Don't panic on KVM initialization if can't create new vCPU.

This should be an indication to the user to set greater memory limits, a clean
exit with an error should do that.

PiperOrigin-RevId: 759294902

Author: konstantin-s-bogom

pkg/sentry/platform/kvm/machine.go

@@ -32,6 +32,7 @@ import (
 	"gvisor.dev/gvisor/pkg/ring0"
 	"gvisor.dev/gvisor/pkg/ring0/pagetables"
 	"gvisor.dev/gvisor/pkg/seccomp"
+	"gvisor.dev/gvisor/pkg/sentry/platform"
 	ktime "gvisor.dev/gvisor/pkg/sentry/time"
 	"gvisor.dev/gvisor/pkg/sighandling"
 	"gvisor.dev/gvisor/pkg/sync"
@@ -227,10 +228,15 @@ type dieState struct {
 // createVCPU creates and returns a new vCPU.
 //
 // Precondition: mu must be held.
-func (m *machine) createVCPU(id int) *vCPU {
+func (m *machine) createVCPU(id int) (*vCPU, error) {
 	// Create the vCPU.
 	fd, errno := hostsyscall.RawSyscall(unix.SYS_IOCTL, uintptr(m.fd), KVM_CREATE_VCPU, uintptr(id))
-	if errno != 0 {
+	if errno == unix.ENOMEM {
+		return nil, &platform.InitializationError{
+			Err:   fmt.Errorf("error creating new vCPU(id=%d): %v", id, errno),
+			Errno: errno,
+		}
+	} else if errno != 0 {
 		panic(fmt.Sprintf("error creating new vCPU(id=%d): %v", id, errno))
 	}
 
@@ -259,7 +265,7 @@ func (m *machine) createVCPU(id int) *vCPU {
 		panic(fmt.Sprintf("error initializing vCPU(id=%d) state: %v", id, err))
 	}
 
-	return c // Done.
+	return c, nil // Done.
 }
 
 // forceMappingEntireAddressSpace forces mapping the entire process address

pkg/sentry/platform/kvm/machine_amd64.go

@@ -50,10 +50,12 @@ func (m *machine) initArchState() error {
 
 	// Initialize all vCPUs to minimize kvm ioctl-s allowed by seccomp filters.
 	m.mu.Lock()
+	defer m.mu.Unlock()
 	for i := 0; i < m.maxVCPUs; i++ {
-		m.createVCPU(i)
+		if _, err := m.createVCPU(i); err != nil {
+			return err
+		}
 	}
-	m.mu.Unlock()
 
 	return nil
 }

pkg/sentry/platform/kvm/machine_arm64_unsafe.go

@@ -49,15 +49,19 @@ func (m *machine) initArchState() error {
 		panic(fmt.Sprintf("error setting KVM_ARM_PREFERRED_TARGET failed: %v", errno))
 	}
 
-	// Initialize all vCPUs on ARM64, while this does not happen on x86_64.
-	// The reason for the difference is that ARM64 and x86_64 have different KVM timer mechanisms.
-	// If we create vCPU dynamically on ARM64, the timer for vCPU would mess up for a short time.
+	// Initialize all vCPUs on ARM64 (we also do this on x86_64, but for
+	// ARM64 it is especially important as it has a different KVM timer
+	// mechanism).
+	// If we create vCPU dynamically on ARM64, the timer for vCPU would mess
+	// up for a short time.
 	// For more detail, please refer to https://github.com/google/gvisor/issues/5739
 	m.mu.Lock()
+	defer m.mu.Unlock()
 	for i := 0; i < m.maxVCPUs; i++ {
-		m.createVCPU(i)
+		if _, err := m.createVCPU(i); err != nil {
+			return err
+		}
 	}
-	m.mu.Unlock()
 	return nil
 }
 

pkg/sentry/platform/platform.go

@@ -254,15 +254,29 @@ type Context interface {
 	PrepareSleep()
 }
 
-// ContextError is one of the possible errors returned by Context.Switch().
-type ContextError struct {
+type qualifiedError struct {
 	// Err is the underlying error.
 	Err error
 	// Errno is an approximation of what type of error this is supposed to
 	// be as defined by the linux errnos.
 	Errno unix.Errno
 }
 
+func (e *qualifiedError) Error() string {
+	return e.Err.Error()
+}
+
+// InitializationError is returned by Platform.New() when the platform fails
+// to initialize.
+type InitializationError qualifiedError
+
+func (e *InitializationError) Error() string {
+	return e.Err.Error()
+}
+
+// ContextError is one of the possible errors returned by Context.Switch().
+type ContextError qualifiedError
+
 func (e *ContextError) Error() string {
 	return e.Err.Error()
 }