1 // SPDX-License-Identifier: GPL-2.0
2
3 /*
4 * Copyright (c) 2025, Google LLC.
5 * Pasha Tatashin <pasha.tatashin@soleen.com>
6 */
7
8 /**
9 * DOC: LUO File Descriptors
10 *
11 * LUO provides the infrastructure to preserve specific, stateful file
12 * descriptors across a kexec-based live update. The primary goal is to allow
13 * workloads, such as virtual machines using vfio, memfd, or iommufd, to
14 * retain access to their essential resources without interruption.
15 *
16 * The framework is built around a callback-based handler model and a well-
17 * defined lifecycle for each preserved file.
18 *
19 * Handler Registration:
20 * Kernel modules responsible for a specific file type (e.g., memfd, vfio)
21 * register a &struct liveupdate_file_handler. This handler provides a set of
22 * callbacks that LUO invokes at different stages of the update process, most
23 * notably:
24 *
25 * - can_preserve(): A lightweight check to determine if the handler is
26 * compatible with a given 'struct file'.
27 * - preserve(): The heavyweight operation that saves the file's state and
28 * returns an opaque u64 handle. This is typically performed while the
29 * workload is still active to minimize the downtime during the
30 * actual reboot transition.
31 * - unpreserve(): Cleans up any resources allocated by .preserve(), called
32 * if the preservation process is aborted before the reboot (i.e. session is
33 * closed).
34 * - freeze(): A final pre-reboot opportunity to prepare the state for kexec.
35 * We are already in reboot syscall, and therefore userspace cannot mutate
36 * the file anymore.
37 * - unfreeze(): Undoes the actions of .freeze(), called if the live update
38 * is aborted after the freeze phase.
39 * - retrieve(): Reconstructs the file in the new kernel from the preserved
40 * handle.
41 * - finish(): Performs final check and cleanup in the new kernel. After
42 * succesul finish call, LUO gives up ownership to this file.
43 *
44 * File Preservation Lifecycle happy path:
45 *
46 * 1. Preserve (Normal Operation): A userspace agent preserves files one by one
47 * via an ioctl. For each file, luo_preserve_file() finds a compatible
48 * handler, calls its .preserve() operation, and creates an internal &struct
49 * luo_file to track the live state.
50 *
51 * 2. Freeze (Pre-Reboot): Just before the kexec, luo_file_freeze() is called.
52 * It iterates through all preserved files, calls their respective .freeze()
53 * operation, and serializes their final metadata (compatible string, token,
54 * and data handle) into a contiguous memory block for KHO.
55 *
56 * 3. Deserialize: After kexec, luo_file_deserialize() runs when session gets
57 * deserialized (which is when /dev/liveupdate is first opened). It reads the
58 * serialized data from the KHO memory region and reconstructs the in-memory
59 * list of &struct luo_file instances for the new kernel, linking them to
60 * their corresponding handlers.
61 *
62 * 4. Retrieve (New Kernel - Userspace Ready): The userspace agent can now
63 * restore file descriptors by providing a token. luo_retrieve_file()
64 * searches for the matching token, calls the handler's .retrieve() op to
65 * re-create the 'struct file', and returns a new FD. Files can be
66 * retrieved in ANY order.
67 *
68 * 5. Finish (New Kernel - Cleanup): Once a session retrival is complete,
69 * luo_file_finish() is called. It iterates through all files, invokes their
70 * .finish() operations for final cleanup, and releases all associated kernel
71 * resources.
72 *
73 * File Preservation Lifecycle unhappy paths:
74 *
75 * 1. Abort Before Reboot: If the userspace agent aborts the live update
76 * process before calling reboot (e.g., by closing the session file
77 * descriptor), the session's release handler calls
78 * luo_file_unpreserve_files(). This invokes the .unpreserve() callback on
79 * all preserved files, ensuring all allocated resources are cleaned up and
80 * returning the system to a clean state.
81 *
82 * 2. Freeze Failure: During the reboot() syscall, if any handler's .freeze()
83 * op fails, the .unfreeze() op is invoked on all previously *successful*
84 * freezes to roll back their state. The reboot() syscall then returns an
85 * error to userspace, canceling the live update.
86 *
87 * 3. Finish Failure: In the new kernel, if a handler's .finish() op fails,
88 * the luo_file_finish() operation is aborted. LUO retains ownership of
89 * all files within that session, including those that were not yet
90 * processed. The userspace agent can attempt to call the finish operation
91 * again later. If the issue cannot be resolved, these resources will be held
92 * by LUO until the next live update cycle, at which point they will be
93 * discarded.
94 */
95
96 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
97
98 #include <linux/cleanup.h>
99 #include <linux/compiler.h>
100 #include <linux/err.h>
101 #include <linux/errno.h>
102 #include <linux/file.h>
103 #include <linux/fs.h>
104 #include <linux/io.h>
105 #include <linux/kexec_handover.h>
106 #include <linux/kho/abi/luo.h>
107 #include <linux/list_private.h>
108 #include <linux/liveupdate.h>
109 #include <linux/module.h>
110 #include <linux/sizes.h>
111 #include <linux/slab.h>
112 #include <linux/string.h>
113 #include "luo_internal.h"
114
115 static LIST_HEAD(luo_file_handler_list);
116
117 /* 2 4K pages, give space for 128 files per file_set */
118 #define LUO_FILE_PGCNT 2ul
119 #define LUO_FILE_MAX \
120 ((LUO_FILE_PGCNT << PAGE_SHIFT) / sizeof(struct luo_file_ser))
121
122 /**
123 * struct luo_file - Represents a single preserved file instance.
124 * @fh: Pointer to the &struct liveupdate_file_handler that manages
125 * this type of file.
126 * @file: Pointer to the kernel's &struct file that is being preserved.
127 * This is NULL in the new kernel until the file is successfully
128 * retrieved.
129 * @serialized_data: The opaque u64 handle to the serialized state of the file.
130 * This handle is passed back to the handler's .freeze(),
131 * .retrieve(), and .finish() callbacks, allowing it to track
132 * and update its serialized state across phases.
133 * @private_data: Pointer to the private data for the file used to hold runtime
134 * state that is not preserved. Set by the handler's .preserve()
135 * callback, and must be freed in the handler's .unpreserve()
136 * callback.
137 * @retrieve_status: Status code indicating whether a user/kernel in the new kernel has
138 * successfully called retrieve() on this file. This prevents
139 * multiple retrieval attempts. A value of 0 means a retrieve()
140 * has not been attempted, a positive value means the retrieve()
141 * was successful, and a negative value means the retrieve()
142 * failed, and the value is the error code of the call.
143 * @mutex: A mutex that protects the fields of this specific instance
144 * (e.g., @retrieved, @file), ensuring that operations like
145 * retrieving or finishing a file are atomic.
146 * @list: The list_head linking this instance into its parent
147 * file_set's list of preserved files.
148 * @token: The user-provided unique token used to identify this file.
149 *
150 * This structure is the core in-kernel representation of a single file being
151 * managed through a live update. An instance is created by luo_preserve_file()
152 * to link a 'struct file' to its corresponding handler, a user-provided token,
153 * and the serialized state handle returned by the handler's .preserve()
154 * operation.
155 *
156 * These instances are tracked in a per-file_set list. The @serialized_data
157 * field, which holds a handle to the file's serialized state, may be updated
158 * during the .freeze() callback before being serialized for the next kernel.
159 * After reboot, these structures are recreated by luo_file_deserialize() and
160 * are finally cleaned up by luo_file_finish().
161 */
162 struct luo_file {
163 struct liveupdate_file_handler *fh;
164 struct file *file;
165 u64 serialized_data;
166 void *private_data;
167 int retrieve_status;
168 struct mutex mutex;
169 struct list_head list;
170 u64 token;
171 };
172
luo_alloc_files_mem(struct luo_file_set * file_set)173 static int luo_alloc_files_mem(struct luo_file_set *file_set)
174 {
175 size_t size;
176 void *mem;
177
178 if (file_set->files)
179 return 0;
180
181 WARN_ON_ONCE(file_set->count);
182
183 size = LUO_FILE_PGCNT << PAGE_SHIFT;
184 mem = kho_alloc_preserve(size);
185 if (IS_ERR(mem))
186 return PTR_ERR(mem);
187
188 file_set->files = mem;
189
190 return 0;
191 }
192
luo_free_files_mem(struct luo_file_set * file_set)193 static void luo_free_files_mem(struct luo_file_set *file_set)
194 {
195 /* If file_set has files, no need to free preservation memory */
196 if (file_set->count)
197 return;
198
199 if (!file_set->files)
200 return;
201
202 kho_unpreserve_free(file_set->files);
203 file_set->files = NULL;
204 }
205
luo_token_is_used(struct luo_file_set * file_set,u64 token)206 static bool luo_token_is_used(struct luo_file_set *file_set, u64 token)
207 {
208 struct luo_file *iter;
209
210 list_for_each_entry(iter, &file_set->files_list, list) {
211 if (iter->token == token)
212 return true;
213 }
214
215 return false;
216 }
217
218 /**
219 * luo_preserve_file - Initiate the preservation of a file descriptor.
220 * @file_set: The file_set to which the preserved file will be added.
221 * @token: A unique, user-provided identifier for the file.
222 * @fd: The file descriptor to be preserved.
223 *
224 * This function orchestrates the first phase of preserving a file. Upon entry,
225 * it takes a reference to the 'struct file' via fget(), effectively making LUO
226 * a co-owner of the file. This reference is held until the file is either
227 * unpreserved or successfully finished in the next kernel, preventing the file
228 * from being prematurely destroyed.
229 *
230 * This function orchestrates the first phase of preserving a file. It performs
231 * the following steps:
232 *
233 * 1. Validates that the @token is not already in use within the file_set.
234 * 2. Ensures the file_set's memory for files serialization is allocated
235 * (allocates if needed).
236 * 3. Iterates through registered handlers, calling can_preserve() to find one
237 * compatible with the given @fd.
238 * 4. Calls the handler's .preserve() operation, which saves the file's state
239 * and returns an opaque private data handle.
240 * 5. Adds the new instance to the file_set's internal list.
241 *
242 * On success, LUO takes a reference to the 'struct file' and considers it
243 * under its management until it is unpreserved or finished.
244 *
245 * In case of any failure, all intermediate allocations (file reference, memory
246 * for the 'luo_file' struct, etc.) are cleaned up before returning an error.
247 *
248 * Context: Can be called from an ioctl handler during normal system operation.
249 * Return: 0 on success. Returns a negative errno on failure:
250 * -EEXIST if the token is already used.
251 * -EBADF if the file descriptor is invalid.
252 * -ENOSPC if the file_set is full.
253 * -ENOENT if no compatible handler is found.
254 * -ENOMEM on memory allocation failure.
255 * Other erros might be returned by .preserve().
256 */
luo_preserve_file(struct luo_file_set * file_set,u64 token,int fd)257 int luo_preserve_file(struct luo_file_set *file_set, u64 token, int fd)
258 {
259 struct liveupdate_file_op_args args = {0};
260 struct liveupdate_file_handler *fh;
261 struct luo_file *luo_file;
262 struct file *file;
263 int err;
264
265 if (luo_token_is_used(file_set, token))
266 return -EEXIST;
267
268 if (file_set->count == LUO_FILE_MAX)
269 return -ENOSPC;
270
271 file = fget(fd);
272 if (!file)
273 return -EBADF;
274
275 err = luo_alloc_files_mem(file_set);
276 if (err)
277 goto err_fput;
278
279 err = -ENOENT;
280 list_private_for_each_entry(fh, &luo_file_handler_list, list) {
281 if (fh->ops->can_preserve(fh, file)) {
282 err = 0;
283 break;
284 }
285 }
286
287 /* err is still -ENOENT if no handler was found */
288 if (err)
289 goto err_free_files_mem;
290
291 err = luo_flb_file_preserve(fh);
292 if (err)
293 goto err_free_files_mem;
294
295 luo_file = kzalloc_obj(*luo_file);
296 if (!luo_file) {
297 err = -ENOMEM;
298 goto err_flb_unpreserve;
299 }
300
301 luo_file->file = file;
302 luo_file->fh = fh;
303 luo_file->token = token;
304 mutex_init(&luo_file->mutex);
305
306 args.handler = fh;
307 args.file = file;
308 err = fh->ops->preserve(&args);
309 if (err)
310 goto err_kfree;
311
312 luo_file->serialized_data = args.serialized_data;
313 luo_file->private_data = args.private_data;
314 list_add_tail(&luo_file->list, &file_set->files_list);
315 file_set->count++;
316
317 return 0;
318
319 err_kfree:
320 kfree(luo_file);
321 err_flb_unpreserve:
322 luo_flb_file_unpreserve(fh);
323 err_free_files_mem:
324 luo_free_files_mem(file_set);
325 err_fput:
326 fput(file);
327
328 return err;
329 }
330
331 /**
332 * luo_file_unpreserve_files - Unpreserves all files from a file_set.
333 * @file_set: The files to be cleaned up.
334 *
335 * This function serves as the primary cleanup path for a file_set. It is
336 * invoked when the userspace agent closes the file_set's file descriptor.
337 *
338 * For each file, it performs the following cleanup actions:
339 * 1. Calls the handler's .unpreserve() callback to allow the handler to
340 * release any resources it allocated.
341 * 2. Removes the file from the file_set's internal tracking list.
342 * 3. Releases the reference to the 'struct file' that was taken by
343 * luo_preserve_file() via fput(), returning ownership.
344 * 4. Frees the memory associated with the internal 'struct luo_file'.
345 *
346 * After all individual files are unpreserved, it frees the contiguous memory
347 * block that was allocated to hold their serialization data.
348 */
luo_file_unpreserve_files(struct luo_file_set * file_set)349 void luo_file_unpreserve_files(struct luo_file_set *file_set)
350 {
351 struct luo_file *luo_file;
352
353 while (!list_empty(&file_set->files_list)) {
354 struct liveupdate_file_op_args args = {0};
355
356 luo_file = list_last_entry(&file_set->files_list,
357 struct luo_file, list);
358
359 args.handler = luo_file->fh;
360 args.file = luo_file->file;
361 args.serialized_data = luo_file->serialized_data;
362 args.private_data = luo_file->private_data;
363 luo_file->fh->ops->unpreserve(&args);
364 luo_flb_file_unpreserve(luo_file->fh);
365
366 list_del(&luo_file->list);
367 file_set->count--;
368
369 fput(luo_file->file);
370 mutex_destroy(&luo_file->mutex);
371 kfree(luo_file);
372 }
373
374 luo_free_files_mem(file_set);
375 }
376
luo_file_freeze_one(struct luo_file_set * file_set,struct luo_file * luo_file)377 static int luo_file_freeze_one(struct luo_file_set *file_set,
378 struct luo_file *luo_file)
379 {
380 int err = 0;
381
382 guard(mutex)(&luo_file->mutex);
383
384 if (luo_file->fh->ops->freeze) {
385 struct liveupdate_file_op_args args = {0};
386
387 args.handler = luo_file->fh;
388 args.file = luo_file->file;
389 args.serialized_data = luo_file->serialized_data;
390 args.private_data = luo_file->private_data;
391
392 err = luo_file->fh->ops->freeze(&args);
393 if (!err)
394 luo_file->serialized_data = args.serialized_data;
395 }
396
397 return err;
398 }
399
luo_file_unfreeze_one(struct luo_file_set * file_set,struct luo_file * luo_file)400 static void luo_file_unfreeze_one(struct luo_file_set *file_set,
401 struct luo_file *luo_file)
402 {
403 guard(mutex)(&luo_file->mutex);
404
405 if (luo_file->fh->ops->unfreeze) {
406 struct liveupdate_file_op_args args = {0};
407
408 args.handler = luo_file->fh;
409 args.file = luo_file->file;
410 args.serialized_data = luo_file->serialized_data;
411 args.private_data = luo_file->private_data;
412
413 luo_file->fh->ops->unfreeze(&args);
414 }
415 }
416
__luo_file_unfreeze(struct luo_file_set * file_set,struct luo_file * failed_entry)417 static void __luo_file_unfreeze(struct luo_file_set *file_set,
418 struct luo_file *failed_entry)
419 {
420 struct list_head *files_list = &file_set->files_list;
421 struct luo_file *luo_file;
422
423 list_for_each_entry(luo_file, files_list, list) {
424 if (luo_file == failed_entry)
425 break;
426
427 luo_file_unfreeze_one(file_set, luo_file);
428 }
429
430 memset(file_set->files, 0, LUO_FILE_PGCNT << PAGE_SHIFT);
431 }
432
433 /**
434 * luo_file_freeze - Freezes all preserved files and serializes their metadata.
435 * @file_set: The file_set whose files are to be frozen.
436 * @file_set_ser: Where to put the serialized file_set.
437 *
438 * This function is called from the reboot() syscall path, just before the
439 * kernel transitions to the new image via kexec. Its purpose is to perform the
440 * final preparation and serialization of all preserved files in the file_set.
441 *
442 * It iterates through each preserved file in FIFO order (the order of
443 * preservation) and performs two main actions:
444 *
445 * 1. Freezes the File: It calls the handler's .freeze() callback for each
446 * file. This gives the handler a final opportunity to quiesce the device or
447 * prepare its state for the upcoming reboot. The handler may update its
448 * private data handle during this step.
449 *
450 * 2. Serializes Metadata: After a successful freeze, it copies the final file
451 * metadata—the handler's compatible string, the user token, and the final
452 * private data handle—into the pre-allocated contiguous memory buffer
453 * (file_set->files) that will be handed over to the next kernel via KHO.
454 *
455 * Error Handling (Rollback):
456 * This function is atomic. If any handler's .freeze() operation fails, the
457 * entire live update is aborted. The __luo_file_unfreeze() helper is
458 * immediately called to invoke the .unfreeze() op on all files that were
459 * successfully frozen before the point of failure, rolling them back to a
460 * running state. The function then returns an error, causing the reboot()
461 * syscall to fail.
462 *
463 * Context: Called only from the liveupdate_reboot() path.
464 * Return: 0 on success, or a negative errno on failure.
465 */
luo_file_freeze(struct luo_file_set * file_set,struct luo_file_set_ser * file_set_ser)466 int luo_file_freeze(struct luo_file_set *file_set,
467 struct luo_file_set_ser *file_set_ser)
468 {
469 struct luo_file_ser *file_ser = file_set->files;
470 struct luo_file *luo_file;
471 int err;
472 int i;
473
474 if (!file_set->count)
475 return 0;
476
477 if (WARN_ON(!file_ser))
478 return -EINVAL;
479
480 i = 0;
481 list_for_each_entry(luo_file, &file_set->files_list, list) {
482 err = luo_file_freeze_one(file_set, luo_file);
483 if (err < 0) {
484 pr_warn("Freeze failed for token[%#0llx] handler[%s] err[%pe]\n",
485 luo_file->token, luo_file->fh->compatible,
486 ERR_PTR(err));
487 goto err_unfreeze;
488 }
489
490 strscpy(file_ser[i].compatible, luo_file->fh->compatible,
491 sizeof(file_ser[i].compatible));
492 file_ser[i].data = luo_file->serialized_data;
493 file_ser[i].token = luo_file->token;
494 i++;
495 }
496
497 file_set_ser->count = file_set->count;
498 if (file_set->files)
499 file_set_ser->files = virt_to_phys(file_set->files);
500
501 return 0;
502
503 err_unfreeze:
504 __luo_file_unfreeze(file_set, luo_file);
505
506 return err;
507 }
508
509 /**
510 * luo_file_unfreeze - Unfreezes all files in a file_set and clear serialization
511 * @file_set: The file_set whose files are to be unfrozen.
512 * @file_set_ser: Serialized file_set.
513 *
514 * This function rolls back the state of all files in a file_set after the
515 * freeze phase has begun but must be aborted. It is the counterpart to
516 * luo_file_freeze().
517 *
518 * It invokes the __luo_file_unfreeze() helper with a NULL argument, which
519 * signals the helper to iterate through all files in the file_set and call
520 * their respective .unfreeze() handler callbacks.
521 *
522 * Context: This is called when the live update is aborted during
523 * the reboot() syscall, after luo_file_freeze() has been called.
524 */
luo_file_unfreeze(struct luo_file_set * file_set,struct luo_file_set_ser * file_set_ser)525 void luo_file_unfreeze(struct luo_file_set *file_set,
526 struct luo_file_set_ser *file_set_ser)
527 {
528 if (!file_set->count)
529 return;
530
531 __luo_file_unfreeze(file_set, NULL);
532 memset(file_set_ser, 0, sizeof(*file_set_ser));
533 }
534
535 /**
536 * luo_retrieve_file - Restores a preserved file from a file_set by its token.
537 * @file_set: The file_set from which to retrieve the file.
538 * @token: The unique token identifying the file to be restored.
539 * @filep: Output parameter; on success, this is populated with a pointer
540 * to the newly retrieved 'struct file'.
541 *
542 * This function is the primary mechanism for recreating a file in the new
543 * kernel after a live update. It searches the file_set's list of deserialized
544 * files for an entry matching the provided @token.
545 *
546 * The operation is idempotent: if a file has already been successfully
547 * retrieved, this function will simply return a pointer to the existing
548 * 'struct file' and report success without re-executing the retrieve
549 * operation. This is handled by checking the 'retrieved' flag under a lock.
550 *
551 * File retrieval can happen in any order; it is not bound by the order of
552 * preservation.
553 *
554 * Context: Can be called from an ioctl or other in-kernel code in the new
555 * kernel.
556 * Return: 0 on success. Returns a negative errno on failure:
557 * -ENOENT if no file with the matching token is found.
558 * Any error code returned by the handler's .retrieve() op.
559 */
luo_retrieve_file(struct luo_file_set * file_set,u64 token,struct file ** filep)560 int luo_retrieve_file(struct luo_file_set *file_set, u64 token,
561 struct file **filep)
562 {
563 struct liveupdate_file_op_args args = {0};
564 struct luo_file *luo_file;
565 bool found = false;
566 int err;
567
568 if (list_empty(&file_set->files_list))
569 return -ENOENT;
570
571 list_for_each_entry(luo_file, &file_set->files_list, list) {
572 if (luo_file->token == token) {
573 found = true;
574 break;
575 }
576 }
577
578 if (!found)
579 return -ENOENT;
580
581 guard(mutex)(&luo_file->mutex);
582 if (luo_file->retrieve_status < 0) {
583 /* Retrieve was attempted and it failed. Return the error code. */
584 return luo_file->retrieve_status;
585 }
586
587 if (luo_file->retrieve_status > 0) {
588 /*
589 * Someone is asking for this file again, so get a reference
590 * for them.
591 */
592 get_file(luo_file->file);
593 *filep = luo_file->file;
594 return 0;
595 }
596
597 args.handler = luo_file->fh;
598 args.serialized_data = luo_file->serialized_data;
599 err = luo_file->fh->ops->retrieve(&args);
600 if (err) {
601 /* Keep the error code for later use. */
602 luo_file->retrieve_status = err;
603 return err;
604 }
605
606 luo_file->file = args.file;
607 /* Get reference so we can keep this file in LUO until finish */
608 get_file(luo_file->file);
609 *filep = luo_file->file;
610 luo_file->retrieve_status = 1;
611
612 return 0;
613 }
614
luo_file_can_finish_one(struct luo_file_set * file_set,struct luo_file * luo_file)615 static int luo_file_can_finish_one(struct luo_file_set *file_set,
616 struct luo_file *luo_file)
617 {
618 bool can_finish = true;
619
620 guard(mutex)(&luo_file->mutex);
621
622 if (luo_file->fh->ops->can_finish) {
623 struct liveupdate_file_op_args args = {0};
624
625 args.handler = luo_file->fh;
626 args.file = luo_file->file;
627 args.serialized_data = luo_file->serialized_data;
628 args.retrieve_status = luo_file->retrieve_status;
629 can_finish = luo_file->fh->ops->can_finish(&args);
630 }
631
632 return can_finish ? 0 : -EBUSY;
633 }
634
luo_file_finish_one(struct luo_file_set * file_set,struct luo_file * luo_file)635 static void luo_file_finish_one(struct luo_file_set *file_set,
636 struct luo_file *luo_file)
637 {
638 struct liveupdate_file_op_args args = {0};
639
640 guard(mutex)(&luo_file->mutex);
641
642 args.handler = luo_file->fh;
643 args.file = luo_file->file;
644 args.serialized_data = luo_file->serialized_data;
645 args.retrieve_status = luo_file->retrieve_status;
646
647 luo_file->fh->ops->finish(&args);
648 luo_flb_file_finish(luo_file->fh);
649 }
650
651 /**
652 * luo_file_finish - Completes the lifecycle for all files in a file_set.
653 * @file_set: The file_set to be finalized.
654 *
655 * This function orchestrates the final teardown of a live update file_set in
656 * the new kernel. It should be called after all necessary files have been
657 * retrieved and the userspace agent is ready to release the preserved state.
658 *
659 * The function iterates through all tracked files. For each file, it performs
660 * the following sequence of cleanup actions:
661 *
662 * 1. If file is not yet retrieved, retrieves it, and calls can_finish() on
663 * every file in the file_set. If all can_finish return true, continue to
664 * finish.
665 * 2. Calls the handler's .finish() callback (via luo_file_finish_one) to
666 * allow for final resource cleanup within the handler.
667 * 3. Releases LUO's ownership reference on the 'struct file' via fput(). This
668 * is the counterpart to the get_file() call in luo_retrieve_file().
669 * 4. Removes the 'struct luo_file' from the file_set's internal list.
670 * 5. Frees the memory for the 'struct luo_file' instance itself.
671 *
672 * After successfully finishing all individual files, it frees the
673 * contiguous memory block that was used to transfer the serialized metadata
674 * from the previous kernel.
675 *
676 * Error Handling (Atomic Failure):
677 * This operation is atomic. If any handler's .can_finish() op fails, the entire
678 * function aborts immediately and returns an error.
679 *
680 * Context: Can be called from an ioctl handler in the new kernel.
681 * Return: 0 on success, or a negative errno on failure.
682 */
luo_file_finish(struct luo_file_set * file_set)683 int luo_file_finish(struct luo_file_set *file_set)
684 {
685 struct list_head *files_list = &file_set->files_list;
686 struct luo_file *luo_file;
687 int err;
688
689 if (!file_set->count)
690 return 0;
691
692 list_for_each_entry(luo_file, files_list, list) {
693 err = luo_file_can_finish_one(file_set, luo_file);
694 if (err)
695 return err;
696 }
697
698 while (!list_empty(&file_set->files_list)) {
699 luo_file = list_last_entry(&file_set->files_list,
700 struct luo_file, list);
701
702 luo_file_finish_one(file_set, luo_file);
703
704 if (luo_file->file)
705 fput(luo_file->file);
706 list_del(&luo_file->list);
707 file_set->count--;
708 mutex_destroy(&luo_file->mutex);
709 kfree(luo_file);
710 }
711
712 if (file_set->files) {
713 kho_restore_free(file_set->files);
714 file_set->files = NULL;
715 }
716
717 return 0;
718 }
719
720 /**
721 * luo_file_deserialize - Reconstructs the list of preserved files in the new kernel.
722 * @file_set: The incoming file_set to fill with deserialized data.
723 * @file_set_ser: Serialized KHO file_set data from the previous kernel.
724 *
725 * This function is called during the early boot process of the new kernel. It
726 * takes the raw, contiguous memory block of 'struct luo_file_ser' entries,
727 * provided by the previous kernel, and transforms it back into a live,
728 * in-memory linked list of 'struct luo_file' instances.
729 *
730 * For each serialized entry, it performs the following steps:
731 * 1. Reads the 'compatible' string.
732 * 2. Searches the global list of registered file handlers for one that
733 * matches the compatible string.
734 * 3. Allocates a new 'struct luo_file'.
735 * 4. Populates the new structure with the deserialized data (token, private
736 * data handle) and links it to the found handler. The 'file' pointer is
737 * initialized to NULL, as the file has not been retrieved yet.
738 * 5. Adds the new 'struct luo_file' to the file_set's files_list.
739 *
740 * This prepares the file_set for userspace, which can later call
741 * luo_retrieve_file() to restore the actual file descriptors.
742 *
743 * Context: Called from session deserialization.
744 */
luo_file_deserialize(struct luo_file_set * file_set,struct luo_file_set_ser * file_set_ser)745 int luo_file_deserialize(struct luo_file_set *file_set,
746 struct luo_file_set_ser *file_set_ser)
747 {
748 struct luo_file_ser *file_ser;
749 u64 i;
750
751 if (!file_set_ser->files) {
752 WARN_ON(file_set_ser->count);
753 return 0;
754 }
755
756 file_set->count = file_set_ser->count;
757 file_set->files = phys_to_virt(file_set_ser->files);
758
759 /*
760 * Note on error handling:
761 *
762 * If deserialization fails (e.g., allocation failure or corrupt data),
763 * we intentionally skip cleanup of files that were already restored.
764 *
765 * A partial failure leaves the preserved state inconsistent.
766 * Implementing a safe "undo" to unwind complex dependencies (sessions,
767 * files, hardware state) is error-prone and provides little value, as
768 * the system is effectively in a broken state.
769 *
770 * We treat these resources as leaked. The expected recovery path is for
771 * userspace to detect the failure and trigger a reboot, which will
772 * reliably reset devices and reclaim memory.
773 */
774 file_ser = file_set->files;
775 for (i = 0; i < file_set->count; i++) {
776 struct liveupdate_file_handler *fh;
777 bool handler_found = false;
778 struct luo_file *luo_file;
779
780 list_private_for_each_entry(fh, &luo_file_handler_list, list) {
781 if (!strcmp(fh->compatible, file_ser[i].compatible)) {
782 handler_found = true;
783 break;
784 }
785 }
786
787 if (!handler_found) {
788 pr_warn("No registered handler for compatible '%s'\n",
789 file_ser[i].compatible);
790 return -ENOENT;
791 }
792
793 luo_file = kzalloc_obj(*luo_file);
794 if (!luo_file)
795 return -ENOMEM;
796
797 luo_file->fh = fh;
798 luo_file->file = NULL;
799 luo_file->serialized_data = file_ser[i].data;
800 luo_file->token = file_ser[i].token;
801 mutex_init(&luo_file->mutex);
802 list_add_tail(&luo_file->list, &file_set->files_list);
803 }
804
805 return 0;
806 }
807
luo_file_set_init(struct luo_file_set * file_set)808 void luo_file_set_init(struct luo_file_set *file_set)
809 {
810 INIT_LIST_HEAD(&file_set->files_list);
811 }
812
luo_file_set_destroy(struct luo_file_set * file_set)813 void luo_file_set_destroy(struct luo_file_set *file_set)
814 {
815 WARN_ON(file_set->count);
816 WARN_ON(!list_empty(&file_set->files_list));
817 }
818
819 /**
820 * liveupdate_register_file_handler - Register a file handler with LUO.
821 * @fh: Pointer to a caller-allocated &struct liveupdate_file_handler.
822 * The caller must initialize this structure, including a unique
823 * 'compatible' string and a valid 'fh' callbacks. This function adds the
824 * handler to the global list of supported file handlers.
825 *
826 * Context: Typically called during module initialization for file types that
827 * support live update preservation.
828 *
829 * Return: 0 on success. Negative errno on failure.
830 */
liveupdate_register_file_handler(struct liveupdate_file_handler * fh)831 int liveupdate_register_file_handler(struct liveupdate_file_handler *fh)
832 {
833 struct liveupdate_file_handler *fh_iter;
834 int err;
835
836 if (!liveupdate_enabled())
837 return -EOPNOTSUPP;
838
839 /* Sanity check that all required callbacks are set */
840 if (!fh->ops->preserve || !fh->ops->unpreserve || !fh->ops->retrieve ||
841 !fh->ops->finish || !fh->ops->can_preserve) {
842 return -EINVAL;
843 }
844
845 /*
846 * Ensure the system is quiescent (no active sessions).
847 * This prevents registering new handlers while sessions are active or
848 * while deserialization is in progress.
849 */
850 if (!luo_session_quiesce())
851 return -EBUSY;
852
853 /* Check for duplicate compatible strings */
854 list_private_for_each_entry(fh_iter, &luo_file_handler_list, list) {
855 if (!strcmp(fh_iter->compatible, fh->compatible)) {
856 pr_err("File handler registration failed: Compatible string '%s' already registered.\n",
857 fh->compatible);
858 err = -EEXIST;
859 goto err_resume;
860 }
861 }
862
863 /* Pin the module implementing the handler */
864 if (!try_module_get(fh->ops->owner)) {
865 err = -EAGAIN;
866 goto err_resume;
867 }
868
869 INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, flb_list));
870 INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, list));
871 list_add_tail(&ACCESS_PRIVATE(fh, list), &luo_file_handler_list);
872 luo_session_resume();
873
874 liveupdate_test_register(fh);
875
876 return 0;
877
878 err_resume:
879 luo_session_resume();
880 return err;
881 }
882
883 /**
884 * liveupdate_unregister_file_handler - Unregister a liveupdate file handler
885 * @fh: The file handler to unregister
886 *
887 * Unregisters the file handler from the liveupdate core. This function
888 * reverses the operations of liveupdate_register_file_handler().
889 *
890 * It ensures safe removal by checking that:
891 * No live update session is currently in progress.
892 * No FLB registered with this file handler.
893 *
894 * If the unregistration fails, the internal test state is reverted.
895 *
896 * Return: 0 Success. -EOPNOTSUPP when live update is not enabled. -EBUSY A live
897 * update is in progress, can't quiesce live update or FLB is registred with
898 * this file handler.
899 */
liveupdate_unregister_file_handler(struct liveupdate_file_handler * fh)900 int liveupdate_unregister_file_handler(struct liveupdate_file_handler *fh)
901 {
902 int err = -EBUSY;
903
904 if (!liveupdate_enabled())
905 return -EOPNOTSUPP;
906
907 liveupdate_test_unregister(fh);
908
909 if (!luo_session_quiesce())
910 goto err_register;
911
912 if (!list_empty(&ACCESS_PRIVATE(fh, flb_list)))
913 goto err_resume;
914
915 list_del(&ACCESS_PRIVATE(fh, list));
916 module_put(fh->ops->owner);
917 luo_session_resume();
918
919 return 0;
920
921 err_resume:
922 luo_session_resume();
923 err_register:
924 liveupdate_test_register(fh);
925 return err;
926 }
927