quoted

+struct liveupdate_file_ops {
+     int (*prepare)(struct file *file, void *arg, u64 *data);
+     int (*freeze)(struct file *file, void *arg, u64 *data);
+     void (*cancel)(struct file *file, void *arg, u64 data);
+     void (*finish)(struct file *file, void *arg, u64 data, bool reclaimed);
+     int (*retrieve)(void *arg, u64 data, struct file **file);
+     bool (*can_preserve)(struct file *file, void *arg);
+};

ops structures often have an owner = THIS_MODULE

Added here, and to subsystems.

It wouldn't hurt to add it here too, and some appropriate module_get's
though I didn't try to figure what happens if userspace races a module
unload with other luo operations.

I added try_module_get()/module_put() to register/unregister functions.

quoted

+
+/**
+ * struct liveupdate_file_handler - Represents a handler for a live-updatable
+ * file type.
+ * @ops:           Callback functions
+ * @compatible:    The compatibility string (e.g., "memfd-v1", "vfiofd-v1")
+ *                 that uniquely identifies the file type this handler supports.
+ *                 This is matched against the compatible string associated with
+ *                 individual &struct liveupdate_file instances.
+ * @arg:           An opaque pointer to implementation-specific context data
+ *                 associated with this file handler registration.

Why? This is not the normal way, if you want context data then
allocate a struct driver_liveupdate_file_handler and embed a normal
struct liveupdate_file_handler inside it, then use container_of.

Good point. I removed arg, and added handler as an argument to the
callback functions.

quoted

+     fdt_for_each_subnode(file_node_offset, luo_file_fdt_in, 0) {
+             bool handler_found = false;
+             u64 token;
+
+             node_name = fdt_get_name(luo_file_fdt_in, file_node_offset,
+                                      NULL);
+             if (!node_name) {
+                     panic("FDT subnode at offset %d: Cannot get name\n",
+                           file_node_offset);

I think this approach will raise lots of questions..

I'd introduce a new function "luo_deserialize_failure" that does panic
internally.

Only called by places that are parsing the FDT & related but run into
trouble that cannot be savely recovered from.

Agreed. I added a new macro in luo_internal.h:

 11 /*
 12  * Handles a deserialization failure: devices and memory is in
unpredictable
 13  * state.
 14  *
 15  * Continuing the boot process after a failure is dangerous
because it could
 16  * lead to leaks of private data.
 17  */
 18 #define luo_restore_fail(__fmt, ...) panic(__fmt, ##__VA_ARGS__)

And use it in places where we panic during deserialization.

Pasha