On Tue, Apr 14 2026, Pasha Tatashin wrote: > Currently, the number of LUO sessions is limited by a fixed number of > pre-allocated pages for serialization (16 pages, allowing for ~819 > sessions). > > This limitation is problematic if LUO is used to support things such as > systemd file descriptor store, and would be used not just as VM memory > but to save other states on the machine. > > Remove this limit by transitioning to a linked-block approach for > session metadata serialization. Instead of a single contiguous block, > session metadata is now stored in a chain of 16-page blocks. Each block > starts with a header containing the physical address of the next block > and the number of session entries in the current block.
We now have 3 variants of this linked block data structure: LUO sessions, LUO files, and KHO vmalloc. Is it time now to unify them into a reusable data structure? I proposed "KHO Array" some time ago. That was a collection of pointers, but perhaps we can generalize that to a collection of elements of arbitrary size? [0] https://lore.kernel.org/linux-mm/[email protected]/T/#u > > - Bump session ABI version to v3. > - Update struct luo_session_header_ser to include a 'next' pointer. > - Implement dynamic block allocation in luo_session_insert(). > - Update setup, serialization, and deserialization logic to traverse > the block chain. > - Remove LUO_SESSION_MAX limit. > > Signed-off-by: Pasha Tatashin <[email protected]> > --- > include/linux/kho/abi/luo.h | 19 +-- > kernel/liveupdate/luo_internal.h | 12 +- > kernel/liveupdate/luo_session.c | 237 +++++++++++++++++++++++-------- > 3 files changed, 197 insertions(+), 71 deletions(-) > > diff --git a/include/linux/kho/abi/luo.h b/include/linux/kho/abi/luo.h > index 46750a0ddf88..f5732958545e 100644 > --- a/include/linux/kho/abi/luo.h > +++ b/include/linux/kho/abi/luo.h > @@ -57,9 +57,10 @@ > * - compatible: "luo-session-v1" > * Identifies the session ABI version. > * - luo-session-header: u64 > - * The physical address of a `struct luo_session_header_ser`. This > structure > - * is the header for a contiguous block of memory containing an array of > - * `struct luo_session_ser`, one for each preserved session. > + * The physical address of the first `struct luo_session_header_ser`. > + * This structure is the header for a block of memory containing an array > + * of `struct luo_session_ser` entries. Multiple blocks are linked via > + * the `next` field in the header. > * > * File-Lifecycle-Bound Node (luo-flb): > * This node describes all preserved global objects whose lifecycle is > bound > @@ -77,9 +78,9 @@ > * `__packed` structures. These structures contain the actual preserved > state. > * > * - struct luo_session_header_ser: > - * Header for the session array. Contains the total page count of the > - * preserved memory block and the number of `struct luo_session_ser` > - * entries that follow. > + * Header for the session data block. Contains the physical address of > the > + * next session data block and the number of `struct luo_session_ser` > + * entries that follow this header in the current block. > * > * - struct luo_session_ser: > * Metadata for a single session, including its name and a physical > pointer > @@ -153,21 +154,23 @@ struct luo_file_set_ser { > * luo_session_header_ser > */ > #define LUO_FDT_SESSION_NODE_NAME "luo-session" > -#define LUO_FDT_SESSION_COMPATIBLE "luo-session-v2" > +#define LUO_FDT_SESSION_COMPATIBLE "luo-session-v3" > #define LUO_FDT_SESSION_HEADER "luo-session-header" > > /** > * struct luo_session_header_ser - Header for the serialized session data > block. > + * @next: Physical address of the next struct luo_session_header_ser. > * @count: The number of `struct luo_session_ser` entries that immediately > * follow this header in the memory block. > * > - * This structure is located at the beginning of a contiguous block of > + * This structure is located at the beginning of a block of > * physical memory preserved across the kexec. It provides the necessary > * metadata to interpret the array of session entries that follow. > * > * If this structure is modified, `LUO_FDT_SESSION_COMPATIBLE` must be > updated. > */ > struct luo_session_header_ser { > + u64 next; > u64 count; > } __packed; > > diff --git a/kernel/liveupdate/luo_internal.h > b/kernel/liveupdate/luo_internal.h > index 875844d7a41d..a73f42069301 100644 > --- a/kernel/liveupdate/luo_internal.h > +++ b/kernel/liveupdate/luo_internal.h > @@ -11,6 +11,16 @@ > #include <linux/liveupdate.h> > #include <linux/uaccess.h> > > +/* > + * Safeguard limit for the number of serialization blocks. This is used to > + * prevent infinite loops and excessive memory allocation in case of memory > + * corruption in the preserved state. > + * > + * This limit allows for ~8.1 million sessions and ~1.2 million files per > + * session, which is more than enough for all realistic use cases. > + */ > +#define LUO_MAX_BLOCKS 10000 > + > struct luo_ucmd { > void __user *ubuffer; > u32 user_size; > @@ -59,7 +69,6 @@ struct luo_file_set { > * struct luo_session - Represents an active or incoming Live Update session. > * @name: A unique name for this session, used for identification and > * retrieval. > - * @ser: Pointer to the serialized data for this session. > * @list: A list_head member used to link this session into a global > list > * of either outgoing (to be preserved) or incoming (restored > from > * previous kernel) sessions. > @@ -70,7 +79,6 @@ struct luo_file_set { > */ > struct luo_session { > char name[LIVEUPDATE_SESSION_NAME_LENGTH]; > - struct luo_session_ser *ser; I was confused by this removal. Seeing this makes one think this got moved to some other place. But it seems like this was never used. I think it would be good to mention that in the commit message. > struct list_head list; > bool retrieved; > struct luo_file_set file_set; > diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c > index 92b1af791889..007ca34eba79 100644 > --- a/kernel/liveupdate/luo_session.c > +++ b/kernel/liveupdate/luo_session.c > @@ -69,30 +69,39 @@ > #include <uapi/linux/liveupdate.h> > #include "luo_internal.h" > > -/* 16 4K pages, give space for 744 sessions */ > +/* 16 4K pages, give space for 819 sessions per block */ It seems odd to read that we added 8 bytes to the header and the number of sessions per block grew. But then I did the math and I think the number was always 819 sessions per block and adding the extra 8 bytes didn't make a difference. > #define LUO_SESSION_PGCNT 16ul > -#define LUO_SESSION_MAX (((LUO_SESSION_PGCNT << PAGE_SHIFT) - > \ > +#define LUO_SESSION_BLOCK_MAX (((LUO_SESSION_PGCNT << > PAGE_SHIFT) - \ > sizeof(struct luo_session_header_ser)) / \ > sizeof(struct luo_session_ser)) > > +/** > + * struct luo_session_block - Internal representation of a session > serialization block. > + * @list: List head for linking blocks in memory. > + * @ser: Pointer to the serialized header in preserved memory. > + */ > +struct luo_session_block { > + struct list_head list; > + struct luo_session_header_ser *ser; Nit: luo_session_header_ser reads like it is the header for the entire list not for each block. Perhaps rename it to luo_block_header_ser? > +}; > + > /** > * struct luo_session_header - Header struct for managing LUO sessions. > * @count: The number of sessions currently tracked in the @list. > + * @nblocks: The number of allocated serialization blocks. > * @list: The head of the linked list of `struct luo_session` > instances. > * @rwsem: A read-write semaphore providing synchronized access to the > * session list and other fields in this structure. > - * @header_ser: The header data of serialization array. > - * @ser: The serialized session data (an array of > - * `struct luo_session_ser`). > + * @blocks: The list of serialization blocks (struct luo_session_block). > * @active: Set to true when first initialized. If previous kernel did > not > * send session data, active stays false for incoming. > */ > struct luo_session_header { > long count; > + long nblocks; > struct list_head list; > struct rw_semaphore rwsem; > - struct luo_session_header_ser *header_ser; > - struct luo_session_ser *ser; > + struct list_head blocks; > bool active; > }; > > @@ -110,10 +119,12 @@ static struct luo_session_global luo_session_global = { > .incoming = { > .list = LIST_HEAD_INIT(luo_session_global.incoming.list), > .rwsem = __RWSEM_INITIALIZER(luo_session_global.incoming.rwsem), > + .blocks = LIST_HEAD_INIT(luo_session_global.incoming.blocks), > }, > .outgoing = { > .list = LIST_HEAD_INIT(luo_session_global.outgoing.list), > .rwsem = __RWSEM_INITIALIZER(luo_session_global.outgoing.rwsem), > + .blocks = LIST_HEAD_INIT(luo_session_global.outgoing.blocks), > }, > }; > > @@ -140,6 +151,70 @@ static void luo_session_free(struct luo_session *session) > kfree(session); > } > > +static int luo_session_add_block(struct luo_session_header *sh, > + struct luo_session_header_ser *ser) > +{ > + struct luo_session_block *block; > + > + if (sh->nblocks >= LUO_MAX_BLOCKS) > + return -ENOSPC; > + > + block = kzalloc_obj(*block); > + if (!block) > + return -ENOMEM; > + > + block->ser = ser; > + list_add_tail(&block->list, &sh->blocks); > + sh->nblocks++; > + > + return 0; > +} > + > +static int luo_session_create_ser_block(struct luo_session_header *sh) > +{ > + struct luo_session_block *last = NULL; > + struct luo_session_header_ser *ser; > + int err; > + > + ser = kho_alloc_preserve(LUO_SESSION_PGCNT << PAGE_SHIFT); > + if (IS_ERR(ser)) > + return PTR_ERR(ser); > + > + if (!list_empty(&sh->blocks)) > + last = list_last_entry(&sh->blocks, struct luo_session_block, > list); Nit: using list_last_entry_or_null() is a tiny bit cleaner. > + > + err = luo_session_add_block(sh, ser); > + if (err) > + goto err_unpreserve; > + > + if (last) > + last->ser->next = virt_to_phys(ser); Nit: can you please move this to luo_session_add_block(). Logically this operation is a part of adding a block. You add a block to the list and then update the serialized state. So would be nice to have it done in one place. > + > + return 0; > + > +err_unpreserve: > + kho_unpreserve_free(ser); > + return err; > +} > + > +static void luo_session_destroy_ser_blocks(struct luo_session_header *sh, > + bool unpreserve) > +{ > + struct luo_session_block *block, *tmp; > + > + list_for_each_entry_safe(block, tmp, &sh->blocks, list) { > + if (block->ser) { Block always has ser. Why this check? > + if (unpreserve) > + kho_unpreserve_free(block->ser); > + else > + kho_restore_free(block->ser); Ugh, this is ugly. But I don't see anything obviously better. Perhaps we can check for sh == luo_session_global.outgoing but that is probably worse. > + } > + list_del(&block->list); > + kfree(block); > + sh->nblocks--; > + } > +} > + > static int luo_session_insert(struct luo_session_header *sh, > struct luo_session *session) > { > @@ -147,15 +222,6 @@ static int luo_session_insert(struct luo_session_header > *sh, > > guard(rwsem_write)(&sh->rwsem); > > - /* > - * For outgoing we should make sure there is room in serialization array > - * for new session. > - */ > - if (sh == &luo_session_global.outgoing) { > - if (sh->count == LUO_SESSION_MAX) > - return -ENOMEM; > - } > - > /* > * For small number of sessions this loop won't hurt performance > * but if we ever start using a lot of sessions, this might > @@ -166,6 +232,20 @@ static int luo_session_insert(struct luo_session_header > *sh, > if (!strncmp(it->name, session->name, sizeof(it->name))) > return -EEXIST; > } > + > + /* > + * For outgoing we should make sure there is room in serialization array > + * for new session. If not, allocate a new block. > + */ > + if (sh == &luo_session_global.outgoing) { > + if (sh->count == sh->nblocks * LUO_SESSION_BLOCK_MAX) { > + int err = luo_session_create_ser_block(sh); > + > + if (err) > + return err; > + } > + } > + Since we just allocate space here and not actually fill it yet, I think we can do the same check in luo_session_remove() to free blocks once session count falls below (sh->nblocks - 1) * LUO_SESSION_BLOCK_MAX. This prevents memory leak if the number of sessions goes too high at some point and then falls back down. Not that I think it is something likely to happen, but I don't see why not. Perhaps also abstract this out to a helper function for readability? > list_add_tail(&session->list, &sh->list); > sh->count++; > > @@ -444,9 +524,12 @@ int __init luo_session_setup_outgoing(void *fdt_out) > u64 header_ser_pa; > int err; > > - header_ser = kho_alloc_preserve(LUO_SESSION_PGCNT << PAGE_SHIFT); > - if (IS_ERR(header_ser)) > - return PTR_ERR(header_ser); > + err = luo_session_create_ser_block(&luo_session_global.outgoing); > + if (err) > + return err; > + > + header_ser = list_first_entry(&luo_session_global.outgoing.blocks, > + struct luo_session_block, list)->ser; I suppose it would be a tiny bit better to create a placeholder entry here and then fill it up later in luo_session_serialize(). This would result in the first block not being a special case and it can be allocated and freed on demand list the rest of the blocks. I won't insist on it but would be nice to have IMO if you're willing to do the refactor. > header_ser_pa = virt_to_phys(header_ser); > > err = fdt_begin_node(fdt_out, LUO_FDT_SESSION_NODE_NAME); > @@ -459,19 +542,18 @@ int __init luo_session_setup_outgoing(void *fdt_out) > if (err) > goto err_unpreserve; > > - luo_session_global.outgoing.header_ser = header_ser; > - luo_session_global.outgoing.ser = (void *)(header_ser + 1); > luo_session_global.outgoing.active = true; > > return 0; > > err_unpreserve: > - kho_unpreserve_free(header_ser); > + luo_session_destroy_ser_blocks(&luo_session_global.outgoing, true); > return err; > } > > int __init luo_session_setup_incoming(void *fdt_in) > { > + struct luo_session_header *sh = &luo_session_global.incoming; > struct luo_session_header_ser *header_ser; > int err, header_size, offset; > u64 header_ser_pa; [...] -- Regards, Pratyush Yadav
