[PATCH v1 0/3] liveupdate: serialization safety and race fixes

[PATCH v1 0/3] liveupdate: serialization safety and race fixes

[Pasha Tatashin]

This series addresses several issues related to the synchronization between
the reboot process and LUO session management.

1. Skip serialization for context-preserving kexec:
   A preserve_context kexec returns to the current kernel, which is
   unrelated to live update where state is passed to the next kernel.
   Skipping serialization avoids unnecessary work and prevents sessions
   from being left in a frozen state upon return.

2. Block session mutations during serialization:
   Once serialization has started, no new outgoing session mutations
   (creations or file preservations) should occur. A 'rebooting' flag
   is introduced to ensure this.

3. Pin sessions and handle inactive ones:
   Ensures that outgoing sessions are pinned by taking a reference to
   their struct file during serialization. This prevents race conditions
   where a user process might close a session while it is being
   serialized. Inactive sessions are cleaned up and removed.

Tree: git.kernel.org/pub/scm/linux/kernel/git/tatashin/linux.git
Branch: luo-reboot-sync/v1

Pasha Tatashin (3):
  liveupdate: skip serialization for context-preserving kexec
  liveupdate: block outgoing session mutations during serialization
  liveupdate: pin sessions and handle inactive ones during serialization

 kernel/kexec_core.c              |  8 +--
 kernel/liveupdate/luo_internal.h |  1 +
 kernel/liveupdate/luo_session.c  | 90 ++++++++++++++++++++++++++++++--
 3 files changed, 91 insertions(+), 8 deletions(-)


base-commit: 7b0b68b2b95606e65594958686833e53423f58f2
-- 
2.54.0.545.g6539524ca2-goog

[PATCH v1 1/3] liveupdate: skip serialization for context-preserving kexec

[Pasha Tatashin]

A preserve_context kexec returns to the current kernel, which
is unrelated to live update where the state is passed to the next
kernel. Skip liveupdate_reboot() in this case to avoid serialization
and prevent sessions from being left in a frozen state upon return.

Fixes: db8bed8082dc ("kexec: call liveupdate_reboot() before kexec")
Reported-by: Oskar Gerlicz Kowalczuk <oskar@gerlicz.space>
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
 kernel/kexec_core.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index a43d2da0fe3e..dc770b9a6d05 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -1146,9 +1146,11 @@ int kernel_kexec(void)
 		goto Unlock;
 	}
 
-	error = liveupdate_reboot();
-	if (error)
-		goto Unlock;
+	if (!kexec_image->preserve_context) {
+		error = liveupdate_reboot();
+		if (error)
+			goto Unlock;
+	}
 
 #ifdef CONFIG_KEXEC_JUMP
 	if (kexec_image->preserve_context) {
-- 
2.54.0.545.g6539524ca2-goog

Re: [PATCH v1 1/3] liveupdate: skip serialization for context-preserving kexec

[Pratyush Yadav]

Hi Pasha,

On Wed, May 06 2026, Pasha Tatashin wrote:

> A preserve_context kexec returns to the current kernel, which
> is unrelated to live update where the state is passed to the next
> kernel. Skip liveupdate_reboot() in this case to avoid serialization
> and prevent sessions from being left in a frozen state upon return.

Should we also stop KHO? Now it is stateless and always finalized. I am
not sure how these kexec jump images will interact with KHO data, but
seems like we shouldn't be handing over memory if the image will jump
back.

Anyway, for this patch:

Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org>

>
> Fixes: db8bed8082dc ("kexec: call liveupdate_reboot() before kexec")
> Reported-by: Oskar Gerlicz Kowalczuk <oskar@gerlicz.space>
> Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
[...]

-- 
Regards,
Pratyush Yadav

Re: [PATCH v1 1/3] liveupdate: skip serialization for context-preserving kexec

[Pasha Tatashin]

On 05-06 10:31, Pratyush Yadav wrote:
> Hi Pasha,
> 
> On Wed, May 06 2026, Pasha Tatashin wrote:
> 
> > A preserve_context kexec returns to the current kernel, which
> > is unrelated to live update where the state is passed to the next
> > kernel. Skip liveupdate_reboot() in this case to avoid serialization
> > and prevent sessions from being left in a frozen state upon return.
> 
> Should we also stop KHO? Now it is stateless and always finalized. I am

No. KHO preserves kernel internal memory; for context-preserved 
kexec, the 2nd kernel and the 1st kernel do not have overlapping 
memory. So, whatever the 1st kernel maintains in KHO is an internal 
detail of the 1st kernel. Once we return from the 2nd kernel to the 1st 
kernel, all KHO memory is going to stay as-is, and the 1st kernel can 
even perform a regular kexec or live update later.

Pasha

> not sure how these kexec jump images will interact with KHO data, but
> seems like we shouldn't be handing over memory if the image will jump
> back.
> 
> Anyway, for this patch:
> 
> Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org>
> 
> >
> > Fixes: db8bed8082dc ("kexec: call liveupdate_reboot() before kexec")
> > Reported-by: Oskar Gerlicz Kowalczuk <oskar@gerlicz.space>
> > Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
> [...]
> 
> -- 
> Regards,
> Pratyush Yadav

Re: [PATCH v1 1/3] liveupdate: skip serialization for context-preserving kexec

[Pratyush Yadav]

On Wed, May 06 2026, Pasha Tatashin wrote:

> On 05-06 10:31, Pratyush Yadav wrote:
>> Hi Pasha,
>> 
>> On Wed, May 06 2026, Pasha Tatashin wrote:
>> 
>> > A preserve_context kexec returns to the current kernel, which
>> > is unrelated to live update where the state is passed to the next
>> > kernel. Skip liveupdate_reboot() in this case to avoid serialization
>> > and prevent sessions from being left in a frozen state upon return.
>> 
>> Should we also stop KHO? Now it is stateless and always finalized. I am
>
> No. KHO preserves kernel internal memory; for context-preserved 
> kexec, the 2nd kernel and the 1st kernel do not have overlapping 
> memory. So, whatever the 1st kernel maintains in KHO is an internal 
> detail of the 1st kernel. Once we return from the 2nd kernel to the 1st 
> kernel, all KHO memory is going to stay as-is, and the 1st kernel can 
> even perform a regular kexec or live update later.

My point is that we keep KHO data in the 1st kernel but do not pass it
to the 2nd kernel via setup_data or the devicetree because it should not
use that memory anyway. So essentially we add a check in
kho_fill_kimage() and return early if preserve_context is set.

I don't think it makes much difference in practice so no strong
opinions. Fine either way.

[...]

-- 
Regards,
Pratyush Yadav

Re: [PATCH v1 1/3] liveupdate: skip serialization for context-preserving kexec

[Pasha Tatashin]

On 05-06 17:33, Pratyush Yadav wrote:
> On Wed, May 06 2026, Pasha Tatashin wrote:
> 
> > On 05-06 10:31, Pratyush Yadav wrote:
> >> Hi Pasha,
> >> 
> >> On Wed, May 06 2026, Pasha Tatashin wrote:
> >> 
> >> > A preserve_context kexec returns to the current kernel, which
> >> > is unrelated to live update where the state is passed to the next
> >> > kernel. Skip liveupdate_reboot() in this case to avoid serialization
> >> > and prevent sessions from being left in a frozen state upon return.
> >> 
> >> Should we also stop KHO? Now it is stateless and always finalized. I am
> >
> > No. KHO preserves kernel internal memory; for context-preserved 
> > kexec, the 2nd kernel and the 1st kernel do not have overlapping 
> > memory. So, whatever the 1st kernel maintains in KHO is an internal 
> > detail of the 1st kernel. Once we return from the 2nd kernel to the 1st 
> > kernel, all KHO memory is going to stay as-is, and the 1st kernel can 
> > even perform a regular kexec or live update later.
> 
> My point is that we keep KHO data in the 1st kernel but do not pass it
> to the 2nd kernel via setup_data or the devicetree because it should not
> use that memory anyway. So essentially we add a check in
> kho_fill_kimage() and return early if preserve_context is set.

This is a good point, I think we should do that to prevent passing via 
setup_data on preserve_context kexec.

> 
> I don't think it makes much difference in practice so no strong
> opinions. Fine either way.
> 
> [...]
> 
> -- 
> Regards,
> Pratyush Yadav

[PATCH v1 2/3] liveupdate: block outgoing session mutations during serialization

[Pasha Tatashin]

Introduce a 'rebooting' flag in the session header to ensure that once
serialization has started, no new outgoing session mutations (creations
or file preservations) can occur.

Fixes: 0153094d03df ("liveupdate: luo_session: add sessions support")
Reported-by: Oskar Gerlicz Kowalczuk <oskar@gerlicz.space>
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
 kernel/liveupdate/luo_session.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index a3327a28fc1f..996adc995514 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -84,6 +84,7 @@
  * @header_ser: The header data of serialization array.
  * @ser:        The serialized session data (an array of
  *              `struct luo_session_ser`).
+ * @rebooting:  Indicates that the session list is being serialized.
  * @active:     Set to true when first initialized. If previous kernel did not
  *              send session data, active stays false for incoming.
  */
@@ -93,6 +94,7 @@ struct luo_session_header {
 	struct rw_semaphore rwsem;
 	struct luo_session_header_ser *header_ser;
 	struct luo_session_ser *ser;
+	bool rebooting;
 	bool active;
 };
 
@@ -147,6 +149,9 @@ static int luo_session_insert(struct luo_session_header *sh,
 
 	guard(rwsem_write)(&sh->rwsem);
 
+	if (sh->rebooting)
+		return -EBUSY;
+
 	/*
 	 * For outgoing we should make sure there is room in serialization array
 	 * for new session.
@@ -230,10 +235,15 @@ static int luo_session_release(struct inode *inodep, struct file *filep)
 static int luo_session_preserve_fd(struct luo_session *session,
 				   struct luo_ucmd *ucmd)
 {
+	struct luo_session_header *sh = &luo_session_global.outgoing;
 	struct liveupdate_session_preserve_fd *argp = ucmd->cmd;
 	int err;
 
 	guard(mutex)(&session->mutex);
+
+	if (READ_ONCE(sh->rebooting))
+		return -EBUSY;
+
 	err = luo_preserve_file(&session->file_set, argp->token, argp->fd);
 	if (err)
 		return err;
@@ -584,6 +594,8 @@ int luo_session_serialize(void)
 	int err;
 
 	guard(rwsem_write)(&sh->rwsem);
+
+	sh->rebooting = true;
 	list_for_each_entry(session, &sh->list, list) {
 		err = luo_session_freeze_one(session, &sh->ser[i]);
 		if (err)
@@ -598,6 +610,7 @@ int luo_session_serialize(void)
 	return 0;
 
 err_undo:
+	sh->rebooting = false;
 	list_for_each_entry_continue_reverse(session, &sh->list, list) {
 		i--;
 		luo_session_unfreeze_one(session, &sh->ser[i]);
-- 
2.54.0.545.g6539524ca2-goog

Re: [PATCH v1 2/3] liveupdate: block outgoing session mutations during serialization

[Pratyush Yadav]

On Wed, May 06 2026, Pasha Tatashin wrote:

> Introduce a 'rebooting' flag in the session header to ensure that once
> serialization has started, no new outgoing session mutations (creations
> or file preservations) can occur.

Would it be a better idea to hold the session header lock and locks of
each session? This would prevent anyone else from getting access to any
of the sessions, and we don't have to worry about all the weird cases
when one might add a file to a serialized session or something similar.

Once liveupdate_reboot() returns success, there is no going back anyway
so I don't think it matters much that some tasks will be left waiting.

>
> Fixes: 0153094d03df ("liveupdate: luo_session: add sessions support")
> Reported-by: Oskar Gerlicz Kowalczuk <oskar@gerlicz.space>
> Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
[...]

-- 
Regards,
Pratyush Yadav

Re: [PATCH v1 2/3] liveupdate: block outgoing session mutations during serialization

[Pasha Tatashin]

On 05-06 10:47, Pratyush Yadav wrote:
> On Wed, May 06 2026, Pasha Tatashin wrote:
> 
> > Introduce a 'rebooting' flag in the session header to ensure that once
> > serialization has started, no new outgoing session mutations (creations
> > or file preservations) can occur.
> 
> Would it be a better idea to hold the session header lock and locks of
> each session? This would prevent anyone else from getting access to any
> of the sessions, and we don't have to worry about all the weird cases
> when one might add a file to a serialized session or something similar.
> 
> Once liveupdate_reboot() returns success, there is no going back anyway
> so I don't think it matters much that some tasks will be left waiting.

Overall, we can do that. The only possible issue I can think of is that 
we might get some stupid warnings if the shutdown takes too long:

INFO: task ... blocked for more than ... seconds
followed by a call trace.

But that is unlikely, and it also means that userspace has been trying 
to mutate sessions when it should not have, so I think your approach is 
workable. Let me update the implementation.

Pasha

[PATCH v1 3/3] liveupdate: pin sessions and handle inactive ones during serialization

[Pasha Tatashin]

During the reboot() syscall, user processes are still running
concurrently. Even though the system is actively serializing LUO
sessions and will not return to userspace unless liveupdate_reboot()
fails, it is still possible for a user process to close a preserved LUO
session. This creates a race condition where a session could be
destroyed while it is being serialized.

To fix this, we must ensure that we only preserve sessions that are not
closed at the time of serialization. Take a reference to the session's
struct file for all outgoing sessions to pin them during this process.

Handle inactive sessions (where get_file_active() fails) by cleaning
them up and removing them from the outgoing list during the pinning
phase. This ensures serialization can safely proceed with the remaining
active sessions.

Fixes: 0153094d03df ("liveupdate: luo_session: add sessions support")
Reported-by: Oskar Gerlicz Kowalczuk <oskar@gerlicz.space>
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
 kernel/liveupdate/luo_internal.h |  1 +
 kernel/liveupdate/luo_session.c  | 77 +++++++++++++++++++++++++++++---
 2 files changed, 73 insertions(+), 5 deletions(-)

diff --git a/kernel/liveupdate/luo_internal.h b/kernel/liveupdate/luo_internal.h
index 875844d7a41d..1124bab6e0de 100644
--- a/kernel/liveupdate/luo_internal.h
+++ b/kernel/liveupdate/luo_internal.h
@@ -73,6 +73,7 @@ struct luo_session {
 	struct luo_session_ser *ser;
 	struct list_head list;
 	bool retrieved;
+	struct file *file;
 	struct luo_file_set file_set;
 	struct mutex mutex;
 };
diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index 996adc995514..b344b64bbced 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -177,12 +177,27 @@ static int luo_session_insert(struct luo_session_header *sh,
 	return 0;
 }
 
+static void __luo_session_remove(struct luo_session_header *sh,
+				 struct luo_session *session)
+{
+	lockdep_assert_held_write(&sh->rwsem);
+	if (!list_empty(&session->list)) {
+		list_del_init(&session->list);
+		sh->count--;
+	}
+}
+
+static void luo_session_unpreserve_files(struct luo_session *session)
+{
+	scoped_guard(mutex, &session->mutex)
+		luo_file_unpreserve_files(&session->file_set);
+}
+
 static void luo_session_remove(struct luo_session_header *sh,
 			       struct luo_session *session)
 {
-	guard(rwsem_write)(&sh->rwsem);
-	list_del(&session->list);
-	sh->count--;
+	scoped_guard(rwsem_write, &sh->rwsem)
+		__luo_session_remove(sh, session);
 }
 
 static int luo_session_finish_one(struct luo_session *session)
@@ -217,12 +232,13 @@ static int luo_session_release(struct inode *inodep, struct file *filep)
 		if (err) {
 			pr_warn("Unable to finish session [%s] on release\n",
 				session->name);
+			scoped_guard(mutex, &session->mutex)
+				session->file = NULL;
 			return err;
 		}
 		sh = &luo_session_global.incoming;
 	} else {
-		scoped_guard(mutex, &session->mutex)
-			luo_file_unpreserve_files(&session->file_set);
+		luo_session_unpreserve_files(session);
 		sh = &luo_session_global.outgoing;
 	}
 
@@ -380,16 +396,65 @@ static int luo_session_getfile(struct luo_session *session, struct file **filep)
 	struct file *file;
 
 	lockdep_assert_held(&session->mutex);
+
+	/* serialization may evict partially initialized session */
+	if (list_empty(&session->list))
+		return -EBUSY;
+
 	snprintf(name_buf, sizeof(name_buf), "[luo_session] %s", session->name);
 	file = anon_inode_getfile(name_buf, &luo_session_fops, session, O_RDWR);
 	if (IS_ERR(file))
 		return PTR_ERR(file);
 
+	session->file = file;
 	*filep = file;
 
 	return 0;
 }
 
+/**
+ * luo_session_get_all_outgoing - Pins all active outgoing sessions.
+ *
+ * This function iterates through all sessions in the outgoing list and
+ * attempts to pin their associated file descriptors. If a session's file
+ * is no longer active (refcount 0), the session is cleaned up and removed.
+ *
+ * Note: Successfully pinned files have their reference count increased.
+ * These references are intentionally leaked in the current kernel upon
+ * successful live update, as the system will transition to a new kernel
+ * image which will reclaim all memory. In case of failure, they are
+ * released in luo_session_put_all_outgoing().
+ */
+static void luo_session_get_all_outgoing(void)
+{
+	struct luo_session_header *sh = &luo_session_global.outgoing;
+	struct luo_session *session, *tmp;
+
+	lockdep_assert_held_write(&sh->rwsem);
+	list_for_each_entry_safe(session, tmp, &sh->list, list) {
+		guard(mutex)(&session->mutex);
+		if (!session->file) {
+			__luo_session_remove(sh, session);
+		} else if (!get_file_active(&session->file)) {
+			luo_session_unpreserve_files(session);
+			__luo_session_remove(sh, session);
+		}
+	}
+}
+
+static void luo_session_put_all_outgoing(void)
+{
+	struct luo_session_header *sh = &luo_session_global.outgoing;
+	struct luo_session *session;
+
+	lockdep_assert_held_write(&sh->rwsem);
+	list_for_each_entry(session, &sh->list, list) {
+		guard(mutex)(&session->mutex);
+		if (session->file)
+			fput(session->file);
+	}
+}
+
 int luo_session_create(const char *name, struct file **filep)
 {
 	struct luo_session *session;
@@ -596,6 +661,7 @@ int luo_session_serialize(void)
 	guard(rwsem_write)(&sh->rwsem);
 
 	sh->rebooting = true;
+	luo_session_get_all_outgoing();
 	list_for_each_entry(session, &sh->list, list) {
 		err = luo_session_freeze_one(session, &sh->ser[i]);
 		if (err)
@@ -616,6 +682,7 @@ int luo_session_serialize(void)
 		luo_session_unfreeze_one(session, &sh->ser[i]);
 		memset(sh->ser[i].name, 0, sizeof(sh->ser[i].name));
 	}
+	luo_session_put_all_outgoing();
 
 	return err;
 }
-- 
2.54.0.545.g6539524ca2-goog

Re: [PATCH v1 3/3] liveupdate: pin sessions and handle inactive ones during serialization

[Pratyush Yadav]

On Wed, May 06 2026, Pasha Tatashin wrote:

> During the reboot() syscall, user processes are still running
> concurrently. Even though the system is actively serializing LUO
> sessions and will not return to userspace unless liveupdate_reboot()
> fails, it is still possible for a user process to close a preserved LUO
> session. This creates a race condition where a session could be
> destroyed while it is being serialized.
>
> To fix this, we must ensure that we only preserve sessions that are not
> closed at the time of serialization. Take a reference to the session's
> struct file for all outgoing sessions to pin them during this process.
>
> Handle inactive sessions (where get_file_active() fails) by cleaning
> them up and removing them from the outgoing list during the pinning
> phase. This ensures serialization can safely proceed with the remaining
> active sessions.
>
> Fixes: 0153094d03df ("liveupdate: luo_session: add sessions support")
> Reported-by: Oskar Gerlicz Kowalczuk <oskar@gerlicz.space>
> Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>

Same here. If we hold the session header and session locks, we don't
have to worry about all these corner cases. It is too late to touch the
session once liveupdate_reboot() starts, and if you try you just get put
to sleep.

[...]

-- 
Regards,
Pratyush Yadav