[BUG] liveupdate: incoming/outgoing session ioctls accepted in wrong phase can panic

Yifei Chu yifeichu24 at gmail.com
Sun May 24 10:31:39 PDT 2026 

Hello,

Resending this to kexec at lists.infradead.org in plain text only. The
previous copy to this list was rejected because it was sent as HTML mail.
The original report was also sent to the liveupdate maintainers,
linux-kernel, linux-mm, and the related reviewers.

Short version: I found that liveupdate session ioctls can be accepted on
the wrong kind of session. In my tests, that lets userspace drive memfd LUO
into KHO restore paths for current-kernel preserved memory, which hits
kho_restore_page() warnings and panics with panic_on_warn=1.

There are two closely related cases.

First, a newly created outgoing session accepts incoming-only operations:

  LIVEUPDATE_SESSION_FINISH
  LIVEUPDATE_SESSION_RETRIEVE_FD

After preserving a memfd, either ioctl dispatches into the incoming restore
path and reaches kho_restore_page().

Second, a retrieved incoming session accepts the outgoing-only operation:

  LIVEUPDATE_SESSION_PRESERVE_FD

After a real KHO/kexec handoff, the PoC retrieves the incoming session,
preserves a new current-kernel memfd on it, and then calls FINISH. That
again treats current-kernel state as incoming KHO state.

Tested environment:

  Linux version 7.0.9, x86_64 QEMU
  gcc 12.3.0, GNU ld 2.38
  CONFIG_LIVEUPDATE=y
  CONFIG_LIVEUPDATE_MEMFD=y
  CONFIG_KEXEC_HANDOVER=y
  Boot args included: kho=on liveupdate=on panic_on_warn=1

Outgoing-session FINISH result:

  session fd=4
  preserved memfd token=0x6f757466696e6973
  calling FINISH on outgoing session; this should be rejected
  WARNING: kernel/liveupdate/kexec_handover.c:256 at kho_restore_page+0x1e9/0x4a0
  memfd_luo_finish+0x12c/0x370
  luo_session_finish+0x35/0x130
  Kernel panic - not syncing: kernel: panic_on_warn set ...

Outgoing-session RETRIEVE_FD result:

  calling RETRIEVE_FD on outgoing session; this should be rejected
  WARNING: kernel/liveupdate/kexec_handover.c:256 at kho_restore_page+0x1e9/0x4a0
  memfd_luo_retrieve+0x224/0x9f0
  luo_session_retrieve_fd+0x124/0x320
  Kernel panic - not syncing: kernel: panic_on_warn set ...

Incoming-session PRESERVE_FD result:

  [stage2] retrieved incoming session fd=4
  [stage2] preserving new fd on incoming session; this should be rejected
  [stage2] late preserve succeeded token=0x696e636f6d653032
  [stage2] finishing session should hit KHO restore WARN
  WARNING: kernel/liveupdate/kexec_handover.c:256 at kho_restore_page+0x11e/0x280
  memfd_luo_finish+0x6d/0x190
  luo_session_finish+0x31/0xa0
  Kernel panic - not syncing: kernel: panic_on_warn set ...

My read is that the ioctl paths need to enforce session phase/origin
consistently. A minimal direction would be:

  PRESERVE_FD: require !session->retrieved
  RETRIEVE_FD: require session->retrieved
  FINISH: require session->retrieved

An explicit immutable incoming/outgoing origin bit might be clearer if the
state machine is expected to grow.

The full report artifacts are available and were included with the original
mail sent to the other recipients:

  liveupdate_phase_origin_warn_panic.tar.gz

It contains two PoC directories, full QEMU serial logs, kernel configs, and
README files. I can resend the artifacts in plain-text-friendly form if that
is preferred.

I reproduced the panics on the 7.0.9 QEMU build above. I also checked the
current liveupdate userspace API documentation and current mainline source for
related semantics/source shape, but I have not yet runtime-tested current
mainline.

Thanks,
Chuyifei

More information about the kexec mailing list