[PATCH v3 0/5] liveupdate: serialization safety and race fixes

Pasha Tatashin posted 5 patches 4 weeks ago
There is a newer version of this series
Posted by Pasha Tatashin 4 weeks ago
This series addresses several issues related to the synchronization
between the reboot process and LUO session management.

Changes in v3:
- Refined the session mutation blocking to use a dedicated global
  rwsem (luo_session_serialize_rwsem) instead of pinning individual
  mutexes.
- Fixed a use-after-free race in luo_file_unpreserve_files() where
  a module could be released before its file handler ID was erased.
- Fixed a TOCTOU race in luo_session_retrieve() by extending the
  lock scope to overlap with session mutex acquisition.
- Removed an unused 'ser' field from struct luo_session.
- Dropped the KHO skip patch as it was not needed.

1. Skip LUO serialization for context-preserving kexec: A
preserve_context kexec returns to the current kernel, which is unrelated
to live update where state is passed to the next kernel. Skipping
serialization avoids unnecessary work and prevents sessions from being
left in a frozen state upon return.

2. Block session mutations during reboot: During the reboot() syscall,
user processes may still be running concurrently and attempting to
mutate sessions. To prevent this, we introduce luo_session_serialize_rwsem.
All mutation operations (create, retrieve, release, ioctl) hold the
read lock. The serialization process holds the write lock indefinitely
on success, effectively freezing the subsystem.

3. Fix use-after-free in luo_file_unpreserve_files(): Reorder module_put()
to ensure the file handler module remains pinned while its operations
are being accessed during cleanup.

4. Fix TOCTOU race in luo_session_retrieve(): Extend the rwsem lock
scope to prevent a session from being released between lookup and
mutex acquisition.

5. Remove unused ser field from struct luo_session: Clean up the
session structure by removing a field that was never utilized.

Tree: git.kernel.org/pub/scm/linux/kernel/git/tatashin/linux.git Branch:
luo-reboot-sync/v3

Pasha Tatashin (5):
  liveupdate: skip serialization for context-preserving kexec
  liveupdate: block session mutations during reboot
  liveupdate: fix u-a-f in luo_file_unpreserve_files() and
    luo_file_finish()
  liveupdate: fix TOCTOU race in luo_session_retrieve()
  liveupdate: Remove unused ser field from struct luo_session

 kernel/kexec_core.c              |  8 +++++---
 kernel/liveupdate/luo_file.c     |  5 +++--
 kernel/liveupdate/luo_internal.h |  2 --
 kernel/liveupdate/luo_session.c  | 27 ++++++++++++++++++++-------
 4 files changed, 28 insertions(+), 14 deletions(-)


base-commit: 7b0b68b2b95606e65594958686833e53423f58f2
-- 
2.53.0
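The two locking rules the cover letter describes (item 2: mutations take the read side of luo_session_serialize_rwsem and serialization holds the write side for good; item 4: the lookup in luo_session_retrieve() must keep its rwsem until the session mutex is held, or a concurrent release can free the session in between) can be exercised in a small user-space model. The code below is an added example, not the kernel's LUO code and not from this series. It is single-threaded, so the toy rwsem/mutex return -EBUSY where a kernel caller would sleep; a `live` flag stands in for kfree() so the use-after-free shows up as -EFAULT instead of undefined behaviour; the session table, its lock name `luo_sessions_rwsem`, the split of retrieve into a lookup and a finish step, and the `success` flag on `luo_serialize()` are all assumptions made for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
/* Toy locks for a single-threaded model: where a kernel caller would block, these return -EBUSY. */
struct rwsem { int readers, writer; };
struct mutex { int held; };
static int down_read(struct rwsem *s) { if (s->writer) return -EBUSY; s->readers++; return 0; }
static void up_read(struct rwsem *s) { s->readers--; }
static int down_write(struct rwsem *s) { if (s->writer || s->readers) return -EBUSY; s->writer = 1; return 0; }
static void up_write(struct rwsem *s) { s->writer = 0; }
static int mutex_lock(struct mutex *m) { if (m->held) return -EBUSY; m->held = 1; return 0; }
static void mutex_unlock(struct mutex *m) { m->held = 0; }

#define MAX_SESSIONS 8
struct luo_session {
	int id;			/* 0: slot unused */
	int live;		/* cleared by release; stands in for kfree() */
	struct mutex mutex;	/* per-session lock */
};
static struct luo_session sessions[MAX_SESSIONS];	/* assumed layout: indexed by id */
static struct rwsem luo_sessions_rwsem;			/* assumed: guards the session table */
static struct rwsem luo_session_serialize_rwsem;	/* patch 2: the freeze gate */

static struct luo_session *luo_session_find(int id)
{
	return (id > 0 && id < MAX_SESSIONS && sessions[id].id) ? &sessions[id] : NULL;
}

/* Patch 2: every mutation enters through the read side of the freeze gate. */
int luo_session_create(int id)
{
	int ret = down_read(&luo_session_serialize_rwsem);
	if (ret) return ret;			/* frozen: the kernel would block here */
	ret = down_write(&luo_sessions_rwsem);
	if (!ret) {
		if (id <= 0 || id >= MAX_SESSIONS) ret = -EINVAL;
		else if (sessions[id].id)            ret = -EEXIST;
		else { sessions[id].id = id; sessions[id].live = 1; }
		up_write(&luo_sessions_rwsem);
	}
	up_read(&luo_session_serialize_rwsem);
	return ret;
}

int luo_session_release(int id)
{
	int ret = down_read(&luo_session_serialize_rwsem);
	if (ret) return ret;
	/* Takes the table for write: refused while a lookup still holds the read side. */
	ret = down_write(&luo_sessions_rwsem);
	if (!ret) {
		struct luo_session *s = luo_session_find(id);
		if (!s) ret = -ENOENT;
		else if (!(ret = mutex_lock(&s->mutex))) {
			s->live = 0; s->id = 0;		/* the session is gone from here on */
			mutex_unlock(&s->mutex);
		}
		up_write(&luo_sessions_rwsem);
	}
	up_read(&luo_session_serialize_rwsem);
	return ret;
}

/* luo_session_retrieve() split in two so the gap between lookup and mutex acquisition can be
 * exercised: hold_rwsem=0 drops the table lock after the lookup (TOCTOU shape), hold_rwsem=1
 * keeps it until the mutex is held (the v3 fix). Success leaves the caller holding the mutex. */
struct luo_session *luo_session_retrieve_lookup(int id, int hold_rwsem)
{
	struct luo_session *s;
	if (down_read(&luo_session_serialize_rwsem)) return NULL;
	if (down_read(&luo_sessions_rwsem)) { up_read(&luo_session_serialize_rwsem); return NULL; }
	s = luo_session_find(id);
	if (!s || !hold_rwsem)
		up_read(&luo_sessions_rwsem);	/* pre-fix: the TOCTOU window opens here */
	if (!s) up_read(&luo_session_serialize_rwsem);
	return s;
}

int luo_session_retrieve_finish(struct luo_session *s, int hold_rwsem)
{
	int ret = mutex_lock(&s->mutex);	/* pre-fix: s may already have been released */
	if (hold_rwsem) up_read(&luo_sessions_rwsem);
	if (!ret && !s->live) { mutex_unlock(&s->mutex); ret = -EFAULT; }	/* a real kernel touched freed memory */
	if (ret) up_read(&luo_session_serialize_rwsem);
	return ret;
}

void luo_session_put(struct luo_session *s) { mutex_unlock(&s->mutex); up_read(&luo_session_serialize_rwsem); }

/* Patch 2: serialization takes the write side and, on success, never drops it. */
int luo_serialize(int success)
{
	int ret = down_write(&luo_session_serialize_rwsem);
	if (ret) return ret;			/* a mutation is in flight; the kernel waits for it */
	if (!success) { up_write(&luo_session_serialize_rwsem); return -EIO; }
	return 0;				/* frozen: every later create/retrieve/release is held off */
}
```

Walking the model through the sequence the cover letter worries about: with `hold_rwsem=0`, a release issued between `luo_session_retrieve_lookup()` and `luo_session_retrieve_finish()` succeeds and the finish step lands on a dead session (-EFAULT here, a use-after-free in the kernel); with `hold_rwsem=1`, the same release is refused with -EBUSY because the lookup still holds the table's read side, and once the mutex is held the session stays pinned until `luo_session_put()`. After `luo_serialize(1)` the write side is never released, so every later mutation is refused; that permanent freeze is also why item 1 matters, since a preserve_context kexec returns to the same kernel and would otherwise leave the subsystem frozen.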
Re: [PATCH v3 0/5] liveupdate: serialization safety and race fixes
Posted by Mike Rapoport 3 weeks, 4 days ago
On Fri, May 15, 2026 at 12:37:17AM +0000, Pasha Tatashin wrote:
> This series addresses several issues related to the synchronization
> between the reboot process and LUO session management.
> 
> Changes in v3:
> - Refined the session mutation blocking to use a dedicated global
>   rwsem (luo_session_serialize_rwsem) instead of pinning individual
>   mutexes.
> - Fixed a use-after-free race in luo_file_unpreserve_files() where
>   a module could be released before its file handler ID was erased.
> - Fixed a TOCTOU race in luo_session_retrieve() by extending the
>   lock scope to overlap with session mutex acquisition.
> - Removed an unused 'ser' field from struct luo_session.
> - Dropped the KHO skip patch as it was not needed.
> 
> 1. Skip LUO serialization for context-preserving kexec: A
> preserve_context kexec returns to the current kernel, which is unrelated
> to live update where state is passed to the next kernel. Skipping
> serialization avoids unnecessary work and prevents sessions from being
> left in a frozen state upon return.
> 
> 2. Block session mutations during reboot: During the reboot() syscall,
> user processes may still be running concurrently and attempting to
> mutate sessions. To prevent this, we introduce luo_session_serialize_rwsem.
> All mutation operations (create, retrieve, release, ioctl) hold the
> read lock. The serialization process holds the write lock indefinitely
> on success, effectively freezing the subsystem.
> 
> 3. Fix use-after-free in luo_file_unpreserve_files(): Reorder module_put()
> to ensure the file handler module remains pinned while its operations
> are being accessed during cleanup.
> 
> 4. Fix TOCTOU race in luo_session_retrieve(): Extend the rwsem lock
> scope to prevent a session from being released between lookup and
> mutex acquisition.
> 
> 5. Remove unused ser field from struct luo_session: Clean up the
> session structure by removing a field that was never utilized.

Sashiko is still unhappy:
https://sashiko.dev/#/patchset/20260515003722.938123-1-pasha.tatashin@soleen.com

Didn't verify it's actually right, but its complaints seem legit.

Among other things sashiko noted a TOCTOU issue and then found it's fixed
by a later patch, maybe move the TOCTOU fix earlier in the series?
 
> Tree: git.kernel.org/pub/scm/linux/kernel/git/tatashin/linux.git Branch:
> luo-reboot-sync/v3
> 
> Pasha Tatashin (5):
>   liveupdate: skip serialization for context-preserving kexec
>   liveupdate: block session mutations during reboot
>   liveupdate: fix u-a-f in luo_file_unpreserve_files() and
>     luo_file_finish()
>   liveupdate: fix TOCTOU race in luo_session_retrieve()
>   liveupdate: Remove unused ser field from struct luo_session
> 
>  kernel/kexec_core.c              |  8 +++++---
>  kernel/liveupdate/luo_file.c     |  5 +++--
>  kernel/liveupdate/luo_internal.h |  2 --
>  kernel/liveupdate/luo_session.c  | 27 ++++++++++++++++++++-------
>  4 files changed, 28 insertions(+), 14 deletions(-)
> 
> 
> base-commit: 7b0b68b2b95606e65594958686833e53423f58f2
> -- 
> 2.53.0
> 

-- 
Sincerely yours,
Mike.
Re: [PATCH v3 0/5] liveupdate: serialization safety and race fixes
Posted by Pasha Tatashin 3 weeks, 4 days ago
On 05-17 20:43, Mike Rapoport wrote:
> On Fri, May 15, 2026 at 12:37:17AM +0000, Pasha Tatashin wrote:
> > This series addresses several issues related to the synchronization
> > between the reboot process and LUO session management.
> > 
> > Changes in v3:
> > - Refined the session mutation blocking to use a dedicated global
> >   rwsem (luo_session_serialize_rwsem) instead of pinning individual
> >   mutexes.
> > - Fixed a use-after-free race in luo_file_unpreserve_files() where
> >   a module could be released before its file handler ID was erased.
> > - Fixed a TOCTOU race in luo_session_retrieve() by extending the
> >   lock scope to overlap with session mutex acquisition.
> > - Removed an unused 'ser' field from struct luo_session.
> > - Dropped the KHO skip patch as it was not needed.
> > 
> > 1. Skip LUO serialization for context-preserving kexec: A
> > preserve_context kexec returns to the current kernel, which is unrelated
> > to live update where state is passed to the next kernel. Skipping
> > serialization avoids unnecessary work and prevents sessions from being
> > left in a frozen state upon return.
> > 
> > 2. Block session mutations during reboot: During the reboot() syscall,
> > user processes may still be running concurrently and attempting to
> > mutate sessions. To prevent this, we introduce luo_session_serialize_rwsem.
> > All mutation operations (create, retrieve, release, ioctl) hold the
> > read lock. The serialization process holds the write lock indefinitely
> > on success, effectively freezing the subsystem.
> > 
> > 3. Fix use-after-free in luo_file_unpreserve_files(): Reorder module_put()
> > to ensure the file handler module remains pinned while its operations
> > are being accessed during cleanup.
> > 
> > 4. Fix TOCTOU race in luo_session_retrieve(): Extend the rwsem lock
> > scope to prevent a session from being released between lookup and
> > mutex acquisition.
> > 
> > 5. Remove unused ser field from struct luo_session: Clean up the
> > session structure by removing a field that was never utilized.
> 
> Sashiko is still unhappy:
> https://sashiko.dev/#/patchset/20260515003722.938123-1-pasha.tatashin@soleen.com
> 
> Didn't verify it's actually right, but its complaints seem legit.

Reviewed the complaints, a couple things are legit, I will address 
them and respin.

> Among other things sashiko noted a TOCTOU issue and then found it's fixed
> by a later patch, maybe move the TOCTOU fix earlier in the series?

Sure, will move it earlier, while I think, as long as it is fixed in
the series it does not matter where it is :-)

Pasha
Re: [PATCH v3 0/5] liveupdate: serialization safety and race fixes
Posted by Mike Rapoport 3 weeks, 4 days ago
On Sun, May 17, 2026 at 07:01:27PM +0000, Pasha Tatashin wrote:
> On 05-17 20:43, Mike Rapoport wrote:
> 
> > Among other things sashiko noted a TOCTOU issue and then found it's fixed
> > by a later patch, maybe move the TOCTOU fix earlier in the series?
> 
> Sure, will move it earlier, while I think, as long as it is fixed in
> the series it does not matter where it is :-)

Less sashiko comments to read ;-)
 
> Pasha

-- 
Sincerely yours,
Mike.