Handle VMs misbehaving.
If a VM accesses memory it is not allowed to or otherwise triggers and
unhandled exception it will be aborted such that none of the vCPUs can
be run again.
The VM remains unchanged from the point of view of other VMs other than
it will not make any further progress.
Change-Id: I352e1c714f1e4b1b43185269f92e7fa41e09a4db
diff --git a/inc/hf/api.h b/inc/hf/api.h
index e9ffe88..2d956ef 100644
--- a/inc/hf/api.h
+++ b/inc/hf/api.h
@@ -27,7 +27,7 @@
int64_t api_vm_get_count(void);
int64_t api_vcpu_get_count(uint32_t vm_id, const struct vcpu *current);
struct hf_vcpu_run_return api_vcpu_run(uint32_t vm_id, uint32_t vcpu_idx,
- const struct vcpu *current,
+ struct vcpu *current,
struct vcpu **next);
int64_t api_vm_configure(ipaddr_t send, ipaddr_t recv, struct vcpu *current,
struct vcpu **next);
@@ -45,6 +45,7 @@
struct vcpu *api_preempt(struct vcpu *current);
struct vcpu *api_yield(struct vcpu *current);
struct vcpu *api_wait_for_interrupt(struct vcpu *current);
+struct vcpu *api_abort(struct vcpu *current);
int64_t api_interrupt_enable(uint32_t intid, bool enable, struct vcpu *current);
uint32_t api_interrupt_get(struct vcpu *current);
diff --git a/inc/hf/cpu.h b/inc/hf/cpu.h
index 10bb01f..865713f 100644
--- a/inc/hf/cpu.h
+++ b/inc/hf/cpu.h
@@ -45,6 +45,9 @@
/** The vcpu is waiting for an interrupt. */
vcpu_state_blocked_interrupt,
+
+ /** The vcpu has aborted. */
+ vcpu_state_aborted,
};
struct interrupts {
diff --git a/inc/hf/vm.h b/inc/hf/vm.h
index c29b6bc..be49524 100644
--- a/inc/hf/vm.h
+++ b/inc/hf/vm.h
@@ -16,6 +16,8 @@
#pragma once
+#include <stdatomic.h>
+
#include "hf/cpu.h"
#include "hf/list.h"
#include "hf/mm.h"
@@ -83,6 +85,8 @@
/** Wait entries to be used when waiting on other VM mailboxes. */
struct wait_entry wait_entries[MAX_VMS];
+
+ atomic_bool aborting;
};
/** Encapsulates a VM whose lock is held. */
diff --git a/inc/vmapi/hf/abi.h b/inc/vmapi/hf/abi.h
index 4716f01..39d6fb6 100644
--- a/inc/vmapi/hf/abi.h
+++ b/inc/vmapi/hf/abi.h
@@ -24,14 +24,14 @@
* scheduling quantum has not expired, the scheduler MUST call
* `hf_vcpu_run` on the vCPU to allow it to continue.
*/
- HF_VCPU_RUN_PREEMPTED,
+ HF_VCPU_RUN_PREEMPTED = 0,
/**
* The vCPU has voluntarily yielded the CPU. The scheduler SHOULD take a
* scheduling decision to give cycles to those that need them but MUST
* call `hf_vcpu_run` on the vCPU at a later point.
*/
- HF_VCPU_RUN_YIELD,
+ HF_VCPU_RUN_YIELD = 1,
/**
* The vCPU is blocked waiting for an interrupt. The scheduler MUST take
@@ -39,7 +39,7 @@
* has injected an interrupt, sent it a message, or got a
* `HF_VCPU_RUN_WAKE_UP` for it from another vCPU.
*/
- HF_VCPU_RUN_WAIT_FOR_INTERRUPT,
+ HF_VCPU_RUN_WAIT_FOR_INTERRUPT = 2,
/**
* The vCPU would like `hf_vcpu_run` to be called on another vCPU,
@@ -48,13 +48,13 @@
* re-run it if it is already running somewhere. This gives Hafnium a
* chance to update any CPU state which might have changed.
*/
- HF_VCPU_RUN_WAKE_UP,
+ HF_VCPU_RUN_WAKE_UP = 3,
/**
* A new message is available for the scheduler VM, as specified by
* `hf_vcpu_run_return.message`.
*/
- HF_VCPU_RUN_MESSAGE,
+ HF_VCPU_RUN_MESSAGE = 4,
/**
* Like `HF_VCPU_RUN_WAIT_FOR_INTERRUPT`, but for a limited amount of
@@ -63,14 +63,21 @@
* `HF_VCPU_RUN_WAIT_FOR_INTERRUPT` occur, the scheduler MUST call
* `hf_vcpu_run` on it again.
*/
- HF_VCPU_RUN_SLEEP,
+ HF_VCPU_RUN_SLEEP = 5,
/**
* The vCPU has made the mailbox writable and there are pending waiters.
* The scheduler MUST call hf_mailbox_waiter_get() repeatedly and notify
* all waiters by injecting an HF_MAILBOX_WRITABLE_INTID interrupt.
*/
- HF_VCPU_RUN_NOTIFY_WAITERS,
+ HF_VCPU_RUN_NOTIFY_WAITERS = 6,
+
+ /**
+ * The vCPU has aborted triggering the whole VM to abort. The scheduler
+ * MUST treat this as `HF_VCPU_RUN_WAIT_FOR_INTERRUPT` for this vCPU and
+ * `HF_VCPU_RUN_WAKE_UP` for all the other vCPUs of the VM.
+ */
+ HF_VCPU_RUN_ABORTED = 7,
};
struct hf_vcpu_run_return {