commit 81106b7e0b13 can break asm_int80_emulation on x86_64
From: Bert Karwatzki
Date: Wed Aug 07 2024 - 21:58:55 EST
Since linux-next-20240730 and in versions next-202408{05,06} the error below
can appear when trying to start a game using wine. The error does not always
appear, but after some failed attempts at bisecting this I found a way to
reliably trigger it by first creating high system load (by compiling a kernel
with make -j 16) and then trying to start the game until the error occurs. If the
error did not occur during the time it takes to compile the kernel (about 6.5 min),
I declared the commit as good. Usually the bad commit did not take more than
three attempts at starting wine to trigger the error.
With this I bisected the problem to commit 81106b7e0b13.
To revert this commit in next-20240806 the following commits have to be reverted:
(HEAD -> wine_usercopy_bug) Revert "x86/fpu: Make task_struct::thread constant size"
Revert "x86/fpu: Remove the thread::fpu pointer"
Revert "x86/fpu: Remove init_task FPU state dependencies, add debugging warning for PF_KTHREAD tasks"
Revert "x86/CPU/AMD: Always inline amd_clear_divider()"
After reverting these commits, next-20240806 seems to be free of the error.
The machine used is a Ryzen 5800H (MSI Alpha 15 laptop) running a fully updated
(as of 20240807) Debian sid.
Bert Karwatzki
Error message:
[T34926] usercopy: Kernel memory overwrite attempt detected to SLUB object 'task_struct' (offset 3072, size 160)!
[T34926] ------------[ cut here ]------------
[T34926] kernel BUG at mm/usercopy.c:102!
[T34926] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[T34926] CPU: 12 UID: 1000 PID: 34926 Comm: start.exe Not tainted 6.11.0-rc2-next-20240806-master-dirty #178
[T34926] Hardware name: Micro-Star International Co., Ltd. Alpha 15 B5EEK/MS-158L, BIOS E158LAMS.107 11/10/2021
[T34926] RIP: 0010:usercopy_abort+0x73/0x75
[T34926] Code: e0 f2 06 86 eb 0e 48 c7 c2 81 6b 08 86 48 c7 c7 e9 f2 06 86 56 48 89 fe 48 c7 c7 d8 47 0c 86 51 48 89 c1 41 52 e8 6d 70 ff ff <0f> 0b 48 89 d9 49 89 e8 44 89 e2 31 f6 48 81 e9 00 00 20 85 48 c7
[T34926] RSP: 0000:ffffa58a47e73cd0 EFLAGS: 00010246
[T34926] RAX: 0000000000000068 RBX: ffff8e1eec1a4a00 RCX: 0000000000000000
[T34926] RDX: 0000000000000000 RSI: ffff8e2cae9177c0 RDI: ffff8e2cae9177c0
[T34926] RBP: 00000000000000a0 R08: 0000000000000000 R09: ffffa58a47e73b78
[T34926] R10: ffffffff8627fe88 R11: 0000000000000003 R12: 0000000000000000
[T34926] R13: ffff8e1eec1a4aa0 R14: ffff8e1eec1a4a00 R15: 0000000000000001
[T34926] FS: 000000003ffe2000(006b) GS:ffff8e2cae900000(0063) knlGS:00000000f7ed20c0
[T34926] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[T34926] CR2: 000000003ffed324 CR3: 00000002a58da000 CR4: 0000000000750ef0
[T34926] PKRU: 55555554
[T34926] Call Trace:
[T34926] <TASK>
[T34926] ? __die+0x51/0x92
[T34926] ? die+0x29/0x50
[T34926] ? do_trap+0x105/0x110
[T34926] ? do_error_trap+0x60/0x80
[T34926] ? usercopy_abort+0x73/0x75
[T34926] ? exc_invalid_op+0x4d/0x70
[T34926] ? usercopy_abort+0x73/0x75
[T34926] ? asm_exc_invalid_op+0x1a/0x20
[T34926] ? usercopy_abort+0x73/0x75
[T34926] ? __check_heap_object+0x7d/0xa0
[T34926] ? __check_object_size+0x1f9/0x210
[T34926] ? copy_from_buffer+0x40/0x60
[T34926] ? copy_uabi_to_xstate+0xe1/0x1e0
[T34926] ? __fpu_restore_sig+0x403/0x480
[T34926] ? fpu__restore_sig+0x4c/0x90
[T34926] ? ia32_restore_sigcontext+0x129/0x170
[T34926] ? __do_compat_sys_rt_sigreturn+0x68/0xc0
[T34926] ? do_int80_emulation+0x88/0x140
[T34926] ? asm_int80_emulation+0x1a/0x20
[T34926] </TASK>
[T34926] Modules linked in: ccm snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device rfcomm bnep nls_ascii nls_cp437 vfat fat snd_ctl_led snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi btusb btrtl btintel snd_hda_intel btbcm btmtk snd_intel_dspcfg snd_acp3x_pdm_dma snd_soc_dmic snd_acp3x_rn uvcvideo bluetooth snd_hda_codec videobuf2_vmalloc snd_soc_core uvc snd_hwdep videobuf2_memops videobuf2_v4l2 snd_hda_core snd_pcm_oss videodev snd_mixer_oss snd_pcm snd_rn_pci_acp3x videobuf2_common snd_acp_config msi_wmi snd_soc_acpi ecdh_generic amd_atl ecc mc sparse_keymap edac_mce_amd wmi_bmof snd_timer snd ccp snd_pci_acp3x k10temp soundcore battery ac joydev button hid_sensor_accel_3d hid_sensor_prox hid_sensor_als hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf industrialio amd_pmc hid_sensor_iio_common evdev hid_multitouch serio_raw mt7921e mt7921_common mt792x_lib mt76_connac_lib mt76
[T34926] mac80211 libarc4 cfg80211 rfkill msr fuse nvme_fabrics efi_pstore configfs efivarfs autofs4 ext4 crc32c_generic mbcache jbd2 usbhid amdgpu i2c_algo_bit drm_ttm_helper xhci_pci ttm drm_exec drm_suballoc_helper xhci_hcd amdxcp drm_buddy hid_sensor_hub usbcore mfd_core nvme gpu_sched i2c_piix4 hid_generic crc32c_intel psmouse drm_display_helper amd_sfh usb_common i2c_smbus nvme_core crc16 r8169 i2c_hid_acpi i2c_hid hid i2c_designware_platform i2c_designware_core
[T34926] ---[ end trace 0000000000000000 ]---
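The oops above is CONFIG_HARDENED_USERCOPY doing its job: copy_from_buffer() in the compat rt_sigreturn FPU-restore path tried to copy user data into a 160-byte range at offset 3072 of a task_struct slab object, and the usercopy whitelist check refused it. Such reports are worth triaging systematically, since the same message with "exposure ... from" instead of "overwrite ... to" would mean a copy_to_user() leaking kernel memory. The following Python is an added illustration, not part of this report or of any kernel tooling: it parses a dmesg excerpt like the one above (the sample input is the report's own oops text, trimmed to the lines the parser uses) and extracts the object, byte range, process, kernel version and the call path. It assumes the message wording printed by usercopy_abort() in mm/usercopy.c and the standard "? sym+0xoff/0xlen" call-trace format; the list of checker/BUG() frames it skips to find the copy site is a heuristic chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the report's own oops text, trimmed to the lines this parser
# uses (printk prefixes kept so the prefix stripping is exercised).
SAMPLE_OOPS = """\
[T34926] usercopy: Kernel memory overwrite attempt detected to SLUB object 'task_struct' (offset 3072, size 160)!
[T34926] kernel BUG at mm/usercopy.c:102!
[T34926] CPU: 12 UID: 1000 PID: 34926 Comm: start.exe Not tainted 6.11.0-rc2-next-20240806-master-dirty #178
[T34926] Call Trace:
[T34926] <TASK>
[T34926] ? __die+0x51/0x92
[T34926] ? die+0x29/0x50
[T34926] ? do_trap+0x105/0x110
[T34926] ? do_error_trap+0x60/0x80
[T34926] ? usercopy_abort+0x73/0x75
[T34926] ? exc_invalid_op+0x4d/0x70
[T34926] ? usercopy_abort+0x73/0x75
[T34926] ? asm_exc_invalid_op+0x1a/0x20
[T34926] ? usercopy_abort+0x73/0x75
[T34926] ? __check_heap_object+0x7d/0xa0
[T34926] ? __check_object_size+0x1f9/0x210
[T34926] ? copy_from_buffer+0x40/0x60
[T34926] ? copy_uabi_to_xstate+0xe1/0x1e0
[T34926] ? __fpu_restore_sig+0x403/0x480
[T34926] ? fpu__restore_sig+0x4c/0x90
[T34926] ? ia32_restore_sigcontext+0x129/0x170
[T34926] ? __do_compat_sys_rt_sigreturn+0x68/0xc0
[T34926] ? do_int80_emulation+0x88/0x140
[T34926] ? asm_int80_emulation+0x1a/0x20
[T34926] </TASK>
[T34926] ---[ end trace 0000000000000000 ]---
"""

# printk prefixes such as "[T34926]" or "[  12.345678]" precede every line.
PREFIX_RE = re.compile(r"^(?:\[[^\]]*\]\s*)+")
# Message printed by usercopy_abort(): "exposure ... from" is a copy_to_user()
# leaking kernel memory, "overwrite ... to" is a copy_from_user() writing into
# a part of a kernel object that the slab cache did not whitelist.
USERCOPY_RE = re.compile(
    r"usercopy: Kernel memory (?P<kind>exposure|overwrite) attempt detected "
    r"(?:from|to) (?P<region>.+?) '(?P<object>[^']+)' "
    r"\(offset (?P<offset>\d+), size (?P<size>\d+)\)!"
)
TASK_RE = re.compile(
    r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+) (?:Not tainted|Tainted: .*?)\s+(?P<version>\d\S*)"
)
FRAME_RE = re.compile(r"^\??\s*(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Heuristic (chosen here): frames that belong to the checker and to the BUG()
# machinery rather than to the code that asked for the copy.
CHECK_MACHINERY = {
    "usercopy_abort", "__check_heap_object", "__check_object_size",
    "__die", "die", "do_trap", "do_error_trap", "exc_invalid_op",
    "asm_exc_invalid_op",
}


@dataclass
class UsercopyReport:
    kind: str       # "overwrite" (copy into the kernel) or "exposure" (copy out)
    region: str     # e.g. "SLUB object"
    obj: str        # slab cache name, e.g. "task_struct"
    offset: int     # first byte of the copy within the object
    size: int       # length of the copy in bytes
    pid: Optional[int] = None
    comm: Optional[str] = None
    version: Optional[str] = None
    frames: List[str] = field(default_factory=list)  # innermost first

    @property
    def end(self) -> int:
        """One past the last byte the copy would have touched."""
        return self.offset + self.size

    def copy_site(self) -> Optional[str]:
        """Innermost frame outside the checker machinery: who did the copy."""
        return next((s for s in self.frames if s not in CHECK_MACHINERY), None)

    def entry(self) -> Optional[str]:
        """Outermost frame: how the kernel was entered (syscall, trap, ...)."""
        return self.frames[-1] if self.frames else None


def parse_usercopy_oops(text: str) -> Optional[UsercopyReport]:
    """Return the first hardened-usercopy report found in dmesg text, or None."""
    report = None
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if report is None:
            m = USERCOPY_RE.search(line)
            if m:
                report = UsercopyReport(m["kind"], m["region"], m["object"],
                                        int(m["offset"]), int(m["size"]))
            continue
        m = TASK_RE.search(line)
        if m:
            report.pid, report.comm = int(m["pid"]), m["comm"]
            report.version = m["version"]
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif in_trace:
            m = FRAME_RE.match(line)
            if m:
                report.frames.append(m["sym"])
    return report


if __name__ == "__main__":
    r = parse_usercopy_oops(SAMPLE_OOPS)
    print(f"{r.kind} of {r.region} '{r.obj}' bytes [{r.offset}, {r.end}) "
          f"by {r.comm} (pid {r.pid}) on {r.version}")
    print(f"copy site: {r.copy_site()}, entered via {r.entry()}")
```

Run on the sample it reports an "overwrite" of task_struct bytes [3072, 3232) by start.exe, with copy_from_buffer() as the copy site and asm_int80_emulation as the entry point, which is exactly the int80 -> compat rt_sigreturn -> FPU restore path visible in the trace above.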