On Fri, 2023-05-12 at 16:50 -0700, Sean Christopherson wrote:
> Assert that IRQs are disabled when turning off virtualization in an
> emergency. KVM enables hardware via on_each_cpu(), i.e. could re-enable
> hardware if a pending IPI were delivered after disabling virtualization.
>
> Remove a misleading comment from emergency_reboot_disable_virtualization()
> about "just" needing to guarantee the CPU is stable (see above).
>
> Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
Reviewed-by: Kai Huang <kai.huang@xxxxxxxxx>
> ---
> arch/x86/kernel/reboot.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
> index 20f7bdabc52e..fddfea5f1d20 100644
> --- a/arch/x86/kernel/reboot.c
> +++ b/arch/x86/kernel/reboot.c
> @@ -531,7 +531,6 @@ static inline void nmi_shootdown_cpus_on_restart(void);
>
> static void emergency_reboot_disable_virtualization(void)
> {
> - /* Just make sure we won't change CPUs while doing this */
> local_irq_disable();
>
> /*
> @@ -820,6 +819,13 @@ void cpu_emergency_disable_virtualization(void)
> {
> cpu_emergency_virt_cb *callback;
>
> + /*
> + * IRQs must be disabled as KVM enables virtualization in hardware via
> + * function call IPIs, i.e. IRQs need to be disabled to guarantee
> + * virtualization stays disabled.
> + */
> + lockdep_assert_irqs_disabled();
> +
> rcu_read_lock();
> callback = rcu_dereference(cpu_emergency_virt_callback);
> if (callback)
> --
> 2.40.1.606.ga4b1b128d6-goog
>
