vmm: fix kicking vCPU out of KVM_RUN from signal handler

phip1611 · phip1611 · commit c5c20b5e8ec6 · 2025-09-11T09:31:14.000+02:00
A common scenario for a VMM to regain control over the vCPU thread from the hypervisor is to interrupt the vCPU. A use-case might be the `pause` API call of CHV. VMMs using KVM as hypervisor must use signals for this interception, i.e., a thread sends a signal to the vCPU thread. Sending and handling these signals is inherently racy because the signal sender does not know if the receiving thread is currently in the RUN_VCPU [0] call, or executing userspace VMM code. If we are in kernel space in KVM_RUN, things are easy as KVM just exits with -EINTR. For user-space this is more complicated. For example, it might happen that we receive a signal but the vCPU thread was about to go into the KVM_RUN system call as next instruction. There is no more opportunity to check for any pending signal flag or similar. KVM offers the `immediate_exit` flag [1] as part of the KVM_RUN structure for that. The signal handler of a vCPU is supposed to set this flag, to ensure that we do not miss any events. If the flag is set, KVM_RUN will exit immediately [2]. We will miss signals to the vCPU if the vCPU thread is in userspace VMM code and we do not use the `immediate_exit` flag. We must have access to the KVM_RUN data structure when the signal handler executes in a vCPU thread's context and set the `immediate_exit` [1] flag. This way, the next invocation of KVM_RUN exits immediately and the userspace VMM code can do the normal event handling. We must not use any shared locks between the normal vCPU thread VMM code and the signal handler, as otherwise we might end up in deadlocks. The signal handler therefore needs its dedicated mutable version of KVM_RUN. This commit introduces a (very hacky but good enough for a PoC) solution to this problem. [0] https://docs.kernel.org/virt/kvm/api.html#kvm-run [1] https://docs.kernel.org/virt/kvm/api.html#the-kvm-run-structure [2] https://elixir.bootlin.com/linux/v6.12/source/arch/x86/kvm/x86.c#L11566
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/hypervisor/src/mshv/mod.rs b/hypervisor/src/mshv/mod.rs
@@ -1581,7 +1581,7 @@ impl cpu::Vcpu for MshvVcpu {
 
     #[cfg(feature = "kvm")]
     unsafe fn get_kvm_vcpu_raw_fd(&self) -> RawFd {
-        todo!()
+        unimplemented!()
     }
 }
 
diff --git a/vmm/Cargo.toml b/vmm/Cargo.toml
@@ -52,6 +52,7 @@ linux-loader = { workspace = true, features = ["bzimage", "elf", "pe"] }
 log = "0.4.22"
 # Special fork of micro_http that combines HTTP traffic over a UNIX domain
 # socket with UNIX' SCM_RIGHTS mechanism for transferring file descriptors.
+kvm-bindings = "0.10.0"
 micro_http = { git = "https://github.com/firecracker-microvm/micro-http", branch = "main" }
 mshv-bindings = { workspace = true, features = [
   "fam-wrappers",
diff --git a/vmm/src/cpu.rs b/vmm/src/cpu.rs
@@ -16,8 +16,6 @@ use std::collections::BTreeMap;
 use std::io::Write;
 #[cfg(all(target_arch = "x86_64", feature = "guest_debug"))]
 use std::mem::size_of;
-#[cfg(feature = "kvm")]
-use std::os::fd::RawFd;
 use std::os::unix::thread::JoinHandleExt;
 use std::sync::atomic::{AtomicBool, Ordering};
 use std::sync::{Arc, Barrier, Mutex};
@@ -75,6 +73,8 @@ use vm_migration::{
 use vmm_sys_util::eventfd::EventFd;
 use vmm_sys_util::signal::{register_signal_handler, SIGRTMIN};
 use zerocopy::{FromBytes, Immutable, IntoBytes};
+#[cfg(feature = "kvm")]
+use {kvm_bindings::kvm_run, std::cell::Cell, std::os::fd::RawFd, std::sync::RwLock};
 
 #[cfg(all(target_arch = "x86_64", feature = "guest_debug"))]
 use crate::coredump::{
@@ -92,6 +92,16 @@ use crate::vm::physical_bits;
 use crate::vm_config::CpusConfig;
 use crate::{GuestMemoryMmap, CPU_MANAGER_SNAPSHOT_ID};
 
+#[cfg(feature = "kvm")]
+thread_local! {
+    static KVM_RUN: Cell<*mut kvm_run> = const {Cell::new(core::ptr::null_mut())};
+}
+#[cfg(feature = "kvm")]
+/// Tell signal handler to not access certain stuff anymore during shutdown.
+/// Otherwise => panics.
+/// Better alternative would be to prevent signals there at all.
+pub static IS_IN_SHUTDOWN: RwLock<bool> = RwLock::new(false);
+
 #[cfg(all(target_arch = "aarch64", feature = "guest_debug"))]
 /// Extract the specified bits of a 64-bit integer.
 /// For example, to extrace 2 bits from offset 1 (zero based) of `6u64`,
@@ -1039,6 +1049,28 @@ impl CpuManager {
             thread::Builder::new()
                 .name(format!("vcpu{vcpu_id}"))
                 .spawn(move || {
+                    // init thread-local kvm_run structure
+                    #[cfg(feature = "kvm")]
+                    {
+                        let raw_kvm_fd = vcpu.lock().unwrap().get_kvm_vcpu_raw_fd();
+
+                        // SAFETY: We know the FD is valid and have the proper args.
+                        let buffer = unsafe {
+                            libc::mmap(
+                                core::ptr::null_mut(),
+                                4096,
+                                libc::PROT_WRITE | libc::PROT_READ,
+                                libc::MAP_SHARED,
+                                raw_kvm_fd,
+                                0,
+                            )
+                        };
+                        assert!(!buffer.is_null());
+                        assert_ne!(buffer, libc::MAP_FAILED);
+                        let kvm_run = buffer.cast::<kvm_run>();
+                        KVM_RUN.set(kvm_run);
+                    }
+
                     // Schedule the thread to run on the expected CPU set
                     if let Some(cpuset) = cpuset.as_ref() {
                         // SAFETY: FFI call with correct arguments
@@ -1069,7 +1101,37 @@ impl CpuManager {
                             return;
                         }
                     }
+
+                    #[cfg(not(feature = "kvm"))]
                     extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {}
+                    #[cfg(feature = "kvm")]
+                    extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {
+                        // This lock prevents accessing thread locals when a signal is received
+                        // in the teardown phase of the Rust standard library. Otherwise, we would
+                        // panic.
+                        //
+                        // Masking signals would be a nicer approach but this is the pragmatic
+                        // solution.
+                        //
+                        // We don't have lock contention in normal operation. When the writer
+                        // sets the bool to true, the lock is only held for a couple of µs.
+                        let lock = IS_IN_SHUTDOWN.read().unwrap();
+                        if *lock {
+                            return;
+                        }
+
+                        let kvm_run = KVM_RUN.get();
+                        assert!(!kvm_run.is_null(), "kvm_run should have been mapped as part of vCPU setup");
+                        // SAFETY: We mapped the whole structure.
+                        let ptr_kvm_run_immediate_exit = unsafe { kvm_run.cast::<u8>().add(1) };
+                        // SAFETY: We know the mapping is valid.
+                        unsafe {
+                            core::ptr::write_volatile(ptr_kvm_run_immediate_exit, 1);
+                        }
+
+                        // TODO ::Release?
+                        std::sync::atomic::fence(Ordering::SeqCst);
+                    }
                     // This uses an async signal safe handler to kill the vcpu handles.
                     register_signal_handler(SIGRTMIN(), handle_signal)
                         .expect("Failed to register vcpu signal handler");
diff --git a/vmm/src/lib.rs b/vmm/src/lib.rs
@@ -54,6 +54,8 @@ use crate::api::{
 use crate::config::{add_to_config, RestoreConfig};
 #[cfg(all(target_arch = "x86_64", feature = "guest_debug"))]
 use crate::coredump::GuestDebuggable;
+#[cfg(feature = "kvm")]
+use crate::cpu::IS_IN_SHUTDOWN;
 use crate::landlock::Landlock;
 use crate::memory_manager::MemoryManager;
 #[cfg(all(feature = "kvm", target_arch = "x86_64"))]
@@ -1373,6 +1375,14 @@ impl Vmm {
         vm.release_disk_locks()
             .map_err(|e| MigratableError::UnlockError(anyhow!("{e}")))?;
 
+        #[cfg(feature = "kvm")]
+        // Prevent signal handler to access thread local storage when signals are received
+        // close to the end when thread-local storage is already destroyed.
+        {
+            let mut lock = IS_IN_SHUTDOWN.write().unwrap();
+            *lock = true;
+        }
+
         // Capture snapshot and send it
         let vm_snapshot = vm.snapshot()?;
         let snapshot_data = serde_json::to_vec(&vm_snapshot).unwrap();

Original file line number	Diff line number	Diff line change
`@@ -1581,7 +1581,7 @@ impl cpu::Vcpu for MshvVcpu {`
`1581`	`1581`
`1582`	`1582`	`#[cfg(feature = "kvm")]`
`1583`	`1583`	`unsafe fn get_kvm_vcpu_raw_fd(&self) -> RawFd {`
`1584`		`- todo!()`
	`1584`	`+ unimplemented!()`
`1585`	`1585`	`}`
`1586`	`1586`	`}`
`1587`	`1587`