Date: Thu, 11 Jun 2026 18:55:08 +0000
From: Pasha Tatashin
To: Michal Clapinski
Cc: Kees Cook, Tony Luck, "Guilherme G. Piccoli", Pasha Tatashin, Mike Rapoport, Pratyush Yadav, Alexander Graf, linux-kernel@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [PATCH v2] pstore: add a KHO backend
References: <20260605121040.1177072-1-mclapinski@google.com>
In-Reply-To: <20260605121040.1177072-1-mclapinski@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 06-05 14:10, Michal Clapinski wrote:
> Up to this point to preserve late shutdown logs in memory, users had to
> predefine a memory region using ramoops. This commit changes this by
> preserving a buffer using kexec-handover.
>
> pstore_kho supports preserving only 1 dmesg buffer.
> It gets replaced with the new buffer on every kexec, so the user has to
> copy the file out of pstore after every kexec.
> There is no erase() support.
> > Signed-off-by: Michal Clapinski > --- > v2: > - Added a comment explaining the benefits of pstore_kho. > - Created include/linux/kho/abi/pstore.h. > - Got rid of the KHO subtree. > - Made sure never to free incoming kho data. > This way the module can be safely reloaded. > - Sashiko complained that I trust the data coming from the old kernel. > I ignored it. LMK if I shouldn't trust the old kernel. > --- > fs/pstore/Kconfig | 10 ++ > fs/pstore/Makefile | 2 + > fs/pstore/pstore_kho.c | 230 +++++++++++++++++++++++++++++++++ > include/linux/kho/abi/pstore.h | 27 ++++ > 4 files changed, 269 insertions(+) > create mode 100644 fs/pstore/pstore_kho.c > create mode 100644 include/linux/kho/abi/pstore.h > > diff --git a/fs/pstore/Kconfig b/fs/pstore/Kconfig > index 3acc38600cd1..455790fec955 100644 > --- a/fs/pstore/Kconfig > +++ b/fs/pstore/Kconfig > @@ -81,6 +81,16 @@ config PSTORE_RAM > > For more information, see Documentation/admin-guide/ramoops.rst. > > +config PSTORE_KHO > + tristate "Preserve logs over kexec" > + depends on PSTORE > + depends on KEXEC_HANDOVER > + help > + A pstore backend for preserving dmesg over KHO (kexec handover). > + It does not require any additional cmdline params to work. > + > + It supports preservation of only 1 dmesg file. > + > config PSTORE_ZONE > tristate > depends on PSTORE > diff --git a/fs/pstore/Makefile b/fs/pstore/Makefile > index c270467aeece..518cd408bf8e 100644 > --- a/fs/pstore/Makefile > +++ b/fs/pstore/Makefile > @@ -13,6 +13,8 @@ pstore-$(CONFIG_PSTORE_PMSG) += pmsg.o > ramoops-objs += ram.o ram_core.o > obj-$(CONFIG_PSTORE_RAM) += ramoops.o > > +obj-$(CONFIG_PSTORE_KHO) += pstore_kho.o > + > pstore_zone-objs += zone.o > obj-$(CONFIG_PSTORE_ZONE) += pstore_zone.o > > diff --git a/fs/pstore/pstore_kho.c b/fs/pstore/pstore_kho.c > new file mode 100644 > index 000000000000..6d4187d91642 > --- /dev/null > +++ b/fs/pstore/pstore_kho.c 
> @@ -0,0 +1,230 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * KHO (Kexec Handover) backend for pstore. No need to spell it out. > + * > + * KHO-based pstore provides a mechanism to hand over pstore data (specifically > + * dmesg logs) from one kernel to another across a kexec reboot using the > + * Kexec Handover (KHO) framework. > + * > + * Key advantages of KHO-based pstore include: > + * - No hardcoded memmap: Unlike ramoops, it does not require reserving a static > + * memory region in the bootloader or device tree. Memory is allocated > + * dynamically and handed over to the next kernel. > + * - Firmware independence: It does not rely on platform firmware support (like > + * ACPI ERST or UEFI variable storage) to preserve logs across reboots. > + * - High throughput: It avoids the performance bottlenecks of serial consoles, > + * not being limited by console baud rates. > + * - Complete log preservation: It preserves all dmesg logs, including those > + * generated late in the reboot cycle after filesystems have been unmounted, > + * up to the point of the kexec jump. > + */ > + > +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +/* > + * The in and out buffers are separate and they need not be the same size. > + * Therefore, this is not part of ABI. > + */ > +#define RECORD_MAX_SIZE (1 << CONFIG_LOG_BUF_SHIFT) This does not sound right. I think we should enforce size through ABI. 
Or make it flexible so > + > +struct pstore_kho_context { > + struct pstore_info pstore; > + bool read_done; > +}; > + > +static struct pstore_ser *kho_ser_in; > +static struct pstore_ser *kho_ser_out; > + > +static int pstore_kho_open(struct pstore_info *psi) > +{ > + struct pstore_kho_context *cxt = psi->data; > + > + cxt->read_done = false; > + return 0; > +} > + > +static ssize_t pstore_kho_read(struct pstore_record *record) > +{ > + struct pstore_kho_context *cxt = record->psi->data; > + struct pstore_kho_record *kho_data_in; > + > + if (cxt->read_done || !kho_ser_in) > + return 0; > + > + cxt->read_done = true; > + kho_data_in = &kho_ser_in->record; > + > + record->buf = kmemdup(kho_data_in->buf, kho_data_in->size, GFP_KERNEL); > + if (!record->buf) > + return -ENOMEM; > + > + record->type = PSTORE_TYPE_DMESG; > + record->id = 0; > + record->size = kho_data_in->size; > + record->time.tv_sec = kho_data_in->time_sec; > + record->time.tv_nsec = kho_data_in->time_nsec; > + record->count = kho_data_in->count; > + record->reason = kho_data_in->reason; > + record->part = kho_data_in->part; > + record->compressed = kho_data_in->compressed; > + > + return record->size; > +} > + > +static int pstore_kho_write(struct pstore_record *record) > +{ > + struct pstore_kho_record *kho_data_out = &kho_ser_out->record; > + > + if (record->type != PSTORE_TYPE_DMESG) > + return -EINVAL; > + > + if (kho_data_out->size != 0) { > + pr_err("pstore kho already contains a record\n"); > + return -ENOSPC; > + } > + > + if (record->size > RECORD_MAX_SIZE) { > + pr_err("dmesg record too big, record size: %lu, available space: %d\n", > + record->size, RECORD_MAX_SIZE); > + return -ENOSPC; > + } > + > + memcpy(kho_data_out->buf, record->buf, record->size); > + kho_data_out->size = record->size; > + kho_data_out->time_sec = record->time.tv_sec; > + kho_data_out->time_nsec = record->time.tv_nsec; > + kho_data_out->count = record->count; > + kho_data_out->reason = record->reason; > + 
kho_data_out->part = record->part; > + kho_data_out->compressed = record->compressed; > + > + return 0; > +} > + > +static struct pstore_kho_context pstore_kho_cxt = { > + .pstore = { > + .owner = THIS_MODULE, > + .name = "kho", > + .bufsize = RECORD_MAX_SIZE, Let's make this ABI for simplicity. > + .flags = PSTORE_FLAGS_DMESG, > + .max_reason = KMSG_DUMP_SHUTDOWN, In all other places, the default is KMSG_DUMP_OOPS, and it is increased or decreased based on user-provided parameters. Should we not do the same here? > + .open = pstore_kho_open, > + .read = pstore_kho_read, > + .write = pstore_kho_write, > + }, > +}; > + > +static void __init kho_setup_incoming(void) > +{ > + phys_addr_t kho_ser_phys; > + int err; > + > + err = kho_retrieve_subtree(KHO_PSTORE_FDT_NAME, &kho_ser_phys); > + if (err) { > + if (err != -ENOENT) > + pr_err("failed to retrieve KHO data %s: %d\n", > + KHO_PSTORE_FDT_NAME, err); > + return; > + } > + > + kho_ser_in = phys_to_virt(kho_ser_phys); > + > + if (kho_ser_in->version != KHO_PSTORE_VERSION) { > + pr_err("unsupported KHO pstore version: %d\n", kho_ser_in->version); > + kho_ser_in = NULL; > + return; > + } > + > + pr_info("successfully restored preserved data\n"); > +} > + > +static int __init kho_setup_outgoing(void) > +{ > + int err; > + size_t total_size = sizeof(struct pstore_ser) + RECORD_MAX_SIZE; Please use the reverse-christmas-tree order for variable declarations. > + > + kho_ser_out = kho_alloc_preserve(total_size); RECORD_MAX_SIZE is not part of the ABI, yet it is statically configured during kho_setup_outgoing(). We need to either make it dynamic, setting up preserved pages as we go based on the amount of used memory (i.e., use something like KHO linked-blocks), or make this part of the ABI. 
> + if (IS_ERR(kho_ser_out)) { > + pr_err("failed to allocate pstore kho ser anchor\n"); > + return PTR_ERR(kho_ser_out); > + } > + memset(kho_ser_out, 0, total_size); > + kho_ser_out->version = KHO_PSTORE_VERSION; > + > + err = kho_add_subtree(KHO_PSTORE_FDT_NAME, kho_ser_out); > + if (err) { > + pr_err("failed to add KHO data\n"); > + goto err_free_ser; > + } > + > + return 0; > + > +err_free_ser: > + kho_unpreserve_free(kho_ser_out); > + return err; > +} > + > +static int __init pstore_kho_init(void) > +{ > + int err; > + struct pstore_kho_context *cxt = &pstore_kho_cxt; RCT order please. > + > + if (!kho_is_enabled()) { > + pr_info("KHO is disabled, pstore_kho cannot start\n"); > + return -ENODEV; > + } > + > + kho_setup_incoming(); > + err = kho_setup_outgoing(); > + if (err) { > + pr_err("failed to setup outgoing KHO\n"); > + return err; Although the outgoing failed, can we still retrieve incoming messages? > + } > + > + cxt->pstore.data = cxt; > + cxt->pstore.buf = kmalloc(cxt->pstore.bufsize, GFP_KERNEL); > + if (!cxt->pstore.buf) { > + err = -ENOMEM; > + goto err_free_outgoing; > + } > + > + err = pstore_register(&cxt->pstore); > + if (err) { > + pr_err("failed to register with pstore\n"); > + goto err_free_pstore_buf; > + } > + > + return 0; > + > +err_free_pstore_buf: > + kfree(cxt->pstore.buf); > + > +err_free_outgoing: > + kho_remove_subtree(kho_ser_out); > + kho_unpreserve_free(kho_ser_out); > + > + return err; > +} > +module_init(pstore_kho_init); > + > +static void __exit pstore_kho_exit(void) > +{ > + pstore_unregister(&pstore_kho_cxt.pstore); > + kfree(pstore_kho_cxt.pstore.buf); > + > + kho_remove_subtree(kho_ser_out); > + kho_unpreserve_free(kho_ser_out); > +} > +module_exit(pstore_kho_exit); > + > +MODULE_LICENSE("GPL"); > +MODULE_DESCRIPTION("Pstore backend for dmesg preservation over kexec"); > diff --git a/include/linux/kho/abi/pstore.h b/include/linux/kho/abi/pstore.h > new file mode 100644 > index 000000000000..743ec64d67fc > --- /dev/null 
> +++ b/include/linux/kho/abi/pstore.h > @@ -0,0 +1,27 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > + > +#ifndef _LINUX_KHO_ABI_PSTORE_H > +#define _LINUX_KHO_ABI_PSTORE_H > + > +#include Please use the header comment in other ABI files as a template for what should be stated here. Please also include it in the documentation, consistent with all other ABI headers. > + > +#define KHO_PSTORE_FDT_NAME "pstore-kho" > +#define KHO_PSTORE_VERSION 1 > + > +struct pstore_kho_record { I would prefer: pstore_record_ser > + s64 size; > + s64 time_sec; > + u32 time_nsec; > + s32 count; > + u32 reason; > + u32 part; > + u32 compressed; > + char buf[]; > +}; > + > +struct pstore_ser { > + u32 version; > + struct pstore_kho_record record; > +}; > + > +#endif /* _LINUX_KHO_ABI_PSTORE_H */ > -- > 2.54.0.1032.g2f8565e1d1-goog >
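Review bot: in fs/pstore/pstore_kho.c, pstore_kho_read() passes kho_data_in->size straight to kmemdup() and into record->size with no range check, while kho_setup_incoming() validates only the version field. The field is an s64 written by the previous kernel, so a negative or oversized value reaches kmemdup() as a huge length or makes the copy read past the preserved buffer. Because RECORD_MAX_SIZE is not carried in the handed-over data, the receiving kernel has no bound to compare against; recording the buffer capacity in struct pstore_ser (or fixing it in the ABI, as requested above) and rejecting size < 0 or size > capacity in kho_setup_incoming() would let the reader refuse a malformed record instead of acting on it. The version mismatch message also prints the u32 version with %d, where %u matches the type.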
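Review bot: in include/linux/kho/abi/pstore.h, both structs depend on compiler-inserted padding: in struct pstore_ser the u32 version is followed by a record that starts with an s64, so a 64-bit build leaves 4 unnamed bytes between them, and the fixed fields of struct pstore_kho_record add up to 36 bytes before buf[]. For a layout that two separately built kernels have to agree on, name the padding with explicit reserved fields (or order the members so none is needed) and describe the layout in the header comment that is being requested here. Consider u64 for size as well, since a negative size has no meaning and otherwise has to be rejected by the reader.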