Bug#1103397: linux-image-amd64: Kernel Panic: copy_fpstate_to_sigfrane crashes.

[Ben Hutchings]

Control: tag -1 moreinfo

On Thu, 17 Apr 2025 11:57:47 +0800 root <larry...@yeah.net> wrote:
> Package: linux-image-amd64
> Version: 6.12.22-1
> Severity: important
> 
> Dear Maintainer,
> 
> After linux-image-6.11.9-amd64, my laptop has never booted from linux-image-
> amd64 any more. It shows "Kernel panic" after Grub. I took a screenshot for
> that. I do hope you maintainers can SAVE my laptop.
> 
> The Kernel panic print as follow:
> --------------------------------------------------------------------------------
> 0.93186510ops: general protection fault, naybe for address 0x0: 0000 [#1]
> PREEMPT SMP NOPTI
> 0.9318931 CPU: 1 UID:0 PID:1 Comn: init Not tainted 6.12.22-and64 #1 Debian
> 6.12.22-1
> 0.9319151 Harduare nane: GITSIAR GDC-1461/GM-1461,BIOS 03.04 08/03/2023
> 0.9319321 RIP: 0010:copy_fpstate_to_sigframe+0x1eb/0x3c0
> 0.9319521 Code: b9 01 00 00 00 of 01 d0 48 c1 e2 20 89 c0 48 01 c2 48 81 ca ff
> 02 00 00 49 21 d5 e9 f4 fe ff ff 0f 1f 44 00 00 b9 01 00 0 0 <0f> 01 d0 48 c1
> e2 20 89 c0 48 8d 8d 00 02 00 00 48 01 d0 4c 21 e8

We got a #GP exception on an XGETBV instruction, which means "ECX
specifies a reserved or unimplemented XCR address".  So this instruction
is wrongly being used on a CPU that doesn't support it.

To help confirm this, please can you send the contents of /proc/cpuinfo?

> 0.9319911 RSP:0018:ffffa6844002bc28EFLAGS:00010246
> 0.9320061RAX:   0 RBX: 00000000 RcX: 00000001
[...]

ECX is 1 (= XCR_XFEATURE_IN_USE_MASK).  So this is a use of
xfeatures_in_use() inlined into copy_fpstate_to_sigframe().

Since this is a regression after 6.11.9, my guess is that this is caused
by:

commit dd9478d54c738e86692b83cc992dc4fb643bcdbf
Author: Aruna Ramakrishna <aruna.ramakris...@oracle.com>
Date:   Tue Nov 19 17:45:20 2024 +0000
 
    x86/pkeys: Ensure updated PKRU value is XRSTOR'd
    
    [ Upstream commit ae6012d72fa60c9ff92de5bac7a8021a47458e5b ]

which went into 6.12.5 and adds a call to xfeatures_in_use() without an
obvious CPU feature check.  (The added call is not directly in
copy_fpstate_to_sigframe() but it's in a function that can be inlined
into it.)

Ben.

-- 
Ben Hutchings
compatible: Gracefully accepts erroneous data from any source

signature.asc
Description: This is a digitally signed message part