Re: [PATCH v3 03/10] liveupdate: Protect file handler list with rwsem

[Samiullah Khawaja <skhawaja@google.com>]

On Fri, Mar 27, 2026 at 03:33:27AM +0000, Pasha Tatashin wrote:
>Because liveupdate file handlers will no longer hold a module reference
>when registered, we must ensure that the access to the handler list is
>protected against concurrent module unloading.

Nit: Here we make an assumption that the file (and flb) handler
lifecycle is bound with the module lifecycle. It is a fair assumption,
but maybe this can be documented somewhere?
>
>Utilize the global luo_register_rwlock to protect the global registry of
>file handlers. Read locks are taken during list traversals in
>luo_preserve_file() and luo_file_deserialize(). Write locks are taken
>during registration and unregistration.
>
>Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
>---
> kernel/liveupdate/luo_core.c     |  6 ++++++
> kernel/liveupdate/luo_file.c     | 22 +++++++++++++++++-----
> kernel/liveupdate/luo_internal.h |  2 ++
> 3 files changed, 25 insertions(+), 5 deletions(-)
>
>diff --git a/kernel/liveupdate/luo_core.c b/kernel/liveupdate/luo_core.c
>index dda7bb57d421..f9ae9364a962 100644
>--- a/kernel/liveupdate/luo_core.c
>+++ b/kernel/liveupdate/luo_core.c
>@@ -54,6 +54,7 @@
> #include <linux/liveupdate.h>
> #include <linux/miscdevice.h>
> #include <linux/mm.h>
>+#include <linux/rwsem.h>
> #include <linux/sizes.h>
> #include <linux/string.h>
> #include <linux/unaligned.h>
>@@ -68,6 +69,11 @@ static struct {
> 	u64 liveupdate_num;
> } luo_global;
>
>+/*
>+ * luo_register_rwlock - Protects registration of file handlers and FLBs.
>+ */
>+DECLARE_RWSEM(luo_register_rwlock);
>+
> static int __init early_liveupdate_param(char *buf)
> {
> 	return kstrtobool(buf, &luo_global.enabled);
>diff --git a/kernel/liveupdate/luo_file.c b/kernel/liveupdate/luo_file.c
>index a6d98fc75d25..4aea17a94b4f 100644
>--- a/kernel/liveupdate/luo_file.c
>+++ b/kernel/liveupdate/luo_file.c
>@@ -277,12 +277,14 @@ int luo_preserve_file(struct luo_file_set *file_set, u64 token, int fd)
> 		goto  err_fput;
>
> 	err = -ENOENT;
>+	down_read(&luo_register_rwlock);
> 	list_private_for_each_entry(fh, &luo_file_handler_list, list) {
> 		if (fh->ops->can_preserve(fh, file)) {
> 			err = 0;
> 			break;
> 		}
> 	}
>+	up_read(&luo_register_rwlock);

We took the read lock here when running can_preserve, but then we use
the fh without taking the lock later before calling file_preserve. This
is safe since the module reference is taken and fh will not go away
(based on the assumption I mentioned above). Maybe add a comment here
that documents this assumption.
>
> 	/* err is still -ENOENT if no handler was found */
> 	if (err)
>@@ -777,12 +779,14 @@ int luo_file_deserialize(struct luo_file_set *file_set,
> 		bool handler_found = false;
> 		struct luo_file *luo_file;
>
>+		down_read(&luo_register_rwlock);
> 		list_private_for_each_entry(fh, &luo_file_handler_list, list) {
> 			if (!strcmp(fh->compatible, file_ser[i].compatible)) {
> 				handler_found = true;
> 				break;
> 			}
> 		}
>+		up_read(&luo_register_rwlock);
>
> 		if (!handler_found) {
> 			pr_warn("No registered handler for compatible '%.*s'\n",
>@@ -851,32 +855,36 @@ int liveupdate_register_file_handler(struct liveupdate_file_handler *fh)
> 	if (!luo_session_quiesce())
> 		return -EBUSY;
>
>+	down_write(&luo_register_rwlock);
> 	/* Check for duplicate compatible strings */
> 	list_private_for_each_entry(fh_iter, &luo_file_handler_list, list) {
> 		if (!strcmp(fh_iter->compatible, fh->compatible)) {
> 			pr_err("File handler registration failed: Compatible string '%s' already registered.\n",
> 			       fh->compatible);
> 			err = -EEXIST;
>-			goto err_resume;
>+			goto err_unlock;
> 		}
> 	}
>
> 	/* Pin the module implementing the handler */
> 	if (!try_module_get(fh->ops->owner)) {
> 		err = -EAGAIN;
>-		goto err_resume;
>+		goto err_unlock;
> 	}
>
> 	INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, flb_list));
> 	INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, list));
> 	list_add_tail(&ACCESS_PRIVATE(fh, list), &luo_file_handler_list);
>+	up_write(&luo_register_rwlock);
>+
> 	luo_session_resume();
>
> 	liveupdate_test_register(fh);
>
> 	return 0;
>
>-err_resume:
>+err_unlock:
>+	up_write(&luo_register_rwlock);
> 	luo_session_resume();
> 	return err;
> }
>@@ -910,16 +918,20 @@ int liveupdate_unregister_file_handler(struct liveupdate_file_handler *fh)
> 	if (!luo_session_quiesce())
> 		goto err_register;
>
>+	down_write(&luo_register_rwlock);
> 	if (!list_empty(&ACCESS_PRIVATE(fh, flb_list)))
>-		goto err_resume;
>+		goto err_unlock;
>
> 	list_del(&ACCESS_PRIVATE(fh, list));
>+	up_write(&luo_register_rwlock);
>+
> 	module_put(fh->ops->owner);
> 	luo_session_resume();
>
> 	return 0;
>
>-err_resume:
>+err_unlock:
>+	up_write(&luo_register_rwlock);
> 	luo_session_resume();
> err_register:
> 	liveupdate_test_register(fh);
>diff --git a/kernel/liveupdate/luo_internal.h b/kernel/liveupdate/luo_internal.h
>index 8083d8739b09..4bfe00ac8866 100644
>--- a/kernel/liveupdate/luo_internal.h
>+++ b/kernel/liveupdate/luo_internal.h
>@@ -77,6 +77,8 @@ struct luo_session {
> 	struct mutex mutex;
> };
>
>+extern struct rw_semaphore luo_register_rwlock;
>+
> int luo_session_create(const char *name, struct file **filep);
> int luo_session_retrieve(const char *name, struct file **filep);
> int __init luo_session_setup_outgoing(void *fdt);
>-- 
>2.43.0
>