From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qv1-f46.google.com (mail-qv1-f46.google.com [209.85.219.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A61DD331A7E for ; Mon, 29 Jun 2026 07:32:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.46 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782718340; cv=none; b=MN00Fm4aBDatTbBSeu/lL6hIB//b06DvDtJTKLohsJTRlRuaGdNdegASlPpP5P29HheFR2Q4o3njp5VmDgL4DgtnBkDADF2L5HPnESmWs04nMdlNkRWuV5363l4lpYkdSdjOxSe9J8u+TBwImq5AXi0VqGFwL3N0KP9nbSWhDNQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782718340; c=relaxed/simple; bh=W8Cy9M46VWuDt44CjoDoI3Ia8kzNlgfnDl7o+Kj86PQ=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=kkbD5ldUSo2tup782kh5WEjJZDrNDJBoA7jdoui++bbOPJ5xD+54fZz88PPq00xMpb3RMLnZvvM/6Gv2USQHz4hdvR6+UXrN/pIxx7IFQxyTCsCcB1khq4MU8aNHPYPtrCMXpbLZ7TC60uyjLyd8ubNGPrWpElcHbqiGiDdNjbY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=soleen.com; spf=pass smtp.mailfrom=soleen.com; dkim=pass (2048-bit key) header.d=soleen.com header.i=@soleen.com header.b=VuM8C+P8; arc=none smtp.client-ip=209.85.219.46 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=soleen.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=soleen.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=soleen.com header.i=@soleen.com header.b="VuM8C+P8" Received: by mail-qv1-f46.google.com with SMTP id 6a1803df08f44-8efbafa1bacso6970746d6.1 for ; Mon, 29 Jun 2026 00:32:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=soleen.com; s=google; t=1782718336; x=1783323136; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=1v6W6k2MU5dZ6c3Yzz6iw0lMzjubTnc25U0LLuynrUI=; b=VuM8C+P8TP0lx9S9jxO2bXcs90J5/tdXAYtmLxkULJjXXzuOyd8BPg2ckf36PuILfk 42aW0wfMTXMYAMBOmFl2AJBzkA48urJh9YZ48EnM26GKC89inWRrXJOyPVzI/9JG0p5A 4iqU1rO6g6bEmehsjKitiRtCBYnS75qXyo76znMWYG9x8GZR7Qmt+KBkxZulu1718hml wS9s7L0yDYPjkUAqPItH9uKRw9Twqm6n+p8N0FC5j3VcdcrodQhrhSB3Q5mAF96j6dr8 Z+aFA2wmejoGyefz72/JRts3vxZ8k5M40ttGPlGZ784B6ZqYQaHfchrgHQ/h10YaFvYl GJAQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782718336; x=1783323136; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1v6W6k2MU5dZ6c3Yzz6iw0lMzjubTnc25U0LLuynrUI=; b=CeGWYUX+MLXlSi+qZDltVe/fjefR6W/E0LtfCtrbAVmcmHb4Y5M+PB5Fv8pBDeHPOw xszYBrRcDoyV2dghDPzAW6Vnh5V8UtY6Ln91sEp5Ulcq3PnsOOZRoDJLOVdGV7rsJAjg d5IhXm65m8enkaqwqJOsSY71Ho+97TmCaCqwhTOiKlg4mlnqPFdb4ho+OIT8AuWQHRGw mL6FTPMPbyQgajidXYteFEZQY/RqbEo9HqjE0IkwgD05rh0k/9HCQE+VXIo08BbaxfAG uSRk2mqFw4l10RS6PZMFUzxJ3r/VuzQPPi+EeTN/5NvGqeDzgl2/niVVE6UfEa6BdCh5 1t5g== X-Forwarded-Encrypted: i=1; AHgh+Rptgx+1AMIAa/B/AHFOKNQsaQ3HPg7ZxsGlHxDXki3JgLIUPzbAAtSYzAPTtvc8s1V/yDdSCQWCut3E00E=@vger.kernel.org X-Gm-Message-State: AOJu0YwLUA1CAcfBpPh1SWvvHVXZ7Xcp52NNjP5Z1EYc9U3UjkbBaVY+ bl1QNjlKBPCka+g0aTBAqc8NzR4cR0SnVVenHC34XWvzAo2nyfqLpf1nQWevMu1UQTg= X-Gm-Gg: AfdE7cm5swW/LOlGoDQO2ywbDAKwtFZ2u72V29mAj9azU2wMNn5PNguhSsbIYapfiQu DhLLshziEffMgvHW0wnhqzuzKEjLJPuCM2+Cq/loJbYdW3cKhGakKBLiaFY8Fe+mZBitYUcOHXT TSytSpneM8nugbP3Ky0CjfjsP8PSgsb52L2DB46ZUwBKvyzR6w55jOO9d65d9dhwqiTsLQ+N7M6 FyQ0v2nu8u+AUA+RMSkW2LKGgJXuoTzrX96/EYm7axa+KRSJ2KxBNGOENl5SO0jSMNy75oKsFGG e2Tya9S6AH2NJCD1F7usC1XmqxKmH7KMP8F9oTuCDOsX1sEIlR9zuBwUMX8IQPJwzQsTVbYz+qw EeuCal1QaHs4JCqE0CcKOHivVO0taQKJpOohx33Z5zAJHahBxWb4Ree1JGZr9iYeGHVbmLIMfxQ WcgCvDbP2+UhBeXKLoFW6CNyQb668NnZL3ZMv2j2Pu X-Received: by 2002:a05:6214:6010:b0:8e9:f5de:d5c2 with SMTP id 6a1803df08f44-8e9f5ded9b5mr130841736d6.57.1782718336450; Mon, 29 Jun 2026 00:32:16 -0700 (PDT) Received: from plex ([71.181.43.54]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8ef55c2a4c2sm47392796d6.10.2026.06.29.00.32.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 00:32:15 -0700 (PDT) Date: Mon, 29 Jun 2026 07:32:14 +0000 From: Pasha Tatashin To: Pratyush Yadav Cc: Samiullah Khawaja , Pasha Tatashin , Mike Rapoport , Alexander Graf , David Matlack , tarunsahu@google.com, open list , "open list:KEXEC HANDOVER (KHO)" , "open list:KEXEC HANDOVER (KHO)" Subject: Re: [PATCH 1/1] liveupdate: luo_file: Add internal APIs for file preservation Message-ID: References: <20260613012521.835490-1-skhawaja@google.com> <20260613012521.835490-2-skhawaja@google.com> <2vxzwlvljyzs.fsf@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2vxzwlvljyzs.fsf@kernel.org> On 06-26 13:57, Pratyush Yadav wrote: > Hi Sami, > > On Sat, Jun 13 2026, Samiullah Khawaja wrote: > > > From: Pasha Tatashin > > > > Live update orchestrator file handlers depend on the preservation of > > other files. To make sure that the dependency is preserved, the file > > handlers needs to fetch the preservation token of the preserved > > dependency. Similarly during restore, a file handler wants to fetch the > > restored file of the dependency. > > > > Add APIs that allows fetching token of dependency during preservation, > > and fetching the restored file dependency during restore. > > > > Signed-off-by: Pasha Tatashin > > Signed-off-by: Samiullah Khawaja > > We discussed this once already on a call, but I'll write my argument out > here for everyone else to get a say as well. > > While it isn't obvious, this patch implicitly defines a part of the uAPI > for live update. This patch says to VMMs (or other live update users) > that "you can restore dependent files in any order". That is, VMMs > don't have to restore the files in a topological sort order or > dependencies, they can do so in any order and the kernel will manage the > dependencies on its own. Avoiding a forced dependency ordering is a deliberate design choice in LUO, to avoid any kind of circular dependeces: A depends on B, B depends on C, and C depends on A. To achieve this, LUO provides the .can_finish() callback. So, LUO does two-phase verification: 1. It iterates through all tracked files and invokes .can_finish(). 2. Only if *all* files return success does it proceed to invoke .finish(). If a VMM restores a file (such as guest_memfd) but fails to restore its dependency (such as the VM FD), or attempts to close the session prematurely, the .can_finish() check for that file will fail (returning -EBUSY), and the entire finish sequence will abort. This guarantees kernel-enforced correctness at the session boundary and without forcing the VMM to execute restores in a strict sequential order, which anway would not make any sense from kernel side due to circular dependecies issue, where topological sort does not exist. > > But on the preservation side, VMMs still do need to follow the > topological order of dependencies. Because if they don't, the > liveupdate_get_token_outgoing() call will fail and preservation can't > proceed. Actually, preservation can also be performed in an order-independent manner. While a handler can call liveupdate_get_token_outgoing() during .preserve(), it can also defer this query until the .freeze() callback. Because .freeze() is invoked after all files in the session have completed their .preserve() phase, all dependency tokens are guaranteed to be available, completely eliminating any topological ordering requirements during the initial preservation calls. It is up to individual file handler implementations to decide whether they wish to enforce ordering at .preserve() time or defer it to .freeze(). > In simple words, if file type A depends on file type B, VMMs always need > to preserve B before A, because A's preservation will try to find B's > token, and if B is not preserved that will fail. On the _restore_ side > though, liveupdate_get_file_incoming() implicitly retrieves the file so > the VMM can restore then in any order. > > I don't like this for a couple reasons. First, this makes the API > asymmetric. If the VMM needs to manage dependency order during > preservation anyway, why not do it on retrieve as well? > > Second, the API is easier to misuse. The VMM can restore A but not B, > and then close the session. It will go on its merry way never knowing it > did something wrong. For example, guest_memfd depends on its VM FD. With > this patch, LUO will allow restoring guest_memfd without restoring the > VM FD. This makes the guest_memfd practically useless. Yes, it is a bug > in the VMM anyway, but if guest_memfd restore was denied, then it would > be easier to catch. > > The kernel will keep itself safe in either case, but it will make the > API harder to misuse. And you can always _relax_ the ordering > requirement if there is a need in the future, but you can't go the other > way round. > > So that's my question: do we enforce restore ordering? The code change > should be relatively simple. You just need to fail if the file is not > already restored in liveupdate_get_file_incoming(). > > In either case, please at least add a piece in the documentation about > this ordering. We should not leave it implicit. As explained above, the .can_finish() callback addresses this problem and prevents any misuse (such as closing a session with a missing VM FD dependency). That said, I agree that these ordering semantics, deferred verification model, and the exact roles of .can_finish() and .freeze() should not remain implicit. It makes sense adding details to the documentation to clarify this behavior. Pasha