
#1 2022-05-25 22:40:45

liewkj
Member
Registered: 2019-07-08
Posts: 210

KVM busted in linux 5.18 due to Intel CET

For running legacy VMs that require a real-mode to protected-mode switch, such as DOS/WinXP/Win7.
Legacy-free Linux VMs with OVMF UEFI are not affected.

100% reproducible with exactly the same bug trace.

[  803.988221] traps: Missing ENDBR: cmpw_ax_dx+0x0/0x10 [kvm]
[  803.988258] ------------[ cut here ]------------
[  803.988259] kernel BUG at arch/x86/kernel/traps.c:252!
[  803.988262] invalid opcode: 0000 [#3] PREEMPT SMP NOPTI
[  803.988264] CPU: 1 PID: 3290 Comm: qemu-system-i38 Tainted: G      D           5.18.0-arch1-1 #1 b71a70fe104889aac2f32556bc52f649da2881d2
[  803.988266] Hardware name: Acer Swift SF313-53/Skol_TL, BIOS V1.08 06/03/2021
[  803.988267] RIP: 0010:exc_control_protection+0xc2/0xd0
[  803.988270] Code: 8b 93 80 00 00 00 be f9 00 00 00 48 c7 c7 d3 ab 66 a0 e8 d1 01 50 ff e9 72 ff ff ff 48 c7 c7 ba ab 66 a0 e8 c7 31 fb ff 0f 0b <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 66 0f 1f 00 55 53 48 89
[  803.988272] RSP: 0018:ffffb33943a97bc8 EFLAGS: 00010002
[  803.988273] RAX: 000000000000002f RBX: ffffb33943a97be8 RCX: 0000000000000000
[  803.988274] RDX: 0000000000000000 RSI: ffff9d70684616a0 RDI: ffff9d70684616a0
[  803.988275] RBP: 0000000000000003 R08: 0000000000000000 R09: ffffb33943a979e8
[  803.988276] R10: 0000000000000003 R11: ffffffffa0ecaa08 R12: 0000000000000000
[  803.988276] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  803.988277] FS:  00007f18dbdff640(0000) GS:ffff9d7068440000(0000) knlGS:0000000000000000
[  803.988278] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  803.988279] CR2: 0000000000000000 CR3: 0000000117bca003 CR4: 0000000000f72ee0
[  803.988280] PKRU: 55555554
[  803.988281] Call Trace:
[  803.988282]  <TASK>
[  803.988283]  asm_exc_control_protection+0x22/0x30
[  803.988285] RIP: 0010:cmpw_ax_dx+0x0/0x10 [kvm]
[  803.988306] Code: c3 cc 0f 1f 84 00 00 00 00 00 66 0f 1f 00 48 31 d0 c3 cc 0f 1f 80 00 00 00 00 f3 0f 1e fa 38 d0 c3 cc 0f 1f 84 00 00 00 00 00 <66> 0f 1f 00 66 39 d0 c3 cc 0f 1f 80 00 00 00 00 66 0f 1f 00 39 d0
[  803.988307] RSP: 0018:ffffb33943a97c98 EFLAGS: 00010286
[  803.988308] RAX: 000000000000ffff RBX: ffff9d6f385e0a80 RCX: 0000000000000000
[  803.988309] RDX: 000000000000aaaa RSI: ffffffffc10d1030 RDI: 0000000000000284
[  803.988309] RBP: 0000000000000001 R08: ffff9d6f385e0a80 R09: 0000000000003202
[  803.988310] R10: ffff9d6ed9ea0000 R11: ffff9d6ed9ea00c8 R12: ffffffffc110c380
[  803.988311] R13: 0000000000000000 R14: 0000000000000000 R15: ffff9d6f385e0a80
[  803.988313]  ? cmpb_al_dl+0x10/0x10 [kvm db3c7a88bf101c39d9e215d66cd0ad42c132fef6]
[  803.988334]  fastop+0x59/0xa0 [kvm db3c7a88bf101c39d9e215d66cd0ad42c132fef6]
[  803.988354]  x86_emulate_insn+0x721/0xde0 [kvm db3c7a88bf101c39d9e215d66cd0ad42c132fef6]
[  803.988373]  x86_emulate_instruction+0x32e/0x5c0 [kvm db3c7a88bf101c39d9e215d66cd0ad42c132fef6]
[  803.988394]  kvm_arch_vcpu_ioctl_run+0x10e7/0x1eb0 [kvm db3c7a88bf101c39d9e215d66cd0ad42c132fef6]
[  803.988414]  ? vmx_vcpu_put+0x110/0x1f0 [kvm_intel 93937da4795beebc0bd8ea1bb371c8b44fab3796]
[  803.988419]  kvm_vcpu_ioctl+0x24b/0x6c0 [kvm db3c7a88bf101c39d9e215d66cd0ad42c132fef6]
[  803.988436]  ? kvm_vcpu_ioctl+0x2ac/0x6c0 [kvm db3c7a88bf101c39d9e215d66cd0ad42c132fef6]
[  803.988452]  __x64_sys_ioctl+0x8e/0xc0
[  803.988455]  do_syscall_64+0x5c/0x90
[  803.988457]  ? __x64_sys_ioctl+0xa9/0xc0
[  803.988458]  ? syscall_exit_to_user_mode+0x26/0x50
[  803.988459]  ? do_syscall_64+0x6b/0x90
[  803.988461]  ? syscall_exit_to_user_mode+0x26/0x50
[  803.988461]  ? do_syscall_64+0x6b/0x90
[  803.988463]  ? do_syscall_64+0x6b/0x90
[  803.988464]  ? do_syscall_64+0x6b/0x90
[  803.988465]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  803.988467] RIP: 0033:0x7f190d107b1f

I believe Intel CET (IBT & Shadow Stack) is only available on 11th Gen Intel Core CPUs. So older Intel CPUs are likely unaffected, too.
I am looking for ways to disable Intel CET. The documented "no_user_ibt & no_user_shstk" kernel parameters do not seem to do anything at all.

Offline

#2 2022-05-25 23:48:05

loqs
Member
Registered: 2014-03-06
Posts: 17,321

Re: KVM busted in linux 5.18 due to Intel CET

Try either ibt=off or ibt=warn https://github.com/torvalds/linux/commi … f8fa264b21
Edit:
no_user_ibt and no_user_shstk are for user space support that has not been merged.

Last edited by loqs (2022-05-25 23:49:16)

Offline

#3 2022-05-26 02:13:20

liewkj
Member
Registered: 2019-07-08
Posts: 210

Re: KVM busted in linux 5.18 due to Intel CET

loqs wrote:

Try either ibt=off or ibt=warn https://github.com/torvalds/linux/commi … f8fa264b21
Edit:
no_user_ibt and no_user_shstk are for user space support that has not been merged.

Thanks, ibt=off works. KVM is back to normal in linux 5.18.

Offline

#4 2022-05-26 23:53:35

loqs
Member
Registered: 2014-03-06
Posts: 17,321

Re: KVM busted in linux 5.18 due to Intel CET

Please consider opening a bug report on the Arch bug tracker so the package maintainer can take it into account when deciding when to move the package out of testing, or upstream so the issue can get fixed.

Offline

#5 2022-06-01 12:16:56

imyavetra
Member
Registered: 2022-06-01
Posts: 4

Re: KVM busted in linux 5.18 due to Intel CET

loqs wrote:

Try either ibt=off or ibt=warn https://github.com/torvalds/linux/commi … f8fa264b21
Edit:
no_user_ibt and no_user_shstk are for user space support that has not been merged.

Thank you, VirtualBox and QEMU weren't working and ibt=off fixed it.

Offline

#6 2022-08-01 14:56:20

MS-DTYP
Member
Registered: 2020-05-01
Posts: 8

Re: KVM busted in linux 5.18 due to Intel CET

Same issue.

Created a bug report: https://bugs.archlinux.org/task/75481

Aug 01 17:39:07 desktop kernel: audit: type=1131 audit(1659364747.146:103): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user-runtime-dir@120 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 01 17:39:07 desktop kernel: SUPR0GipMap: fGetGipCpu=0x1b
Aug 01 17:39:08 desktop kernel: traps: Missing ENDBR: 0xffffae16c31f33b0
Aug 01 17:39:08 desktop kernel: ------------[ cut here ]------------
Aug 01 17:39:08 desktop kernel: kernel BUG at arch/x86/kernel/traps.c:252!
Aug 01 17:39:08 desktop kernel: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
Aug 01 17:39:08 desktop kernel: CPU: 0 PID: 1869 Comm: EMT-0 Tainted: G           OE     5.18.15-arch1-1 #1 9ff3be2e7813d5f2c07119812e1642852fe6c646
Aug 01 17:39:08 desktop kernel: Hardware name: LENOVO 20W0004KRT/20W0004KRT, BIOS N34ET34W (1.34 ) 04/08/2021
Aug 01 17:39:08 desktop kernel: RIP: 0010:exc_control_protection+0xc2/0xd0
Aug 01 17:39:08 desktop kernel: Code: 8b 93 80 00 00 00 be f9 00 00 00 48 c7 c7 93 eb a6 a8 e8 e1 8d 4d ff e9 72 ff ff ff 48 c7 c7 7a eb a6 a8 e8 26 24 fb ff 0f 0b <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 66 0f 1f 00 55 53 48 89
Aug 01 17:39:08 desktop kernel: RSP: 0018:ffffae16c3167c48 EFLAGS: 00010002
Aug 01 17:39:08 desktop kernel: RAX: 0000000000000028 RBX: ffffae16c3167c68 RCX: 0000000000000000
Aug 01 17:39:08 desktop kernel: RDX: 0000000000000000 RSI: ffff9075776216a0 RDI: ffff9075776216a0
Aug 01 17:39:08 desktop kernel: RBP: 0000000000000003 R08: 0000000000000000 R09: ffffae16c3167a68
Aug 01 17:39:08 desktop kernel: R10: 0000000000000003 R11: ffffffffa92caa08 R12: 0000000000000000
Aug 01 17:39:08 desktop kernel: R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Aug 01 17:39:08 desktop kernel: FS:  00007f949a9ff640(0000) GS:ffff907577600000(0000) knlGS:0000000000000000
Aug 01 17:39:08 desktop kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Aug 01 17:39:08 desktop kernel: CR2: 00007f948b000000 CR3: 0000000112b34003 CR4: 0000000000f70ef0
Aug 01 17:39:08 desktop kernel: PKRU: 55555554
Aug 01 17:39:08 desktop kernel: Call Trace:
Aug 01 17:39:08 desktop kernel:  <TASK>
Aug 01 17:39:08 desktop kernel:  asm_exc_control_protection+0x25/0x30
Aug 01 17:39:08 desktop kernel: RIP: 0010:0xffffae16c31f33b0
Aug 01 17:39:08 desktop kernel: Code: 31 c0 0f b7 cb 21 ce 39 f1 75 04 48 8d 42 18 48 8b 5d f8 c9 c3 0f 1f 44 00 00 89 df 48 8b 5d f8 c9 e9 a4 cc fc ff 31 c0 eb e5 <55> 48 8d 35 48 9c 15 00 48 89 e5 41 54 49 89 fc 53 e8 0a c0 fc ff
Aug 01 17:39:08 desktop kernel: RSP: 0018:ffffae16c3167d10 EFLAGS: 00010282
Aug 01 17:39:08 desktop kernel: RAX: ffffae16c31f33b0 RBX: ffffae16c336e010 RCX: ffffae16c3171000
Aug 01 17:39:08 desktop kernel: RDX: ffffae16c31f2550 RSI: 0000000000000000 RDI: ffff906c9298c850
Aug 01 17:39:08 desktop kernel: RBP: ffffae16c3167d98 R08: ffffae16c336d000 R09: 0000000000000001
Aug 01 17:39:08 desktop kernel: R10: ffff9075776395f8 R11: 0000000000000000 R12: 0000000000000024
Aug 01 17:39:08 desktop kernel: R13: 0000000000000004 R14: ffff906c9298c850 R15: ffffffffc0704860
Aug 01 17:39:08 desktop kernel:  ? supdrvIOCtl+0x2ef5/0x3280 [vboxdrv 6dc203d6f41b1d3f81b5827e2e9e7b67ab55cafb]
Aug 01 17:39:08 desktop kernel:  ? _copy_from_user+0x47/0x60
Aug 01 17:39:08 desktop kernel:  ? VBoxDrvLinuxIOCtl_6_1_36+0x162/0x260 [vboxdrv 6dc203d6f41b1d3f81b5827e2e9e7b67ab55cafb]
Aug 01 17:39:08 desktop kernel:  ? __x64_sys_ioctl+0x91/0xd0
Aug 01 17:39:08 desktop kernel:  ? do_syscall_64+0x5c/0x90
Aug 01 17:39:08 desktop kernel:  ? vfs_write+0x178/0x270
Aug 01 17:39:08 desktop kernel:  ? vfs_write+0x178/0x270
Aug 01 17:39:08 desktop kernel:  ? syscall_exit_to_user_mode+0x26/0x50
Aug 01 17:39:08 desktop kernel:  ? do_syscall_64+0x6b/0x90
Aug 01 17:39:08 desktop kernel:  ? do_syscall_64+0x6b/0x90
Aug 01 17:39:08 desktop kernel:  ? entry_SYSCALL_64_after_hwframe+0x61/0xcb
Aug 01 17:39:08 desktop kernel:  </TASK>
Aug 01 17:39:08 desktop kernel: Modules linked in: ec_sys ipheth joydev snd_ctl_led snd_soc_skl_hda_dsp snd_soc_intel_hda_dsp_common snd_soc_hdac_hdmi snd_sof_probes snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_soc_dmic snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match spi_nor snd_soc_acpi iTCO_wdt soundwire_bus mtd intel_pmc_bxt ee1004 iTCO_vendor_support intel_tcc_cooling mei_pxp iwlmvm snd_soc_core mei_hdcp x86_pkg_temp_thermal intel_powerclamp coretemp snd_compress think_lmi ac97_bus intel_rapl_msr firmware_attributes_class wmi_bmof mac80211 kvm_intel snd_pcm_dmaengine snd_hda_intel libarc4 snd_intel_dspcfg kvm mousedev irqbypass snd_intel_sdw_acpi intel_cstate iwlwifi intel_uncore snd_hda_codec pcspkr iwlmei psmouse snd_hda_core e1000e snd_hwdep i2c_i801 spi_intel_pci snd_pcm spi_intel btusb
Aug 01 17:39:08 desktop kernel:  i2c_smbus cfg80211 uvcvideo snd_timer btrtl videobuf2_vmalloc mei_me btbcm videobuf2_memops mei btintel videobuf2_v4l2 btmtk videobuf2_common hid_logitech_hidpp bluetooth videodev i915 mc ecdh_generic processor_thermal_device_pci_legacy drm_buddy processor_thermal_device ttm processor_thermal_rfim ucsi_acpi processor_thermal_mbox apple_mfi_fastcharge thunderbolt tpm_crb drm_dp_helper typec_ucsi processor_thermal_rapl intel_rapl_common intel_gtt typec intel_soc_dts_iosf igen6_edac roles tpm_tis thinkpad_acpi tpm_tis_core ledtrig_audio platform_profile wmi rfkill snd soundcore int3403_thermal int340x_thermal_zone video mac_hid intel_hid int3400_thermal sparse_keymap acpi_tad acpi_pad acpi_thermal_rel vboxnetflt(OE) vboxnetadp(OE) vboxdrv(OE) crypto_user fuse bpf_preload ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 hid_logitech_dj usbhid mmc_block dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core dm_mod crct10dif_pclmul sdhci_pci serio_raw cqhci
Aug 01 17:39:08 desktop kernel:  crc32_pclmul atkbd crc32c_intel sdhci libps2 ghash_clmulni_intel vivaldi_fmap aesni_intel mmc_core crypto_simd nvme xhci_pci cryptd nvme_core xhci_pci_renesas i8042 serio
Aug 01 17:39:08 desktop kernel: ---[ end trace 0000000000000000 ]---
Aug 01 17:39:08 desktop kernel: RIP: 0010:exc_control_protection+0xc2/0xd0
Aug 01 17:39:08 desktop kernel: Code: 8b 93 80 00 00 00 be f9 00 00 00 48 c7 c7 93 eb a6 a8 e8 e1 8d 4d ff e9 72 ff ff ff 48 c7 c7 7a eb a6 a8 e8 26 24 fb ff 0f 0b <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 66 0f 1f 00 55 53 48 89
Aug 01 17:39:08 desktop kernel: RSP: 0018:ffffae16c3167c48 EFLAGS: 00010002
Aug 01 17:39:08 desktop kernel: RAX: 0000000000000028 RBX: ffffae16c3167c68 RCX: 0000000000000000
Aug 01 17:39:08 desktop kernel: RDX: 0000000000000000 RSI: ffff9075776216a0 RDI: ffff9075776216a0
Aug 01 17:39:08 desktop kernel: RBP: 0000000000000003 R08: 0000000000000000 R09: ffffae16c3167a68
Aug 01 17:39:08 desktop kernel: R10: 0000000000000003 R11: ffffffffa92caa08 R12: 0000000000000000
Aug 01 17:39:08 desktop kernel: R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Aug 01 17:39:08 desktop kernel: FS:  00007f949a9ff640(0000) GS:ffff907577600000(0000) knlGS:0000000000000000
Aug 01 17:39:08 desktop kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Aug 01 17:39:08 desktop kernel: CR2: 00007f948b000000 CR3: 0000000112b34003 CR4: 0000000000f70ef0
Aug 01 17:39:08 desktop kernel: PKRU: 55555554
Aug 01 17:39:14 desktop gnome-shell[1207]: Can't update stage views actor <unnamed>[<MetaWindowGroup>:0x556e8e406310] is on because it needs an allocation.
Aug 01 17:39:14 desktop gnome-shell[1207]: Can't update stage views actor <unnamed>[<MetaWindowActorX11>:0x556e8f652760] is on because it needs an allocation.
Aug 01 17:39:14 desktop gnome-shell[1207]: Can't update stage views actor <unnamed>[<MetaSurfaceActorX11>:0x556e8f6566b0] is on because it needs an allocation.
Aug 01 17:39:15 desktop systemd[1054]: Started VTE child process 1873 launched by gnome-terminal-server process 1717.

Last edited by MS-DTYP (2022-08-01 14:57:20)

Offline
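Both pastes in this thread carry the same signature (a "traps: Missing ENDBR" line followed by "kernel BUG at arch/x86/kernel/traps.c:252!"); what a bug report needs from them is the call target that lacked ENDBR, the kernel build, the process, and the module the trace points at. The parser below is an added example, not code from the thread; its sample lines are abbreviated copies of the traces in posts #1 (dmesg format) and #6 (journalctl format), and `ibt_disabled` assumes the workaround is checked on the kernel command line, as in /proc/cmdline.

```python
"""Parse the kernel-IBT "Missing ENDBR" oops from this thread (added example,
not code from the thread). Accepts raw dmesg lines as in post #1 and
journalctl lines ("Aug 01 17:39:08 host kernel: ...") as in post #6."""
import re
_PREFIX = re.compile(r"^(?:\[\s*\d+\.\d+\]\s*|\w{3} \d\d \d\d:\d\d:\d\d \S+ kernel:\s*)")
_MISSING = re.compile(r"traps: Missing ENDBR: (\S+)(?: \[(\w+)\])?")
_TAINTED = re.compile(r"Comm: (\S+) .*?(\d+\.\d+\.\d+\S*) #")
_FRAME = re.compile(r"^(?:\? )?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+) \[(\w+)")

# Abbreviated copies of the two traces posted in this thread.
SAMPLE_DMESG = [
    "[  803.988221] traps: Missing ENDBR: cmpw_ax_dx+0x0/0x10 [kvm]",
    "[  803.988264] CPU: 1 PID: 3290 Comm: qemu-system-i38 Tainted: G D 5.18.0-arch1-1 #1 b71a70fe",
    "[  803.988313]  ? cmpb_al_dl+0x10/0x10 [kvm db3c7a88bf101c39d9e215d66cd0ad42c132fef6]",
    "[  803.988334]  fastop+0x59/0xa0 [kvm db3c7a88bf101c39d9e215d66cd0ad42c132fef6]",
]
SAMPLE_JOURNAL = [
    "Aug 01 17:39:08 desktop kernel: traps: Missing ENDBR: 0xffffae16c31f33b0",
    "Aug 01 17:39:08 desktop kernel: CPU: 0 PID: 1869 Comm: EMT-0 Tainted: G OE 5.18.15-arch1-1 #1 9ff3be2e",
    "Aug 01 17:39:08 desktop kernel:  ? supdrvIOCtl+0x2ef5/0x3280 [vboxdrv 6dc203d6f41b1d3f81b5827e2e9e7b67ab55cafb]",
]

def parse_ibt_oops(lines):
    """Return a dict for the first Missing-ENDBR oops in `lines`, or None."""
    report = None
    for raw in lines:
        line = _PREFIX.sub("", raw.rstrip("\n"), count=1)
        if report is None:  # the trap line opens the oops
            m = _MISSING.search(line)
            if m:
                report = {"target": m.group(1), "target_module": m.group(2),
                          "comm": None, "kernel": None, "frames": []}
            continue
        m = _TAINTED.search(line)
        if m:
            report["comm"], report["kernel"] = m.group(1), m.group(2)
        m = _FRAME.match(line)
        if m:  # (symbol+offset, module) for every frame inside a module
            report["frames"].append((m.group(1), m.group(2)))
    return report

def blamed_module(report):
    """Module to name in the report: the target's module if symbolised, else the first module frame's."""
    if report["target_module"]:
        return report["target_module"]
    return report["frames"][0][1] if report["frames"] else None

def ibt_disabled(cmdline):
    """True if a kernel command line (e.g. /proc/cmdline contents) carries ibt=off."""
    return "ibt=off" in cmdline.split()
```

An unsymbolised target (post #6) means the address was not inside a kernel or module text symbol, so the first module frame, vboxdrv there, is the better lead for the report.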
