[PATCH v3 00/10] liveupdate: Fix module unloading and unregister API
From: Pasha Tatashin
Date: Thu Mar 26 2026 - 23:34:18 EST
This patch series addresses an issue with how LUO handles module
reference counting and unregistration during a module unload (e.g.,
via rmmod).

Currently, modules that register live update file handlers are pinned
for the entire duration they are registered. This prevents the modules
from being unloaded gracefully, even when no live update session is in
progress.

Furthermore, if a module is forcefully unloaded, the unregistration
functions return an error (e.g. -EBUSY) if a session is active, which
is ignored by the kernel's module unload path, leaving dangling
pointers in the LUO global lists.

To resolve these issues, this series introduces the following changes:

1. Adds a global read-write semaphore (luo_register_rwlock) to protect
   the registration lists for both file handlers and FLBs.
2. Reduces the scope of module reference counting for file handlers and
   FLBs. Instead of pinning modules indefinitely upon registration,
   references are now taken only when they are actively used in a live
   update session (e.g., during preservation, retrieval, or
   deserialization).
3. Removes the global luo_session_quiesce() mechanism since module
   unload behavior now handles active sessions implicitly.
4. Introduces auto-unregistration of FLBs during file handler
   unregistration to prevent leaving dangling resources.
5. Changes the unregistration functions to return void instead of
   an error code.
6. Fixes a data race in luo_flb_get_private() by introducing a spinlock
   for thread-safe lazy initialization.
7. Strengthens security by using %.*s when printing untrusted deserialized
   compatible strings and session names to prevent out-of-bounds reads.

Changelog since v2:
- Reintroduced explicit module refcounting for file handlers from v1 to
  avoid problems during deserialization time and for overall simplicity.
- Simplified the locking model by consolidating luo_file_handler_lock,
  luo_flb_lock, and per-handler flb_lock into a single luo_register_rwlock,
  based on a suggestion from Samiullah Khawaja.
- Replaced scoped_guard() with explicit down/up lock calls in cases where
  goto is used for error handling, as suggested by Mike Rapoport.
- Also add two small hardening fixes: Synchronize lazy initialization of
  FLB private state and Safely print untrusted strings.

[1] https://lore.kernel.org/all/20260303210733.GG972761@xxxxxxxxxx
[2] https://lore.kernel.org/all/20260318141637.1870220-10-pasha.tatashin@xxxxxxxxxx

Pasha Tatashin (10):
  liveupdate: Safely print untrusted strings
  liveupdate: Synchronize lazy initialization of FLB private state
  liveupdate: Protect file handler list with rwsem
  liveupdate: Protect FLB lists with luo_register_rwlock
  liveupdate: Defer FLB module refcounting to active sessions
  liveupdate: Remove luo_session_quiesce()
  liveupdate: Auto unregister FLBs on file handler unregistration
  liveupdate: Remove liveupdate_test_unregister()
  liveupdate: Make unregister functions return void
  liveupdate: Defer file handler module refcounting to active sessions

 include/linux/liveupdate.h       |  15 ++-
 kernel/liveupdate/luo_core.c     |   6 +
 kernel/liveupdate/luo_file.c     |  82 +++++---------
 kernel/liveupdate/luo_flb.c      | 182 ++++++++++++++++---------------
 kernel/liveupdate/luo_internal.h |   7 +-
 kernel/liveupdate/luo_session.c  |  46 +-------
 lib/tests/liveupdate.c           |  18 ---
 7 files changed, 142 insertions(+), 214 deletions(-)

base-commit: 4f1d805a97d6353e4ae468b08ca212641cd26f92
--
2.43.0
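
Item 7 of the cover letter, bounding the print of a deserialized string with %.*s, illustrated as an added userspace example; it is not code from this series. The struct layout, the 16-byte field size, the demo_* names and the sample bytes are all assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_COMPAT_LEN 16	/* assumed field size, not taken from the series */

/* Constructed stand-in for a record deserialized from preserved memory. */
struct demo_ser_record {
	char compatible[DEMO_COMPAT_LEN];	/* may arrive without a NUL */
	char neighbour[8];			/* whatever follows in memory */
};

/* Fill the name field with exactly len raw bytes; no terminator is added. */
static void demo_fill(struct demo_ser_record *r, const char *bytes, size_t len)
{
	memset(r, 0, sizeof(*r));
	if (len > sizeof(r->compatible))
		len = sizeof(r->compatible);
	memcpy(r->compatible, bytes, len);
	memcpy(r->neighbour, "NEXTFLD", 8);
}

/*
 * Bounded print: the precision caps how many bytes %s may read, so an
 * unterminated field cannot drag neighbouring memory into the log line.
 * A plain "%s" here would keep reading until it found a NUL byte.
 */
static int demo_log_compatible(const struct demo_ser_record *r,
			       char *out, size_t outlen)
{
	return snprintf(out, outlen, "unknown handler '%.*s'",
			(int)sizeof(r->compatible), r->compatible);
}

int main(void)
{
	struct demo_ser_record r;
	char line[64];

	demo_fill(&r, "AAAAAAAAAAAAAAAA", 16);	/* fills the field, no NUL */
	demo_log_compatible(&r, line, sizeof(line));
	puts(line);

	demo_fill(&r, "demo-fh-v1", 10);	/* short, NUL-padded name */
	demo_log_compatible(&r, line, sizeof(line));
	puts(line);
	return 0;
}
```

With a precision given, the formatter stops at the first NUL or at the precision, whichever comes first, so both the unterminated and the short name print correctly.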