diff mbox series

[kvmtool,1/2] cpu: vmexit: Handle KVM_EXIT_UNKNOWN exit reason correctly

Message ID 20250211073852.571625-1-aneesh.kumar@kernel.org (mailing list archive)
State New
Headers show
Series [kvmtool,1/2] cpu: vmexit: Handle KVM_EXIT_UNKNOWN exit reason correctly | expand

Commit Message

Aneesh Kumar K.V Feb. 11, 2025, 7:38 a.m. UTC 
The return value for the KVM_RUN ioctl is confusing and has led to
errors in different kernel exit handlers. A return value of 0 indicates
a return to the VMM, whereas a return value of 1 indicates resuming
execution in the guest. Some handlers mistakenly return 0 to force a
return to the guest.

This worked in kvmtool because the exit_reason defaulted to
0 (KVM_EXIT_UNKNOWN), and kvmtool did not error out on an unknown exit
reason. However, forcing a KVM panic on an unknown exit reason would
help catch these bugs early.

Signed-off-by: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>
---
 kvm-cpu.c | 1 +
 1 file changed, 1 insertion(+)


base-commit: 6d754d01fe2cb366f3b636d8a530f46ccf3b10d8

Comments

Will Deacon Feb. 11, 2025, 11:47 a.m. UTC | #1 
On Tue, Feb 11, 2025 at 01:08:51PM +0530, Aneesh Kumar K.V (Arm) wrote:
> The return value for the KVM_RUN ioctl is confusing and has led to
> errors in different kernel exit handlers. A return value of 0 indicates
> a return to the VMM, whereas a return value of 1 indicates resuming
> execution in the guest. Some handlers mistakenly return 0 to force a
> return to the guest.

Oops. Did any of those broken handlers reach mainline?

> This worked in kvmtool because the exit_reason defaulted to
> 0 (KVM_EXIT_UNKNOWN), and kvmtool did not error out on an unknown exit
> reason. However, forcing a KVM panic on an unknown exit reason would
> help catch these bugs early.
> 
> Signed-off-by: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>
> ---
>  kvm-cpu.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/kvm-cpu.c b/kvm-cpu.c
> index f66dcd07220c..66e30ba54e26 100644
> --- a/kvm-cpu.c
> +++ b/kvm-cpu.c
> @@ -170,6 +170,7 @@ int kvm_cpu__start(struct kvm_cpu *cpu)
>  
>  		switch (cpu->kvm_run->exit_reason) {
>  		case KVM_EXIT_UNKNOWN:
> +			goto panic_kvm;
>  			break;

The break is no longer needed.

Will
Alexandru Elisei Feb. 11, 2025, 12:12 p.m. UTC | #2 
Hi,

On Tue, Feb 11, 2025 at 01:08:51PM +0530, Aneesh Kumar K.V (Arm) wrote:
> The return value for the KVM_RUN ioctl is confusing and has led to
> errors in different kernel exit handlers. A return value of 0 indicates
> a return to the VMM, whereas a return value of 1 indicates resuming
> execution in the guest. Some handlers mistakenly return 0 to force a
> return to the guest.

I find this paragraph confusing. KVM_RUN, as per the documentation, returns 0 or
-1 (on error). As far as I can tell, at least on arm64, KVM_RUN can never return
1.

Are you referring to the loop in kvm_arch_vcpu_ioctl_run() by any chance? That's
the only place I found where a value of 1 from the handlers signifies return to
the guest.

> 
> This worked in kvmtool because the exit_reason defaulted to
> 0 (KVM_EXIT_UNKNOWN), and kvmtool did not error out on an unknown exit
> reason. However, forcing a KVM panic on an unknown exit reason would
> help catch these bugs early.

I would hope that a VMM cannot force KVM to panic at will, which will bring down
the host. Are you referring to kvmtool exiting with an error? That's what the
unfortunately named 'panic_kvm' label seems to be doing.

Thanks,
Alex

> 
> Signed-off-by: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>
> ---
>  kvm-cpu.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/kvm-cpu.c b/kvm-cpu.c
> index f66dcd07220c..66e30ba54e26 100644
> --- a/kvm-cpu.c
> +++ b/kvm-cpu.c
> @@ -170,6 +170,7 @@ int kvm_cpu__start(struct kvm_cpu *cpu)
>  
>  		switch (cpu->kvm_run->exit_reason) {
>  		case KVM_EXIT_UNKNOWN:
> +			goto panic_kvm;
>  			break;
>  		case KVM_EXIT_DEBUG:
>  			kvm_cpu__show_registers(cpu);
> 
> base-commit: 6d754d01fe2cb366f3b636d8a530f46ccf3b10d8
> -- 
> 2.43.0
> 
>
Aneesh Kumar K.V Feb. 11, 2025, 4:58 p.m. UTC | #3 
Will Deacon <will@kernel.org> writes:

> On Tue, Feb 11, 2025 at 01:08:51PM +0530, Aneesh Kumar K.V (Arm) wrote:
>> The return value for the KVM_RUN ioctl is confusing and has led to
>> errors in different kernel exit handlers. A return value of 0 indicates
>> a return to the VMM, whereas a return value of 1 indicates resuming
>> execution in the guest. Some handlers mistakenly return 0 to force a
>> return to the guest.
>
> Oops. Did any of those broken handlers reach mainline?
>

Not that I noticed. We do have patches in review.

https://lore.kernel.org/all/20241212155610.76522-18-steven.price@arm.com


>> This worked in kvmtool because the exit_reason defaulted to
>> 0 (KVM_EXIT_UNKNOWN), and kvmtool did not error out on an unknown exit
>> reason. However, forcing a KVM panic on an unknown exit reason would
>> help catch these bugs early.
>> 
>> Signed-off-by: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>
>> ---
>>  kvm-cpu.c | 1 +
>>  1 file changed, 1 insertion(+)
>> 
>> diff --git a/kvm-cpu.c b/kvm-cpu.c
>> index f66dcd07220c..66e30ba54e26 100644
>> --- a/kvm-cpu.c
>> +++ b/kvm-cpu.c
>> @@ -170,6 +170,7 @@ int kvm_cpu__start(struct kvm_cpu *cpu)
>>  
>>  		switch (cpu->kvm_run->exit_reason) {
>>  		case KVM_EXIT_UNKNOWN:
>> +			goto panic_kvm;
>>  			break;
>
> The break is no longer needed.
>

ok.

-aneesh
Aneesh Kumar K.V Feb. 11, 2025, 5:04 p.m. UTC | #4 
Alexandru Elisei <alexandru.elisei@arm.com> writes:

> Hi,
>
> On Tue, Feb 11, 2025 at 01:08:51PM +0530, Aneesh Kumar K.V (Arm) wrote:
>> The return value for the KVM_RUN ioctl is confusing and has led to
>> errors in different kernel exit handlers. A return value of 0 indicates
>> a return to the VMM, whereas a return value of 1 indicates resuming
>> execution in the guest. Some handlers mistakenly return 0 to force a
>> return to the guest.
>
> I find this paragraph confusing. KVM_RUN, as per the documentation, returns 0 or
> -1 (on error). As far as I can tell, at least on arm64, KVM_RUN can never return
> 1.
>
> Are you referring to the loop in kvm_arch_vcpu_ioctl_run() by any chance? That's
> the only place I found where a value of 1 from the handlers signifies return to
> the guest.
>

Yes. I will update the commit message to reflect that. It is the exit
handler return value rather than KVM_RUN ioctl return value.

>
>> 
>> This worked in kvmtool because the exit_reason defaulted to
>> 0 (KVM_EXIT_UNKNOWN), and kvmtool did not error out on an unknown exit
>> reason. However, forcing a KVM panic on an unknown exit reason would
>> help catch these bugs early.
>
> I would hope that a VMM cannot force KVM to panic at will, which will bring down
> the host. Are you referring to kvmtool exiting with an error? That's what the
> unfortunately named 'panic_kvm' label seems to be doing.
>

yes. I will update the commit message to indicate that for
KVM_EXIT_UNKNOWN exit reason, kvmtool will now exit with an error
instead of returning to the guest."

-aneesh
diff mbox series

Patch

diff --git a/kvm-cpu.c b/kvm-cpu.c
index f66dcd07220c..66e30ba54e26 100644
--- a/kvm-cpu.c
+++ b/kvm-cpu.c
@@ -170,6 +170,7 @@  int kvm_cpu__start(struct kvm_cpu *cpu)
 
 		switch (cpu->kvm_run->exit_reason) {
 		case KVM_EXIT_UNKNOWN:
+			goto panic_kvm;
 			break;
 		case KVM_EXIT_DEBUG:
 			kvm_cpu__show_registers(cpu);