vmm: fix kicking vCPU out of KVM_RUN from signal handler

A common scenario for a VMM to regain control over the vCPU thread from
the hypervisor is to interrupt the vCPU. A use-case might be the `pause`
API call of CHV.

VMMs using KVM as hypervisor must use signals for this interception, i.e., a
thread sends a signal to the vCPU thread. Sending and handling these signals
is inherently racy because the signal sender does not know if the receiving
thread is currently in the RUN_VCPU [0] call, or executing userspace VMM
code.

If we are in kernel space in KVM_RUN, things are easy as KVM just exits with
-EINTR. For user-space this is more complicated. For example, it might
happen that we receive a signal but the vCPU thread was about to go into the
KVM_RUN system call as next instruction. There is no more opportunity to
check for any pending signal flag or similar.

KVM offers the `immediate_exit` flag [1] as part of the KVM_RUN structure
for that. The signal handler of a vCPU is supposed to set this flag, to
ensure that we do not miss any events. If the flag is set, KVM_RUN will
exit immediately [2].

We will miss signals to the vCPU if the vCPU thread is in userspace VMM
code and we do not use the `immediate_exit` flag.

We must have access to the KVM_RUN data structure when the signal
handler executes in a vCPU thread's context and set the
`immediate_exit` [1] flag. This way, the next invocation of KVM_RUN
exits immediately and the userspace VMM code can do the normal event
handling.

We must not use any shared locks between the normal vCPU thread VMM
code and the signal handler, as otherwise we might end up in deadlocks.

The signal handler therefore needs its dedicated mutable version of
KVM_RUN.

This commit introduces a (very hacky but good enough for a PoC) solution
to this problem.

[0] https://docs.kernel.org/virt/kvm/api.html#kvm-run
[1] https://docs.kernel.org/virt/kvm/api.html#the-kvm-run-structure
[2] https://elixir.bootlin.com/linux/v6.12/source/arch/x86/kvm/x86.c#L11566

Author: phip1611

Cargo.lock

@@ -52,6 +52,7 @@ linux-loader = { workspace = true, features = ["bzimage", "elf", "pe"] }
 log = "0.4.22"
 # Special fork of micro_http that combines HTTP traffic over a UNIX domain
 # socket with UNIX' SCM_RIGHTS mechanism for transferring file descriptors.
+kvm-bindings = "0.10.0"
 micro_http = { git = "https://github.com/firecracker-microvm/micro-http", branch = "main" }
 mshv-bindings = { workspace = true, features = [
   "fam-wrappers",

vmm/Cargo.toml

@@ -11,16 +11,15 @@
 // SPDX-License-Identifier: Apache-2.0 AND BSD-3-Clause
 //
 
+use std::cell::Cell;
 use std::collections::BTreeMap;
 #[cfg(all(target_arch = "x86_64", feature = "guest_debug"))]
 use std::io::Write;
 #[cfg(all(target_arch = "x86_64", feature = "guest_debug"))]
 use std::mem::size_of;
-#[cfg(feature = "kvm")]
-use std::os::fd::RawFd;
 use std::os::unix::thread::JoinHandleExt;
 use std::sync::atomic::{AtomicBool, Ordering};
-use std::sync::{Arc, Barrier, Mutex};
+use std::sync::{Arc, Barrier, Mutex, RwLock};
 use std::{cmp, io, result, thread};
 
 #[cfg(not(target_arch = "riscv64"))]
@@ -75,6 +74,8 @@ use vm_migration::{
 use vmm_sys_util::eventfd::EventFd;
 use vmm_sys_util::signal::{register_signal_handler, SIGRTMIN};
 use zerocopy::{FromBytes, Immutable, IntoBytes};
+#[cfg(feature = "kvm")]
+use {kvm_bindings::kvm_run, std::os::fd::RawFd};
 
 #[cfg(all(target_arch = "x86_64", feature = "guest_debug"))]
 use crate::coredump::{
@@ -92,6 +93,16 @@ use crate::vm::physical_bits;
 use crate::vm_config::CpusConfig;
 use crate::{GuestMemoryMmap, CPU_MANAGER_SNAPSHOT_ID};
 
+#[cfg(feature = "kvm")]
+thread_local! {
+    static KVM_RUN: Cell<*mut kvm_run> = const {Cell::new(core::ptr::null_mut())};
+}
+#[cfg(feature = "kvm")]
+/// Tell signal handler to not access certain stuff anymore during shutdown.
+/// Otherwise => panics.
+/// Better alternative would be to prevent signals there at all.
+pub static IS_IN_SHUTDOWN: RwLock<bool> = RwLock::new(false);
+
 #[cfg(all(target_arch = "aarch64", feature = "guest_debug"))]
 /// Extract the specified bits of a 64-bit integer.
 /// For example, to extrace 2 bits from offset 1 (zero based) of `6u64`,
@@ -991,6 +1002,28 @@ impl CpuManager {
         vcpu_thread_barrier: Arc<Barrier>,
         inserting: bool,
     ) -> Result<()> {
+        {
+            #[cfg(feature = "kvm")]
+            {
+                let raw_kvm_fd = vcpu.lock().unwrap().get_kvm_vcpu_raw_fd();
+
+                // SAFETY: We know the FD is valid and have the proper args.
+                let buffer = unsafe {
+                    libc::mmap(
+                        core::ptr::null_mut(),
+                        4096,
+                        libc::PROT_WRITE | libc::PROT_READ,
+                        libc::MAP_SHARED,
+                        raw_kvm_fd,
+                        0,
+                    )
+                };
+                assert_ne!(buffer, libc::MAP_FAILED);
+                let kvm_run = buffer.cast::<kvm_run>();
+                KVM_RUN.set(kvm_run);
+            }
+        }
+
         let reset_evt = self.reset_evt.try_clone().unwrap();
         let exit_evt = self.exit_evt.try_clone().unwrap();
         #[cfg(feature = "kvm")]
@@ -1069,7 +1102,29 @@ impl CpuManager {
                             return;
                         }
                     }
+
+                    #[cfg(not(feature = "kvm"))]
                     extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {}
+                    #[cfg(feature = "kvm")]
+                    extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {
+                        // Accessing the thread local panics for signals that are received in the shutdown phase.
+                        // The more graceful way would be to prevent sending signals during that phase at all.
+                        let lock = IS_IN_SHUTDOWN.read().unwrap();
+                        if *lock {
+                            return;
+                        }
+
+                        let kvm_run = KVM_RUN.get();
+                        // SAFETY: We mapped the whole structure.
+                        let ptr_kvm_run_immediate_exit = unsafe { kvm_run.cast::<u8>().add(1) };
+                        // SAFETY: We know the mapping is valid.
+                        unsafe {
+                            core::ptr::write_volatile(ptr_kvm_run_immediate_exit, 1);
+                        }
+
+                        // TODO ::Release?
+                        std::sync::atomic::fence(Ordering::SeqCst);
+                    }
                     // This uses an async signal safe handler to kill the vcpu handles.
                     register_signal_handler(SIGRTMIN(), handle_signal)
                         .expect("Failed to register vcpu signal handler");

vmm/src/cpu.rs

@@ -46,6 +46,8 @@ use vm_migration::{Migratable, MigratableError, Pausable, Snapshot, Snapshottabl
 use vmm_sys_util::eventfd::EventFd;
 use vmm_sys_util::signal::unblock_signal;
 use vmm_sys_util::sock_ctrl_msg::ScmSocket;
+#[cfg(feature = "kvm")]
+use {crate::cpu::IS_IN_SHUTDOWN, std::sync::atomic::Ordering};
 
 use crate::api::{
     ApiRequest, ApiResponse, RequestHandler, VmInfoResponse, VmReceiveMigrationData,
@@ -1373,6 +1375,14 @@ impl Vmm {
         vm.release_disk_locks()
             .map_err(|e| MigratableError::UnlockError(anyhow!("{e}")))?;
 
+        #[cfg(feature = "kvm")]
+        // Prevent signal handler to access thread local storage when signals are received
+        // close to the end when thread-local storage is already destroyed.
+        {
+            let mut lock = IS_IN_SHUTDOWN.write().unwrap();
+            *lock = true;
+        }
+
         // Capture snapshot and send it
         let vm_snapshot = vm.snapshot()?;
         let snapshot_data = serde_json::to_vec(&vm_snapshot).unwrap();