Re: [PATCH v3 1/2] liveupdate: prevent double management of files

Next message: Pranjal Shrivastava: "Re: [PATCH 14/14] iommufd/selftest: Add test to verify iommufd preservation"
Previous message: Mimi Zohar: "Re: [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG"
In reply to: David Matlack: "Re: [PATCH v3 1/2] liveupdate: prevent double management of files"
Next in thread: Pasha Tatashin: "Re: [PATCH v3 1/2] liveupdate: prevent double management of files"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pasha Tatashin

Date: Wed Mar 25 2026 - 17:16:14 EST

On Wed, Mar 25, 2026 at 4:34 PM David Matlack <dmatlack@xxxxxxxxxx> wrote:
>
> On Wed, Mar 25, 2026 at 1:20 PM Pratyush Yadav <pratyush@xxxxxxxxxx> wrote:
>
> > For memfd and hugetlb at least, we serialize the _inode_ not the file.
> > The inode has the contents that we care to preserve.
> >
> > So if two FDs point to the same inode, this will break. You can do this
> > by first creating a memfd and then by opening "/proc/self/fd/<fd>". Then
> > you would be able to trigger the preservation twice, causing all sorts
> > of problems. Same on the retrieve side.

Hm.

>
> > So unless I am missing something, I don't think this approach will work.
> > As much as I hate to suggest it, I think we need to move this check to
> > each caller so they can find out the object they need to serialize and
> > check if it already is.
>
> I think LUO can still enforce that the file is not preserved twice.
> HugeTLB and memfd's preserve() functions just need to also check that
> the associated inode has not already been preserved?

For memfd/hugetlbs the true state is in inode
For vfio/kvm the shared anonymous inode is just a dummy wrapper, and
the true state is in file->private_data.

I wonder if we could use the XArray to track inodes for standard
files, but track the struct file itself for anonymous files (we would
need a new function from FS that allows us to determine if "struct
file" has anonymous inode or not).

Pasha