Hi Will, On 9/21/20 2:43 PM, Will Deacon wrote: > On Wed, Aug 19, 2020 at 02:34:17PM +0100, Alexandru Elisei wrote: >> From: Julien Thierry <julien.thierry@xxxxxxx> >> >> kvm_vcpu_kick() is not NMI safe. When the overflow handler is called from >> NMI context, defer waking the vcpu to an irq_work queue. >> >> Cc: Julien Thierry <julien.thierry.kdev@xxxxxxxxx> >> Cc: Marc Zyngier <marc.zyngier@xxxxxxx> >> Cc: Will Deacon <will.deacon@xxxxxxx> >> Cc: Mark Rutland <mark.rutland@xxxxxxx> >> Cc: Catalin Marinas <catalin.marinas@xxxxxxx> >> Cc: James Morse <james.morse@xxxxxxx> >> Cc: Suzuki K Pouloze <suzuki.poulose@xxxxxxx> >> Cc: kvm@xxxxxxxxxxxxxxx >> Cc: kvmarm@xxxxxxxxxxxxxxxxxxxxx >> Signed-off-by: Julien Thierry <julien.thierry@xxxxxxx> >> Signed-off-by: Alexandru Elisei <alexandru.elisei@xxxxxxx> >> --- >> arch/arm64/kvm/pmu-emul.c | 25 ++++++++++++++++++++++++- >> include/kvm/arm_pmu.h | 1 + >> 2 files changed, 25 insertions(+), 1 deletion(-) > I'd like an Ack from the KVM side on this one, but some minor comments > inline. > >> diff --git a/arch/arm64/kvm/pmu-emul.c b/arch/arm64/kvm/pmu-emul.c >> index f0d0312c0a55..30268397ed06 100644 >> --- a/arch/arm64/kvm/pmu-emul.c >> +++ b/arch/arm64/kvm/pmu-emul.c >> @@ -433,6 +433,22 @@ void kvm_pmu_sync_hwstate(struct kvm_vcpu *vcpu) >> kvm_pmu_update_state(vcpu); >> } >> >> +/** >> + * When perf interrupt is an NMI, we cannot safely notify the vcpu corresponding >> + * to the event. >> + * This is why we need a callback to do it once outside of the NMI context. >> + */ >> +static void kvm_pmu_perf_overflow_notify_vcpu(struct irq_work *work) >> +{ >> + struct kvm_vcpu *vcpu; >> + struct kvm_pmu *pmu; >> + >> + pmu = container_of(work, struct kvm_pmu, overflow_work); >> + vcpu = kvm_pmc_to_vcpu(&pmu->pmc[0]); > Can you spell this kvm_pmc_to_vcpu(pmu->pmc); ? Of course, that is much better. > >> + >> + kvm_vcpu_kick(vcpu); > How do we guarantee that the vCPU is still around by the time this runs? > Sorry to ask such a horrible question, but I don't see anything associating > the workqueue with the lifetime of the vCPU. That's a very nice catch, indeed the code doesn't guarantee that the VM is still around when the work is executed. I will add an irq_work_sync() call to kvm_pmu_vcpu_destroy() (which is called by kvm_vcpu_destroy() -> kvm_arch_vcpu_destroy()), and to kvm_pmu_vcpu_reset(), similar to how x86 handles it. Thanks, Alex