Bug 206795

Summary: 4.19.108 Ryzen 1600X , kvm BUG kvm_mmu_set_mmio_spte_mask
Product: Virtualization Reporter: Sami Farin (hvtaifwkbgefbaei)
Component: kvmAssignee: virtualization_kvm
Status: RESOLVED CODE_FIX    
Severity: blocking CC: bugs, thomas.lendacky, tv7iR8OPvrPi
Priority: P1    
Hardware: x86-64   
OS: Linux   
Kernel Version: 4.19.108 Subsystem:
Regression: Yes Bisected commit-id:
Attachments: lspci

Description Sami Farin 2020-03-09 07:30:40 UTC 
Created attachment 287841 [details]
lspci

4.19.106 works, 4.19.108 doesn't.
Cc: thomas.lendacky at amd.com
maybe guilty patch: a4e761c9f63ae12c5e2fc586b77082fd07e54212

I'd like to remind:
https://www.kernel.org/doc/html/v4.19/process/stable-kernel-rules.html
 - It must be obviously correct and tested.


I boot with mem_encrypt=off because it doesn't boot with `on`.  Maybe due to my RX550.

kvm: Nested Virtualization enabled
------------[ cut here ]------------
kernel BUG at arch/x86/kvm/mmu.c:296!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 5 PID: 5265 Comm: systemd-udevd Tainted: G                T 4.19.108+ #57
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./X370 Taichi, BIOS P6.20 01/03/2020
RIP: 0010:kvm_mmu_set_mmio_spte_mask+0x2f/0x40 [kvm]
Code: 48 89 f8 48 21 f0 48 39 f0 75 1f 48 ba 00 00 00 00 00 00 00 40 48 09 d0 48 09 d7 48 89 05 b9 63 06 00 48 89 3d ba 63 06 00 c3 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00
RSP: 0018:ffffbba083c77b80 EFLAGS: 00010297
RAX: 0000000000000000 RBX: ffffbba083c77b9c RCX: 000000000000002b
RDX: 000000000000002f RSI: 0000000000000006 RDI: 000ff80000000001
RBP: ffffe6f65fdfcc00 R08: ffffbba083c77b98 R09: ffffbba083c77b9c
R10: 0000000000000000 R11: 0000000000000001 R12: ffffbba083c77b98
R13: ffffbba083c77b94 R14: ffffbba083c77b90 R15: ffffffffc073f448
FS:  00007fcf817eb940(0000) GS:ffffa1b33e540000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff902017db8 CR3: 00000007ed3ea000 CR4: 00000000003406e0
Call Trace:
 svm_hardware_setup+0x376/0x556 [kvm_amd]
 kvm_arch_hardware_setup+0x38/0x2e0 [kvm]
 ? preempt_count_sub+0x43/0x50
 kvm_init+0x76/0x270 [kvm]
 ? svm_hardware_setup+0x556/0x556 [kvm_amd]
 do_one_initcall+0x4f/0x20d
 ? free_unref_page_commit+0x8b/0x110
 ? preempt_count_sub+0x43/0x50
 ? kmem_cache_alloc_trace+0x1a3/0x1b0
 do_init_module+0x5f/0x220
 load_module+0x23f5/0x25b0
 ? __se_sys_finit_module+0xbe/0xf0
 __se_sys_finit_module+0xbe/0xf0
 do_syscall_64+0x6f/0x329
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fcf82812e0d
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4b 90 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffec9e12898 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 0000560b19730190 RCX: 00007fcf82812e0d
RDX: 0000000000000000 RSI: 0000560b196dcd50 RDI: 0000000000000010
RBP: 0000000000020000 R08: 0000000000000000 R09: 0000000000000005
R10: 0000000000000010 R11: 0000000000000246 R12: 0000560b196dcd50
R13: 0000000000000000 R14: 0000560b19718840 R15: 0000560b19730190
Modules linked in: kvm_amd(+) mac80211 kvm pktcdvd irqbypass iwlwifi wmi_bmof pcspkr k10temp sp5100_tco i2c_piix4 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hda_core cfg80211 rtc_cmos acpi_cpufreq snd_pcm_oss snd_mixer_oss snd_seq binfmt_misc snd_seq_device snd_pcm sch_cake tcp_cubic tcp_westwood br_netfilter bridge stp llc ip_tables uas usb_storage usbhid rfkill mxm_wmi ccp igb xhci_pci xhci_hcd usbcore usb_common wmi button 8021q mrp sunrpc iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi snd_timer snd soundcore tun xt_tcpudp x_tables tcp_bbr nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sch_fq_codel sch_htb sch_pie fuse analog gameport joydev i2c_dev ecryptfs autofs4 amdkfd amd_iommu_v2
---[ end trace c1723d4d24214898 ]---


CPU:
   vendor_id = "AuthenticAMD"
   version information (1/eax):
      processor type  = primary processor (0)
      family          = 0xf (15)
      model           = 0x1 (1)
      stepping id     = 0x1 (1)
      extended family = 0x8 (8)
      extended model  = 0x0 (0)
      (family synth)  = 0x17 (23)
      (model synth)   = 0x1 (1)
      (simple synth)  = AMD (unknown type) (Summit Ridge/Naples ZP-B1) [Zen], 14nm
   miscellaneous (1/ebx):
      process local APIC physical ID = 0x9 (9)
      cpu count                      = 0x6 (6)
      CLFLUSH line size              = 0x8 (8)
      brand index                    = 0x0 (0)
   brand id = 0x00 (0): unknown
   feature information (1/edx):
      x87 FPU on chip                        = true
      VME: virtual-8086 mode enhancement     = true
      DE: debugging extensions               = true
      PSE: page size extensions              = true
      TSC: time stamp counter                = true
      RDMSR and WRMSR support                = true
      PAE: physical address extensions       = true
      MCE: machine check exception           = true
      CMPXCHG8B inst.                        = true
      APIC on chip                           = true
      SYSENTER and SYSEXIT                   = true
      MTRR: memory type range registers      = true
      PTE global bit                         = true
      MCA: machine check architecture        = true
      CMOV: conditional move/compare instr   = true
      PAT: page attribute table              = true
      PSE-36: page size extension            = true
      PSN: processor serial number           = false
      CLFLUSH instruction                    = true
      DS: debug store                        = false
      ACPI: thermal monitor and clock ctrl   = false
      MMX Technology                         = true
      FXSAVE/FXRSTOR                         = true
      SSE extensions                         = true
      SSE2 extensions                        = true
      SS: self snoop                         = false
      hyper-threading / multi-core supported = true
      TM: therm. monitor                     = false
      IA64                                   = false
      PBE: pending break event               = false
   feature information (1/ecx):
      PNI/SSE3: Prescott New Instructions     = true
      PCLMULDQ instruction                    = true
      DTES64: 64-bit debug store              = false
      MONITOR/MWAIT                           = true
      CPL-qualified debug store               = false
      VMX: virtual machine extensions         = false
      SMX: safer mode extensions              = false
      Enhanced Intel SpeedStep Technology     = false
      TM2: thermal monitor 2                  = false
      SSSE3 extensions                        = true
      context ID: adaptive or shared L1 data  = false
      SDBG: IA32_DEBUG_INTERFACE              = false
      FMA instruction                         = true
      CMPXCHG16B instruction                  = true
      xTPR disable                            = false
      PDCM: perfmon and debug                 = false
      PCID: process context identifiers       = false
      DCA: direct cache access                = false
      SSE4.1 extensions                       = true
      SSE4.2 extensions                       = true
      x2APIC: extended xAPIC support          = false
      MOVBE instruction                       = true
      POPCNT instruction                      = true
      time stamp counter deadline             = false
      AES instruction                         = true
      XSAVE/XSTOR states                      = true
      OS-enabled XSAVE/XSTOR                  = true
      AVX: advanced vector extensions         = true
      F16C half-precision convert instruction = true
      RDRAND instruction                      = true
      hypervisor guest status                 = false
   cache and TLB information (2):
   processor serial number = 0080-0F11-0000-0000-0000-0000
   MONITOR/MWAIT (5):
      smallest monitor-line size (bytes)       = 0x40 (64)
      largest monitor-line size (bytes)        = 0x40 (64)
      enum of Monitor-MWAIT exts supported     = true
      supports intrs as break-event for MWAIT  = true
      number of C0 sub C-states using MWAIT    = 0x0 (0)
      number of C1 sub C-states using MWAIT    = 0x0 (0)
      number of C2 sub C-states using MWAIT    = 0x0 (0)
      number of C3 sub C-states using MWAIT    = 0x0 (0)
      number of C4 sub C-states using MWAIT    = 0x0 (0)
      number of C5 sub C-states using MWAIT    = 0x0 (0)
      number of C6 sub C-states using MWAIT    = 0x0 (0)
      number of C7 sub C-states using MWAIT    = 0x0 (0)
   Thermal and Power Management Features (6):
      digital thermometer                     = false
      Intel Turbo Boost Technology            = false
      ARAT always running APIC timer          = true
      PLN power limit notification            = false
      ECMD extended clock modulation duty     = false
      PTM package thermal management          = false
      HWP base registers                      = false
      HWP notification                        = false
      HWP activity window                     = false
      HWP energy performance preference       = false
      HWP package level request               = false
      HDC base registers                      = false
      Intel Turbo Boost Max Technology 3.0    = false
      HWP capabilities                        = false
      HWP PECI override                       = false
      flexible HWP                            = false
      IA32_HWP_REQUEST MSR fast access mode   = false
      HW_FEEDBACK                             = false
      ignoring idle logical processor HWP req = false
      digital thermometer thresholds          = 0x0 (0)
      hardware coordination feedback          = true
      ACNT2 available                         = false
      performance-energy bias capability      = false
      performance capability reporting        = false
      energy efficiency capability reporting  = false
      size of feedback struct (4KB pages)     = 0x0 (0)
      index of CPU's row in feedback struct   = 0x0 (0)
   extended feature flags (7):
      FSGSBASE instructions                    = true
      IA32_TSC_ADJUST MSR supported            = false
      SGX: Software Guard Extensions supported = false
      BMI1 instructions                        = true
      HLE hardware lock elision                = false
      AVX2: advanced vector extensions 2       = true
      FDP_EXCPTN_ONLY                          = false
      SMEP supervisor mode exec protection     = true
      BMI2 instructions                        = true
      enhanced REP MOVSB/STOSB                 = false
      INVPCID instruction                      = false
      RTM: restricted transactional memory     = false
      RDT-CMT/PQoS cache monitoring            = false
      deprecated FPU CS/DS                     = false
      MPX: intel memory protection extensions  = false
      RDT-CAT/PQE cache allocation             = false
      AVX512F: AVX-512 foundation instructions = false
      AVX512DQ: double & quadword instructions = false
      RDSEED instruction                       = true
      ADX instructions                         = true
      SMAP: supervisor mode access prevention  = true
      AVX512IFMA: fused multiply add           = false
      PCOMMIT instruction                      = false
      CLFLUSHOPT instruction                   = true
      CLWB instruction                         = false
      Intel processor trace                    = false
      AVX512PF: prefetch instructions          = false
      AVX512ER: exponent & reciprocal instrs   = false
      AVX512CD: conflict detection instrs      = false
      SHA instructions                         = true
      AVX512BW: byte & word instructions       = false
      AVX512VL: vector length                  = false
      PREFETCHWT1                              = false
      AVX512VBMI: vector byte manipulation     = false
      UMIP: user-mode instruction prevention   = false
      PKU protection keys for user-mode        = false
      OSPKE CR4.PKE and RDPKRU/WRPKRU          = false
      WAITPKG instructions                     = false
      AVX512_VBMI2: byte VPCOMPRESS, VPEXPAND  = false
      CET_SS: CET shadow stack                 = false
      GFNI: Galois Field New Instructions      = false
      VAES instructions                        = false
      VPCLMULQDQ instruction                   = false
      AVX512_VNNI: neural network instructions = false
      AVX512_BITALG: bit count/shiffle         = false
      TME: Total Memory Encryption             = false
      AVX512: VPOPCNTDQ instruction            = false
      5-level paging                           = false
      BNDLDX/BNDSTX MAWAU value in 64-bit mode = 0x0 (0)
      RDPID: read processor D supported        = false
      CLDEMOTE supports cache line demote      = false
      MOVDIRI instruction                      = false
      MOVDIR64B instruction                    = false
      ENQCMD instruction                       = false
      SGX_LC: SGX launch config supported      = false
      AVX512_4VNNIW: neural network instrs     = false
      AVX512_4FMAPS: multiply acc single prec  = false
      fast short REP MOV                       = false
      AVX512_VP2INTERSECT: intersect mask regs = false
      VERW md-clear microcode support          = false
      hybrid part                              = false
      PCONFIG instruction                      = false
      CET_IBT: CET indirect branch tracking    = false
      IBRS/IBPB: indirect branch restrictions  = false
      STIBP: 1 thr indirect branch predictor   = false
      L1D_FLUSH: IA32_FLUSH_CMD MSR            = false
      IA32_ARCH_CAPABILITIES MSR               = false
      IA32_CORE_CAPABILITIES MSR               = false
      SSBD: speculative store bypass disable   = false
   Direct Cache Access Parameters (9):
      PLATFORM_DCA_CAP MSR bits = 0
   Architecture Performance Monitoring Features (0xa/eax):
      version ID                               = 0x0 (0)
      number of counters per logical processor = 0x0 (0)
      bit width of counter                     = 0x0 (0)
      length of EBX bit vector                 = 0x0 (0)
   Architecture Performance Monitoring Features (0xa/ebx):
      core cycle event not available           = false
      instruction retired event not available  = false
      reference cycles event not available     = false
      last-level cache ref event not available = false
      last-level cache miss event not avail    = false
      branch inst retired event not available  = false
      branch mispred retired event not avail   = false
   Architecture Performance Monitoring Features (0xa/edx):
      number of fixed counters    = 0x0 (0)
      bit width of fixed counters = 0x0 (0)
      anythread deprecation       = false
   XSAVE features (0xd/0):
      XCR0 lower 32 bits valid bit field mask = 0x00000007
      XCR0 upper 32 bits valid bit field mask = 0x00000000
         XCR0 supported: x87 state            = true
         XCR0 supported: SSE state            = true
         XCR0 supported: AVX state            = true
         XCR0 supported: MPX BNDREGS          = false
         XCR0 supported: MPX BNDCSR           = false
         XCR0 supported: AVX-512 opmask       = false
         XCR0 supported: AVX-512 ZMM_Hi256    = false
         XCR0 supported: AVX-512 Hi16_ZMM     = false
         IA32_XSS supported: PT state         = false
         XCR0 supported: PKRU state           = false
         XCR0 supported: CET_U state          = false
         XCR0 supported: CET_S state          = false
         IA32_XSS supported: HDC state        = false
      bytes required by fields in XCR0        = 0x00000340 (832)
      bytes required by XSAVE/XRSTOR area     = 0x00000340 (832)
   XSAVE features (0xd/1):
      XSAVEOPT instruction                        = true
      XSAVEC instruction                          = true
      XGETBV instruction                          = true
      XSAVES/XRSTORS instructions                 = true
      SAVE area size in bytes                     = 0x00000340 (832)
      IA32_XSS lower 32 bits valid bit field mask = 0x00000000
      IA32_XSS upper 32 bits valid bit field mask = 0x00000000
   AVX/YMM features (0xd/2):
      AVX/YMM save state byte size             = 0x00000100 (256)
      AVX/YMM save state byte offset           = 0x00000240 (576)
      supported in IA32_XSS or XCR0            = XCR0 (user state)
      64-byte alignment in compacted XSAVE     = false
   extended processor signature (0x80000001/eax):
      family/generation = 0xf (15)
      model           = 0x1 (1)
      stepping id     = 0x1 (1)
      extended family = 0x8 (8)
      extended model  = 0x0 (0)
      (family synth)  = 0x17 (23)
      (model synth)   = 0x1 (1)
      (simple synth)  = AMD (unknown type) (Summit Ridge/Naples ZP-B1) [Zen], 14nm
   extended feature flags (0x80000001/edx):
      x87 FPU on chip                       = true
      virtual-8086 mode enhancement         = true
      debugging extensions                  = true
      page size extensions                  = true
      time stamp counter                    = true
      RDMSR and WRMSR support               = true
      physical address extensions           = true
      machine check exception               = true
      CMPXCHG8B inst.                       = true
      APIC on chip                          = true
      SYSCALL and SYSRET instructions       = true
      memory type range registers           = true
      global paging extension               = true
      machine check architecture            = true
      conditional move/compare instruction  = true
      page attribute table                  = true
      page size extension                   = true
      multiprocessing capable               = false
      no-execute page protection            = true
      AMD multimedia instruction extensions = true
      MMX Technology                        = true
      FXSAVE/FXRSTOR                        = true
      SSE extensions                        = true
      1-GB large page support               = true
      RDTSCP                                = true
      long mode (AA-64)                     = true
      3DNow! instruction extensions         = false
      3DNow! instructions                   = false
   extended brand id (0x80000001/ebx):
      raw     = 0x20000000 (536870912)
      BrandId = 0x0 (0)
      PkgType = AM4 (2)
   AMD feature flags (0x80000001/ecx):
      LAHF/SAHF supported in 64-bit mode     = true
      CMP Legacy                             = true
      SVM: secure virtual machine            = true
      extended APIC space                    = true
      AltMovCr8                              = true
      LZCNT advanced bit manipulation        = true
      SSE4A support                          = true
      misaligned SSE mode                    = true
      3DNow! PREFETCH/PREFETCHW instructions = true
      OS visible workaround                  = true
      instruction based sampling             = false
      XOP support                            = false
      SKINIT/STGI support                    = true
      watchdog timer support                 = true
      lightweight profiling support          = false
      4-operand FMA instruction              = false
      TCE: translation cache extension       = true
      NodeId MSR C001100C                    = false
      TBM support                            = false
      topology extensions                    = true
      core performance counter extensions    = true
      NB/DF performance counter extensions   = true
      data breakpoint extension              = true
      performance time-stamp counter support = false
      LLC performance counter extensions     = true
      MWAITX/MONITORX supported              = true
      Address mask extension support         = false
   brand = "AMD Ryzen 5 1600X Six-Core Processor           "
   L1 TLB/cache information: 2M/4M pages & L1 TLB (0x80000005/eax):
      instruction # entries     = 0x40 (64)
      instruction associativity = 0xff (255)
      data # entries            = 0x40 (64)
      data associativity        = 0xff (255)
   L1 TLB/cache information: 4K pages & L1 TLB (0x80000005/ebx):
      instruction # entries     = 0x40 (64)
      instruction associativity = 0xff (255)
      data # entries            = 0x40 (64)
      data associativity        = 0xff (255)
   L1 data cache information (0x80000005/ecx):
      line size (bytes) = 0x40 (64)
      lines per tag     = 0x1 (1)
      associativity     = 0x8 (8)
      size (KB)         = 0x20 (32)
   L1 instruction cache information (0x80000005/edx):
      line size (bytes) = 0x40 (64)
      lines per tag     = 0x1 (1)
      associativity     = 0x4 (4)
      size (KB)         = 0x40 (64)
   L2 TLB/cache information: 2M/4M pages & L2 TLB (0x80000006/eax):
      instruction # entries     = 0x400 (1024)
      instruction associativity = 8-way (6)
      data # entries            = 0x600 (1536)
      data associativity        = 2-way (2)
   L2 TLB/cache information: 4K pages & L2 TLB (0x80000006/ebx):
      instruction # entries     = 0x400 (1024)
      instruction associativity = 8-way (6)
      data # entries            = 0x600 (1536)
      data associativity        = 8-way (6)
   L2 unified cache information (0x80000006/ecx):
      line size (bytes) = 0x40 (64)
      lines per tag     = 0x1 (1)
      associativity     = 8-way (6)
      size (KB)         = 0x200 (512)
   L3 cache information (0x80000006/edx):
      line size (bytes)     = 0x40 (64)
      lines per tag         = 0x1 (1)
      associativity         = 16-way (8)
      size (in 512KB units) = 0x20 (32)
   RAS Capability (0x80000007/ebx):
      MCA overflow recovery support = true
      SUCCOR support                = true
      HWA: hardware assert support  = false
      scalable MCA support          = true
   Advanced Power Management Features (0x80000007/ecx):
      CmpUnitPwrSampleTimeRatio = 0x0 (0)
   Advanced Power Management Features (0x80000007/edx):
      TS: temperature sensing diode           = true
      FID: frequency ID control               = false
      VID: voltage ID control                 = false
      TTP: thermal trip                       = true
      TM: thermal monitor                     = true
      STC: software thermal control           = false
      100 MHz multiplier control              = false
      hardware P-State control                = true
      TscInvariant                            = true
      CPB: core performance boost             = false
      read-only effective frequency interface = true
      processor feedback interface            = false
      APM power reporting                     = false
      connected standby                       = true
      RAPL: running average power limit       = true
   Physical Address and Linear Address Size (0x80000008/eax):
      maximum physical address bits         = 0x30 (48)
      maximum linear (virtual) address bits = 0x30 (48)
      maximum guest physical address bits   = 0x0 (0)
   Extended Feature Extensions ID (0x80000008/ebx):
      CLZERO instruction                       = true
      instructions retired count support       = true
      always save/restore error pointers       = true
      RDPRU instruction                        = false
      memory bandwidth enforcement             = false
      WBNOINVD instruction                     = false
      IBPB: indirect branch prediction barrier = true
      IBRS: indirect branch restr speculation  = false
      STIBP: 1 thr indirect branch predictor   = false
      STIBP always on preferred mode           = false
      ppin processor id number supported       = false
      SSBD: speculative store bypass disable   = false
      virtualized SSBD                         = false
      SSBD fixed in hardware                   = false
   Size Identifiers (0x80000008/ecx):
      number of threads                   = 0x6 (6)
      ApicIdCoreIdSize                    = 0x4 (4)
      performance time-stamp counter size = 0x0 (0)
   Feature Extended Size (0x80000008/edx):
      RDPRU instruction max input support = 0x0 (0)
   SVM Secure Virtual Machine (0x8000000a/eax):
      SvmRev: SVM revision = 0x1 (1)
   SVM Secure Virtual Machine (0x8000000a/edx):
      nested paging                           = true
      LBR virtualization                      = true
      SVM lock                                = true
      NRIP save                               = true
      MSR based TSC rate control              = true
      VMCB clean bits support                 = true
      flush by ASID                           = true
      decode assists                          = true
      SSSE3/SSE5 opcode set disable           = false
      pause intercept filter                  = true
      pause filter threshold                  = true
      AVIC: AMD virtual interrupt controller  = true
      virtualized VMLOAD/VMSAVE               = true
      virtualized global interrupt flag (GIF) = true
      GMET: guest mode execute trap           = false
      guest Spec_ctl support                  = false
   NASID: number of address space identifiers = 0x8000 (32768):
   L1 TLB information: 1G pages (0x80000019/eax):
      instruction # entries     = 0x40 (64)
      instruction associativity = full (15)
      data # entries            = 0x40 (64)
      data associativity        = full (15)
   L2 TLB information: 1G pages (0x80000019/ebx):
      instruction # entries     = 0x0 (0)
      instruction associativity = L2 off (0)
      data # entries            = 0x0 (0)
      data associativity        = L2 off (0)
   SVM Secure Virtual Machine (0x8000001a/eax):
      128-bit SSE executed full-width = true
      MOVU* better than MOVL*/MOVH*   = true
      256-bit SSE executed full-width = false
   Instruction Based Sampling Identifiers (0x8000001b/eax):
      IBS feature flags valid                  = true
      IBS fetch sampling                       = true
      IBS execution sampling                   = true
      read write of op counter                 = true
      op counting mode                         = true
      branch target address reporting          = true
      IbsOpCurCnt and IbsOpMaxCnt extend 7     = true
      invalid RIP indication support           = true
      fused branch micro-op indication support = true
      IBS fetch control extended MSR support   = true
      IBS op data 4 MSR support                = false
   Lightweight Profiling Capabilities: Availability (0x8000001c/eax):
      lightweight profiling                  = false
      LWPVAL instruction                     = false
      instruction retired event              = false
      branch retired event                   = false
      DC miss event                          = false
      core clocks not halted event           = false
      core reference clocks not halted event = false
      interrupt on threshold overflow        = false
   Lightweight Profiling Capabilities: Supported (0x8000001c/edx):
      lightweight profiling                  = false
      LWPVAL instruction                     = false
      instruction retired event              = false
      branch retired event                   = false
      DC miss event                          = false
      core clocks not halted event           = false
      core reference clocks not halted event = false
      interrupt on threshold overflow        = false
   Lightweight Profiling Capabilities (0x8000001c/ebx):
      LWPCB byte size             = 0x0 (0)
      event record byte size      = 0x0 (0)
      maximum EventId             = 0x0 (0)
      EventInterval1 field offset = 0x0 (0)
   Lightweight Profiling Capabilities (0x8000001c/ecx):
      latency counter bit size          = 0x0 (0)
      data cache miss address valid     = false
      amount cache latency is rounded   = 0x0 (0)
      LWP implementation version        = 0x0 (0)
      event ring buffer size in records = 0x0 (0)
      branch prediction filtering       = false
      IP filtering                      = false
      cache level filtering             = false
      cache latency filteing            = false
   Cache Properties (0x8000001d):
      --- cache 0 ---
      type                            = data (1)
      level                           = 0x1 (1)
      self-initializing               = true
      fully associative               = false
      extra cores sharing this cache  = 0x0 (0)
      line size in bytes              = 0x40 (64)
      physical line partitions        = 0x1 (1)
      number of ways                  = 0x8 (8)
      number of sets                  = 64
      write-back invalidate           = false
      cache inclusive of lower levels = false
      (synth size)                    = 32768 (32 KB)
      --- cache 1 ---
      type                            = instruction (2)
      level                           = 0x1 (1)
      self-initializing               = true
      fully associative               = false
      extra cores sharing this cache  = 0x0 (0)
      line size in bytes              = 0x40 (64)
      physical line partitions        = 0x1 (1)
      number of ways                  = 0x4 (4)
      number of sets                  = 256
      write-back invalidate           = false
      cache inclusive of lower levels = false
      (synth size)                    = 65536 (64 KB)
      --- cache 2 ---
      type                            = unified (3)
      level                           = 0x2 (2)
      self-initializing               = true
      fully associative               = false
      extra cores sharing this cache  = 0x0 (0)
      line size in bytes              = 0x40 (64)
      physical line partitions        = 0x1 (1)
      number of ways                  = 0x8 (8)
      number of sets                  = 1024
      write-back invalidate           = false
      cache inclusive of lower levels = true
      (synth size)                    = 524288 (512 KB)
      --- cache 3 ---
      type                            = unified (3)
      level                           = 0x3 (3)
      self-initializing               = true
      fully associative               = false
      extra cores sharing this cache  = 0x2 (2)
      line size in bytes              = 0x40 (64)
      physical line partitions        = 0x1 (1)
      number of ways                  = 0x10 (16)
      number of sets                  = 8192
      write-back invalidate           = true
      cache inclusive of lower levels = false
      (synth size)                    = 8388608 (8 MB)
   extended APIC ID = 9
   Core Identifiers (0x8000001e/ebx):
      core ID          = 0x9 (9)
      threads per core = 0x1 (1)
   Node Identifiers (0x8000001e/ecx):
      node ID             = 0x0 (0)
      nodes per processor = 0x1 (1)
   AMD Secure Encryption (0x8000001f):
      SME: secure memory encryption support    = true
      SEV: secure encrypted virtualize support = true
      VM page flush MSR support                = true
      SEV-ES: SEV encrypted state support      = false
      encryption bit position in PTE           = 0x2f (47)
      physical address space width reduction   = 0x5 (5)
      number of SEV-enabled guests supported   = 0xf (15)
      minimum SEV guest ASID                   = 0x0 (0)
   (instruction supported synth):
      CMPXCHG8B                = true
      conditional move/compare = true
      PREFETCH/PREFETCHW       = true
   (multi-processing synth) = multi-core (c=6)
   (multi-processing method) = AMD
   (APIC widths synth): CORE_width=3 SMT_width=0
   (APIC synth): PKG_ID=1 CORE_ID=1 SMT_ID=0
   (uarch synth) = AMD Zen, 14nm
   (synth) = AMD Ryzen (Summit Ridge ZP-B1) [Zen], 14nm
Comment 1 thomas.lendacky 2020-03-10 19:32:07 UTC 
Looks like the backport to the stable tree wasn't correct and I didn't notice it when it came through my inbox. The change from the upstream form:
  kvm_mmu_set_mmio_spte_mask(mask, mask, PT_WRITABLE_MASK | PT_USER_MASK);

to the 4.19 (and 4.14) tree should be:
  kvm_mmu_set_mmio_spte_mask(mask, mask);

Instead it was:
  kvm_mmu_set_mmio_spte_mask(mask, PT_WRITABLE_MASK | PT_USER_MASK);

which triggers the BUG_ON().
Comment 2 Sami Farin 2020-03-10 20:38:54 UTC 
Thanks! Is it too late to get it for 4.19.109?
Comment 3 thomas.lendacky 2020-03-11 14:50:46 UTC 
Not sure. The stable maintainer is aware of the issue and working on it, so stay tuned.
Comment 4 Sami Farin 2020-03-11 15:14:24 UTC 
4.19.109 was already released and I rebooted it with your fix in comment #1 , qemu works OK.

[   32.839932] kvm: Nested Virtualization enabled
[   32.839939] kvm: Nested Paging enabled
[   32.839940] SVM: Virtual VMLOAD VMSAVE supported
[   32.839940] SVM: Virtual GIF supported
Comment 5 David 2020-03-16 22:13:03 UTC 
*** Bug 206825 has been marked as a duplicate of this bug. ***