1 // SPDX-License-Identifier: GPL-2.0
2
3 /*
4 * Copyright (c) 2025, Google LLC.
5 * Pasha Tatashin <pasha.tatashin@soleen.com>
6 */
7
8 /**
9 * DOC: LUO File Descriptors
10 *
11 * LUO provides the infrastructure to preserve specific, stateful file
12 * descriptors across a kexec-based live update. The primary goal is to allow
13 * workloads, such as virtual machines using vfio, memfd, or iommufd, to
14 * retain access to their essential resources without interruption.
15 *
16 * The framework is built around a callback-based handler model and a well-
17 * defined lifecycle for each preserved file.
18 *
19 * Handler Registration:
20 * Kernel modules responsible for a specific file type (e.g., memfd, vfio)
21 * register a &struct liveupdate_file_handler. This handler provides a set of
22 * callbacks that LUO invokes at different stages of the update process, most
23 * notably:
24 *
25 * - can_preserve(): A lightweight check to determine if the handler is
26 * compatible with a given 'struct file'.
27 * - preserve(): The heavyweight operation that saves the file's state and
28 * returns an opaque u64 handle. This is typically performed while the
29 * workload is still active to minimize the downtime during the
30 * actual reboot transition.
31 * - unpreserve(): Cleans up any resources allocated by .preserve(), called
32 * if the preservation process is aborted before the reboot (i.e. session is
33 * closed).
34 * - freeze(): A final pre-reboot opportunity to prepare the state for kexec.
35 * We are already in reboot syscall, and therefore userspace cannot mutate
36 * the file anymore.
37 * - unfreeze(): Undoes the actions of .freeze(), called if the live update
38 * is aborted after the freeze phase.
39 * - retrieve(): Reconstructs the file in the new kernel from the preserved
40 * handle.
41 * - finish(): Performs final check and cleanup in the new kernel. After
42 * succesul finish call, LUO gives up ownership to this file.
43 *
44 * File Preservation Lifecycle happy path:
45 *
46 * 1. Preserve (Normal Operation): A userspace agent preserves files one by one
47 * via an ioctl. For each file, luo_preserve_file() finds a compatible
48 * handler, calls its .preserve() operation, and creates an internal &struct
49 * luo_file to track the live state.
50 *
51 * 2. Freeze (Pre-Reboot): Just before the kexec, luo_file_freeze() is called.
52 * It iterates through all preserved files, calls their respective .freeze()
53 * operation, and serializes their final metadata (compatible string, token,
54 * and data handle) into a contiguous memory block for KHO.
55 *
56 * 3. Deserialize: After kexec, luo_file_deserialize() runs when session gets
57 * deserialized (which is when /dev/liveupdate is first opened). It reads the
58 * serialized data from the KHO memory region and reconstructs the in-memory
59 * list of &struct luo_file instances for the new kernel, linking them to
60 * their corresponding handlers.
61 *
62 * 4. Retrieve (New Kernel - Userspace Ready): The userspace agent can now
63 * restore file descriptors by providing a token. luo_retrieve_file()
64 * searches for the matching token, calls the handler's .retrieve() op to
65 * re-create the 'struct file', and returns a new FD. Files can be
66 * retrieved in ANY order.
67 *
68 * 5. Finish (New Kernel - Cleanup): Once a session retrival is complete,
69 * luo_file_finish() is called. It iterates through all files, invokes their
70 * .finish() operations for final cleanup, and releases all associated kernel
71 * resources.
72 *
73 * File Preservation Lifecycle unhappy paths:
74 *
75 * 1. Abort Before Reboot: If the userspace agent aborts the live update
76 * process before calling reboot (e.g., by closing the session file
77 * descriptor), the session's release handler calls
78 * luo_file_unpreserve_files(). This invokes the .unpreserve() callback on
79 * all preserved files, ensuring all allocated resources are cleaned up and
80 * returning the system to a clean state.
81 *
82 * 2. Freeze Failure: During the reboot() syscall, if any handler's .freeze()
83 * op fails, the .unfreeze() op is invoked on all previously *successful*
84 * freezes to roll back their state. The reboot() syscall then returns an
85 * error to userspace, canceling the live update.
86 *
87 * 3. Finish Failure: In the new kernel, if a handler's .finish() op fails,
88 * the luo_file_finish() operation is aborted. LUO retains ownership of
89 * all files within that session, including those that were not yet
90 * processed. The userspace agent can attempt to call the finish operation
91 * again later. If the issue cannot be resolved, these resources will be held
92 * by LUO until the next live update cycle, at which point they will be
93 * discarded.
94 */
95
96 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
97
98 #include <linux/cleanup.h>
99 #include <linux/compiler.h>
100 #include <linux/err.h>
101 #include <linux/errno.h>
102 #include <linux/file.h>
103 #include <linux/fs.h>
104 #include <linux/io.h>
105 #include <linux/kexec_handover.h>
106 #include <linux/kho/abi/luo.h>
107 #include <linux/list_private.h>
108 #include <linux/liveupdate.h>
109 #include <linux/module.h>
110 #include <linux/sizes.h>
111 #include <linux/xarray.h>
112 #include <linux/slab.h>
113 #include <linux/string.h>
114 #include "luo_internal.h"
115
116 static LIST_HEAD(luo_file_handler_list);
117
118 /* Keep track of files being preserved by LUO */
119 static DEFINE_XARRAY(luo_preserved_files);
120
121 /* 2 4K pages, give space for 128 files per file_set */
122 #define LUO_FILE_PGCNT 2ul
123 #define LUO_FILE_MAX \
124 ((LUO_FILE_PGCNT << PAGE_SHIFT) / sizeof(struct luo_file_ser))
125
126 /**
127 * struct luo_file - Represents a single preserved file instance.
128 * @fh: Pointer to the &struct liveupdate_file_handler that manages
129 * this type of file.
130 * @file: Pointer to the kernel's &struct file that is being preserved.
131 * This is NULL in the new kernel until the file is successfully
132 * retrieved.
133 * @serialized_data: The opaque u64 handle to the serialized state of the file.
134 * This handle is passed back to the handler's .freeze(),
135 * .retrieve(), and .finish() callbacks, allowing it to track
136 * and update its serialized state across phases.
137 * @private_data: Pointer to the private data for the file used to hold runtime
138 * state that is not preserved. Set by the handler's .preserve()
139 * callback, and must be freed in the handler's .unpreserve()
140 * callback.
141 * @retrieve_status: Status code indicating whether a user/kernel in the new kernel has
142 * successfully called retrieve() on this file. This prevents
143 * multiple retrieval attempts. A value of 0 means a retrieve()
144 * has not been attempted, a positive value means the retrieve()
145 * was successful, and a negative value means the retrieve()
146 * failed, and the value is the error code of the call.
147 * @mutex: A mutex that protects the fields of this specific instance
148 * (e.g., @retrieved, @file), ensuring that operations like
149 * retrieving or finishing a file are atomic.
150 * @list: The list_head linking this instance into its parent
151 * file_set's list of preserved files.
152 * @token: The user-provided unique token used to identify this file.
153 *
154 * This structure is the core in-kernel representation of a single file being
155 * managed through a live update. An instance is created by luo_preserve_file()
156 * to link a 'struct file' to its corresponding handler, a user-provided token,
157 * and the serialized state handle returned by the handler's .preserve()
158 * operation.
159 *
160 * These instances are tracked in a per-file_set list. The @serialized_data
161 * field, which holds a handle to the file's serialized state, may be updated
162 * during the .freeze() callback before being serialized for the next kernel.
163 * After reboot, these structures are recreated by luo_file_deserialize() and
164 * are finally cleaned up by luo_file_finish().
165 */
166 struct luo_file {
167 struct liveupdate_file_handler *fh;
168 struct file *file;
169 u64 serialized_data;
170 void *private_data;
171 int retrieve_status;
172 struct mutex mutex;
173 struct list_head list;
174 u64 token;
175 };
176
luo_alloc_files_mem(struct luo_file_set * file_set)177 static int luo_alloc_files_mem(struct luo_file_set *file_set)
178 {
179 size_t size;
180 void *mem;
181
182 if (file_set->files)
183 return 0;
184
185 WARN_ON_ONCE(file_set->count);
186
187 size = LUO_FILE_PGCNT << PAGE_SHIFT;
188 mem = kho_alloc_preserve(size);
189 if (IS_ERR(mem))
190 return PTR_ERR(mem);
191
192 file_set->files = mem;
193
194 return 0;
195 }
196
luo_free_files_mem(struct luo_file_set * file_set)197 static void luo_free_files_mem(struct luo_file_set *file_set)
198 {
199 /* If file_set has files, no need to free preservation memory */
200 if (file_set->count)
201 return;
202
203 if (!file_set->files)
204 return;
205
206 kho_unpreserve_free(file_set->files);
207 file_set->files = NULL;
208 }
209
luo_get_id(struct liveupdate_file_handler * fh,struct file * file)210 static unsigned long luo_get_id(struct liveupdate_file_handler *fh,
211 struct file *file)
212 {
213 return fh->ops->get_id ? fh->ops->get_id(file) : (unsigned long)file;
214 }
215
luo_token_is_used(struct luo_file_set * file_set,u64 token)216 static bool luo_token_is_used(struct luo_file_set *file_set, u64 token)
217 {
218 struct luo_file *iter;
219
220 list_for_each_entry(iter, &file_set->files_list, list) {
221 if (iter->token == token)
222 return true;
223 }
224
225 return false;
226 }
227
228 /**
229 * luo_preserve_file - Initiate the preservation of a file descriptor.
230 * @file_set: The file_set to which the preserved file will be added.
231 * @token: A unique, user-provided identifier for the file.
232 * @fd: The file descriptor to be preserved.
233 *
234 * This function orchestrates the first phase of preserving a file. Upon entry,
235 * it takes a reference to the 'struct file' via fget(), effectively making LUO
236 * a co-owner of the file. This reference is held until the file is either
237 * unpreserved or successfully finished in the next kernel, preventing the file
238 * from being prematurely destroyed.
239 *
240 * This function orchestrates the first phase of preserving a file. It performs
241 * the following steps:
242 *
243 * 1. Validates that the @token is not already in use within the file_set.
244 * 2. Ensures the file_set's memory for files serialization is allocated
245 * (allocates if needed).
246 * 3. Iterates through registered handlers, calling can_preserve() to find one
247 * compatible with the given @fd.
248 * 4. Calls the handler's .preserve() operation, which saves the file's state
249 * and returns an opaque private data handle.
250 * 5. Adds the new instance to the file_set's internal list.
251 *
252 * On success, LUO takes a reference to the 'struct file' and considers it
253 * under its management until it is unpreserved or finished.
254 *
255 * In case of any failure, all intermediate allocations (file reference, memory
256 * for the 'luo_file' struct, etc.) are cleaned up before returning an error.
257 *
258 * Context: Can be called from an ioctl handler during normal system operation.
259 * Return: 0 on success. Returns a negative errno on failure:
260 * -EEXIST if the token is already used.
261 * -EBUSY if the file descriptor is already preserved by another session.
262 * -EBADF if the file descriptor is invalid.
263 * -ENOSPC if the file_set is full.
264 * -ENOENT if no compatible handler is found.
265 * -ENOMEM on memory allocation failure.
266 * Other erros might be returned by .preserve().
267 */
luo_preserve_file(struct luo_file_set * file_set,u64 token,int fd)268 int luo_preserve_file(struct luo_file_set *file_set, u64 token, int fd)
269 {
270 struct liveupdate_file_op_args args = {0};
271 struct liveupdate_file_handler *fh;
272 struct luo_file *luo_file;
273 struct file *file;
274 int err;
275
276 if (luo_token_is_used(file_set, token))
277 return -EEXIST;
278
279 if (file_set->count == LUO_FILE_MAX)
280 return -ENOSPC;
281
282 file = fget(fd);
283 if (!file)
284 return -EBADF;
285
286 err = luo_alloc_files_mem(file_set);
287 if (err)
288 goto err_fput;
289
290 err = -ENOENT;
291 down_read(&luo_register_rwlock);
292 list_private_for_each_entry(fh, &luo_file_handler_list, list) {
293 if (fh->ops->can_preserve(fh, file)) {
294 if (try_module_get(fh->ops->owner))
295 err = 0;
296 break;
297 }
298 }
299 up_read(&luo_register_rwlock);
300
301 /* err is still -ENOENT if no handler was found */
302 if (err)
303 goto err_free_files_mem;
304
305 err = xa_insert(&luo_preserved_files, luo_get_id(fh, file),
306 file, GFP_KERNEL);
307 if (err)
308 goto err_module_put;
309
310 err = luo_flb_file_preserve(fh);
311 if (err)
312 goto err_erase_xa;
313
314 luo_file = kzalloc_obj(*luo_file);
315 if (!luo_file) {
316 err = -ENOMEM;
317 goto err_flb_unpreserve;
318 }
319
320 luo_file->file = file;
321 luo_file->fh = fh;
322 luo_file->token = token;
323 mutex_init(&luo_file->mutex);
324
325 args.handler = fh;
326 args.file = file;
327 err = fh->ops->preserve(&args);
328 if (err)
329 goto err_kfree;
330
331 luo_file->serialized_data = args.serialized_data;
332 luo_file->private_data = args.private_data;
333 list_add_tail(&luo_file->list, &file_set->files_list);
334 file_set->count++;
335
336 return 0;
337
338 err_kfree:
339 kfree(luo_file);
340 err_flb_unpreserve:
341 luo_flb_file_unpreserve(fh);
342 err_erase_xa:
343 xa_erase(&luo_preserved_files, luo_get_id(fh, file));
344 err_module_put:
345 module_put(fh->ops->owner);
346 err_free_files_mem:
347 luo_free_files_mem(file_set);
348 err_fput:
349 fput(file);
350
351 return err;
352 }
353
354 /**
355 * luo_file_unpreserve_files - Unpreserves all files from a file_set.
356 * @file_set: The files to be cleaned up.
357 *
358 * This function serves as the primary cleanup path for a file_set. It is
359 * invoked when the userspace agent closes the file_set's file descriptor.
360 *
361 * For each file, it performs the following cleanup actions:
362 * 1. Calls the handler's .unpreserve() callback to allow the handler to
363 * release any resources it allocated.
364 * 2. Removes the file from the file_set's internal tracking list.
365 * 3. Releases the reference to the 'struct file' that was taken by
366 * luo_preserve_file() via fput(), returning ownership.
367 * 4. Frees the memory associated with the internal 'struct luo_file'.
368 *
369 * After all individual files are unpreserved, it frees the contiguous memory
370 * block that was allocated to hold their serialization data.
371 */
luo_file_unpreserve_files(struct luo_file_set * file_set)372 void luo_file_unpreserve_files(struct luo_file_set *file_set)
373 {
374 struct luo_file *luo_file;
375
376 while (!list_empty(&file_set->files_list)) {
377 struct liveupdate_file_op_args args = {0};
378
379 luo_file = list_last_entry(&file_set->files_list,
380 struct luo_file, list);
381
382 args.handler = luo_file->fh;
383 args.file = luo_file->file;
384 args.serialized_data = luo_file->serialized_data;
385 args.private_data = luo_file->private_data;
386 luo_file->fh->ops->unpreserve(&args);
387 luo_flb_file_unpreserve(luo_file->fh);
388 module_put(luo_file->fh->ops->owner);
389
390 xa_erase(&luo_preserved_files,
391 luo_get_id(luo_file->fh, luo_file->file));
392 list_del(&luo_file->list);
393 file_set->count--;
394
395 fput(luo_file->file);
396 mutex_destroy(&luo_file->mutex);
397 kfree(luo_file);
398 }
399
400 luo_free_files_mem(file_set);
401 }
402
luo_file_freeze_one(struct luo_file_set * file_set,struct luo_file * luo_file)403 static int luo_file_freeze_one(struct luo_file_set *file_set,
404 struct luo_file *luo_file)
405 {
406 int err = 0;
407
408 guard(mutex)(&luo_file->mutex);
409
410 if (luo_file->fh->ops->freeze) {
411 struct liveupdate_file_op_args args = {0};
412
413 args.handler = luo_file->fh;
414 args.file = luo_file->file;
415 args.serialized_data = luo_file->serialized_data;
416 args.private_data = luo_file->private_data;
417
418 err = luo_file->fh->ops->freeze(&args);
419 if (!err)
420 luo_file->serialized_data = args.serialized_data;
421 }
422
423 return err;
424 }
425
luo_file_unfreeze_one(struct luo_file_set * file_set,struct luo_file * luo_file)426 static void luo_file_unfreeze_one(struct luo_file_set *file_set,
427 struct luo_file *luo_file)
428 {
429 guard(mutex)(&luo_file->mutex);
430
431 if (luo_file->fh->ops->unfreeze) {
432 struct liveupdate_file_op_args args = {0};
433
434 args.handler = luo_file->fh;
435 args.file = luo_file->file;
436 args.serialized_data = luo_file->serialized_data;
437 args.private_data = luo_file->private_data;
438
439 luo_file->fh->ops->unfreeze(&args);
440 }
441 }
442
__luo_file_unfreeze(struct luo_file_set * file_set,struct luo_file * failed_entry)443 static void __luo_file_unfreeze(struct luo_file_set *file_set,
444 struct luo_file *failed_entry)
445 {
446 struct list_head *files_list = &file_set->files_list;
447 struct luo_file *luo_file;
448
449 list_for_each_entry(luo_file, files_list, list) {
450 if (luo_file == failed_entry)
451 break;
452
453 luo_file_unfreeze_one(file_set, luo_file);
454 }
455
456 memset(file_set->files, 0, LUO_FILE_PGCNT << PAGE_SHIFT);
457 }
458
459 /**
460 * luo_file_freeze - Freezes all preserved files and serializes their metadata.
461 * @file_set: The file_set whose files are to be frozen.
462 * @file_set_ser: Where to put the serialized file_set.
463 *
464 * This function is called from the reboot() syscall path, just before the
465 * kernel transitions to the new image via kexec. Its purpose is to perform the
466 * final preparation and serialization of all preserved files in the file_set.
467 *
468 * It iterates through each preserved file in FIFO order (the order of
469 * preservation) and performs two main actions:
470 *
471 * 1. Freezes the File: It calls the handler's .freeze() callback for each
472 * file. This gives the handler a final opportunity to quiesce the device or
473 * prepare its state for the upcoming reboot. The handler may update its
474 * private data handle during this step.
475 *
476 * 2. Serializes Metadata: After a successful freeze, it copies the final file
477 * metadata—the handler's compatible string, the user token, and the final
478 * private data handle—into the pre-allocated contiguous memory buffer
479 * (file_set->files) that will be handed over to the next kernel via KHO.
480 *
481 * Error Handling (Rollback):
482 * This function is atomic. If any handler's .freeze() operation fails, the
483 * entire live update is aborted. The __luo_file_unfreeze() helper is
484 * immediately called to invoke the .unfreeze() op on all files that were
485 * successfully frozen before the point of failure, rolling them back to a
486 * running state. The function then returns an error, causing the reboot()
487 * syscall to fail.
488 *
489 * Context: Called only from the liveupdate_reboot() path.
490 * Return: 0 on success, or a negative errno on failure.
491 */
luo_file_freeze(struct luo_file_set * file_set,struct luo_file_set_ser * file_set_ser)492 int luo_file_freeze(struct luo_file_set *file_set,
493 struct luo_file_set_ser *file_set_ser)
494 {
495 struct luo_file_ser *file_ser = file_set->files;
496 struct luo_file *luo_file;
497 int err;
498 int i;
499
500 if (!file_set->count)
501 return 0;
502
503 if (WARN_ON(!file_ser))
504 return -EINVAL;
505
506 i = 0;
507 list_for_each_entry(luo_file, &file_set->files_list, list) {
508 err = luo_file_freeze_one(file_set, luo_file);
509 if (err < 0) {
510 pr_warn("Freeze failed for token[%#0llx] handler[%s] err[%pe]\n",
511 luo_file->token, luo_file->fh->compatible,
512 ERR_PTR(err));
513 goto err_unfreeze;
514 }
515
516 strscpy(file_ser[i].compatible, luo_file->fh->compatible,
517 sizeof(file_ser[i].compatible));
518 file_ser[i].data = luo_file->serialized_data;
519 file_ser[i].token = luo_file->token;
520 i++;
521 }
522
523 file_set_ser->count = file_set->count;
524 if (file_set->files)
525 file_set_ser->files = virt_to_phys(file_set->files);
526
527 return 0;
528
529 err_unfreeze:
530 __luo_file_unfreeze(file_set, luo_file);
531
532 return err;
533 }
534
535 /**
536 * luo_file_unfreeze - Unfreezes all files in a file_set and clear serialization
537 * @file_set: The file_set whose files are to be unfrozen.
538 * @file_set_ser: Serialized file_set.
539 *
540 * This function rolls back the state of all files in a file_set after the
541 * freeze phase has begun but must be aborted. It is the counterpart to
542 * luo_file_freeze().
543 *
544 * It invokes the __luo_file_unfreeze() helper with a NULL argument, which
545 * signals the helper to iterate through all files in the file_set and call
546 * their respective .unfreeze() handler callbacks.
547 *
548 * Context: This is called when the live update is aborted during
549 * the reboot() syscall, after luo_file_freeze() has been called.
550 */
luo_file_unfreeze(struct luo_file_set * file_set,struct luo_file_set_ser * file_set_ser)551 void luo_file_unfreeze(struct luo_file_set *file_set,
552 struct luo_file_set_ser *file_set_ser)
553 {
554 if (!file_set->count)
555 return;
556
557 __luo_file_unfreeze(file_set, NULL);
558 memset(file_set_ser, 0, sizeof(*file_set_ser));
559 }
560
561 /**
562 * luo_retrieve_file - Restores a preserved file from a file_set by its token.
563 * @file_set: The file_set from which to retrieve the file.
564 * @token: The unique token identifying the file to be restored.
565 * @filep: Output parameter; on success, this is populated with a pointer
566 * to the newly retrieved 'struct file'.
567 *
568 * This function is the primary mechanism for recreating a file in the new
569 * kernel after a live update. It searches the file_set's list of deserialized
570 * files for an entry matching the provided @token.
571 *
572 * The operation is idempotent: if a file has already been successfully
573 * retrieved, this function will simply return a pointer to the existing
574 * 'struct file' and report success without re-executing the retrieve
575 * operation. This is handled by checking the 'retrieved' flag under a lock.
576 *
577 * File retrieval can happen in any order; it is not bound by the order of
578 * preservation.
579 *
580 * Context: Can be called from an ioctl or other in-kernel code in the new
581 * kernel.
582 * Return: 0 on success. Returns a negative errno on failure:
583 * -ENOENT if no file with the matching token is found.
584 * Any error code returned by the handler's .retrieve() op.
585 */
luo_retrieve_file(struct luo_file_set * file_set,u64 token,struct file ** filep)586 int luo_retrieve_file(struct luo_file_set *file_set, u64 token,
587 struct file **filep)
588 {
589 struct liveupdate_file_op_args args = {0};
590 struct luo_file *luo_file;
591 bool found = false;
592 int err;
593
594 if (list_empty(&file_set->files_list))
595 return -ENOENT;
596
597 list_for_each_entry(luo_file, &file_set->files_list, list) {
598 if (luo_file->token == token) {
599 found = true;
600 break;
601 }
602 }
603
604 if (!found)
605 return -ENOENT;
606
607 guard(mutex)(&luo_file->mutex);
608 if (luo_file->retrieve_status < 0) {
609 /* Retrieve was attempted and it failed. Return the error code. */
610 return luo_file->retrieve_status;
611 }
612
613 if (luo_file->retrieve_status > 0) {
614 /*
615 * Someone is asking for this file again, so get a reference
616 * for them.
617 */
618 get_file(luo_file->file);
619 *filep = luo_file->file;
620 return 0;
621 }
622
623 args.handler = luo_file->fh;
624 args.serialized_data = luo_file->serialized_data;
625 err = luo_file->fh->ops->retrieve(&args);
626 if (err) {
627 /* Keep the error code for later use. */
628 luo_file->retrieve_status = err;
629 return err;
630 }
631
632 luo_file->file = args.file;
633 /* Get reference so we can keep this file in LUO until finish */
634 get_file(luo_file->file);
635
636 WARN_ON(xa_insert(&luo_preserved_files,
637 luo_get_id(luo_file->fh, luo_file->file),
638 luo_file->file, GFP_KERNEL));
639
640 *filep = luo_file->file;
641 luo_file->retrieve_status = 1;
642
643 return 0;
644 }
645
luo_file_can_finish_one(struct luo_file_set * file_set,struct luo_file * luo_file)646 static int luo_file_can_finish_one(struct luo_file_set *file_set,
647 struct luo_file *luo_file)
648 {
649 bool can_finish = true;
650
651 guard(mutex)(&luo_file->mutex);
652
653 if (luo_file->fh->ops->can_finish) {
654 struct liveupdate_file_op_args args = {0};
655
656 args.handler = luo_file->fh;
657 args.file = luo_file->file;
658 args.serialized_data = luo_file->serialized_data;
659 args.retrieve_status = luo_file->retrieve_status;
660 can_finish = luo_file->fh->ops->can_finish(&args);
661 }
662
663 return can_finish ? 0 : -EBUSY;
664 }
665
luo_file_finish_one(struct luo_file_set * file_set,struct luo_file * luo_file)666 static void luo_file_finish_one(struct luo_file_set *file_set,
667 struct luo_file *luo_file)
668 {
669 struct liveupdate_file_op_args args = {0};
670
671 guard(mutex)(&luo_file->mutex);
672
673 args.handler = luo_file->fh;
674 args.file = luo_file->file;
675 args.serialized_data = luo_file->serialized_data;
676 args.retrieve_status = luo_file->retrieve_status;
677
678 luo_file->fh->ops->finish(&args);
679 luo_flb_file_finish(luo_file->fh);
680 module_put(luo_file->fh->ops->owner);
681 }
682
683 /**
684 * luo_file_finish - Completes the lifecycle for all files in a file_set.
685 * @file_set: The file_set to be finalized.
686 *
687 * This function orchestrates the final teardown of a live update file_set in
688 * the new kernel. It should be called after all necessary files have been
689 * retrieved and the userspace agent is ready to release the preserved state.
690 *
691 * The function iterates through all tracked files. For each file, it performs
692 * the following sequence of cleanup actions:
693 *
694 * 1. If file is not yet retrieved, retrieves it, and calls can_finish() on
695 * every file in the file_set. If all can_finish return true, continue to
696 * finish.
697 * 2. Calls the handler's .finish() callback (via luo_file_finish_one) to
698 * allow for final resource cleanup within the handler.
699 * 3. Releases LUO's ownership reference on the 'struct file' via fput(). This
700 * is the counterpart to the get_file() call in luo_retrieve_file().
701 * 4. Removes the 'struct luo_file' from the file_set's internal list.
702 * 5. Frees the memory for the 'struct luo_file' instance itself.
703 *
704 * After successfully finishing all individual files, it frees the
705 * contiguous memory block that was used to transfer the serialized metadata
706 * from the previous kernel.
707 *
708 * Error Handling (Atomic Failure):
709 * This operation is atomic. If any handler's .can_finish() op fails, the entire
710 * function aborts immediately and returns an error.
711 *
712 * Context: Can be called from an ioctl handler in the new kernel.
713 * Return: 0 on success, or a negative errno on failure.
714 */
luo_file_finish(struct luo_file_set * file_set)715 int luo_file_finish(struct luo_file_set *file_set)
716 {
717 struct list_head *files_list = &file_set->files_list;
718 struct luo_file *luo_file;
719 int err;
720
721 if (!file_set->count)
722 return 0;
723
724 list_for_each_entry(luo_file, files_list, list) {
725 err = luo_file_can_finish_one(file_set, luo_file);
726 if (err)
727 return err;
728 }
729
730 while (!list_empty(&file_set->files_list)) {
731 luo_file = list_last_entry(&file_set->files_list,
732 struct luo_file, list);
733
734 luo_file_finish_one(file_set, luo_file);
735
736 if (luo_file->file) {
737 xa_erase(&luo_preserved_files,
738 luo_get_id(luo_file->fh, luo_file->file));
739 fput(luo_file->file);
740 }
741 list_del(&luo_file->list);
742 file_set->count--;
743 mutex_destroy(&luo_file->mutex);
744 kfree(luo_file);
745 }
746
747 if (file_set->files) {
748 kho_restore_free(file_set->files);
749 file_set->files = NULL;
750 }
751
752 return 0;
753 }
754
755 /**
756 * luo_file_deserialize - Reconstructs the list of preserved files in the new kernel.
757 * @file_set: The incoming file_set to fill with deserialized data.
758 * @file_set_ser: Serialized KHO file_set data from the previous kernel.
759 *
760 * This function is called during the early boot process of the new kernel. It
761 * takes the raw, contiguous memory block of 'struct luo_file_ser' entries,
762 * provided by the previous kernel, and transforms it back into a live,
763 * in-memory linked list of 'struct luo_file' instances.
764 *
765 * For each serialized entry, it performs the following steps:
766 * 1. Reads the 'compatible' string.
767 * 2. Searches the global list of registered file handlers for one that
768 * matches the compatible string.
769 * 3. Allocates a new 'struct luo_file'.
770 * 4. Populates the new structure with the deserialized data (token, private
771 * data handle) and links it to the found handler. The 'file' pointer is
772 * initialized to NULL, as the file has not been retrieved yet.
773 * 5. Adds the new 'struct luo_file' to the file_set's files_list.
774 *
775 * This prepares the file_set for userspace, which can later call
776 * luo_retrieve_file() to restore the actual file descriptors.
777 *
778 * Context: Called from session deserialization.
779 */
luo_file_deserialize(struct luo_file_set * file_set,struct luo_file_set_ser * file_set_ser)780 int luo_file_deserialize(struct luo_file_set *file_set,
781 struct luo_file_set_ser *file_set_ser)
782 {
783 struct luo_file_ser *file_ser;
784 u64 i;
785
786 if (!file_set_ser->files) {
787 WARN_ON(file_set_ser->count);
788 return 0;
789 }
790
791 file_set->count = file_set_ser->count;
792 file_set->files = phys_to_virt(file_set_ser->files);
793
794 /*
795 * Note on error handling:
796 *
797 * If deserialization fails (e.g., allocation failure or corrupt data),
798 * we intentionally skip cleanup of files that were already restored.
799 *
800 * A partial failure leaves the preserved state inconsistent.
801 * Implementing a safe "undo" to unwind complex dependencies (sessions,
802 * files, hardware state) is error-prone and provides little value, as
803 * the system is effectively in a broken state.
804 *
805 * We treat these resources as leaked. The expected recovery path is for
806 * userspace to detect the failure and trigger a reboot, which will
807 * reliably reset devices and reclaim memory.
808 */
809 file_ser = file_set->files;
810 for (i = 0; i < file_set->count; i++) {
811 struct liveupdate_file_handler *fh;
812 bool handler_found = false;
813 struct luo_file *luo_file;
814
815 down_read(&luo_register_rwlock);
816 list_private_for_each_entry(fh, &luo_file_handler_list, list) {
817 if (!strcmp(fh->compatible, file_ser[i].compatible)) {
818 if (try_module_get(fh->ops->owner))
819 handler_found = true;
820 break;
821 }
822 }
823 up_read(&luo_register_rwlock);
824
825 if (!handler_found) {
826 pr_warn("No registered handler for compatible '%.*s'\n",
827 (int)sizeof(file_ser[i].compatible),
828 file_ser[i].compatible);
829 return -ENOENT;
830 }
831
832 luo_file = kzalloc_obj(*luo_file);
833 if (!luo_file) {
834 module_put(fh->ops->owner);
835 return -ENOMEM;
836 }
837
838 luo_file->fh = fh;
839 luo_file->file = NULL;
840 luo_file->serialized_data = file_ser[i].data;
841 luo_file->token = file_ser[i].token;
842 mutex_init(&luo_file->mutex);
843 list_add_tail(&luo_file->list, &file_set->files_list);
844 }
845
846 return 0;
847 }
848
luo_file_set_init(struct luo_file_set * file_set)849 void luo_file_set_init(struct luo_file_set *file_set)
850 {
851 INIT_LIST_HEAD(&file_set->files_list);
852 }
853
luo_file_set_destroy(struct luo_file_set * file_set)854 void luo_file_set_destroy(struct luo_file_set *file_set)
855 {
856 WARN_ON(file_set->count);
857 WARN_ON(!list_empty(&file_set->files_list));
858 }
859
860 /**
861 * liveupdate_register_file_handler - Register a file handler with LUO.
862 * @fh: Pointer to a caller-allocated &struct liveupdate_file_handler.
863 * The caller must initialize this structure, including a unique
864 * 'compatible' string and a valid 'fh' callbacks. This function adds the
865 * handler to the global list of supported file handlers.
866 *
867 * Context: Typically called during module initialization for file types that
868 * support live update preservation.
869 *
870 * Return: 0 on success. Negative errno on failure.
871 */
liveupdate_register_file_handler(struct liveupdate_file_handler * fh)872 int liveupdate_register_file_handler(struct liveupdate_file_handler *fh)
873 {
874 struct liveupdate_file_handler *fh_iter;
875 int err;
876
877 if (!liveupdate_enabled())
878 return -EOPNOTSUPP;
879
880 /* Sanity check that all required callbacks are set */
881 if (!fh->ops->preserve || !fh->ops->unpreserve || !fh->ops->retrieve ||
882 !fh->ops->finish || !fh->ops->can_preserve) {
883 return -EINVAL;
884 }
885
886 down_write(&luo_register_rwlock);
887 /* Check for duplicate compatible strings */
888 list_private_for_each_entry(fh_iter, &luo_file_handler_list, list) {
889 if (!strcmp(fh_iter->compatible, fh->compatible)) {
890 pr_err("File handler registration failed: Compatible string '%s' already registered.\n",
891 fh->compatible);
892 err = -EEXIST;
893 goto err_unlock;
894 }
895 }
896
897 INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, flb_list));
898 INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, list));
899 list_add_tail(&ACCESS_PRIVATE(fh, list), &luo_file_handler_list);
900 up_write(&luo_register_rwlock);
901
902 liveupdate_test_register(fh);
903
904 return 0;
905
906 err_unlock:
907 up_write(&luo_register_rwlock);
908 return err;
909 }
910
911 /**
912 * liveupdate_unregister_file_handler - Unregister a liveupdate file handler
913 * @fh: The file handler to unregister
914 *
915 * Unregisters the file handler from the liveupdate core. This function
916 * reverses the operations of liveupdate_register_file_handler().
917 */
liveupdate_unregister_file_handler(struct liveupdate_file_handler * fh)918 void liveupdate_unregister_file_handler(struct liveupdate_file_handler *fh)
919 {
920 if (!liveupdate_enabled())
921 return;
922
923 guard(rwsem_write)(&luo_register_rwlock);
924 luo_flb_unregister_all(fh);
925 list_del(&ACCESS_PRIVATE(fh, list));
926 }
927