On Mon, Jul 24, 2023, Peter Zijlstra wrote:
> On Fri, Jul 21, 2023 at 01:18:45PM -0700, Sean Christopherson wrote:
> > Assert that IRQs are disabled when turning off virtualization in an
> > emergency. KVM enables hardware via on_each_cpu(), i.e. could re-enable
> > hardware if a pending IPI were delivered after disabling virtualization.
> >
> > Remove a misleading comment from emergency_reboot_disable_virtualization()
> > about "just" needing to guarantee the CPU is stable (see above).
> >
> > Reviewed-by: Kai Huang <kai.huang@xxxxxxxxx>
> > Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
> > ---
> > arch/x86/kernel/reboot.c | 8 +++++++-
> > 1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
> > index 48ad2d1ff83d..4cad7183b89e 100644
> > --- a/arch/x86/kernel/reboot.c
> > +++ b/arch/x86/kernel/reboot.c
> > @@ -532,7 +532,6 @@ static inline void nmi_shootdown_cpus_on_restart(void);
> >
> > static void emergency_reboot_disable_virtualization(void)
> > {
> > - /* Just make sure we won't change CPUs while doing this */
> > local_irq_disable();
> >
> > /*
> > @@ -821,6 +820,13 @@ void cpu_emergency_disable_virtualization(void)
> > {
> > cpu_emergency_virt_cb *callback;
> >
> > + /*
> > + * IRQs must be disabled as KVM enables virtualization in hardware via
> > + * function call IPIs, i.e. IRQs need to be disabled to guarantee
> > + * virtualization stays disabled.
> > + */
> > + lockdep_assert_irqs_disabled();
> > +
> > rcu_read_lock();
> > callback = rcu_dereference(cpu_emergency_virt_callback);
> > if (callback)
>
> Strictly speaking you don't need rcu_read_lock() when IRQs are already
> disabled, but since this is non-performance critical code, it might be
> best to keep it super obvious. IOW, carry on.
Ha! IIRC, I even had a patch to drop the explicit rcu_read_lock(), but decided
I didn't want to tie the use of cpu_emergency_virt_callback to KVM's behavior of
enabling virtualization via IPIs.
