1 // SPDX-License-Identifier: GPL-2.0 2 3 /* 4 * Copyright (c) 2025, Google LLC. 5 * Pasha Tatashin <pasha.tatashin@soleen.com> 6 */ 7 8 /** 9 * DOC: LUO File Descriptors 10 * 11 * LUO provides the infrastructure to preserve specific, stateful file 12 * descriptors across a kexec-based live update. The primary goal is to allow 13 * workloads, such as virtual machines using vfio, memfd, or iommufd, to 14 * retain access to their essential resources without interruption. 15 * 16 * The framework is built around a callback-based handler model and a well- 17 * defined lifecycle for each preserved file. 18 * 19 * Handler Registration: 20 * Kernel modules responsible for a specific file type (e.g., memfd, vfio) 21 * register a &struct liveupdate_file_handler. This handler provides a set of 22 * callbacks that LUO invokes at different stages of the update process, most 23 * notably: 24 * 25 * - can_preserve(): A lightweight check to determine if the handler is 26 * compatible with a given 'struct file'. 27 * - preserve(): The heavyweight operation that saves the file's state and 28 * returns an opaque u64 handle. This is typically performed while the 29 * workload is still active to minimize the downtime during the 30 * actual reboot transition. 31 * - unpreserve(): Cleans up any resources allocated by .preserve(), called 32 * if the preservation process is aborted before the reboot (i.e. session is 33 * closed). 34 * - freeze(): A final pre-reboot opportunity to prepare the state for kexec. 35 * We are already in reboot syscall, and therefore userspace cannot mutate 36 * the file anymore. 37 * - unfreeze(): Undoes the actions of .freeze(), called if the live update 38 * is aborted after the freeze phase. 39 * - retrieve(): Reconstructs the file in the new kernel from the preserved 40 * handle. 41 * - finish(): Performs final check and cleanup in the new kernel. After 42 * succesul finish call, LUO gives up ownership to this file. 43 * 44 * File Preservation Lifecycle happy path: 45 * 46 * 1. Preserve (Normal Operation): A userspace agent preserves files one by one 47 * via an ioctl. For each file, luo_preserve_file() finds a compatible 48 * handler, calls its .preserve() operation, and creates an internal &struct 49 * luo_file to track the live state. 50 * 51 * 2. Freeze (Pre-Reboot): Just before the kexec, luo_file_freeze() is called. 52 * It iterates through all preserved files, calls their respective .freeze() 53 * operation, and serializes their final metadata (compatible string, token, 54 * and data handle) into a contiguous memory block for KHO. 55 * 56 * 3. Deserialize: After kexec, luo_file_deserialize() runs when session gets 57 * deserialized (which is when /dev/liveupdate is first opened). It reads the 58 * serialized data from the KHO memory region and reconstructs the in-memory 59 * list of &struct luo_file instances for the new kernel, linking them to 60 * their corresponding handlers. 61 * 62 * 4. Retrieve (New Kernel - Userspace Ready): The userspace agent can now 63 * restore file descriptors by providing a token. luo_retrieve_file() 64 * searches for the matching token, calls the handler's .retrieve() op to 65 * re-create the 'struct file', and returns a new FD. Files can be 66 * retrieved in ANY order. 67 * 68 * 5. Finish (New Kernel - Cleanup): Once a session retrival is complete, 69 * luo_file_finish() is called. It iterates through all files, invokes their 70 * .finish() operations for final cleanup, and releases all associated kernel 71 * resources. 72 * 73 * File Preservation Lifecycle unhappy paths: 74 * 75 * 1. Abort Before Reboot: If the userspace agent aborts the live update 76 * process before calling reboot (e.g., by closing the session file 77 * descriptor), the session's release handler calls 78 * luo_file_unpreserve_files(). This invokes the .unpreserve() callback on 79 * all preserved files, ensuring all allocated resources are cleaned up and 80 * returning the system to a clean state. 81 * 82 * 2. Freeze Failure: During the reboot() syscall, if any handler's .freeze() 83 * op fails, the .unfreeze() op is invoked on all previously *successful* 84 * freezes to roll back their state. The reboot() syscall then returns an 85 * error to userspace, canceling the live update. 86 * 87 * 3. Finish Failure: In the new kernel, if a handler's .finish() op fails, 88 * the luo_file_finish() operation is aborted. LUO retains ownership of 89 * all files within that session, including those that were not yet 90 * processed. The userspace agent can attempt to call the finish operation 91 * again later. If the issue cannot be resolved, these resources will be held 92 * by LUO until the next live update cycle, at which point they will be 93 * discarded. 94 */ 95 96 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 97 98 #include <linux/cleanup.h> 99 #include <linux/compiler.h> 100 #include <linux/err.h> 101 #include <linux/errno.h> 102 #include <linux/file.h> 103 #include <linux/fs.h> 104 #include <linux/io.h> 105 #include <linux/kexec_handover.h> 106 #include <linux/kho/abi/luo.h> 107 #include <linux/list_private.h> 108 #include <linux/liveupdate.h> 109 #include <linux/module.h> 110 #include <linux/sizes.h> 111 #include <linux/xarray.h> 112 #include <linux/slab.h> 113 #include <linux/string.h> 114 #include "luo_internal.h" 115 116 static LIST_HEAD(luo_file_handler_list); 117 118 /* Keep track of files being preserved by LUO */ 119 static DEFINE_XARRAY(luo_preserved_files); 120 121 /* 2 4K pages, give space for 128 files per file_set */ 122 #define LUO_FILE_PGCNT 2ul 123 #define LUO_FILE_MAX \ 124 ((LUO_FILE_PGCNT << PAGE_SHIFT) / sizeof(struct luo_file_ser)) 125 126 /** 127 * struct luo_file - Represents a single preserved file instance. 128 * @fh: Pointer to the &struct liveupdate_file_handler that manages 129 * this type of file. 130 * @file: Pointer to the kernel's &struct file that is being preserved. 131 * This is NULL in the new kernel until the file is successfully 132 * retrieved. 133 * @serialized_data: The opaque u64 handle to the serialized state of the file. 134 * This handle is passed back to the handler's .freeze(), 135 * .retrieve(), and .finish() callbacks, allowing it to track 136 * and update its serialized state across phases. 137 * @private_data: Pointer to the private data for the file used to hold runtime 138 * state that is not preserved. Set by the handler's .preserve() 139 * callback, and must be freed in the handler's .unpreserve() 140 * callback. 141 * @retrieve_status: Status code indicating whether a user/kernel in the new kernel has 142 * successfully called retrieve() on this file. This prevents 143 * multiple retrieval attempts. A value of 0 means a retrieve() 144 * has not been attempted, a positive value means the retrieve() 145 * was successful, and a negative value means the retrieve() 146 * failed, and the value is the error code of the call. 147 * @mutex: A mutex that protects the fields of this specific instance 148 * (e.g., @retrieved, @file), ensuring that operations like 149 * retrieving or finishing a file are atomic. 150 * @list: The list_head linking this instance into its parent 151 * file_set's list of preserved files. 152 * @token: The user-provided unique token used to identify this file. 153 * 154 * This structure is the core in-kernel representation of a single file being 155 * managed through a live update. An instance is created by luo_preserve_file() 156 * to link a 'struct file' to its corresponding handler, a user-provided token, 157 * and the serialized state handle returned by the handler's .preserve() 158 * operation. 159 * 160 * These instances are tracked in a per-file_set list. The @serialized_data 161 * field, which holds a handle to the file's serialized state, may be updated 162 * during the .freeze() callback before being serialized for the next kernel. 163 * After reboot, these structures are recreated by luo_file_deserialize() and 164 * are finally cleaned up by luo_file_finish(). 165 */ 166 struct luo_file { 167 struct liveupdate_file_handler *fh; 168 struct file *file; 169 u64 serialized_data; 170 void *private_data; 171 int retrieve_status; 172 struct mutex mutex; 173 struct list_head list; 174 u64 token; 175 }; 176 177 static int luo_alloc_files_mem(struct luo_file_set *file_set) 178 { 179 size_t size; 180 void *mem; 181 182 if (file_set->files) 183 return 0; 184 185 WARN_ON_ONCE(file_set->count); 186 187 size = LUO_FILE_PGCNT << PAGE_SHIFT; 188 mem = kho_alloc_preserve(size); 189 if (IS_ERR(mem)) 190 return PTR_ERR(mem); 191 192 file_set->files = mem; 193 194 return 0; 195 } 196 197 static void luo_free_files_mem(struct luo_file_set *file_set) 198 { 199 /* If file_set has files, no need to free preservation memory */ 200 if (file_set->count) 201 return; 202 203 if (!file_set->files) 204 return; 205 206 kho_unpreserve_free(file_set->files); 207 file_set->files = NULL; 208 } 209 210 static unsigned long luo_get_id(struct liveupdate_file_handler *fh, 211 struct file *file) 212 { 213 return fh->ops->get_id ? fh->ops->get_id(file) : (unsigned long)file; 214 } 215 216 static bool luo_token_is_used(struct luo_file_set *file_set, u64 token) 217 { 218 struct luo_file *iter; 219 220 list_for_each_entry(iter, &file_set->files_list, list) { 221 if (iter->token == token) 222 return true; 223 } 224 225 return false; 226 } 227 228 /** 229 * luo_preserve_file - Initiate the preservation of a file descriptor. 230 * @file_set: The file_set to which the preserved file will be added. 231 * @token: A unique, user-provided identifier for the file. 232 * @fd: The file descriptor to be preserved. 233 * 234 * This function orchestrates the first phase of preserving a file. Upon entry, 235 * it takes a reference to the 'struct file' via fget(), effectively making LUO 236 * a co-owner of the file. This reference is held until the file is either 237 * unpreserved or successfully finished in the next kernel, preventing the file 238 * from being prematurely destroyed. 239 * 240 * This function orchestrates the first phase of preserving a file. It performs 241 * the following steps: 242 * 243 * 1. Validates that the @token is not already in use within the file_set. 244 * 2. Ensures the file_set's memory for files serialization is allocated 245 * (allocates if needed). 246 * 3. Iterates through registered handlers, calling can_preserve() to find one 247 * compatible with the given @fd. 248 * 4. Calls the handler's .preserve() operation, which saves the file's state 249 * and returns an opaque private data handle. 250 * 5. Adds the new instance to the file_set's internal list. 251 * 252 * On success, LUO takes a reference to the 'struct file' and considers it 253 * under its management until it is unpreserved or finished. 254 * 255 * In case of any failure, all intermediate allocations (file reference, memory 256 * for the 'luo_file' struct, etc.) are cleaned up before returning an error. 257 * 258 * Context: Can be called from an ioctl handler during normal system operation. 259 * Return: 0 on success. Returns a negative errno on failure: 260 * -EEXIST if the token is already used. 261 * -EBUSY if the file descriptor is already preserved by another session. 262 * -EBADF if the file descriptor is invalid. 263 * -ENOSPC if the file_set is full. 264 * -ENOENT if no compatible handler is found. 265 * -ENOMEM on memory allocation failure. 266 * Other erros might be returned by .preserve(). 267 */ 268 int luo_preserve_file(struct luo_file_set *file_set, u64 token, int fd) 269 { 270 struct liveupdate_file_op_args args = {0}; 271 struct liveupdate_file_handler *fh; 272 struct luo_file *luo_file; 273 struct file *file; 274 int err; 275 276 if (luo_token_is_used(file_set, token)) 277 return -EEXIST; 278 279 if (file_set->count == LUO_FILE_MAX) 280 return -ENOSPC; 281 282 file = fget(fd); 283 if (!file) 284 return -EBADF; 285 286 err = luo_alloc_files_mem(file_set); 287 if (err) 288 goto err_fput; 289 290 err = -ENOENT; 291 down_read(&luo_register_rwlock); 292 list_private_for_each_entry(fh, &luo_file_handler_list, list) { 293 if (fh->ops->can_preserve(fh, file)) { 294 if (try_module_get(fh->ops->owner)) 295 err = 0; 296 break; 297 } 298 } 299 up_read(&luo_register_rwlock); 300 301 /* err is still -ENOENT if no handler was found */ 302 if (err) 303 goto err_free_files_mem; 304 305 err = xa_insert(&luo_preserved_files, luo_get_id(fh, file), 306 file, GFP_KERNEL); 307 if (err) 308 goto err_module_put; 309 310 err = luo_flb_file_preserve(fh); 311 if (err) 312 goto err_erase_xa; 313 314 luo_file = kzalloc_obj(*luo_file); 315 if (!luo_file) { 316 err = -ENOMEM; 317 goto err_flb_unpreserve; 318 } 319 320 luo_file->file = file; 321 luo_file->fh = fh; 322 luo_file->token = token; 323 mutex_init(&luo_file->mutex); 324 325 args.handler = fh; 326 args.file = file; 327 err = fh->ops->preserve(&args); 328 if (err) 329 goto err_kfree; 330 331 luo_file->serialized_data = args.serialized_data; 332 luo_file->private_data = args.private_data; 333 list_add_tail(&luo_file->list, &file_set->files_list); 334 file_set->count++; 335 336 return 0; 337 338 err_kfree: 339 kfree(luo_file); 340 err_flb_unpreserve: 341 luo_flb_file_unpreserve(fh); 342 err_erase_xa: 343 xa_erase(&luo_preserved_files, luo_get_id(fh, file)); 344 err_module_put: 345 module_put(fh->ops->owner); 346 err_free_files_mem: 347 luo_free_files_mem(file_set); 348 err_fput: 349 fput(file); 350 351 return err; 352 } 353 354 /** 355 * luo_file_unpreserve_files - Unpreserves all files from a file_set. 356 * @file_set: The files to be cleaned up. 357 * 358 * This function serves as the primary cleanup path for a file_set. It is 359 * invoked when the userspace agent closes the file_set's file descriptor. 360 * 361 * For each file, it performs the following cleanup actions: 362 * 1. Calls the handler's .unpreserve() callback to allow the handler to 363 * release any resources it allocated. 364 * 2. Removes the file from the file_set's internal tracking list. 365 * 3. Releases the reference to the 'struct file' that was taken by 366 * luo_preserve_file() via fput(), returning ownership. 367 * 4. Frees the memory associated with the internal 'struct luo_file'. 368 * 369 * After all individual files are unpreserved, it frees the contiguous memory 370 * block that was allocated to hold their serialization data. 371 */ 372 void luo_file_unpreserve_files(struct luo_file_set *file_set) 373 { 374 struct luo_file *luo_file; 375 376 while (!list_empty(&file_set->files_list)) { 377 struct liveupdate_file_op_args args = {0}; 378 379 luo_file = list_last_entry(&file_set->files_list, 380 struct luo_file, list); 381 382 args.handler = luo_file->fh; 383 args.file = luo_file->file; 384 args.serialized_data = luo_file->serialized_data; 385 args.private_data = luo_file->private_data; 386 luo_file->fh->ops->unpreserve(&args); 387 luo_flb_file_unpreserve(luo_file->fh); 388 module_put(luo_file->fh->ops->owner); 389 390 xa_erase(&luo_preserved_files, 391 luo_get_id(luo_file->fh, luo_file->file)); 392 list_del(&luo_file->list); 393 file_set->count--; 394 395 fput(luo_file->file); 396 mutex_destroy(&luo_file->mutex); 397 kfree(luo_file); 398 } 399 400 luo_free_files_mem(file_set); 401 } 402 403 static int luo_file_freeze_one(struct luo_file_set *file_set, 404 struct luo_file *luo_file) 405 { 406 int err = 0; 407 408 guard(mutex)(&luo_file->mutex); 409 410 if (luo_file->fh->ops->freeze) { 411 struct liveupdate_file_op_args args = {0}; 412 413 args.handler = luo_file->fh; 414 args.file = luo_file->file; 415 args.serialized_data = luo_file->serialized_data; 416 args.private_data = luo_file->private_data; 417 418 err = luo_file->fh->ops->freeze(&args); 419 if (!err) 420 luo_file->serialized_data = args.serialized_data; 421 } 422 423 return err; 424 } 425 426 static void luo_file_unfreeze_one(struct luo_file_set *file_set, 427 struct luo_file *luo_file) 428 { 429 guard(mutex)(&luo_file->mutex); 430 431 if (luo_file->fh->ops->unfreeze) { 432 struct liveupdate_file_op_args args = {0}; 433 434 args.handler = luo_file->fh; 435 args.file = luo_file->file; 436 args.serialized_data = luo_file->serialized_data; 437 args.private_data = luo_file->private_data; 438 439 luo_file->fh->ops->unfreeze(&args); 440 } 441 } 442 443 static void __luo_file_unfreeze(struct luo_file_set *file_set, 444 struct luo_file *failed_entry) 445 { 446 struct list_head *files_list = &file_set->files_list; 447 struct luo_file *luo_file; 448 449 list_for_each_entry(luo_file, files_list, list) { 450 if (luo_file == failed_entry) 451 break; 452 453 luo_file_unfreeze_one(file_set, luo_file); 454 } 455 456 memset(file_set->files, 0, LUO_FILE_PGCNT << PAGE_SHIFT); 457 } 458 459 /** 460 * luo_file_freeze - Freezes all preserved files and serializes their metadata. 461 * @file_set: The file_set whose files are to be frozen. 462 * @file_set_ser: Where to put the serialized file_set. 463 * 464 * This function is called from the reboot() syscall path, just before the 465 * kernel transitions to the new image via kexec. Its purpose is to perform the 466 * final preparation and serialization of all preserved files in the file_set. 467 * 468 * It iterates through each preserved file in FIFO order (the order of 469 * preservation) and performs two main actions: 470 * 471 * 1. Freezes the File: It calls the handler's .freeze() callback for each 472 * file. This gives the handler a final opportunity to quiesce the device or 473 * prepare its state for the upcoming reboot. The handler may update its 474 * private data handle during this step. 475 * 476 * 2. Serializes Metadata: After a successful freeze, it copies the final file 477 * metadata—the handler's compatible string, the user token, and the final 478 * private data handle—into the pre-allocated contiguous memory buffer 479 * (file_set->files) that will be handed over to the next kernel via KHO. 480 * 481 * Error Handling (Rollback): 482 * This function is atomic. If any handler's .freeze() operation fails, the 483 * entire live update is aborted. The __luo_file_unfreeze() helper is 484 * immediately called to invoke the .unfreeze() op on all files that were 485 * successfully frozen before the point of failure, rolling them back to a 486 * running state. The function then returns an error, causing the reboot() 487 * syscall to fail. 488 * 489 * Context: Called only from the liveupdate_reboot() path. 490 * Return: 0 on success, or a negative errno on failure. 491 */ 492 int luo_file_freeze(struct luo_file_set *file_set, 493 struct luo_file_set_ser *file_set_ser) 494 { 495 struct luo_file_ser *file_ser = file_set->files; 496 struct luo_file *luo_file; 497 int err; 498 int i; 499 500 if (!file_set->count) 501 return 0; 502 503 if (WARN_ON(!file_ser)) 504 return -EINVAL; 505 506 i = 0; 507 list_for_each_entry(luo_file, &file_set->files_list, list) { 508 err = luo_file_freeze_one(file_set, luo_file); 509 if (err < 0) { 510 pr_warn("Freeze failed for token[%#0llx] handler[%s] err[%pe]\n", 511 luo_file->token, luo_file->fh->compatible, 512 ERR_PTR(err)); 513 goto err_unfreeze; 514 } 515 516 strscpy(file_ser[i].compatible, luo_file->fh->compatible, 517 sizeof(file_ser[i].compatible)); 518 file_ser[i].data = luo_file->serialized_data; 519 file_ser[i].token = luo_file->token; 520 i++; 521 } 522 523 file_set_ser->count = file_set->count; 524 if (file_set->files) 525 file_set_ser->files = virt_to_phys(file_set->files); 526 527 return 0; 528 529 err_unfreeze: 530 __luo_file_unfreeze(file_set, luo_file); 531 532 return err; 533 } 534 535 /** 536 * luo_file_unfreeze - Unfreezes all files in a file_set and clear serialization 537 * @file_set: The file_set whose files are to be unfrozen. 538 * @file_set_ser: Serialized file_set. 539 * 540 * This function rolls back the state of all files in a file_set after the 541 * freeze phase has begun but must be aborted. It is the counterpart to 542 * luo_file_freeze(). 543 * 544 * It invokes the __luo_file_unfreeze() helper with a NULL argument, which 545 * signals the helper to iterate through all files in the file_set and call 546 * their respective .unfreeze() handler callbacks. 547 * 548 * Context: This is called when the live update is aborted during 549 * the reboot() syscall, after luo_file_freeze() has been called. 550 */ 551 void luo_file_unfreeze(struct luo_file_set *file_set, 552 struct luo_file_set_ser *file_set_ser) 553 { 554 if (!file_set->count) 555 return; 556 557 __luo_file_unfreeze(file_set, NULL); 558 memset(file_set_ser, 0, sizeof(*file_set_ser)); 559 } 560 561 /** 562 * luo_retrieve_file - Restores a preserved file from a file_set by its token. 563 * @file_set: The file_set from which to retrieve the file. 564 * @token: The unique token identifying the file to be restored. 565 * @filep: Output parameter; on success, this is populated with a pointer 566 * to the newly retrieved 'struct file'. 567 * 568 * This function is the primary mechanism for recreating a file in the new 569 * kernel after a live update. It searches the file_set's list of deserialized 570 * files for an entry matching the provided @token. 571 * 572 * The operation is idempotent: if a file has already been successfully 573 * retrieved, this function will simply return a pointer to the existing 574 * 'struct file' and report success without re-executing the retrieve 575 * operation. This is handled by checking the 'retrieved' flag under a lock. 576 * 577 * File retrieval can happen in any order; it is not bound by the order of 578 * preservation. 579 * 580 * Context: Can be called from an ioctl or other in-kernel code in the new 581 * kernel. 582 * Return: 0 on success. Returns a negative errno on failure: 583 * -ENOENT if no file with the matching token is found. 584 * Any error code returned by the handler's .retrieve() op. 585 */ 586 int luo_retrieve_file(struct luo_file_set *file_set, u64 token, 587 struct file **filep) 588 { 589 struct liveupdate_file_op_args args = {0}; 590 struct luo_file *luo_file; 591 bool found = false; 592 int err; 593 594 if (list_empty(&file_set->files_list)) 595 return -ENOENT; 596 597 list_for_each_entry(luo_file, &file_set->files_list, list) { 598 if (luo_file->token == token) { 599 found = true; 600 break; 601 } 602 } 603 604 if (!found) 605 return -ENOENT; 606 607 guard(mutex)(&luo_file->mutex); 608 if (luo_file->retrieve_status < 0) { 609 /* Retrieve was attempted and it failed. Return the error code. */ 610 return luo_file->retrieve_status; 611 } 612 613 if (luo_file->retrieve_status > 0) { 614 /* 615 * Someone is asking for this file again, so get a reference 616 * for them. 617 */ 618 get_file(luo_file->file); 619 *filep = luo_file->file; 620 return 0; 621 } 622 623 args.handler = luo_file->fh; 624 args.serialized_data = luo_file->serialized_data; 625 err = luo_file->fh->ops->retrieve(&args); 626 if (err) { 627 /* Keep the error code for later use. */ 628 luo_file->retrieve_status = err; 629 return err; 630 } 631 632 luo_file->file = args.file; 633 /* Get reference so we can keep this file in LUO until finish */ 634 get_file(luo_file->file); 635 636 WARN_ON(xa_insert(&luo_preserved_files, 637 luo_get_id(luo_file->fh, luo_file->file), 638 luo_file->file, GFP_KERNEL)); 639 640 *filep = luo_file->file; 641 luo_file->retrieve_status = 1; 642 643 return 0; 644 } 645 646 static int luo_file_can_finish_one(struct luo_file_set *file_set, 647 struct luo_file *luo_file) 648 { 649 bool can_finish = true; 650 651 guard(mutex)(&luo_file->mutex); 652 653 if (luo_file->fh->ops->can_finish) { 654 struct liveupdate_file_op_args args = {0}; 655 656 args.handler = luo_file->fh; 657 args.file = luo_file->file; 658 args.serialized_data = luo_file->serialized_data; 659 args.retrieve_status = luo_file->retrieve_status; 660 can_finish = luo_file->fh->ops->can_finish(&args); 661 } 662 663 return can_finish ? 0 : -EBUSY; 664 } 665 666 static void luo_file_finish_one(struct luo_file_set *file_set, 667 struct luo_file *luo_file) 668 { 669 struct liveupdate_file_op_args args = {0}; 670 671 guard(mutex)(&luo_file->mutex); 672 673 args.handler = luo_file->fh; 674 args.file = luo_file->file; 675 args.serialized_data = luo_file->serialized_data; 676 args.retrieve_status = luo_file->retrieve_status; 677 678 luo_file->fh->ops->finish(&args); 679 luo_flb_file_finish(luo_file->fh); 680 module_put(luo_file->fh->ops->owner); 681 } 682 683 /** 684 * luo_file_finish - Completes the lifecycle for all files in a file_set. 685 * @file_set: The file_set to be finalized. 686 * 687 * This function orchestrates the final teardown of a live update file_set in 688 * the new kernel. It should be called after all necessary files have been 689 * retrieved and the userspace agent is ready to release the preserved state. 690 * 691 * The function iterates through all tracked files. For each file, it performs 692 * the following sequence of cleanup actions: 693 * 694 * 1. If file is not yet retrieved, retrieves it, and calls can_finish() on 695 * every file in the file_set. If all can_finish return true, continue to 696 * finish. 697 * 2. Calls the handler's .finish() callback (via luo_file_finish_one) to 698 * allow for final resource cleanup within the handler. 699 * 3. Releases LUO's ownership reference on the 'struct file' via fput(). This 700 * is the counterpart to the get_file() call in luo_retrieve_file(). 701 * 4. Removes the 'struct luo_file' from the file_set's internal list. 702 * 5. Frees the memory for the 'struct luo_file' instance itself. 703 * 704 * After successfully finishing all individual files, it frees the 705 * contiguous memory block that was used to transfer the serialized metadata 706 * from the previous kernel. 707 * 708 * Error Handling (Atomic Failure): 709 * This operation is atomic. If any handler's .can_finish() op fails, the entire 710 * function aborts immediately and returns an error. 711 * 712 * Context: Can be called from an ioctl handler in the new kernel. 713 * Return: 0 on success, or a negative errno on failure. 714 */ 715 int luo_file_finish(struct luo_file_set *file_set) 716 { 717 struct list_head *files_list = &file_set->files_list; 718 struct luo_file *luo_file; 719 int err; 720 721 if (!file_set->count) 722 return 0; 723 724 list_for_each_entry(luo_file, files_list, list) { 725 err = luo_file_can_finish_one(file_set, luo_file); 726 if (err) 727 return err; 728 } 729 730 while (!list_empty(&file_set->files_list)) { 731 luo_file = list_last_entry(&file_set->files_list, 732 struct luo_file, list); 733 734 luo_file_finish_one(file_set, luo_file); 735 736 if (luo_file->file) { 737 xa_erase(&luo_preserved_files, 738 luo_get_id(luo_file->fh, luo_file->file)); 739 fput(luo_file->file); 740 } 741 list_del(&luo_file->list); 742 file_set->count--; 743 mutex_destroy(&luo_file->mutex); 744 kfree(luo_file); 745 } 746 747 if (file_set->files) { 748 kho_restore_free(file_set->files); 749 file_set->files = NULL; 750 } 751 752 return 0; 753 } 754 755 /** 756 * luo_file_deserialize - Reconstructs the list of preserved files in the new kernel. 757 * @file_set: The incoming file_set to fill with deserialized data. 758 * @file_set_ser: Serialized KHO file_set data from the previous kernel. 759 * 760 * This function is called during the early boot process of the new kernel. It 761 * takes the raw, contiguous memory block of 'struct luo_file_ser' entries, 762 * provided by the previous kernel, and transforms it back into a live, 763 * in-memory linked list of 'struct luo_file' instances. 764 * 765 * For each serialized entry, it performs the following steps: 766 * 1. Reads the 'compatible' string. 767 * 2. Searches the global list of registered file handlers for one that 768 * matches the compatible string. 769 * 3. Allocates a new 'struct luo_file'. 770 * 4. Populates the new structure with the deserialized data (token, private 771 * data handle) and links it to the found handler. The 'file' pointer is 772 * initialized to NULL, as the file has not been retrieved yet. 773 * 5. Adds the new 'struct luo_file' to the file_set's files_list. 774 * 775 * This prepares the file_set for userspace, which can later call 776 * luo_retrieve_file() to restore the actual file descriptors. 777 * 778 * Context: Called from session deserialization. 779 */ 780 int luo_file_deserialize(struct luo_file_set *file_set, 781 struct luo_file_set_ser *file_set_ser) 782 { 783 struct luo_file_ser *file_ser; 784 u64 i; 785 786 if (!file_set_ser->files) { 787 WARN_ON(file_set_ser->count); 788 return 0; 789 } 790 791 file_set->count = file_set_ser->count; 792 file_set->files = phys_to_virt(file_set_ser->files); 793 794 /* 795 * Note on error handling: 796 * 797 * If deserialization fails (e.g., allocation failure or corrupt data), 798 * we intentionally skip cleanup of files that were already restored. 799 * 800 * A partial failure leaves the preserved state inconsistent. 801 * Implementing a safe "undo" to unwind complex dependencies (sessions, 802 * files, hardware state) is error-prone and provides little value, as 803 * the system is effectively in a broken state. 804 * 805 * We treat these resources as leaked. The expected recovery path is for 806 * userspace to detect the failure and trigger a reboot, which will 807 * reliably reset devices and reclaim memory. 808 */ 809 file_ser = file_set->files; 810 for (i = 0; i < file_set->count; i++) { 811 struct liveupdate_file_handler *fh; 812 bool handler_found = false; 813 struct luo_file *luo_file; 814 815 down_read(&luo_register_rwlock); 816 list_private_for_each_entry(fh, &luo_file_handler_list, list) { 817 if (!strcmp(fh->compatible, file_ser[i].compatible)) { 818 if (try_module_get(fh->ops->owner)) 819 handler_found = true; 820 break; 821 } 822 } 823 up_read(&luo_register_rwlock); 824 825 if (!handler_found) { 826 pr_warn("No registered handler for compatible '%.*s'\n", 827 (int)sizeof(file_ser[i].compatible), 828 file_ser[i].compatible); 829 return -ENOENT; 830 } 831 832 luo_file = kzalloc_obj(*luo_file); 833 if (!luo_file) { 834 module_put(fh->ops->owner); 835 return -ENOMEM; 836 } 837 838 luo_file->fh = fh; 839 luo_file->file = NULL; 840 luo_file->serialized_data = file_ser[i].data; 841 luo_file->token = file_ser[i].token; 842 mutex_init(&luo_file->mutex); 843 list_add_tail(&luo_file->list, &file_set->files_list); 844 } 845 846 return 0; 847 } 848 849 void luo_file_set_init(struct luo_file_set *file_set) 850 { 851 INIT_LIST_HEAD(&file_set->files_list); 852 } 853 854 void luo_file_set_destroy(struct luo_file_set *file_set) 855 { 856 WARN_ON(file_set->count); 857 WARN_ON(!list_empty(&file_set->files_list)); 858 } 859 860 /** 861 * liveupdate_register_file_handler - Register a file handler with LUO. 862 * @fh: Pointer to a caller-allocated &struct liveupdate_file_handler. 863 * The caller must initialize this structure, including a unique 864 * 'compatible' string and a valid 'fh' callbacks. This function adds the 865 * handler to the global list of supported file handlers. 866 * 867 * Context: Typically called during module initialization for file types that 868 * support live update preservation. 869 * 870 * Return: 0 on success. Negative errno on failure. 871 */ 872 int liveupdate_register_file_handler(struct liveupdate_file_handler *fh) 873 { 874 struct liveupdate_file_handler *fh_iter; 875 int err; 876 877 if (!liveupdate_enabled()) 878 return -EOPNOTSUPP; 879 880 /* Sanity check that all required callbacks are set */ 881 if (!fh->ops->preserve || !fh->ops->unpreserve || !fh->ops->retrieve || 882 !fh->ops->finish || !fh->ops->can_preserve) { 883 return -EINVAL; 884 } 885 886 down_write(&luo_register_rwlock); 887 /* Check for duplicate compatible strings */ 888 list_private_for_each_entry(fh_iter, &luo_file_handler_list, list) { 889 if (!strcmp(fh_iter->compatible, fh->compatible)) { 890 pr_err("File handler registration failed: Compatible string '%s' already registered.\n", 891 fh->compatible); 892 err = -EEXIST; 893 goto err_unlock; 894 } 895 } 896 897 INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, flb_list)); 898 INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, list)); 899 list_add_tail(&ACCESS_PRIVATE(fh, list), &luo_file_handler_list); 900 up_write(&luo_register_rwlock); 901 902 liveupdate_test_register(fh); 903 904 return 0; 905 906 err_unlock: 907 up_write(&luo_register_rwlock); 908 return err; 909 } 910 911 /** 912 * liveupdate_unregister_file_handler - Unregister a liveupdate file handler 913 * @fh: The file handler to unregister 914 * 915 * Unregisters the file handler from the liveupdate core. This function 916 * reverses the operations of liveupdate_register_file_handler(). 917 */ 918 void liveupdate_unregister_file_handler(struct liveupdate_file_handler *fh) 919 { 920 if (!liveupdate_enabled()) 921 return; 922 923 guard(rwsem_write)(&luo_register_rwlock); 924 luo_flb_unregister_all(fh); 925 list_del(&ACCESS_PRIVATE(fh, list)); 926 } 927