1 // SPDX-License-Identifier: GPL-2.0 2 3 /* 4 * Copyright (c) 2025, Google LLC. 5 * Pasha Tatashin <pasha.tatashin@soleen.com> 6 */ 7 8 /** 9 * DOC: LUO File Descriptors 10 * 11 * LUO provides the infrastructure to preserve specific, stateful file 12 * descriptors across a kexec-based live update. The primary goal is to allow 13 * workloads, such as virtual machines using vfio, memfd, or iommufd, to 14 * retain access to their essential resources without interruption. 15 * 16 * The framework is built around a callback-based handler model and a well- 17 * defined lifecycle for each preserved file. 18 * 19 * Handler Registration: 20 * Kernel modules responsible for a specific file type (e.g., memfd, vfio) 21 * register a &struct liveupdate_file_handler. This handler provides a set of 22 * callbacks that LUO invokes at different stages of the update process, most 23 * notably: 24 * 25 * - can_preserve(): A lightweight check to determine if the handler is 26 * compatible with a given 'struct file'. 27 * - preserve(): The heavyweight operation that saves the file's state and 28 * returns an opaque u64 handle. This is typically performed while the 29 * workload is still active to minimize the downtime during the 30 * actual reboot transition. 31 * - unpreserve(): Cleans up any resources allocated by .preserve(), called 32 * if the preservation process is aborted before the reboot (i.e. session is 33 * closed). 34 * - freeze(): A final pre-reboot opportunity to prepare the state for kexec. 35 * We are already in reboot syscall, and therefore userspace cannot mutate 36 * the file anymore. 37 * - unfreeze(): Undoes the actions of .freeze(), called if the live update 38 * is aborted after the freeze phase. 39 * - retrieve(): Reconstructs the file in the new kernel from the preserved 40 * handle. 41 * - finish(): Performs final check and cleanup in the new kernel. After 42 * succesul finish call, LUO gives up ownership to this file. 43 * 44 * File Preservation Lifecycle happy path: 45 * 46 * 1. Preserve (Normal Operation): A userspace agent preserves files one by one 47 * via an ioctl. For each file, luo_preserve_file() finds a compatible 48 * handler, calls its .preserve() operation, and creates an internal &struct 49 * luo_file to track the live state. 50 * 51 * 2. Freeze (Pre-Reboot): Just before the kexec, luo_file_freeze() is called. 52 * It iterates through all preserved files, calls their respective .freeze() 53 * operation, and serializes their final metadata (compatible string, token, 54 * and data handle) into a contiguous memory block for KHO. 55 * 56 * 3. Deserialize: After kexec, luo_file_deserialize() runs when session gets 57 * deserialized (which is when /dev/liveupdate is first opened). It reads the 58 * serialized data from the KHO memory region and reconstructs the in-memory 59 * list of &struct luo_file instances for the new kernel, linking them to 60 * their corresponding handlers. 61 * 62 * 4. Retrieve (New Kernel - Userspace Ready): The userspace agent can now 63 * restore file descriptors by providing a token. luo_retrieve_file() 64 * searches for the matching token, calls the handler's .retrieve() op to 65 * re-create the 'struct file', and returns a new FD. Files can be 66 * retrieved in ANY order. 67 * 68 * 5. Finish (New Kernel - Cleanup): Once a session retrival is complete, 69 * luo_file_finish() is called. It iterates through all files, invokes their 70 * .finish() operations for final cleanup, and releases all associated kernel 71 * resources. 72 * 73 * File Preservation Lifecycle unhappy paths: 74 * 75 * 1. Abort Before Reboot: If the userspace agent aborts the live update 76 * process before calling reboot (e.g., by closing the session file 77 * descriptor), the session's release handler calls 78 * luo_file_unpreserve_files(). This invokes the .unpreserve() callback on 79 * all preserved files, ensuring all allocated resources are cleaned up and 80 * returning the system to a clean state. 81 * 82 * 2. Freeze Failure: During the reboot() syscall, if any handler's .freeze() 83 * op fails, the .unfreeze() op is invoked on all previously *successful* 84 * freezes to roll back their state. The reboot() syscall then returns an 85 * error to userspace, canceling the live update. 86 * 87 * 3. Finish Failure: In the new kernel, if a handler's .finish() op fails, 88 * the luo_file_finish() operation is aborted. LUO retains ownership of 89 * all files within that session, including those that were not yet 90 * processed. The userspace agent can attempt to call the finish operation 91 * again later. If the issue cannot be resolved, these resources will be held 92 * by LUO until the next live update cycle, at which point they will be 93 * discarded. 94 */ 95 96 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 97 98 #include <linux/cleanup.h> 99 #include <linux/compiler.h> 100 #include <linux/err.h> 101 #include <linux/errno.h> 102 #include <linux/file.h> 103 #include <linux/fs.h> 104 #include <linux/io.h> 105 #include <linux/kexec_handover.h> 106 #include <linux/kho/abi/luo.h> 107 #include <linux/list_private.h> 108 #include <linux/liveupdate.h> 109 #include <linux/module.h> 110 #include <linux/sizes.h> 111 #include <linux/slab.h> 112 #include <linux/string.h> 113 #include "luo_internal.h" 114 115 static LIST_HEAD(luo_file_handler_list); 116 117 /* 2 4K pages, give space for 128 files per file_set */ 118 #define LUO_FILE_PGCNT 2ul 119 #define LUO_FILE_MAX \ 120 ((LUO_FILE_PGCNT << PAGE_SHIFT) / sizeof(struct luo_file_ser)) 121 122 /** 123 * struct luo_file - Represents a single preserved file instance. 124 * @fh: Pointer to the &struct liveupdate_file_handler that manages 125 * this type of file. 126 * @file: Pointer to the kernel's &struct file that is being preserved. 127 * This is NULL in the new kernel until the file is successfully 128 * retrieved. 129 * @serialized_data: The opaque u64 handle to the serialized state of the file. 130 * This handle is passed back to the handler's .freeze(), 131 * .retrieve(), and .finish() callbacks, allowing it to track 132 * and update its serialized state across phases. 133 * @private_data: Pointer to the private data for the file used to hold runtime 134 * state that is not preserved. Set by the handler's .preserve() 135 * callback, and must be freed in the handler's .unpreserve() 136 * callback. 137 * @retrieved: A flag indicating whether a user/kernel in the new kernel has 138 * successfully called retrieve() on this file. This prevents 139 * multiple retrieval attempts. 140 * @mutex: A mutex that protects the fields of this specific instance 141 * (e.g., @retrieved, @file), ensuring that operations like 142 * retrieving or finishing a file are atomic. 143 * @list: The list_head linking this instance into its parent 144 * file_set's list of preserved files. 145 * @token: The user-provided unique token used to identify this file. 146 * 147 * This structure is the core in-kernel representation of a single file being 148 * managed through a live update. An instance is created by luo_preserve_file() 149 * to link a 'struct file' to its corresponding handler, a user-provided token, 150 * and the serialized state handle returned by the handler's .preserve() 151 * operation. 152 * 153 * These instances are tracked in a per-file_set list. The @serialized_data 154 * field, which holds a handle to the file's serialized state, may be updated 155 * during the .freeze() callback before being serialized for the next kernel. 156 * After reboot, these structures are recreated by luo_file_deserialize() and 157 * are finally cleaned up by luo_file_finish(). 158 */ 159 struct luo_file { 160 struct liveupdate_file_handler *fh; 161 struct file *file; 162 u64 serialized_data; 163 void *private_data; 164 bool retrieved; 165 struct mutex mutex; 166 struct list_head list; 167 u64 token; 168 }; 169 170 static int luo_alloc_files_mem(struct luo_file_set *file_set) 171 { 172 size_t size; 173 void *mem; 174 175 if (file_set->files) 176 return 0; 177 178 WARN_ON_ONCE(file_set->count); 179 180 size = LUO_FILE_PGCNT << PAGE_SHIFT; 181 mem = kho_alloc_preserve(size); 182 if (IS_ERR(mem)) 183 return PTR_ERR(mem); 184 185 file_set->files = mem; 186 187 return 0; 188 } 189 190 static void luo_free_files_mem(struct luo_file_set *file_set) 191 { 192 /* If file_set has files, no need to free preservation memory */ 193 if (file_set->count) 194 return; 195 196 if (!file_set->files) 197 return; 198 199 kho_unpreserve_free(file_set->files); 200 file_set->files = NULL; 201 } 202 203 static bool luo_token_is_used(struct luo_file_set *file_set, u64 token) 204 { 205 struct luo_file *iter; 206 207 list_for_each_entry(iter, &file_set->files_list, list) { 208 if (iter->token == token) 209 return true; 210 } 211 212 return false; 213 } 214 215 /** 216 * luo_preserve_file - Initiate the preservation of a file descriptor. 217 * @file_set: The file_set to which the preserved file will be added. 218 * @token: A unique, user-provided identifier for the file. 219 * @fd: The file descriptor to be preserved. 220 * 221 * This function orchestrates the first phase of preserving a file. Upon entry, 222 * it takes a reference to the 'struct file' via fget(), effectively making LUO 223 * a co-owner of the file. This reference is held until the file is either 224 * unpreserved or successfully finished in the next kernel, preventing the file 225 * from being prematurely destroyed. 226 * 227 * This function orchestrates the first phase of preserving a file. It performs 228 * the following steps: 229 * 230 * 1. Validates that the @token is not already in use within the file_set. 231 * 2. Ensures the file_set's memory for files serialization is allocated 232 * (allocates if needed). 233 * 3. Iterates through registered handlers, calling can_preserve() to find one 234 * compatible with the given @fd. 235 * 4. Calls the handler's .preserve() operation, which saves the file's state 236 * and returns an opaque private data handle. 237 * 5. Adds the new instance to the file_set's internal list. 238 * 239 * On success, LUO takes a reference to the 'struct file' and considers it 240 * under its management until it is unpreserved or finished. 241 * 242 * In case of any failure, all intermediate allocations (file reference, memory 243 * for the 'luo_file' struct, etc.) are cleaned up before returning an error. 244 * 245 * Context: Can be called from an ioctl handler during normal system operation. 246 * Return: 0 on success. Returns a negative errno on failure: 247 * -EEXIST if the token is already used. 248 * -EBADF if the file descriptor is invalid. 249 * -ENOSPC if the file_set is full. 250 * -ENOENT if no compatible handler is found. 251 * -ENOMEM on memory allocation failure. 252 * Other erros might be returned by .preserve(). 253 */ 254 int luo_preserve_file(struct luo_file_set *file_set, u64 token, int fd) 255 { 256 struct liveupdate_file_op_args args = {0}; 257 struct liveupdate_file_handler *fh; 258 struct luo_file *luo_file; 259 struct file *file; 260 int err; 261 262 if (luo_token_is_used(file_set, token)) 263 return -EEXIST; 264 265 if (file_set->count == LUO_FILE_MAX) 266 return -ENOSPC; 267 268 file = fget(fd); 269 if (!file) 270 return -EBADF; 271 272 err = luo_alloc_files_mem(file_set); 273 if (err) 274 goto err_fput; 275 276 err = -ENOENT; 277 list_private_for_each_entry(fh, &luo_file_handler_list, list) { 278 if (fh->ops->can_preserve(fh, file)) { 279 err = 0; 280 break; 281 } 282 } 283 284 /* err is still -ENOENT if no handler was found */ 285 if (err) 286 goto err_free_files_mem; 287 288 err = luo_flb_file_preserve(fh); 289 if (err) 290 goto err_free_files_mem; 291 292 luo_file = kzalloc(sizeof(*luo_file), GFP_KERNEL); 293 if (!luo_file) { 294 err = -ENOMEM; 295 goto err_flb_unpreserve; 296 } 297 298 luo_file->file = file; 299 luo_file->fh = fh; 300 luo_file->token = token; 301 luo_file->retrieved = false; 302 mutex_init(&luo_file->mutex); 303 304 args.handler = fh; 305 args.file = file; 306 err = fh->ops->preserve(&args); 307 if (err) 308 goto err_kfree; 309 310 luo_file->serialized_data = args.serialized_data; 311 luo_file->private_data = args.private_data; 312 list_add_tail(&luo_file->list, &file_set->files_list); 313 file_set->count++; 314 315 return 0; 316 317 err_kfree: 318 kfree(luo_file); 319 err_flb_unpreserve: 320 luo_flb_file_unpreserve(fh); 321 err_free_files_mem: 322 luo_free_files_mem(file_set); 323 err_fput: 324 fput(file); 325 326 return err; 327 } 328 329 /** 330 * luo_file_unpreserve_files - Unpreserves all files from a file_set. 331 * @file_set: The files to be cleaned up. 332 * 333 * This function serves as the primary cleanup path for a file_set. It is 334 * invoked when the userspace agent closes the file_set's file descriptor. 335 * 336 * For each file, it performs the following cleanup actions: 337 * 1. Calls the handler's .unpreserve() callback to allow the handler to 338 * release any resources it allocated. 339 * 2. Removes the file from the file_set's internal tracking list. 340 * 3. Releases the reference to the 'struct file' that was taken by 341 * luo_preserve_file() via fput(), returning ownership. 342 * 4. Frees the memory associated with the internal 'struct luo_file'. 343 * 344 * After all individual files are unpreserved, it frees the contiguous memory 345 * block that was allocated to hold their serialization data. 346 */ 347 void luo_file_unpreserve_files(struct luo_file_set *file_set) 348 { 349 struct luo_file *luo_file; 350 351 while (!list_empty(&file_set->files_list)) { 352 struct liveupdate_file_op_args args = {0}; 353 354 luo_file = list_last_entry(&file_set->files_list, 355 struct luo_file, list); 356 357 args.handler = luo_file->fh; 358 args.file = luo_file->file; 359 args.serialized_data = luo_file->serialized_data; 360 args.private_data = luo_file->private_data; 361 luo_file->fh->ops->unpreserve(&args); 362 luo_flb_file_unpreserve(luo_file->fh); 363 364 list_del(&luo_file->list); 365 file_set->count--; 366 367 fput(luo_file->file); 368 mutex_destroy(&luo_file->mutex); 369 kfree(luo_file); 370 } 371 372 luo_free_files_mem(file_set); 373 } 374 375 static int luo_file_freeze_one(struct luo_file_set *file_set, 376 struct luo_file *luo_file) 377 { 378 int err = 0; 379 380 guard(mutex)(&luo_file->mutex); 381 382 if (luo_file->fh->ops->freeze) { 383 struct liveupdate_file_op_args args = {0}; 384 385 args.handler = luo_file->fh; 386 args.file = luo_file->file; 387 args.serialized_data = luo_file->serialized_data; 388 args.private_data = luo_file->private_data; 389 390 err = luo_file->fh->ops->freeze(&args); 391 if (!err) 392 luo_file->serialized_data = args.serialized_data; 393 } 394 395 return err; 396 } 397 398 static void luo_file_unfreeze_one(struct luo_file_set *file_set, 399 struct luo_file *luo_file) 400 { 401 guard(mutex)(&luo_file->mutex); 402 403 if (luo_file->fh->ops->unfreeze) { 404 struct liveupdate_file_op_args args = {0}; 405 406 args.handler = luo_file->fh; 407 args.file = luo_file->file; 408 args.serialized_data = luo_file->serialized_data; 409 args.private_data = luo_file->private_data; 410 411 luo_file->fh->ops->unfreeze(&args); 412 } 413 414 luo_file->serialized_data = 0; 415 } 416 417 static void __luo_file_unfreeze(struct luo_file_set *file_set, 418 struct luo_file *failed_entry) 419 { 420 struct list_head *files_list = &file_set->files_list; 421 struct luo_file *luo_file; 422 423 list_for_each_entry(luo_file, files_list, list) { 424 if (luo_file == failed_entry) 425 break; 426 427 luo_file_unfreeze_one(file_set, luo_file); 428 } 429 430 memset(file_set->files, 0, LUO_FILE_PGCNT << PAGE_SHIFT); 431 } 432 433 /** 434 * luo_file_freeze - Freezes all preserved files and serializes their metadata. 435 * @file_set: The file_set whose files are to be frozen. 436 * @file_set_ser: Where to put the serialized file_set. 437 * 438 * This function is called from the reboot() syscall path, just before the 439 * kernel transitions to the new image via kexec. Its purpose is to perform the 440 * final preparation and serialization of all preserved files in the file_set. 441 * 442 * It iterates through each preserved file in FIFO order (the order of 443 * preservation) and performs two main actions: 444 * 445 * 1. Freezes the File: It calls the handler's .freeze() callback for each 446 * file. This gives the handler a final opportunity to quiesce the device or 447 * prepare its state for the upcoming reboot. The handler may update its 448 * private data handle during this step. 449 * 450 * 2. Serializes Metadata: After a successful freeze, it copies the final file 451 * metadata—the handler's compatible string, the user token, and the final 452 * private data handle—into the pre-allocated contiguous memory buffer 453 * (file_set->files) that will be handed over to the next kernel via KHO. 454 * 455 * Error Handling (Rollback): 456 * This function is atomic. If any handler's .freeze() operation fails, the 457 * entire live update is aborted. The __luo_file_unfreeze() helper is 458 * immediately called to invoke the .unfreeze() op on all files that were 459 * successfully frozen before the point of failure, rolling them back to a 460 * running state. The function then returns an error, causing the reboot() 461 * syscall to fail. 462 * 463 * Context: Called only from the liveupdate_reboot() path. 464 * Return: 0 on success, or a negative errno on failure. 465 */ 466 int luo_file_freeze(struct luo_file_set *file_set, 467 struct luo_file_set_ser *file_set_ser) 468 { 469 struct luo_file_ser *file_ser = file_set->files; 470 struct luo_file *luo_file; 471 int err; 472 int i; 473 474 if (!file_set->count) 475 return 0; 476 477 if (WARN_ON(!file_ser)) 478 return -EINVAL; 479 480 i = 0; 481 list_for_each_entry(luo_file, &file_set->files_list, list) { 482 err = luo_file_freeze_one(file_set, luo_file); 483 if (err < 0) { 484 pr_warn("Freeze failed for token[%#0llx] handler[%s] err[%pe]\n", 485 luo_file->token, luo_file->fh->compatible, 486 ERR_PTR(err)); 487 goto err_unfreeze; 488 } 489 490 strscpy(file_ser[i].compatible, luo_file->fh->compatible, 491 sizeof(file_ser[i].compatible)); 492 file_ser[i].data = luo_file->serialized_data; 493 file_ser[i].token = luo_file->token; 494 i++; 495 } 496 497 file_set_ser->count = file_set->count; 498 if (file_set->files) 499 file_set_ser->files = virt_to_phys(file_set->files); 500 501 return 0; 502 503 err_unfreeze: 504 __luo_file_unfreeze(file_set, luo_file); 505 506 return err; 507 } 508 509 /** 510 * luo_file_unfreeze - Unfreezes all files in a file_set and clear serialization 511 * @file_set: The file_set whose files are to be unfrozen. 512 * @file_set_ser: Serialized file_set. 513 * 514 * This function rolls back the state of all files in a file_set after the 515 * freeze phase has begun but must be aborted. It is the counterpart to 516 * luo_file_freeze(). 517 * 518 * It invokes the __luo_file_unfreeze() helper with a NULL argument, which 519 * signals the helper to iterate through all files in the file_set and call 520 * their respective .unfreeze() handler callbacks. 521 * 522 * Context: This is called when the live update is aborted during 523 * the reboot() syscall, after luo_file_freeze() has been called. 524 */ 525 void luo_file_unfreeze(struct luo_file_set *file_set, 526 struct luo_file_set_ser *file_set_ser) 527 { 528 if (!file_set->count) 529 return; 530 531 __luo_file_unfreeze(file_set, NULL); 532 memset(file_set_ser, 0, sizeof(*file_set_ser)); 533 } 534 535 /** 536 * luo_retrieve_file - Restores a preserved file from a file_set by its token. 537 * @file_set: The file_set from which to retrieve the file. 538 * @token: The unique token identifying the file to be restored. 539 * @filep: Output parameter; on success, this is populated with a pointer 540 * to the newly retrieved 'struct file'. 541 * 542 * This function is the primary mechanism for recreating a file in the new 543 * kernel after a live update. It searches the file_set's list of deserialized 544 * files for an entry matching the provided @token. 545 * 546 * The operation is idempotent: if a file has already been successfully 547 * retrieved, this function will simply return a pointer to the existing 548 * 'struct file' and report success without re-executing the retrieve 549 * operation. This is handled by checking the 'retrieved' flag under a lock. 550 * 551 * File retrieval can happen in any order; it is not bound by the order of 552 * preservation. 553 * 554 * Context: Can be called from an ioctl or other in-kernel code in the new 555 * kernel. 556 * Return: 0 on success. Returns a negative errno on failure: 557 * -ENOENT if no file with the matching token is found. 558 * Any error code returned by the handler's .retrieve() op. 559 */ 560 int luo_retrieve_file(struct luo_file_set *file_set, u64 token, 561 struct file **filep) 562 { 563 struct liveupdate_file_op_args args = {0}; 564 struct luo_file *luo_file; 565 bool found = false; 566 int err; 567 568 if (list_empty(&file_set->files_list)) 569 return -ENOENT; 570 571 list_for_each_entry(luo_file, &file_set->files_list, list) { 572 if (luo_file->token == token) { 573 found = true; 574 break; 575 } 576 } 577 578 if (!found) 579 return -ENOENT; 580 581 guard(mutex)(&luo_file->mutex); 582 if (luo_file->retrieved) { 583 /* 584 * Someone is asking for this file again, so get a reference 585 * for them. 586 */ 587 get_file(luo_file->file); 588 *filep = luo_file->file; 589 return 0; 590 } 591 592 args.handler = luo_file->fh; 593 args.serialized_data = luo_file->serialized_data; 594 err = luo_file->fh->ops->retrieve(&args); 595 if (!err) { 596 luo_file->file = args.file; 597 598 /* Get reference so we can keep this file in LUO until finish */ 599 get_file(luo_file->file); 600 *filep = luo_file->file; 601 luo_file->retrieved = true; 602 } 603 604 return err; 605 } 606 607 static int luo_file_can_finish_one(struct luo_file_set *file_set, 608 struct luo_file *luo_file) 609 { 610 bool can_finish = true; 611 612 guard(mutex)(&luo_file->mutex); 613 614 if (luo_file->fh->ops->can_finish) { 615 struct liveupdate_file_op_args args = {0}; 616 617 args.handler = luo_file->fh; 618 args.file = luo_file->file; 619 args.serialized_data = luo_file->serialized_data; 620 args.retrieved = luo_file->retrieved; 621 can_finish = luo_file->fh->ops->can_finish(&args); 622 } 623 624 return can_finish ? 0 : -EBUSY; 625 } 626 627 static void luo_file_finish_one(struct luo_file_set *file_set, 628 struct luo_file *luo_file) 629 { 630 struct liveupdate_file_op_args args = {0}; 631 632 guard(mutex)(&luo_file->mutex); 633 634 args.handler = luo_file->fh; 635 args.file = luo_file->file; 636 args.serialized_data = luo_file->serialized_data; 637 args.retrieved = luo_file->retrieved; 638 639 luo_file->fh->ops->finish(&args); 640 luo_flb_file_finish(luo_file->fh); 641 } 642 643 /** 644 * luo_file_finish - Completes the lifecycle for all files in a file_set. 645 * @file_set: The file_set to be finalized. 646 * 647 * This function orchestrates the final teardown of a live update file_set in 648 * the new kernel. It should be called after all necessary files have been 649 * retrieved and the userspace agent is ready to release the preserved state. 650 * 651 * The function iterates through all tracked files. For each file, it performs 652 * the following sequence of cleanup actions: 653 * 654 * 1. If file is not yet retrieved, retrieves it, and calls can_finish() on 655 * every file in the file_set. If all can_finish return true, continue to 656 * finish. 657 * 2. Calls the handler's .finish() callback (via luo_file_finish_one) to 658 * allow for final resource cleanup within the handler. 659 * 3. Releases LUO's ownership reference on the 'struct file' via fput(). This 660 * is the counterpart to the get_file() call in luo_retrieve_file(). 661 * 4. Removes the 'struct luo_file' from the file_set's internal list. 662 * 5. Frees the memory for the 'struct luo_file' instance itself. 663 * 664 * After successfully finishing all individual files, it frees the 665 * contiguous memory block that was used to transfer the serialized metadata 666 * from the previous kernel. 667 * 668 * Error Handling (Atomic Failure): 669 * This operation is atomic. If any handler's .can_finish() op fails, the entire 670 * function aborts immediately and returns an error. 671 * 672 * Context: Can be called from an ioctl handler in the new kernel. 673 * Return: 0 on success, or a negative errno on failure. 674 */ 675 int luo_file_finish(struct luo_file_set *file_set) 676 { 677 struct list_head *files_list = &file_set->files_list; 678 struct luo_file *luo_file; 679 int err; 680 681 if (!file_set->count) 682 return 0; 683 684 list_for_each_entry(luo_file, files_list, list) { 685 err = luo_file_can_finish_one(file_set, luo_file); 686 if (err) 687 return err; 688 } 689 690 while (!list_empty(&file_set->files_list)) { 691 luo_file = list_last_entry(&file_set->files_list, 692 struct luo_file, list); 693 694 luo_file_finish_one(file_set, luo_file); 695 696 if (luo_file->file) 697 fput(luo_file->file); 698 list_del(&luo_file->list); 699 file_set->count--; 700 mutex_destroy(&luo_file->mutex); 701 kfree(luo_file); 702 } 703 704 if (file_set->files) { 705 kho_restore_free(file_set->files); 706 file_set->files = NULL; 707 } 708 709 return 0; 710 } 711 712 /** 713 * luo_file_deserialize - Reconstructs the list of preserved files in the new kernel. 714 * @file_set: The incoming file_set to fill with deserialized data. 715 * @file_set_ser: Serialized KHO file_set data from the previous kernel. 716 * 717 * This function is called during the early boot process of the new kernel. It 718 * takes the raw, contiguous memory block of 'struct luo_file_ser' entries, 719 * provided by the previous kernel, and transforms it back into a live, 720 * in-memory linked list of 'struct luo_file' instances. 721 * 722 * For each serialized entry, it performs the following steps: 723 * 1. Reads the 'compatible' string. 724 * 2. Searches the global list of registered file handlers for one that 725 * matches the compatible string. 726 * 3. Allocates a new 'struct luo_file'. 727 * 4. Populates the new structure with the deserialized data (token, private 728 * data handle) and links it to the found handler. The 'file' pointer is 729 * initialized to NULL, as the file has not been retrieved yet. 730 * 5. Adds the new 'struct luo_file' to the file_set's files_list. 731 * 732 * This prepares the file_set for userspace, which can later call 733 * luo_retrieve_file() to restore the actual file descriptors. 734 * 735 * Context: Called from session deserialization. 736 */ 737 int luo_file_deserialize(struct luo_file_set *file_set, 738 struct luo_file_set_ser *file_set_ser) 739 { 740 struct luo_file_ser *file_ser; 741 u64 i; 742 743 if (!file_set_ser->files) { 744 WARN_ON(file_set_ser->count); 745 return 0; 746 } 747 748 file_set->count = file_set_ser->count; 749 file_set->files = phys_to_virt(file_set_ser->files); 750 751 /* 752 * Note on error handling: 753 * 754 * If deserialization fails (e.g., allocation failure or corrupt data), 755 * we intentionally skip cleanup of files that were already restored. 756 * 757 * A partial failure leaves the preserved state inconsistent. 758 * Implementing a safe "undo" to unwind complex dependencies (sessions, 759 * files, hardware state) is error-prone and provides little value, as 760 * the system is effectively in a broken state. 761 * 762 * We treat these resources as leaked. The expected recovery path is for 763 * userspace to detect the failure and trigger a reboot, which will 764 * reliably reset devices and reclaim memory. 765 */ 766 file_ser = file_set->files; 767 for (i = 0; i < file_set->count; i++) { 768 struct liveupdate_file_handler *fh; 769 bool handler_found = false; 770 struct luo_file *luo_file; 771 772 list_private_for_each_entry(fh, &luo_file_handler_list, list) { 773 if (!strcmp(fh->compatible, file_ser[i].compatible)) { 774 handler_found = true; 775 break; 776 } 777 } 778 779 if (!handler_found) { 780 pr_warn("No registered handler for compatible '%s'\n", 781 file_ser[i].compatible); 782 return -ENOENT; 783 } 784 785 luo_file = kzalloc(sizeof(*luo_file), GFP_KERNEL); 786 if (!luo_file) 787 return -ENOMEM; 788 789 luo_file->fh = fh; 790 luo_file->file = NULL; 791 luo_file->serialized_data = file_ser[i].data; 792 luo_file->token = file_ser[i].token; 793 luo_file->retrieved = false; 794 mutex_init(&luo_file->mutex); 795 list_add_tail(&luo_file->list, &file_set->files_list); 796 } 797 798 return 0; 799 } 800 801 void luo_file_set_init(struct luo_file_set *file_set) 802 { 803 INIT_LIST_HEAD(&file_set->files_list); 804 } 805 806 void luo_file_set_destroy(struct luo_file_set *file_set) 807 { 808 WARN_ON(file_set->count); 809 WARN_ON(!list_empty(&file_set->files_list)); 810 } 811 812 /** 813 * liveupdate_register_file_handler - Register a file handler with LUO. 814 * @fh: Pointer to a caller-allocated &struct liveupdate_file_handler. 815 * The caller must initialize this structure, including a unique 816 * 'compatible' string and a valid 'fh' callbacks. This function adds the 817 * handler to the global list of supported file handlers. 818 * 819 * Context: Typically called during module initialization for file types that 820 * support live update preservation. 821 * 822 * Return: 0 on success. Negative errno on failure. 823 */ 824 int liveupdate_register_file_handler(struct liveupdate_file_handler *fh) 825 { 826 struct liveupdate_file_handler *fh_iter; 827 int err; 828 829 if (!liveupdate_enabled()) 830 return -EOPNOTSUPP; 831 832 /* Sanity check that all required callbacks are set */ 833 if (!fh->ops->preserve || !fh->ops->unpreserve || !fh->ops->retrieve || 834 !fh->ops->finish || !fh->ops->can_preserve) { 835 return -EINVAL; 836 } 837 838 /* 839 * Ensure the system is quiescent (no active sessions). 840 * This prevents registering new handlers while sessions are active or 841 * while deserialization is in progress. 842 */ 843 if (!luo_session_quiesce()) 844 return -EBUSY; 845 846 /* Check for duplicate compatible strings */ 847 list_private_for_each_entry(fh_iter, &luo_file_handler_list, list) { 848 if (!strcmp(fh_iter->compatible, fh->compatible)) { 849 pr_err("File handler registration failed: Compatible string '%s' already registered.\n", 850 fh->compatible); 851 err = -EEXIST; 852 goto err_resume; 853 } 854 } 855 856 /* Pin the module implementing the handler */ 857 if (!try_module_get(fh->ops->owner)) { 858 err = -EAGAIN; 859 goto err_resume; 860 } 861 862 INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, flb_list)); 863 INIT_LIST_HEAD(&ACCESS_PRIVATE(fh, list)); 864 list_add_tail(&ACCESS_PRIVATE(fh, list), &luo_file_handler_list); 865 luo_session_resume(); 866 867 liveupdate_test_register(fh); 868 869 return 0; 870 871 err_resume: 872 luo_session_resume(); 873 return err; 874 } 875 876 /** 877 * liveupdate_unregister_file_handler - Unregister a liveupdate file handler 878 * @fh: The file handler to unregister 879 * 880 * Unregisters the file handler from the liveupdate core. This function 881 * reverses the operations of liveupdate_register_file_handler(). 882 * 883 * It ensures safe removal by checking that: 884 * No live update session is currently in progress. 885 * No FLB registered with this file handler. 886 * 887 * If the unregistration fails, the internal test state is reverted. 888 * 889 * Return: 0 Success. -EOPNOTSUPP when live update is not enabled. -EBUSY A live 890 * update is in progress, can't quiesce live update or FLB is registred with 891 * this file handler. 892 */ 893 int liveupdate_unregister_file_handler(struct liveupdate_file_handler *fh) 894 { 895 int err = -EBUSY; 896 897 if (!liveupdate_enabled()) 898 return -EOPNOTSUPP; 899 900 liveupdate_test_unregister(fh); 901 902 if (!luo_session_quiesce()) 903 goto err_register; 904 905 if (!list_empty(&ACCESS_PRIVATE(fh, flb_list))) 906 goto err_resume; 907 908 list_del(&ACCESS_PRIVATE(fh, list)); 909 module_put(fh->ops->owner); 910 luo_session_resume(); 911 912 return 0; 913 914 err_resume: 915 luo_session_resume(); 916 err_register: 917 liveupdate_test_register(fh); 918 return err; 919 } 920