* [PATCH v6 12/20] mm: shmem: allow freezing inode mapping
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
From: Pratyush Yadav <ptyadav@amazon.de>
To prepare a shmem inode for live update via the Live Update
Orchestrator (LUO), its index -> folio mappings must be serialized. Once
the mappings are serialized, they cannot change since it would cause the
serialized data to become inconsistent. This can be done by pinning the
folios to avoid migration, and by making sure no folios can be added to
or removed from the inode.
While mechanisms to pin folios already exist, the only way to stop
folios being added or removed are the grow and shrink file seals. But
file seals come with their own semantics, one of which is that they
can't be removed. This doesn't work with liveupdate since it can be
cancelled or error out, which would need the seals to be removed and the
file's normal functionality to be restored.
Introduce SHMEM_F_MAPPING_FROZEN to indicate this instead. It is
internal to shmem and is not directly exposed to userspace. It functions
similar to F_SEAL_GROW | F_SEAL_SHRINK, but additionally disallows hole
punching, and can be removed.
Signed-off-by: Pratyush Yadav <ptyadav@amazon.de>
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
include/linux/shmem_fs.h | 17 +++++++++++++++++
mm/shmem.c | 12 +++++++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h
index 650874b400b5..a9f5db472a39 100644
--- a/include/linux/shmem_fs.h
+++ b/include/linux/shmem_fs.h
@@ -24,6 +24,14 @@ struct swap_iocb;
#define SHMEM_F_NORESERVE BIT(0)
/* Disallow swapping. */
#define SHMEM_F_LOCKED BIT(1)
+/*
+ * Disallow growing, shrinking, or hole punching in the inode. Combined with
+ * folio pinning, makes sure the inode's mapping stays fixed.
+ *
+ * In some ways similar to F_SEAL_GROW | F_SEAL_SHRINK, but can be removed and
+ * isn't directly visible to userspace.
+ */
+#define SHMEM_F_MAPPING_FROZEN BIT(2)
struct shmem_inode_info {
spinlock_t lock;
@@ -186,6 +194,15 @@ static inline bool shmem_file(struct file *file)
return shmem_mapping(file->f_mapping);
}
+/* Must be called with inode lock taken exclusive. */
+static inline void shmem_i_mapping_freeze(struct inode *inode, bool freeze)
+{
+ if (freeze)
+ SHMEM_I(inode)->flags |= SHMEM_F_MAPPING_FROZEN;
+ else
+ SHMEM_I(inode)->flags &= ~SHMEM_F_MAPPING_FROZEN;
+}
+
/*
* If fallocate(FALLOC_FL_KEEP_SIZE) has been used, there may be pages
* beyond i_size's notion of EOF, which fallocate has committed to reserving:
diff --git a/mm/shmem.c b/mm/shmem.c
index 1d5036dec08a..05c3db840257 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1292,7 +1292,8 @@ static int shmem_setattr(struct mnt_idmap *idmap,
loff_t newsize = attr->ia_size;
/* protected by i_rwsem */
- if ((newsize < oldsize && (info->seals & F_SEAL_SHRINK)) ||
+ if ((info->flags & SHMEM_F_MAPPING_FROZEN) ||
+ (newsize < oldsize && (info->seals & F_SEAL_SHRINK)) ||
(newsize > oldsize && (info->seals & F_SEAL_GROW)))
return -EPERM;
@@ -3289,6 +3290,10 @@ shmem_write_begin(const struct kiocb *iocb, struct address_space *mapping,
return -EPERM;
}
+ if (unlikely((info->flags & SHMEM_F_MAPPING_FROZEN) &&
+ pos + len > inode->i_size))
+ return -EPERM;
+
ret = shmem_get_folio(inode, index, pos + len, &folio, SGP_WRITE);
if (ret)
return ret;
@@ -3662,6 +3667,11 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
inode_lock(inode);
+ if (info->flags & SHMEM_F_MAPPING_FROZEN) {
+ error = -EPERM;
+ goto out;
+ }
+
if (mode & FALLOC_FL_PUNCH_HOLE) {
struct address_space *mapping = file->f_mapping;
loff_t unmap_start = round_up(offset, PAGE_SIZE);
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 11/20] mm: shmem: use SHMEM_F_* flags instead of VM_* flags
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
From: Pratyush Yadav <ptyadav@amazon.de>
shmem_inode_info::flags can have the VM flags VM_NORESERVE and
VM_LOCKED. These are used to suppress pre-accounting or to lock the
pages in the inode respectively. Using the VM flags directly makes it
difficult to add shmem-specific flags that are unrelated to VM behavior
since one would need to find a VM flag not used by shmem and re-purpose
it.
Introduce SHMEM_F_NORESERVE and SHMEM_F_LOCKED which represent the same
information, but their bits are independent of the VM flags. Callers can
still pass VM_NORESERVE to shmem_get_inode(), but it gets transformed to
the shmem-specific flag internally.
No functional changes intended.
Signed-off-by: Pratyush Yadav <ptyadav@amazon.de>
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
include/linux/shmem_fs.h | 6 ++++++
mm/shmem.c | 28 +++++++++++++++-------------
2 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h
index 0e47465ef0fd..650874b400b5 100644
--- a/include/linux/shmem_fs.h
+++ b/include/linux/shmem_fs.h
@@ -10,6 +10,7 @@
#include <linux/xattr.h>
#include <linux/fs_parser.h>
#include <linux/userfaultfd_k.h>
+#include <linux/bits.h>
struct swap_iocb;
@@ -19,6 +20,11 @@ struct swap_iocb;
#define SHMEM_MAXQUOTAS 2
#endif
+/* Suppress pre-accounting of the entire object size. */
+#define SHMEM_F_NORESERVE BIT(0)
+/* Disallow swapping. */
+#define SHMEM_F_LOCKED BIT(1)
+
struct shmem_inode_info {
spinlock_t lock;
unsigned int seals; /* shmem seals */
diff --git a/mm/shmem.c b/mm/shmem.c
index 58701d14dd96..1d5036dec08a 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -175,20 +175,20 @@ static inline struct shmem_sb_info *SHMEM_SB(struct super_block *sb)
*/
static inline int shmem_acct_size(unsigned long flags, loff_t size)
{
- return (flags & VM_NORESERVE) ?
+ return (flags & SHMEM_F_NORESERVE) ?
0 : security_vm_enough_memory_mm(current->mm, VM_ACCT(size));
}
static inline void shmem_unacct_size(unsigned long flags, loff_t size)
{
- if (!(flags & VM_NORESERVE))
+ if (!(flags & SHMEM_F_NORESERVE))
vm_unacct_memory(VM_ACCT(size));
}
static inline int shmem_reacct_size(unsigned long flags,
loff_t oldsize, loff_t newsize)
{
- if (!(flags & VM_NORESERVE)) {
+ if (!(flags & SHMEM_F_NORESERVE)) {
if (VM_ACCT(newsize) > VM_ACCT(oldsize))
return security_vm_enough_memory_mm(current->mm,
VM_ACCT(newsize) - VM_ACCT(oldsize));
@@ -206,7 +206,7 @@ static inline int shmem_reacct_size(unsigned long flags,
*/
static inline int shmem_acct_blocks(unsigned long flags, long pages)
{
- if (!(flags & VM_NORESERVE))
+ if (!(flags & SHMEM_F_NORESERVE))
return 0;
return security_vm_enough_memory_mm(current->mm,
@@ -215,7 +215,7 @@ static inline int shmem_acct_blocks(unsigned long flags, long pages)
static inline void shmem_unacct_blocks(unsigned long flags, long pages)
{
- if (flags & VM_NORESERVE)
+ if (flags & SHMEM_F_NORESERVE)
vm_unacct_memory(pages * VM_ACCT(PAGE_SIZE));
}
@@ -1551,7 +1551,7 @@ int shmem_writeout(struct folio *folio, struct swap_iocb **plug,
int nr_pages;
bool split = false;
- if ((info->flags & VM_LOCKED) || sbinfo->noswap)
+ if ((info->flags & SHMEM_F_LOCKED) || sbinfo->noswap)
goto redirty;
if (!total_swap_pages)
@@ -2910,15 +2910,15 @@ int shmem_lock(struct file *file, int lock, struct ucounts *ucounts)
* ipc_lock_object() when called from shmctl_do_lock(),
* no serialization needed when called from shm_destroy().
*/
- if (lock && !(info->flags & VM_LOCKED)) {
+ if (lock && !(info->flags & SHMEM_F_LOCKED)) {
if (!user_shm_lock(inode->i_size, ucounts))
goto out_nomem;
- info->flags |= VM_LOCKED;
+ info->flags |= SHMEM_F_LOCKED;
mapping_set_unevictable(file->f_mapping);
}
- if (!lock && (info->flags & VM_LOCKED) && ucounts) {
+ if (!lock && (info->flags & SHMEM_F_LOCKED) && ucounts) {
user_shm_unlock(inode->i_size, ucounts);
- info->flags &= ~VM_LOCKED;
+ info->flags &= ~SHMEM_F_LOCKED;
mapping_clear_unevictable(file->f_mapping);
}
retval = 0;
@@ -3062,7 +3062,7 @@ static struct inode *__shmem_get_inode(struct mnt_idmap *idmap,
spin_lock_init(&info->lock);
atomic_set(&info->stop_eviction, 0);
info->seals = F_SEAL_SEAL;
- info->flags = flags & VM_NORESERVE;
+ info->flags = (flags & VM_NORESERVE) ? SHMEM_F_NORESERVE : 0;
info->i_crtime = inode_get_mtime(inode);
info->fsflags = (dir == NULL) ? 0 :
SHMEM_I(dir)->fsflags & SHMEM_FL_INHERITED;
@@ -5804,8 +5804,10 @@ static inline struct inode *shmem_get_inode(struct mnt_idmap *idmap,
/* common code */
static struct file *__shmem_file_setup(struct vfsmount *mnt, const char *name,
- loff_t size, unsigned long flags, unsigned int i_flags)
+ loff_t size, unsigned long vm_flags,
+ unsigned int i_flags)
{
+ unsigned long flags = (vm_flags & VM_NORESERVE) ? SHMEM_F_NORESERVE : 0;
struct inode *inode;
struct file *res;
@@ -5822,7 +5824,7 @@ static struct file *__shmem_file_setup(struct vfsmount *mnt, const char *name,
return ERR_PTR(-ENOMEM);
inode = shmem_get_inode(&nop_mnt_idmap, mnt->mnt_sb, NULL,
- S_IFREG | S_IRWXUGO, 0, flags);
+ S_IFREG | S_IRWXUGO, 0, vm_flags);
if (IS_ERR(inode)) {
shmem_unacct_size(flags, size);
return ERR_CAST(inode);
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 10/20] MAINTAINERS: add liveupdate entry
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
Add a MAINTAINERS file entry for the new Live Update Orchestrator
introduced in previous patches.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
MAINTAINERS | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/MAINTAINERS b/MAINTAINERS
index 500789529359..bc9f5c6f0e80 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -14464,6 +14464,17 @@ F: kernel/module/livepatch.c
F: samples/livepatch/
F: tools/testing/selftests/livepatch/
+LIVE UPDATE
+M: Pasha Tatashin <pasha.tatashin@soleen.com>
+L: linux-kernel@vger.kernel.org
+S: Maintained
+F: Documentation/core-api/liveupdate.rst
+F: Documentation/userspace-api/liveupdate.rst
+F: include/linux/liveupdate.h
+F: include/linux/liveupdate/
+F: include/uapi/linux/liveupdate.h
+F: kernel/liveupdate/
+
LLC (802.2)
L: netdev@vger.kernel.org
S: Odd fixes
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 09/20] docs: add luo documentation
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
Add the documentation files for the Live Update Orchestrator
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
Documentation/core-api/index.rst | 1 +
Documentation/core-api/liveupdate.rst | 64 ++++++++++++++++++++++
Documentation/userspace-api/index.rst | 1 +
Documentation/userspace-api/liveupdate.rst | 20 +++++++
4 files changed, 86 insertions(+)
create mode 100644 Documentation/core-api/liveupdate.rst
create mode 100644 Documentation/userspace-api/liveupdate.rst
diff --git a/Documentation/core-api/index.rst b/Documentation/core-api/index.rst
index 6cbdcbfa79c3..5eb0fbbbc323 100644
--- a/Documentation/core-api/index.rst
+++ b/Documentation/core-api/index.rst
@@ -138,6 +138,7 @@ Documents that don't fit elsewhere or which have yet to be categorized.
:maxdepth: 1
librs
+ liveupdate
netlink
.. only:: subproject and html
diff --git a/Documentation/core-api/liveupdate.rst b/Documentation/core-api/liveupdate.rst
new file mode 100644
index 000000000000..deacc098d024
--- /dev/null
+++ b/Documentation/core-api/liveupdate.rst
@@ -0,0 +1,64 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+========================
+Live Update Orchestrator
+========================
+:Author: Pasha Tatashin <pasha.tatashin@soleen.com>
+
+.. kernel-doc:: kernel/liveupdate/luo_core.c
+ :doc: Live Update Orchestrator (LUO)
+
+LUO Sessions
+============
+.. kernel-doc:: kernel/liveupdate/luo_session.c
+ :doc: LUO Sessions
+
+LUO Preserving File Descriptors
+===============================
+.. kernel-doc:: kernel/liveupdate/luo_file.c
+ :doc: LUO File Descriptors
+
+LUO File Lifecycle Bound Global Data
+====================================
+.. kernel-doc:: kernel/liveupdate/luo_flb.c
+ :doc: LUO File Lifecycle Bound Global Data
+
+Live Update Orchestrator ABI
+============================
+.. kernel-doc:: include/linux/liveupdate/abi/luo.h
+ :doc: Live Update Orchestrator ABI
+
+Public API
+==========
+.. kernel-doc:: include/linux/liveupdate.h
+
+.. kernel-doc:: include/linux/liveupdate/abi/luo.h
+
+.. kernel-doc:: kernel/liveupdate/luo_core.c
+ :export:
+
+.. kernel-doc:: kernel/liveupdate/luo_flb.c
+ :export:
+
+.. kernel-doc:: kernel/liveupdate/luo_file.c
+ :export:
+
+Internal API
+============
+.. kernel-doc:: kernel/liveupdate/luo_core.c
+ :internal:
+
+.. kernel-doc:: kernel/liveupdate/luo_flb.c
+ :internal:
+
+.. kernel-doc:: kernel/liveupdate/luo_session.c
+ :internal:
+
+.. kernel-doc:: kernel/liveupdate/luo_file.c
+ :internal:
+
+See Also
+========
+
+- :doc:`Live Update uAPI </userspace-api/liveupdate>`
+- :doc:`/core-api/kho/concepts`
diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst
index b8c73be4fb11..8a61ac4c1bf1 100644
--- a/Documentation/userspace-api/index.rst
+++ b/Documentation/userspace-api/index.rst
@@ -61,6 +61,7 @@ Everything else
:maxdepth: 1
ELF
+ liveupdate
netlink/index
sysfs-platform_profile
vduse
diff --git a/Documentation/userspace-api/liveupdate.rst b/Documentation/userspace-api/liveupdate.rst
new file mode 100644
index 000000000000..04210a6cf6d6
--- /dev/null
+++ b/Documentation/userspace-api/liveupdate.rst
@@ -0,0 +1,20 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+================
+Live Update uAPI
+================
+:Author: Pasha Tatashin <pasha.tatashin@soleen.com>
+
+ioctl interface
+===============
+.. kernel-doc:: kernel/liveupdate/luo_ioctl.c
+ :doc: LUO ioctl Interface
+
+ioctl uAPI
+===========
+.. kernel-doc:: include/uapi/linux/liveupdate.h
+
+See Also
+========
+
+- :doc:`Live Update Orchestrator </core-api/liveupdate>`
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 08/20] liveupdate: luo_flb: Introduce File-Lifecycle-Bound global state
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
Introduce a mechanism for managing global kernel state whose lifecycle
is tied to the preservation of one or more files. This is necessary for
subsystems where multiple preserved file descriptors depend on a single,
shared underlying resource.
An example is HugeTLB, where multiple file descriptors such as memfd and
guest_memfd may rely on the state of a single HugeTLB subsystem.
Preserving this state for each individual file would be redundant and
incorrect. The state should be preserved only once when the first file
is preserved, and restored/finished only once the last file is handled.
This patch introduces File-Lifecycle-Bound (FLB) objects to solve this
problem. An FLB is a global, reference-counted object with a defined set
of operations:
- A file handler (struct liveupdate_file_handler) declares a dependency
on one or more FLBs via a new registration function,
liveupdate_register_flb().
- When the first file depending on an FLB is preserved, the FLB's
.preserve() callback is invoked to save the shared global state. The
reference count is then incremented for each subsequent file.
- Conversely, when the last file is unpreserved (before reboot) or
finished (after reboot), the FLB's .unpreserve() or .finish() callback
is invoked to clean up the global resource.
The implementation includes:
- A new set of ABI definitions (luo_flb_ser, luo_flb_head_ser) and a
corresponding FDT node (luo-flb) to serialize the state of all active
FLBs and pass them via Kexec Handover.
- Core logic in luo_flb.c to manage FLB registration, reference
counting, and the invocation of lifecycle callbacks.
- An API (liveupdate_flb_*_locked/*_unlock) for other kernel subsystems
to safely access the live object managed by an FLB, both before and
after the live update.
This framework provides the necessary infrastructure for more complex
subsystems like IOMMU, VFIO, and KVM to integrate with the Live Update
Orchestrator.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
include/linux/liveupdate.h | 116 +++++
include/linux/liveupdate/abi/luo.h | 76 ++++
kernel/liveupdate/Makefile | 1 +
kernel/liveupdate/luo_core.c | 7 +-
kernel/liveupdate/luo_file.c | 8 +
kernel/liveupdate/luo_flb.c | 658 +++++++++++++++++++++++++++++
kernel/liveupdate/luo_internal.h | 7 +
7 files changed, 872 insertions(+), 1 deletion(-)
create mode 100644 kernel/liveupdate/luo_flb.c
diff --git a/include/linux/liveupdate.h b/include/linux/liveupdate.h
index 4a5d4dd9905a..36a831ae3ead 100644
--- a/include/linux/liveupdate.h
+++ b/include/linux/liveupdate.h
@@ -14,6 +14,7 @@
#include <uapi/linux/liveupdate.h>
struct liveupdate_file_handler;
+struct liveupdate_flb;
struct liveupdate_session;
struct file;
@@ -81,6 +82,7 @@ struct liveupdate_file_ops {
* associated with individual &struct file instances.
* @list: Used for linking this handler instance into a global
* list of registered file handlers.
+ * @flb_list: A list of FLB dependencies.
*
* Modules that want to support live update for specific file types should
* register an instance of this structure. LUO uses this registration to
@@ -91,6 +93,80 @@ struct liveupdate_file_handler {
const struct liveupdate_file_ops *ops;
const char compatible[LIVEUPDATE_HNDL_COMPAT_LENGTH];
struct list_head list;
+ struct list_head flb_list;
+};
+
+/**
+ * struct liveupdate_flb_op_args - Arguments for FLB operation callbacks.
+ * @flb: The global FLB instance for which this call is performed.
+ * @data: For .preserve(): [OUT] The callback sets this field.
+ * For .unpreserve(): [IN] The handle from .preserve().
+ * For .retrieve(): [IN] The handle from .preserve().
+ * @obj: For .preserve(): [OUT] Sets this to the live object.
+ * For .retrieve(): [OUT] Sets this to the live object.
+ * For .finish(): [IN] The live object from .retrieve().
+ *
+ * This structure bundles all parameters for the FLB operation callbacks.
+ */
+struct liveupdate_flb_op_args {
+ struct liveupdate_flb *flb;
+ u64 data;
+ void *obj;
+};
+
+/**
+ * struct liveupdate_flb_ops - Callbacks for global File-Lifecycle-Bound data.
+ * @preserve: Called when the first file using this FLB is preserved.
+ * The callback must save its state and return a single,
+ * self-contained u64 handle by setting the 'argp->data'
+ * field and 'argp->obj'.
+ * @unpreserve: Called when the last file using this FLB is unpreserved
+ * (aborted before reboot). Receives the handle via
+ * 'argp->data' and live object via 'argp->obj'.
+ * @retrieve: Called on-demand in the new kernel, the first time a
+ * component requests access to the shared object. It receives
+ * the preserved handle via 'argp->data' and must reconstruct
+ * the live object, returning it by setting the 'argp->obj'
+ * field.
+ * @finish: Called in the new kernel when the last file using this FLB
+ * is finished. Receives the live object via 'argp->obj' for
+ * cleanup.
+ * @owner: Module reference
+ *
+ * Operations that manage global shared data with file bound lifecycle,
+ * triggered by the first file that uses it and concluded by the last file that
+ * uses it, across all sessions.
+ */
+struct liveupdate_flb_ops {
+ int (*preserve)(struct liveupdate_flb_op_args *argp);
+ void (*unpreserve)(struct liveupdate_flb_op_args *argp);
+ int (*retrieve)(struct liveupdate_flb_op_args *argp);
+ void (*finish)(struct liveupdate_flb_op_args *argp);
+ struct module *owner;
+};
+
+/**
+ * struct liveupdate_flb - A global definition for a shared data object.
+ * @ops: Callback functions
+ * @compatible: The compatibility string (e.g., "iommu-core-v1"
+ * that uniquely identifies the FLB type this handler
+ * supports. This is matched against the compatible string
+ * associated with individual &struct liveupdate_flb
+ * instances.
+ * @list: A global list of registered FLBs.
+ * @internal: Internal state, set in liveupdate_init_flb().
+ *
+ * This struct is the "template" that a driver registers to define a shared,
+ * file-lifecycle-bound object. The actual runtime state (the live object,
+ * refcount, etc.) is managed internally by the LUO core.
+ * Use liveupdate_init_flb() to initialize this struct before using it in
+ * other functions.
+ */
+struct liveupdate_flb {
+ const struct liveupdate_flb_ops *ops;
+ const char compatible[LIVEUPDATE_FLB_COMPAT_LENGTH];
+ struct list_head list;
+ void *internal;
};
#ifdef CONFIG_LIVEUPDATE
@@ -111,6 +187,17 @@ int liveupdate_get_file_incoming(struct liveupdate_session *s, u64 token,
int liveupdate_get_token_outgoing(struct liveupdate_session *s,
struct file *file, u64 *tokenp);
+/* Before using FLB for the first time it should be initialized */
+int liveupdate_init_flb(struct liveupdate_flb *flb);
+
+int liveupdate_register_flb(struct liveupdate_file_handler *h,
+ struct liveupdate_flb *flb);
+
+int liveupdate_flb_incoming_locked(struct liveupdate_flb *flb, void **objp);
+void liveupdate_flb_incoming_unlock(struct liveupdate_flb *flb, void *obj);
+int liveupdate_flb_outgoing_locked(struct liveupdate_flb *flb, void **objp);
+void liveupdate_flb_outgoing_unlock(struct liveupdate_flb *flb, void *obj);
+
#else /* CONFIG_LIVEUPDATE */
static inline bool liveupdate_enabled(void)
@@ -140,5 +227,34 @@ static inline int liveupdate_get_token_outgoing(struct liveupdate_session *s,
return -EOPNOTSUPP;
}
+static inline int liveupdate_init_flb(struct liveupdate_flb *flb)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int liveupdate_register_flb(struct liveupdate_file_handler *h,
+ struct liveupdate_flb *flb)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int liveupdate_flb_incoming_locked(struct liveupdate_flb *flb,
+ void **objp)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline void liveupdate_flb_incoming_unlock(struct liveupdate_flb *flb,
+ void *obj) { }
+
+static inline int liveupdate_flb_outgoing_locked(struct liveupdate_flb *flb,
+ void **objp)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline void liveupdate_flb_outgoing_unlock(struct liveupdate_flb *flb,
+ void *obj) { }
+
#endif /* CONFIG_LIVEUPDATE */
#endif /* _LINUX_LIVEUPDATE_H */
diff --git a/include/linux/liveupdate/abi/luo.h b/include/linux/liveupdate/abi/luo.h
index 3a596ca1907b..85596ce68c16 100644
--- a/include/linux/liveupdate/abi/luo.h
+++ b/include/linux/liveupdate/abi/luo.h
@@ -33,6 +33,11 @@
* compatible = "luo-session-v1";
* luo-session-header = <phys_addr_of_session_header_ser>;
* };
+ *
+ * luo-flb {
+ * compatible = "luo-flb-v1";
+ * luo-flb-header = <phys_addr_of_flb_header_ser>;
+ * };
* };
*
* Main LUO Node (/):
@@ -52,6 +57,17 @@
* is the header for a contiguous block of memory containing an array of
* `struct luo_session_ser`, one for each preserved session.
*
+ * File-Lifecycle-Bound Node (luo-flb):
+ * This node describes all preserved global objects whose lifecycle is bound
+ * to that of the preserved files (e.g., shared IOMMU state).
+ *
+ * - compatible: "luo-flb-v1"
+ * Identifies the FLB ABI version.
+ * - luo-flb-header: u64
+ * The physical address of a `struct luo_flb_header_ser`. This structure is
+ * the header for a contiguous block of memory containing an array of
+ * `struct luo_flb_ser`, one for each preserved global object.
+ *
* Serialization Structures:
* The FDT properties point to memory regions containing arrays of simple,
* `__packed` structures. These structures contain the actual preserved state.
@@ -70,6 +86,16 @@
* Metadata for a single preserved file. Contains the `compatible` string to
* find the correct handler in the new kernel, a user-provided `token` for
* identification, and an opaque `data` handle for the handler to use.
+ *
+ * - struct luo_flb_header_ser:
+ * Header for the FLB array. Contains the total page count of the
+ * preserved memory block and the number of `struct luo_flb_ser` entries
+ * that follow.
+ *
+ * - struct luo_flb_ser:
+ * Metadata for a single preserved global object. Contains its `name`
+ * (compatible string), an opaque `data` handle, and the `count`
+ * number of files depending on it.
*/
#ifndef _LINUX_LIVEUPDATE_ABI_LUO_H
@@ -154,4 +180,54 @@ struct luo_file_ser {
u64 token;
} __packed;
+/* The max size is set so it can be reliably used during in serialization */
+#define LIVEUPDATE_FLB_COMPAT_LENGTH 48
+
+#define LUO_FDT_FLB_NODE_NAME "luo-flb"
+#define LUO_FDT_FLB_COMPATIBLE "luo-flb-v1"
+#define LUO_FDT_FLB_HEADER "luo-flb-header"
+
+/**
+ * struct luo_flb_header_ser - Header for the serialized FLB data block.
+ * @pgcnt: The total number of pages occupied by the entire preserved memory
+ * region, including this header and the subsequent array of
+ * &struct luo_flb_ser entries.
+ * @count: The number of &struct luo_flb_ser entries that follow this header
+ * in the memory block.
+ *
+ * This structure is located at the physical address specified by the
+ * `LUO_FDT_FLB_HEADER` FDT property. It provides the new kernel with the
+ * necessary information to find and iterate over the array of preserved
+ * File-Lifecycle-Bound objects and to manage the underlying memory.
+ *
+ * If this structure is modified, LUO_FDT_FLB_COMPATIBLE must be updated.
+ */
+struct luo_flb_header_ser {
+ u64 pgcnt;
+ u64 count;
+} __packed;
+
+/**
+ * struct luo_flb_ser - Represents the serialized state of a single FLB object.
+ * @name: The unique compatibility string of the FLB object, used to find the
+ * corresponding &struct liveupdate_flb handler in the new kernel.
+ * @data: The opaque u64 handle returned by the FLB's .preserve() operation
+ * in the old kernel. This handle encapsulates the entire state needed
+ * for restoration.
+ * @count: The reference count at the time of serialization; i.e., the number
+ * of preserved files that depended on this FLB. This is used by the
+ * new kernel to correctly manage the FLB's lifecycle.
+ *
+ * An array of these structures is created in a preserved memory region and
+ * passed to the new kernel. Each entry allows the LUO core to restore one
+ * global, shared object.
+ *
+ * If this structure is modified, LUO_FDT_FLB_COMPATIBLE must be updated.
+ */
+struct luo_flb_ser {
+ char name[LIVEUPDATE_FLB_COMPAT_LENGTH];
+ u64 data;
+ u64 count;
+} __packed;
+
#endif /* _LINUX_LIVEUPDATE_ABI_LUO_H */
diff --git a/kernel/liveupdate/Makefile b/kernel/liveupdate/Makefile
index c2252a2ad7bd..8d5a8354ad5a 100644
--- a/kernel/liveupdate/Makefile
+++ b/kernel/liveupdate/Makefile
@@ -3,6 +3,7 @@
luo-y := \
luo_core.o \
luo_file.o \
+ luo_flb.o \
luo_ioctl.o \
luo_session.o
diff --git a/kernel/liveupdate/luo_core.c b/kernel/liveupdate/luo_core.c
index 653cdca5e25d..7c3932b6f96f 100644
--- a/kernel/liveupdate/luo_core.c
+++ b/kernel/liveupdate/luo_core.c
@@ -122,7 +122,9 @@ static int __init luo_early_startup(void)
if (err)
return err;
- return 0;
+ err = luo_flb_setup_incoming(luo_global.fdt_in);
+
+ return err;
}
static int __init liveupdate_early_init(void)
@@ -159,6 +161,7 @@ static int __init luo_fdt_setup(void)
err |= fdt_property_string(fdt_out, "compatible", LUO_FDT_COMPATIBLE);
err |= fdt_property(fdt_out, LUO_FDT_LIVEUPDATE_NUM, &ln, sizeof(ln));
err |= luo_session_setup_outgoing(fdt_out);
+ err |= luo_flb_setup_outgoing(fdt_out);
err |= fdt_end_node(fdt_out);
err |= fdt_finish(fdt_out);
if (err)
@@ -220,6 +223,8 @@ int liveupdate_reboot(void)
if (err)
return err;
+ luo_flb_serialize();
+
err = kho_finalize();
if (err) {
pr_err("kho_finalize failed %d\n", err);
diff --git a/kernel/liveupdate/luo_file.c b/kernel/liveupdate/luo_file.c
index dae27a69a09f..3d3bd84cb281 100644
--- a/kernel/liveupdate/luo_file.c
+++ b/kernel/liveupdate/luo_file.c
@@ -282,6 +282,10 @@ int luo_preserve_file(struct luo_session *session, u64 token, int fd)
if (err)
goto exit_err;
+ err = luo_flb_file_preserve(fh);
+ if (err)
+ goto exit_err;
+
luo_file = kzalloc(sizeof(*luo_file), GFP_KERNEL);
if (!luo_file) {
err = -ENOMEM;
@@ -301,6 +305,7 @@ int luo_preserve_file(struct luo_session *session, u64 token, int fd)
if (err) {
mutex_destroy(&luo_file->mutex);
kfree(luo_file);
+ luo_flb_file_unpreserve(fh);
goto exit_err;
} else {
luo_file->serialized_data = args.serialized_data;
@@ -352,6 +357,7 @@ void luo_file_unpreserve_files(struct luo_session *session)
args.file = luo_file->file;
args.serialized_data = luo_file->serialized_data;
luo_file->fh->ops->unpreserve(&args);
+ luo_flb_file_unpreserve(luo_file->fh);
list_del(&luo_file->list);
session->count--;
@@ -624,6 +630,7 @@ static void luo_file_finish_one(struct luo_session *session,
args.file = luo_file->file;
args.serialized_data = luo_file->serialized_data;
args.retrieved = luo_file->retrieved;
+ luo_flb_file_finish(luo_file->fh);
luo_file->fh->ops->finish(&args);
}
@@ -815,6 +822,7 @@ int liveupdate_register_file_handler(struct liveupdate_file_handler *fh)
return -EAGAIN;
INIT_LIST_HEAD(&fh->list);
+ INIT_LIST_HEAD(&fh->flb_list);
list_add_tail(&fh->list, &luo_file_handler_list);
return 0;
diff --git a/kernel/liveupdate/luo_flb.c b/kernel/liveupdate/luo_flb.c
new file mode 100644
index 000000000000..47fcd3d74eb5
--- /dev/null
+++ b/kernel/liveupdate/luo_flb.c
@@ -0,0 +1,658 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+/**
+ * DOC: LUO File Lifecycle Bound Global Data
+ *
+ * File-Lifecycle-Bound (FLB) objects provide a mechanism for managing global
+ * state that is shared across multiple live-updatable files. The lifecycle of
+ * this shared state is tied to the preservation of the files that depend on it.
+ *
+ * An FLB represents a global resource, such as the IOMMU core state, that is
+ * required by multiple file descriptors (e.g., all VFIO fds).
+ *
+ * The preservation of the FLB's state is triggered when the *first* file
+ * depending on it is preserved. The cleanup of this state (unpreserve or
+ * finish) is triggered when the *last* file depending on it is unpreserved or
+ * finished.
+ *
+ * Handler Dependency: A file handler declares its dependency on one or more
+ * FLBs by registering them via liveupdate_register_flb().
+ *
+ * Callback Model: Each FLB is defined by a set of operations
+ * (&struct liveupdate_flb_ops) that LUO invokes at key points:
+ *
+ * - .preserve(): Called for the first file. Saves global state.
+ * - .unpreserve(): Called for the last file (if aborted pre-reboot).
+ * - .retrieve(): Called on-demand in the new kernel to restore the state.
+ * - .finish(): Called for the last file in the new kernel for cleanup.
+ *
+ * This reference-counted approach ensures that shared state is saved exactly
+ * once and restored exactly once, regardless of how many files depend on it,
+ * and that its lifecycle is correctly managed across the kexec transition.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/cleanup.h>
+#include <linux/err.h>
+#include <linux/errno.h>
+#include <linux/io.h>
+#include <linux/kexec_handover.h>
+#include <linux/libfdt.h>
+#include <linux/list.h>
+#include <linux/liveupdate.h>
+#include <linux/liveupdate/abi/luo.h>
+#include <linux/module.h>
+#include <linux/mutex.h>
+#include <linux/slab.h>
+#include <linux/unaligned.h>
+#include "luo_internal.h"
+
+#define LUO_FLB_PGCNT 1ul
+#define LUO_FLB_MAX (((LUO_FLB_PGCNT << PAGE_SHIFT) - \
+ sizeof(struct luo_flb_header_ser)) / sizeof(struct luo_flb_ser))
+
+struct luo_flb_header {
+ struct luo_flb_header_ser *header_ser;
+ struct luo_flb_ser *ser;
+ bool active;
+};
+
+struct luo_flb_global {
+ struct luo_flb_header incoming;
+ struct luo_flb_header outgoing;
+ struct list_head list;
+ long count;
+};
+
+static struct luo_flb_global luo_flb_global = {
+ .list = LIST_HEAD_INIT(luo_flb_global.list),
+};
+
+/*
+ * struct luo_flb_link - Links an FLB definition to a file handler's internal
+ * list of dependencies.
+ * @flb: A pointer to the registered &struct liveupdate_flb definition.
+ * @list: The list_head for linking.
+ */
+struct luo_flb_link {
+ struct liveupdate_flb *flb;
+ struct list_head list;
+};
+
+/*
+ * struct luo_flb_state - Holds the runtime state for one FLB lifecycle path.
+ * @count: The number of preserved files currently depending on this FLB.
+ * This is used to trigger the preserve/unpreserve/finish ops on the
+ * first/last file.
+ * @data: The opaque u64 handle returned by .preserve() or passed to
+ * .retrieve().
+ * @obj: The live kernel object returned by .preserve() or .retrieve().
+ * @lock: A mutex that protects all fields within this structure, providing
+ * the synchronization service for the FLB's ops.
+ */
+struct luo_flb_state {
+ long count;
+ u64 data;
+ void *obj;
+ struct mutex lock;
+};
+
+/*
+ * struct luo_flb_internal - Keep separate incoming and outgoing states.
+ * @outgoing: The runtime state for the pre-reboot (preserve/unpreserve)
+ * lifecycle.
+ * @incoming: The runtime state for the post-reboot (retrieve/finish)
+ * lifecycle.
+ */
+struct luo_flb_internal {
+ struct luo_flb_state outgoing;
+ struct luo_flb_state incoming;
+};
+
+static int luo_flb_file_preserve_one(struct liveupdate_flb *flb)
+{
+ struct luo_flb_internal *internal = flb->internal;
+
+ scoped_guard(mutex, &internal->outgoing.lock) {
+ if (!internal->outgoing.count) {
+ struct liveupdate_flb_op_args args = {0};
+ int err;
+
+ args.flb = flb;
+ err = flb->ops->preserve(&args);
+ if (err)
+ return err;
+ internal->outgoing.data = args.data;
+ internal->outgoing.obj = args.obj;
+ }
+ internal->outgoing.count++;
+ }
+
+ return 0;
+}
+
+static void luo_flb_file_unpreserve_one(struct liveupdate_flb *flb)
+{
+ struct luo_flb_internal *internal = flb->internal;
+
+ scoped_guard(mutex, &internal->outgoing.lock) {
+ internal->outgoing.count--;
+ if (!internal->outgoing.count) {
+ struct liveupdate_flb_op_args args = {0};
+
+ args.flb = flb;
+ args.data = internal->outgoing.data;
+ args.obj = internal->outgoing.obj;
+
+ if (flb->ops->unpreserve)
+ flb->ops->unpreserve(&args);
+
+ internal->outgoing.data = 0;
+ internal->outgoing.obj = NULL;
+ }
+ }
+}
+
+static int luo_flb_retrieve_one(struct liveupdate_flb *flb)
+{
+ struct luo_flb_header *fh = &luo_flb_global.incoming;
+ struct luo_flb_internal *internal = flb->internal;
+ struct liveupdate_flb_op_args args = {0};
+ bool found = false;
+ int err;
+
+ guard(mutex)(&internal->incoming.lock);
+
+ if (internal->incoming.obj)
+ return 0;
+
+ if (!fh->active)
+ return -ENODATA;
+
+ for (int i = 0; i < fh->header_ser->count; i++) {
+ if (!strcmp(fh->ser[i].name, flb->compatible)) {
+ internal->incoming.data = fh->ser[i].data;
+ internal->incoming.count = fh->ser[i].count;
+ found = true;
+ break;
+ }
+ }
+
+ if (!found)
+ return -ENOENT;
+
+ args.flb = flb;
+ args.data = internal->incoming.data;
+
+ err = flb->ops->retrieve(&args);
+ if (err)
+ return err;
+
+ internal->incoming.obj = args.obj;
+
+ if (WARN_ON_ONCE(!internal->incoming.obj))
+ return -EIO;
+
+ return 0;
+}
+
+static void luo_flb_file_finish_one(struct liveupdate_flb *flb)
+{
+ struct luo_flb_internal *internal = flb->internal;
+ u64 count;
+
+ scoped_guard(mutex, &internal->incoming.lock)
+ count = --internal->incoming.count;
+
+ if (!count) {
+ struct liveupdate_flb_op_args args = {0};
+
+ if (!internal->incoming.obj) {
+ int err = luo_flb_retrieve_one(flb);
+
+ if (WARN_ON(err))
+ return;
+ }
+
+ scoped_guard(mutex, &internal->incoming.lock) {
+ args.flb = flb;
+ args.obj = internal->incoming.obj;
+ flb->ops->finish(&args);
+
+ internal->incoming.data = 0;
+ internal->incoming.obj = NULL;
+ }
+ }
+}
+
+/**
+ * luo_flb_file_preserve - Notifies FLBs that a file is about to be preserved.
+ * @h: The file handler for the preserved file.
+ *
+ * This function iterates through all FLBs associated with the given file
+ * handler. It increments the reference count for each FLB. If the count becomes
+ * 1, it triggers the FLB's .preserve() callback to save the global state.
+ *
+ * This operation is atomic. If any FLB's .preserve() op fails, it will roll
+ * back by calling .unpreserve() on any FLBs that were successfully preserved
+ * during this call.
+ *
+ * Context: Called from luo_preserve_file()
+ * Return: 0 on success, or a negative errno on failure.
+ */
+int luo_flb_file_preserve(struct liveupdate_file_handler *h)
+{
+ struct luo_flb_link *iter;
+ int err = 0;
+
+ list_for_each_entry(iter, &h->flb_list, list) {
+ err = luo_flb_file_preserve_one(iter->flb);
+ if (err)
+ goto exit_err;
+ }
+
+ return 0;
+
+exit_err:
+ list_for_each_entry_continue_reverse(iter, &h->flb_list, list)
+ luo_flb_file_unpreserve_one(iter->flb);
+
+ return err;
+}
+
+/**
+ * luo_flb_file_unpreserve - Notifies FLBs that a dependent file was unpreserved.
+ * @h: The file handler for the unpreserved file.
+ *
+ * This function iterates through all FLBs associated with the given file
+ * handler, in reverse order of registration. It decrements the reference count
+ * for each FLB. If the count becomes 0, it triggers the FLB's .unpreserve()
+ * callback to clean up the global state.
+ *
+ * Context: Called when a preserved file is being cleaned up before reboot
+ * (e.g., from luo_file_unpreserve_files()).
+ */
+void luo_flb_file_unpreserve(struct liveupdate_file_handler *h)
+{
+ struct luo_flb_link *iter;
+
+ list_for_each_entry_reverse(iter, &h->flb_list, list)
+ luo_flb_file_unpreserve_one(iter->flb);
+}
+
+/**
+ * luo_flb_file_finish - Notifies FLBs that a dependent file has been finished.
+ * @h: The file handler for the finished file.
+ *
+ * This function iterates through all FLBs associated with the given file
+ * handler, in reverse order of registration. It decrements the incoming
+ * reference count for each FLB. If the count becomes 0, it triggers the FLB's
+ * .finish() callback for final cleanup in the new kernel.
+ *
+ * Context: Called from luo_file_finish() for each file being finished.
+ */
+void luo_flb_file_finish(struct liveupdate_file_handler *h)
+{
+ struct luo_flb_link *iter;
+
+ list_for_each_entry_reverse(iter, &h->flb_list, list)
+ luo_flb_file_finish_one(iter->flb);
+}
+
+/**
+ * liveupdate_init_flb - Initializes a liveupdate FLB structure.
+ * @flb: The &struct liveupdate_flb to initialize.
+ *
+ * This function must be called to prepare an FLB structure before it can be
+ * used with liveupdate_register_flb() or any other LUO functions.
+ *
+ * Context: Typically called once from a subsystem's module init function for
+ * each global FLB object that the module defines.
+ *
+ * Return: 0 on success, or -ENOMEM if memory allocation fails, and -EOPNOTSUPP
+ * when live update is disabled or not configured.
+ */
+int liveupdate_init_flb(struct liveupdate_flb *flb)
+{
+ struct luo_flb_internal *internal;
+
+ if (!liveupdate_enabled())
+ return -EOPNOTSUPP;
+
+ internal = kzalloc(sizeof(*internal), GFP_KERNEL | __GFP_ZERO);
+ if (!internal)
+ return -ENOMEM;
+
+ mutex_init(&internal->incoming.lock);
+ mutex_init(&internal->outgoing.lock);
+
+ flb->internal = internal;
+ INIT_LIST_HEAD(&flb->list);
+
+ return 0;
+}
+
+/**
+ * liveupdate_register_flb - Associate an FLB with a file handler and register it globally.
+ * @h: The file handler that will now depend on the FLB.
+ * @flb: The File-Lifecycle-Bound object to associate.
+ *
+ * Establishes a dependency, informing the LUO core that whenever a file of
+ * type @h is preserved, the state of @flb must also be managed.
+ *
+ * On the first registration of a given @flb object, it is added to a global
+ * registry. This function checks for duplicate registrations, both for a
+ * specific handler and globally, and ensures the total number of unique
+ * FLBs does not exceed the system limit.
+ *
+ * Context: Typically called from a subsystem's module init function after
+ * both the handler and the FLB have been defined and initialized.
+ * Return: 0 on success. Returns a negative errno on failure:
+ * -EINVAL if arguments are NULL or not initialized.
+ * -ENOMEM on memory allocation failure.
+ * -EEXIST if this FLB is already registered with this handler.
+ * -ENOSPC if the maximum number of global FLBs has been reached.
+ * -EOPNOTSUPP if live update is disabled or not configured.
+ */
+int liveupdate_register_flb(struct liveupdate_file_handler *h,
+ struct liveupdate_flb *flb)
+{
+ struct luo_flb_internal *internal = flb->internal;
+ struct luo_flb_link *link __free(kfree) = NULL;
+ static DEFINE_MUTEX(register_flb_lock);
+ struct liveupdate_flb *gflb;
+ struct luo_flb_link *iter;
+
+ if (!liveupdate_enabled())
+ return -EOPNOTSUPP;
+
+ if (WARN_ON(!h || !flb || !internal))
+ return -EINVAL;
+
+ if (WARN_ON(!flb->ops->preserve || !flb->ops->unpreserve ||
+ !flb->ops->retrieve || !flb->ops->finish)) {
+ return -EINVAL;
+ }
+
+ /*
+ * Once session/files have been deserialized, FLBs cannot be registered,
+ * it is too late. Deserialization uses file handlers, and FLB registers
+ * to file handlers.
+ */
+ if (WARN_ON(luo_session_is_deserialized()))
+ return -EBUSY;
+
+ /*
+ * File handler must already be registered, as it is initializes the
+ * flb_list
+ */
+ if (WARN_ON(list_empty(&h->list)))
+ return -EINVAL;
+
+ link = kzalloc(sizeof(*link), GFP_KERNEL);
+ if (!link)
+ return -ENOMEM;
+
+ guard(mutex)(®ister_flb_lock);
+
+ /* Check that this FLB is not already linked to this file handler */
+ list_for_each_entry(iter, &h->flb_list, list) {
+ if (iter->flb == flb)
+ return -EEXIST;
+ }
+
+ /* Is this FLB linked to global list ? */
+ if (list_empty(&flb->list)) {
+ if (luo_flb_global.count == LUO_FLB_MAX)
+ return -ENOSPC;
+
+ /* Check that compatible string is unique in global list */
+ list_for_each_entry(gflb, &luo_flb_global.list, list) {
+ if (!strcmp(gflb->compatible, flb->compatible))
+ return -EEXIST;
+ }
+
+ if (!try_module_get(flb->ops->owner))
+ return -EAGAIN;
+
+ list_add_tail(&flb->list, &luo_flb_global.list);
+ luo_flb_global.count++;
+ }
+
+ /* Finally, link the FLB to the file handler */
+ link->flb = flb;
+ list_add_tail(&no_free_ptr(link)->list, &h->flb_list);
+
+ return 0;
+}
+
+/**
+ * liveupdate_flb_incoming_locked - Lock and retrieve the incoming FLB object.
+ * @flb: The FLB definition.
+ * @objp: Output parameter; will be populated with the live shared object.
+ *
+ * Acquires the FLB's internal lock and returns a pointer to its shared live
+ * object for the incoming (post-reboot) path.
+ *
+ * If this is the first time the object is requested in the new kernel, this
+ * function will trigger the FLB's .retrieve() callback to reconstruct the
+ * object from its preserved state. Subsequent calls will return the same
+ * cached object.
+ *
+ * The caller MUST call liveupdate_flb_incoming_unlock() to release the lock.
+ *
+ * Return: 0 on success, or a negative errno on failure. -ENODATA means no
+ * incoming FLB data, -ENOENT means specific flb not found in the incoming
+ * data, and -EOPNOTSUPP when live update is disabled or not configured.
+ */
+int liveupdate_flb_incoming_locked(struct liveupdate_flb *flb, void **objp)
+{
+ struct luo_flb_internal *internal = flb->internal;
+
+ if (!liveupdate_enabled())
+ return -EOPNOTSUPP;
+
+ if (WARN_ON(!internal))
+ return -EINVAL;
+
+ if (!internal->incoming.obj) {
+ int err = luo_flb_retrieve_one(flb);
+
+ if (err)
+ return err;
+ }
+
+ mutex_lock(&internal->incoming.lock);
+ *objp = internal->incoming.obj;
+
+ return 0;
+}
+
+/**
+ * liveupdate_flb_incoming_unlock - Unlock an incoming FLB object.
+ * @flb: The FLB definition.
+ * @obj: The object that was returned by the _locked call (used for validation).
+ *
+ * Releases the internal lock acquired by liveupdate_flb_incoming_locked().
+ */
+void liveupdate_flb_incoming_unlock(struct liveupdate_flb *flb, void *obj)
+{
+ struct luo_flb_internal *internal = flb->internal;
+
+ lockdep_assert_held(&internal->incoming.lock);
+ internal->incoming.obj = obj;
+ mutex_unlock(&internal->incoming.lock);
+}
+
+/**
+ * liveupdate_flb_outgoing_locked - Lock and retrieve the outgoing FLB object.
+ * @flb: The FLB definition.
+ * @objp: Output parameter; will be populated with the live shared object.
+ *
+ * Acquires the FLB's internal lock and returns a pointer to its shared live
+ * object for the outgoing (pre-reboot) path.
+ *
+ * This function assumes the object has already been created by the FLB's
+ * .preserve() callback, which is triggered when the first dependent file
+ * is preserved.
+ *
+ * The caller MUST call liveupdate_flb_outgoing_unlock() to release the lock.
+ *
+ * Return: 0 on success, or a negative errno on failure.
+ */
+int liveupdate_flb_outgoing_locked(struct liveupdate_flb *flb, void **objp)
+{
+ struct luo_flb_internal *internal = flb->internal;
+
+ if (!liveupdate_enabled())
+ return -EOPNOTSUPP;
+
+ if (WARN_ON(!internal))
+ return -EINVAL;
+
+ mutex_lock(&internal->outgoing.lock);
+
+ /* The object must exist if any file is being preserved */
+ if (WARN_ON_ONCE(!internal->outgoing.obj)) {
+ mutex_unlock(&internal->outgoing.lock);
+ return -ENOENT;
+ }
+
+ *objp = internal->outgoing.obj;
+
+ return 0;
+}
+
+/**
+ * liveupdate_flb_outgoing_unlock - Unlock an outgoing FLB object.
+ * @flb: The FLB definition.
+ * @obj: The object that was returned by the _locked call (used for validation).
+ *
+ * Releases the internal lock acquired by liveupdate_flb_outgoing_locked().
+ */
+void liveupdate_flb_outgoing_unlock(struct liveupdate_flb *flb, void *obj)
+{
+ struct luo_flb_internal *internal = flb->internal;
+
+ lockdep_assert_held(&internal->outgoing.lock);
+ internal->outgoing.obj = obj;
+ mutex_unlock(&internal->outgoing.lock);
+}
+
+int __init luo_flb_setup_outgoing(void *fdt_out)
+{
+ struct luo_flb_header_ser *header_ser;
+ u64 header_ser_pa;
+ int err;
+
+ header_ser = kho_alloc_preserve(LUO_FLB_PGCNT << PAGE_SHIFT);
+ if (IS_ERR(header_ser))
+ return PTR_ERR(header_ser);
+
+ header_ser_pa = virt_to_phys(header_ser);
+
+ err = fdt_begin_node(fdt_out, LUO_FDT_FLB_NODE_NAME);
+ err |= fdt_property_string(fdt_out, "compatible",
+ LUO_FDT_FLB_COMPATIBLE);
+ err |= fdt_property(fdt_out, LUO_FDT_FLB_HEADER, &header_ser_pa,
+ sizeof(header_ser_pa));
+ err |= fdt_end_node(fdt_out);
+
+ if (err)
+ goto err_unpreserve;
+
+ header_ser->pgcnt = LUO_FLB_PGCNT;
+ luo_flb_global.outgoing.header_ser = header_ser;
+ luo_flb_global.outgoing.ser = (void *)(header_ser + 1);
+ luo_flb_global.outgoing.active = true;
+
+ return 0;
+
+err_unpreserve:
+ kho_unpreserve_free(header_ser);
+
+ return err;
+}
+
+int __init luo_flb_setup_incoming(void *fdt_in)
+{
+ struct luo_flb_header_ser *header_ser;
+ int err, header_size, offset;
+ const void *ptr;
+ u64 header_ser_pa;
+
+ offset = fdt_subnode_offset(fdt_in, 0, LUO_FDT_FLB_NODE_NAME);
+ if (offset < 0) {
+ pr_err("Unable to get FLB node [%s]\n", LUO_FDT_FLB_NODE_NAME);
+
+ return -ENOENT;
+ }
+
+ err = fdt_node_check_compatible(fdt_in, offset,
+ LUO_FDT_FLB_COMPATIBLE);
+ if (err) {
+ pr_err("FLB node is incompatible with '%s' [%d]\n",
+ LUO_FDT_FLB_COMPATIBLE, err);
+
+ return -EINVAL;
+ }
+
+ header_size = 0;
+ ptr = fdt_getprop(fdt_in, offset, LUO_FDT_FLB_HEADER, &header_size);
+ if (!ptr || header_size != sizeof(u64)) {
+ pr_err("Unable to get FLB header property '%s' [%d]\n",
+ LUO_FDT_FLB_HEADER, header_size);
+
+ return -EINVAL;
+ }
+
+ header_ser_pa = get_unaligned((u64 *)ptr);
+ header_ser = phys_to_virt(header_ser_pa);
+
+ luo_flb_global.incoming.header_ser = header_ser;
+ luo_flb_global.incoming.ser = (void *)(header_ser + 1);
+ luo_flb_global.incoming.active = true;
+
+ return 0;
+}
+
+/**
+ * luo_flb_serialize - Serializes all active FLB objects for KHO.
+ *
+ * This function is called from the reboot path. It iterates through all
+ * registered File-Lifecycle-Bound (FLB) objects. For each FLB that has been
+ * preserved (i.e., its reference count is greater than zero), it writes its
+ * metadata into the memory region designated for Kexec Handover.
+ *
+ * The serialized data includes the FLB's compatibility string, its opaque
+ * data handle, and the final reference count. This allows the new kernel to
+ * find the appropriate handler and reconstruct the FLB's state.
+ *
+ * Context: Called from liveupdate_reboot() just before kho_finalize().
+ */
+void luo_flb_serialize(void)
+{
+ struct luo_flb_header *fh = &luo_flb_global.outgoing;
+ struct liveupdate_flb *flb;
+ int i = 0;
+
+ list_for_each_entry(flb, &luo_flb_global.list, list) {
+ struct luo_flb_internal *internal = flb->internal;
+
+ if (internal->outgoing.count > 0) {
+ strscpy(fh->ser[i].name, flb->compatible,
+ sizeof(fh->ser[i].name));
+ fh->ser[i].data = internal->outgoing.data;
+ fh->ser[i].count = internal->outgoing.count;
+ i++;
+ }
+ }
+
+ fh->header_ser->count = i;
+}
diff --git a/kernel/liveupdate/luo_internal.h b/kernel/liveupdate/luo_internal.h
index 1a36f2383123..389fb102775f 100644
--- a/kernel/liveupdate/luo_internal.h
+++ b/kernel/liveupdate/luo_internal.h
@@ -79,4 +79,11 @@ int luo_retrieve_file(struct luo_session *session, u64 token,
int luo_file_finish(struct luo_session *session);
int luo_file_deserialize(struct luo_session *session);
+int luo_flb_file_preserve(struct liveupdate_file_handler *h);
+void luo_flb_file_unpreserve(struct liveupdate_file_handler *h);
+void luo_flb_file_finish(struct liveupdate_file_handler *h);
+int __init luo_flb_setup_outgoing(void *fdt);
+int __init luo_flb_setup_incoming(void *fdt);
+void luo_flb_serialize(void);
+
#endif /* _LINUX_LUO_INTERNAL_H */
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 07/20] liveupdate: luo_session: Add ioctls for file preservation
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
Introducing the userspace interface and internal logic required to
manage the lifecycle of file descriptors within a session. Previously, a
session was merely a container; this change makes it a functional
management unit.
The following capabilities are added:
A new set of ioctl commands are added, which operate on the file
descriptor returned by CREATE_SESSION. This allows userspace to:
- LIVEUPDATE_SESSION_PRESERVE_FD: Add a file descriptor to a session
to be preserved across the live update.
- LIVEUPDATE_SESSION_RETRIEVE_FD: Retrieve a preserved file in the
new kernel using its unique token.
- LIVEUPDATE_SESSION_FINISH: finish session
The session's .release handler is enhanced to be state-aware. When a
session's file descriptor is closed, it correctly unpreserves
the session based on its current state before freeing all
associated file resources.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
include/uapi/linux/liveupdate.h | 103 ++++++++++++++++++
kernel/liveupdate/luo_session.c | 187 +++++++++++++++++++++++++++++++-
2 files changed, 286 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux/liveupdate.h b/include/uapi/linux/liveupdate.h
index 6e04254ee535..3902ffab4c53 100644
--- a/include/uapi/linux/liveupdate.h
+++ b/include/uapi/linux/liveupdate.h
@@ -53,6 +53,14 @@ enum {
LIVEUPDATE_CMD_RETRIEVE_SESSION = 0x01,
};
+/* ioctl commands for session file descriptors */
+enum {
+ LIVEUPDATE_CMD_SESSION_BASE = 0x40,
+ LIVEUPDATE_CMD_SESSION_PRESERVE_FD = LIVEUPDATE_CMD_SESSION_BASE,
+ LIVEUPDATE_CMD_SESSION_RETRIEVE_FD = 0x41,
+ LIVEUPDATE_CMD_SESSION_FINISH = 0x42,
+};
+
/**
* struct liveupdate_ioctl_create_session - ioctl(LIVEUPDATE_IOCTL_CREATE_SESSION)
* @size: Input; sizeof(struct liveupdate_ioctl_create_session)
@@ -110,4 +118,99 @@ struct liveupdate_ioctl_retrieve_session {
#define LIVEUPDATE_IOCTL_RETRIEVE_SESSION \
_IO(LIVEUPDATE_IOCTL_TYPE, LIVEUPDATE_CMD_RETRIEVE_SESSION)
+/* Session specific IOCTLs */
+
+/**
+ * struct liveupdate_session_preserve_fd - ioctl(LIVEUPDATE_SESSION_PRESERVE_FD)
+ * @size: Input; sizeof(struct liveupdate_session_preserve_fd)
+ * @fd: Input; The user-space file descriptor to be preserved.
+ * @token: Input; An opaque, unique token for preserved resource.
+ *
+ * Holds parameters for preserving a file descriptor.
+ *
+ * User sets the @fd field identifying the file descriptor to preserve
+ * (e.g., memfd, kvm, iommufd, VFIO). The kernel validates if this FD type
+ * and its dependencies are supported for preservation. If validation passes,
+ * the kernel marks the FD internally and *initiates the process* of preparing
+ * its state for saving. The actual snapshotting of the state typically occurs
+ * during the subsequent %LIVEUPDATE_IOCTL_PREPARE execution phase, though
+ * some finalization might occur during freeze.
+ * On successful validation and initiation, the kernel uses the @token
+ * field with an opaque identifier representing the resource being preserved.
+ * This token confirms the FD is targeted for preservation and is required for
+ * the subsequent %LIVEUPDATE_SESSION_RETRIEVE_FD call after the live update.
+ *
+ * Return: 0 on success (validation passed, preservation initiated), negative
+ * error code on failure (e.g., unsupported FD type, dependency issue,
+ * validation failed).
+ */
+struct liveupdate_session_preserve_fd {
+ __u32 size;
+ __s32 fd;
+ __aligned_u64 token;
+};
+
+#define LIVEUPDATE_SESSION_PRESERVE_FD \
+ _IO(LIVEUPDATE_IOCTL_TYPE, LIVEUPDATE_CMD_SESSION_PRESERVE_FD)
+
+/**
+ * struct liveupdate_session_retrieve_fd - ioctl(LIVEUPDATE_SESSION_RETRIEVE_FD)
+ * @size: Input; sizeof(struct liveupdate_session_RETRIEVE_fd)
+ * @fd: Output; The new file descriptor representing the fully restored
+ * kernel resource.
+ * @token: Input; An opaque, token that was used to preserve the resource.
+ *
+ * Retrieve a previously preserved file descriptor.
+ *
+ * User sets the @token field to the value obtained from a successful
+ * %LIVEUPDATE_IOCTL_FD_PRESERVE call before the live update. On success,
+ * the kernel restores the state (saved during the PREPARE/FREEZE phases)
+ * associated with the token and populates the @fd field with a new file
+ * descriptor referencing the restored resource in the current (new) kernel.
+ * This operation must be performed *before* signaling completion via
+ * %LIVEUPDATE_IOCTL_FINISH.
+ *
+ * Return: 0 on success, negative error code on failure (e.g., invalid token).
+ */
+struct liveupdate_session_retrieve_fd {
+ __u32 size;
+ __s32 fd;
+ __aligned_u64 token;
+};
+
+#define LIVEUPDATE_SESSION_RETRIEVE_FD \
+ _IO(LIVEUPDATE_IOCTL_TYPE, LIVEUPDATE_CMD_SESSION_RETRIEVE_FD)
+
+/**
+ * struct liveupdate_session_finish - ioctl(LIVEUPDATE_SESSION_FINISH)
+ * @size: Input; sizeof(struct liveupdate_session_finish)
+ * @reserved: Input; Must be zero. Reserved for future use.
+ *
+ * Signals the completion of the restoration process for a retrieved session.
+ * This is the final operation that should be performed on a session file
+ * descriptor after a live update.
+ *
+ * This ioctl must be called once all required file descriptors for the session
+ * have been successfully retrieved (using %LIVEUPDATE_SESSION_RETRIEVE_FD) and
+ * are fully restored from the userspace and kernel perspective.
+ *
+ * Upon success, the kernel releases its ownership of the preserved resources
+ * associated with this session. This allows internal resources to be freed,
+ * typically by decrementing reference counts on the underlying preserved
+ * objects.
+ *
+ * If this operation fails, the resources remain preserved in memory. Userspace
+ * may attempt to call finish again. The resources will otherwise be reset
+ * during the next live update cycle.
+ *
+ * Return: 0 on success, negative error code on failure.
+ */
+struct liveupdate_session_finish {
+ __u32 size;
+ __u32 reserved;
+};
+
+#define LIVEUPDATE_SESSION_FINISH \
+ _IO(LIVEUPDATE_IOCTL_TYPE, LIVEUPDATE_CMD_SESSION_FINISH)
+
#endif /* _UAPI_LIVEUPDATE_H */
diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index cb74bfaba479..82ba6e3578f5 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -174,26 +174,189 @@ static void luo_session_remove(struct luo_session_header *sh,
sh->count--;
}
+static int luo_session_finish_one(struct luo_session *session)
+{
+ guard(mutex)(&session->mutex);
+ return luo_file_finish(session);
+}
+
+static void luo_session_unfreeze_one(struct luo_session *session)
+{
+ guard(mutex)(&session->mutex);
+ luo_file_unfreeze(session);
+}
+
+static int luo_session_freeze_one(struct luo_session *session)
+{
+ guard(mutex)(&session->mutex);
+ return luo_file_freeze(session);
+}
+
static int luo_session_release(struct inode *inodep, struct file *filep)
{
struct luo_session *session = filep->private_data;
struct luo_session_header *sh;
+ int err = 0;
/* If retrieved is set, it means this session is from incoming list */
- if (session->retrieved)
+ if (session->retrieved) {
sh = &luo_session_global.incoming;
- else
+
+ err = luo_session_finish_one(session);
+ if (err) {
+ pr_warn("Unable to finish session [%s] on release\n",
+ session->name);
+ } else {
+ luo_session_remove(sh, session);
+ luo_session_free(session);
+ }
+
+ } else {
sh = &luo_session_global.outgoing;
- luo_session_remove(sh, session);
- luo_session_free(session);
+ scoped_guard(mutex, &session->mutex)
+ luo_file_unpreserve_files(session);
+ luo_session_remove(sh, session);
+ luo_session_free(session);
+ }
+
+ return err;
+}
+
+static int luo_session_preserve_fd(struct luo_session *session,
+ struct luo_ucmd *ucmd)
+{
+ struct liveupdate_session_preserve_fd *argp = ucmd->cmd;
+ int err;
+
+ guard(mutex)(&session->mutex);
+ err = luo_preserve_file(session, argp->token, argp->fd);
+ if (err)
+ return err;
+
+ err = luo_ucmd_respond(ucmd, sizeof(*argp));
+ if (err)
+ pr_warn("The file was successfully preserved, but response to user failed\n");
+
+ return err;
+}
+
+static int luo_session_retrieve_fd(struct luo_session *session,
+ struct luo_ucmd *ucmd)
+{
+ struct liveupdate_session_retrieve_fd *argp = ucmd->cmd;
+ struct file *file;
+ int err;
+
+ argp->fd = get_unused_fd_flags(O_CLOEXEC);
+ if (argp->fd < 0)
+ return argp->fd;
+
+ guard(mutex)(&session->mutex);
+ err = luo_retrieve_file(session, argp->token, &file);
+ if (err < 0)
+ goto err_put_fd;
+
+ err = luo_ucmd_respond(ucmd, sizeof(*argp));
+ if (err)
+ goto err_put_file;
+
+ fd_install(argp->fd, file);
return 0;
+
+err_put_file:
+ fput(file);
+err_put_fd:
+ put_unused_fd(argp->fd);
+
+ return err;
+}
+
+static int luo_session_finish(struct luo_session *session,
+ struct luo_ucmd *ucmd)
+{
+ struct liveupdate_session_finish *argp = ucmd->cmd;
+ int err = luo_session_finish_one(session);
+
+ if (err)
+ return err;
+
+ return luo_ucmd_respond(ucmd, sizeof(*argp));
+}
+
+union ucmd_buffer {
+ struct liveupdate_session_finish finish;
+ struct liveupdate_session_preserve_fd preserve;
+ struct liveupdate_session_retrieve_fd retrieve;
+};
+
+struct luo_ioctl_op {
+ unsigned int size;
+ unsigned int min_size;
+ unsigned int ioctl_num;
+ int (*execute)(struct luo_session *session, struct luo_ucmd *ucmd);
+};
+
+#define IOCTL_OP(_ioctl, _fn, _struct, _last) \
+ [_IOC_NR(_ioctl) - LIVEUPDATE_CMD_SESSION_BASE] = { \
+ .size = sizeof(_struct) + \
+ BUILD_BUG_ON_ZERO(sizeof(union ucmd_buffer) < \
+ sizeof(_struct)), \
+ .min_size = offsetofend(_struct, _last), \
+ .ioctl_num = _ioctl, \
+ .execute = _fn, \
+ }
+
+static const struct luo_ioctl_op luo_session_ioctl_ops[] = {
+ IOCTL_OP(LIVEUPDATE_SESSION_FINISH, luo_session_finish,
+ struct liveupdate_session_finish, reserved),
+ IOCTL_OP(LIVEUPDATE_SESSION_PRESERVE_FD, luo_session_preserve_fd,
+ struct liveupdate_session_preserve_fd, token),
+ IOCTL_OP(LIVEUPDATE_SESSION_RETRIEVE_FD, luo_session_retrieve_fd,
+ struct liveupdate_session_retrieve_fd, token),
+};
+
+static long luo_session_ioctl(struct file *filep, unsigned int cmd,
+ unsigned long arg)
+{
+ struct luo_session *session = filep->private_data;
+ const struct luo_ioctl_op *op;
+ struct luo_ucmd ucmd = {};
+ union ucmd_buffer buf;
+ unsigned int nr;
+ int ret;
+
+ nr = _IOC_NR(cmd);
+ if (nr < LIVEUPDATE_CMD_SESSION_BASE || (nr - LIVEUPDATE_CMD_SESSION_BASE) >=
+ ARRAY_SIZE(luo_session_ioctl_ops)) {
+ return -EINVAL;
+ }
+
+ ucmd.ubuffer = (void __user *)arg;
+ ret = get_user(ucmd.user_size, (u32 __user *)ucmd.ubuffer);
+ if (ret)
+ return ret;
+
+ op = &luo_session_ioctl_ops[nr - LIVEUPDATE_CMD_SESSION_BASE];
+ if (op->ioctl_num != cmd)
+ return -ENOIOCTLCMD;
+ if (ucmd.user_size < op->min_size)
+ return -EINVAL;
+
+ ucmd.cmd = &buf;
+ ret = copy_struct_from_user(ucmd.cmd, op->size, ucmd.ubuffer,
+ ucmd.user_size);
+ if (ret)
+ return ret;
+
+ return op->execute(session, &ucmd);
}
static const struct file_operations luo_session_fops = {
.owner = THIS_MODULE,
.release = luo_session_release,
+ .unlocked_ioctl = luo_session_ioctl,
};
/* Create a "struct file" for session */
@@ -391,6 +554,8 @@ int luo_session_deserialize(void)
session->count = sh->ser[i].count;
session->files = sh->ser[i].files ? phys_to_virt(sh->ser[i].files) : 0;
session->pgcnt = sh->ser[i].pgcnt;
+ scoped_guard(mutex, &session->mutex)
+ luo_file_deserialize(session);
}
kho_restore_free(sh->header_ser);
@@ -405,9 +570,14 @@ int luo_session_serialize(void)
struct luo_session_header *sh = &luo_session_global.outgoing;
struct luo_session *session;
int i = 0;
+ int err;
guard(rwsem_write)(&sh->rwsem);
list_for_each_entry(session, &sh->list, list) {
+ err = luo_session_freeze_one(session);
+ if (err)
+ goto err_undo;
+
strscpy(sh->ser[i].name, session->name,
sizeof(sh->ser[i].name));
sh->ser[i].count = session->count;
@@ -418,4 +588,13 @@ int luo_session_serialize(void)
sh->header_ser->count = sh->count;
return 0;
+
+err_undo:
+ list_for_each_entry_continue_reverse(session, &sh->list, list) {
+ luo_session_unfreeze_one(session);
+ i--;
+ memset(&sh->ser[i], 0, sizeof(sh->ser[i]));
+ }
+
+ return err;
}
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 06/20] liveupdate: luo_file: implement file systems callbacks
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
This patch implements the core mechanism for managing preserved
files throughout the live update lifecycle. It provides the logic to
invoke the file handler callbacks (preserve, unpreserve, freeze,
unfreeze, retrieve, and finish) at the appropriate stages.
During the reboot phase, luo_file_freeze() serializes the final
metadata for each file (handler compatible string, token, and data
handle) into a memory region preserved by KHO. In the new kernel,
luo_file_deserialize() reconstructs the in-memory file list from this
data, preparing the session for retrieval.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
include/linux/liveupdate.h | 109 ++++
include/linux/liveupdate/abi/luo.h | 22 +
kernel/liveupdate/Makefile | 1 +
kernel/liveupdate/luo_file.c | 887 +++++++++++++++++++++++++++++
kernel/liveupdate/luo_internal.h | 9 +
5 files changed, 1028 insertions(+)
create mode 100644 kernel/liveupdate/luo_file.c
diff --git a/include/linux/liveupdate.h b/include/linux/liveupdate.h
index 730b76625fec..4a5d4dd9905a 100644
--- a/include/linux/liveupdate.h
+++ b/include/linux/liveupdate.h
@@ -10,6 +10,88 @@
#include <linux/bug.h>
#include <linux/types.h>
#include <linux/list.h>
+#include <linux/liveupdate/abi/luo.h>
+#include <uapi/linux/liveupdate.h>
+
+struct liveupdate_file_handler;
+struct liveupdate_session;
+struct file;
+
+/**
+ * struct liveupdate_file_op_args - Arguments for file operation callbacks.
+ * @handler: The file handler being called.
+ * @session: The session this file belongs to.
+ * @retrieved: The retrieve status for the 'can_finish / finish'
+ * operation.
+ * @file: The file object. For retrieve: [OUT] The callback sets
+ * this to the new file. For other ops: [IN] The caller sets
+ * this to the file being operated on.
+ * @serialized_data: The opaque u64 handle, preserve/prepare/freeze may update
+ * this field.
+ *
+ * This structure bundles all parameters for the file operation callbacks.
+ * The 'data' and 'file' fields are used for both input and output.
+ */
+struct liveupdate_file_op_args {
+ struct liveupdate_file_handler *handler;
+ struct liveupdate_session *session;
+ bool retrieved;
+ struct file *file;
+ u64 serialized_data;
+};
+
+/**
+ * struct liveupdate_file_ops - Callbacks for live-updatable files.
+ * @can_preserve: Required. Lightweight check to see if this handler is
+ * compatible with the given file.
+ * @preserve: Required. Performs state-saving for the file.
+ * @unpreserve: Required. Cleans up any resources allocated by @preserve.
+ * @freeze: Optional. Final actions just before kernel transition.
+ * @unfreeze: Optional. Undo freeze operations.
+ * @retrieve: Required. Restores the file in the new kernel.
+ * @can_finish: Optional. Check if this FD can finish, i.e. all restoration
+ * pre-requirements for this FD are satisfied. Called prior to
+ * finish, in order to do successful finish calls for all
+ * resources in the session.
+ * @finish: Required. Final cleanup in the new kernel.
+ * @owner: Module reference
+ *
+ * All operations (except can_preserve) receive a pointer to a
+ * 'struct liveupdate_file_op_args' containing the necessary context.
+ */
+struct liveupdate_file_ops {
+ bool (*can_preserve)(struct liveupdate_file_handler *handler,
+ struct file *file);
+ int (*preserve)(struct liveupdate_file_op_args *args);
+ void (*unpreserve)(struct liveupdate_file_op_args *args);
+ int (*freeze)(struct liveupdate_file_op_args *args);
+ void (*unfreeze)(struct liveupdate_file_op_args *args);
+ int (*retrieve)(struct liveupdate_file_op_args *args);
+ bool (*can_finish)(struct liveupdate_file_op_args *args);
+ void (*finish)(struct liveupdate_file_op_args *args);
+ struct module *owner;
+};
+
+/**
+ * struct liveupdate_file_handler - Represents a handler for a live-updatable file type.
+ * @ops: Callback functions
+ * @compatible: The compatibility string (e.g., "memfd-v1", "vfiofd-v1")
+ * that uniquely identifies the file type this handler
+ * supports. This is matched against the compatible string
+ * associated with individual &struct file instances.
+ * @list: Used for linking this handler instance into a global
+ * list of registered file handlers.
+ *
+ * Modules that want to support live update for specific file types should
+ * register an instance of this structure. LUO uses this registration to
+ * determine if a given file can be preserved and to find the appropriate
+ * operations to manage its state across the update.
+ */
+struct liveupdate_file_handler {
+ const struct liveupdate_file_ops *ops;
+ const char compatible[LIVEUPDATE_HNDL_COMPAT_LENGTH];
+ struct list_head list;
+};
#ifdef CONFIG_LIVEUPDATE
@@ -19,6 +101,16 @@ bool liveupdate_enabled(void);
/* Called during kexec to tell LUO that entered into reboot */
int liveupdate_reboot(void);
+int liveupdate_register_file_handler(struct liveupdate_file_handler *h);
+
+/* kernel can internally retrieve files */
+int liveupdate_get_file_incoming(struct liveupdate_session *s, u64 token,
+ struct file **filep);
+
+/* Get a token for an outgoing file, or -ENOENT if file is not preserved */
+int liveupdate_get_token_outgoing(struct liveupdate_session *s,
+ struct file *file, u64 *tokenp);
+
#else /* CONFIG_LIVEUPDATE */
static inline bool liveupdate_enabled(void)
@@ -31,5 +123,22 @@ static inline int liveupdate_reboot(void)
return 0;
}
+static inline int liveupdate_register_file_handler(struct liveupdate_file_handler *h)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int liveupdate_get_file_incoming(struct liveupdate_session *s,
+ u64 token, struct file **filep)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int liveupdate_get_token_outgoing(struct liveupdate_session *s,
+ struct file *file, u64 *tokenp)
+{
+ return -EOPNOTSUPP;
+}
+
#endif /* CONFIG_LIVEUPDATE */
#endif /* _LINUX_LIVEUPDATE_H */
diff --git a/include/linux/liveupdate/abi/luo.h b/include/linux/liveupdate/abi/luo.h
index 03a177ae232e..3a596ca1907b 100644
--- a/include/linux/liveupdate/abi/luo.h
+++ b/include/linux/liveupdate/abi/luo.h
@@ -65,6 +65,11 @@
* Metadata for a single session, including its name and a physical pointer
* to another preserved memory block containing an array of
* `struct luo_file_ser` for all files in that session.
+ *
+ * - struct luo_file_ser:
+ * Metadata for a single preserved file. Contains the `compatible` string to
+ * find the correct handler in the new kernel, a user-provided `token` for
+ * identification, and an opaque `data` handle for the handler to use.
*/
#ifndef _LINUX_LIVEUPDATE_ABI_LUO_H
@@ -132,4 +137,21 @@ struct luo_session_ser {
u64 count;
} __packed;
+/* The max size is set so it can be reliably used during in serialization */
+#define LIVEUPDATE_HNDL_COMPAT_LENGTH 48
+
+/**
+ * struct luo_file_ser - Represents the serialized preserves files.
+ * @compatible: File handler compatible string.
+ * @data: Private data
+ * @token: User provided token for this file
+ *
+ * If this structure is modified, LUO_SESSION_COMPATIBLE must be updated.
+ */
+struct luo_file_ser {
+ char compatible[LIVEUPDATE_HNDL_COMPAT_LENGTH];
+ u64 data;
+ u64 token;
+} __packed;
+
#endif /* _LINUX_LIVEUPDATE_ABI_LUO_H */
diff --git a/kernel/liveupdate/Makefile b/kernel/liveupdate/Makefile
index 83285e7ad726..c2252a2ad7bd 100644
--- a/kernel/liveupdate/Makefile
+++ b/kernel/liveupdate/Makefile
@@ -2,6 +2,7 @@
luo-y := \
luo_core.o \
+ luo_file.o \
luo_ioctl.o \
luo_session.o
diff --git a/kernel/liveupdate/luo_file.c b/kernel/liveupdate/luo_file.c
new file mode 100644
index 000000000000..dae27a69a09f
--- /dev/null
+++ b/kernel/liveupdate/luo_file.c
@@ -0,0 +1,887 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+/**
+ * DOC: LUO File Descriptors
+ *
+ * LUO provides the infrastructure to preserve specific, stateful file
+ * descriptors across a kexec-based live update. The primary goal is to allow
+ * workloads, such as virtual machines using vfio, memfd, or iommufd, to
+ * retain access to their essential resources without interruption.
+ *
+ * The framework is built around a callback-based handler model and a well-
+ * defined lifecycle for each preserved file.
+ *
+ * Handler Registration:
+ * Kernel modules responsible for a specific file type (e.g., memfd, vfio)
+ * register a &struct liveupdate_file_handler. This handler provides a set of
+ * callbacks that LUO invokes at different stages of the update process, most
+ * notably:
+ *
+ * - can_preserve(): A lightweight check to determine if the handler is
+ * compatible with a given 'struct file'.
+ * - preserve(): The heavyweight operation that saves the file's state and
+ * returns an opaque u64 handle, happens while vcpus are still running.
+ * LUO becomes the owner of this file until session is closed or file is
+ * finished.
+ * - unpreserve(): Cleans up any resources allocated by .preserve(), called
+ * if the preservation process is aborted before the reboot (i.e. session is
+ * closed).
+ * - freeze(): A final pre-reboot opportunity to prepare the state for kexec.
+ * We are already in reboot syscall, and therefore userspace cannot mutate
+ * the file anymore.
+ * - unfreeze(): Undoes the actions of .freeze(), called if the live update
+ * is aborted after the freeze phase.
+ * - retrieve(): Reconstructs the file in the new kernel from the preserved
+ * handle.
+ * - finish(): Performs final check and cleanup in the new kernel. After
+ * succesul finish call, LUO gives up ownership to this file.
+ *
+ * File Preservation Lifecycle happy path:
+ *
+ * 1. Preserve (Normal Operation): A userspace agent preserves files one by one
+ * via an ioctl. For each file, luo_preserve_file() finds a compatible
+ * handler, calls its .preserve() op, and creates an internal &struct
+ * luo_file to track the live state.
+ *
+ * 2. Freeze (Pre-Reboot): Just before the kexec, luo_file_freeze() is called.
+ * It iterates through all preserved files, calls their respective .freeze()
+ * ops, and serializes their final metadata (compatible string, token, and
+ * data handle) into a contiguous memory block for KHO.
+ *
+ * 3. Deserialize (New Kernel - Early Boot): After kexec, luo_file_deserialize()
+ * runs. It reads the serialized data from the KHO memory region and
+ * reconstructs the in-memory list of &struct luo_file instances for the new
+ * kernel, linking them to their corresponding handlers.
+ *
+ * 4. Retrieve (New Kernel - Userspace Ready): The userspace agent can now
+ * restore file descriptors by providing a token. luo_retrieve_file()
+ * searches for the matching token, calls the handler's .retrieve() op to
+ * re-create the 'struct file', and returns a new FD. Files can be
+ * retrieved in ANY order.
+ *
+ * 5. Finish (New Kernel - Cleanup): Once a session retrival is complete,
+ * luo_file_finish() is called. It iterates through all files,
+ * invokes their .finish() ops for final cleanup, and releases all
+ * associated kernel resources.
+ *
+ * File Preservation Lifecycle unhappy paths:
+ *
+ * 1. Abort Before Reboot: If the userspace agent aborts the live update
+ * process before calling reboot (e.g., by closing the session file
+ * descriptor), the session's release handler calls
+ * luo_file_unpreserve_files(). This invokes the .unpreserve() callback on
+ * all preserved files, ensuring all allocated resources are cleaned up and
+ * returning the system to a clean state.
+ *
+ * 2. Freeze Failure: During the reboot() syscall, if any handler's .freeze()
+ * op fails, the .unfreeze() op is invoked on all previously *successful*
+ * freezes to roll back their state. The reboot() syscall then returns an
+ * error to userspace, canceling the live update.
+ *
+ * 3. Finish Failure: In the new kernel, if a handler's .finish() op fails,
+ * the luo_file_finish() operation is aborted. LUO retains ownership of
+ * all files within that session, including those that were not yet
+ * processed. The userspace agent can attempt to call the finish operation
+ * again later. If the issue cannot be resolved, these resources will be held
+ * by LUO until the next live update cycle, at which point they will be
+ * discarded.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/cleanup.h>
+#include <linux/err.h>
+#include <linux/errno.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/kexec_handover.h>
+#include <linux/liveupdate.h>
+#include <linux/liveupdate/abi/luo.h>
+#include <linux/module.h>
+#include <linux/sizes.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include "luo_internal.h"
+
+static LIST_HEAD(luo_file_handler_list);
+
+/* 2 4K pages, give space for 128 files per session */
+#define LUO_FILE_PGCNT 2ul
+#define LUO_FILE_MAX \
+ ((LUO_FILE_PGCNT << PAGE_SHIFT) / sizeof(struct luo_file_ser))
+
+/**
+ * struct luo_file - Represents a single preserved file instance.
+ * @fh: Pointer to the &struct liveupdate_file_handler that manages
+ * this type of file.
+ * @file: Pointer to the kernel's &struct file that is being preserved.
+ * This is NULL in the new kernel until the file is successfully
+ * retrieved.
+ * @serialized_data: The opaque u64 handle to the serialized state of the file.
+ * This handle is passed back to the handler's .freeze(),
+ * .retrieve(), and .finish() callbacks, allowing it to track
+ * and update its serialized state across phases.
+ * @retrieved: A flag indicating whether a user/kernel in the new kernel has
+ * successfully called retrieve() on this file. This prevents
+ * multiple retrieval attempts.
+ * @mutex: A mutex that protects the fields of this specific instance
+ * (e.g., @retrieved, @file), ensuring that operations like
+ * retrieving or finishing a file are atomic.
+ * @list: The list_head linking this instance into its parent
+ * session's list of preserved files.
+ * @token: The user-provided unique token used to identify this file.
+ *
+ * This structure is the core in-kernel representation of a single file being
+ * managed through a live update. An instance is created by luo_preserve_file()
+ * to link a 'struct file' to its corresponding handler, a user-provided token,
+ * and the serialized state handle returned by the handler's .preserve()
+ * operation.
+ *
+ * These instances are tracked in a per-session list. The @serialized_data
+ * field, which holds a handle to the file's serialized state, may be updated
+ * during the .freeze() callback before being serialized for the next kernel.
+ * After reboot, these structures are recreated by luo_file_deserialize() and
+ * are finally cleaned up by luo_file_finish().
+ */
+struct luo_file {
+ struct liveupdate_file_handler *fh;
+ struct file *file;
+ u64 serialized_data;
+ bool retrieved;
+ struct mutex mutex;
+ struct list_head list;
+ u64 token;
+};
+
+static int luo_session_alloc_files_mem(struct luo_session *session)
+{
+ size_t size;
+ void *mem;
+
+ if (session->files)
+ return 0;
+
+ WARN_ON_ONCE(session->count);
+
+ size = LUO_FILE_PGCNT << PAGE_SHIFT;
+ mem = kho_alloc_preserve(size);
+ if (IS_ERR(mem))
+ return PTR_ERR(mem);
+
+ session->files = mem;
+ session->pgcnt = LUO_FILE_PGCNT;
+
+ return 0;
+}
+
+static void luo_session_free_files_mem(struct luo_session *session)
+{
+ /* If session has files, no need to free preservation memory */
+ if (session->count)
+ return;
+
+ if (!session->files)
+ return;
+
+ kho_unpreserve_free(session->files);
+ session->files = NULL;
+ session->pgcnt = 0;
+}
+
+static bool luo_token_is_used(struct luo_session *session, u64 token)
+{
+ struct luo_file *iter;
+
+ list_for_each_entry(iter, &session->files_list, list) {
+ if (iter->token == token)
+ return true;
+ }
+
+ return false;
+}
+
+/**
+ * luo_preserve_file - Initiate the preservation of a file descriptor.
+ * @session: The session to which the preserved file will be added.
+ * @token: A unique, user-provided identifier for the file.
+ * @fd: The file descriptor to be preserved.
+ *
+ * This function orchestrates the first phase of preserving a file. Upon entry,
+ * it takes a reference to the 'struct file' via fget(), effectively making LUO
+ * a co-owner of the file. This reference is held until the file is either
+ * unpreserved or successfully finished in the next kernel, preventing the file
+ * from being prematurely destroyed.
+ *
+ * This function orchestrates the first phase of preserving a file. It performs
+ * the following steps:
+ *
+ * 1. Validates that the @token is not already in use within the session.
+ * 2. Ensures the session's memory for files serialization is allocated
+ * (allocates if needed).
+ * 3. Iterates through registered handlers, calling can_preserve() to find one
+ * compatible with the given @fd.
+ * 4. Calls the handler's .preserve() operation, which saves the file's state
+ * and returns an opaque private data handle.
+ * 5. Adds the new instance to the session's internal list.
+ *
+ * On success, LUO takes a reference to the 'struct file' and considers it
+ * under its management until it is unpreserved or finished.
+ *
+ * In case of any failure, all intermediate allocations (file reference, memory
+ * for the 'luo_file' struct, etc.) are cleaned up before returning an error.
+ *
+ * Context: Can be called from an ioctl handler during normal system operation.
+ * Return: 0 on success. Returns a negative errno on failure:
+ * -EEXIST if the token is already used.
+ * -EBADF if the file descriptor is invalid.
+ * -ENOSPC if the session is full.
+ * -ENOENT if no compatible handler is found.
+ * -ENOMEM on memory allocation failure.
+ * Other erros might be returned by .preserve().
+ */
+int luo_preserve_file(struct luo_session *session, u64 token, int fd)
+{
+ struct liveupdate_file_op_args args = {0};
+ struct liveupdate_file_handler *fh;
+ struct luo_file *luo_file;
+ struct file *file;
+ int err;
+
+ lockdep_assert_held(&session->mutex);
+
+ if (luo_token_is_used(session, token))
+ return -EEXIST;
+
+ file = fget(fd);
+ if (!file)
+ return -EBADF;
+
+ err = luo_session_alloc_files_mem(session);
+ if (err)
+ goto exit_err;
+
+ if (session->count == LUO_FILE_MAX) {
+ err = -ENOSPC;
+ goto exit_err;
+ }
+
+ err = -ENOENT;
+ list_for_each_entry(fh, &luo_file_handler_list, list) {
+ if (fh->ops->can_preserve(fh, file)) {
+ err = 0;
+ break;
+ }
+ }
+
+ /* err is still -ENOENT if no handler was found */
+ if (err)
+ goto exit_err;
+
+ luo_file = kzalloc(sizeof(*luo_file), GFP_KERNEL);
+ if (!luo_file) {
+ err = -ENOMEM;
+ goto exit_err;
+ }
+
+ luo_file->file = file;
+ luo_file->fh = fh;
+ luo_file->token = token;
+ luo_file->retrieved = false;
+ mutex_init(&luo_file->mutex);
+
+ args.handler = fh;
+ args.session = (struct liveupdate_session *)session;
+ args.file = file;
+ err = fh->ops->preserve(&args);
+ if (err) {
+ mutex_destroy(&luo_file->mutex);
+ kfree(luo_file);
+ goto exit_err;
+ } else {
+ luo_file->serialized_data = args.serialized_data;
+ list_add_tail(&luo_file->list, &session->files_list);
+ session->count++;
+ }
+
+ return 0;
+
+exit_err:
+ fput(file);
+ luo_session_free_files_mem(session);
+
+ return err;
+}
+
+/**
+ * luo_file_unpreserve_files - Unpreserves all files from a session.
+ * @session: The session to be cleaned up.
+ *
+ * This function serves as the primary cleanup path for a session. It is
+ * invoked when the userspace agent closes the session's file descriptor.
+ *
+ * For each file, it performs the following cleanup actions:
+ * 1. Calls the handler's .unpreserve() callback to allow the handler to
+ * release any resources it allocated.
+ * 2. Removes the file from the session's internal tracking list.
+ * 3. Releases the reference to the 'struct file' that was taken by
+ * luo_preserve_file() via fput(), returning ownership.
+ * 4. Frees the memory associated with the internal 'struct luo_file'.
+ *
+ * After all individual files are unpreserved, it frees the contiguous memory
+ * block that was allocated to hold their serialization data.
+ */
+void luo_file_unpreserve_files(struct luo_session *session)
+{
+ struct luo_file *luo_file;
+
+ lockdep_assert_held(&session->mutex);
+
+ while (!list_empty(&session->files_list)) {
+ struct liveupdate_file_op_args args = {0};
+
+ luo_file = list_last_entry(&session->files_list,
+ struct luo_file, list);
+
+ args.handler = luo_file->fh;
+ args.session = (struct liveupdate_session *)session;
+ args.file = luo_file->file;
+ args.serialized_data = luo_file->serialized_data;
+ luo_file->fh->ops->unpreserve(&args);
+
+ list_del(&luo_file->list);
+ session->count--;
+
+ fput(luo_file->file);
+ mutex_destroy(&luo_file->mutex);
+ kfree(luo_file);
+ }
+
+ luo_session_free_files_mem(session);
+}
+
+static int luo_file_freeze_one(struct luo_session *session,
+ struct luo_file *luo_file)
+{
+ int err = 0;
+
+ guard(mutex)(&luo_file->mutex);
+
+ if (luo_file->fh->ops->freeze) {
+ struct liveupdate_file_op_args args = {0};
+
+ args.handler = luo_file->fh;
+ args.session = (struct liveupdate_session *)session;
+ args.file = luo_file->file;
+ args.serialized_data = luo_file->serialized_data;
+
+ err = luo_file->fh->ops->freeze(&args);
+ if (!err)
+ luo_file->serialized_data = args.serialized_data;
+ }
+
+ return err;
+}
+
+static void luo_file_unfreeze_one(struct luo_session *session,
+ struct luo_file *luo_file)
+{
+ guard(mutex)(&luo_file->mutex);
+
+ if (luo_file->fh->ops->unfreeze) {
+ struct liveupdate_file_op_args args = {0};
+
+ args.handler = luo_file->fh;
+ args.session = (struct liveupdate_session *)session;
+ args.file = luo_file->file;
+ args.serialized_data = luo_file->serialized_data;
+
+ luo_file->fh->ops->unfreeze(&args);
+ }
+
+ luo_file->serialized_data = 0;
+}
+
+static void __luo_file_unfreeze(struct luo_session *session,
+ struct luo_file *failed_entry)
+{
+ struct list_head *files_list = &session->files_list;
+ struct luo_file *luo_file;
+
+ list_for_each_entry(luo_file, files_list, list) {
+ if (luo_file == failed_entry)
+ break;
+
+ luo_file_unfreeze_one(session, luo_file);
+ }
+
+ memset(session->files, 0, session->pgcnt << PAGE_SHIFT);
+}
+
+/**
+ * luo_file_freeze - Freezes all preserved files and serializes their metadata.
+ * @session: The session whose files are to be frozen.
+ *
+ * This function is called from the reboot() syscall path, just before the
+ * kernel transitions to the new image via kexec. Its purpose is to perform the
+ * final preparation and serialization of all preserved files in the session.
+ *
+ * It iterates through each preserved file in FIFO order (the order of
+ * preservation) and performs two main actions:
+ *
+ * 1. Freezes the File: It calls the handler's .freeze() callback for each
+ * file. This gives the handler a final opportunity to quiesce the device or
+ * prepare its state for the upcoming reboot. The handler may update its
+ * private data handle during this step.
+ *
+ * 2. Serializes Metadata: After a successful freeze, it copies the final file
+ * metadata—the handler's compatible string, the user token, and the final
+ * private data handle—into the pre-allocated contiguous memory buffer
+ * (session->files) that will be handed over to the next kernel via KHO.
+ *
+ * Error Handling (Rollback):
+ * This function is atomic. If any handler's .freeze() operation fails, the
+ * entire live update is aborted. The __luo_file_unfreeze() helper is
+ * immediately called to invoke the .unfreeze() op on all files that were
+ * successfully frozen before the point of failure, rolling them back to a
+ * running state. The function then returns an error, causing the reboot()
+ * syscall to fail.
+ *
+ * Context: Called only from the liveupdate_reboot() path.
+ * Return: 0 on success, or a negative errno on failure.
+ */
+int luo_file_freeze(struct luo_session *session)
+{
+ struct luo_file_ser *file_ser = session->files;
+ struct luo_file *luo_file;
+ int err;
+ int i;
+
+ lockdep_assert_held(&session->mutex);
+
+ if (!session->count)
+ return 0;
+
+ if (WARN_ON(!file_ser))
+ return -EINVAL;
+
+ i = 0;
+ list_for_each_entry(luo_file, &session->files_list, list) {
+ err = luo_file_freeze_one(session, luo_file);
+ if (err < 0) {
+ pr_warn("Freeze failed for session[%s] token[%#0llx] handler[%s] err[%pe]\n",
+ session->name, luo_file->token,
+ luo_file->fh->compatible, ERR_PTR(err));
+ goto exit_err;
+ }
+
+ strscpy(file_ser[i].compatible, luo_file->fh->compatible,
+ sizeof(file_ser[i].compatible));
+ file_ser[i].data = luo_file->serialized_data;
+ file_ser[i].token = luo_file->token;
+ i++;
+ }
+
+ return 0;
+
+exit_err:
+ __luo_file_unfreeze(session, luo_file);
+
+ return err;
+}
+
+/**
+ * luo_file_unfreeze - Unfreezes all files in a session.
+ * @session: The session whose files are to be unfrozen.
+ *
+ * This function rolls back the state of all files in a session after the freeze
+ * phase has begun but must be aborted. It is the counterpart to
+ * luo_file_freeze().
+ *
+ * It invokes the __luo_file_unfreeze() helper with a NULL argument, which
+ * signals the helper to iterate through all files in the session and call
+ * their respective .unfreeze() handler callbacks.
+ *
+ * Context: This is called when the live update is aborted during
+ * the reboot() syscall, after luo_file_freeze() has been called.
+ */
+void luo_file_unfreeze(struct luo_session *session)
+{
+ lockdep_assert_held(&session->mutex);
+
+ if (!session->count)
+ return;
+
+ __luo_file_unfreeze(session, NULL);
+}
+
+/**
+ * luo_retrieve_file - Restores a preserved file from a session by its token.
+ * @session: The session from which to retrieve the file.
+ * @token: The unique token identifying the file to be restored.
+ * @filep: Output parameter; on success, this is populated with a pointer
+ * to the newly retrieved 'struct file'.
+ *
+ * This function is the primary mechanism for recreating a file in the new
+ * kernel after a live update. It searches the session's list of deserialized
+ * files for an entry matching the provided @token.
+ *
+ * The operation is idempotent: if a file has already been successfully
+ * retrieved, this function will simply return a pointer to the existing
+ * 'struct file' and report success without re-executing the retrieve
+ * operation. This is handled by checking the 'retrieved' flag under a lock.
+ *
+ * File retrieval can happen in any order; it is not bound by the order of
+ * preservation.
+ *
+ * Context: Can be called from an ioctl or other in-kernel code in the new
+ * kernel.
+ * Return: 0 on success. Returns a negative errno on failure:
+ * -ENOENT if no file with the matching token is found.
+ * Any error code returned by the handler's .retrieve() op.
+ */
+int luo_retrieve_file(struct luo_session *session, u64 token,
+ struct file **filep)
+{
+ struct liveupdate_file_op_args args = {0};
+ struct luo_file *luo_file;
+ int err;
+
+ lockdep_assert_held(&session->mutex);
+
+ if (list_empty(&session->files_list))
+ return -ENOENT;
+
+ list_for_each_entry(luo_file, &session->files_list, list) {
+ if (luo_file->token == token)
+ break;
+ }
+
+ if (luo_file->token != token)
+ return -ENOENT;
+
+ guard(mutex)(&luo_file->mutex);
+ if (luo_file->retrieved) {
+ /*
+ * Someone is asking for this file again, so get a reference
+ * for them.
+ */
+ get_file(luo_file->file);
+ *filep = luo_file->file;
+ return 0;
+ }
+
+ args.handler = luo_file->fh;
+ args.session = (struct liveupdate_session *)session;
+ args.serialized_data = luo_file->serialized_data;
+ err = luo_file->fh->ops->retrieve(&args);
+ if (!err) {
+ luo_file->file = args.file;
+
+ /* Get reference so we can keep this file in LUO until finish */
+ get_file(luo_file->file);
+ *filep = luo_file->file;
+ luo_file->retrieved = true;
+ }
+
+ return err;
+}
+
+static int luo_file_can_finish_one(struct luo_session *session,
+ struct luo_file *luo_file)
+{
+ bool can_finish = true;
+
+ guard(mutex)(&luo_file->mutex);
+
+ if (luo_file->fh->ops->can_finish) {
+ struct liveupdate_file_op_args args = {0};
+
+ args.handler = luo_file->fh;
+ args.session = (struct liveupdate_session *)session;
+ args.file = luo_file->file;
+ args.serialized_data = luo_file->serialized_data;
+ args.retrieved = luo_file->retrieved;
+ can_finish = luo_file->fh->ops->can_finish(&args);
+ }
+
+ return can_finish ? 0 : -EBUSY;
+}
+
+static void luo_file_finish_one(struct luo_session *session,
+ struct luo_file *luo_file)
+{
+ struct liveupdate_file_op_args args = {0};
+
+ guard(mutex)(&luo_file->mutex);
+
+ args.handler = luo_file->fh;
+ args.session = (struct liveupdate_session *)session;
+ args.file = luo_file->file;
+ args.serialized_data = luo_file->serialized_data;
+ args.retrieved = luo_file->retrieved;
+
+ luo_file->fh->ops->finish(&args);
+}
+
+/**
+ * luo_file_finish - Completes the lifecycle for all files in a session.
+ * @session: The session to be finalized.
+ *
+ * This function orchestrates the final teardown of a live update session in the
+ * new kernel. It should be called after all necessary files have been
+ * retrieved and the userspace agent is ready to release the preserved state.
+ *
+ * The function iterates through all tracked files. For each file, it performs
+ * the following sequence of cleanup actions:
+ *
+ * 1. If file is not yet retrieved, retrieves it, and calls can_finish() on
+ * every file in the session. If all can_finish return true, continue to
+ * finish.
+ * 2. Calls the handler's .finish() callback (via luo_file_finish_one) to
+ * allow for final resource cleanup within the handler.
+ * 3. Releases LUO's ownership reference on the 'struct file' via fput(). This
+ * is the counterpart to the get_file() call in luo_retrieve_file().
+ * 4. Removes the 'struct luo_file' from the session's internal list.
+ * 5. Frees the memory for the 'struct luo_file' instance itself.
+ *
+ * After successfully finishing all individual files, it frees the
+ * contiguous memory block that was used to transfer the serialized metadata
+ * from the previous kernel.
+ *
+ * Error Handling (Atomic Failure):
+ * This operation is atomic. If any handler's .can_finish() op fails, the entire
+ * function aborts immediately and returns an error.
+ *
+ * Context: Can be called from an ioctl handler in the new kernel.
+ * Return: 0 on success, or a negative errno on failure.
+ */
+int luo_file_finish(struct luo_session *session)
+{
+ struct list_head *files_list = &session->files_list;
+ struct luo_file *luo_file;
+ int err;
+
+ if (!session->count)
+ return 0;
+
+ lockdep_assert_held(&session->mutex);
+
+ list_for_each_entry(luo_file, files_list, list) {
+ err = luo_file_can_finish_one(session, luo_file);
+ if (err)
+ return err;
+ }
+
+ while (!list_empty(&session->files_list)) {
+ luo_file = list_last_entry(&session->files_list,
+ struct luo_file, list);
+
+ luo_file_finish_one(session, luo_file);
+
+ if (luo_file->file)
+ fput(luo_file->file);
+ list_del(&luo_file->list);
+ session->count--;
+ mutex_destroy(&luo_file->mutex);
+ kfree(luo_file);
+ }
+
+ if (session->files) {
+ kho_restore_free(session->files);
+ session->files = NULL;
+ session->pgcnt = 0;
+ }
+
+ return 0;
+}
+
+/**
+ * luo_file_deserialize - Reconstructs the list of preserved files in the new kernel.
+ * @session: The incoming session containing the serialized file data from KHO.
+ *
+ * This function is called during the early boot process of the new kernel. It
+ * takes the raw, contiguous memory block of 'struct luo_file_ser' entries,
+ * provided by the previous kernel, and transforms it back into a live,
+ * in-memory linked list of 'struct luo_file' instances.
+ *
+ * For each serialized entry, it performs the following steps:
+ * 1. Reads the 'compatible' string.
+ * 2. Searches the global list of registered file handlers for one that
+ * matches the compatible string.
+ * 3. Allocates a new 'struct luo_file'.
+ * 4. Populates the new structure with the deserialized data (token, private
+ * data handle) and links it to the found handler. The 'file' pointer is
+ * initialized to NULL, as the file has not been retrieved yet.
+ * 5. Adds the new 'struct luo_file' to the session's files_list.
+ *
+ * This prepares the session for userspace, which can later call
+ * luo_retrieve_file() to restore the actual file descriptors.
+ *
+ * Context: Called from session deserialization.
+ */
+int luo_file_deserialize(struct luo_session *session)
+{
+ struct luo_file_ser *file_ser;
+ u64 i;
+
+ lockdep_assert_held(&session->mutex);
+
+ if (!session->files)
+ return 0;
+
+ file_ser = session->files;
+ for (i = 0; i < session->count; i++) {
+ struct liveupdate_file_handler *fh;
+ bool handler_found = false;
+ struct luo_file *luo_file;
+
+ list_for_each_entry(fh, &luo_file_handler_list, list) {
+ if (!strcmp(fh->compatible, file_ser[i].compatible)) {
+ handler_found = true;
+ break;
+ }
+ }
+
+ if (!handler_found) {
+ pr_warn("No registered handler for compatible '%s'\n",
+ file_ser[i].compatible);
+ return -ENOENT;
+ }
+
+ luo_file = kzalloc(sizeof(*luo_file), GFP_KERNEL);
+ if (!luo_file)
+ return -ENOMEM;
+
+ luo_file->fh = fh;
+ luo_file->file = NULL;
+ luo_file->serialized_data = file_ser[i].data;
+ luo_file->token = file_ser[i].token;
+ luo_file->retrieved = false;
+ mutex_init(&luo_file->mutex);
+ list_add_tail(&luo_file->list, &session->files_list);
+ }
+
+ return 0;
+}
+
+/**
+ * liveupdate_register_file_handler - Register a file handler with LUO.
+ * @fh: Pointer to a caller-allocated &struct liveupdate_file_handler.
+ * The caller must initialize this structure, including a unique
+ * 'compatible' string and a valid 'fh' callbacks. This function adds the
+ * handler to the global list of supported file handlers.
+ *
+ * Context: Typically called during module initialization for file types that
+ * support live update preservation.
+ *
+ * Return: 0 on success. Negative errno on failure.
+ */
+int liveupdate_register_file_handler(struct liveupdate_file_handler *fh)
+{
+ static DEFINE_MUTEX(register_file_handler_lock);
+ struct liveupdate_file_handler *fh_iter;
+
+ if (!liveupdate_enabled())
+ return -EOPNOTSUPP;
+
+ /*
+ * Once sessions have been deserialized, file handlers cannot be
+ * registered, it is too late.
+ */
+ if (WARN_ON(luo_session_is_deserialized()))
+ return -EBUSY;
+
+ /* Sanity check that all required callbacks are set */
+ if (!fh->ops->preserve || !fh->ops->unpreserve ||
+ !fh->ops->retrieve || !fh->ops->finish) {
+ return -EINVAL;
+ }
+
+ guard(mutex)(®ister_file_handler_lock);
+ list_for_each_entry(fh_iter, &luo_file_handler_list, list) {
+ if (!strcmp(fh_iter->compatible, fh->compatible)) {
+ pr_err("File handler registration failed: Compatible string '%s' already registered.\n",
+ fh->compatible);
+ return -EEXIST;
+ }
+ }
+
+ if (!try_module_get(fh->ops->owner))
+ return -EAGAIN;
+
+ INIT_LIST_HEAD(&fh->list);
+ list_add_tail(&fh->list, &luo_file_handler_list);
+
+ return 0;
+}
+
+/**
+ * liveupdate_get_token_outgoing - Get the token for a preserved file.
+ * @s: The outgoing liveupdate session.
+ * @file: The file object to search for.
+ * @tokenp: Output parameter for the found token.
+ *
+ * Searches the list of preserved files in an outgoing session for a matching
+ * file object. If found, the corresponding user-provided token is returned.
+ *
+ * This function is intended for in-kernel callers that need to correlate a
+ * file with its liveupdate token.
+ *
+ * Context: Can be called from any context that can acquire the session mutex.
+ * Return: 0 on success, -ENOENT if the file is not preserved in this session.
+ */
+int liveupdate_get_token_outgoing(struct liveupdate_session *s,
+ struct file *file, u64 *tokenp)
+{
+ struct luo_session *session = (struct luo_session *)s;
+ struct luo_file *luo_file;
+ int err = -ENOENT;
+
+ list_for_each_entry(luo_file, &session->files_list, list) {
+ if (luo_file->file == file) {
+ if (tokenp)
+ *tokenp = luo_file->token;
+ err = 0;
+ break;
+ }
+ }
+
+ return err;
+}
+
+/**
+ * liveupdate_get_file_incoming - Retrieves a preserved file for in-kernel use.
+ * @s: The incoming liveupdate session (restored from the previous kernel).
+ * @token: The unique token identifying the file to retrieve.
+ * @filep: On success, this will be populated with a pointer to the retrieved
+ * 'struct file'.
+ *
+ * Provides a kernel-internal API for other subsystems to retrieve their
+ * preserved files after a live update. This function is a simple wrapper
+ * around luo_retrieve_file(), allowing callers to find a file by its token.
+ *
+ * The operation is idempotent; subsequent calls for the same token will return
+ * a pointer to the same 'struct file' object.
+ *
+ * The caller receives a pointer to the file with a reference incremented. The
+ * file's lifetime is managed by LUO and any userspace file
+ * descriptors. If the caller needs to hold a reference to the file beyond the
+ * immediate scope, it must call get_file() itself.
+ *
+ * Context: Can be called from any context in the new kernel that has a handle
+ * to a restored session.
+ * Return: 0 on success. Returns -ENOENT if no file with the matching token is
+ * found, or any other negative errno on failure.
+ */
+int liveupdate_get_file_incoming(struct liveupdate_session *s, u64 token,
+ struct file **filep)
+{
+ struct luo_session *session = (struct luo_session *)s;
+
+ return luo_retrieve_file(session, token, filep);
+}
diff --git a/kernel/liveupdate/luo_internal.h b/kernel/liveupdate/luo_internal.h
index 5185ad37a8c1..1a36f2383123 100644
--- a/kernel/liveupdate/luo_internal.h
+++ b/kernel/liveupdate/luo_internal.h
@@ -70,4 +70,13 @@ int luo_session_serialize(void);
int luo_session_deserialize(void);
bool luo_session_is_deserialized(void);
+int luo_preserve_file(struct luo_session *session, u64 token, int fd);
+void luo_file_unpreserve_files(struct luo_session *session);
+int luo_file_freeze(struct luo_session *session);
+void luo_file_unfreeze(struct luo_session *session);
+int luo_retrieve_file(struct luo_session *session, u64 token,
+ struct file **filep);
+int luo_file_finish(struct luo_session *session);
+int luo_file_deserialize(struct luo_session *session);
+
#endif /* _LINUX_LUO_INTERNAL_H */
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 05/20] liveupdate: luo_ioctl: add user interface
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
Introduce the user-space interface for the Live Update Orchestrator
via ioctl commands, enabling external control over the live update
process and management of preserved resources.
The idea is that there is going to be a single userspace agent driving
the live update, therefore, only a single process can ever hold this
device opened at a time.
The following ioctl commands are introduced:
LIVEUPDATE_IOCTL_CREATE_SESSION
Provides a way for userspace to create a named session for grouping file
descriptors that need to be preserved. It returns a new file descriptor
representing the session.
LIVEUPDATE_IOCTL_RETRIEVE_SESSION
Allows the userspace agent in the new kernel to reclaim a preserved
session by its name, receiving a new file descriptor to manage the
restored resources.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
include/uapi/linux/liveupdate.h | 66 +++++++++++-
kernel/liveupdate/luo_internal.h | 21 ++++
kernel/liveupdate/luo_ioctl.c | 178 +++++++++++++++++++++++++++++++
3 files changed, 264 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/liveupdate.h b/include/uapi/linux/liveupdate.h
index d2ef2f7e0dbd..6e04254ee535 100644
--- a/include/uapi/linux/liveupdate.h
+++ b/include/uapi/linux/liveupdate.h
@@ -44,6 +44,70 @@
#define LIVEUPDATE_IOCTL_TYPE 0xBA
/* The maximum length of session name including null termination */
-#define LIVEUPDATE_SESSION_NAME_LENGTH 56
+#define LIVEUPDATE_SESSION_NAME_LENGTH 64
+
+/* The /dev/liveupdate ioctl commands */
+enum {
+ LIVEUPDATE_CMD_BASE = 0x00,
+ LIVEUPDATE_CMD_CREATE_SESSION = LIVEUPDATE_CMD_BASE,
+ LIVEUPDATE_CMD_RETRIEVE_SESSION = 0x01,
+};
+
+/**
+ * struct liveupdate_ioctl_create_session - ioctl(LIVEUPDATE_IOCTL_CREATE_SESSION)
+ * @size: Input; sizeof(struct liveupdate_ioctl_create_session)
+ * @fd: Output; The new file descriptor for the created session.
+ * @name: Input; A null-terminated string for the session name, max
+ * length %LIVEUPDATE_SESSION_NAME_LENGTH including termination
+ * char.
+ *
+ * Creates a new live update session for managing preserved resources.
+ * This ioctl can only be called on the main /dev/liveupdate device.
+ *
+ * Return: 0 on success, negative error code on failure.
+ */
+struct liveupdate_ioctl_create_session {
+ __u32 size;
+ __s32 fd;
+ __u8 name[LIVEUPDATE_SESSION_NAME_LENGTH];
+};
+
+#define LIVEUPDATE_IOCTL_CREATE_SESSION \
+ _IO(LIVEUPDATE_IOCTL_TYPE, LIVEUPDATE_CMD_CREATE_SESSION)
+
+/**
+ * struct liveupdate_ioctl_retrieve_session - ioctl(LIVEUPDATE_IOCTL_RETRIEVE_SESSION)
+ * @size: Input; sizeof(struct liveupdate_ioctl_retrieve_session)
+ * @fd: Output; The new file descriptor for the retrieved session.
+ * @name: Input; A null-terminated string identifying the session to retrieve.
+ * The name must exactly match the name used when the session was
+ * created in the previous kernel.
+ *
+ * Retrieves a handle (a new file descriptor) for a preserved session by its
+ * name. This is the primary mechanism for a userspace agent to regain control
+ * of its preserved resources after a live update.
+ *
+ * The userspace application provides the null-terminated `name` of a session
+ * it created before the live update. If a preserved session with a matching
+ * name is found, the kernel instantiates it and returns a new file descriptor
+ * in the `fd` field. This new session FD can then be used for all file-specific
+ * operations, such as restoring individual file descriptors with
+ * LIVEUPDATE_SESSION_RETRIEVE_FD.
+ *
+ * It is the responsibility of the userspace application to know the names of
+ * the sessions it needs to retrieve. If no session with the given name is
+ * found, the ioctl will fail with -ENOENT.
+ *
+ * This ioctl can only be called on the main /dev/liveupdate device when the
+ * system is in the LIVEUPDATE_STATE_UPDATED state.
+ */
+struct liveupdate_ioctl_retrieve_session {
+ __u32 size;
+ __s32 fd;
+ __u8 name[LIVEUPDATE_SESSION_NAME_LENGTH];
+};
+
+#define LIVEUPDATE_IOCTL_RETRIEVE_SESSION \
+ _IO(LIVEUPDATE_IOCTL_TYPE, LIVEUPDATE_CMD_RETRIEVE_SESSION)
#endif /* _UAPI_LIVEUPDATE_H */
diff --git a/kernel/liveupdate/luo_internal.h b/kernel/liveupdate/luo_internal.h
index 245373edfa6f..5185ad37a8c1 100644
--- a/kernel/liveupdate/luo_internal.h
+++ b/kernel/liveupdate/luo_internal.h
@@ -9,6 +9,27 @@
#define _LINUX_LUO_INTERNAL_H
#include <linux/liveupdate.h>
+#include <linux/uaccess.h>
+
+struct luo_ucmd {
+ void __user *ubuffer;
+ u32 user_size;
+ void *cmd;
+};
+
+static inline int luo_ucmd_respond(struct luo_ucmd *ucmd,
+ size_t kernel_cmd_size)
+{
+ /*
+ * Copy the minimum of what the user provided and what we actually
+ * have.
+ */
+ if (copy_to_user(ucmd->ubuffer, ucmd->cmd,
+ min_t(size_t, ucmd->user_size, kernel_cmd_size))) {
+ return -EFAULT;
+ }
+ return 0;
+}
/**
* struct luo_session - Represents an active or incoming Live Update session.
diff --git a/kernel/liveupdate/luo_ioctl.c b/kernel/liveupdate/luo_ioctl.c
index 44d365185f7c..367385efa962 100644
--- a/kernel/liveupdate/luo_ioctl.c
+++ b/kernel/liveupdate/luo_ioctl.c
@@ -5,15 +5,192 @@
* Pasha Tatashin <pasha.tatashin@soleen.com>
*/
+/**
+ * DOC: LUO ioctl Interface
+ *
+ * The IOCTL user-space control interface for the LUO subsystem.
+ * It registers a character device, typically found at ``/dev/liveupdate``,
+ * which allows a userspace agent to manage the LUO state machine and its
+ * associated resources, such as preservable file descriptors.
+ *
+ * To ensure that the state machine is controlled by a single entity, access
+ * to this device is exclusive: only one process is permitted to have
+ * ``/dev/liveupdate`` open at any given time. Subsequent open attempts will
+ * fail with -EBUSY until the first process closes its file descriptor.
+ * This singleton model simplifies state management by preventing conflicting
+ * commands from multiple userspace agents.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/atomic.h>
+#include <linux/errno.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/init.h>
+#include <linux/kernel.h>
#include <linux/liveupdate.h>
#include <linux/miscdevice.h>
+#include <uapi/linux/liveupdate.h>
+#include "luo_internal.h"
struct luo_device_state {
struct miscdevice miscdev;
+ atomic_t in_use;
+};
+
+static int luo_ioctl_create_session(struct luo_ucmd *ucmd)
+{
+ struct liveupdate_ioctl_create_session *argp = ucmd->cmd;
+ struct file *file;
+ int err;
+
+ argp->fd = get_unused_fd_flags(O_CLOEXEC);
+ if (argp->fd < 0)
+ return argp->fd;
+
+ err = luo_session_create(argp->name, &file);
+ if (err)
+ goto err_put_fd;
+
+ err = luo_ucmd_respond(ucmd, sizeof(*argp));
+ if (err)
+ goto err_put_file;
+
+ fd_install(argp->fd, file);
+
+ return 0;
+
+err_put_file:
+ fput(file);
+err_put_fd:
+ put_unused_fd(argp->fd);
+
+ return err;
+}
+
+static int luo_ioctl_retrieve_session(struct luo_ucmd *ucmd)
+{
+ struct liveupdate_ioctl_retrieve_session *argp = ucmd->cmd;
+ struct file *file;
+ int err;
+
+ argp->fd = get_unused_fd_flags(O_CLOEXEC);
+ if (argp->fd < 0)
+ return argp->fd;
+
+ err = luo_session_retrieve(argp->name, &file);
+ if (err < 0)
+ goto err_put_fd;
+
+ err = luo_ucmd_respond(ucmd, sizeof(*argp));
+ if (err)
+ goto err_put_file;
+
+ fd_install(argp->fd, file);
+
+ return 0;
+
+err_put_file:
+ fput(file);
+err_put_fd:
+ put_unused_fd(argp->fd);
+
+ return err;
+}
+
+static int luo_open(struct inode *inodep, struct file *filep)
+{
+ struct luo_device_state *ldev = container_of(filep->private_data,
+ struct luo_device_state,
+ miscdev);
+
+ if (atomic_cmpxchg(&ldev->in_use, 0, 1))
+ return -EBUSY;
+
+ luo_session_deserialize();
+
+ return 0;
+}
+
+static int luo_release(struct inode *inodep, struct file *filep)
+{
+ struct luo_device_state *ldev = container_of(filep->private_data,
+ struct luo_device_state,
+ miscdev);
+ atomic_set(&ldev->in_use, 0);
+
+ return 0;
+}
+
+union ucmd_buffer {
+ struct liveupdate_ioctl_create_session create;
+ struct liveupdate_ioctl_retrieve_session retrieve;
+};
+
+struct luo_ioctl_op {
+ unsigned int size;
+ unsigned int min_size;
+ unsigned int ioctl_num;
+ int (*execute)(struct luo_ucmd *ucmd);
+};
+
+#define IOCTL_OP(_ioctl, _fn, _struct, _last) \
+ [_IOC_NR(_ioctl) - LIVEUPDATE_CMD_BASE] = { \
+ .size = sizeof(_struct) + \
+ BUILD_BUG_ON_ZERO(sizeof(union ucmd_buffer) < \
+ sizeof(_struct)), \
+ .min_size = offsetofend(_struct, _last), \
+ .ioctl_num = _ioctl, \
+ .execute = _fn, \
+ }
+
+static const struct luo_ioctl_op luo_ioctl_ops[] = {
+ IOCTL_OP(LIVEUPDATE_IOCTL_CREATE_SESSION, luo_ioctl_create_session,
+ struct liveupdate_ioctl_create_session, name),
+ IOCTL_OP(LIVEUPDATE_IOCTL_RETRIEVE_SESSION, luo_ioctl_retrieve_session,
+ struct liveupdate_ioctl_retrieve_session, name),
};
+static long luo_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
+{
+ const struct luo_ioctl_op *op;
+ struct luo_ucmd ucmd = {};
+ union ucmd_buffer buf;
+ unsigned int nr;
+ int err;
+
+ nr = _IOC_NR(cmd);
+ if (nr < LIVEUPDATE_CMD_BASE ||
+ (nr - LIVEUPDATE_CMD_BASE) >= ARRAY_SIZE(luo_ioctl_ops)) {
+ return -EINVAL;
+ }
+
+ ucmd.ubuffer = (void __user *)arg;
+ err = get_user(ucmd.user_size, (u32 __user *)ucmd.ubuffer);
+ if (err)
+ return err;
+
+ op = &luo_ioctl_ops[nr - LIVEUPDATE_CMD_BASE];
+ if (op->ioctl_num != cmd)
+ return -ENOIOCTLCMD;
+ if (ucmd.user_size < op->min_size)
+ return -EINVAL;
+
+ ucmd.cmd = &buf;
+ err = copy_struct_from_user(ucmd.cmd, op->size, ucmd.ubuffer,
+ ucmd.user_size);
+ if (err)
+ return err;
+
+ return op->execute(&ucmd);
+}
+
static const struct file_operations luo_fops = {
.owner = THIS_MODULE,
+ .open = luo_open,
+ .release = luo_release,
+ .unlocked_ioctl = luo_ioctl,
};
static struct luo_device_state luo_dev = {
@@ -22,6 +199,7 @@ static struct luo_device_state luo_dev = {
.name = "liveupdate",
.fops = &luo_fops,
},
+ .in_use = ATOMIC_INIT(0),
};
static int __init liveupdate_ioctl_init(void)
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 04/20] liveupdate: luo_session: add sessions support
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
Introduce concept of "Live Update Sessions" within the LUO framework.
LUO sessions provide a mechanism to group and manage `struct file *`
instances (representing file descriptors) that need to be preserved
across a kexec-based live update.
Each session is identified by a unique name and acts as a container
for file objects whose state is critical to a userspace workload, such
as a virtual machine or a high-performance database, aiming to maintain
their functionality across a kernel transition.
This groundwork establishes the framework for preserving file-backed
state across kernel updates, with the actual file data preservation
mechanisms to be implemented in subsequent patches.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
include/linux/liveupdate/abi/luo.h | 83 +++++-
include/uapi/linux/liveupdate.h | 3 +
kernel/liveupdate/Makefile | 3 +-
kernel/liveupdate/luo_core.c | 10 +
kernel/liveupdate/luo_internal.h | 52 ++++
kernel/liveupdate/luo_session.c | 421 +++++++++++++++++++++++++++++
6 files changed, 570 insertions(+), 2 deletions(-)
create mode 100644 kernel/liveupdate/luo_internal.h
create mode 100644 kernel/liveupdate/luo_session.c
diff --git a/include/linux/liveupdate/abi/luo.h b/include/linux/liveupdate/abi/luo.h
index 9483a294287f..03a177ae232e 100644
--- a/include/linux/liveupdate/abi/luo.h
+++ b/include/linux/liveupdate/abi/luo.h
@@ -28,6 +28,11 @@
* / {
* compatible = "luo-v1";
* liveupdate-number = <...>;
+ *
+ * luo-session {
+ * compatible = "luo-session-v1";
+ * luo-session-header = <phys_addr_of_session_header_ser>;
+ * };
* };
*
* Main LUO Node (/):
@@ -36,14 +41,40 @@
* Identifies the overall LUO ABI version.
* - liveupdate-number: u64
* A counter tracking the number of successful live updates performed.
+ *
+ * Session Node (luo-session):
+ * This node describes all preserved user-space sessions.
+ *
+ * - compatible: "luo-session-v1"
+ * Identifies the session ABI version.
+ * - luo-session-header: u64
+ * The physical address of a `struct luo_session_header_ser`. This structure
+ * is the header for a contiguous block of memory containing an array of
+ * `struct luo_session_ser`, one for each preserved session.
+ *
+ * Serialization Structures:
+ * The FDT properties point to memory regions containing arrays of simple,
+ * `__packed` structures. These structures contain the actual preserved state.
+ *
+ * - struct luo_session_header_ser:
+ * Header for the session array. Contains the total page count of the
+ * preserved memory block and the number of `struct luo_session_ser`
+ * entries that follow.
+ *
+ * - struct luo_session_ser:
+ * Metadata for a single session, including its name and a physical pointer
+ * to another preserved memory block containing an array of
+ * `struct luo_file_ser` for all files in that session.
*/
#ifndef _LINUX_LIVEUPDATE_ABI_LUO_H
#define _LINUX_LIVEUPDATE_ABI_LUO_H
+#include <uapi/linux/liveupdate.h>
+
/*
* The LUO FDT hooks all LUO state for sessions, fds, etc.
- * In the root it allso carries "liveupdate-number" 64-bit property that
+ * In the root it also carries "liveupdate-number" 64-bit property that
* corresponds to the number of live-updates performed on this machine.
*/
#define LUO_FDT_SIZE PAGE_SIZE
@@ -51,4 +82,54 @@
#define LUO_FDT_COMPATIBLE "luo-v1"
#define LUO_FDT_LIVEUPDATE_NUM "liveupdate-number"
+/*
+ * LUO FDT session node
+ * LUO_FDT_SESSION_HEADER: is a u64 physical address of struct
+ * luo_session_header_ser
+ */
+#define LUO_FDT_SESSION_NODE_NAME "luo-session"
+#define LUO_FDT_SESSION_COMPATIBLE "luo-session-v1"
+#define LUO_FDT_SESSION_HEADER "luo-session-header"
+
+/**
+ * struct luo_session_header_ser - Header for the serialized session data block.
+ * @pgcnt: The total size, in pages, of the entire preserved memory block
+ * that this header describes.
+ * @count: The number of 'struct luo_session_ser' entries that immediately
+ * follow this header in the memory block.
+ *
+ * This structure is located at the beginning of a contiguous block of
+ * physical memory preserved across the kexec. It provides the necessary
+ * metadata to interpret the array of session entries that follow.
+ */
+struct luo_session_header_ser {
+ u64 pgcnt;
+ u64 count;
+} __packed;
+
+/**
+ * struct luo_session_ser - Represents the serialized metadata for a LUO session.
+ * @name: The unique name of the session, copied from the `luo_session`
+ * structure.
+ * @files: The physical address of a contiguous memory block that holds
+ * the serialized state of files.
+ * @pgcnt: The number of pages occupied by the `files` memory block.
+ * @count: The total number of files that were part of this session during
+ * serialization. Used for iteration and validation during
+ * restoration.
+ *
+ * This structure is used to package session-specific metadata for transfer
+ * between kernels via Kexec Handover. An array of these structures (one per
+ * session) is created and passed to the new kernel, allowing it to reconstruct
+ * the session context.
+ *
+ * If this structure is modified, LUO_SESSION_COMPATIBLE must be updated.
+ */
+struct luo_session_ser {
+ char name[LIVEUPDATE_SESSION_NAME_LENGTH];
+ u64 files;
+ u64 pgcnt;
+ u64 count;
+} __packed;
+
#endif /* _LINUX_LIVEUPDATE_ABI_LUO_H */
diff --git a/include/uapi/linux/liveupdate.h b/include/uapi/linux/liveupdate.h
index df34c1642c4d..d2ef2f7e0dbd 100644
--- a/include/uapi/linux/liveupdate.h
+++ b/include/uapi/linux/liveupdate.h
@@ -43,4 +43,7 @@
/* The ioctl type, documented in ioctl-number.rst */
#define LIVEUPDATE_IOCTL_TYPE 0xBA
+/* The maximum length of session name including null termination */
+#define LIVEUPDATE_SESSION_NAME_LENGTH 56
+
#endif /* _UAPI_LIVEUPDATE_H */
diff --git a/kernel/liveupdate/Makefile b/kernel/liveupdate/Makefile
index 413722002b7a..83285e7ad726 100644
--- a/kernel/liveupdate/Makefile
+++ b/kernel/liveupdate/Makefile
@@ -2,7 +2,8 @@
luo-y := \
luo_core.o \
- luo_ioctl.o
+ luo_ioctl.o \
+ luo_session.o
obj-$(CONFIG_KEXEC_HANDOVER) += kexec_handover.o
obj-$(CONFIG_KEXEC_HANDOVER_DEBUG) += kexec_handover_debug.o
diff --git a/kernel/liveupdate/luo_core.c b/kernel/liveupdate/luo_core.c
index 4a213b262b9f..653cdca5e25d 100644
--- a/kernel/liveupdate/luo_core.c
+++ b/kernel/liveupdate/luo_core.c
@@ -54,6 +54,7 @@
#include <linux/unaligned.h>
#include "kexec_handover_internal.h"
+#include "luo_internal.h"
static struct {
bool enabled;
@@ -117,6 +118,10 @@ static int __init luo_early_startup(void)
pr_info("Retrieved live update data, liveupdate number: %lld\n",
luo_global.liveupdate_num);
+ err = luo_session_setup_incoming(luo_global.fdt_in);
+ if (err)
+ return err;
+
return 0;
}
@@ -153,6 +158,7 @@ static int __init luo_fdt_setup(void)
err |= fdt_begin_node(fdt_out, "");
err |= fdt_property_string(fdt_out, "compatible", LUO_FDT_COMPATIBLE);
err |= fdt_property(fdt_out, LUO_FDT_LIVEUPDATE_NUM, &ln, sizeof(ln));
+ err |= luo_session_setup_outgoing(fdt_out);
err |= fdt_end_node(fdt_out);
err |= fdt_finish(fdt_out);
if (err)
@@ -210,6 +216,10 @@ int liveupdate_reboot(void)
if (!liveupdate_enabled())
return 0;
+ err = luo_session_serialize();
+ if (err)
+ return err;
+
err = kho_finalize();
if (err) {
pr_err("kho_finalize failed %d\n", err);
diff --git a/kernel/liveupdate/luo_internal.h b/kernel/liveupdate/luo_internal.h
new file mode 100644
index 000000000000..245373edfa6f
--- /dev/null
+++ b/kernel/liveupdate/luo_internal.h
@@ -0,0 +1,52 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+#ifndef _LINUX_LUO_INTERNAL_H
+#define _LINUX_LUO_INTERNAL_H
+
+#include <linux/liveupdate.h>
+
+/**
+ * struct luo_session - Represents an active or incoming Live Update session.
+ * @name: A unique name for this session, used for identification and
+ * retrieval.
+ * @files_list: An ordered list of files associated with this session, it is
+ * ordered by preservation time.
+ * @ser: Pointer to the serialized data for this session.
+ * @count: A counter tracking the number of files currently stored in the
+ * @files_list for this session.
+ * @list: A list_head member used to link this session into a global list
+ * of either outgoing (to be preserved) or incoming (restored from
+ * previous kernel) sessions.
+ * @retrieved: A boolean flag indicating whether this session has been
+ * retrieved by a consumer in the new kernel.
+ * @mutex: Session lock, protects files_list, and count.
+ * @files: The physically contiguous memory block that holds the serialized
+ * state of files.
+ * @pgcnt: The number of pages @files occupy.
+ */
+struct luo_session {
+ char name[LIVEUPDATE_SESSION_NAME_LENGTH];
+ struct list_head files_list;
+ struct luo_session_ser *ser;
+ long count;
+ struct list_head list;
+ bool retrieved;
+ struct mutex mutex;
+ struct luo_file_ser *files;
+ u64 pgcnt;
+};
+
+int luo_session_create(const char *name, struct file **filep);
+int luo_session_retrieve(const char *name, struct file **filep);
+int __init luo_session_setup_outgoing(void *fdt);
+int __init luo_session_setup_incoming(void *fdt);
+int luo_session_serialize(void);
+int luo_session_deserialize(void);
+bool luo_session_is_deserialized(void);
+
+#endif /* _LINUX_LUO_INTERNAL_H */
diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
new file mode 100644
index 000000000000..cb74bfaba479
--- /dev/null
+++ b/kernel/liveupdate/luo_session.c
@@ -0,0 +1,421 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+/**
+ * DOC: LUO Sessions
+ *
+ * LUO Sessions provide the core mechanism for grouping and managing `struct
+ * file *` instances that need to be preserved across a kexec-based live
+ * update. Each session acts as a named container for a set of file objects,
+ * allowing a userspace agent to manage the lifecycle of resources critical to a
+ * workload.
+ *
+ * Core Concepts:
+ *
+ * - Named Containers: Sessions are identified by a unique, user-provided name,
+ * which is used for both creation in the current kernel and retrieval in the
+ * next kernel.
+ *
+ * - Userspace Interface: Session management is driven from userspace via
+ * ioctls on /dev/liveupdate.
+ *
+ * - Serialization: Session metadata is preserved using the KHO framework. When
+ * a live update is triggered via kexec, an array of `struct luo_session_ser`
+ * is populated and placed in a preserved memory region. An FDT node is also
+ * created, containing the count of sessions and the physical address of this
+ * array.
+ *
+ * Session Lifecycle:
+ *
+ * 1. Creation: A userspace agent calls `luo_session_create()` to create a
+ * new, empty session and receives a file descriptor for it.
+ *
+ * 2. Serialization: When the `reboot(LINUX_REBOOT_CMD_KEXEC)` syscall is
+ * made, `luo_session_serialize()` is called. It iterates through all
+ * active sessions and writes their metadata into a memory area preserved
+ * by KHO.
+ *
+ * 3. Deserialization (in new kernel): After kexec, `luo_session_deserialize()`
+ * runs, reading the serialized data and creating a list of `struct
+ * luo_session` objects representing the preserved sessions.
+ *
+ * 4. Retrieval: A userspace agent in the new kernel can then call
+ * `luo_session_retrieve()` with a session name to get a new file
+ * descriptor and access the preserved state.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/anon_inodes.h>
+#include <linux/cleanup.h>
+#include <linux/err.h>
+#include <linux/errno.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/io.h>
+#include <linux/kexec_handover.h>
+#include <linux/libfdt.h>
+#include <linux/list.h>
+#include <linux/liveupdate.h>
+#include <linux/liveupdate/abi/luo.h>
+#include <linux/mutex.h>
+#include <linux/slab.h>
+#include <linux/unaligned.h>
+#include <uapi/linux/liveupdate.h>
+#include "luo_internal.h"
+
+/* 16 4K pages, give space for 819 sessions */
+#define LUO_SESSION_PGCNT 16ul
+#define LUO_SESSION_MAX (((LUO_SESSION_PGCNT << PAGE_SHIFT) - \
+ sizeof(struct luo_session_header_ser)) / \
+ sizeof(struct luo_session_ser))
+
+/**
+ * struct luo_session_header - Header struct for managing LUO sessions.
+ * @count: The number of sessions currently tracked in the @list.
+ * @list: The head of the linked list of `struct luo_session` instances.
+ * @rwsem: A read-write semaphore providing synchronized access to the
+ * session list and other fields in this structure.
+ * @header_ser: The header data of serialization array.
+ * @ser: The serialized session data (an array of
+ * `struct luo_session_ser`).
+ * @active: Set to true when first initialized. If previous kernel did not
+ * send session data, active stays false for incoming.
+ */
+struct luo_session_header {
+ long count;
+ struct list_head list;
+ struct rw_semaphore rwsem;
+ struct luo_session_header_ser *header_ser;
+ struct luo_session_ser *ser;
+ bool active;
+};
+
+/**
+ * struct luo_session_global - Global container for managing LUO sessions.
+ * @incoming: The sessions passed from the previous kernel.
+ * @outgoing: The sessions that are going to be passed to the next kernel.
+ * @deserialized: The sessions have been deserialized once /dev/liveupdate
+ * has been opened.
+ */
+struct luo_session_global {
+ struct luo_session_header incoming;
+ struct luo_session_header outgoing;
+ bool deserialized;
+};
+
+static struct luo_session_global luo_session_global;
+
+static struct luo_session *luo_session_alloc(const char *name)
+{
+ struct luo_session *session = kzalloc(sizeof(*session), GFP_KERNEL);
+
+ if (!session)
+ return ERR_PTR(-ENOMEM);
+
+ strscpy(session->name, name, sizeof(session->name));
+ INIT_LIST_HEAD(&session->files_list);
+ INIT_LIST_HEAD(&session->list);
+ mutex_init(&session->mutex);
+ session->count = 0;
+
+ return session;
+}
+
+static void luo_session_free(struct luo_session *session)
+{
+ WARN_ON(session->count);
+ WARN_ON(!list_empty(&session->files_list));
+ mutex_destroy(&session->mutex);
+ kfree(session);
+}
+
+static int luo_session_insert(struct luo_session_header *sh,
+ struct luo_session *session)
+{
+ struct luo_session *it;
+
+ guard(rwsem_write)(&sh->rwsem);
+
+ /*
+ * For outgoing we should make sure there is room in serialization array
+ * for new session.
+ */
+ if (sh == &luo_session_global.outgoing) {
+ if (sh->count == LUO_SESSION_MAX)
+ return -ENOMEM;
+ }
+
+ /*
+ * For small number of sessions this loop won't hurt performance
+ * but if we ever start using a lot of sessions, this might
+ * become a bottle neck during deserialization time, as it would
+ * cause O(n*n) complexity.
+ */
+ list_for_each_entry(it, &sh->list, list) {
+ if (!strncmp(it->name, session->name, sizeof(it->name)))
+ return -EEXIST;
+ }
+ list_add_tail(&session->list, &sh->list);
+ sh->count++;
+
+ return 0;
+}
+
+static void luo_session_remove(struct luo_session_header *sh,
+ struct luo_session *session)
+{
+ guard(rwsem_write)(&sh->rwsem);
+ list_del(&session->list);
+ sh->count--;
+}
+
+static int luo_session_release(struct inode *inodep, struct file *filep)
+{
+ struct luo_session *session = filep->private_data;
+ struct luo_session_header *sh;
+
+ /* If retrieved is set, it means this session is from incoming list */
+ if (session->retrieved)
+ sh = &luo_session_global.incoming;
+ else
+ sh = &luo_session_global.outgoing;
+
+ luo_session_remove(sh, session);
+ luo_session_free(session);
+
+ return 0;
+}
+
+static const struct file_operations luo_session_fops = {
+ .owner = THIS_MODULE,
+ .release = luo_session_release,
+};
+
+/* Create a "struct file" for session */
+static int luo_session_getfile(struct luo_session *session, struct file **filep)
+{
+ char name_buf[128];
+ struct file *file;
+
+ guard(mutex)(&session->mutex);
+ snprintf(name_buf, sizeof(name_buf), "[luo_session] %s", session->name);
+ file = anon_inode_getfile(name_buf, &luo_session_fops, session, O_RDWR);
+ if (IS_ERR(file))
+ return PTR_ERR(file);
+
+ *filep = file;
+
+ return 0;
+}
+
+int luo_session_create(const char *name, struct file **filep)
+{
+ struct luo_session *session;
+ int err;
+
+ session = luo_session_alloc(name);
+ if (IS_ERR(session))
+ return PTR_ERR(session);
+
+ err = luo_session_insert(&luo_session_global.outgoing, session);
+ if (err)
+ goto err_free;
+
+ err = luo_session_getfile(session, filep);
+ if (err)
+ goto err_remove;
+
+ return 0;
+
+err_remove:
+ luo_session_remove(&luo_session_global.outgoing, session);
+err_free:
+ luo_session_free(session);
+
+ return err;
+}
+
+int luo_session_retrieve(const char *name, struct file **filep)
+{
+ struct luo_session_header *sh = &luo_session_global.incoming;
+ struct luo_session *session = NULL;
+ struct luo_session *it;
+ int err;
+
+ scoped_guard(rwsem_read, &sh->rwsem) {
+ list_for_each_entry(it, &sh->list, list) {
+ if (!strncmp(it->name, name, sizeof(it->name))) {
+ session = it;
+ break;
+ }
+ }
+ }
+
+ if (!session)
+ return -ENOENT;
+
+ scoped_guard(mutex, &session->mutex) {
+ if (session->retrieved)
+ return -EINVAL;
+ }
+
+ err = luo_session_getfile(session, filep);
+ if (!err) {
+ scoped_guard(mutex, &session->mutex)
+ session->retrieved = true;
+ }
+
+ return err;
+}
+
+int __init luo_session_setup_outgoing(void *fdt_out)
+{
+ struct luo_session_header_ser *header_ser;
+ u64 header_ser_pa;
+ int err;
+
+ header_ser = kho_alloc_preserve(LUO_SESSION_PGCNT << PAGE_SHIFT);
+ if (IS_ERR(header_ser))
+ return PTR_ERR(header_ser);
+ header_ser_pa = virt_to_phys(header_ser);
+
+ err = fdt_begin_node(fdt_out, LUO_FDT_SESSION_NODE_NAME);
+ err |= fdt_property_string(fdt_out, "compatible",
+ LUO_FDT_SESSION_COMPATIBLE);
+ err |= fdt_property(fdt_out, LUO_FDT_SESSION_HEADER, &header_ser_pa,
+ sizeof(header_ser_pa));
+ err |= fdt_end_node(fdt_out);
+
+ if (err)
+ goto err_unpreserve;
+
+ header_ser->pgcnt = LUO_SESSION_PGCNT;
+ INIT_LIST_HEAD(&luo_session_global.outgoing.list);
+ init_rwsem(&luo_session_global.outgoing.rwsem);
+ luo_session_global.outgoing.header_ser = header_ser;
+ luo_session_global.outgoing.ser = (void *)(header_ser + 1);
+ luo_session_global.outgoing.active = true;
+
+ return 0;
+
+err_unpreserve:
+ kho_unpreserve_free(header_ser);
+ return err;
+}
+
+int __init luo_session_setup_incoming(void *fdt_in)
+{
+ struct luo_session_header_ser *header_ser;
+ int err, header_size, offset;
+ u64 header_ser_pa;
+ const void *ptr;
+
+ offset = fdt_subnode_offset(fdt_in, 0, LUO_FDT_SESSION_NODE_NAME);
+ if (offset < 0) {
+ pr_err("Unable to get session node: [%s]\n",
+ LUO_FDT_SESSION_NODE_NAME);
+ return -EINVAL;
+ }
+
+ err = fdt_node_check_compatible(fdt_in, offset,
+ LUO_FDT_SESSION_COMPATIBLE);
+ if (err) {
+ pr_err("Session node incompatible [%s]\n",
+ LUO_FDT_SESSION_COMPATIBLE);
+ return -EINVAL;
+ }
+
+ header_size = 0;
+ ptr = fdt_getprop(fdt_in, offset, LUO_FDT_SESSION_HEADER, &header_size);
+ if (!ptr || header_size != sizeof(u64)) {
+ pr_err("Unable to get session header '%s' [%d]\n",
+ LUO_FDT_SESSION_HEADER, header_size);
+ return -EINVAL;
+ }
+
+ header_ser_pa = get_unaligned((u64 *)ptr);
+ header_ser = phys_to_virt(header_ser_pa);
+
+ luo_session_global.incoming.header_ser = header_ser;
+ luo_session_global.incoming.ser = (void *)(header_ser + 1);
+ INIT_LIST_HEAD(&luo_session_global.incoming.list);
+ init_rwsem(&luo_session_global.incoming.rwsem);
+ luo_session_global.incoming.active = true;
+
+ return 0;
+}
+
+bool luo_session_is_deserialized(void)
+{
+ return luo_session_global.deserialized;
+}
+
+int luo_session_deserialize(void)
+{
+ struct luo_session_header *sh = &luo_session_global.incoming;
+ int err;
+
+ if (luo_session_is_deserialized())
+ return 0;
+
+ luo_session_global.deserialized = true;
+ if (!sh->active) {
+ INIT_LIST_HEAD(&sh->list);
+ init_rwsem(&sh->rwsem);
+ return 0;
+ }
+
+ for (int i = 0; i < sh->header_ser->count; i++) {
+ struct luo_session *session;
+
+ session = luo_session_alloc(sh->ser[i].name);
+ if (IS_ERR(session)) {
+ pr_warn("Failed to allocate session [%s] during deserialization %pe\n",
+ sh->ser[i].name, session);
+ return PTR_ERR(session);
+ }
+
+ err = luo_session_insert(sh, session);
+ if (err) {
+ luo_session_free(session);
+ pr_warn("Failed to insert session [%s] %pe\n",
+ session->name, ERR_PTR(err));
+ return err;
+ }
+
+ session->count = sh->ser[i].count;
+ session->files = sh->ser[i].files ? phys_to_virt(sh->ser[i].files) : 0;
+ session->pgcnt = sh->ser[i].pgcnt;
+ }
+
+ kho_restore_free(sh->header_ser);
+ sh->header_ser = NULL;
+ sh->ser = NULL;
+
+ return 0;
+}
+
+int luo_session_serialize(void)
+{
+ struct luo_session_header *sh = &luo_session_global.outgoing;
+ struct luo_session *session;
+ int i = 0;
+
+ guard(rwsem_write)(&sh->rwsem);
+ list_for_each_entry(session, &sh->list, list) {
+ strscpy(sh->ser[i].name, session->name,
+ sizeof(sh->ser[i].name));
+ sh->ser[i].count = session->count;
+ sh->ser[i].files = session->files ? virt_to_phys(session->files) : 0;
+ sh->ser[i].pgcnt = session->pgcnt;
+ i++;
+ }
+ sh->header_ser->count = sh->count;
+
+ return 0;
+}
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 03/20] kexec: call liveupdate_reboot() before kexec
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
Modify the kernel_kexec() to call liveupdate_reboot().
This ensures that the Live Update Orchestrator is notified just
before the kernel executes the kexec jump. The liveupdate_reboot()
function triggers the final freeze event, allowing participating
FDs perform last-minute check or state saving within the blackout
window.
If liveupdate_reboot() returns an error (indicating a failure during
LUO finalization), the kexec operation is aborted to prevent proceeding
with an inconsistent state. An error is returned to user.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
kernel/kexec_core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index a8890dd03a1d..3122235c225b 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -15,6 +15,7 @@
#include <linux/kexec.h>
#include <linux/mutex.h>
#include <linux/list.h>
+#include <linux/liveupdate.h>
#include <linux/highmem.h>
#include <linux/syscalls.h>
#include <linux/reboot.h>
@@ -1145,6 +1146,10 @@ int kernel_kexec(void)
goto Unlock;
}
+ error = liveupdate_reboot();
+ if (error)
+ goto Unlock;
+
#ifdef CONFIG_KEXEC_JUMP
if (kexec_image->preserve_context) {
/*
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 02/20] liveupdate: luo_core: integrate with KHO
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
Integrate the LUO with the KHO framework to enable passing LUO state
across a kexec reboot.
When LUO is transitioned to a "prepared" state, it tells KHO to
finalize, so all memory segments that were added to KHO preservation
list are getting preserved. After "Prepared" state no new segments
can be preserved. If LUO is canceled, it also tells KHO to cancel the
serialization, and therefore, later LUO can go back into the prepared
state.
This patch introduces the following changes:
- During the KHO finalization phase allocate FDT blob.
- Populate this FDT with a LUO compatibility string ("luo-v1").
LUO now depends on `CONFIG_KEXEC_HANDOVER`. The core state transition
logic (`luo_do_*_calls`) remains unimplemented in this patch.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
include/linux/liveupdate/abi/luo.h | 54 ++++++++++
kernel/liveupdate/luo_core.c | 153 ++++++++++++++++++++++++++++-
2 files changed, 206 insertions(+), 1 deletion(-)
create mode 100644 include/linux/liveupdate/abi/luo.h
diff --git a/include/linux/liveupdate/abi/luo.h b/include/linux/liveupdate/abi/luo.h
new file mode 100644
index 000000000000..9483a294287f
--- /dev/null
+++ b/include/linux/liveupdate/abi/luo.h
@@ -0,0 +1,54 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+/**
+ * DOC: Live Update Orchestrator ABI
+ *
+ * This header defines the stable Application Binary Interface used by the
+ * Live Update Orchestrator to pass state from a pre-update kernel to a
+ * post-update kernel. The ABI is built upon the Kexec HandOver framework
+ * and uses a Flattened Device Tree to describe the preserved data.
+ *
+ * This interface is a contract. Any modification to the FDT structure, node
+ * properties, compatible strings, or the layout of the `__packed` serialization
+ * structures defined here constitutes a breaking change. Such changes require
+ * incrementing the version number in the relevant `_COMPATIBLE` string to
+ * prevent a new kernel from misinterpreting data from an old kernel.
+ *
+ * FDT Structure Overview:
+ * The entire LUO state is encapsulated within a single KHO entry named "LUO".
+ * This entry contains an FDT with the following layout:
+ *
+ * .. code-block:: none
+ *
+ * / {
+ * compatible = "luo-v1";
+ * liveupdate-number = <...>;
+ * };
+ *
+ * Main LUO Node (/):
+ *
+ * - compatible: "luo-v1"
+ * Identifies the overall LUO ABI version.
+ * - liveupdate-number: u64
+ * A counter tracking the number of successful live updates performed.
+ */
+
+#ifndef _LINUX_LIVEUPDATE_ABI_LUO_H
+#define _LINUX_LIVEUPDATE_ABI_LUO_H
+
+/*
+ * The LUO FDT hooks all LUO state for sessions, fds, etc.
+ * In the root it allso carries "liveupdate-number" 64-bit property that
+ * corresponds to the number of live-updates performed on this machine.
+ */
+#define LUO_FDT_SIZE PAGE_SIZE
+#define LUO_FDT_KHO_ENTRY_NAME "LUO"
+#define LUO_FDT_COMPATIBLE "luo-v1"
+#define LUO_FDT_LIVEUPDATE_NUM "liveupdate-number"
+
+#endif /* _LINUX_LIVEUPDATE_ABI_LUO_H */
diff --git a/kernel/liveupdate/luo_core.c b/kernel/liveupdate/luo_core.c
index 0e1ab19fa1cd..4a213b262b9f 100644
--- a/kernel/liveupdate/luo_core.c
+++ b/kernel/liveupdate/luo_core.c
@@ -42,11 +42,24 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/io.h>
+#include <linux/kexec_handover.h>
#include <linux/kobject.h>
+#include <linux/libfdt.h>
#include <linux/liveupdate.h>
+#include <linux/liveupdate/abi/luo.h>
+#include <linux/mm.h>
+#include <linux/sizes.h>
+#include <linux/string.h>
+#include <linux/unaligned.h>
+
+#include "kexec_handover_internal.h"
static struct {
bool enabled;
+ void *fdt_out;
+ void *fdt_in;
+ u64 liveupdate_num;
} luo_global;
static int __init early_liveupdate_param(char *buf)
@@ -55,6 +68,129 @@ static int __init early_liveupdate_param(char *buf)
}
early_param("liveupdate", early_liveupdate_param);
+static int __init luo_early_startup(void)
+{
+ phys_addr_t fdt_phys;
+ int err, ln_size;
+ const void *ptr;
+
+ if (!kho_is_enabled()) {
+ if (liveupdate_enabled())
+ pr_warn("Disabling liveupdate because KHO is disabled\n");
+ luo_global.enabled = false;
+ return 0;
+ }
+
+ /* Retrieve LUO subtree, and verify its format. */
+ err = kho_retrieve_subtree(LUO_FDT_KHO_ENTRY_NAME, &fdt_phys);
+ if (err) {
+ if (err != -ENOENT) {
+ pr_err("failed to retrieve FDT '%s' from KHO: %pe\n",
+ LUO_FDT_KHO_ENTRY_NAME, ERR_PTR(err));
+ return err;
+ }
+
+ return 0;
+ }
+
+ luo_global.fdt_in = phys_to_virt(fdt_phys);
+ err = fdt_node_check_compatible(luo_global.fdt_in, 0,
+ LUO_FDT_COMPATIBLE);
+ if (err) {
+ pr_err("FDT '%s' is incompatible with '%s' [%d]\n",
+ LUO_FDT_KHO_ENTRY_NAME, LUO_FDT_COMPATIBLE, err);
+
+ return -EINVAL;
+ }
+
+ ln_size = 0;
+ ptr = fdt_getprop(luo_global.fdt_in, 0, LUO_FDT_LIVEUPDATE_NUM,
+ &ln_size);
+ if (!ptr || ln_size != sizeof(luo_global.liveupdate_num)) {
+ pr_err("Unable to get live update number '%s' [%d]\n",
+ LUO_FDT_LIVEUPDATE_NUM, ln_size);
+
+ return -EINVAL;
+ }
+
+ luo_global.liveupdate_num = get_unaligned((u64 *)ptr);
+ pr_info("Retrieved live update data, liveupdate number: %lld\n",
+ luo_global.liveupdate_num);
+
+ return 0;
+}
+
+static int __init liveupdate_early_init(void)
+{
+ int err;
+
+ err = luo_early_startup();
+ if (err) {
+ pr_err("The incoming tree failed to initialize properly [%pe], disabling live update\n",
+ ERR_PTR(err));
+ luo_global.enabled = false;
+ }
+
+ return err;
+}
+early_initcall(liveupdate_early_init);
+
+/* Called during boot to create outgoing LUO fdt tree */
+static int __init luo_fdt_setup(void)
+{
+ const u64 ln = luo_global.liveupdate_num + 1;
+ void *fdt_out;
+ int err;
+
+ fdt_out = kho_alloc_preserve(LUO_FDT_SIZE);
+ if (IS_ERR(fdt_out)) {
+ pr_err("failed to allocate/preserve FDT memory\n");
+ return PTR_ERR(fdt_out);
+ }
+
+ err = fdt_create(fdt_out, LUO_FDT_SIZE);
+ err |= fdt_finish_reservemap(fdt_out);
+ err |= fdt_begin_node(fdt_out, "");
+ err |= fdt_property_string(fdt_out, "compatible", LUO_FDT_COMPATIBLE);
+ err |= fdt_property(fdt_out, LUO_FDT_LIVEUPDATE_NUM, &ln, sizeof(ln));
+ err |= fdt_end_node(fdt_out);
+ err |= fdt_finish(fdt_out);
+ if (err)
+ goto exit_free;
+
+ err = kho_add_subtree(LUO_FDT_KHO_ENTRY_NAME, fdt_out);
+ if (err)
+ goto exit_free;
+ luo_global.fdt_out = fdt_out;
+
+ return 0;
+
+exit_free:
+ kho_unpreserve_free(fdt_out);
+ pr_err("failed to prepare LUO FDT: %d\n", err);
+
+ return err;
+}
+
+/*
+ * late initcall because it initializes the outgoing tree that is needed only
+ * once userspace starts using /dev/liveupdate.
+ */
+static int __init luo_late_startup(void)
+{
+ int err;
+
+ if (!liveupdate_enabled())
+ return 0;
+
+ err = luo_fdt_setup();
+ if (err)
+ luo_global.enabled = false;
+
+ return err;
+}
+late_initcall(luo_late_startup);
+
/* Public Functions */
/**
@@ -69,7 +205,22 @@ early_param("liveupdate", early_liveupdate_param);
*/
int liveupdate_reboot(void)
{
- return 0;
+ int err;
+
+ if (!liveupdate_enabled())
+ return 0;
+
+ err = kho_finalize();
+ if (err) {
+ pr_err("kho_finalize failed %d\n", err);
+ /*
+ * kho_finalize() may return libfdt errors, to aboid passing to
+ * userspace unknown errors, change this to EAGAIN.
+ */
+ err = -EAGAIN;
+ }
+
+ return err;
}
/**
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 01/20] liveupdate: luo_core: luo_ioctl: Live Update Orchestrator
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
In-Reply-To: <20251115233409.768044-1-pasha.tatashin@soleen.com>
Introduce LUO, a mechanism intended to facilitate kernel updates while
keeping designated devices operational across the transition (e.g., via
kexec). The primary use case is updating hypervisors with minimal
disruption to running virtual machines. For userspace side of hypervisor
update we have copyless migration. LUO is for updating the kernel.
This initial patch lays the groundwork for the LUO subsystem.
Further functionality, including the implementation of state transition
logic, integration with KHO, and hooks for subsystems and file
descriptors, will be added in subsequent patches.
Create a character device at /dev/liveupdate.
A new uAPI header, <uapi/linux/liveupdate.h>, will define the necessary
structures. The magic number for IOCTL is registered in
Documentation/userspace-api/ioctl/ioctl-number.rst.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
.../userspace-api/ioctl/ioctl-number.rst | 2 +
include/linux/liveupdate.h | 35 ++++++++
include/uapi/linux/liveupdate.h | 46 ++++++++++
kernel/liveupdate/Kconfig | 27 ++++++
kernel/liveupdate/Makefile | 6 ++
kernel/liveupdate/luo_core.c | 86 +++++++++++++++++++
kernel/liveupdate/luo_ioctl.c | 45 ++++++++++
7 files changed, 247 insertions(+)
create mode 100644 include/linux/liveupdate.h
create mode 100644 include/uapi/linux/liveupdate.h
create mode 100644 kernel/liveupdate/luo_core.c
create mode 100644 kernel/liveupdate/luo_ioctl.c
diff --git a/Documentation/userspace-api/ioctl/ioctl-number.rst b/Documentation/userspace-api/ioctl/ioctl-number.rst
index 7c527a01d1cf..7232b3544cec 100644
--- a/Documentation/userspace-api/ioctl/ioctl-number.rst
+++ b/Documentation/userspace-api/ioctl/ioctl-number.rst
@@ -385,6 +385,8 @@ Code Seq# Include File Comments
0xB8 01-02 uapi/misc/mrvl_cn10k_dpi.h Marvell CN10K DPI driver
0xB8 all uapi/linux/mshv.h Microsoft Hyper-V /dev/mshv driver
<mailto:linux-hyperv@vger.kernel.org>
+0xBA 00-0F uapi/linux/liveupdate.h Pasha Tatashin
+ <mailto:pasha.tatashin@soleen.com>
0xC0 00-0F linux/usb/iowarrior.h
0xCA 00-0F uapi/misc/cxl.h Dead since 6.15
0xCA 10-2F uapi/misc/ocxl.h
diff --git a/include/linux/liveupdate.h b/include/linux/liveupdate.h
new file mode 100644
index 000000000000..730b76625fec
--- /dev/null
+++ b/include/linux/liveupdate.h
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+#ifndef _LINUX_LIVEUPDATE_H
+#define _LINUX_LIVEUPDATE_H
+
+#include <linux/bug.h>
+#include <linux/types.h>
+#include <linux/list.h>
+
+#ifdef CONFIG_LIVEUPDATE
+
+/* Return true if live update orchestrator is enabled */
+bool liveupdate_enabled(void);
+
+/* Called during kexec to tell LUO that entered into reboot */
+int liveupdate_reboot(void);
+
+#else /* CONFIG_LIVEUPDATE */
+
+static inline bool liveupdate_enabled(void)
+{
+ return false;
+}
+
+static inline int liveupdate_reboot(void)
+{
+ return 0;
+}
+
+#endif /* CONFIG_LIVEUPDATE */
+#endif /* _LINUX_LIVEUPDATE_H */
diff --git a/include/uapi/linux/liveupdate.h b/include/uapi/linux/liveupdate.h
new file mode 100644
index 000000000000..df34c1642c4d
--- /dev/null
+++ b/include/uapi/linux/liveupdate.h
@@ -0,0 +1,46 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+
+/*
+ * Userspace interface for /dev/liveupdate
+ * Live Update Orchestrator
+ *
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+#ifndef _UAPI_LIVEUPDATE_H
+#define _UAPI_LIVEUPDATE_H
+
+#include <linux/ioctl.h>
+#include <linux/types.h>
+
+/**
+ * DOC: General ioctl format
+ *
+ * The ioctl interface follows a general format to allow for extensibility. Each
+ * ioctl is passed in a structure pointer as the argument providing the size of
+ * the structure in the first u32. The kernel checks that any structure space
+ * beyond what it understands is 0. This allows userspace to use the backward
+ * compatible portion while consistently using the newer, larger, structures.
+ *
+ * ioctls use a standard meaning for common errnos:
+ *
+ * - ENOTTY: The IOCTL number itself is not supported at all
+ * - E2BIG: The IOCTL number is supported, but the provided structure has
+ * non-zero in a part the kernel does not understand.
+ * - EOPNOTSUPP: The IOCTL number is supported, and the structure is
+ * understood, however a known field has a value the kernel does not
+ * understand or support.
+ * - EINVAL: Everything about the IOCTL was understood, but a field is not
+ * correct.
+ * - ENOENT: A provided token does not exist.
+ * - ENOMEM: Out of memory.
+ * - EOVERFLOW: Mathematics overflowed.
+ *
+ * As well as additional errnos, within specific ioctls.
+ */
+
+/* The ioctl type, documented in ioctl-number.rst */
+#define LIVEUPDATE_IOCTL_TYPE 0xBA
+
+#endif /* _UAPI_LIVEUPDATE_H */
diff --git a/kernel/liveupdate/Kconfig b/kernel/liveupdate/Kconfig
index a973a54447de..90857dccb359 100644
--- a/kernel/liveupdate/Kconfig
+++ b/kernel/liveupdate/Kconfig
@@ -1,4 +1,10 @@
# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (c) 2025, Google LLC.
+# Pasha Tatashin <pasha.tatashin@soleen.com>
+#
+# Live Update Orchestrator
+#
menu "Live Update and Kexec HandOver"
depends on !DEFERRED_STRUCT_PAGE_INIT
@@ -51,4 +57,25 @@ config KEXEC_HANDOVER_ENABLE_DEFAULT
The default behavior can still be overridden at boot time by
passing 'kho=off'.
+config LIVEUPDATE
+ bool "Live Update Orchestrator"
+ depends on KEXEC_HANDOVER
+ help
+ Enable the Live Update Orchestrator. Live Update is a mechanism,
+ typically based on kexec, that allows the kernel to be updated
+ while keeping selected devices operational across the transition.
+ These devices are intended to be reclaimed by the new kernel and
+ re-attached to their original workload without requiring a device
+ reset.
+
+ Ability to handover a device from current to the next kernel depends
+ on specific support within device drivers and related kernel
+ subsystems.
+
+ This feature primarily targets virtual machine hosts to quickly update
+ the kernel hypervisor with minimal disruption to the running virtual
+ machines.
+
+ If unsure, say N.
+
endmenu
diff --git a/kernel/liveupdate/Makefile b/kernel/liveupdate/Makefile
index f52ce1ebcf86..413722002b7a 100644
--- a/kernel/liveupdate/Makefile
+++ b/kernel/liveupdate/Makefile
@@ -1,5 +1,11 @@
# SPDX-License-Identifier: GPL-2.0
+luo-y := \
+ luo_core.o \
+ luo_ioctl.o
+
obj-$(CONFIG_KEXEC_HANDOVER) += kexec_handover.o
obj-$(CONFIG_KEXEC_HANDOVER_DEBUG) += kexec_handover_debug.o
obj-$(CONFIG_KEXEC_HANDOVER_DEBUGFS) += kexec_handover_debugfs.o
+
+obj-$(CONFIG_LIVEUPDATE) += luo.o
diff --git a/kernel/liveupdate/luo_core.c b/kernel/liveupdate/luo_core.c
new file mode 100644
index 000000000000..0e1ab19fa1cd
--- /dev/null
+++ b/kernel/liveupdate/luo_core.c
@@ -0,0 +1,86 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+/**
+ * DOC: Live Update Orchestrator (LUO)
+ *
+ * Live Update is a specialized, kexec-based reboot process that allows a
+ * running kernel to be updated from one version to another while preserving
+ * the state of selected resources and keeping designated hardware devices
+ * operational. For these devices, DMA activity may continue throughout the
+ * kernel transition.
+ *
+ * While the primary use case driving this work is supporting live updates of
+ * the Linux kernel when it is used as a hypervisor in cloud environments, the
+ * LUO framework itself is designed to be workload-agnostic. Much like Kernel
+ * Live Patching, which applies security fixes regardless of the workload,
+ * Live Update facilitates a full kernel version upgrade for any type of system.
+ *
+ * For example, a non-hypervisor system running an in-memory cache like
+ * memcached with many gigabytes of data can use LUO. The userspace service
+ * can place its cache into a memfd, have its state preserved by LUO, and
+ * restore it immediately after the kernel kexec.
+ *
+ * Whether the system is running virtual machines, containers, a
+ * high-performance database, or networking services, LUO's primary goal is to
+ * enable a full kernel update by preserving critical userspace state and
+ * keeping essential devices operational.
+ *
+ * The core of LUO is a mechanism that tracks the progress of a live update,
+ * along with a callback API that allows other kernel subsystems to participate
+ * in the process. Example subsystems that can hook into LUO include: kvm,
+ * iommu, interrupts, vfio, participating filesystems, and memory management.
+ *
+ * LUO uses Kexec Handover to transfer memory state from the current kernel to
+ * the next kernel. For more details see
+ * Documentation/core-api/kho/concepts.rst.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/kobject.h>
+#include <linux/liveupdate.h>
+
+static struct {
+ bool enabled;
+} luo_global;
+
+static int __init early_liveupdate_param(char *buf)
+{
+ return kstrtobool(buf, &luo_global.enabled);
+}
+early_param("liveupdate", early_liveupdate_param);
+
+/* Public Functions */
+
+/**
+ * liveupdate_reboot() - Kernel reboot notifier for live update final
+ * serialization.
+ *
+ * This function is invoked directly from the reboot() syscall pathway
+ * if kexec is in progress.
+ *
+ * If any callback fails, this function aborts KHO, undoes the freeze()
+ * callbacks, and returns an error.
+ */
+int liveupdate_reboot(void)
+{
+ return 0;
+}
+
+/**
+ * liveupdate_enabled - Check if the live update feature is enabled.
+ *
+ * This function returns the state of the live update feature flag, which
+ * can be controlled via the ``liveupdate`` kernel command-line parameter.
+ *
+ * @return true if live update is enabled, false otherwise.
+ */
+bool liveupdate_enabled(void)
+{
+ return luo_global.enabled;
+}
diff --git a/kernel/liveupdate/luo_ioctl.c b/kernel/liveupdate/luo_ioctl.c
new file mode 100644
index 000000000000..44d365185f7c
--- /dev/null
+++ b/kernel/liveupdate/luo_ioctl.c
@@ -0,0 +1,45 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+#include <linux/liveupdate.h>
+#include <linux/miscdevice.h>
+
+struct luo_device_state {
+ struct miscdevice miscdev;
+};
+
+static const struct file_operations luo_fops = {
+ .owner = THIS_MODULE,
+};
+
+static struct luo_device_state luo_dev = {
+ .miscdev = {
+ .minor = MISC_DYNAMIC_MINOR,
+ .name = "liveupdate",
+ .fops = &luo_fops,
+ },
+};
+
+static int __init liveupdate_ioctl_init(void)
+{
+ if (!liveupdate_enabled())
+ return 0;
+
+ return misc_register(&luo_dev.miscdev);
+}
+module_init(liveupdate_ioctl_init);
+
+static void __exit liveupdate_exit(void)
+{
+ misc_deregister(&luo_dev.miscdev);
+}
+module_exit(liveupdate_exit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Pasha Tatashin");
+MODULE_DESCRIPTION("Live Update Orchestrator");
+MODULE_VERSION("0.1");
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply related
* [PATCH v6 00/20] Live Update Orchestrator
From: Pasha Tatashin @ 2025-11-15 23:33 UTC (permalink / raw)
To: pratyush, jasonmiu, graf, pasha.tatashin, rppt, dmatlack,
rientjes, corbet, rdunlap, ilpo.jarvinen, kanie, ojeda, aliceryhl,
masahiroy, akpm, tj, yoann.congal, mmaurer, roman.gushchin,
chenridong, axboe, mark.rutland, jannh, vincent.guittot, hannes,
dan.j.williams, david, joel.granados, rostedt, anna.schumaker,
song, linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx,
mingo, bp, dave.hansen, x86, hpa, rafael, dakr,
bartosz.golaszewski, cw00.choi, myungjoo.ham, yesanishhere,
Jonathan.Cameron, quic_zijuhu, aleksander.lobakin, ira.weiny,
andriy.shevchenko, leon, lukas, bhelgaas, wagi, djeffery,
stuart.w.hayes, ptyadav, lennart, brauner, linux-api,
linux-fsdevel, saeedm, ajayachandra, jgg, parav, leonro, witu,
hughd, skhawaja, chrisl
This series introduces the Live Update Orchestrator, a kernel subsystem
designed to facilitate live kernel updates using a kexec-based reboot.
This capability is critical for cloud environments, allowing hypervisors
to be updated with minimal downtime for running virtual machines. LUO
achieves this by preserving the state of selected resources, such as
memory, devices and their dependencies, across the kernel transition.
As a key feature, this series includes support for preserving memfd file
descriptors, which allows critical in-memory data, such as guest RAM or
any other large memory region, to be maintained in RAM across the kexec
reboot.
The other series that use LUO, are VFIO [1], IOMMU [2], and PCI [3]
preservations.
Github repo of this series [4].
The core of LUO is a framework for managing the lifecycle of preserved
resources through a userspace-driven interface. Key features include:
- Session Management
Userspace agent (i.e. luod [5]) creates named sessions, each
represented by a file descriptor (via centralized agent that controls
/dev/liveupdate). The lifecycle of all preserved resources within a
session is tied to this FD, ensuring automatic kernel cleanup if the
controlling userspace agent crashes or exits unexpectedly.
- File Preservation
A handler-based framework allows specific file types (demonstrated
here with memfd) to be preserved. Handlers manage the serialization,
restoration, and lifecycle of their specific file types.
- File-Lifecycle-Bound State
A new mechanism for managing shared global state whose lifecycle is
tied to the preservation of one or more files. This is crucial for
subsystems like IOMMU or HugeTLB, where multiple file descriptors may
depend on a single, shared underlying resource that must be preserved
only once.
- KHO Integration
LUO drives the Kexec Handover framework programmatically to pass its
serialized metadata to the next kernel. The LUO state is finalized and
added to the kexec image just before the reboot is triggered. In the
future this step will also be removed once stateless KHO is
merged [6].
- Userspace Interface
Control is provided via ioctl commands on /dev/liveupdate for creating
and retrieving sessions, as well as on session file descriptors for
managing individual files.
- Testing
The series includes a set of selftests, including userspace API
validation, kexec-based lifecycle tests for various session and file
scenarios, and a new in-kernel test module to validate the FLB logic.
Changelog since v5 [7]
- Moved internal luo_alloc/free_* memory helpers to generic
kho_alloc/free_* APIs, and submitted as a separate KHO series [8].
- Moved the liveupdate_reboot() invocation from kernel/reboot.c to
kernel_kexec() in kernel/kexec_core.c.
- Moved generic KHO enabling patches (debugfs, kimage logic) out of this
series and into the base KHO series.
- Feedback: Addressed review comments from Mike Rapoport and Pratyush
Yadav.
[1] https://lore.kernel.org/all/20251018000713.677779-1-vipinsh@google.com/
[2] https://lore.kernel.org/linux-iommu/20250928190624.3735830-1-skhawaja@google.com
[3] https://lore.kernel.org/linux-pci/20250916-luo-pci-v2-0-c494053c3c08@kernel.org
[4] https://github.com/googleprodkernel/linux-liveupdate/tree/luo/v6
[5] https://tinyurl.com/luoddesign
[6] https://lore.kernel.org/all/20251020100306.2709352-1-jasonmiu@google.com
[7] https://lore.kernel.org/all/20251107210526.257742-1-pasha.tatashin@soleen.com
[8] https://lore.kernel.org/all/20251114190002.3311679-1-pasha.tatashin@soleen.com
Pasha Tatashin (14):
liveupdate: luo_core: luo_ioctl: Live Update Orchestrator
liveupdate: luo_core: integrate with KHO
kexec: call liveupdate_reboot() before kexec
liveupdate: luo_session: add sessions support
liveupdate: luo_ioctl: add user interface
liveupdate: luo_file: implement file systems callbacks
liveupdate: luo_session: Add ioctls for file preservation
liveupdate: luo_flb: Introduce File-Lifecycle-Bound global state
docs: add luo documentation
MAINTAINERS: add liveupdate entry
selftests/liveupdate: Add userspace API selftests
selftests/liveupdate: Add kexec-based selftest for session lifecycle
selftests/liveupdate: Add kexec test for multiple and empty sessions
tests/liveupdate: Add in-kernel liveupdate test
Pratyush Yadav (6):
mm: shmem: use SHMEM_F_* flags instead of VM_* flags
mm: shmem: allow freezing inode mapping
mm: shmem: export some functions to internal.h
liveupdate: luo_file: add private argument to store runtime state
mm: memfd_luo: allow preserving memfd
docs: add documentation for memfd preservation via LUO
Documentation/core-api/index.rst | 1 +
Documentation/core-api/liveupdate.rst | 71 ++
Documentation/mm/index.rst | 1 +
Documentation/mm/memfd_preservation.rst | 23 +
Documentation/userspace-api/index.rst | 1 +
.../userspace-api/ioctl/ioctl-number.rst | 2 +
Documentation/userspace-api/liveupdate.rst | 20 +
MAINTAINERS | 15 +
include/linux/liveupdate.h | 265 +++++
include/linux/liveupdate/abi/luo.h | 238 +++++
include/linux/liveupdate/abi/memfd.h | 88 ++
include/linux/shmem_fs.h | 23 +
include/uapi/linux/liveupdate.h | 216 +++++
kernel/kexec_core.c | 5 +
kernel/liveupdate/Kconfig | 27 +
kernel/liveupdate/Makefile | 9 +
kernel/liveupdate/luo_core.c | 252 +++++
kernel/liveupdate/luo_file.c | 906 ++++++++++++++++++
kernel/liveupdate/luo_flb.c | 658 +++++++++++++
kernel/liveupdate/luo_internal.h | 95 ++
kernel/liveupdate/luo_ioctl.c | 223 +++++
kernel/liveupdate/luo_session.c | 600 ++++++++++++
lib/Kconfig.debug | 23 +
lib/tests/Makefile | 1 +
lib/tests/liveupdate.c | 143 +++
mm/Makefile | 1 +
mm/internal.h | 6 +
mm/memfd_luo.c | 671 +++++++++++++
mm/shmem.c | 50 +-
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/liveupdate/.gitignore | 3 +
tools/testing/selftests/liveupdate/Makefile | 40 +
tools/testing/selftests/liveupdate/config | 5 +
.../testing/selftests/liveupdate/do_kexec.sh | 16 +
.../testing/selftests/liveupdate/liveupdate.c | 348 +++++++
.../selftests/liveupdate/luo_kexec_simple.c | 114 +++
.../selftests/liveupdate/luo_multi_session.c | 190 ++++
.../selftests/liveupdate/luo_test_utils.c | 168 ++++
.../selftests/liveupdate/luo_test_utils.h | 39 +
39 files changed, 5539 insertions(+), 19 deletions(-)
create mode 100644 Documentation/core-api/liveupdate.rst
create mode 100644 Documentation/mm/memfd_preservation.rst
create mode 100644 Documentation/userspace-api/liveupdate.rst
create mode 100644 include/linux/liveupdate.h
create mode 100644 include/linux/liveupdate/abi/luo.h
create mode 100644 include/linux/liveupdate/abi/memfd.h
create mode 100644 include/uapi/linux/liveupdate.h
create mode 100644 kernel/liveupdate/luo_core.c
create mode 100644 kernel/liveupdate/luo_file.c
create mode 100644 kernel/liveupdate/luo_flb.c
create mode 100644 kernel/liveupdate/luo_internal.h
create mode 100644 kernel/liveupdate/luo_ioctl.c
create mode 100644 kernel/liveupdate/luo_session.c
create mode 100644 lib/tests/liveupdate.c
create mode 100644 mm/memfd_luo.c
create mode 100644 tools/testing/selftests/liveupdate/.gitignore
create mode 100644 tools/testing/selftests/liveupdate/Makefile
create mode 100644 tools/testing/selftests/liveupdate/config
create mode 100755 tools/testing/selftests/liveupdate/do_kexec.sh
create mode 100644 tools/testing/selftests/liveupdate/liveupdate.c
create mode 100644 tools/testing/selftests/liveupdate/luo_kexec_simple.c
create mode 100644 tools/testing/selftests/liveupdate/luo_multi_session.c
create mode 100644 tools/testing/selftests/liveupdate/luo_test_utils.c
create mode 100644 tools/testing/selftests/liveupdate/luo_test_utils.h
--
2.52.0.rc1.455.g30608eb744-goog
^ permalink raw reply
* Re: RFC: Serial port DTR/RTS - O_<something>
From: H. Peter Anvin @ 2025-11-15 22:29 UTC (permalink / raw)
To: Ned Ulbricht, Maciej W. Rozycki
Cc: Greg KH, Theodore Ts'o, Maarten Brock,
linux-serial@vger.kernel.org, linux-api@vger.kernel.org, LKML
In-Reply-To: <6c26eea2-6f90-f48a-9488-e7480f086c70@netscape.net>
On 2025-11-15 13:29, Ned Ulbricht wrote:
> On 11/14/25 10:53, H. Peter Anvin wrote:
>> On November 14, 2025 10:49:09 AM PST, "Maciej W. Rozycki"
>> <macro@orcam.me.uk> wrote:
>>> On Thu, 13 Nov 2025, H. Peter Anvin wrote:
>>>
>>>>> I think this is going to be the most difficult. I don't remember why I
>>>>> rejected the old submission, but maybe it would have modified the
>>>>> existing behaviour? A new open flag "O_DO_NOT_TOUCH_ANYTHING" might be
>>>>> the simplest?
>>>>>
>>>>
>>>> Okay, to I'm going to toss out a couple suggestions for naming:
>>>>
>>>> O_(PRE|FOR|N|NO)?(INIT|CONFIG|START)(DEV|HW|IO)?
>>>> O_(NO?RESET|PREPARE)(DEV|HW|IO)?
>>>> O_NO?TOUCH
>>>> O_NYET ("not yet")
>>>>
>>>> I think my personal preference at the moment is either O_NYET or O_PRECONFIG
>>>> or O_NYET; although it is perhaps a bit more "use case centric" than "what
>>>> actual effect it has" I think it might be clearer. A -DEV, -HW or -IO suffix
>>>> would seem to needlessly preclude it being used for future similar use cases
>>>> for files that are not device nodes.
>>>
>>> Hmm, I'm inconvinced about any of these.
>>>
>>> How about O_FDONLY, to reflect that you are after a file descriptor only
>>> [snip]
>
> Hi all,
>
> Resurrecting a (private email) discussion from a few years back now, my
> personal preferences are:
> (1) O_KEEP
> (2) O_TTY_KEEP
> (3) O_TTY_NOINIT.
>
> (Of course, naming an open() flag has got to be a paradigmatic
> invitation for bike-shedding...)
>
> It's worth pointing out, though, that even though O_TTY_INIT doesn't
> generally appear in linux headers, that particular flag is documented in
> POSIX to have at least incompatible --perhaps even strictly opposite--
> behavior compared with this new proposed flag.
>
I dislike O_TTY_* because restricts it to the TTY use case.
-hpa
^ permalink raw reply
* Re: RFC: Serial port DTR/RTS - O_<something>
From: Ned Ulbricht @ 2025-11-15 21:29 UTC (permalink / raw)
To: H. Peter Anvin, Maciej W. Rozycki
Cc: Greg KH, Theodore Ts'o, Maarten Brock,
linux-serial@vger.kernel.org, linux-api@vger.kernel.org, LKML
In-Reply-To: <B72D6F71-7C0B-4C5A-8866-25D7946E0932@zytor.com>
On 11/14/25 10:53, H. Peter Anvin wrote:
> On November 14, 2025 10:49:09 AM PST, "Maciej W. Rozycki" <macro@orcam.me.uk> wrote:
>> On Thu, 13 Nov 2025, H. Peter Anvin wrote:
>>
>>>> I think this is going to be the most difficult. I don't remember why I
>>>> rejected the old submission, but maybe it would have modified the
>>>> existing behaviour? A new open flag "O_DO_NOT_TOUCH_ANYTHING" might be
>>>> the simplest?
>>>>
>>>
>>> Okay, to I'm going to toss out a couple suggestions for naming:
>>>
>>> O_(PRE|FOR|N|NO)?(INIT|CONFIG|START)(DEV|HW|IO)?
>>> O_(NO?RESET|PREPARE)(DEV|HW|IO)?
>>> O_NO?TOUCH
>>> O_NYET ("not yet")
>>>
>>> I think my personal preference at the moment is either O_NYET or O_PRECONFIG
>>> or O_NYET; although it is perhaps a bit more "use case centric" than "what
>>> actual effect it has" I think it might be clearer. A -DEV, -HW or -IO suffix
>>> would seem to needlessly preclude it being used for future similar use cases
>>> for files that are not device nodes.
>>
>> Hmm, I'm inconvinced about any of these.
>>
>> How about O_FDONLY, to reflect that you are after a file descriptor only [snip]
Hi all,
Resurrecting a (private email) discussion from a few years back now, my
personal preferences are:
(1) O_KEEP
(2) O_TTY_KEEP
(3) O_TTY_NOINIT.
(Of course, naming an open() flag has got to be a paradigmatic
invitation for bike-shedding...)
It's worth pointing out, though, that even though O_TTY_INIT doesn't
generally appear in linux headers, that particular flag is documented in
POSIX to have at least incompatible --perhaps even strictly opposite--
behavior compared with this new proposed flag.
See The Open Group Base Specifications Issue 8 (IEEE Std 1003.1-2024):
| 11.1.1 Opening a Terminal Device File
|
| 3. ... The terminal parameters can be set to values that ensure the
| terminal behaves in a conforming manner by means of the O_TTY_INIT
| open flag....
https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/V1_chap11.html
| open, openat — open file
|
| O_TTY_INIT
https://pubs.opengroup.org/onlinepubs/9799919799/
That's what motivates my first-glance preference to name this new flag,
which will have approximately opposite behavior, as O_TTY_NOINIT.
But as a generic abstraction, I more prefer O_KEEP.
Ned
^ permalink raw reply
* Re: RFC: Serial port DTR/RTS - O_<something>
From: H. Peter Anvin @ 2025-11-14 18:53 UTC (permalink / raw)
To: Maciej W. Rozycki
Cc: Greg KH, Theodore Ts'o, Maarten Brock,
linux-serial@vger.kernel.org, linux-api@vger.kernel.org, LKML
In-Reply-To: <alpine.DEB.2.21.2511141836130.47194@angie.orcam.me.uk>
On November 14, 2025 10:49:09 AM PST, "Maciej W. Rozycki" <macro@orcam.me.uk> wrote:
>On Thu, 13 Nov 2025, H. Peter Anvin wrote:
>
>> > I think this is going to be the most difficult. I don't remember why I
>> > rejected the old submission, but maybe it would have modified the
>> > existing behaviour? A new open flag "O_DO_NOT_TOUCH_ANYTHING" might be
>> > the simplest?
>> >
>>
>> Okay, to I'm going to toss out a couple suggestions for naming:
>>
>> O_(PRE|FOR|N|NO)?(INIT|CONFIG|START)(DEV|HW|IO)?
>> O_(NO?RESET|PREPARE)(DEV|HW|IO)?
>> O_NO?TOUCH
>> O_NYET ("not yet")
>>
>> I think my personal preference at the moment is either O_NYET or O_PRECONFIG
>> or O_NYET; although it is perhaps a bit more "use case centric" than "what
>> actual effect it has" I think it might be clearer. A -DEV, -HW or -IO suffix
>> would seem to needlessly preclude it being used for future similar use cases
>> for files that are not device nodes.
>
> Hmm, I'm inconvinced about any of these.
>
> How about O_FDONLY, to reflect that you are after a file descriptor only
>with no further actions at open time while avoiding the ambiguity of names
>such as CONFIG vs NOCONFIG or speaking more broadly implying any specific
>intent of use at all such as with CONFIG/INIT/PREPARE/RESET/whatever?
>
> I think O_FDONLY is concise, easy to spell/say/remember, and fits the
>purpose. Your call!
>
> Maciej
Overlaps too much with O_PATH, and implies that communication isn't possible *after* device-dependent setup.
^ permalink raw reply
* Re: RFC: Serial port DTR/RTS - O_<something>
From: Maciej W. Rozycki @ 2025-11-14 18:49 UTC (permalink / raw)
To: H. Peter Anvin
Cc: Greg KH, Theodore Ts'o, Maarten Brock,
linux-serial@vger.kernel.org, linux-api@vger.kernel.org, LKML
In-Reply-To: <14b1bc5c-83ac-431f-a53b-14872024b969@zytor.com>
On Thu, 13 Nov 2025, H. Peter Anvin wrote:
> > I think this is going to be the most difficult. I don't remember why I
> > rejected the old submission, but maybe it would have modified the
> > existing behaviour? A new open flag "O_DO_NOT_TOUCH_ANYTHING" might be
> > the simplest?
> >
>
> Okay, to I'm going to toss out a couple suggestions for naming:
>
> O_(PRE|FOR|N|NO)?(INIT|CONFIG|START)(DEV|HW|IO)?
> O_(NO?RESET|PREPARE)(DEV|HW|IO)?
> O_NO?TOUCH
> O_NYET ("not yet")
>
> I think my personal preference at the moment is either O_NYET or O_PRECONFIG
> or O_NYET; although it is perhaps a bit more "use case centric" than "what
> actual effect it has" I think it might be clearer. A -DEV, -HW or -IO suffix
> would seem to needlessly preclude it being used for future similar use cases
> for files that are not device nodes.
Hmm, I'm inconvinced about any of these.
How about O_FDONLY, to reflect that you are after a file descriptor only
with no further actions at open time while avoiding the ambiguity of names
such as CONFIG vs NOCONFIG or speaking more broadly implying any specific
intent of use at all such as with CONFIG/INIT/PREPARE/RESET/whatever?
I think O_FDONLY is concise, easy to spell/say/remember, and fits the
purpose. Your call!
Maciej
^ permalink raw reply
* [PATCH 2/2] man/man7/ip.7: Reword IP_PKTINFO's description
From: Jakub Głogowski @ 2025-11-14 14:29 UTC (permalink / raw)
To: Alejandro Colomar; +Cc: Jakub Głogowski, linux-man, LKML, Linux API, ej
In-Reply-To: <cover.1763130571.git.not@dzwdz.net>
I've heavily cut down the first paragraph (which wasn't really saying
anything), and emphasized the difference between how recvmsg(2) and
sendmsg(2) treat this struct.
"This works only for datagram oriented sockets" is redundant with
"Not supported for SOCK_STREAM", and the mention of sendmsg(2) was moved
down.
I called it a boolean option because that's how these were introduced at
the start of the section.
I've tried rewording ipi_spec_dst's effect on sendmsg to be a bit more
clear.
The only piece of new information which this adds is that you can use
the structure returned by recvmsg with sendmsg, which directly follows
from the preceding text.
RFC 3542, Section 6, directly calls out this usecase for in6_pktinfo:
> Some UDP servers want to respond to client
> requests by sending their reply out the same interface on which the
> request was received and with the source IPv6 address of the reply
> equal to the destination IPv6 address of the request. To do this the
> application can enable just the IPV6_RECVPKTINFO socket option and
> then use the received control information from recvmsg() as the
> outgoing control information for sendmsg(). The application need not
> examine or modify the in6_pktinfo structure at all.
I'm not sure if this is the best place to document this, as the sendmsg
behavior is unrelated to the IP_PKTINFO sockopt at all. Maybe some of
the control messages should be broken out to another manpage?
Signed-off-by: Jakub Głogowski <not@dzwdz.net>
---
man/man7/ip.7 | 49 +++++++++++++++++++++----------------------------
1 file changed, 21 insertions(+), 28 deletions(-)
diff --git a/man/man7/ip.7 b/man/man7/ip.7
index a7f118b42..aa2508bc7 100644
--- a/man/man7/ip.7
+++ b/man/man7/ip.7
@@ -783,20 +783,13 @@ .SS Socket options
.TP
.BR IP_PKTINFO " (since Linux 2.2)"
.\" Precisely: since Linux 2.1.68
-Pass an
-.B IP_PKTINFO
-ancillary message that contains a
-.I pktinfo
-structure that supplies some information about the incoming packet.
-This works only for datagram oriented sockets.
-The argument is a flag that tells the socket whether the
-.B IP_PKTINFO
-message should be passed or not.
-The message itself can be sent/retrieved
-only as a control message with a packet using
+If this boolean option is enabled,
.BR recvmsg (2)
-or
-.BR sendmsg (2).
+outputs an
+.B IP_PKTINFO
+ancillary message containing an
+.I in_pktinfo
+structure.
.IP
.in +4n
.EX
@@ -809,37 +802,37 @@ .SS Socket options
.EE
.in
.IP
-When returned by
-.BR recvmsg (2) ,
+In this context,
.I ipi_ifindex
is the unique index of the interface the packet was received on.
.I ipi_spec_dst
is the preferred source address for replies to the given packet, and
.I ipi_addr
-is the destination address in the packet header.
+is the destination address from the packet header.
These addresses are usually the same,
but can differ for broadcast or multicast packets.
Note that, depending on the configured routes,
.I ipi_spec_dst
might belong to a different interface from the one that received the packet.
.IP
-If
-.B IP_PKTINFO
-is passed to
-.BR sendmsg (2)
-and
+This structure can also be passed as an ancillary message to
+.BR sendmsg (2) .
+In that case,
.\" This field is grossly misnamed
.I ipi_spec_dst
-is not zero, then it is used as the local source address, for the routing
-table lookup, and for setting up IP source route options.
-When
+is used as the local source address
+(if non-zero),
+including for the purposes of setting up IP source route options.
+It's also used for the routing table lookup, unless
.I ipi_ifindex
-is not zero, the primary local address of the interface specified by the
-index overwrites
-.I ipi_spec_dst
-for the routing table lookup.
+is non-zero \(en
+then the primary local address of that interface is used there instead.
.I ipi_addr
is ignored.
+The structure returned by
+.BR recvmsg (2)
+can be reused,
+which effectively sends a reply to the original packet.
.IP
Not supported for
.B SOCK_STREAM
--
2.47.3
^ permalink raw reply related
* [PATCH 0/2] man7/ip.7: Clarify PKTINFO's docs
From: Jakub Głogowski @ 2025-11-14 14:29 UTC (permalink / raw)
To: Alejandro Colomar; +Cc: Jakub Głogowski, linux-man, LKML, Linux API, ej
I found the PKTINFO docs pretty confusing, so I tried clarifying them:
- being more specific about each field in the struct
(e.g. "local address of the packet" for a received packet could've
been interpreted in myriad ways),
- making the differences between sendmsg(2)'s and recvmsg(2)'s handling
of that struct more explicit,
- and some other slight rewording to make it (IMO) more readable - I cut
out most of a paragraph that wasn't really saying anything, etc.
I'm not sure if this should even be documented in ip(7) together with
the other sockopts, though? sendmsg(2)'s handling of in_pktinfo is
completely unrelated to the IP_PKTINFO sockopt. Documenting it in its
own manual page would also give us more room for subsection headings and
other formatting, examples, etc - instead of trying to cram it into
what's already an enormous manpage.
Same goes for some of the other more complex sockopts, I guess.
PS. sorry for not signing this email, but neomutt didn't want to
cooperate :/ I'll try to figure it out for any followup patches.
Jakub Głogowski (2):
man/man7/ip.7: Clarify PKTINFO's semantics depending on packet
direction
man/man7/ip.7: Reword IP_PKTINFO's description
man/man7/ip.7 | 57 +++++++++++++++++++++++++++------------------------
1 file changed, 30 insertions(+), 27 deletions(-)
--
2.47.3
^ permalink raw reply
* [PATCH 1/2] man/man7/ip.7: Clarify PKTINFO's semantics depending on packet direction
From: Jakub Głogowski @ 2025-11-14 14:29 UTC (permalink / raw)
To: Alejandro Colomar; +Cc: Jakub Głogowski, linux-man, LKML, Linux API, ej
In-Reply-To: <cover.1763130571.git.not@dzwdz.net>
For recvmsg(2), ipi_spec_dst is set by ipv4_pktinfo_prepare() to the
result of fib_compute_sec_dst(). The latter was introduced in
linux.git 35ebf65e851c6d97 ("ipv4: Create and use fib_compute_spec_dst() helper.").
Quoting its commit message:
> The specific destination is the host we direct unicast replies to.
> Usually this is the original packet source address, but if we are
> responding to a multicast or broadcast packet we have to use something
> different.
>
> Specifically we must use the source address we would use if we were to
> send a packet to the unicast source of the original packet.
Experimentation seems to confirm that behavior.
As for the note about ipi_spec_dst being on a different interface:
- For unicast packets (for which ipi_spec_dst is the original
destination address), I believe this is trivially true because Linux
uses the weak host model (unless there's some interaction with
RTCF_LOCAL that I'm missing).
- For multicast/broadcast packets, fib_compute_sec_dst() only passes the
original interface to the lookup in the context of L3M. In
particular, the original implementation (cited above) set iif and oof
to 0. Also, citing
linux.git e7372197e15856ec ("net/ipv4: Set oif in fib_compute_spec_dst"),
> If the device is not enslaved, oif is still 0 so no affect.
It doesn't seem like using an address specifically from the interface
the packet was received on was ever the intention. I've also confirmed
this behavior (sending a multicast packet from another machine, whose IP
I've routed to a dummy interface).
I'm focusing on this because that's a misconception I've had before
digging into the code - the sendmsg behavior explained in the same
paragraph made me think ipi_spec_dst was the (primary?) address of
ipi_ifindex. I think this is worth clarifying.
I've made it explicit that ipi_addr isn't used by sendmsg because that's
another possible misconception.
The (first) extra comma in sendmsg's ipi_spec_dst's description is meant
to emphasize that it's used as the local source address _and_ for the
routing table lookup, as opposed to just affecting the routing table
lookup.
Stylistically it might be a bit weird but idk how to convey this better.
Apart from the cited commits I was referencing the linux-6.17.7 tarball.
__fib_validate_source (and the comment near it) might also be of
interest to people trying to figure out what "specific destinations"
are, exactly.
Signed-off-by: Jakub Głogowski <not@dzwdz.net>
---
man/man7/ip.7 | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/man/man7/ip.7 b/man/man7/ip.7
index a92939cd0..a7f118b42 100644
--- a/man/man7/ip.7
+++ b/man/man7/ip.7
@@ -809,12 +809,20 @@ .SS Socket options
.EE
.in
.IP
+When returned by
+.BR recvmsg (2) ,
.I ipi_ifindex
is the unique index of the interface the packet was received on.
.I ipi_spec_dst
-is the local address of the packet and
+is the preferred source address for replies to the given packet, and
.I ipi_addr
is the destination address in the packet header.
+These addresses are usually the same,
+but can differ for broadcast or multicast packets.
+Note that, depending on the configured routes,
+.I ipi_spec_dst
+might belong to a different interface from the one that received the packet.
+.IP
If
.B IP_PKTINFO
is passed to
@@ -822,14 +830,16 @@ .SS Socket options
and
.\" This field is grossly misnamed
.I ipi_spec_dst
-is not zero, then it is used as the local source address for the routing
-table lookup and for setting up IP source route options.
+is not zero, then it is used as the local source address, for the routing
+table lookup, and for setting up IP source route options.
When
.I ipi_ifindex
is not zero, the primary local address of the interface specified by the
index overwrites
.I ipi_spec_dst
for the routing table lookup.
+.I ipi_addr
+is ignored.
.IP
Not supported for
.B SOCK_STREAM
--
2.47.3
^ permalink raw reply related
* Re: [PATCH v5 02/22] liveupdate: luo_core: integrate with KHO
From: Pasha Tatashin @ 2025-11-14 14:48 UTC (permalink / raw)
To: Mike Rapoport
Cc: pratyush, jasonmiu, graf, dmatlack, rientjes, corbet, rdunlap,
ilpo.jarvinen, kanie, ojeda, aliceryhl, masahiroy, akpm, tj,
yoann.congal, mmaurer, roman.gushchin, chenridong, axboe,
mark.rutland, jannh, vincent.guittot, hannes, dan.j.williams,
david, joel.granados, rostedt, anna.schumaker, song, zhangguopeng,
linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx, mingo, bp,
dave.hansen, x86, hpa, rafael, dakr, bartosz.golaszewski,
cw00.choi, myungjoo.ham, yesanishhere, Jonathan.Cameron,
quic_zijuhu, aleksander.lobakin, ira.weiny, andriy.shevchenko,
leon, lukas, bhelgaas, wagi, djeffery, stuart.w.hayes, ptyadav,
lennart, brauner, linux-api, linux-fsdevel, saeedm, ajayachandra,
jgg, parav, leonro, witu, hughd, skhawaja, chrisl
In-Reply-To: <aRcSpbwBabFjeYe3@kernel.org>
On Fri, Nov 14, 2025 at 6:30 AM Mike Rapoport <rppt@kernel.org> wrote:
>
> On Fri, Nov 07, 2025 at 04:03:00PM -0500, Pasha Tatashin wrote:
> > Integrate the LUO with the KHO framework to enable passing LUO state
> > across a kexec reboot.
> >
> > When LUO is transitioned to a "prepared" state, it tells KHO to
> > finalize, so all memory segments that were added to KHO preservation
> > list are getting preserved. After "Prepared" state no new segments
> > can be preserved. If LUO is canceled, it also tells KHO to cancel the
> > serialization, and therefore, later LUO can go back into the prepared
> > state.
> >
> > This patch introduces the following changes:
> > - During the KHO finalization phase allocate FDT blob.
> > - Populate this FDT with a LUO compatibility string ("luo-v1").
> >
> > LUO now depends on `CONFIG_KEXEC_HANDOVER`. The core state transition
> > logic (`luo_do_*_calls`) remains unimplemented in this patch.
> >
> > Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
> > ---
> > include/linux/liveupdate.h | 6 +
> > include/linux/liveupdate/abi/luo.h | 54 +++++++
> > kernel/liveupdate/luo_core.c | 243 ++++++++++++++++++++++++++++-
> > kernel/liveupdate/luo_internal.h | 17 ++
> > mm/mm_init.c | 4 +
> > 5 files changed, 323 insertions(+), 1 deletion(-)
> > create mode 100644 include/linux/liveupdate/abi/luo.h
> > create mode 100644 kernel/liveupdate/luo_internal.h
> >
> > diff --git a/include/linux/liveupdate.h b/include/linux/liveupdate.h
> > index 730b76625fec..0be8804fc42a 100644
> > --- a/include/linux/liveupdate.h
> > +++ b/include/linux/liveupdate.h
> > @@ -13,6 +13,8 @@
> >
> > #ifdef CONFIG_LIVEUPDATE
> >
> > +void __init liveupdate_init(void);
> > +
> > /* Return true if live update orchestrator is enabled */
> > bool liveupdate_enabled(void);
> >
> > @@ -21,6 +23,10 @@ int liveupdate_reboot(void);
> >
> > #else /* CONFIG_LIVEUPDATE */
> >
> > +static inline void liveupdate_init(void)
> > +{
> > +}
>
> The common practice is to place brackets at the same line with function
> declaration.
Sure.
>
> ...
>
> > +static int __init luo_early_startup(void)
> > +{
> > + phys_addr_t fdt_phys;
> > + int err, ln_size;
> > + const void *ptr;
> > +
> > + if (!kho_is_enabled()) {
> > + if (liveupdate_enabled())
> > + pr_warn("Disabling liveupdate because KHO is disabled\n");
> > + luo_global.enabled = false;
> > + return 0;
> > + }
> > +
> > + /* Retrieve LUO subtree, and verify its format. */
> > + err = kho_retrieve_subtree(LUO_FDT_KHO_ENTRY_NAME, &fdt_phys);
> > + if (err) {
> > + if (err != -ENOENT) {
> > + pr_err("failed to retrieve FDT '%s' from KHO: %pe\n",
> > + LUO_FDT_KHO_ENTRY_NAME, ERR_PTR(err));
> > + return err;
> > + }
> > +
> > + return 0;
> > + }
> > +
> > + luo_global.fdt_in = __va(fdt_phys);
>
> phys_to_virt is clearer, isn't it?
Sure
>
> > + err = fdt_node_check_compatible(luo_global.fdt_in, 0,
> > + LUO_FDT_COMPATIBLE);
>
> ...
>
> > +void __init liveupdate_init(void)
> > +{
> > + int err;
> > +
> > + err = luo_early_startup();
> > + if (err) {
> > + pr_err("The incoming tree failed to initialize properly [%pe], disabling live update\n",
> > + ERR_PTR(err));
> > + luo_global.enabled = false;
> > + }
> > +}
> > +
> > +/* Called during boot to create LUO fdt tree */
>
> ^ create outgoing
OK
>
> > +static int __init luo_late_startup(void)
> > +{
> > + int err;
> > +
> > + if (!liveupdate_enabled())
> > + return 0;
> > +
> > + err = luo_fdt_setup();
> > + if (err)
> > + luo_global.enabled = false;
> > +
> > + return err;
> > +}
> > +late_initcall(luo_late_startup);
>
> It would be nice to have a comment explaining why late_initcall() is fine
> and why there's no need to initialize the outgoing fdt earlier.
I will add a comment; basically it is fine because the outgoing data
structures are only used after we enter userspace.
>
> > +/**
> > + * luo_alloc_preserve - Allocate, zero, and preserve memory.
>
> I think this and the "free" counterparts would be useful for any KHO users,
> even those that don't need LUO.
I will move them to KHO.
>
> > + * @size: The number of bytes to allocate.
> > + *
> > + * Allocates a physically contiguous block of zeroed pages that is large
> > + * enough to hold @size bytes. The allocated memory is then registered with
> > + * KHO for preservation across a kexec.
> > + *
> > + * Note: The actual allocated size will be rounded up to the nearest
> > + * power-of-two page boundary.
> > + *
> > + * @return A virtual pointer to the allocated and preserved memory on success,
> > + * or an ERR_PTR() encoded error on failure.
> > + */
> > +void *luo_alloc_preserve(size_t size)
> > +{
> > + struct folio *folio;
> > + int order, ret;
> > +
> > + if (!size)
> > + return ERR_PTR(-EINVAL);
> > +
> > + order = get_order(size);
> > + if (order > MAX_PAGE_ORDER)
> > + return ERR_PTR(-E2BIG);
>
> High order allocations would likely fail or at least cause a heavy reclaim.
> For now it seems that we won't be needing really large contiguous chunks so
> maybe limiting this to PAGE_ALLOC_COSTLY_ORDER?
Let's use MAX_PAGE_ORDER for now, my concern is that
PAGE_ALLOC_COSTLY_ORDER too fragile to make it part of ABI. If
allocation fails, the user will have to deal with it, as we return a
proper error code.
> Later if we'd need higher order allocations we can try to allocate with
> __GFP_NORETRY or __GFP_RETRY_MAYFAIL with a fallback to vmalloc.
>
> > +
> > + folio = folio_alloc(GFP_KERNEL | __GFP_ZERO, order);
> > + if (!folio)
> > + return ERR_PTR(-ENOMEM);
> > +
> > + ret = kho_preserve_folio(folio);
> > + if (ret) {
> > + folio_put(folio);
> > + return ERR_PTR(ret);
> > + }
> > +
> > + return folio_address(folio);
> > +}
> > +
>
> --
> Sincerely yours,
> Mike.
^ permalink raw reply
* Re: [PATCH v5 07/22] liveupdate: luo_ioctl: add user interface
From: Pasha Tatashin @ 2025-11-14 14:09 UTC (permalink / raw)
To: Mike Rapoport
Cc: pratyush, jasonmiu, graf, dmatlack, rientjes, corbet, rdunlap,
ilpo.jarvinen, kanie, ojeda, aliceryhl, masahiroy, akpm, tj,
yoann.congal, mmaurer, roman.gushchin, chenridong, axboe,
mark.rutland, jannh, vincent.guittot, hannes, dan.j.williams,
david, joel.granados, rostedt, anna.schumaker, song, zhangguopeng,
linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx, mingo, bp,
dave.hansen, x86, hpa, rafael, dakr, bartosz.golaszewski,
cw00.choi, myungjoo.ham, yesanishhere, Jonathan.Cameron,
quic_zijuhu, aleksander.lobakin, ira.weiny, andriy.shevchenko,
leon, lukas, bhelgaas, wagi, djeffery, stuart.w.hayes, ptyadav,
lennart, brauner, linux-api, linux-fsdevel, saeedm, ajayachandra,
jgg, parav, leonro, witu, hughd, skhawaja, chrisl
In-Reply-To: <aRcnRFnqhm3jkqd3@kernel.org>
On Fri, Nov 14, 2025 at 7:58 AM Mike Rapoport <rppt@kernel.org> wrote:
>
> On Fri, Nov 07, 2025 at 04:03:05PM -0500, Pasha Tatashin wrote:
> > Introduce the user-space interface for the Live Update Orchestrator
> > via ioctl commands, enabling external control over the live update
> > process and management of preserved resources.
> >
> > The idea is that there is going to be a single userspace agent driving
> > the live update, therefore, only a single process can ever hold this
> > device opened at a time.
> >
> > The following ioctl commands are introduced:
> >
> > LIVEUPDATE_IOCTL_CREATE_SESSION
> > Provides a way for userspace to create a named session for grouping file
> > descriptors that need to be preserved. It returns a new file descriptor
> > representing the session.
> >
> > LIVEUPDATE_IOCTL_RETRIEVE_SESSION
> > Allows the userspace agent in the new kernel to reclaim a preserved
> > session by its name, receiving a new file descriptor to manage the
> > restored resources.
> >
> > Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
> > ---
> > include/uapi/linux/liveupdate.h | 64 ++++++++++++
> > kernel/liveupdate/luo_internal.h | 21 ++++
> > kernel/liveupdate/luo_ioctl.c | 173 +++++++++++++++++++++++++++++++
> > 3 files changed, 258 insertions(+)
>
> ...
>
> > +static int luo_ioctl_create_session(struct luo_ucmd *ucmd)
> > +{
> > + struct liveupdate_ioctl_create_session *argp = ucmd->cmd;
> > + struct file *file;
> > + int ret;
> > +
> > + argp->fd = get_unused_fd_flags(O_CLOEXEC);
> > + if (argp->fd < 0)
> > + return argp->fd;
> > +
> > + ret = luo_session_create(argp->name, &file);
> > + if (ret)
>
> put_unused_fd(fd) ?
Yes, thank you.
>
> > + return ret;
> > +
> > + ret = luo_ucmd_respond(ucmd, sizeof(*argp));
> > + if (ret) {
> > + fput(file);
> > + put_unused_fd(argp->fd);
> > + return ret;
> > + }
>
> I think that using gotos for error handling is more appropriate here.
Sure, I will do that
>
> > +
> > + fd_install(argp->fd, file);
> > +
> > + return 0;
> > +}
> > +
> > +static int luo_ioctl_retrieve_session(struct luo_ucmd *ucmd)
> > +{
> > + struct liveupdate_ioctl_retrieve_session *argp = ucmd->cmd;
> > + struct file *file;
> > + int ret;
> > +
> > + argp->fd = get_unused_fd_flags(O_CLOEXEC);
> > + if (argp->fd < 0)
> > + return argp->fd;
> > +
> > + ret = luo_session_retrieve(argp->name, &file);
> > + if (ret < 0) {
> > + put_unused_fd(argp->fd);
> > +
> > + return ret;
> > + }
> > +
> > + ret = luo_ucmd_respond(ucmd, sizeof(*argp));
> > + if (ret) {
> > + fput(file);
> > + put_unused_fd(argp->fd);
> > + return ret;
> > + }
>
> and here.
Sure
>
> > +
> > + fd_install(argp->fd, file);
> > +
> > + return 0;
> > +}
> > +
>
> --
> Sincerely yours,
> Mike.
^ permalink raw reply
* Re: [PATCH v5 06/22] liveupdate: luo_session: add sessions support
From: Pasha Tatashin @ 2025-11-14 14:07 UTC (permalink / raw)
To: Mike Rapoport
Cc: pratyush, jasonmiu, graf, dmatlack, rientjes, corbet, rdunlap,
ilpo.jarvinen, kanie, ojeda, aliceryhl, masahiroy, akpm, tj,
yoann.congal, mmaurer, roman.gushchin, chenridong, axboe,
mark.rutland, jannh, vincent.guittot, hannes, dan.j.williams,
david, joel.granados, rostedt, anna.schumaker, song, zhangguopeng,
linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx, mingo, bp,
dave.hansen, x86, hpa, rafael, dakr, bartosz.golaszewski,
cw00.choi, myungjoo.ham, yesanishhere, Jonathan.Cameron,
quic_zijuhu, aleksander.lobakin, ira.weiny, andriy.shevchenko,
leon, lukas, bhelgaas, wagi, djeffery, stuart.w.hayes, ptyadav,
lennart, brauner, linux-api, linux-fsdevel, saeedm, ajayachandra,
jgg, parav, leonro, witu, hughd, skhawaja, chrisl
In-Reply-To: <aRclYgHYXQFJ2Fpn@kernel.org>
On Fri, Nov 14, 2025 at 7:50 AM Mike Rapoport <rppt@kernel.org> wrote:
>
> On Fri, Nov 07, 2025 at 04:03:04PM -0500, Pasha Tatashin wrote:
> > Introduce concept of "Live Update Sessions" within the LUO framework.
> > LUO sessions provide a mechanism to group and manage `struct file *`
> > instances (representing file descriptors) that need to be preserved
> > across a kexec-based live update.
> >
> > Each session is identified by a unique name and acts as a container
> > for file objects whose state is critical to a userspace workload, such
> > as a virtual machine or a high-performance database, aiming to maintain
> > their functionality across a kernel transition.
> >
> > This groundwork establishes the framework for preserving file-backed
> > state across kernel updates, with the actual file data preservation
> > mechanisms to be implemented in subsequent patches.
> >
> > Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
> > ---
> > include/linux/liveupdate/abi/luo.h | 81 ++++++
> > include/uapi/linux/liveupdate.h | 3 +
> > kernel/liveupdate/Makefile | 3 +-
> > kernel/liveupdate/luo_core.c | 9 +
> > kernel/liveupdate/luo_internal.h | 39 +++
> > kernel/liveupdate/luo_session.c | 405 +++++++++++++++++++++++++++++
> > 6 files changed, 539 insertions(+), 1 deletion(-)
> > create mode 100644 kernel/liveupdate/luo_session.c
> >
> > diff --git a/include/linux/liveupdate/abi/luo.h b/include/linux/liveupdate/abi/luo.h
> > index 9483a294287f..37b9fecef3f7 100644
> > --- a/include/linux/liveupdate/abi/luo.h
> > +++ b/include/linux/liveupdate/abi/luo.h
> > @@ -28,6 +28,11 @@
> > * / {
> > * compatible = "luo-v1";
> > * liveupdate-number = <...>;
> > + *
> > + * luo-session {
> > + * compatible = "luo-session-v1";
> > + * luo-session-head = <phys_addr_of_session_head_ser>;
> > + * };
> > * };
> > *
> > * Main LUO Node (/):
> > @@ -36,11 +41,37 @@
> > * Identifies the overall LUO ABI version.
> > * - liveupdate-number: u64
> > * A counter tracking the number of successful live updates performed.
> > + *
> > + * Session Node (luo-session):
> > + * This node describes all preserved user-space sessions.
> > + *
> > + * - compatible: "luo-session-v1"
> > + * Identifies the session ABI version.
> > + * - luo-session-head: u64
> > + * The physical address of a `struct luo_session_head_ser`. This structure is
> > + * the header for a contiguous block of memory containing an array of
> > + * `struct luo_session_ser`, one for each preserved session.
> > + *
> > + * Serialization Structures:
> > + * The FDT properties point to memory regions containing arrays of simple,
> > + * `__packed` structures. These structures contain the actual preserved state.
> > + *
> > + * - struct luo_session_head_ser:
> > + * Header for the session array. Contains the total page count of the
> > + * preserved memory block and the number of `struct luo_session_ser`
> > + * entries that follow.
> > + *
> > + * - struct luo_session_ser:
> > + * Metadata for a single session, including its name and a physical pointer
> > + * to another preserved memory block containing an array of
> > + * `struct luo_file_ser` for all files in that session.
> > */
> >
> > #ifndef _LINUX_LIVEUPDATE_ABI_LUO_H
> > #define _LINUX_LIVEUPDATE_ABI_LUO_H
> >
> > +#include <uapi/linux/liveupdate.h>
> > +
> > /*
> > * The LUO FDT hooks all LUO state for sessions, fds, etc.
> > * In the root it allso carries "liveupdate-number" 64-bit property that
> > @@ -51,4 +82,54 @@
> > #define LUO_FDT_COMPATIBLE "luo-v1"
> > #define LUO_FDT_LIVEUPDATE_NUM "liveupdate-number"
> >
> > +/*
> > + * LUO FDT session node
> > + * LUO_FDT_SESSION_HEAD: is a u64 physical address of struct
> > + * luo_session_head_ser
> > + */
> > +#define LUO_FDT_SESSION_NODE_NAME "luo-session"
> > +#define LUO_FDT_SESSION_COMPATIBLE "luo-session-v1"
> > +#define LUO_FDT_SESSION_HEAD "luo-session-head"
> > +
> > +/**
> > + * struct luo_session_head_ser - Header for the serialized session data block.
> > + * @pgcnt: The total size, in pages, of the entire preserved memory block
> > + * that this header describes.
> > + * @count: The number of 'struct luo_session_ser' entries that immediately
> > + * follow this header in the memory block.
> > + *
> > + * This structure is located at the beginning of a contiguous block of
> > + * physical memory preserved across the kexec. It provides the necessary
> > + * metadata to interpret the array of session entries that follow.
> > + */
> > +struct luo_session_head_ser {
> > + u64 pgcnt;
> > + u64 count;
> > +} __packed;
> > +
> > +/**
> > + * struct luo_session_ser - Represents the serialized metadata for a LUO session.
> > + * @name: The unique name of the session, copied from the `luo_session`
> > + * structure.
> > + * @files: The physical address of a contiguous memory block that holds
> > + * the serialized state of files.
> > + * @pgcnt: The number of pages occupied by the `files` memory block.
> > + * @count: The total number of files that were part of this session during
> > + * serialization. Used for iteration and validation during
> > + * restoration.
> > + *
> > + * This structure is used to package session-specific metadata for transfer
> > + * between kernels via Kexec Handover. An array of these structures (one per
> > + * session) is created and passed to the new kernel, allowing it to reconstruct
> > + * the session context.
> > + *
> > + * If this structure is modified, LUO_SESSION_COMPATIBLE must be updated.
> > + */
> > +struct luo_session_ser {
> > + char name[LIVEUPDATE_SESSION_NAME_LENGTH];
> > + u64 files;
> > + u64 pgcnt;
> > + u64 count;
> > +} __packed;
> > +
> > #endif /* _LINUX_LIVEUPDATE_ABI_LUO_H */
> > diff --git a/include/uapi/linux/liveupdate.h b/include/uapi/linux/liveupdate.h
> > index df34c1642c4d..d2ef2f7e0dbd 100644
> > --- a/include/uapi/linux/liveupdate.h
> > +++ b/include/uapi/linux/liveupdate.h
> > @@ -43,4 +43,7 @@
> > /* The ioctl type, documented in ioctl-number.rst */
> > #define LIVEUPDATE_IOCTL_TYPE 0xBA
> >
> > +/* The maximum length of session name including null termination */
> > +#define LIVEUPDATE_SESSION_NAME_LENGTH 56
>
> Out of curiosity, why 56? :)
There is no architectural requirement, I picked 56 to be long enough
to contain a meaningful identifier, and also more efficiently fit the
luo_session_ser[] array. However, now thinking about this, I will bump
it up to 64-bytes, just so it does not look strange.
>
> > +
> > #endif /* _UAPI_LIVEUPDATE_H */
> > diff --git a/kernel/liveupdate/Makefile b/kernel/liveupdate/Makefile
> > index 413722002b7a..83285e7ad726 100644
> > --- a/kernel/liveupdate/Makefile
> > +++ b/kernel/liveupdate/Makefile
> > @@ -2,7 +2,8 @@
> >
> > luo-y := \
> > luo_core.o \
> > - luo_ioctl.o
> > + luo_ioctl.o \
> > + luo_session.o
> >
> > obj-$(CONFIG_KEXEC_HANDOVER) += kexec_handover.o
> > obj-$(CONFIG_KEXEC_HANDOVER_DEBUG) += kexec_handover_debug.o
> > diff --git a/kernel/liveupdate/luo_core.c b/kernel/liveupdate/luo_core.c
> > index c1bd236bccb0..83257ab93ebb 100644
> > --- a/kernel/liveupdate/luo_core.c
> > +++ b/kernel/liveupdate/luo_core.c
> > @@ -116,6 +116,10 @@ static int __init luo_early_startup(void)
> > pr_info("Retrieved live update data, liveupdate number: %lld\n",
> > luo_global.liveupdate_num);
> >
> > + err = luo_session_setup_incoming(luo_global.fdt_in);
> > + if (err)
> > + return err;
> > +
> > return 0;
> > }
> >
> > @@ -149,6 +153,7 @@ static int __init luo_fdt_setup(void)
> > err |= fdt_begin_node(fdt_out, "");
> > err |= fdt_property_string(fdt_out, "compatible", LUO_FDT_COMPATIBLE);
> > err |= fdt_property(fdt_out, LUO_FDT_LIVEUPDATE_NUM, &ln, sizeof(ln));
> > + err |= luo_session_setup_outgoing(fdt_out);
> > err |= fdt_end_node(fdt_out);
> > err |= fdt_finish(fdt_out);
> > if (err)
> > @@ -202,6 +207,10 @@ int liveupdate_reboot(void)
> > if (!liveupdate_enabled())
> > return 0;
> >
> > + err = luo_session_serialize();
> > + if (err)
> > + return err;
> > +
> > err = kho_finalize();
> > if (err) {
> > pr_err("kho_finalize failed %d\n", err);
> > diff --git a/kernel/liveupdate/luo_internal.h b/kernel/liveupdate/luo_internal.h
> > index 29f47a69be0b..b4f2d1443c76 100644
> > --- a/kernel/liveupdate/luo_internal.h
> > +++ b/kernel/liveupdate/luo_internal.h
> > @@ -14,4 +14,43 @@ void *luo_alloc_preserve(size_t size);
> > void luo_free_unpreserve(void *mem, size_t size);
> > void luo_free_restore(void *mem, size_t size);
> >
> > +/**
> > + * struct luo_session - Represents an active or incoming Live Update session.
> > + * @name: A unique name for this session, used for identification and
> > + * retrieval.
> > + * @files_list: An ordered list of files associated with this session, it is
> > + * ordered by preservation time.
> > + * @ser: Pointer to the serialized data for this session.
> > + * @count: A counter tracking the number of files currently stored in the
> > + * @files_xa for this session.
>
> ^@files_list
Sure, thanks
>
> > + * @list: A list_head member used to link this session into a global list
> > + * of either outgoing (to be preserved) or incoming (restored from
> > + * previous kernel) sessions.
> > + * @retrieved: A boolean flag indicating whether this session has been
> > + * retrieved by a consumer in the new kernel.
> > + * @mutex: Session lock, protects files_list, and count.
> > + * @files: The physically contiguous memory block that holds the serialized
> > + * state of files.
> > + * @pgcnt: The number of pages files occupy.
>
> ^ @files
Ok
>
> > + */
> > +struct luo_session {
> > + char name[LIVEUPDATE_SESSION_NAME_LENGTH];
> > + struct list_head files_list;
> > + struct luo_session_ser *ser;
> > + long count;
> > + struct list_head list;
> > + bool retrieved;
> > + struct mutex mutex;
> > + struct luo_file_ser *files;
> > + u64 pgcnt;
> > +};
> > +
> > +int luo_session_create(const char *name, struct file **filep);
> > +int luo_session_retrieve(const char *name, struct file **filep);
> > +int __init luo_session_setup_outgoing(void *fdt);
> > +int __init luo_session_setup_incoming(void *fdt);
> > +int luo_session_serialize(void);
> > +int luo_session_deserialize(void);
>
> The last four deal with all the sessions, maybe use plural in the function
> names.
luo_session_* is a common prefix, I would prefer to keep it the same.
These functions are:
luo_session_serialize_sessions()
luo_session_deserialize_sessions()
But, that becomes redundant, so let's keep them as is.
>
> > +bool luo_session_is_deserialized(void);
> > +
> > #endif /* _LINUX_LUO_INTERNAL_H */
> > diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
> > new file mode 100644
> > index 000000000000..a3513118aa74
> > --- /dev/null
> > +++ b/kernel/liveupdate/luo_session.c
> > @@ -0,0 +1,405 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +
> > +/*
> > + * Copyright (c) 2025, Google LLC.
> > + * Pasha Tatashin <pasha.tatashin@soleen.com>
> > + */
> > +
> > +/**
> > + * DOC: LUO Sessions
> > + *
> > + * LUO Sessions provide the core mechanism for grouping and managing `struct
> > + * file *` instances that need to be preserved across a kexec-based live
> > + * update. Each session acts as a named container for a set of file objects,
> > + * allowing a userspace agent to manage the lifecycle of resources critical to a
> > + * workload.
> > + *
> > + * Core Concepts:
> > + *
> > + * - Named Containers: Sessions are identified by a unique, user-provided name,
> > + * which is used for both creation in the current kernel and retrieval in the
> > + * next kernel.
> > + *
> > + * - Userspace Interface: Session management is driven from userspace via
> > + * ioctls on /dev/liveupdate.
> > + *
> > + * - Serialization: Session metadata is preserved using the KHO framework. When
> > + * a live update is triggered via kexec, an array of `struct luo_session_ser`
> > + * is populated and placed in a preserved memory region. An FDT node is also
> > + * created, containing the count of sessions and the physical address of this
> > + * array.
> > + *
> > + * Session Lifecycle:
> > + *
> > + * 1. Creation: A userspace agent calls `luo_session_create()` to create a
> > + * new, empty session and receives a file descriptor for it.
> > + *
> > + * 2. Serialization: When the `reboot(LINUX_REBOOT_CMD_KEXEC)` syscall is
> > + * made, `luo_session_serialize()` is called. It iterates through all
> > + * active sessions and writes their metadata into a memory area preserved
> > + * by KHO.
> > + *
> > + * 3. Deserialization (in new kernel): After kexec, `luo_session_deserialize()`
> > + * runs, reading the serialized data and creating a list of `struct
> > + * luo_session` objects representing the preserved sessions.
> > + *
> > + * 4. Retrieval: A userspace agent in the new kernel can then call
> > + * `luo_session_retrieve()` with a session name to get a new file
> > + * descriptor and access the preserved state.
> > + */
> > +
> > +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> > +
> > +#include <linux/anon_inodes.h>
> > +#include <linux/errno.h>
> > +#include <linux/file.h>
> > +#include <linux/fs.h>
> > +#include <linux/libfdt.h>
> > +#include <linux/liveupdate.h>
> > +#include <linux/liveupdate/abi/luo.h>
> > +#include <uapi/linux/liveupdate.h>
> > +#include "luo_internal.h"
> > +
> > +/* 16 4K pages, give space for 819 sessions */
> > +#define LUO_SESSION_PGCNT 16ul
> > +#define LUO_SESSION_MAX (((LUO_SESSION_PGCNT << PAGE_SHIFT) - \
> > + sizeof(struct luo_session_head_ser)) / \
> > + sizeof(struct luo_session_ser))
> > +
> > +/**
> > + * struct luo_session_head - Head struct for managing LUO sessions.
>
> Head of what? ;-)
Head of incoming and outgoing session lists, sounds appropriate, but
if you do not like that how about: luo_session_set ?
> Maybe luo_session_list? Or even luo_sessions?
luo_session_list would sound good, but I prefer to use that for
"struct list_head *" types. Let's keep luo_session
>
> > + * @count: The number of sessions currently tracked in the @list.
> > + * @list: The head of the linked list of `struct luo_session` instances.
> > + * @rwsem: A read-write semaphore providing synchronized access to the
> > + * session list and other fields in this structure.
> > + * @head_ser: The head data of serialization array.
>
> ^ header?
Yes, I am going to re-name all these to header.
>
> > + * @ser: The serialized session data (an array of
> > + * `struct luo_session_ser`).
> > + * @active: Set to true when first initialized. If previous kernel did not
> > + * send session data, active stays false for incoming.
> > + */
> > +struct luo_session_head {
> > + long count;
> > + struct list_head list;
> > + struct rw_semaphore rwsem;
> > + struct luo_session_head_ser *head_ser;
> > + struct luo_session_ser *ser;
> > + bool active;
> > +};
> > +
> > +/**
> > + * struct luo_session_global - Global container for managing LUO sessions.
> > + * @incoming: The sessions passed from the previous kernel.
> > + * @outgoing: The sessions that are going to be passed to the next kernel.
> > + * @deserialized: The sessions have been deserialized once /dev/liveupdate
> > + * has been opened.
> > + */
> > +struct luo_session_global {
> > + struct luo_session_head incoming;
> > + struct luo_session_head outgoing;
> > + bool deserialized;
> > +} luo_session_global;
>
> Should be static. And frankly, I don't think grouping two global variables
> into a struct gains much.
I have sent a separate fix-up patch to make it static.
>
> static struct luo_sessions luo_sessions_incoming;
> static struct luo_sessions luo_sessions_outgoing;
I prefer to group globals in a struct so over time we do not end-up
sprinkling them all over the file.
>
> reads clearer to me.
>
> > +
> > +static struct luo_session *luo_session_alloc(const char *name)
> > +{
> > + struct luo_session *session = kzalloc(sizeof(*session), GFP_KERNEL);
> > +
> > + if (!session)
> > + return NULL;
> > +
> > + strscpy(session->name, name, sizeof(session->name));
> > + INIT_LIST_HEAD(&session->files_list);
> > + session->count = 0;
>
> I'd move this after mutex_init(), a bit more readable IMHO.
Sure
>
> > + INIT_LIST_HEAD(&session->list);
> > + mutex_init(&session->mutex);
> > +
> > + return session;
> > +}
> > +
> > +static void luo_session_free(struct luo_session *session)
> > +{
> > + WARN_ON(session->count);
> > + WARN_ON(!list_empty(&session->files_list));
> > + mutex_destroy(&session->mutex);
> > + kfree(session);
> > +}
> > +
> > +static int luo_session_insert(struct luo_session_head *sh,
> > + struct luo_session *session)
> > +{
> > + struct luo_session *it;
> > +
> > + guard(rwsem_write)(&sh->rwsem);
> > +
> > + /*
> > + * For outgoing we should make sure there is room in serialization array
> > + * for new session.
> > + */
> > + if (sh == &luo_session_global.outgoing) {
> > + if (sh->count == LUO_SESSION_MAX)
> > + return -ENOMEM;
> > + }
>
> Not a big deal, but this could be outside the guard().
Yes, but then we would still need to check inside... So, since it is
not a performance critical path, let's keep it cleaner and check only
inside.
>
> > +
> > + /*
> > + * For small number of sessions this loop won't hurt performance
> > + * but if we ever start using a lot of sessions, this might
> > + * become a bottle neck during deserialization time, as it would
> > + * cause O(n*n) complexity.
> > + */
>
> The loop is always O(n*n) in the worst case, no matter how many sessions
> there are ;-)
Yes, this is what I am stating, just logically the number of sessions
is not in millions, so it should not cause this to be a problem if it
ever does, we can fix it.
>
> > + list_for_each_entry(it, &sh->list, list) {
> > + if (!strncmp(it->name, session->name, sizeof(it->name)))
> > + return -EEXIST;
> > + }
> > + list_add_tail(&session->list, &sh->list);
> > + sh->count++;
> > +
> > + return 0;
> > +}
> > +
> > +static void luo_session_remove(struct luo_session_head *sh,
> > + struct luo_session *session)
> > +{
> > + guard(rwsem_write)(&sh->rwsem);
> > + list_del(&session->list);
> > + sh->count--;
> > +}
> > +
> > +static int luo_session_release(struct inode *inodep, struct file *filep)
> > +{
> > + struct luo_session *session = filep->private_data;
> > + struct luo_session_head *sh;
> > +
> > + /* If retrieved is set, it means this session is from incoming list */
> > + if (session->retrieved)
> > + sh = &luo_session_global.incoming;
> > + else
> > + sh = &luo_session_global.outgoing;
>
> Maybe just add a backpointer to the list to struct luo_session?
This is the only place where this is used, I think it is readable
instead of carrying an extra 8-byte state in every session.
>
> > +
> > + luo_session_remove(sh, session);
> > + luo_session_free(session);
> > +
> > + return 0;
> > +}
> > +
> > +static const struct file_operations luo_session_fops = {
> > + .owner = THIS_MODULE,
> > + .release = luo_session_release,
> > +};
> > +
> > +/* Create a "struct file" for session */
> > +static int luo_session_getfile(struct luo_session *session, struct file **filep)
> > +{
> > + char name_buf[128];
> > + struct file *file;
> > +
> > + guard(mutex)(&session->mutex);
> > + snprintf(name_buf, sizeof(name_buf), "[luo_session] %s", session->name);
> > + file = anon_inode_getfile(name_buf, &luo_session_fops, session, O_RDWR);
> > + if (IS_ERR(file))
> > + return PTR_ERR(file);
> > +
> > + *filep = file;
> > +
> > + return 0;
> > +}
> > +
> > +int luo_session_create(const char *name, struct file **filep)
> > +{
> > + struct luo_session *session;
> > + int err;
> > +
> > + session = luo_session_alloc(name);
> > + if (!session)
> > + return -ENOMEM;
> > +
> > + err = luo_session_insert(&luo_session_global.outgoing, session);
> > + if (err) {
> > + luo_session_free(session);
> > + return err;
>
> Please goto err_free
Sure.
>
> > + }
> > +
> > + err = luo_session_getfile(session, filep);
> > + if (err) {
> > + luo_session_remove(&luo_session_global.outgoing, session);
> > + luo_session_free(session);
>
> and goto err_remove
Sure.
>
> > + }
> > +
> > + return err;
> > +}
> > +
> > +int luo_session_retrieve(const char *name, struct file **filep)
> > +{
> > + struct luo_session_head *sh = &luo_session_global.incoming;
> > + struct luo_session *session = NULL;
> > + struct luo_session *it;
> > + int err;
> > +
> > + scoped_guard(rwsem_read, &sh->rwsem) {
> > + list_for_each_entry(it, &sh->list, list) {
> > + if (!strncmp(it->name, name, sizeof(it->name))) {
> > + session = it;
> > + break;
> > + }
> > + }
> > + }
> > +
> > + if (!session)
> > + return -ENOENT;
> > +
> > + scoped_guard(mutex, &session->mutex) {
> > + if (session->retrieved)
> > + return -EINVAL;
> > + }
> > +
> > + err = luo_session_getfile(session, filep);
> > + if (!err) {
> > + scoped_guard(mutex, &session->mutex)
> > + session->retrieved = true;
> > + }
> > +
> > + return err;
> > +}
> > +
> > +int __init luo_session_setup_outgoing(void *fdt_out)
> > +{
> > + struct luo_session_head_ser *head_ser;
> > + u64 head_ser_pa;
> > + int err;
> > +
> > + head_ser = luo_alloc_preserve(LUO_SESSION_PGCNT << PAGE_SHIFT);
> > + if (IS_ERR(head_ser))
> > + return PTR_ERR(head_ser);
> > + head_ser_pa = __pa(head_ser);
>
> virt_to_phys please
>
> > +
> > + err = fdt_begin_node(fdt_out, LUO_FDT_SESSION_NODE_NAME);
> > + err |= fdt_property_string(fdt_out, "compatible",
> > + LUO_FDT_SESSION_COMPATIBLE);
> > + err |= fdt_property(fdt_out, LUO_FDT_SESSION_HEAD, &head_ser_pa,
> > + sizeof(head_ser_pa));
> > + err |= fdt_end_node(fdt_out);
> > +
> > + if (err)
> > + goto err_unpreserve;
> > +
> > + head_ser->pgcnt = LUO_SESSION_PGCNT;
> > + INIT_LIST_HEAD(&luo_session_global.outgoing.list);
> > + init_rwsem(&luo_session_global.outgoing.rwsem);
> > + luo_session_global.outgoing.head_ser = head_ser;
> > + luo_session_global.outgoing.ser = (void *)(head_ser + 1);
> > + luo_session_global.outgoing.active = true;
> > +
> > + return 0;
> > +
> > +err_unpreserve:
> > + luo_free_unpreserve(head_ser, LUO_SESSION_PGCNT << PAGE_SHIFT);
> > + return err;
> > +}
> > +
> > +int __init luo_session_setup_incoming(void *fdt_in)
> > +{
> > + struct luo_session_head_ser *head_ser;
> > + int err, head_size, offset;
> > + const void *ptr;
> > + u64 head_ser_pa;
> > +
> > + offset = fdt_subnode_offset(fdt_in, 0, LUO_FDT_SESSION_NODE_NAME);
> > + if (offset < 0) {
> > + pr_err("Unable to get session node: [%s]\n",
> > + LUO_FDT_SESSION_NODE_NAME);
> > + return -EINVAL;
> > + }
> > +
> > + err = fdt_node_check_compatible(fdt_in, offset,
> > + LUO_FDT_SESSION_COMPATIBLE);
> > + if (err) {
> > + pr_err("Session node incompatibale [%s]\n",
> > + LUO_FDT_SESSION_COMPATIBLE);
> > + return -EINVAL;
> > + }
> > +
> > + head_size = 0;
> > + ptr = fdt_getprop(fdt_in, offset, LUO_FDT_SESSION_HEAD, &head_size);
> > + if (!ptr || head_size != sizeof(u64)) {
> > + pr_err("Unable to get session head '%s' [%d]\n",
> > + LUO_FDT_SESSION_HEAD, head_size);
> > + return -EINVAL;
> > + }
> > +
> > + memcpy(&head_ser_pa, ptr, sizeof(u64));
> > + head_ser = __va(head_ser_pa);
> > +
> > + luo_session_global.incoming.head_ser = head_ser;
> > + luo_session_global.incoming.ser = (void *)(head_ser + 1);
> > + INIT_LIST_HEAD(&luo_session_global.incoming.list);
> > + init_rwsem(&luo_session_global.incoming.rwsem);
> > + luo_session_global.incoming.active = true;
> > +
> > + return 0;
> > +}
> > +
> > +bool luo_session_is_deserialized(void)
> > +{
> > + return luo_session_global.deserialized;
> > +}
> > +
> > +int luo_session_deserialize(void)
> > +{
> > + struct luo_session_head *sh = &luo_session_global.incoming;
> > +
> > + if (luo_session_is_deserialized())
> > + return 0;
> > +
> > + luo_session_global.deserialized = true;
>
> Shouldn't this be set after deserialization succeeded?
We do luo_session_deserialize() only once even if it failed or was not
needed. So, set this flag at the beginning.
>
> > + if (!sh->active) {
> > + INIT_LIST_HEAD(&sh->list);
> > + init_rwsem(&sh->rwsem);
> > + return 0;
> > + }
> > +
> > + for (int i = 0; i < sh->head_ser->count; i++) {
> > + struct luo_session *session;
> > +
> > + session = luo_session_alloc(sh->ser[i].name);
> > + if (!session) {
> > + pr_warn("Failed to allocate session [%s] during deserialization\n",
> > + sh->ser[i].name);
> > + return -ENOMEM;
> > + }
> > +
> > + if (luo_session_insert(sh, session)) {
> > + pr_warn("Failed to insert session due to name conflict [%s]\n",
> > + session->name);
> > + return -EEXIST;
>
> Need to free allocated sessions if an insert fails.
Thanks, I will fix it.
>
> > + }
> > +
> > + session->count = sh->ser[i].count;
> > + session->files = __va(sh->ser[i].files);
> > + session->pgcnt = sh->ser[i].pgcnt;
> > + }
> > +
> > + luo_free_restore(sh->head_ser, sh->head_ser->pgcnt << PAGE_SHIFT);
> > + sh->head_ser = NULL;
> > + sh->ser = NULL;
> > +
> > + return 0;
> > +}
> > +
> > +int luo_session_serialize(void)
> > +{
> > + struct luo_session_head *sh = &luo_session_global.outgoing;
> > + struct luo_session *session;
> > + int i = 0;
> > +
> > + guard(rwsem_write)(&sh->rwsem);
> > + list_for_each_entry(session, &sh->list, list) {
> > + strscpy(sh->ser[i].name, session->name,
> > + sizeof(sh->ser[i].name));
> > + sh->ser[i].count = session->count;
> > + sh->ser[i].files = __pa(session->files);
> > + sh->ser[i].pgcnt = session->pgcnt;
> > + i++;
> > + }
> > + sh->head_ser->count = sh->count;
> > +
> > + return 0;
> > +}
> > --
> > 2.51.2.1041.gc1ab5b90ca-goog
> >
> >
>
> --
> Sincerely yours,
> Mike.
^ permalink raw reply
* Re: [PATCH v5 07/22] liveupdate: luo_ioctl: add user interface
From: Mike Rapoport @ 2025-11-14 12:57 UTC (permalink / raw)
To: Pasha Tatashin
Cc: pratyush, jasonmiu, graf, dmatlack, rientjes, corbet, rdunlap,
ilpo.jarvinen, kanie, ojeda, aliceryhl, masahiroy, akpm, tj,
yoann.congal, mmaurer, roman.gushchin, chenridong, axboe,
mark.rutland, jannh, vincent.guittot, hannes, dan.j.williams,
david, joel.granados, rostedt, anna.schumaker, song, zhangguopeng,
linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx, mingo, bp,
dave.hansen, x86, hpa, rafael, dakr, bartosz.golaszewski,
cw00.choi, myungjoo.ham, yesanishhere, Jonathan.Cameron,
quic_zijuhu, aleksander.lobakin, ira.weiny, andriy.shevchenko,
leon, lukas, bhelgaas, wagi, djeffery, stuart.w.hayes, ptyadav,
lennart, brauner, linux-api, linux-fsdevel, saeedm, ajayachandra,
jgg, parav, leonro, witu, hughd, skhawaja, chrisl
In-Reply-To: <20251107210526.257742-8-pasha.tatashin@soleen.com>
On Fri, Nov 07, 2025 at 04:03:05PM -0500, Pasha Tatashin wrote:
> Introduce the user-space interface for the Live Update Orchestrator
> via ioctl commands, enabling external control over the live update
> process and management of preserved resources.
>
> The idea is that there is going to be a single userspace agent driving
> the live update, therefore, only a single process can ever hold this
> device opened at a time.
>
> The following ioctl commands are introduced:
>
> LIVEUPDATE_IOCTL_CREATE_SESSION
> Provides a way for userspace to create a named session for grouping file
> descriptors that need to be preserved. It returns a new file descriptor
> representing the session.
>
> LIVEUPDATE_IOCTL_RETRIEVE_SESSION
> Allows the userspace agent in the new kernel to reclaim a preserved
> session by its name, receiving a new file descriptor to manage the
> restored resources.
>
> Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
> ---
> include/uapi/linux/liveupdate.h | 64 ++++++++++++
> kernel/liveupdate/luo_internal.h | 21 ++++
> kernel/liveupdate/luo_ioctl.c | 173 +++++++++++++++++++++++++++++++
> 3 files changed, 258 insertions(+)
...
> +static int luo_ioctl_create_session(struct luo_ucmd *ucmd)
> +{
> + struct liveupdate_ioctl_create_session *argp = ucmd->cmd;
> + struct file *file;
> + int ret;
> +
> + argp->fd = get_unused_fd_flags(O_CLOEXEC);
> + if (argp->fd < 0)
> + return argp->fd;
> +
> + ret = luo_session_create(argp->name, &file);
> + if (ret)
put_unused_fd(fd) ?
> + return ret;
> +
> + ret = luo_ucmd_respond(ucmd, sizeof(*argp));
> + if (ret) {
> + fput(file);
> + put_unused_fd(argp->fd);
> + return ret;
> + }
I think that using gotos for error handling is more appropriate here.
> +
> + fd_install(argp->fd, file);
> +
> + return 0;
> +}
> +
> +static int luo_ioctl_retrieve_session(struct luo_ucmd *ucmd)
> +{
> + struct liveupdate_ioctl_retrieve_session *argp = ucmd->cmd;
> + struct file *file;
> + int ret;
> +
> + argp->fd = get_unused_fd_flags(O_CLOEXEC);
> + if (argp->fd < 0)
> + return argp->fd;
> +
> + ret = luo_session_retrieve(argp->name, &file);
> + if (ret < 0) {
> + put_unused_fd(argp->fd);
> +
> + return ret;
> + }
> +
> + ret = luo_ucmd_respond(ucmd, sizeof(*argp));
> + if (ret) {
> + fput(file);
> + put_unused_fd(argp->fd);
> + return ret;
> + }
and here.
> +
> + fd_install(argp->fd, file);
> +
> + return 0;
> +}
> +
--
Sincerely yours,
Mike.
^ permalink raw reply
* Re: [PATCH v5 06/22] liveupdate: luo_session: add sessions support
From: Mike Rapoport @ 2025-11-14 12:49 UTC (permalink / raw)
To: Pasha Tatashin
Cc: pratyush, jasonmiu, graf, dmatlack, rientjes, corbet, rdunlap,
ilpo.jarvinen, kanie, ojeda, aliceryhl, masahiroy, akpm, tj,
yoann.congal, mmaurer, roman.gushchin, chenridong, axboe,
mark.rutland, jannh, vincent.guittot, hannes, dan.j.williams,
david, joel.granados, rostedt, anna.schumaker, song, zhangguopeng,
linux, linux-kernel, linux-doc, linux-mm, gregkh, tglx, mingo, bp,
dave.hansen, x86, hpa, rafael, dakr, bartosz.golaszewski,
cw00.choi, myungjoo.ham, yesanishhere, Jonathan.Cameron,
quic_zijuhu, aleksander.lobakin, ira.weiny, andriy.shevchenko,
leon, lukas, bhelgaas, wagi, djeffery, stuart.w.hayes, ptyadav,
lennart, brauner, linux-api, linux-fsdevel, saeedm, ajayachandra,
jgg, parav, leonro, witu, hughd, skhawaja, chrisl
In-Reply-To: <20251107210526.257742-7-pasha.tatashin@soleen.com>
On Fri, Nov 07, 2025 at 04:03:04PM -0500, Pasha Tatashin wrote:
> Introduce concept of "Live Update Sessions" within the LUO framework.
> LUO sessions provide a mechanism to group and manage `struct file *`
> instances (representing file descriptors) that need to be preserved
> across a kexec-based live update.
>
> Each session is identified by a unique name and acts as a container
> for file objects whose state is critical to a userspace workload, such
> as a virtual machine or a high-performance database, aiming to maintain
> their functionality across a kernel transition.
>
> This groundwork establishes the framework for preserving file-backed
> state across kernel updates, with the actual file data preservation
> mechanisms to be implemented in subsequent patches.
>
> Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
> ---
> include/linux/liveupdate/abi/luo.h | 81 ++++++
> include/uapi/linux/liveupdate.h | 3 +
> kernel/liveupdate/Makefile | 3 +-
> kernel/liveupdate/luo_core.c | 9 +
> kernel/liveupdate/luo_internal.h | 39 +++
> kernel/liveupdate/luo_session.c | 405 +++++++++++++++++++++++++++++
> 6 files changed, 539 insertions(+), 1 deletion(-)
> create mode 100644 kernel/liveupdate/luo_session.c
>
> diff --git a/include/linux/liveupdate/abi/luo.h b/include/linux/liveupdate/abi/luo.h
> index 9483a294287f..37b9fecef3f7 100644
> --- a/include/linux/liveupdate/abi/luo.h
> +++ b/include/linux/liveupdate/abi/luo.h
> @@ -28,6 +28,11 @@
> * / {
> * compatible = "luo-v1";
> * liveupdate-number = <...>;
> + *
> + * luo-session {
> + * compatible = "luo-session-v1";
> + * luo-session-head = <phys_addr_of_session_head_ser>;
> + * };
> * };
> *
> * Main LUO Node (/):
> @@ -36,11 +41,37 @@
> * Identifies the overall LUO ABI version.
> * - liveupdate-number: u64
> * A counter tracking the number of successful live updates performed.
> + *
> + * Session Node (luo-session):
> + * This node describes all preserved user-space sessions.
> + *
> + * - compatible: "luo-session-v1"
> + * Identifies the session ABI version.
> + * - luo-session-head: u64
> + * The physical address of a `struct luo_session_head_ser`. This structure is
> + * the header for a contiguous block of memory containing an array of
> + * `struct luo_session_ser`, one for each preserved session.
> + *
> + * Serialization Structures:
> + * The FDT properties point to memory regions containing arrays of simple,
> + * `__packed` structures. These structures contain the actual preserved state.
> + *
> + * - struct luo_session_head_ser:
> + * Header for the session array. Contains the total page count of the
> + * preserved memory block and the number of `struct luo_session_ser`
> + * entries that follow.
> + *
> + * - struct luo_session_ser:
> + * Metadata for a single session, including its name and a physical pointer
> + * to another preserved memory block containing an array of
> + * `struct luo_file_ser` for all files in that session.
> */
>
> #ifndef _LINUX_LIVEUPDATE_ABI_LUO_H
> #define _LINUX_LIVEUPDATE_ABI_LUO_H
>
> +#include <uapi/linux/liveupdate.h>
> +
> /*
> * The LUO FDT hooks all LUO state for sessions, fds, etc.
> * In the root it allso carries "liveupdate-number" 64-bit property that
> @@ -51,4 +82,54 @@
> #define LUO_FDT_COMPATIBLE "luo-v1"
> #define LUO_FDT_LIVEUPDATE_NUM "liveupdate-number"
>
> +/*
> + * LUO FDT session node
> + * LUO_FDT_SESSION_HEAD: is a u64 physical address of struct
> + * luo_session_head_ser
> + */
> +#define LUO_FDT_SESSION_NODE_NAME "luo-session"
> +#define LUO_FDT_SESSION_COMPATIBLE "luo-session-v1"
> +#define LUO_FDT_SESSION_HEAD "luo-session-head"
> +
> +/**
> + * struct luo_session_head_ser - Header for the serialized session data block.
> + * @pgcnt: The total size, in pages, of the entire preserved memory block
> + * that this header describes.
> + * @count: The number of 'struct luo_session_ser' entries that immediately
> + * follow this header in the memory block.
> + *
> + * This structure is located at the beginning of a contiguous block of
> + * physical memory preserved across the kexec. It provides the necessary
> + * metadata to interpret the array of session entries that follow.
> + */
> +struct luo_session_head_ser {
> + u64 pgcnt;
> + u64 count;
> +} __packed;
> +
> +/**
> + * struct luo_session_ser - Represents the serialized metadata for a LUO session.
> + * @name: The unique name of the session, copied from the `luo_session`
> + * structure.
> + * @files: The physical address of a contiguous memory block that holds
> + * the serialized state of files.
> + * @pgcnt: The number of pages occupied by the `files` memory block.
> + * @count: The total number of files that were part of this session during
> + * serialization. Used for iteration and validation during
> + * restoration.
> + *
> + * This structure is used to package session-specific metadata for transfer
> + * between kernels via Kexec Handover. An array of these structures (one per
> + * session) is created and passed to the new kernel, allowing it to reconstruct
> + * the session context.
> + *
> + * If this structure is modified, LUO_SESSION_COMPATIBLE must be updated.
> + */
> +struct luo_session_ser {
> + char name[LIVEUPDATE_SESSION_NAME_LENGTH];
> + u64 files;
> + u64 pgcnt;
> + u64 count;
> +} __packed;
> +
> #endif /* _LINUX_LIVEUPDATE_ABI_LUO_H */
> diff --git a/include/uapi/linux/liveupdate.h b/include/uapi/linux/liveupdate.h
> index df34c1642c4d..d2ef2f7e0dbd 100644
> --- a/include/uapi/linux/liveupdate.h
> +++ b/include/uapi/linux/liveupdate.h
> @@ -43,4 +43,7 @@
> /* The ioctl type, documented in ioctl-number.rst */
> #define LIVEUPDATE_IOCTL_TYPE 0xBA
>
> +/* The maximum length of session name including null termination */
> +#define LIVEUPDATE_SESSION_NAME_LENGTH 56
Out of curiosity, why 56? :)
> +
> #endif /* _UAPI_LIVEUPDATE_H */
> diff --git a/kernel/liveupdate/Makefile b/kernel/liveupdate/Makefile
> index 413722002b7a..83285e7ad726 100644
> --- a/kernel/liveupdate/Makefile
> +++ b/kernel/liveupdate/Makefile
> @@ -2,7 +2,8 @@
>
> luo-y := \
> luo_core.o \
> - luo_ioctl.o
> + luo_ioctl.o \
> + luo_session.o
>
> obj-$(CONFIG_KEXEC_HANDOVER) += kexec_handover.o
> obj-$(CONFIG_KEXEC_HANDOVER_DEBUG) += kexec_handover_debug.o
> diff --git a/kernel/liveupdate/luo_core.c b/kernel/liveupdate/luo_core.c
> index c1bd236bccb0..83257ab93ebb 100644
> --- a/kernel/liveupdate/luo_core.c
> +++ b/kernel/liveupdate/luo_core.c
> @@ -116,6 +116,10 @@ static int __init luo_early_startup(void)
> pr_info("Retrieved live update data, liveupdate number: %lld\n",
> luo_global.liveupdate_num);
>
> + err = luo_session_setup_incoming(luo_global.fdt_in);
> + if (err)
> + return err;
> +
> return 0;
> }
>
> @@ -149,6 +153,7 @@ static int __init luo_fdt_setup(void)
> err |= fdt_begin_node(fdt_out, "");
> err |= fdt_property_string(fdt_out, "compatible", LUO_FDT_COMPATIBLE);
> err |= fdt_property(fdt_out, LUO_FDT_LIVEUPDATE_NUM, &ln, sizeof(ln));
> + err |= luo_session_setup_outgoing(fdt_out);
> err |= fdt_end_node(fdt_out);
> err |= fdt_finish(fdt_out);
> if (err)
> @@ -202,6 +207,10 @@ int liveupdate_reboot(void)
> if (!liveupdate_enabled())
> return 0;
>
> + err = luo_session_serialize();
> + if (err)
> + return err;
> +
> err = kho_finalize();
> if (err) {
> pr_err("kho_finalize failed %d\n", err);
> diff --git a/kernel/liveupdate/luo_internal.h b/kernel/liveupdate/luo_internal.h
> index 29f47a69be0b..b4f2d1443c76 100644
> --- a/kernel/liveupdate/luo_internal.h
> +++ b/kernel/liveupdate/luo_internal.h
> @@ -14,4 +14,43 @@ void *luo_alloc_preserve(size_t size);
> void luo_free_unpreserve(void *mem, size_t size);
> void luo_free_restore(void *mem, size_t size);
>
> +/**
> + * struct luo_session - Represents an active or incoming Live Update session.
> + * @name: A unique name for this session, used for identification and
> + * retrieval.
> + * @files_list: An ordered list of files associated with this session, it is
> + * ordered by preservation time.
> + * @ser: Pointer to the serialized data for this session.
> + * @count: A counter tracking the number of files currently stored in the
> + * @files_xa for this session.
^@files_list
> + * @list: A list_head member used to link this session into a global list
> + * of either outgoing (to be preserved) or incoming (restored from
> + * previous kernel) sessions.
> + * @retrieved: A boolean flag indicating whether this session has been
> + * retrieved by a consumer in the new kernel.
> + * @mutex: Session lock, protects files_list, and count.
> + * @files: The physically contiguous memory block that holds the serialized
> + * state of files.
> + * @pgcnt: The number of pages files occupy.
^ @files
> + */
> +struct luo_session {
> + char name[LIVEUPDATE_SESSION_NAME_LENGTH];
> + struct list_head files_list;
> + struct luo_session_ser *ser;
> + long count;
> + struct list_head list;
> + bool retrieved;
> + struct mutex mutex;
> + struct luo_file_ser *files;
> + u64 pgcnt;
> +};
> +
> +int luo_session_create(const char *name, struct file **filep);
> +int luo_session_retrieve(const char *name, struct file **filep);
> +int __init luo_session_setup_outgoing(void *fdt);
> +int __init luo_session_setup_incoming(void *fdt);
> +int luo_session_serialize(void);
> +int luo_session_deserialize(void);
The last four deal with all the sessions, maybe use plural in the function
names.
> +bool luo_session_is_deserialized(void);
> +
> #endif /* _LINUX_LUO_INTERNAL_H */
> diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
> new file mode 100644
> index 000000000000..a3513118aa74
> --- /dev/null
> +++ b/kernel/liveupdate/luo_session.c
> @@ -0,0 +1,405 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +/*
> + * Copyright (c) 2025, Google LLC.
> + * Pasha Tatashin <pasha.tatashin@soleen.com>
> + */
> +
> +/**
> + * DOC: LUO Sessions
> + *
> + * LUO Sessions provide the core mechanism for grouping and managing `struct
> + * file *` instances that need to be preserved across a kexec-based live
> + * update. Each session acts as a named container for a set of file objects,
> + * allowing a userspace agent to manage the lifecycle of resources critical to a
> + * workload.
> + *
> + * Core Concepts:
> + *
> + * - Named Containers: Sessions are identified by a unique, user-provided name,
> + * which is used for both creation in the current kernel and retrieval in the
> + * next kernel.
> + *
> + * - Userspace Interface: Session management is driven from userspace via
> + * ioctls on /dev/liveupdate.
> + *
> + * - Serialization: Session metadata is preserved using the KHO framework. When
> + * a live update is triggered via kexec, an array of `struct luo_session_ser`
> + * is populated and placed in a preserved memory region. An FDT node is also
> + * created, containing the count of sessions and the physical address of this
> + * array.
> + *
> + * Session Lifecycle:
> + *
> + * 1. Creation: A userspace agent calls `luo_session_create()` to create a
> + * new, empty session and receives a file descriptor for it.
> + *
> + * 2. Serialization: When the `reboot(LINUX_REBOOT_CMD_KEXEC)` syscall is
> + * made, `luo_session_serialize()` is called. It iterates through all
> + * active sessions and writes their metadata into a memory area preserved
> + * by KHO.
> + *
> + * 3. Deserialization (in new kernel): After kexec, `luo_session_deserialize()`
> + * runs, reading the serialized data and creating a list of `struct
> + * luo_session` objects representing the preserved sessions.
> + *
> + * 4. Retrieval: A userspace agent in the new kernel can then call
> + * `luo_session_retrieve()` with a session name to get a new file
> + * descriptor and access the preserved state.
> + */
> +
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +#include <linux/anon_inodes.h>
> +#include <linux/errno.h>
> +#include <linux/file.h>
> +#include <linux/fs.h>
> +#include <linux/libfdt.h>
> +#include <linux/liveupdate.h>
> +#include <linux/liveupdate/abi/luo.h>
> +#include <uapi/linux/liveupdate.h>
> +#include "luo_internal.h"
> +
> +/* 16 4K pages, give space for 819 sessions */
> +#define LUO_SESSION_PGCNT 16ul
> +#define LUO_SESSION_MAX (((LUO_SESSION_PGCNT << PAGE_SHIFT) - \
> + sizeof(struct luo_session_head_ser)) / \
> + sizeof(struct luo_session_ser))
> +
> +/**
> + * struct luo_session_head - Head struct for managing LUO sessions.
Head of what? ;-)
Maybe luo_session_list? Or even luo_sessions?
> + * @count: The number of sessions currently tracked in the @list.
> + * @list: The head of the linked list of `struct luo_session` instances.
> + * @rwsem: A read-write semaphore providing synchronized access to the
> + * session list and other fields in this structure.
> + * @head_ser: The head data of serialization array.
^ header?
> + * @ser: The serialized session data (an array of
> + * `struct luo_session_ser`).
> + * @active: Set to true when first initialized. If previous kernel did not
> + * send session data, active stays false for incoming.
> + */
> +struct luo_session_head {
> + long count;
> + struct list_head list;
> + struct rw_semaphore rwsem;
> + struct luo_session_head_ser *head_ser;
> + struct luo_session_ser *ser;
> + bool active;
> +};
> +
> +/**
> + * struct luo_session_global - Global container for managing LUO sessions.
> + * @incoming: The sessions passed from the previous kernel.
> + * @outgoing: The sessions that are going to be passed to the next kernel.
> + * @deserialized: The sessions have been deserialized once /dev/liveupdate
> + * has been opened.
> + */
> +struct luo_session_global {
> + struct luo_session_head incoming;
> + struct luo_session_head outgoing;
> + bool deserialized;
> +} luo_session_global;
Should be static. And frankly, I don't think grouping two global variables
into a struct gains much.
static struct luo_sessions luo_sessions_incoming;
static struct luo_sessions luo_sessions_outgoing;
reads clearer to me.
> +
> +static struct luo_session *luo_session_alloc(const char *name)
> +{
> + struct luo_session *session = kzalloc(sizeof(*session), GFP_KERNEL);
> +
> + if (!session)
> + return NULL;
> +
> + strscpy(session->name, name, sizeof(session->name));
> + INIT_LIST_HEAD(&session->files_list);
> + session->count = 0;
I'd move this after mutex_init(), a bit more readable IMHO.
> + INIT_LIST_HEAD(&session->list);
> + mutex_init(&session->mutex);
> +
> + return session;
> +}
> +
> +static void luo_session_free(struct luo_session *session)
> +{
> + WARN_ON(session->count);
> + WARN_ON(!list_empty(&session->files_list));
> + mutex_destroy(&session->mutex);
> + kfree(session);
> +}
> +
> +static int luo_session_insert(struct luo_session_head *sh,
> + struct luo_session *session)
> +{
> + struct luo_session *it;
> +
> + guard(rwsem_write)(&sh->rwsem);
> +
> + /*
> + * For outgoing we should make sure there is room in serialization array
> + * for new session.
> + */
> + if (sh == &luo_session_global.outgoing) {
> + if (sh->count == LUO_SESSION_MAX)
> + return -ENOMEM;
> + }
Not a big deal, but this could be outside the guard().
> +
> + /*
> + * For small number of sessions this loop won't hurt performance
> + * but if we ever start using a lot of sessions, this might
> + * become a bottle neck during deserialization time, as it would
> + * cause O(n*n) complexity.
> + */
The loop is always O(n*n) in the worst case, no matter how many sessions
there are ;-)
> + list_for_each_entry(it, &sh->list, list) {
> + if (!strncmp(it->name, session->name, sizeof(it->name)))
> + return -EEXIST;
> + }
> + list_add_tail(&session->list, &sh->list);
> + sh->count++;
> +
> + return 0;
> +}
> +
> +static void luo_session_remove(struct luo_session_head *sh,
> + struct luo_session *session)
> +{
> + guard(rwsem_write)(&sh->rwsem);
> + list_del(&session->list);
> + sh->count--;
> +}
> +
> +static int luo_session_release(struct inode *inodep, struct file *filep)
> +{
> + struct luo_session *session = filep->private_data;
> + struct luo_session_head *sh;
> +
> + /* If retrieved is set, it means this session is from incoming list */
> + if (session->retrieved)
> + sh = &luo_session_global.incoming;
> + else
> + sh = &luo_session_global.outgoing;
Maybe just add a backpointer to the list to struct luo_session?
> +
> + luo_session_remove(sh, session);
> + luo_session_free(session);
> +
> + return 0;
> +}
> +
> +static const struct file_operations luo_session_fops = {
> + .owner = THIS_MODULE,
> + .release = luo_session_release,
> +};
> +
> +/* Create a "struct file" for session */
> +static int luo_session_getfile(struct luo_session *session, struct file **filep)
> +{
> + char name_buf[128];
> + struct file *file;
> +
> + guard(mutex)(&session->mutex);
> + snprintf(name_buf, sizeof(name_buf), "[luo_session] %s", session->name);
> + file = anon_inode_getfile(name_buf, &luo_session_fops, session, O_RDWR);
> + if (IS_ERR(file))
> + return PTR_ERR(file);
> +
> + *filep = file;
> +
> + return 0;
> +}
> +
> +int luo_session_create(const char *name, struct file **filep)
> +{
> + struct luo_session *session;
> + int err;
> +
> + session = luo_session_alloc(name);
> + if (!session)
> + return -ENOMEM;
> +
> + err = luo_session_insert(&luo_session_global.outgoing, session);
> + if (err) {
> + luo_session_free(session);
> + return err;
Please goto err_free
> + }
> +
> + err = luo_session_getfile(session, filep);
> + if (err) {
> + luo_session_remove(&luo_session_global.outgoing, session);
> + luo_session_free(session);
and goto err_remove
> + }
> +
> + return err;
> +}
> +
> +int luo_session_retrieve(const char *name, struct file **filep)
> +{
> + struct luo_session_head *sh = &luo_session_global.incoming;
> + struct luo_session *session = NULL;
> + struct luo_session *it;
> + int err;
> +
> + scoped_guard(rwsem_read, &sh->rwsem) {
> + list_for_each_entry(it, &sh->list, list) {
> + if (!strncmp(it->name, name, sizeof(it->name))) {
> + session = it;
> + break;
> + }
> + }
> + }
> +
> + if (!session)
> + return -ENOENT;
> +
> + scoped_guard(mutex, &session->mutex) {
> + if (session->retrieved)
> + return -EINVAL;
> + }
> +
> + err = luo_session_getfile(session, filep);
> + if (!err) {
> + scoped_guard(mutex, &session->mutex)
> + session->retrieved = true;
> + }
> +
> + return err;
> +}
> +
> +int __init luo_session_setup_outgoing(void *fdt_out)
> +{
> + struct luo_session_head_ser *head_ser;
> + u64 head_ser_pa;
> + int err;
> +
> + head_ser = luo_alloc_preserve(LUO_SESSION_PGCNT << PAGE_SHIFT);
> + if (IS_ERR(head_ser))
> + return PTR_ERR(head_ser);
> + head_ser_pa = __pa(head_ser);
virt_to_phys please
> +
> + err = fdt_begin_node(fdt_out, LUO_FDT_SESSION_NODE_NAME);
> + err |= fdt_property_string(fdt_out, "compatible",
> + LUO_FDT_SESSION_COMPATIBLE);
> + err |= fdt_property(fdt_out, LUO_FDT_SESSION_HEAD, &head_ser_pa,
> + sizeof(head_ser_pa));
> + err |= fdt_end_node(fdt_out);
> +
> + if (err)
> + goto err_unpreserve;
> +
> + head_ser->pgcnt = LUO_SESSION_PGCNT;
> + INIT_LIST_HEAD(&luo_session_global.outgoing.list);
> + init_rwsem(&luo_session_global.outgoing.rwsem);
> + luo_session_global.outgoing.head_ser = head_ser;
> + luo_session_global.outgoing.ser = (void *)(head_ser + 1);
> + luo_session_global.outgoing.active = true;
> +
> + return 0;
> +
> +err_unpreserve:
> + luo_free_unpreserve(head_ser, LUO_SESSION_PGCNT << PAGE_SHIFT);
> + return err;
> +}
> +
> +int __init luo_session_setup_incoming(void *fdt_in)
> +{
> + struct luo_session_head_ser *head_ser;
> + int err, head_size, offset;
> + const void *ptr;
> + u64 head_ser_pa;
> +
> + offset = fdt_subnode_offset(fdt_in, 0, LUO_FDT_SESSION_NODE_NAME);
> + if (offset < 0) {
> + pr_err("Unable to get session node: [%s]\n",
> + LUO_FDT_SESSION_NODE_NAME);
> + return -EINVAL;
> + }
> +
> + err = fdt_node_check_compatible(fdt_in, offset,
> + LUO_FDT_SESSION_COMPATIBLE);
> + if (err) {
> + pr_err("Session node incompatibale [%s]\n",
> + LUO_FDT_SESSION_COMPATIBLE);
> + return -EINVAL;
> + }
> +
> + head_size = 0;
> + ptr = fdt_getprop(fdt_in, offset, LUO_FDT_SESSION_HEAD, &head_size);
> + if (!ptr || head_size != sizeof(u64)) {
> + pr_err("Unable to get session head '%s' [%d]\n",
> + LUO_FDT_SESSION_HEAD, head_size);
> + return -EINVAL;
> + }
> +
> + memcpy(&head_ser_pa, ptr, sizeof(u64));
> + head_ser = __va(head_ser_pa);
> +
> + luo_session_global.incoming.head_ser = head_ser;
> + luo_session_global.incoming.ser = (void *)(head_ser + 1);
> + INIT_LIST_HEAD(&luo_session_global.incoming.list);
> + init_rwsem(&luo_session_global.incoming.rwsem);
> + luo_session_global.incoming.active = true;
> +
> + return 0;
> +}
> +
> +bool luo_session_is_deserialized(void)
> +{
> + return luo_session_global.deserialized;
> +}
> +
> +int luo_session_deserialize(void)
> +{
> + struct luo_session_head *sh = &luo_session_global.incoming;
> +
> + if (luo_session_is_deserialized())
> + return 0;
> +
> + luo_session_global.deserialized = true;
Shouldn't this be set after deserialization succeeded?
> + if (!sh->active) {
> + INIT_LIST_HEAD(&sh->list);
> + init_rwsem(&sh->rwsem);
> + return 0;
> + }
> +
> + for (int i = 0; i < sh->head_ser->count; i++) {
> + struct luo_session *session;
> +
> + session = luo_session_alloc(sh->ser[i].name);
> + if (!session) {
> + pr_warn("Failed to allocate session [%s] during deserialization\n",
> + sh->ser[i].name);
> + return -ENOMEM;
> + }
> +
> + if (luo_session_insert(sh, session)) {
> + pr_warn("Failed to insert session due to name conflict [%s]\n",
> + session->name);
> + return -EEXIST;
Need to free allocated sessions if an insert fails.
> + }
> +
> + session->count = sh->ser[i].count;
> + session->files = __va(sh->ser[i].files);
> + session->pgcnt = sh->ser[i].pgcnt;
> + }
> +
> + luo_free_restore(sh->head_ser, sh->head_ser->pgcnt << PAGE_SHIFT);
> + sh->head_ser = NULL;
> + sh->ser = NULL;
> +
> + return 0;
> +}
> +
> +int luo_session_serialize(void)
> +{
> + struct luo_session_head *sh = &luo_session_global.outgoing;
> + struct luo_session *session;
> + int i = 0;
> +
> + guard(rwsem_write)(&sh->rwsem);
> + list_for_each_entry(session, &sh->list, list) {
> + strscpy(sh->ser[i].name, session->name,
> + sizeof(sh->ser[i].name));
> + sh->ser[i].count = session->count;
> + sh->ser[i].files = __pa(session->files);
> + sh->ser[i].pgcnt = session->pgcnt;
> + i++;
> + }
> + sh->head_ser->count = sh->count;
> +
> + return 0;
> +}
> --
> 2.51.2.1041.gc1ab5b90ca-goog
>
>
--
Sincerely yours,
Mike.
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox