From: Pasha Tatashin Date: Wed, 27 May 2026 20:27:34 +0000 (+0000) Subject: liveupdate: fix TOCTOU race in luo_session_retrieve() X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d3ae9e7fddb4036f50003d7fa1ef52801fdb961b;p=thirdparty%2Flinux.git liveupdate: fix TOCTOU race in luo_session_retrieve() Extend the scope of the rwsem_read lock in luo_session_retrieve() to overlap with the acquisition of the session mutex. This prevents a concurrent thread from releasing and freeing the session between the lookup and the mutex lock. Fixes: 0153094d03df ("liveupdate: luo_session: add sessions support") Acked-by: Mike Rapoport (Microsoft) Reviewed-by: Pratyush Yadav (Google) Signed-off-by: Pasha Tatashin Link: https://patch.msgid.link/20260527202737.1345192-3-pasha.tatashin@soleen.com Signed-off-by: Mike Rapoport (Microsoft) --- diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c index 099db679bdc5..a1c742eeb444 100644 --- a/kernel/liveupdate/luo_session.c +++ b/kernel/liveupdate/luo_session.c @@ -463,12 +463,11 @@ int luo_session_retrieve(const char *name, struct file **filep) struct luo_session *it; int err; - scoped_guard(rwsem_read, &sh->rwsem) { - list_for_each_entry(it, &sh->list, list) { - if (!strncmp(it->name, name, sizeof(it->name))) { - session = it; - break; - } + guard(rwsem_read)(&sh->rwsem); + list_for_each_entry(it, &sh->list, list) { + if (!strncmp(it->name, name, sizeof(it->name))) { + session = it; + break; } }
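Review bot: The `guard(rwsem_read)(&sh->rwsem);` line that replaces the `scoped_guard` block has no comment explaining why the read lock must now live until the function returns. A later cleanup could narrow it back to the lookup loop and reopen the window between finding `session` and locking it. A short comment above the guard, saying that the rwsem has to stay held until the session mutex is taken, would keep that intent visible. The guard now also covers the rest of luo_session_retrieve(), which this hunk does not show. It is worth confirming that nothing after the loop takes `sh->rwsem` for write or waits on a path that does. The resulting lock order (`sh->rwsem` first, then the session mutex) could be recorded in the same comment.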