From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4BD7F3DA7CF for ; Mon, 6 Jul 2026 20:00:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.171 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783368004; cv=none; b=OorOafYtTB+XnhPtCwPNgygnTCvn8n65o8M2FYfB356wy1CI9HSVLSRJlWmkU0yvUmht9OOfpqo+aXwQd06JiFWWjhaAZSTGZTibW3Z0DEiH6CRVIBBTzhLtEiEp4i7I6hd80i55dtWMzkwofSvlAmb0QddNdiI1fUOzKCAdUlk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783368004; c=relaxed/simple; bh=b5AUnbmNG0YubmTXo6eMXoKhIp7rPXgULERkSpP18U0=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=Rg0HFVhBdPTlLQyxtBmlRmaZPi2OCFri+YwDRnoOVGitdeO8Ahgd/gMHV9hJbbX4XDobNQ6sEGU5aLQu22ievl+OshTJyM8B6PVxVtWZ68sMy4Y+oUtiC/+NAkFBMr6T6dSaml0bUBuMBvweHTPj6Z/6o/djzdSsSVxXxlpViWw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=sj2xWjKN; arc=none smtp.client-ip=209.85.214.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="sj2xWjKN" Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-2cacef7d299so13415ad.1 for ; Mon, 06 Jul 2026 13:00:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20251104; t=1783368002; x=1783972802; darn=vger.kernel.org; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:from:to:cc:subject :date:message-id:reply-to:content-type; bh=LAhwznhf5DkVP4v3gs3lqPrh/lcXm4gQZUhW/MOasno=; b=sj2xWjKNW+x+ly7iezhp24qFpUyFoHvkQSRjTFSFVfFaa72y6SVmh9nXDVgEhprNGP qkBCRIYWAKSmFPCtO0aVQiUAPkNbzf9Y9ZzPsSd7AUy4jORswFvaSsIf8dimXruQcHqW GZCUMPKSgugIjwB4KwUCOhKkde+o9dGhBZJxsVt75NPTkxkLYQLoHumbSbGlapDu5ylI x4wyikaYTpXqXpRQfSWjDJ/vhk2O8xfqMOWiMED3qfw/5/1hPMDjvPYZ6nMNY/u86wUQ 7lcGH0n1kL2HKPJ9BWneI/bHim8X1iuvQ6o/t5rbVsg8Pwq+ZUEafTSfjekxvmFZ5HIA WrZA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783368002; x=1783972802; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=LAhwznhf5DkVP4v3gs3lqPrh/lcXm4gQZUhW/MOasno=; b=sqmUtU59WPwAQiRcN+uOjBCFetCnsCSQfRysumT2RWBUUUnUmzO/X5J9FrlsJTMATw uOo+NXOQqrXCmycOSGzD0IGuuonDNRL48ElDuQ9NYElPCKAkwL7GBLEJQ6wxwjRq8NrH KbOTJAlWotTlIPVfhXoluS5asy3XbItJ4JqN0JkLigBgZfHtbkWeso5thcAshdd6U3lZ YvAQLnO/C17BG9r1F8DXKqXv9NbRCjpU87rY48kofD2OHI27n2RNeDlsghIFChqNIrYz MZaepivueBUCeJRRiTkoyqSiLeehTJ4v5Z29wVNKA+ky4kqkqg3J7ziSapBgylQ/pjYo 6DSQ== X-Forwarded-Encrypted: i=1; AHgh+Rr1hDCdXFS4EpEUEGvuxrvzcGDDikkuKPg+TvZkCkdFAQYOhxYy5I24I1/g8Wrso1cCBDJVYpc21l7JMTU=@vger.kernel.org X-Gm-Message-State: AOJu0YysLTCl6NYagvELrZIZ0n0T1/3LZw1VBaeCapGg/5tBn6GGEQT4 MeNMHIXCX7H68zzayBpBbGwTrJGcq2XV1846PZ1nzP1qgksC6zaaEJjR0v6h2WzKIEYoGTK7s3z lRYTQpQ== X-Gm-Gg: AfdE7cmExam7qV75J6okFdhN+3jUoX8Hxkw6MWJ33dSopoy0l6Rji5PwUXo59sx3Iyw vj0iqrFdTuYxNx21FXxtkYb1bbPJmYgig6lo3h9VnJHvEyyeEL3DKf5mH5Kpcp8Dp3b8byoq0hi 9fmcrzqbeOuFFtrJIuicENKk2c0CzcoZ55i2xPzkmrjdhTkCnJbBlg/LRZhlI54s0KhyWUQccTR +2j31mkHWR89E3BRgGoYGc1tvOCjV5ln1AQMNvgMJj4p7Rk/0j63MjHaIJsD5dIlgG42EH7CKqZ jQHFW8kvPiMWtxrcpAYKDimql0LYpDZrip9jZoA6i2bJ0h1y/eo/Kg8SYZg9aFdkiQcgf1jWLpF BMixayACWs2Ho5ARFIPxt6j8Z0gEOYm+e6rgJ06I5ZPF9QH1B0BUN5KUQvSqgFSWEynovT7uyvP STaGP3rKk4wv0UwR3cWuAFsmaO0/erI1rzixnMgNRjsKkYWfiCT2tc/1wkwrggi6A0VHKdTyose qDK4Anr5l8= X-Received: by 2002:a17:903:41cf:b0:2c9:d89f:fd98 with SMTP id d9443c01a7336-2ccc71c1939mr447305ad.1.1783368002032; Mon, 06 Jul 2026 13:00:02 -0700 (PDT) Received: from google.com (168.136.83.34.bc.googleusercontent.com. [34.83.136.168]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-847f6b609b8sm4361747b3a.5.2026.07.06.13.00.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Jul 2026 13:00:01 -0700 (PDT) Date: Mon, 6 Jul 2026 19:59:57 +0000 From: Samiullah Khawaja To: Pratyush Yadav Cc: Pasha Tatashin , Mike Rapoport , Alexander Graf , David Matlack , tarunsahu@google.com, open list , "open list:KEXEC HANDOVER (KHO)" , "open list:KEXEC HANDOVER (KHO)" Subject: Re: [PATCH 1/1] liveupdate: luo_file: Add internal APIs for file preservation Message-ID: References: <20260613012521.835490-1-skhawaja@google.com> <20260613012521.835490-2-skhawaja@google.com> <2vxzwlvljyzs.fsf@kernel.org> <2vxzse65k938.fsf@kernel.org> <2vxz7bnhjnpa.fsf@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <2vxz7bnhjnpa.fsf@kernel.org> Hi, Sorry I was out of office, so couldn't contribute to this discussion early. On Mon, Jun 29, 2026 at 06:50:09PM +0200, Pratyush Yadav wrote: >On Mon, Jun 29 2026, Pratyush Yadav wrote: > >> On Mon, Jun 29 2026, Pasha Tatashin wrote: >> >>> On 06-26 13:57, Pratyush Yadav wrote: >>>> Hi Sami, >>>> >>>> On Sat, Jun 13 2026, Samiullah Khawaja wrote: >>>> >>>> > From: Pasha Tatashin >>>> > >>>> > Live update orchestrator file handlers depend on the preservation of >>>> > other files. To make sure that the dependency is preserved, the file >>>> > handlers needs to fetch the preservation token of the preserved >>>> > dependency. Similarly during restore, a file handler wants to fetch the >>>> > restored file of the dependency. >>>> > >>>> > Add APIs that allows fetching token of dependency during preservation, >>>> > and fetching the restored file dependency during restore. >>>> > >>>> > Signed-off-by: Pasha Tatashin >>>> > Signed-off-by: Samiullah Khawaja >[...] >>> >>> To achieve this, LUO provides the .can_finish() callback. So, LUO does >>> two-phase verification: >>> >>> 1. It iterates through all tracked files and invokes .can_finish(). >>> 2. Only if *all* files return success does it proceed to invoke .finish(). >>> >>> If a VMM restores a file (such as guest_memfd) but fails to restore its >>> dependency (such as the VM FD), or attempts to close the session >>> prematurely, the .can_finish() check for that file will fail (returning >>> -EBUSY), and the entire finish sequence will abort. This guarantees >>> kernel-enforced correctness at the session boundary and without forcing >>> the VMM to execute restores in a strict sequential order, which anway >>> would not make any sense from kernel side due to circular dependecies >>> issue, where topological sort does not exist. >>> >>>> >>>> But on the preservation side, VMMs still do need to follow the >>>> topological order of dependencies. Because if they don't, the >>>> liveupdate_get_token_outgoing() call will fail and preservation can't >>>> proceed. >>> >>> Actually, preservation can also be performed in an order-independent manner. >>> While a handler can call liveupdate_get_token_outgoing() during .preserve(), >>> it can also defer this query until the .freeze() callback. Because .freeze() >>> is invoked after all files in the session have completed their .preserve() phase, >>> all dependency tokens are guaranteed to be available, completely eliminating any >>> topological ordering requirements during the initial preservation calls. It is >>> up to individual file handler implementations to decide whether they wish to >>> enforce ordering at .preserve() time or defer it to .freeze(). >> >> That is the worst of both worlds. I get your point that LUO doesn't want >> to enforce dependency ordering. My arguments against that are somewhat >> subjective so I can live with this. Pasha replied with some interesting points already, but I want to add some clarification here. During preservation, enforcing order gives the following functionality: - The token of the dependency (can be retrieved during freeze as you suggested). - The dependency is preserved and that means it has bound with the LUO session lifecycle. This guarantees that it is not going to go away until the session is closed. - Once preserved, the dependency is in some kind of "immutable" state. This might not be required by all dependent FDs, but it is critical for some. These ordering requirements should be clearly documented by the associated filehandler so the VMM knows how to do the preservation of a specific FD properly. This is actually similar to the memfd seal rule that iommufd preservation will enforce. >> >> But then you can't let file handlers enforce it as they wish. The >> dependency ordering is uAPI because it directly affects how VMMs >> preserve files. If the VMM has to keep track of dependencies for some >> file types and doesn't have to do so for others, that is a terrible and >> inconsistent API. But as you have already pointed out that the VFIO/IOMMUFD circular dependency is resolved, I am okay with enforcing dependency ordering during restore as well. However, establishing an ordered preserve/restore mandate in LUO at this point will force all future file handlers into complicated and buggy design choices if they have circular dependency or different lifecycle requirements. >> >> Ideally, LUO should handle the dependencies on its own. preserve() can >> give LUO a list of files the preserved file depends on, and LUO makes >> sure all the dependencies are present in the session at freeze. We would This again assumes the lifecycle of various FDs and that dependencies can be resolved during freeze(). Some file handlers do want order of preservation, and this scheme only guarantees preservation dependency without order, introducing hacky dependency state management until freeze(). >> also need a way of getting the dependent files back from LUO on >> retrieve(). That would make sure the dependencies are properly enforced >> both on freeze and finish, and the enforcement isn't left up to the file >> handlers. >> >> Unfortunately all that sounds fairly complicated so I am not sure if we >> want to do that just yet, although I would like to hear your thoughts on >> this. > >We had discussion about this in the live update bi-weekly today. The >conclusion we arrived at is to keep the current functionality. That is, >we don't enforce preservation dependency. > >But that also means file handlers can't try to get their dependent file >in their preserve() callback, since that would implicitly enforce >ordering. They always _have_ to do it from their freeze() callback. This has problems at multiple levels: - This indirectly sets up a precedent in uAPI that the VMM is allowed to preserve the FDs in any order and the file handler will be able to handle this. - This will be very tricky and will force filehandler to have complicated/hacky state management to handle dependency. Specifically I do need iommufd to be preserved before preserving the VFIO cdev that has an iommufd dependency. Not sure, but I think this will also be tricky when we start preservation of VFs and SRIOV PFs. I don't think LUO should enforce an arbitrary rule like this unless we have a strong reasoning behind it. > >Similarly, on retrieve side, file handlers enforce their dependent files >are restored via the can_finish() callback only. Please elaborate: does this mean the file handler cannot fetch the restored struct file of its dependency until can_finish()? This would actually be worse. A filehandler that needs to take a reference to its dependency during its own init phase would just fail to restore. For example, it means the vfio cdev cannot auto-bind with the iommufd until can_finish() is called. Also can_finish() is called just before LUO finish phase, and that is already too late. The FDs should be restored and ready to finish at that point. Forcing the dependent to resolve/enforce dependencies during that means the dependent FDs are half baked before that? Again let's be careful about enforcing arbitrary rules like these in LUO, because these end up defining uAPI and lifecycle rules that we cannot change later. > >So I think the next steps for this series is to clearly document this >requirement for file handlers in the documentation for >liveupdate_get_token_outgoing() and liveupdate_get_file_incoming(). > >Also, I think you need some way of tracking if the file was explicitly >restored by userspace, which is something file handlers would then need I think we should add a mechanism like this regardless. This will allow file handlers like guest_memfd (if they determine it is necessary) to verify that userspace explicitly restored their dependencies, without forcing the ordering policy globally on everyone else. >to call in their can_finish(). > >[...] > >-- >Regards, >Pratyush Yadav Sami