From nobody Sat Feb 7 08:44:17 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B506B1917CD for ; Fri, 23 Jan 2026 09:59:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769162349; cv=none; b=JY35fpfmt9DL2dqs1nWOt4Y9HhSxcLnp9cFAlcCYjkXjcCj+rBAVqHbWXedGBu3i1PpC/qZMmvro1pGhq32jsUMP01xmif4nWyRCRQ/e7LcmgvqWXZILKhh5BpgyWNIwHQ4+L8vMnRjzmO4q8P90Iftc3J9f3PRIPqR+N3fZ4G4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769162349; c=relaxed/simple; bh=JvST1LRGXZAf6Fyp43JKlkKdk/TN8dTyoER4Anwc9lI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=V4OnlS6k+8HPQa25Y3Cb2v8yRIdZj/mXeuDIS3RXWXW6dJyxT7SpqMFAkZOfI3KrCqaLcoP0/HHHHZwBencQQjESgtlwWzi3vAhFZmRwr2mJDHfNp/YZtW/iYmU+xnvACbLuN6RA/RdxliJ2QoSyjHIJBpzzhZKapEs1pdeV34Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Ty+NY1Hr; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Ty+NY1Hr" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 18175C19425; Fri, 23 Jan 2026 09:59:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1769162349; bh=JvST1LRGXZAf6Fyp43JKlkKdk/TN8dTyoER4Anwc9lI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ty+NY1Hrg5UajXyM+Q53oJKE4lYESs2Ndf+rrFZyw5pJWcm5xsIKI1M81U/M88o4t 6IJzU0w8L9WRwVIjLWvHI6yTSrh2shg2g1jDjpzIzu9SLF22HeiOs8HZUSkeMOO554 eNrgEcRxRSUE8dV4e6skUucVCyYLm/CgKNAlktZzmlkPPqEaas8BY6rSMTLzYKEo8/ 0bS7kgysYI3H0JHAYcpov9Epz6ufCGqgafeXowxD4ICwP0M2xtAyQYsDZUw1BqM3fp DynHLuIgjz6nJpa/6iPihIquJZcegVo5xCJaTBInm4jlAIDGmKek8t1d/Q5A8b3n/C ntzq4giz/m+Xg== From: Pratyush Yadav To: Alexander Graf , Mike Rapoport , Pasha Tatashin , Pratyush Yadav , Hugh Dickins , Baolin Wang , Andrew Morton Cc: Jason Gunthorpe , Samiullah Khawaja , kexec@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/2] memfd: export memfd_{add,get}_seals() Date: Fri, 23 Jan 2026 10:58:50 +0100 Message-ID: <20260123095854.535058-2-pratyush@kernel.org> X-Mailer: git-send-email 2.52.0.457.g6b5491de43-goog In-Reply-To: <20260123095854.535058-1-pratyush@kernel.org> References: <20260123095854.535058-1-pratyush@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: "Pratyush Yadav (Google)" Support for preserving file seals will be added to memfd preservation using the Live Update Orchestrator (LUO). Export memfd_{add,get}_seals)() so memfd_luo can use them to manipulate the seals. Signed-off-by: Pratyush Yadav (Google) Acked-by: Mike Rapoport (Microsoft) --- include/linux/memfd.h | 12 ++++++++++++ mm/memfd.c | 4 ++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/include/linux/memfd.h b/include/linux/memfd.h index c328a7b356d0..b4fda09dab9f 100644 --- a/include/linux/memfd.h +++ b/include/linux/memfd.h @@ -18,6 +18,8 @@ struct folio *memfd_alloc_folio(struct file *memfd, pgoff= _t idx); */ int memfd_check_seals_mmap(struct file *file, vm_flags_t *vm_flags_ptr); struct file *memfd_alloc_file(const char *name, unsigned int flags); +int memfd_get_seals(struct file *file); +int memfd_add_seals(struct file *file, unsigned int seals); #else static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned in= t a) { @@ -37,6 +39,16 @@ static inline struct file *memfd_alloc_file(const char *= name, unsigned int flags { return ERR_PTR(-EINVAL); } + +static inline int memfd_get_seals(struct file *file) +{ + return -EINVAL; +} + +static inline int memfd_add_seals(struct file *file, unsigned int seals) +{ + return -EINVAL; +} #endif =20 #endif /* __LINUX_MEMFD_H */ diff --git a/mm/memfd.c b/mm/memfd.c index f032c6052926..46c5508beea4 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -228,7 +228,7 @@ static unsigned int *memfd_file_seals_ptr(struct file *= file) F_SEAL_WRITE | \ F_SEAL_FUTURE_WRITE) =20 -static int memfd_add_seals(struct file *file, unsigned int seals) +int memfd_add_seals(struct file *file, unsigned int seals) { struct inode *inode =3D file_inode(file); unsigned int *file_seals; @@ -310,7 +310,7 @@ static int memfd_add_seals(struct file *file, unsigned = int seals) return error; } =20 -static int memfd_get_seals(struct file *file) +int memfd_get_seals(struct file *file) { unsigned int *seals =3D memfd_file_seals_ptr(file); =20 --=20 2.52.0.457.g6b5491de43-goog From nobody Sat Feb 7 08:44:17 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A0A1F340293 for ; Fri, 23 Jan 2026 09:59:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769162353; cv=none; b=mL4KYQxm2TpbGXoqxhUfHjqlM+8jDIN2PNdEfdMh/YDpOhxF9J0QSA0Mb9bDl3OxvBlcpmYax7MutVk1YQS3t7n+24NG4n6ZRME1x0lvBmg+NxVULqWcVgNE399RaAUndAzcP0oTGfcfCHHjmI+CDZDkULBpwrpRmamWvb1tZyQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769162353; c=relaxed/simple; bh=1YfoW2OKTDLDdQexCVzUsywJpWB4iHKtpLSFlvpGsVc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=WU0+yU8GZsa9ym84iLfqw8ZcgKhH9vzT1I0VlL67mHkKBuwbw4cDZs8/Or5tlqOdfGhRyq2HkB/7d8itnGalyFWz5dtFSL1zuiQ8bbP3Qol26OwzB4BudJCuB+hdYp/4votxwIkbpNRfHORh6XNXvk9x04DCAymVcy/uZ6oe1Ks= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ADfhbIZT; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ADfhbIZT" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 60E86C4CEF1; Fri, 23 Jan 2026 09:59:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1769162351; bh=1YfoW2OKTDLDdQexCVzUsywJpWB4iHKtpLSFlvpGsVc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ADfhbIZTSW/JeHR3m/hz+tmXTOVNIVfm+MKoDbN+kLAceLLgcSgGVmiFUwx+c+zcY FC5L7IfKDwsbAqBAksQ6Yk4y6gVTtG7esgGKTU3o4wPt/TCtdh7fXxpDmSXhFJi3Bw Kl/hP7XfTv20AtEEn1vfEgbgmh0TP1GMTkIYJCyc2fj8xglrmb7uH0HSgWlIvPW1hs 0JVk6V2QLP11QJAhxWozOh2KbEDeTmrhvjmD9vr3tN+BuEVLNBd4z2R4eRiUzgspV2 JMLAk7RMMJROoinzwI+5QqxR8KTz4imQSg2wN1KdiSdw/s9IKfGV5i9pH0tdES+VH2 yz/w/e4tN1+PA== From: Pratyush Yadav To: Alexander Graf , Mike Rapoport , Pasha Tatashin , Pratyush Yadav , Hugh Dickins , Baolin Wang , Andrew Morton Cc: Jason Gunthorpe , Samiullah Khawaja , kexec@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH 2/2] mm: memfd_luo: preserve file seals Date: Fri, 23 Jan 2026 10:58:51 +0100 Message-ID: <20260123095854.535058-3-pratyush@kernel.org> X-Mailer: git-send-email 2.52.0.457.g6b5491de43-goog In-Reply-To: <20260123095854.535058-1-pratyush@kernel.org> References: <20260123095854.535058-1-pratyush@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: "Pratyush Yadav (Google)" File seals are used on memfd for making shared memory communication with untrusted peers safer and simpler. Seals provide a guarantee that certain operations won't be allowed on the file such as writes or truncations. Maintaining these guarantees across a live update will help keeping such use cases secure. These guarantees will also be needed for IOMMUFD preservation with LUO. Normally when IOMMUFD maps a memfd, it pins all its pages to make sure any truncation operations on the memfd don't lead to IOMMUFD using freed memory. This doesn't work with LUO since the preserved memfd might have completely different pages after a live update, and mapping them back to the IOMMUFD will cause all sorts of problems. Using and preserving the seals allows IOMMUFD preservation logic to trust the memfd. Preserve the seals by introducing a new 8-bit-wide bitfield. There are currently only 6 possible seals but 2 extra bits are used to provide room for future expansion. Since the seals are UAPI, it is safe to use them directly in the ABI. Back the 8-bit field with a u64, leaving 56 unused bits. This is done to keep the struct nice and aligned. The unused bits can be used to add new flags later, potentially without even needing to bump the version number. Since the serialization structure is changed, bump the version number to "memfd-v2". Signed-off-by: Pratyush Yadav (Google) --- include/linux/kho/abi/memfd.h | 9 ++++++++- mm/memfd_luo.c | 23 +++++++++++++++++++++-- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/include/linux/kho/abi/memfd.h b/include/linux/kho/abi/memfd.h index 68cb6303b846..bd549c81f1d2 100644 --- a/include/linux/kho/abi/memfd.h +++ b/include/linux/kho/abi/memfd.h @@ -60,6 +60,11 @@ struct memfd_luo_folio_ser { * struct memfd_luo_ser - Main serialization structure for a memfd. * @pos: The file's current position (f_pos). * @size: The total size of the file in bytes (i_size). + * @seals: The seals present on the memfd. The seals are UAPI so it is= safe + * to directly use them in the ABI. Note: currently there are 6 + * seals possible but this field is 8 bits to leave room for f= uture + * expansion. + * @__reserved: Reserved bits. May be used later to add more flags. * @nr_folios: Number of folios in the folios array. * @folios: KHO vmalloc descriptor pointing to the array of * struct memfd_luo_folio_ser. @@ -67,11 +72,13 @@ struct memfd_luo_folio_ser { struct memfd_luo_ser { u64 pos; u64 size; + u64 seals:8; + u64 __reserved:56; u64 nr_folios; struct kho_vmalloc folios; } __packed; =20 /* The compatibility string for memfd file handler */ -#define MEMFD_LUO_FH_COMPATIBLE "memfd-v1" +#define MEMFD_LUO_FH_COMPATIBLE "memfd-v2" =20 #endif /* _LINUX_KHO_ABI_MEMFD_H */ diff --git a/mm/memfd_luo.c b/mm/memfd_luo.c index a34fccc23b6a..eb68e0b5457f 100644 --- a/mm/memfd_luo.c +++ b/mm/memfd_luo.c @@ -79,6 +79,8 @@ #include #include #include +#include + #include "internal.h" =20 static int memfd_luo_preserve_folios(struct file *file, @@ -222,7 +224,7 @@ static int memfd_luo_preserve(struct liveupdate_file_op= _args *args) struct memfd_luo_folio_ser *folios_ser; struct memfd_luo_ser *ser; u64 nr_folios; - int err =3D 0; + int err =3D 0, seals; =20 inode_lock(inode); shmem_freeze(inode, true); @@ -234,8 +236,15 @@ static int memfd_luo_preserve(struct liveupdate_file_o= p_args *args) goto err_unlock; } =20 + seals =3D memfd_get_seals(args->file); + if (seals < 0) { + err =3D seals; + goto err_free_ser; + } + ser->pos =3D args->file->f_pos; ser->size =3D i_size_read(inode); + ser->seals =3D seals; =20 err =3D memfd_luo_preserve_folios(args->file, &ser->folios, &folios_ser, &nr_folios); @@ -444,13 +453,23 @@ static int memfd_luo_retrieve(struct liveupdate_file_= op_args *args) if (!ser) return -EINVAL; =20 - file =3D memfd_alloc_file("", 0); + /* + * The seals are preserved. Allow sealing here so they can be added + * later. + */ + file =3D memfd_alloc_file("", MFD_ALLOW_SEALING); if (IS_ERR(file)) { pr_err("failed to setup file: %pe\n", file); err =3D PTR_ERR(file); goto free_ser; } =20 + err =3D memfd_add_seals(file, ser->seals); + if (err) { + pr_err("failed to add seals: %pe\n", ERR_PTR(err)); + goto put_file; + } + vfs_setpos(file, ser->pos, MAX_LFS_FILESIZE); file->f_inode->i_size =3D ser->size; =20 --=20 2.52.0.457.g6b5491de43-goog