All of lore.kernel.org
 help / color / mirror / Atom feed
From: Pasha Tatashin <pasha.tatashin@soleen.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Pratyush Yadav <pratyush@kernel.org>,
	David Matlack <dmatlack@google.com>,
	kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org, Mike Rapoport <rppt@kernel.org>,
	Pasha Tatashin <pasha.tatashin@soleen.com>,
	Samiullah Khawaja <skhawaja@google.com>,
	Shuah Khan <shuah@kernel.org>,
	luca.boccassi@gmail.com
Subject: Re: [RFC PATCH] liveupdate: Allow multiple openers for /dev/liveupdate
Date: Thu, 16 Jul 2026 10:40:30 -0400	[thread overview]
Message-ID: <aljtXsr6xvI6FAmA@google.com> (raw)
In-Reply-To: <20260715172336.GC3775915@nvidia.com>

On 07-15 14:23, Jason Gunthorpe wrote:
> On Wed, Jul 15, 2026 at 03:50:33PM +0200, Pratyush Yadav wrote:
> > Hi David,
> > 
> > On Tue, Jul 14 2026, David Matlack wrote:
> > 
> > > Remove the single-opener restriction for /dev/liveupdate by removing the
> > > atomic in_use tracking and the exclusive open check in luo_open() that
> > > returned -EBUSY. Protect luo_session_deserialize() with a mutex guard so
> > > that concurrent open attempts by multiple processes safely executes
> > > deserialization only once. Update liveupdate selftest to verify that
> > > multiple concurrent openers succeed.
> > >
> > > LUO does not inherently require a single opener. There is some
> > > documentation about it simplifying state management, but the only thing
> > > it actually protects is the session deserialization during first open,
> > > which can be easily handled with a mutex.
> > >
> > > Relaxing the single-opener requirement avoids the kernel forcing a
> > > design pattern on userspace that it itself does not require, e.g.
> > > allowing multiple userspace processes to create and manage sessions.
> > 
> > Agreed. When the kernel had a global state machine in the early versions
> > of LUO, this might have been more relevant. With sessions, even if we
> > later add a state machine, it likely will be per-session instead of
> > being global. So I think letting userspace open /dev/liveupdate multiple
> > times makes a lot of sense.
> > 
> > Also, today's systemd only supports preserving individual files, and
> > does not hand out sessions. To get sessions, userspace must open

It should in the future, because of permissions issue, see below.

> > /dev/liveupdate and create a session. This opens up room for one bad
> > process to block every other process from creating sessions. It also
> > imposes a need for userspace to add a polling/retry logic for getting
> > sessions and serializes their execution around this point.
> 
> Shouldn't systemd open and own /dev/liveupdate? That was at least what
> I originally expected here, you'd talk to it and get a session FD
> through dbus.
> 
> Moving to multi-opening /dev/liveupdate and removing visibility of
> what sessions are open from systemd is a different model
> 
> Not saying this patch is wrong or anything, but that I don't really
> understand what kind of model you are going for now.

CC Luca for systemd's take.

/dev/liveupdate should only be accessed by a privileged process, and 
sessions should be accessed by whoever originally created them. While 
this patch does not change the permissions, it paves the road for us to 
move in the wrong direction: instead of having a privileged userspace 
manager that distributes the sessions to their rightful owners, it 
encourages userspace to work around the permissions so that VMMs access 
/dev/liveupdate to retrieve or store their sessions directly. This would 
also allow them to access sessions belonging to any other participant of 
the live update.

Instead, sessions should be created and retrieved by a privileged 
process that knows to send them back to their rightful owner after 
retrieval.

Also, as a minor concern, each userspace LUO manager needs its own 
session to maintain state. This means that by allowing multiple 
managers, they may run into naming conflicts for those state sessions.

Pasha

> 
> Jason

  reply	other threads:[~2026-07-16 14:40 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-14 19:03 [RFC PATCH] liveupdate: Allow multiple openers for /dev/liveupdate David Matlack
2026-07-15 13:50 ` Pratyush Yadav
2026-07-15 16:07   ` David Matlack
2026-07-15 17:23   ` Jason Gunthorpe
2026-07-16 14:40     ` Pasha Tatashin [this message]
2026-07-16 15:41       ` Pratyush Yadav
2026-07-16 15:23     ` Pratyush Yadav
2026-07-16 15:59       ` Luca Boccassi
2026-07-16  6:06 ` Mike Rapoport

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aljtXsr6xvI6FAmA@google.com \
    --to=pasha.tatashin@soleen.com \
    --cc=dmatlack@google.com \
    --cc=jgg@nvidia.com \
    --cc=kexec@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=luca.boccassi@gmail.com \
    --cc=pratyush@kernel.org \
    --cc=rppt@kernel.org \
    --cc=shuah@kernel.org \
    --cc=skhawaja@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.