Introduce LUO, a mechanism intended to facilitate kernel updates while
keeping designated devices operational across the transition (e.g., via
kexec). The primary use case is updating hypervisors with minimal
disruption to running virtual machines. For userspace side of hypervisor
update we have copyless migration. LUO is for updating the kernel.
This initial patch lays the groundwork for the LUO subsystem.
Further functionality, including the implementation of state transition
logic, integration with KHO, and hooks for subsystems and file
descriptors, will be added in subsequent patches.
Create a character device at /dev/liveupdate.
A new uAPI header, <uapi/linux/liveupdate.h>, will define the necessary
structures. The magic number for IOCTL is registered in
Documentation/userspace-api/ioctl/ioctl-number.rst.
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
---
.../userspace-api/ioctl/ioctl-number.rst | 2 +
include/linux/liveupdate.h | 35 ++++++
include/uapi/linux/liveupdate.h | 46 ++++++++
kernel/liveupdate/Kconfig | 27 +++++
kernel/liveupdate/Makefile | 5 +
kernel/liveupdate/luo_core.c | 111 ++++++++++++++++++
6 files changed, 226 insertions(+)
create mode 100644 include/linux/liveupdate.h
create mode 100644 include/uapi/linux/liveupdate.h
create mode 100644 kernel/liveupdate/luo_core.c
diff --git a/Documentation/userspace-api/ioctl/ioctl-number.rst b/Documentation/userspace-api/ioctl/ioctl-number.rst
index 7c527a01d1cf..7232b3544cec 100644
--- a/Documentation/userspace-api/ioctl/ioctl-number.rst
+++ b/Documentation/userspace-api/ioctl/ioctl-number.rst
@@ -385,6 +385,8 @@ Code Seq# Include File Comments
0xB8 01-02 uapi/misc/mrvl_cn10k_dpi.h Marvell CN10K DPI driver
0xB8 all uapi/linux/mshv.h Microsoft Hyper-V /dev/mshv driver
<mailto:linux-hyperv@vger.kernel.org>
+0xBA 00-0F uapi/linux/liveupdate.h Pasha Tatashin
+ <mailto:pasha.tatashin@soleen.com>
0xC0 00-0F linux/usb/iowarrior.h
0xCA 00-0F uapi/misc/cxl.h Dead since 6.15
0xCA 10-2F uapi/misc/ocxl.h
diff --git a/include/linux/liveupdate.h b/include/linux/liveupdate.h
new file mode 100644
index 000000000000..c6a1d6bd90cb
--- /dev/null
+++ b/include/linux/liveupdate.h
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+#ifndef _LINUX_LIVEUPDATE_H
+#define _LINUX_LIVEUPDATE_H
+
+#include <linux/bug.h>
+#include <linux/list.h>
+#include <linux/types.h>
+
+#ifdef CONFIG_LIVEUPDATE
+
+/* Return true if live update orchestrator is enabled */
+bool liveupdate_enabled(void);
+
+/* Called during kexec to tell LUO that entered into reboot */
+int liveupdate_reboot(void);
+
+#else /* CONFIG_LIVEUPDATE */
+
+static inline bool liveupdate_enabled(void)
+{
+ return false;
+}
+
+static inline int liveupdate_reboot(void)
+{
+ return 0;
+}
+
+#endif /* CONFIG_LIVEUPDATE */
+#endif /* _LINUX_LIVEUPDATE_H */
diff --git a/include/uapi/linux/liveupdate.h b/include/uapi/linux/liveupdate.h
new file mode 100644
index 000000000000..df34c1642c4d
--- /dev/null
+++ b/include/uapi/linux/liveupdate.h
@@ -0,0 +1,46 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+
+/*
+ * Userspace interface for /dev/liveupdate
+ * Live Update Orchestrator
+ *
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+#ifndef _UAPI_LIVEUPDATE_H
+#define _UAPI_LIVEUPDATE_H
+
+#include <linux/ioctl.h>
+#include <linux/types.h>
+
+/**
+ * DOC: General ioctl format
+ *
+ * The ioctl interface follows a general format to allow for extensibility. Each
+ * ioctl is passed in a structure pointer as the argument providing the size of
+ * the structure in the first u32. The kernel checks that any structure space
+ * beyond what it understands is 0. This allows userspace to use the backward
+ * compatible portion while consistently using the newer, larger, structures.
+ *
+ * ioctls use a standard meaning for common errnos:
+ *
+ * - ENOTTY: The IOCTL number itself is not supported at all
+ * - E2BIG: The IOCTL number is supported, but the provided structure has
+ * non-zero in a part the kernel does not understand.
+ * - EOPNOTSUPP: The IOCTL number is supported, and the structure is
+ * understood, however a known field has a value the kernel does not
+ * understand or support.
+ * - EINVAL: Everything about the IOCTL was understood, but a field is not
+ * correct.
+ * - ENOENT: A provided token does not exist.
+ * - ENOMEM: Out of memory.
+ * - EOVERFLOW: Mathematics overflowed.
+ *
+ * As well as additional errnos, within specific ioctls.
+ */
+
+/* The ioctl type, documented in ioctl-number.rst */
+#define LIVEUPDATE_IOCTL_TYPE 0xBA
+
+#endif /* _UAPI_LIVEUPDATE_H */
diff --git a/kernel/liveupdate/Kconfig b/kernel/liveupdate/Kconfig
index a973a54447de..90857dccb359 100644
--- a/kernel/liveupdate/Kconfig
+++ b/kernel/liveupdate/Kconfig
@@ -1,4 +1,10 @@
# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (c) 2025, Google LLC.
+# Pasha Tatashin <pasha.tatashin@soleen.com>
+#
+# Live Update Orchestrator
+#
menu "Live Update and Kexec HandOver"
depends on !DEFERRED_STRUCT_PAGE_INIT
@@ -51,4 +57,25 @@ config KEXEC_HANDOVER_ENABLE_DEFAULT
The default behavior can still be overridden at boot time by
passing 'kho=off'.
+config LIVEUPDATE
+ bool "Live Update Orchestrator"
+ depends on KEXEC_HANDOVER
+ help
+ Enable the Live Update Orchestrator. Live Update is a mechanism,
+ typically based on kexec, that allows the kernel to be updated
+ while keeping selected devices operational across the transition.
+ These devices are intended to be reclaimed by the new kernel and
+ re-attached to their original workload without requiring a device
+ reset.
+
+ Ability to handover a device from current to the next kernel depends
+ on specific support within device drivers and related kernel
+ subsystems.
+
+ This feature primarily targets virtual machine hosts to quickly update
+ the kernel hypervisor with minimal disruption to the running virtual
+ machines.
+
+ If unsure, say N.
+
endmenu
diff --git a/kernel/liveupdate/Makefile b/kernel/liveupdate/Makefile
index f52ce1ebcf86..08954c1770c4 100644
--- a/kernel/liveupdate/Makefile
+++ b/kernel/liveupdate/Makefile
@@ -1,5 +1,10 @@
# SPDX-License-Identifier: GPL-2.0
+luo-y := \
+ luo_core.o
+
obj-$(CONFIG_KEXEC_HANDOVER) += kexec_handover.o
obj-$(CONFIG_KEXEC_HANDOVER_DEBUG) += kexec_handover_debug.o
obj-$(CONFIG_KEXEC_HANDOVER_DEBUGFS) += kexec_handover_debugfs.o
+
+obj-$(CONFIG_LIVEUPDATE) += luo.o
diff --git a/kernel/liveupdate/luo_core.c b/kernel/liveupdate/luo_core.c
new file mode 100644
index 000000000000..30ad8836360b
--- /dev/null
+++ b/kernel/liveupdate/luo_core.c
@@ -0,0 +1,111 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (c) 2025, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+/**
+ * DOC: Live Update Orchestrator (LUO)
+ *
+ * Live Update is a specialized, kexec-based reboot process that allows a
+ * running kernel to be updated from one version to another while preserving
+ * the state of selected resources and keeping designated hardware devices
+ * operational. For these devices, DMA activity may continue throughout the
+ * kernel transition.
+ *
+ * While the primary use case driving this work is supporting live updates of
+ * the Linux kernel when it is used as a hypervisor in cloud environments, the
+ * LUO framework itself is designed to be workload-agnostic. Live Update
+ * facilitates a full kernel version upgrade for any type of system.
+ *
+ * For example, a non-hypervisor system running an in-memory cache like
+ * memcached with many gigabytes of data can use LUO. The userspace service
+ * can place its cache into a memfd, have its state preserved by LUO, and
+ * restore it immediately after the kernel kexec.
+ *
+ * Whether the system is running virtual machines, containers, a
+ * high-performance database, or networking services, LUO's primary goal is to
+ * enable a full kernel update by preserving critical userspace state and
+ * keeping essential devices operational.
+ *
+ * The core of LUO is a mechanism that tracks the progress of a live update,
+ * along with a callback API that allows other kernel subsystems to participate
+ * in the process. Example subsystems that can hook into LUO include: kvm,
+ * iommu, interrupts, vfio, participating filesystems, and memory management.
+ *
+ * LUO uses Kexec Handover to transfer memory state from the current kernel to
+ * the next kernel. For more details see
+ * Documentation/core-api/kho/concepts.rst.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/kobject.h>
+#include <linux/liveupdate.h>
+#include <linux/miscdevice.h>
+
+static struct {
+ bool enabled;
+} luo_global;
+
+static int __init early_liveupdate_param(char *buf)
+{
+ return kstrtobool(buf, &luo_global.enabled);
+}
+early_param("liveupdate", early_liveupdate_param);
+
+/* Public Functions */
+
+/**
+ * liveupdate_reboot() - Kernel reboot notifier for live update final
+ * serialization.
+ *
+ * This function is invoked directly from the reboot() syscall pathway
+ * if kexec is in progress.
+ *
+ * If any callback fails, this function aborts KHO, undoes the freeze()
+ * callbacks, and returns an error.
+ */
+int liveupdate_reboot(void)
+{
+ return 0;
+}
+
+/**
+ * liveupdate_enabled - Check if the live update feature is enabled.
+ *
+ * This function returns the state of the live update feature flag, which
+ * can be controlled via the ``liveupdate`` kernel command-line parameter.
+ *
+ * @return true if live update is enabled, false otherwise.
+ */
+bool liveupdate_enabled(void)
+{
+ return luo_global.enabled;
+}
+
+struct luo_device_state {
+ struct miscdevice miscdev;
+};
+
+static const struct file_operations luo_fops = {
+ .owner = THIS_MODULE,
+};
+
+static struct luo_device_state luo_dev = {
+ .miscdev = {
+ .minor = MISC_DYNAMIC_MINOR,
+ .name = "liveupdate",
+ .fops = &luo_fops,
+ },
+};
+
+static int __init liveupdate_ioctl_init(void)
+{
+ if (!liveupdate_enabled())
+ return 0;
+
+ return misc_register(&luo_dev.miscdev);
+}
+late_initcall(liveupdate_ioctl_init);
--
2.52.0.rc2.455.g230fcf2819-googOn Sat, Nov 22, 2025 at 05:23:28PM -0500, Pasha Tatashin wrote: > Introduce LUO, a mechanism intended to facilitate kernel updates while > keeping designated devices operational across the transition (e.g., via > kexec). The primary use case is updating hypervisors with minimal > disruption to running virtual machines. For userspace side of hypervisor > update we have copyless migration. LUO is for updating the kernel. > > This initial patch lays the groundwork for the LUO subsystem. > > Further functionality, including the implementation of state transition > logic, integration with KHO, and hooks for subsystems and file > descriptors, will be added in subsequent patches. > > Create a character device at /dev/liveupdate. > > A new uAPI header, <uapi/linux/liveupdate.h>, will define the necessary > structures. The magic number for IOCTL is registered in > Documentation/userspace-api/ioctl/ioctl-number.rst. > > Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com> > Reviewed-by: Pratyush Yadav <pratyush@kernel.org> Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org> with a few nits below > --- > diff --git a/kernel/liveupdate/Kconfig b/kernel/liveupdate/Kconfig > index a973a54447de..90857dccb359 100644 > --- a/kernel/liveupdate/Kconfig > +++ b/kernel/liveupdate/Kconfig > @@ -1,4 +1,10 @@ > # SPDX-License-Identifier: GPL-2.0-only > +# > +# Copyright (c) 2025, Google LLC. > +# Pasha Tatashin <pasha.tatashin@soleen.com> > +# > +# Live Update Orchestrator > +# If you are adding copyrights it should have Amazon and Microsoft as well. I believe those from kexec_handover.c would work. @Alex? > menu "Live Update and Kexec HandOver" > depends on !DEFERRED_STRUCT_PAGE_INIT > @@ -51,4 +57,25 @@ config KEXEC_HANDOVER_ENABLE_DEFAULT > The default behavior can still be overridden at boot time by > passing 'kho=off'. > > +config LIVEUPDATE > + bool "Live Update Orchestrator" > + depends on KEXEC_HANDOVER > + help > + Enable the Live Update Orchestrator. Live Update is a mechanism, > + typically based on kexec, that allows the kernel to be updated > + while keeping selected devices operational across the transition. > + These devices are intended to be reclaimed by the new kernel and > + re-attached to their original workload without requiring a device > + reset. > + > + Ability to handover a device from current to the next kernel depends > + on specific support within device drivers and related kernel > + subsystems. Sorry, somehow this slipped during v6 review. These days LUO is less about devices and more about file descriptors :) > + > + This feature primarily targets virtual machine hosts to quickly update > + the kernel hypervisor with minimal disruption to the running virtual > + machines. > + > + If unsure, say N. > + > endmenu -- Sincerely yours, Mike.
On Sun, Nov 23, 2025 at 6:12 AM Mike Rapoport <rppt@kernel.org> wrote: > > On Sat, Nov 22, 2025 at 05:23:28PM -0500, Pasha Tatashin wrote: > > Introduce LUO, a mechanism intended to facilitate kernel updates while > > keeping designated devices operational across the transition (e.g., via > > kexec). The primary use case is updating hypervisors with minimal > > disruption to running virtual machines. For userspace side of hypervisor > > update we have copyless migration. LUO is for updating the kernel. > > > > This initial patch lays the groundwork for the LUO subsystem. > > > > Further functionality, including the implementation of state transition > > logic, integration with KHO, and hooks for subsystems and file > > descriptors, will be added in subsequent patches. > > > > Create a character device at /dev/liveupdate. > > > > A new uAPI header, <uapi/linux/liveupdate.h>, will define the necessary > > structures. The magic number for IOCTL is registered in > > Documentation/userspace-api/ioctl/ioctl-number.rst. > > > > Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com> > > Reviewed-by: Pratyush Yadav <pratyush@kernel.org> > > Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Thank you > > with a few nits below > > > --- > > > diff --git a/kernel/liveupdate/Kconfig b/kernel/liveupdate/Kconfig > > index a973a54447de..90857dccb359 100644 > > --- a/kernel/liveupdate/Kconfig > > +++ b/kernel/liveupdate/Kconfig > > @@ -1,4 +1,10 @@ > > # SPDX-License-Identifier: GPL-2.0-only > > +# > > +# Copyright (c) 2025, Google LLC. > > +# Pasha Tatashin <pasha.tatashin@soleen.com> > > +# > > +# Live Update Orchestrator > > +# > > If you are adding copyrights it should have Amazon and Microsoft as well. > I believe those from kexec_handover.c would work. > > @Alex? Sure, or I can remove all of them from Kconfig, whatever you prefer :-) > > > menu "Live Update and Kexec HandOver" > > depends on !DEFERRED_STRUCT_PAGE_INIT > > @@ -51,4 +57,25 @@ config KEXEC_HANDOVER_ENABLE_DEFAULT > > The default behavior can still be overridden at boot time by > > passing 'kho=off'. > > > > +config LIVEUPDATE > > + bool "Live Update Orchestrator" > > + depends on KEXEC_HANDOVER > > + help > > + Enable the Live Update Orchestrator. Live Update is a mechanism, > > + typically based on kexec, that allows the kernel to be updated > > + while keeping selected devices operational across the transition. > > + These devices are intended to be reclaimed by the new kernel and > > + re-attached to their original workload without requiring a device > > + reset. > > + > > + Ability to handover a device from current to the next kernel depends > > + on specific support within device drivers and related kernel > > + subsystems. > > Sorry, somehow this slipped during v6 review. > These days LUO is less about devices and more about file descriptors :) Device preservation through file descriptors: memfd, iommufd, vfiofd are all dependencies for preserving devices. That Kconfig description is correct and essential because the core complexity of the LUO is the preservation of device state and I/O across a kernel transition, which is a harder problem than just preserving memory or files, for that we could have used a file system instead of inventing something new with logic of can_preserve() etc. Device preservation requires exactly what is stated in the description for this config: "Ability to handover a device from current to the next kernel depends on specific support within device drivers and related kernel subsystems." The only subsystem that is getting upstreamed with this series is MEMFD, it is a hard pre-requirement for iommufd preservation; the other subsystems: VFIO, PCI, IOMMU are WIP. > > + > > + This feature primarily targets virtual machine hosts to quickly update > > + the kernel hypervisor with minimal disruption to the running virtual > > + machines. > > + > > + If unsure, say N. > > + > > endmenu > > -- > Sincerely yours, > Mike.
On Sun, Nov 23, 2025 at 07:15:44AM -0500, Pasha Tatashin wrote: > On Sun, Nov 23, 2025 at 6:12 AM Mike Rapoport <rppt@kernel.org> wrote: > > > > On Sat, Nov 22, 2025 at 05:23:28PM -0500, Pasha Tatashin wrote: > > > Introduce LUO, a mechanism intended to facilitate kernel updates while > > > keeping designated devices operational across the transition (e.g., via > > > kexec). The primary use case is updating hypervisors with minimal > > > disruption to running virtual machines. For userspace side of hypervisor > > > update we have copyless migration. LUO is for updating the kernel. > > > > > > This initial patch lays the groundwork for the LUO subsystem. > > > > > > Further functionality, including the implementation of state transition > > > logic, integration with KHO, and hooks for subsystems and file > > > descriptors, will be added in subsequent patches. > > > > > > Create a character device at /dev/liveupdate. > > > > > > A new uAPI header, <uapi/linux/liveupdate.h>, will define the necessary > > > structures. The magic number for IOCTL is registered in > > > Documentation/userspace-api/ioctl/ioctl-number.rst. > > > > > > Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com> > > > Reviewed-by: Pratyush Yadav <pratyush@kernel.org> > > > > Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org> > > Thank you > > > > > with a few nits below > > > > > --- > > > > > diff --git a/kernel/liveupdate/Kconfig b/kernel/liveupdate/Kconfig > > > index a973a54447de..90857dccb359 100644 > > > --- a/kernel/liveupdate/Kconfig > > > +++ b/kernel/liveupdate/Kconfig > > > @@ -1,4 +1,10 @@ > > > # SPDX-License-Identifier: GPL-2.0-only > > > +# > > > +# Copyright (c) 2025, Google LLC. > > > +# Pasha Tatashin <pasha.tatashin@soleen.com> > > > +# > > > +# Live Update Orchestrator > > > +# > > > > If you are adding copyrights it should have Amazon and Microsoft as well. > > I believe those from kexec_handover.c would work. > > > > @Alex? > > Sure, or I can remove all of them from Kconfig, whatever you prefer :-) Quick grepping shows that the vast majority of Kconfigs does not have copyright, let's just drop it. > > > menu "Live Update and Kexec HandOver" > > > depends on !DEFERRED_STRUCT_PAGE_INIT > > > @@ -51,4 +57,25 @@ config KEXEC_HANDOVER_ENABLE_DEFAULT > > > The default behavior can still be overridden at boot time by > > > passing 'kho=off'. > > > > > > +config LIVEUPDATE > > > + bool "Live Update Orchestrator" > > > + depends on KEXEC_HANDOVER > > > + help > > > + Enable the Live Update Orchestrator. Live Update is a mechanism, > > > + typically based on kexec, that allows the kernel to be updated > > > + while keeping selected devices operational across the transition. > > > + These devices are intended to be reclaimed by the new kernel and > > > + re-attached to their original workload without requiring a device > > > + reset. > > > + > > > + Ability to handover a device from current to the next kernel depends > > > + on specific support within device drivers and related kernel > > > + subsystems. > > > > Sorry, somehow this slipped during v6 review. > > These days LUO is less about devices and more about file descriptors :) > > Device preservation through file descriptors: memfd, iommufd, vfiofd > are all dependencies for preserving devices. > > That Kconfig description is correct and essential because the core > complexity of the LUO is the preservation of device state and I/O > across a kernel transition, which is a harder problem than just > preserving memory or files, for that we could have used a file system > instead of inventing something new with logic of can_preserve() etc. > > Device preservation requires exactly what is stated in the description > for this config: > "Ability to handover a device from current to the next kernel depends > on specific support within device drivers and related kernel > subsystems." The only subsystem that is getting upstreamed with this > series is MEMFD, it is a hard pre-requirement for iommufd > preservation; the other subsystems: VFIO, PCI, IOMMU are WIP. Ok. -- Sincerely yours, Mike.
© 2016 - 2025 Red Hat, Inc.