Re: [PATCH 1/1] liveupdate: luo_file: Add internal APIs for file preservation

[Pratyush Yadav <pratyush@kernel.org>]

On Mon, Jun 29 2026, Pratyush Yadav wrote:

> On Mon, Jun 29 2026, Pasha Tatashin wrote:
>
>> On 06-26 13:57, Pratyush Yadav wrote:
>>> Hi Sami,
>>> 
>>> On Sat, Jun 13 2026, Samiullah Khawaja wrote:
>>> 
>>> > From: Pasha Tatashin <pasha.tatashin@soleen.com>
>>> >
>>> > Live update orchestrator file handlers depend on the preservation of
>>> > other files. To make sure that the dependency is preserved, the file
>>> > handlers needs to fetch the preservation token of the preserved
>>> > dependency. Similarly during restore, a file handler wants to fetch the
>>> > restored file of the dependency.
>>> >
>>> > Add APIs that allows fetching token of dependency during preservation,
>>> > and fetching the restored file dependency during restore.
>>> >
>>> > Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
>>> > Signed-off-by: Samiullah Khawaja <skhawaja@google.com>
[...]
>>
>> To achieve this, LUO provides the .can_finish() callback. So, LUO does
>> two-phase verification:
>>
>> 1. It iterates through all tracked files and invokes .can_finish().
>> 2. Only if *all* files return success does it proceed to invoke .finish().
>>
>> If a VMM restores a file (such as guest_memfd) but fails to restore its
>> dependency (such as the VM FD), or attempts to close the session 
>> prematurely, the .can_finish() check for that file will fail (returning 
>> -EBUSY), and the entire finish sequence will abort. This guarantees 
>> kernel-enforced correctness at the session boundary and without forcing 
>> the VMM to execute restores in a strict sequential order, which anway 
>> would not make  any sense from kernel side due to circular dependecies 
>> issue, where topological sort does not exist.
>>
>>> 
>>> But on the preservation side, VMMs still do need to follow the
>>> topological order of dependencies. Because if they don't, the
>>> liveupdate_get_token_outgoing() call will fail and preservation can't
>>> proceed.
>>
>> Actually, preservation can also be performed in an order-independent manner.
>> While a handler can call liveupdate_get_token_outgoing() during .preserve(),
>> it can also defer this query until the .freeze() callback. Because .freeze()
>> is invoked after all files in the session have completed their .preserve() phase,
>> all dependency tokens are guaranteed to be available, completely eliminating any
>> topological ordering requirements during the initial preservation calls. It is
>> up to individual file handler implementations to decide whether they wish to
>> enforce ordering at .preserve() time or defer it to .freeze().
>
> That is the worst of both worlds. I get your point that LUO doesn't want
> to enforce dependency ordering. My arguments against that are somewhat
> subjective so I can live with this.
>
> But then you can't let file handlers enforce it as they wish. The
> dependency ordering is uAPI because it directly affects how VMMs
> preserve files. If the VMM has to keep track of dependencies for some
> file types and doesn't have to do so for others, that is a terrible and
> inconsistent API.
>
> Ideally, LUO should handle the dependencies on its own. preserve() can
> give LUO a list of files the preserved file depends on, and LUO makes
> sure all the dependencies are present in the session at freeze. We would
> also need a way of getting the dependent files back from LUO on
> retrieve(). That would make sure the dependencies are properly enforced
> both on freeze and finish, and the enforcement isn't left up to the file
> handlers.
>
> Unfortunately all that sounds fairly complicated so I am not sure if we
> want to do that just yet, although I would like to hear your thoughts on
> this.

We had discussion about this in the live update bi-weekly today. The
conclusion we arrived at is to keep the current functionality. That is,
we don't enforce preservation dependency.

But that also means file handlers can't try to get their dependent file
in their preserve() callback, since that would implicitly enforce
ordering. They always _have_ to do it from their freeze() callback.

Similarly, on retrieve side, file handlers enforce their dependent files
are restored via the can_finish() callback only.

So I think the next steps for this series is to clearly document this
requirement for file handlers in the documentation for
liveupdate_get_token_outgoing() and liveupdate_get_file_incoming().

Also, I think you need some way of tracking if the file was explicitly
restored by userspace, which is something file handlers would then need
to call in their can_finish().

[...]

-- 
Regards,
Pratyush Yadav