxY2H2G1FOJrZQLuHFQ3Xt7mAvbxkqndd78awzc6rx/QAjA3z9aFNOlEHpj5pZSQF9/4MpovY/iS4RGDWCFc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779199890; c=relaxed/simple; bh=bdsUFO9kZ1k4aaN5bTjRDtTJSDsls6AitnmCnu9c8+A=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=I8rQEqw7Czu6cJ7SQxiroDuUN3UhXDY3A7b69KI5PlviS1JNrVil+bvmvvfQbrHwXalYsVxvn59tL1qgiKtYZPffkNc/l30/ATs5uhvEMbgmmkioEz8GBioJS2xaCavrJezmy6B7moME/siUMfN57ZnfeFhhEUaz2Wdv4sEFylk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=soleen.com; spf=pass smtp.mailfrom=soleen.com; dkim=pass (2048-bit key) header.d=soleen.com header.i=@soleen.com header.b=C67ncJcS; arc=none smtp.client-ip=209.85.160.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=soleen.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=soleen.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=soleen.com header.i=@soleen.com header.b="C67ncJcS" Received: by mail-qt1-f176.google.com with SMTP id d75a77b69052e-50e5dbd8e0eso43883581cf.1 for ; Tue, 19 May 2026 07:11:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=soleen.com; s=google; t=1779199888; x=1779804688; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=LyJqfMx5Ks1exoptQvYh/tS2q82SfLe8ov3UKKxLEwc=; b=C67ncJcSxS1LI8J8SlrYLiw0VyGxFN4n985gE8IxvNR52FIjNSqvk5FOcH/M7FTpiL X+Boa5TNCbjSfB7uunZjII0dBRUKq7YR3UrdeP9GR5pP5MX86XIZfMNFHoQ/KBxriofU O359I5RCfXH4NIq6PQeORoRW7DX4KZFKLA0aF2EKmmqgZGixulpbYOhJ/NqHDw2g87Cj KEUEDl906HPqzwnja+Uv/EmJBY2ndOyv2vqooAvx1ZhUQdzD8fpKL+NEet+GPEEDxF0o uOHRTyUjA3Nf2BIlO25N8TNFmhttc0jZFL05zl6l9SPpZLCJY9lqjsgOjEebasHuwdUL 0mCg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779199888; x=1779804688; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LyJqfMx5Ks1exoptQvYh/tS2q82SfLe8ov3UKKxLEwc=; b=g2VZgskEk2lAh1qdkAYyXlMmhGOgOFzB2atOG1vUuLnbYd5o1dOrhNlVaLxKfra6hi uKE2gm0RXJlweIWli9EmpnOAoV6C2nrisIBqxrmM8r9xUBoKssasS8aNuKkl3eIsw5uU QXc9SX0eY+yDbVRnTwFtMps5CSsJAV62900RJBcf3Mxavp5kNZ9qBMDn0mQ5pSkU6xpk W3lBBBXON4PPVsn0jecuRn4g5tjGwVgp9OsmkoZlLQxlnCokDJ8g4OBjHsXTUEo6XnWj wjDjcpus6BGgRipFjPV5ogpQ1UxSbZEgui8wOl+DgLXF2mEaSBABTuvqLgm8mDl929WZ RTCw== X-Forwarded-Encrypted: i=1; AFNElJ91VZSZOv02IvtdHz2ExC8xTLzI6dzNImEPWK2paBblHJsVPjz1VIsMt2TyE8hZKsdah8jxnPshCPNc93g=@vger.kernel.org X-Gm-Message-State: AOJu0YxEn3OJGVRNkfvX6GD6ojvhOMAFOedUexFROOc+wNPWOIJ18n6L f3W9m3kSYtNGT9HqmtURLwXzN45Y0CK5BpnFANXtCE5qblsxJQfVNGAvPK5+GfLJUHY= X-Gm-Gg: Acq92OH4jlTFyub/P4Ezs6DM7lsr3XdVSZRjN6E3OPmYrf3JoVCToa9qYnx2xwppIgd 77FUeQvMveuJ0lUwhryeYMGTdBrzmNRHErec3coPpdSGksfqTE+eO/Fsl9Le1JV7T44ztzphw2O YEX6T14B0TqE6lJdXx3XsjPvdJl4QJCmVE/yAkhY3oPzwRiOZ75OW0UpOt8DUbLw4HhcGBmdJtN GlXAykIM4VKEep3IqZd0gybGq1zMb39zNZAhD7vcQhcwa5yAN/2117sjhM65K42tY/m89C8meR4 VqX55nsLaxnLpEbUZURMZi5nfaD6q5LQVAnGT00D1h7XWKzBU852lxXHR2bTDTl/xo2UQfmbf8G Fg1fVH5fqllsnOJVWpHe60cb7GEnUIQajOWcxDe9mwnDA9RRbbdhZjt+s57GUqk/eVDafm+FpTd 9YNp5/i1f+Y6sK9bgDP2ysEvXBIKFc3aBSFkFjRD2oETGK/4rAMlQ= X-Received: by 2002:a05:622a:90e:b0:50e:635b:5579 with SMTP id d75a77b69052e-5165a00702cmr265768101cf.19.1779199887300; Tue, 19 May 2026 07:11:27 -0700 (PDT) Received: from plex ([71.181.43.54]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-5164585fa0asm177729321cf.31.2026.05.19.07.11.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 May 2026 07:11:26 -0700 (PDT) Date: Tue, 19 May 2026 14:11:26 +0000 From: Pasha Tatashin To: Pratyush Yadav Cc: Pasha Tatashin , Mike Rapoport , Andrew Morton , linux-kernel@vger.kernel.org, kexec@lists.infradead.org, stable@vger.kernel.org Subject: Re: [PATCH] liveupdate: validate session type before performing operation Message-ID: References: <20260519122428.2378446-1-pratyush@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260519122428.2378446-1-pratyush@kernel.org> On 05-19 14:24, Pratyush Yadav wrote: > From: "Pratyush Yadav (Google)" > > The sessions ioctls are not applicable to all session types. PRESERVE_FD > is only applicable to outgoing sessions. RETRIEVE_FD and FINISH are only > valid for incoming session. Calling a incoming ioctl on an outgoing > session is invalid and can cause file handlers to run into unexpected > errors. > > For example, a user can create a (outgoing) session, preserve a memfd, > and then immediately do a retrieve without doing a kexec in between. Please add a self-test tools/testing/selftests/liveupdate/liveupdate.c to verify that outgoing sessions do not accept retrieve_fd ioctl. Option, you could also add to luo_multi_session.c a test to verifying that incoming does not accept preserve_fd > This would result in memfd's retrieve handler to run. The handlers > expects to be called from a post-kexec context, and will try to do a > kho_restore_vmalloc() or kho_restore_folio() to try and restore memory. > > KHO catches this (thanks to KHO_PAGE_MAGIC) and returns an error, but > since this is considered an internal error and KHO throws out a bunch of > WARN()s. > > Associate a type with each ioctl op and validate the type in > luo_session_ioctl() before dispatching the ioctl handler to make sure > the op is being called for the right session type. > > Fixes: 16cec0d26521 ("liveupdate: luo_session: add ioctls for file preservation") > Cc: stable@vger.kernel.org > Signed-off-by: Pratyush Yadav (Google) > --- > > Notes: > I added LUO_IOCTL_ALL but there is no user in this patch. The type is > for LIVEUPDATE_SESSION_GET_NAME which is supported for both session > types. The support for GET_NAME is in next and this patch should go > through fixes. > > Alternatively, we can remove LUO_IOCTL_ALL from this patch and add it to > the LIVEUPDATE_SESSION_GET_NAME patch in next. But that would need us to > rebase to an rc that contains this fix. Let's keep LUO_IOCTL_ALL change in this patch. Please add tests, otherwise LGTM. Pasha > > kernel/liveupdate/luo_session.c | 36 +++++++++++++++++++++++++++++---- > 1 file changed, 32 insertions(+), 4 deletions(-) > > diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c > index a3327a28fc1f..e84218e3cacb 100644 > --- a/kernel/liveupdate/luo_session.c > +++ b/kernel/liveupdate/luo_session.c > @@ -295,32 +295,58 @@ union ucmd_buffer { > struct liveupdate_session_retrieve_fd retrieve; > }; > > +/* Type of sessions the ioctl applies to. */ > +enum luo_ioctl_type { > + LUO_IOCTL_INCOMING, > + LUO_IOCTL_OUTGOING, > + LUO_IOCTL_ALL, > +}; > + > struct luo_ioctl_op { > unsigned int size; > unsigned int min_size; > unsigned int ioctl_num; > + enum luo_ioctl_type type; > int (*execute)(struct luo_session *session, struct luo_ucmd *ucmd); > }; > > -#define IOCTL_OP(_ioctl, _fn, _struct, _last) \ > +#define IOCTL_OP(_ioctl, _fn, _struct, _last, _type) \ > [_IOC_NR(_ioctl) - LIVEUPDATE_CMD_SESSION_BASE] = { \ > .size = sizeof(_struct) + \ > BUILD_BUG_ON_ZERO(sizeof(union ucmd_buffer) < \ > sizeof(_struct)), \ > .min_size = offsetofend(_struct, _last), \ > .ioctl_num = _ioctl, \ > + .type = _type, \ > .execute = _fn, \ > } > > static const struct luo_ioctl_op luo_session_ioctl_ops[] = { > IOCTL_OP(LIVEUPDATE_SESSION_FINISH, luo_session_finish, > - struct liveupdate_session_finish, reserved), > + struct liveupdate_session_finish, reserved, LUO_IOCTL_INCOMING), > IOCTL_OP(LIVEUPDATE_SESSION_PRESERVE_FD, luo_session_preserve_fd, > - struct liveupdate_session_preserve_fd, token), > + struct liveupdate_session_preserve_fd, token, LUO_IOCTL_OUTGOING), > IOCTL_OP(LIVEUPDATE_SESSION_RETRIEVE_FD, luo_session_retrieve_fd, > - struct liveupdate_session_retrieve_fd, token), > + struct liveupdate_session_retrieve_fd, token, LUO_IOCTL_INCOMING), > }; > > +static bool luo_ioctl_type_valid(struct luo_session *session, > + const struct luo_ioctl_op *op) > +{ > + switch (op->type) { > + case LUO_IOCTL_INCOMING: > + /* Retrieved is only set on incoming sessions */ > + return session->retrieved; > + case LUO_IOCTL_OUTGOING: > + return !session->retrieved; > + case LUO_IOCTL_ALL: > + return true; > + } > + > + /* Catch-all. */ > + return false; > +} > + > static long luo_session_ioctl(struct file *filep, unsigned int cmd, > unsigned long arg) > { > @@ -345,6 +371,8 @@ static long luo_session_ioctl(struct file *filep, unsigned int cmd, > op = &luo_session_ioctl_ops[nr - LIVEUPDATE_CMD_SESSION_BASE]; > if (op->ioctl_num != cmd) > return -ENOIOCTLCMD; > + if (!luo_ioctl_type_valid(session, op)) > + return -EINVAL; > if (ucmd.user_size < op->min_size) > return -EINVAL; > > > base-commit: b1378127003b61930ce30064328640503ad3ef6d > -- > 2.54.0.563.g4f69b47b94-goog >