216102 – kernel BUG at arch/x86/kernel/traps.c:252 caused by CFI (Intel CET) and KVM

Bug 216102 - kernel BUG at arch/x86/kernel/traps.c:252 caused by CFI (Intel CET) and KVM

Summary: kernel BUG at arch/x86/kernel/traps.c:252 caused by CFI (Intel CET) and KVM

Status:	NEW

Alias:	None

Product:	Platform Specific/Hardware
Classification:	Unclassified
Component:	x86-64 (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	platform_x86_64@kernel-bugs.osdl.org

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-06-09 12:18 UTC by Laurent Bonnaud
Modified:	2023-01-31 03:22 UTC (History)
CC List:	8 users (show)

See Also:
Kernel Version:	5.18.3
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Full dmesg output (110.15 KB, text/plain) 2022-06-09 12:21 UTC, Laurent Bonnaud	Details
dmesg output (90.31 KB, text/plain) 2022-07-05 11:01 UTC, Victor	Details
Add an attachment (proposed patch, testcase, etc.)

Description Laurent Bonnaud 2022-06-09 12:18:58 UTC

Hi,

I am running Qemu on an Ubuntu 22.04 system and kernel 5.18.3.

The CPU is an 11th Gen Intel(R) Core(TM) i7-1165G7 and therefore has CFI (Intel CET) and support for this has been enabled in 5.18.x kernels.

The error I am seeing is:

[  206.052479] traps: Missing ENDBR: cmpl_eax_edx+0x0/0x10 [kvm]
[  206.052516] ------------[ cut here ]------------
[  206.052517] kernel BUG at arch/x86/kernel/traps.c:252!
[  206.052521] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[  206.052523] CPU: 1 PID: 7725 Comm: qemu-system-x86 Tainted: G           OE     5.18.3-051803-generic #202206090934
[  206.052525] Hardware name: TUXEDO TUXEDO InfinityBook S 15 Gen6/NS50_70MU, BIOS 1.07.15RTR2 04/11/2022
[  206.052525] RIP: 0010:exc_control_protection+0xd7/0xe0
[  206.052529] Code: 94 24 80 00 00 00 be f9 00 00 00 48 c7 c7 60 a5 9b a7 e8 3c 57 2e ff e9 70 ff ff ff 48 c7 c7 a2 a5 9b a7 e8 51 b2 f5 ff 0f 0b <0f> 0b 0f 1f 80 00 00 00 00 66 0f 1f 00 55 48 89 e5 41 55 41 54 49
[  206.052530] RSP: 0018:ffffbe13c4157b70 EFLAGS: 00010002
[  206.052532] RAX: 0000000000000031 RBX: 0000000000000001 RCX: 0000000000000000
[  206.052533] RDX: 0000000000000000 RSI: ffff9cf6514a15a0 RDI: ffff9cf6514a15a0
[  206.052534] RBP: ffffbe13c4157b88 R08: 0000000000000031 R09: 694d203a73706172
[  206.052535] R10: 4520676e69737369 R11: 4d203a7370617274 R12: ffffbe13c4157b98
[  206.052536] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  206.052537] FS:  00007f1336f3a640(0000) GS:ffff9cf651480000(0000) knlGS:0000000000000000
[  206.052538] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  206.052539] CR2: 0000000000000000 CR3: 000000030f0f8006 CR4: 0000000000f72ee0
[  206.052540] PKRU: 55555554
[  206.052541] Call Trace:
[  206.052542]  <TASK>
[  206.052543]  asm_exc_control_protection+0x22/0x30
[  206.052545] RIP: 0010:cmpl_eax_edx+0x0/0x10 [kvm]
[  206.052566] Code: d0 c3 cc 0f 1f 80 00 00 00 00 f3 0f 1e fa 38 d0 c3 cc 0f 1f 84 00 00 00 00 00 66 0f 1f 00 66 39 d0 c3 cc 0f 1f 80 00 00 00 00 <66> 0f 1f 00 39 d0 c3 cc 0f 1f 84 00 00 00 00 00 66 0f 1f 00 48 39
[  206.052567] RSP: 0018:ffffbe13c4157c48 EFLAGS: 00010287
[  206.052568] RAX: 00000000ffffffff RBX: 0000000000000001 RCX: 0000000000000000
[  206.052569] RDX: 0000000054464269 RSI: ffffffffc0d75c10 RDI: 0000000000000285
[  206.052570] RBP: ffffbe13c4157c50 R08: ffff9cf06db00000 R09: 0000000000000002
[  206.052571] R10: ffff9cf06db00000 R11: 0000000000000000 R12: ffff9cf06db00000
[  206.052572] R13: ffffffffc0dbd020 R14: 0000000000000001 R15: 0000000000000000
[  206.052573]  ? cmpw_ax_dx+0x10/0x10 [kvm]
[  206.052594]  ? fastop+0x5d/0xa0 [kvm]
[  206.052614]  x86_emulate_insn+0x7b6/0xe90 [kvm]
[  206.052633]  x86_emulate_instruction+0x4ce/0x830 [kvm]
[  206.052653]  ? kvm_arch_vcpu_load+0x80/0x230 [kvm]
[  206.052672]  complete_emulated_mmio+0x295/0x2f0 [kvm]
[  206.052690]  kvm_arch_vcpu_ioctl_run+0x2d7/0x5b0 [kvm]
[  206.052708]  kvm_vcpu_ioctl+0x29c/0x6f0 [kvm]
[  206.052722]  ? __seccomp_filter+0x4a/0x4b0
[  206.052726]  ? __fget_light+0xa7/0x130
[  206.052728]  __x64_sys_ioctl+0x93/0xd0
[  206.052730]  do_syscall_64+0x5d/0x90
[  206.052733]  ? kvm_on_user_return+0x88/0xe0 [kvm]
[  206.052751]  ? fire_user_return_notifiers+0x46/0x70
[  206.052753]  ? exit_to_user_mode_prepare+0x37/0xb0
[  206.052756]  ? syscall_exit_to_user_mode+0x2a/0x50
[  206.052758]  ? do_syscall_64+0x6d/0x90
[  206.052759]  ? do_syscall_64+0x6d/0x90
[  206.052760]  ? do_syscall_64+0x6d/0x90
[  206.052761]  ? do_syscall_64+0x6d/0x90
[  206.052762]  ? asm_sysvec_reschedule_ipi+0xe/0x20
[  206.052763]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  206.052765] RIP: 0033:0x7f1340f1aaff
[  206.052766] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
[  206.052767] RSP: 002b:00007f1336f39460 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  206.052768] RAX: ffffffffffffffda RBX: 000000000000ae80 RCX: 00007f1340f1aaff
[  206.052769] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000010
[  206.052770] RBP: 000055a0f6217d40 R08: 000055a0f3df40f0 R09: 00000000000000ff
[  206.052771] R10: 000055a0f68ffdc0 R11: 0000000000000246 R12: 0000000000000000
[  206.052772] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
[  206.052773]  </TASK>
[  206.052774] Modules linked in: rfcomm nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter nvme_fabrics xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 bridge stp llc cmac algif_hash algif_skcipher af_alg bnep overlay snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel pmt_telemetry pmt_class soundwire_generic_allocation intel_rapl_msr soundwire_cadence snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda snd_hda_codec_hdmi snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi soundwire_bus snd_soc_core snd_hda_codec_realtek snd_compress snd_hda_codec_generic ac97_bus ledtrig_audio snd_pcm_dmaengine snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp snd_seq_midi_event coretemp intel_cstate iwlmvm binfmt_misc
[  206.052800]  input_leds mac80211 joydev snd_rawmidi libarc4 serio_raw cmdlinepart btusb snd_seq spi_nor iwlwifi wmi_bmof btrtl btbcm uvcvideo videobuf2_vmalloc efi_pstore nls_iso8859_1 mtd ee1004 btintel btmtk videobuf2_memops iwlmei snd_seq_device snd_timer videobuf2_v4l2 snd cfg80211 bluetooth videobuf2_common soundcore ecdh_generic mei hid_multitouch videodev ecc mc processor_thermal_device_pci_legacy processor_thermal_device processor_thermal_rfim intel_vsec ucsi_acpi processor_thermal_mbox processor_thermal_rapl typec_ucsi intel_rapl_common intel_soc_dts_iosf typec igen6_edac int3403_thermal int340x_thermal_zone mac_hid clevo_acpi(OE) tuxedo_io(OE) int3400_thermal intel_hid tuxedo_keyboard(OE) acpi_pad acpi_thermal_rel sparse_keymap sch_fq_codel kvm_intel kvm nf_tables ipmi_devintf ipmi_msghandler nfnetlink msr drivetemp ip_tables x_tables autofs4 btrfs blake2b_generic xor raid6_pq zstd_compress libcrc32c i915 drm_buddy i2c_algo_bit ttm drm_dp_helper cec rc_core drm_kms_helper
[  206.052833]  syscopyarea sysfillrect usbhid crct10dif_pclmul hid_generic rtsx_pci_sdmmc crc32_pclmul sysimgblt fb_sys_fops nvme i2c_i801 spi_intel_pci ghash_clmulni_intel aesni_intel psmouse drm i2c_smbus spi_intel rtsx_pci crypto_simd cryptd r8169 thunderbolt nvme_core realtek intel_lpss_pci intel_lpss xhci_pci idma64 xhci_pci_renesas wmi i2c_hid_acpi i2c_hid hid video pinctrl_tigerlake
[  206.052847] ---[ end trace 0000000000000000 ]---
[  206.249710] RIP: 0010:exc_control_protection+0xd7/0xe0
[  206.249713] Code: 94 24 80 00 00 00 be f9 00 00 00 48 c7 c7 60 a5 9b a7 e8 3c 57 2e ff e9 70 ff ff ff 48 c7 c7 a2 a5 9b a7 e8 51 b2 f5 ff 0f 0b <0f> 0b 0f 1f 80 00 00 00 00 66 0f 1f 00 55 48 89 e5 41 55 41 54 49
[  206.249714] RSP: 0018:ffffbe13c4157b70 EFLAGS: 00010002
[  206.249715] RAX: 0000000000000031 RBX: 0000000000000001 RCX: 0000000000000000
[  206.249716] RDX: 0000000000000000 RSI: ffff9cf6514a15a0 RDI: ffff9cf6514a15a0
[  206.249717] RBP: ffffbe13c4157b88 R08: 0000000000000031 R09: 694d203a73706172
[  206.249718] R10: 4520676e69737369 R11: 4d203a7370617274 R12: ffffbe13c4157b98
[  206.249718] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  206.249719] FS:  00007f1336f3a640(0000) GS:ffff9cf651480000(0000) knlGS:0000000000000000
[  206.249720] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  206.249721] CR2: 0000000000000000 CR3: 000000030f0f8006 CR4: 0000000000f72ee0
[  206.249722] PKRU: 55555554

Comment 1 Laurent Bonnaud 2022-06-09 12:21:10 UTC

Created attachment 301135 [details]
Full dmesg output

Comment 2 Victor 2022-07-05 11:01:55 UTC

Created attachment 301336 [details]
dmesg output

Same issue by me. Can't start the virtual machine since updating to 5.18.x. Linux Mint 20.3, 12th Gen Intel(R) Core(TM) i9-12900K. I have also attached a full dmesg output.

Comment 3 Johannes Penßel 2022-07-29 17:39:40 UTC

This affects me as well on Gentoo with 5.19-rc8 / Core i5-1135G7. GNOME Boxes (both native and Flatpak version) freezes the entire system as soon as I boot up Windows 10/11 in a VM. The Gentoo installation medium seems to work fine though. Adding 'ibt=off' to the kernel commandline circumvents this issue.

Comment 4 basjetimmer 2023-01-07 13:19:42 UTC

I'm still seeing this with on an Intel 13600K running 6.1.3. Seeing as it affect more and more cpu's and 'ibt' is about to be enabled by default for 6.2, I expect more and more people to run into this.

A related Arch-bug links to the following commit as the problem: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6649fa876da4c505548b8e8945a6fc48e62e427c

Note You need to log in before you can comment on or make changes to this bug.