liveupdate: fix TOCTOU race in luo_session_retrieve()

Extend the scope of the rwsem_read lock in luo_session_retrieve() to
overlap with the acquisition of the session mutex. This prevents a
concurrent thread from releasing and freeing the session between the
lookup and the mutex lock.

Fixes: 0153094d03df ("liveupdate: luo_session: add sessions support")
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Link: https://patch.msgid.link/20260527202737.1345192-3-pasha.tatashin@soleen.com
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>

diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index 099db679bdc5335b1278c9aed795738043f38ebf..a1c742eeb444e04c50ad6b0b0596bbf9618b1929 100644 (file)
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -463,12 +463,11 @@ int luo_session_retrieve(const char *name, struct file **filep)
        struct luo_session *it;
        int err;
 
-       scoped_guard(rwsem_read, &sh->rwsem) {
-               list_for_each_entry(it, &sh->list, list) {
-                       if (!strncmp(it->name, name, sizeof(it->name))) {
-                               session = it;
-                               break;
-                       }
+       guard(rwsem_read)(&sh->rwsem);
+       list_for_each_entry(it, &sh->list, list) {
+               if (!strncmp(it->name, name, sizeof(it->name))) {
+                       session = it;
+                       break;
                }
        }