kvm: Enhance debugging of unexpected vCPU exits

avagin · gvisor-bot · commit 51ef1933885b · 2025-07-15T05:17:48.000-07:00
This change introduces a mechanism to capture additional diagnostic information
when a vCPU exits unexpectedly.

PiperOrigin-RevId: 783290361
diff --git a/pkg/sentry/platform/kvm/bluepill.go b/pkg/sentry/platform/kvm/bluepill.go
@@ -91,7 +91,17 @@ func (c *vCPU) die(context *arch.SignalContext64, msg string) {
 	c.dieState.message = msg
 
 	// Setup the trampoline.
-	dieArchSetup(c, context, &c.dieState.guestRegs)
+	c.dieArchSetup(context, &c.dieState.guestRegs, false)
+}
+
+// dieAndDumpExitReason populates registers with the vCPU's exit reason and
+// associated data from c.runData. Then it sets the instruction pointer to
+// an invalid address (0xabc) to trigger a memory fault immediately after
+// sigreturn.
+//
+//go:nosplit
+func (c *vCPU) dieAndDumpExitReason(context *arch.SignalContext64) {
+	c.dieArchSetup(context, &c.dieState.guestRegs, true)
 }
 
 func init() {
diff --git a/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go b/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go
@@ -35,7 +35,7 @@ import (
 // provided RIP.
 //
 //go:nosplit
-func dieArchSetup(c *vCPU, context *arch.SignalContext64, guestRegs *userRegs) {
+func (c *vCPU) dieArchSetup(context *arch.SignalContext64, guestRegs *userRegs, dumpExitReason bool) {
 	// Reload all registers to have an accurate stack trace when we return
 	// to host mode. This means that the stack should be unwound correctly.
 	if errno := c.getUserRegisters(&c.dieState.guestRegs); errno != 0 {
@@ -55,8 +55,26 @@ func dieArchSetup(c *vCPU, context *arch.SignalContext64, guestRegs *userRegs) {
 		context.Rbp = guestRegs.RBP
 		context.Eflags = guestRegs.RFLAGS
 	}
-	context.Rbx = uint64(uintptr(unsafe.Pointer(c)))
-	context.Rip = uint64(dieTrampolineAddr)
+	if dumpExitReason {
+		// Store the original instruction pointer in R9 and populates
+		// registers R10-R14 with the vCPU's exit reason and associated
+		// data from c.runData. To ensure this information is preserved
+		// in a crash report, RIP is set to an invalid address (0xabc).
+		// This forces a memory fault immediately after a sigreturn,
+		// triggering a crash report that includes the altered register
+		// state, providing diagnostic details about why the vCPU
+		// exited.
+		context.R9 = context.Rip
+		context.Rip = 0xabc
+		context.R10 = uint64(c.runData.exitReason)
+		context.R11 = c.runData.data[0]
+		context.R12 = c.runData.data[1]
+		context.R13 = c.runData.data[2]
+		context.R14 = c.runData.data[3]
+	} else {
+		context.Rbx = uint64(uintptr(unsafe.Pointer(c)))
+		context.Rip = uint64(dieTrampolineAddr)
+	}
 }
 
 // getHypercallID returns hypercall ID.
@@ -142,7 +160,7 @@ func bluepillReadyStopGuest(c *vCPU) bool {
 //
 //go:nosplit
 func bluepillArchHandleExit(c *vCPU, context unsafe.Pointer) {
-	c.die(bluepillArchContext(context), "unknown")
+	c.dieAndDumpExitReason(bluepillArchContext(context))
 }
 
 func addrOfBluepillUserHandler() uintptr
diff --git a/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go b/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go
@@ -40,7 +40,7 @@ func fpsimdPtr(addr *byte) *arch.FpsimdContext {
 // provided PC.
 //
 //go:nosplit
-func dieArchSetup(c *vCPU, context *arch.SignalContext64, guestRegs *userRegs) {
+func (c *vCPU) dieArchSetup(context *arch.SignalContext64, guestRegs *userRegs, dumpExitReason bool) {
 	// If the vCPU is in user mode, we set the stack to the stored stack
 	// value in the vCPU itself. We don't want to unwind the user stack.
 	if guestRegs.Regs.Pstate&ring0.PsrModeMask == ring0.UserFlagsSet {
@@ -54,15 +54,26 @@ func dieArchSetup(c *vCPU, context *arch.SignalContext64, guestRegs *userRegs) {
 		context.Regs[29] = guestRegs.Regs.Regs[29]
 		context.Pstate = guestRegs.Regs.Pstate
 	}
-	context.Regs[1] = uint64(uintptr(unsafe.Pointer(c)))
-	context.Pc = uint64(dieTrampolineAddr)
-}
-
-// bluepillArchFpContext returns the arch-specific fpsimd context.
-//
-//go:nosplit
-func bluepillArchFpContext(context unsafe.Pointer) *arch.FpsimdContext {
-	return &((*arch.SignalContext64)(context).Fpsimd64)
+	if dumpExitReason {
+		// Store the original instruction pointer in R9 and populates
+		// registers R10-R14 with the vCPU's exit reason and associated
+		// data from c.runData. To ensure this information is preserved
+		// in a crash report, PC is set to an invalid address (0xabc).
+		// This forces a memory fault immediately after a sigreturn,
+		// triggering a crash report that includes the altered register
+		// state, providing diagnostic details about why the vCPU
+		// exited.
+		context.Regs[9] = context.Pc
+		context.Pc = 0xabc
+		context.Regs[10] = uint64(c.runData.exitReason)
+		context.Regs[11] = c.runData.data[0]
+		context.Regs[12] = c.runData.data[1]
+		context.Regs[13] = c.runData.data[2]
+		context.Regs[14] = c.runData.data[3]
+	} else {
+		context.Regs[1] = uint64(uintptr(unsafe.Pointer(c)))
+		context.Pc = uint64(dieTrampolineAddr)
+	}
 }
 
 // getHypercallID returns hypercall ID.
@@ -174,6 +185,6 @@ func bluepillArchHandleExit(c *vCPU, context unsafe.Pointer) {
 	case _KVM_EXIT_ARM_NISV:
 		bluepillExtDabt(c)
 	default:
-		c.die(bluepillArchContext(context), "unknown")
+		c.dieAndDumpExitReason(bluepillArchContext(context))
 	}
 }
diff --git a/pkg/sentry/platform/kvm/bluepill_unsafe.go b/pkg/sentry/platform/kvm/bluepill_unsafe.go
@@ -219,7 +219,7 @@ func bluepillHandler(context unsafe.Pointer) {
 			c.die(bluepillArchContext(context), "shutdown")
 			return
 		case _KVM_EXIT_FAIL_ENTRY:
-			c.die(bluepillArchContext(context), "entry failed")
+			c.dieAndDumpExitReason(bluepillArchContext(context))
 			return
 		default:
 			bluepillArchHandleExit(c, context)
