1 // SPDX-License-Identifier: GPL-2.0 2 3 /* 4 * Copyright (c) 2025, Google LLC. 5 * Pasha Tatashin <pasha.tatashin@soleen.com> 6 */ 7 8 /** 9 * DOC: LUO File Descriptors 10 * 11 * LUO provides the infrastructure to preserve specific, stateful file 12 * descriptors across a kexec-based live update. The primary goal is to allow 13 * workloads, such as virtual machines using vfio, memfd, or iommufd, to 14 * retain access to their essential resources without interruption. 15 * 16 * The framework is built around a callback-based handler model and a well- 17 * defined lifecycle for each preserved file. 18 * 19 * Handler Registration: 20 * Kernel modules responsible for a specific file type (e.g., memfd, vfio) 21 * register a &struct liveupdate_file_handler. This handler provides a set of 22 * callbacks that LUO invokes at different stages of the update process, most 23 * notably: 24 * 25 * - can_preserve(): A lightweight check to determine if the handler is 26 * compatible with a given 'struct file'. 27 * - preserve(): The heavyweight operation that saves the file's state and 28 * returns an opaque u64 handle. This is typically performed while the 29 * workload is still active to minimize the downtime during the 30 * actual reboot transition. 31 * - unpreserve(): Cleans up any resources allocated by .preserve(), called 32 * if the preservation process is aborted before the reboot (i.e. session is 33 * closed). 34 * - freeze(): A final pre-reboot opportunity to prepare the state for kexec. 35 * We are already in reboot syscall, and therefore userspace cannot mutate 36 * the file anymore. 37 * - unfreeze(): Undoes the actions of .freeze(), called if the live update 38 * is aborted after the freeze phase. 39 * - retrieve(): Reconstructs the file in the new kernel from the preserved 40 * handle. 41 * - finish(): Performs final check and cleanup in the new kernel. After 42 * succesul finish call, LUO gives up ownership to this file. 43 * 44 * File Preservation Lifecycle happy path: 45 * 46 * 1. Preserve (Normal Operation): A userspace agent preserves files one by one 47 * via an ioctl. For each file, luo_preserve_file() finds a compatible 48 * handler, calls its .preserve() operation, and creates an internal &struct 49 * luo_file to track the live state. 50 * 51 * 2. Freeze (Pre-Reboot): Just before the kexec, luo_file_freeze() is called. 52 * It iterates through all preserved files, calls their respective .freeze() 53 * operation, and serializes their final metadata (compatible string, token, 54 * and data handle) into a contiguous memory block for KHO. 55 * 56 * 3. Deserialize: After kexec, luo_file_deserialize() runs when session gets 57 * deserialized (which is when /dev/liveupdate is first opened). It reads the 58 * serialized data from the KHO memory region and reconstructs the in-memory 59 * list of &struct luo_file instances for the new kernel, linking them to 60 * their corresponding handlers. 61 * 62 * 4. Retrieve (New Kernel - Userspace Ready): The userspace agent can now 63 * restore file descriptors by providing a token. luo_retrieve_file() 64 * searches for the matching token, calls the handler's .retrieve() op to 65 * re-create the 'struct file', and returns a new FD. Files can be 66 * retrieved in ANY order. 67 * 68 * 5. Finish (New Kernel - Cleanup): Once a session retrival is complete, 69 * luo_file_finish() is called. It iterates through all files, invokes their 70 * .finish() operations for final cleanup, and releases all associated kernel 71 * resources. 72 * 73 * File Preservation Lifecycle unhappy paths: 74 * 75 * 1. Abort Before Reboot: If the userspace agent aborts the live update 76 * process before calling reboot (e.g., by closing the session file 77 * descriptor), the session's release handler calls 78 * luo_file_unpreserve_files(). This invokes the .unpreserve() callback on 79 * all preserved files, ensuring all allocated resources are cleaned up and 80 * returning the system to a clean state. 81 * 82 * 2. Freeze Failure: During the reboot() syscall, if any handler's .freeze() 83 * op fails, the .unfreeze() op is invoked on all previously *successful* 84 * freezes to roll back their state. The reboot() syscall then returns an 85 * error to userspace, canceling the live update. 86 * 87 * 3. Finish Failure: In the new kernel, if a handler's .finish() op fails, 88 * the luo_file_finish() operation is aborted. LUO retains ownership of 89 * all files within that session, including those that were not yet 90 * processed. The userspace agent can attempt to call the finish operation 91 * again later. If the issue cannot be resolved, these resources will be held 92 * by LUO until the next live update cycle, at which point they will be 93 * discarded. 94 */ 95 96 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 97 98 #include <linux/cleanup.h> 99 #include <linux/compiler.h> 100 #include <linux/err.h> 101 #include <linux/errno.h> 102 #include <linux/file.h> 103 #include <linux/fs.h> 104 #include <linux/io.h> 105 #include <linux/kexec_handover.h> 106 #include <linux/kho/abi/luo.h> 107 #include <linux/list_private.h> 108 #include <linux/liveupdate.h> 109 #include <linux/module.h> 110 #include <linux/sizes.h> 111 #include <linux/xarray.h> 112 #include <linux/slab.h> 113 #include <linux/string.h> 114 #include "luo_internal.h" 115 116 static LIST_HEAD(luo_file_handler_list); 117 118 /* Keep track of files being preserved by LUO */ 119 static DEFINE_XARRAY(luo_preserved_files); 120 121 /* 2 4K pages, give space for 128 files per file_set */ 122 #define LUO_FILE_PGCNT 2ul 123 #define LUO_FILE_MAX \ 124 ((LUO_FILE_PGCNT << PAGE_SHIFT) / sizeof(struct luo_file_ser)) 125 126 /** 127 * struct luo_file - Represents a single preserved file instance. 128 * @fh: Pointer to the &struct liveupdate_file_handler that manages 129 * this type of file. 130 * @file: Pointer to the kernel's &struct file that is being preserved. 131 * This is NULL in the new kernel until the file is successfully 132 * retrieved. 133 * @serialized_data: The opaque u64 handle to the serialized state of the file. 134 * This handle is passed back to the handler's .freeze(), 135 * .retrieve(), and .finish() callbacks, allowing it to track 136 * and update its serialized state across phases. 137 * @private_data: Pointer to the private data for the file used to hold runtime 138 * state that is not preserved. Set by the handler's .preserve() 139 * callback, and must be freed in the handler's .unpreserve() 140 * callback. 141 * @retrieve_status: Status code indicating whether a user/kernel in the new kernel has 142 * successfully called retrieve() on this file. This prevents 143 * multiple retrieval attempts. A value of 0 means a retrieve() 144 * has not been attempted, a positive value means the retrieve() 145 * was successful, and a negative value means the retrieve() 146 * failed, and the value is the error code of the call. 147 * @mutex: A mutex that protects the fields of this specific instance 148 * (e.g., @retrieved, @file), ensuring that operations like 149 * retrieving or finishing a file are atomic. 150 * @list: The list_head linking this instance into its parent 151 * file_set's list of preserved files. 152 * @token: The user-provided unique token used to identify this file. 153 * 154 * This structure is the core in-kernel representation of a single file being 155 * managed through a live update. An instance is created by luo_preserve_file() 156 * to link a 'struct file' to its corresponding handler, a user-provided token, 157 * and the serialized state handle returned by the handler's .preserve() 158 * operation. 159 * 160 * These instances are tracked in a per-file_set list. The @serialized_data 161 * field, which holds a handle to the file's serialized state, may be updated 162 * during the .freeze() callback before being serialized for the next kernel. 163 * After reboot, these structures are recreated by luo_file_deserialize() and 164 * are finally cleaned up by luo_file_finish(). 165 */ 166 struct luo_file { 167 struct liveupdate_file_handler *fh; 168 struct file *file; 169 u64 serialized_data; 170 void *private_data; 171 int retrieve_status; 172 struct mutex mutex; 173 struct list_head list; 174 u64 token; 175 }; 176 177 static int luo_alloc_files_mem(struct luo_file_set *file_set) 178 { 179 size_t size; 180 void *mem; 181 182 if (file_set->files) 183 return 0; 184 185 WARN_ON_ONCE(file_set->count); 186 187 size = LUO_FILE_PGCNT << PAGE_SHIFT; 188 mem = kho_alloc_preserve(size); 189 if (IS_ERR(mem)) 190 return PTR_ERR(mem); 191 192 file_set->files = mem; 193 194 return 0; 195 } 196 197 static void luo_free_files_mem(struct luo_file_set *file_set) 198 { 199 /* If file_set has files, no need to free preservation memory */ 200 if (file_set->count) 201 return; 202 203 if (!file_set->files) 204 return; 205 206 kho_unpreserve_free(file_set->files); 207 file_set->files = NULL; 208 } 209 210 static unsigned long luo_get_id(struct liveupdate_file_handler *fh, 211 struct file *file) 212 { 213 return fh->ops->get_id ? fh->ops->get_id(file) : (unsigned long)file; 214 } 215 216 static bool luo_token_is_used(struct luo_file_set *file_set, u64 token) 217 { 218 struct luo_file *iter; 219 220 list_for_each_entry(iter, &file_set->files_list, list) { 221 if (iter->token == token) 222 return true; 223 } 224 225 return false; 226 } 227 228 /** 229 * luo_preserve_file - Initiate the preservation of a file descriptor. 230 * @file_set: The file_set to which the preserved file will be added. 231 * @token: A unique, user-provided identifier for the file. 232 * @fd: The file descriptor to be preserved. 233 * 234 * This function orchestrates the first phase of preserving a file. Upon entry, 235 * it takes a reference to the 'struct file' via fget(), effectively making LUO 236 * a co-owner of the file. This reference is held until the file is either 237 * unpreserved or successfully finished in the next kernel, preventing the file 238 * from being prematurely destroyed. 239 * 240 * This function orchestrates the first phase of preserving a file. It performs 241 * the following steps: 242 * 243 * 1. Validates that the @token is not already in use within the file_set. 244 * 2. Ensures the file_set's memory for files serialization is allocated 245 * (allocates if needed). 246 * 3. Iterates through registered handlers, calling can_preserve() to find one 247 * compatible with the given @fd. 248 * 4. Calls the handler's .preserve() operation, which saves the file's state 249 * and returns an opaque private data handle. 250 * 5. Adds the new instance to the file_set's internal list. 251 * 252 * On success, LUO takes a reference to the 'struct file' and considers it 253 * under its management until it is unpreserved or finished. 254 * 255 * In case of any failure, all intermediate allocations (file reference, memory 256 * for the 'luo_file' struct, etc.) are cleaned up before returning an error. 257 * 258 * Context: Can be called from an ioctl handler during normal system operation. 259 * Return: 0 on success. Returns a negative errno on failure: 260 * -EEXIST if the token is already used. 261 * -EBUSY if the file descriptor is already preserved by another session. 262 * -EBADF if the file descriptor is invalid. 263 * -ENOSPC if the file_set is full. 264 * -ENOENT if no compatible handler is found. 265 * -ENOMEM on memory allocation failure. 266 * Other erros might be returned by .preserve(). 267 */ 268 int luo_preserve_file(struct luo_file_set *file_set, u64 token, int fd) 269 { 270 struct liveupdate_file_op_args args = {0}; 271 struct liveupdate_file_handler *fh; 272 struct luo_file *luo_file; 273 struct file *file; 274 int err; 275 276 if (luo_token_is_used(file_set, token)) 277 return -EEXIST; 278 279 if (file_set->count == LUO_FILE_MAX) 280 return -ENOSPC; 281 282 file = fget(fd); 283 if (!file) 284 return -EBADF; 285 286 err = luo_alloc_files_mem(file_set); 287 if (err) 288 goto err_fput; 289 290 err = -ENOENT; 291 down_read(&luo_register_rwlock); 292 list_private_for_each_entry(fh, &luo_file_handler_list, list) { 293 if (fh->ops->can_preserve(fh, file)) { 294 err = 0; 295 break; 296 } 297 } 298 up_read(&luo_register_rwlock); 299 300 /* err is still -ENOENT if no handler was found */ 301 if (err) 302 goto err_free_files_mem; 303 304 err = xa_insert(&luo_preserved_files, luo_get_id(fh, file), 305 file, GFP_KERNEL); 306 if (err) 307 goto err_free_files_mem; 308 309 err = luo_flb_file_preserve(fh); 310 if (err) 311 goto err_erase_xa; 312 313 luo_file = kzalloc_obj(*luo_file); 314 if (!luo_file) { 315 err = -ENOMEM; 316 goto err_flb_unpreserve; 317 } 318 319 luo_file->file = file; 320 luo_file->fh = fh; 321 luo_file->token = token; 322 mutex_init(&luo_file->mutex); 323 324 args.handler = fh; 325 args.file = file; 326 err = fh->ops->preserve(&args); 327 if (err) 328 goto err_kfree; 329 330 luo_file->serialized_data = args.serialized_data; 331 luo_file->private_data = args.private_data; 332 list_add_tail(&luo_file->list, &file_set->files_list); 333 file_set->count++; 334 335 return 0; 336 337 err_kfree: 338 kfree(luo_file); 339 err_flb_unpreserve: 340 luo_flb_file_unpreserve(fh); 341 err_erase_xa: 342 xa_erase(&luo_preserved_files, luo_get_id(fh, file)); 343 err_free_files_mem: 344 luo_free_files_mem(file_set); 345 err_fput: 346 fput(file); 347 348 return err; 349 } 350 351 /** 352 * luo_file_unpreserve_files - Unpreserves all files from a file_set. 353 * @file_set: The files to be cleaned up. 354 * 355 * This function serves as the primary cleanup path for a file_set. It is 356 * invoked when the userspace agent closes the file_set's file descriptor. 357 * 358 * For each file, it performs the following cleanup actions: 359 * 1. Calls the handler's .unpreserve() callback to allow the handler to 360 * release any resources it allocated. 361 * 2. Removes the file from the file_set's internal tracking list. 362 * 3. Releases the reference to the 'struct file' that was taken by 363 * luo_preserve_file() via fput(), returning ownership. 364 * 4. Frees the memory associated with the internal 'struct luo_file'. 365 * 366 * After all individual files are unpreserved, it frees the contiguous memory 367 * block that was allocated to hold their serialization data. 368 */ 369 void luo_file_unpreserve_files(struct luo_file_set *file_set) 370 { 371 struct luo_file *luo_file; 372 373 while (!list_empty(&file_set->files_list)) { 374 struct liveupdate_file_op_args args = {0}; 375 376 luo_file = list_last_entry(&file_set->files_list, 377 struct luo_file, list); 378 379 args.handler = luo_file->fh; 380 args.file = luo_file->file; 381 args.serialized_data = luo_file->serialized_data; 382 args.private_data = luo_file->private_data; 383 luo_file->fh->ops->unpreserve(&args); 384 luo_flb_file_unpreserve(luo_file->fh); 385 386 xa_erase(&luo_preserved_files, 387 luo_get_id(luo_file->fh, luo_file->file)); 388 list_del(&luo_file->list); 389 file_set->count--; 390 391 fput(luo_file->file); 392 mutex_destroy(&luo_file->mutex); 393 kfree(luo_file); 394 } 395 396 luo_free_files_mem(file_set); 397 } 398 399 static int luo_file_freeze_one(struct luo_file_set *file_set, 400 struct luo_file *luo_file) 401 { 402 int err = 0; 403 404 guard(mutex)(&luo_file->mutex); 405 406 if (luo_file->fh->ops->freeze) { 407 struct liveupdate_file_op_args args = {0}; 408 409 args.handler = luo_file->fh; 410 args.file = luo_file->file; 411 args.serialized_data = luo_file->serialized_data; 412 args.private_data = luo_file->private_data; 413 414 err = luo_file->fh->ops->freeze(&args); 415 if (!err) 416 luo_file->serialized_data = args.serialized_data; 417 } 418 419 return err; 420 } 421 422 static void luo_file_unfreeze_one(struct luo_file_set *file_set, 423 struct luo_file *luo_file) 424 { 425 guard(mutex)(&luo_file->mutex); 426 427 if (luo_file->fh->ops->unfreeze) { 428 struct liveupdate_file_op_args args = {0}; 429 430 args.handler = luo_file->fh; 431 args.file = luo_file->file; 432 args.serialized_data = luo_file->serialized_data; 433 args.private_data = luo_file->private_data; 434 435 luo_file->fh->ops->unfreeze(&args); 436 } 437 } 438 439 static void __luo_file_unfreeze(struct luo_file_set *file_set, 440 struct luo_file *failed_entry) 441 { 442 struct list_head *files_list = &file_set->files_list; 443 struct luo_file *luo_file; 444 445 list_for_each_entry(luo_file, files_list, list) { 446 if (luo_file == failed_entry) 447 break; 448 449 luo_file_unfreeze_one(file_set, luo_file); 450 } 451 452 memset(file_set->files, 0, LUO_FILE_PGCNT << PAGE_SHIFT); 453 } 454 455 /** 456 * luo_file_freeze - Freezes all preserved files and serializes their metadata. 457 * @file_set: The file_set whose files are to be frozen. 458 * @file_set_ser: Where to put the serialized file_set. 459 * 460 * This function is called from the reboot() syscall path, just before the 461 * kernel transitions to the new image via kexec. Its purpose is to perform the 462 * final preparation and serialization of all preserved files in the file_set. 463 * 464 * It iterates through each preserved file in FIFO order (the order of 465 * preservation) and performs two main actions: 466 * 467 * 1. Freezes the File: It calls the handler's .freeze() callback for each 468 * file. This gives the handler a final opportunity to quiesce the device or 469 * prepare its state for the upcoming reboot. The handler may update its 470 * private data handle during this step. 471 * 472 * 2. Serializes Metadata: After a successful freeze, it copies the final file 473 * metadata—the handler's compatible string, the user token, and the final 474 * private data handle—into the pre-allocated contiguous memory buffer 475 * (file_set->files) that will be handed over to the next kernel via KHO. 476 * 477 * Error Handling (Rollback): 478 * This function is atomic. If any handler's .freeze() operation fails, the 479 * entire live update is aborted. The __luo_file_unfreeze() helper is 480 * immediately called to invoke the .unfreeze() op on all files that were 481 * successfully frozen before the point of failure, rolling them back to a 482 * running state. The function then returns an error, causing the reboot() 483 * syscall to fail. 484 * 485 * Context: Called only from the liveupdate_reboot() path. 486 * Return: 0 on success, or a negative errno on failure. 487 */ 488 int luo_file_freeze(struct luo_file_set *file_set, 489 struct luo_file_set_ser *file_set_ser) 490 { 491 struct luo_file_ser *file_ser = file_set->files; 492 struct luo_file *luo_file; 493 int err; 494 int i; 495 496 if (!file_set->count) 497 return 0; 498 499 if (WARN_ON(!file_ser)) 500 return -EINVAL; 501 502 i = 0; 503 list_for_each_entry(luo_file, &file_set->files_list, list) { 504 err = luo_file_freeze_one(file_set, luo_file); 505 if (err < 0) { 506 pr_warn("Freeze failed for token[%#0llx] handler[%s] err[%pe]\n", 507 luo_file->token, luo_file->fh->compatible, 508 ERR_PTR(err)); 509 goto err_unfreeze; 510 } 511 512 strscpy(file_ser[i].compatible, luo_file->fh->compatible, 513 sizeof(file_ser[i].compatible)); 514 file_ser[i].data = luo_file->serialized_data; 515 file_ser[i].token = luo_file->token; 516 i++; 517 } 518 519 file_set_ser->count = file_set->count; 520 if (file_set->files) 521 file_set_ser->files = virt_to_phys(file_set->files); 522 523 return 0; 524 525 err_unfreeze: 526 __luo_file_unfreeze(file_set, luo_file); 527 528 return err; 529 } 530 531 /** 532 * luo_file_unfreeze - Unfreezes all files in a file_set and clear serialization 533 * @file_set: The file_set whose files are to be unfrozen. 534 * @file_set_ser: Serialized file_set. 535 * 536 * This function rolls back the state of all files in a file_set after the 537 * freeze phase has begun but must be aborted. It is the counterpart to 538 * luo_file_freeze(). 539 * 540 * It invokes the __luo_file_unfreeze() helper with a NULL argument, which 541 * signals the helper to iterate through all files in the file_set and call 542 * their respective .unfreeze() handler callbacks. 543 * 544 * Context: This is called when the live update is aborted during 545 * the reboot() syscall, after luo_file_freeze() has been called. 546 */ 547 void luo_file_unfreeze(struct luo_file_set *file_set, 548 struct luo_file_set_ser *file_set_ser) 549 { 550 if (!file_set->count) 551 return; 552 553 __luo_file_unfreeze(file_set, NULL); 554 memset(file_set_ser, 0, sizeof(*file_set_ser)); 555 } 556 557 /** 558 * luo_retrieve_file - Restores a preserved file from a file_set by its token. 559 * @file_set: The file_set from which to retrieve the file. 560 * @token: The unique token identifying the file to be restored. 561 * @filep: Output parameter; on success, this is populated with a pointer 562 * to the newly retrieved 'struct file'. 563 * 564 * This function is the primary mechanism for recreating a file in the new 565 * kernel after a live update. It searches the file_set's list of deserialized 566 * files for an entry matching the provided @token. 567 * 568 * The operation is idempotent: if a file has already been successfully 569 * retrieved, this function will simply return a pointer to the existing 570 * 'struct file' and report success without re-executing the retrieve 571 * operation. This is handled by checking the 'retrieved' flag under a lock. 572 * 573 * File retrieval can happen in any order; it is not bound by the order of 574 * preservation. 575 * 576 * Context: Can be called from an ioctl or other in-kernel code in the new 577 * kernel. 578 * Return: 0 on success. Returns a negative errno on failure: 579 * -ENOENT if no file with the matching token is found. 580 * Any error code returned by the handler's .retrieve() op. 581 */ 582 int luo_retrieve_file(struct luo_file_set *file_set, u64 token, 583 struct file **filep) 584 { 585 struct liveupdate_file_op_args args = {0}; 586 struct luo_file *luo_file; 587 bool found = false; 588 int err; 589 590 if (list_empty(&file_set->files_list)) 591 return -ENOENT; 592 593 list_for_each_entry(luo_file, &file_set->files_list, list) { 594 if (luo_file->token == token) { 595 found = true; 596 break; 597 } 598 } 599 600 if (!found) 601 return -ENOENT; 602 603 guard(mutex)(&luo_file->mutex); 604 if (luo_file->retrieve_status < 0) { 605 /* Retrieve was attempted and it failed. Return the error code. */ 606 return luo_file->retrieve_status; 607 } 608 609 if (luo_file->retrieve_status > 0) { 610 /* 611 * Someone is asking for this file again, so get a reference 612 * for them. 613 */ 614 get_file(luo_file->file); 615 *filep = luo_file->file; 616 return 0; 617 } 618 619 args.handler = luo_file->fh; 620 args.serialized_data = luo_file->serialized_data; 621 err = luo_file->fh->ops->retrieve(&args); 622 if (err) { 623 /* Keep the error code for later use. */ 624 luo_file->retrieve_status = err; 625 return err; 626 } 627 628 luo_file->file = args.file; 629 /* Get reference so we can keep this file in LUO until finish */ 630 get_file(luo_file->file); 631 632 WARN_ON(xa_insert(&luo_preserved_files, 633 luo_get_id(luo_file->fh, luo_file->file), 634 luo_file->file, GFP_KERNEL)); 635 636 *filep = luo_file->file; 637 luo_file->retrieve_status = 1; 638 639 return 0; 640 } 641 642 static int luo_file_can_finish_one(struct luo_file_set *file_set, 643 struct luo_file *luo_file) 644 { 645 bool can_finish = true; 646 647 guard(mutex)(&luo_file->mutex); 648 649 if (luo_file->fh->ops->can_finish) { 650 struct liveupdate_file_op_args args = {0}; 651 652 args.handler = luo_file->fh; 653 args.file = luo_file->file; 654 args.serialized_data = luo_file->serialized_data; 655 args.retrieve_status = luo_file->retrieve_status; 656 can_finish = luo_file->fh->ops->can_finish(&args); 657 } 658 659 return can_finish ? 0 : -EBUSY; 660 } 661 662 static void luo_file_finish_one(struct luo_file_set *file_set, 663 struct luo_file *luo_file) 664 { 665 struct liveupdate_file_op_args args = {0}; 666 667 guard(mutex)(&luo_file->mutex); 668 669 args.handler = luo_file->fh; 670 args.file = luo_file->file; 671 args.serialized_data = luo_file->serialized_data; 672 args.retrieve_status = luo_file->retrieve_status; 673 674 luo_file->fh->ops->finish(&args); 675 luo_flb_file_finish(luo_file->fh); 676 } 677 678 /** 679 * luo_file_finish - Completes the lifecycle for all files in a file_set. 680 * @file_set: The file_set to be finalized. 681 * 682 * This function orchestrates the final teardown of a live update file_set in 683 * the new kernel. It should be called after all necessary files have been 684 * retrieved and the userspace agent is ready to release the preserved state. 685 * 686 * The function iterates through all tracked files. For each file, it performs 687 * the following sequence of cleanup actions: 688 * 689 * 1. If file is not yet retrieved, retrieves it, and calls can_finish() on 690 * every file in the file_set. If all can_finish return true, continue to 691 * finish. 692 * 2. Calls the handler's .finish() callback (via luo_file_finish_one) to 693 * allow for final resource cleanup within the handler. 694 * 3. Releases LUO's ownership reference on the 'struct file' via fput(). This 695 * is the counterpart to the get_file() call in luo_retrieve_file(). 696 * 4. Removes the 'struct luo_file' from the file_set's internal list. 697 * 5. Frees the memory for the 'struct luo_file' instance itself. 698 * 699 * After successfully finishing all individual files, it frees the 700 * contiguous memory block that was used to transfer the serialized metadata 701 * from the previous kernel. 702 * 703 * Error Handling (Atomic Failure): 704 * This operation is atomic. If any handler's .can_finish() op fails, the entire 705 * function aborts immediately and returns an error. 706 * 707 * Context: Can be called from an ioctl handler in the new kernel. 708 * Return: 0 on success, or a negative errno on failure. 709 */ 710 int luo_file_finish(struct luo_file_set *file_set) 711 { 712 struct list_head *files_list = &file_set->files_list; 713 struct luo_file *luo_file; 714 int err; 715 716 if (!file_set->count) 717 return 0; 718 719 list_for_each_entry(luo_file, files_list, list) { 720 err = luo_file_can_finish_one(file_set, luo_file); 721 if (err) 722 return err; 723 } 724 725 while (!list_empty(&file_set->files_list)) { 726 luo_file = list_last_entry(&file_set->files_list, 727 struct luo_file, list); 728 729 luo_file_finish_one(file_set, luo_file); 730 731 if (luo_file->file) { 732 xa_erase(&luo_preserved_files, 733 luo_get_id(luo_file->fh, luo_file->file)); 734 fput(luo_file->file); 735 } 736 list_del(&luo_file->list); 737 file_set->count--; 738 mutex_destroy(&luo_file->mutex); 739 kfree(luo_file); 740 } 741 742 if (file_set->files) { 743 kho_restore_free(file_set->files); 744 file_set->files = NULL; 745 } 746 747 return 0; 748 } 749 750 /** 751 * luo_file_deserialize - Reconstructs the list of preserved files in the new kernel. 752 * @file_set: The incoming file_set to fill with deserialized data. 753 * @file_set_ser: Serialized KHO file_set data from the previous kernel. 754 * 755 * This function is called during the early boot process of the new kernel. It 756 * takes the raw, contiguous memory block of 'struct luo_file_ser' entries, 757 * provided by the previous kernel, and transforms it back into a live, 758 * in-memory linked list of 'struct luo_file' instances. 759 * 760 * For each serialized entry, it performs the following steps: 761 * 1. Reads the 'compatible' string. 762 * 2. Searches the global list of registered file handlers for one that 763 * matches the compatible string. 764 * 3. Allocates a new 'struct luo_file'. 765 * 4. Populates the new structure with the deserialized data (token, private 766 * data handle) and links it to the found handler. The 'file' pointer is 767 * initialized to NULL, as the file has not been retrieved yet. 768 * 5. Adds the new 'struct luo_file' to the file_set's files_list. 769 * 770 * This prepares the file_set for userspace, which can later call 771 * luo_retrieve_file() to restore the actual file descriptors. 772 * 773 * Context: Called from session deserialization. 774 */ 775 int luo_file_deserialize(struct luo_file_set *file_set, 776 struct luo_file_set_ser *file_set_ser) 777 { 778 struct luo_file_ser *file_ser; 779 u64 i; 780 781 if (!file_set_ser->files) { 782 WARN_ON(file_set_ser->count); 783 return 0; 784 } 785 786 file_set->count = file_set_ser->count; 787 file_set->files = phys_to_virt(file_set_ser->files); 788 789 /* 790 * Note on error handling: 791 * 792 * If deserialization fails (e.g., allocation failure or corrupt data), 793 * we intentionally skip cleanup of files that were already restored. 794 * 795 * A partial failure leaves the preserved state inconsistent. 796 * Implementing a safe "undo" to unwind complex dependencies (sessions, 797 * files, hardware state) is error-prone and provides little value, as 798 * the system is effectively in a broken state. 799 * 800 * We treat these resources as leaked. The expected recovery path is for 801 * userspace to detect the failure and trigger a reboot, which will 802 * reliably reset devices and reclaim memory. 803 */ 804 file_ser = file_set->files; 805 for (i = 0; i < file_set->count; i++) { 806 struct liveupdate_file_handler *fh; 807 bool handler_found = false; 808 struct luo_file *luo_file; 809 810 down_read(&luo_register_rwlock); 811 list_private_for_each_entry(fh, &luo_file_handler_list, list) { 812 if (!strcmp(fh->compatible, file_ser[i].compatible)) { 813 handler_found = true; 814 break; 815 } 816 } 817 up_read(&luo_register_rwlock); 818 819 if (!handler_found) { 820 pr_warn("No registered handler for compatible '%.*s'\n", 821 (int)sizeof(file_ser[i].compatible), 822 file_ser[i].compatible); 823 return -ENOENT; 824 } 825 826 luo_file = kzalloc_obj(*luo_file); 827 if (!luo_file) 828 return -ENOMEM; 829 830 luo_file->fh = fh; 831 luo_file->file = NULL; 832 luo_file->serialized_data = file_ser[i].data; 833 luo_file->token = file_ser[i].token; 834 mutex_init(&luo_file->mutex); 835 list_add_tail(&luo_file->list, &file_set->files_list); 836 } 837 838 return 0; 839 } 840 841 void luo_file_set_init(struct luo_file_set *file_set) 842 { 843 INIT_LIST_HEAD(&file_set->files_list); 844 } 845 846 void luo_file_set_destroy(struct luo_file_set *file_set) 847 { 848 WARN_ON(file_set->count); 849 WARN_ON(!list_empty(&file_set->files_list)); 850 } 851 852 /** 853 * liveupdate_register_file_handler - Register a file handler with LUO. 854 * @fh: Pointer to a caller-allocated &struct liveupdate_file_handler. 855 * The caller must initialize this structure, including a unique 856 * 'compatible' string and a valid 'fh' callbacks. This function adds the 857 * handler to the global list of supported file handlers. 858 * 859 * Context: Typically called during module initialization for file types that 860 * support live update preservation. 861 * 862 * Return: 0 on success. Negative errno on failure. 863 */ 864 int liveupdate_register_file_handler(struct liveupdate_file_handler *fh) 865 { 866 struct liveupdate_file_handler *fh_iter; 867 int err; 868 869 if (!liveupdate_enabled()) 870 return -EOPNOTSUPP; 871 872 /* Sanity check that all required callbacks are set */ 873 if (!fh->ops->preserve || !fh->ops->unpreserve || !fh->ops->retrieve || 874 !fh->ops->finish || !fh->ops->can_preserve) { 875 return -EINVAL; 876 } 877 878 /* 879 * Ensure the system is quiescent (no active sessions). 880 * This prevents registering new handlers while sessions are active or 881 * while deserialization is in progress. 882 */ 883 if (!luo_session_quiesce()) 884 return -EBUSY; 885 886 down_write(&luo_register_rwlock); 887 /* Check for duplicate compatible strings */ 888 list_private_for_each_entry(fh_iter, &luo_file_handler_list, list) { 889 if (!strcmp(fh_iter->compatible, fh->compatible)) { 890 pr_err("File handler registration failed: Compatible string '%s' already registered.\n", 891 fh->compatible); 892 err = -EEXIST; 893 goto err_unlock; 894 } 895 } 896 897 /* Pin the module implementing the handler */ 898 if (!try_module_get(fh->ops->owner)) { 899 err = -EAGAIN; 900 goto err_unlock; 901 } 902 903 INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, flb_list)); 904 INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, list)); 905 list_add_tail(&ACCESS_PRIVATE(fh, list), &luo_file_handler_list); 906 up_write(&luo_register_rwlock); 907 908 luo_session_resume(); 909 910 liveupdate_test_register(fh); 911 912 return 0; 913 914 err_unlock: 915 up_write(&luo_register_rwlock); 916 luo_session_resume(); 917 return err; 918 } 919 920 /** 921 * liveupdate_unregister_file_handler - Unregister a liveupdate file handler 922 * @fh: The file handler to unregister 923 * 924 * Unregisters the file handler from the liveupdate core. This function 925 * reverses the operations of liveupdate_register_file_handler(). 926 * 927 * It ensures safe removal by checking that: 928 * No live update session is currently in progress. 929 * No FLB registered with this file handler. 930 * 931 * If the unregistration fails, the internal test state is reverted. 932 * 933 * Return: 0 Success. -EOPNOTSUPP when live update is not enabled. -EBUSY A live 934 * update is in progress, can't quiesce live update or FLB is registred with 935 * this file handler. 936 */ 937 int liveupdate_unregister_file_handler(struct liveupdate_file_handler *fh) 938 { 939 int err = -EBUSY; 940 941 if (!liveupdate_enabled()) 942 return -EOPNOTSUPP; 943 944 liveupdate_test_unregister(fh); 945 946 if (!luo_session_quiesce()) 947 goto err_register; 948 949 down_write(&luo_register_rwlock); 950 if (!list_empty(&ACCESS_PRIVATE(fh, flb_list))) 951 goto err_unlock; 952 953 list_del(&ACCESS_PRIVATE(fh, list)); 954 up_write(&luo_register_rwlock); 955 956 module_put(fh->ops->owner); 957 luo_session_resume(); 958 959 return 0; 960 961 err_unlock: 962 up_write(&luo_register_rwlock); 963 luo_session_resume(); 964 err_register: 965 liveupdate_test_register(fh); 966 return err; 967 } 968