Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
On 06:33 26.05.20, Ricardo Neri wrote:
> On Sat, May 23, 2020 at 04:17:39AM +0200, Andreas Rammhold wrote:
> > On 12:43 19.05.20, Ricardo Neri wrote:
> > > I have a patch for this already that I wrote for testing purposes:
> > > https://github.com/ricardon/tip/commit/1692889cb3f8accb523d44b682458e234b93be50
> > > Perhaps it can be used as a starting point? Not sure what the spoofing
> > > value should be, though. Perhaps 0?
> >
> > I tried the above patch (in modified/rebased version; hope that didn't
> > kill it [0]). The results are negative, as without the patch.
>
> Ah. My patch above is based on a rather old kernel. There is a check in
> fixup_umip_exception() for SLDT and STR. I think this causes the
> exception you see. Perhaps you can try by removing such check:
>
> diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c
> @@ -383,10 +389,6 @@ bool fixup_umip_exception(struct pt_regs *regs)
> umip_pr_warn(regs, "%s instruction cannot be used by applications.\n",
> umip_insns[umip_inst]);
>
> - /* Do not emulate (spoof) SLDT or STR. */
> - if (umip_inst == UMIP_INST_STR || umip_inst == UMIP_INST_SLDT)
> - return false;
> -
> umip_pr_warn(regs, "For now, expensive software emulation returns the
> result.\n");
>
> if (emulate_umip_insn(, umip_inst, dummy_data, _data_size,
>
> You would still need my old patch.

Thanks, that works for my application.

Regards,
Andi
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
On Sat, May 23, 2020 at 04:17:39AM +0200, Andreas Rammhold wrote:
> On 12:43 19.05.20, Ricardo Neri wrote:
> > I have a patch for this already that I wrote for testing purposes:
> > https://github.com/ricardon/tip/commit/1692889cb3f8accb523d44b682458e234b93be50
> > Perhaps it can be used as a starting point? Not sure what the spoofing
> > value should be, though. Perhaps 0?
>
> I tried the above patch (in modified/rebased version; hope that didn't
> kill it [0]). The results are negative, as without the patch.

Ah. My patch above is based on a rather old kernel. There is a check in
fixup_umip_exception() for SLDT and STR. I think this causes the
exception you see. Perhaps you can try by removing such check:

diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c
@@ -383,10 +389,6 @@ bool fixup_umip_exception(struct pt_regs *regs)
umip_pr_warn(regs, "%s instruction cannot be used by applications.\n",
umip_insns[umip_inst]);

- /* Do not emulate (spoof) SLDT or STR. */
- if (umip_inst == UMIP_INST_STR || umip_inst == UMIP_INST_SLDT)
- return false;
-
umip_pr_warn(regs, "For now, expensive software emulation returns the result.\n");

if (emulate_umip_insn(, umip_inst, dummy_data, _data_size,

You would still need my old patch.

Thanks and BR,
Ricardo
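Review bot: removing the SLDT/STR bail-out in fixup_umip_exception() hands those two instructions to emulate_umip_insn() with dummy_data, so the hunk is only correct together with the earlier test patch that teaches emulate_umip_insn() what to store for UMIP_INST_SLDT and UMIP_INST_STR; without it, that function's return value alone decides between a spoofed result and the SIGSEGV being debugged. The hunk also carries no commit message: it should state which value is spoofed (0 as in the test patch, or a nonzero selector when the process has an LDT, as proposed earlier in the thread) and note that SLDT and STR store a 16-bit segment selector that 32-bit user code compares against constants, unlike the table bases that the SGDT/SIDT spoofing returns. Finally, the header `@@ -383,10 +389,6 @@` shows it was cut against a tree that already carries other changes, which matches "You would still need my old patch" but means it will not apply to a stock kernel on its own.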
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
On 11:56 19.05.20, Brendan Shanks wrote:
> The problem is that the kernel does not emulate/spoof the SLDT instruction,
> only SGDT, SIDT, and SMSW.
> SLDT and STR weren't thought to be commonly used, so emulation/spoofing
> wasn’t added.
> In the last few months I have seen reports of one or two (32-bit) Windows
> games that use SLDT though.
> Can you share more information about the application you’re running?

This is basically the "minimal" reproducer for the issue I've been observing
(as in the previously linked article):
https://gist.githubusercontent.com/andir/071981717460242a1df2e0fc20836fdc/raw/0c31877aa7ee59146596fe68934f9cecb5c998ae/test.c
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
On 12:43 19.05.20, Ricardo Neri wrote:
> I have a patch for this already that I wrote for testing purposes:
> https://github.com/ricardon/tip/commit/1692889cb3f8accb523d44b682458e234b93be50
> Perhaps it can be used as a starting point? Not sure what the spoofing
> value should be, though. Perhaps 0?

I tried the above patch (in modified/rebased version; hope that didn't
kill it [0]). The results are negative, as without the patch.

[0] https://github.com/andir/linux/commit/bda858f44a860762bc484da62833f57462220874
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
> On May 20, 2020, at 5:55 PM, Ricardo Neri wrote:
>
> On Tue, May 19, 2020 at 05:54:53PM -0700, Andy Lutomirski wrote:
>>> On Tue, May 19, 2020 at 12:43 PM Ricardo Neri wrote:
>>>
>>> On Tue, May 19, 2020 at 11:56:40AM -0700, Brendan Shanks wrote:
> On May 19, 2020, at 7:38 AM, Andreas Rammhold wrote:
>
> Hi,
>
> I've been running into a weird problem with UMIP on a current Ryzen
> 3900x with kernel 5.6.11 where a process receives a page fault after the
> kernel handled the SLDT (or SIDT) instruction (emulation).
>
> The program I am running is run through WINE in 32bit mode and tries to
> figure out if it is running in a VMWare machine by comparing the results
> of SLDT against well known constants (basically as shown in the
> [example] linked below).
>
> In dmesg I see the following log lines:
>> [99970.004756] umip: Program.exe[3080] ip:4373fb sp:32f3e0: SIDT
>> instruction cannot be used by applications.
>> [99970.004757] umip: Program.exe[3080] ip:4373fb sp:32f3e0: For now,
>> expensive software emulation returns the result.
>> [99970.004758] umip: Program.exe[3080] ip:437415 sp:32f3e0: SLDT
>> instruction cannot be used by applications.
>
> Following that the process terminates with a page fault:
>> Unhandled exception: page fault on read access to 0x in 32-bit
>> code (0x00437415).
>
> Assembly at that address:
>> 0x00437415: sldt 0xffe8(%ebp)
>
> Running the same executable on the exact same kernel (and userland) but
> on an Intel i7-8565U doesn't crash at this point. I am guessing the
> emulation is supposed to do something different on AMD CPUs?
>>>
>>> I am surprised you don't see it on the Intel processor. Maybe it does
>>> not have UMIP. Do you see umip when you do
>>>
>>> $ grep umip /proc/cpuinfo
>>>
>>> ?
>
> On the Ryzen the code executes successfully after setting
> CONFIG_X86_UMIP=n.

Hi Andreas,

The problem is that the kernel does not emulate/spoof the SLDT instruction,
only SGDT, SIDT, and SMSW.
SLDT and STR weren't thought to be commonly used, so emulation/spoofing
wasn’t added.
In the last few months I have seen reports of one or two (32-bit) Windows
games that use SLDT though.
Can you share more information about the application you’re running?

Maybe the best path is to add kernel emulation/spoofing for SLDT and STR
on 32 and 64-bit, just to cover all the cases. It should be a pretty
simple patch, I’ll start working on it.
>>>
>>> I have a patch for this already that I wrote for testing purposes:
>>>
>>> https://github.com/ricardon/tip/commit/1692889cb3f8accb523d44b682458e234b93be50
>>>
>>> Perhaps it can be used as a starting point? Not sure what the spoofing
>>> value should be, though. Perhaps 0?
>>
>> Possibly SLDT should return nonzero if there's an LDT.
>
> I guess the value should be in the same hole of the x86_64 memory map,
> right? Currently sgdt and sidt return 0xfffe and
> 0x, respectively.

As far as I’m concerned, it makes no difference whether it’s a hole in the
memory map. But sure.

>
> Thanks and BR,
> Ricardo
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
On Tue, May 19, 2020 at 05:54:53PM -0700, Andy Lutomirski wrote:
> On Tue, May 19, 2020 at 12:43 PM Ricardo Neri wrote:
> >
> > On Tue, May 19, 2020 at 11:56:40AM -0700, Brendan Shanks wrote:
> > >
> > > > On May 19, 2020, at 7:38 AM, Andreas Rammhold wrote:
> > > >
> > > > Hi,
> > > >
> > > > I've been running into a weird problem with UMIP on a current Ryzen
> > > > 3900x with kernel 5.6.11 where a process receives a page fault after the
> > > > kernel handled the SLDT (or SIDT) instruction (emulation).
> > > >
> > > > The program I am running is run through WINE in 32bit mode and tries to
> > > > figure out if it is running in a VMWare machine by comparing the results
> > > > of SLDT against well known constants (basically as shown in the
> > > > [example] linked below).
> > > >
> > > > In dmesg I see the following log lines:
> > > >> [99970.004756] umip: Program.exe[3080] ip:4373fb sp:32f3e0: SIDT
> > > >> instruction cannot be used by applications.
> > > >> [99970.004757] umip: Program.exe[3080] ip:4373fb sp:32f3e0: For now,
> > > >> expensive software emulation returns the result.
> > > >> [99970.004758] umip: Program.exe[3080] ip:437415 sp:32f3e0: SLDT
> > > >> instruction cannot be used by applications.
> > > >
> > > > Following that the process terminates with a page fault:
> > > >> Unhandled exception: page fault on read access to 0x in 32-bit
> > > >> code (0x00437415).
> > > >
> > > > Assembly at that address:
> > > >> 0x00437415: sldt 0xffe8(%ebp)
> > > >
> > > > Running the same executable on the exact same kernel (and userland) but
> > > > on an Intel i7-8565U doesn't crash at this point. I am guessing the
> > > > emulation is supposed to do something different on AMD CPUs?
> >
> > I am surprised you don't see it on the Intel processor. Maybe it does
> > not have UMIP. Do you see umip when you do
> >
> > $ grep umip /proc/cpuinfo
> >
> > ?
> >
> > > > On the Ryzen the code executes successfully after setting
> > > > CONFIG_X86_UMIP=n.
> > >
> > > Hi Andreas,
> > >
> > > The problem is that the kernel does not emulate/spoof the SLDT
> > > instruction, only SGDT, SIDT, and SMSW.
> > > SLDT and STR weren't thought to be commonly used, so emulation/spoofing
> > > wasn’t added.
> > > In the last few months I have seen reports of one or two (32-bit) Windows
> > > games that use SLDT though.
> > > Can you share more information about the application you’re running?
> > >
> > > Maybe the best path is to add kernel emulation/spoofing for SLDT and STR
> > > on 32 and 64-bit, just to cover all the cases. It should be a pretty
> > > simple patch, I’ll start working on it.
> >
> > I have a patch for this already that I wrote for testing purposes:
> >
> > https://github.com/ricardon/tip/commit/1692889cb3f8accb523d44b682458e234b93be50
> >
> > Perhaps it can be used as a starting point? Not sure what the spoofing
> > value should be, though. Perhaps 0?
>
> Possibly SLDT should return nonzero if there's an LDT.

I guess the value should be in the same hole of the x86_64 memory map,
right? Currently sgdt and sidt return 0xfffe and 0x, respectively.

Thanks and BR,
Ricardo
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
On 11:56 19.05.20, Brendan Shanks wrote:
> The problem is that the kernel does not emulate/spoof the SLDT instruction,
> only SGDT, SIDT, and SMSW.
> SLDT and STR weren't thought to be commonly used, so emulation/spoofing
> wasn’t added.
> In the last few months I have seen reports of one or two (32-bit) Windows
> games that use SLDT though.
> Can you share more information about the application you’re running?

I'll try to create a very simple reproducer for this case in the next days.
Unfortunately I don't have the source of the original application. I can
mail you instructions about it directly, if required.

> Maybe the best path is to add kernel emulation/spoofing for SLDT and
> STR on 32 and 64-bit, just to cover all the cases. It should be a
> pretty simple patch, I’ll start working on it.

Check the other mail from Ricardo, you can probably save that effort :-)

> Alternately, I did work on a Wine patch to emulate the UMIP
> instructions in user-space, but it adds a lot of code and I don’t
> think there’s much appetite for it in upstream Wine (especially since
> the kernel emulation is sufficient for almost all cases).
> https://www.winehq.org/pipermail/wine-devel/2020-February/160027.html

Yeah, that seems like the less favorable effort. My best guess is that this
might not be limited to Wine, thus handling it in the kernel might be best.

> In the meantime, an easy way to disable UMIP without rebuilding the
> kernel is to pass 'clearcpuid=514’ on the kernel command line.

Nice, I'll use that next time :-)
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
On 12:43 19.05.20, Ricardo Neri wrote:
> > > Running the same executable on the exact same kernel (and userland) but
> > > on an Intel i7-8565U doesn't crash at this point. I am guessing the
> > > emulation is supposed to do something different on AMD CPUs?
>
> I am surprised you don't see it on the Intel processor. Maybe it does
> not have UMIP. Do you see umip when you do
>
> $ grep umip /proc/cpuinfo

Indeed it doesn't have the feature. I would have assumed that it is recent
enough. Apparently not.

> > > On the Ryzen the code executes successfully after setting
> > > CONFIG_X86_UMIP=n.
> >
> > Hi Andreas,
> >
> > The problem is that the kernel does not emulate/spoof the SLDT instruction,
> > only SGDT, SIDT, and SMSW.
> > SLDT and STR weren't thought to be commonly used, so emulation/spoofing
> > wasn’t added.
> > In the last few months I have seen reports of one or two (32-bit) Windows
> > games that use SLDT though.
> > Can you share more information about the application you’re running?
> >
> > Maybe the best path is to add kernel emulation/spoofing for SLDT and STR on
> > 32 and 64-bit, just to cover all the cases. It should be a pretty simple
> > patch, I’ll start working on it.
>
> I have a patch for this already that I wrote for testing purposes:
>
> https://github.com/ricardon/tip/commit/1692889cb3f8accb523d44b682458e234b93be50
>
> Perhaps it can be used as a starting point? Not sure what the spoofing
> value should be, though. Perhaps 0?

I am not entirely sure what it should return in the general case. My
assumption is that 0 might work. Maybe making it configurable like with the
other UMIP constants that I saw?

I'll give the patch a shot and try to figure out what the authors of the
code have to say about it.
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
On Tue, May 19, 2020 at 12:43 PM Ricardo Neri wrote:
>
> On Tue, May 19, 2020 at 11:56:40AM -0700, Brendan Shanks wrote:
> >
> > > On May 19, 2020, at 7:38 AM, Andreas Rammhold wrote:
> > >
> > > Hi,
> > >
> > > I've been running into a weird problem with UMIP on a current Ryzen
> > > 3900x with kernel 5.6.11 where a process receives a page fault after the
> > > kernel handled the SLDT (or SIDT) instruction (emulation).
> > >
> > > The program I am running is run through WINE in 32bit mode and tries to
> > > figure out if it is running in a VMWare machine by comparing the results
> > > of SLDT against well known constants (basically as shown in the
> > > [example] linked below).
> > >
> > > In dmesg I see the following log lines:
> > >> [99970.004756] umip: Program.exe[3080] ip:4373fb sp:32f3e0: SIDT
> > >> instruction cannot be used by applications.
> > >> [99970.004757] umip: Program.exe[3080] ip:4373fb sp:32f3e0: For now,
> > >> expensive software emulation returns the result.
> > >> [99970.004758] umip: Program.exe[3080] ip:437415 sp:32f3e0: SLDT
> > >> instruction cannot be used by applications.
> > >
> > > Following that the process terminates with a page fault:
> > >> Unhandled exception: page fault on read access to 0x in 32-bit
> > >> code (0x00437415).
> > >
> > > Assembly at that address:
> > >> 0x00437415: sldt 0xffe8(%ebp)
> > >
> > > Running the same executable on the exact same kernel (and userland) but
> > > on an Intel i7-8565U doesn't crash at this point. I am guessing the
> > > emulation is supposed to do something different on AMD CPUs?
>
> I am surprised you don't see it on the Intel processor. Maybe it does
> not have UMIP. Do you see umip when you do
>
> $ grep umip /proc/cpuinfo
>
> ?
>
> > > On the Ryzen the code executes successfully after setting
> > > CONFIG_X86_UMIP=n.
> >
> > Hi Andreas,
> >
> > The problem is that the kernel does not emulate/spoof the SLDT instruction,
> > only SGDT, SIDT, and SMSW.
> > SLDT and STR weren't thought to be commonly used, so emulation/spoofing
> > wasn’t added.
> > In the last few months I have seen reports of one or two (32-bit) Windows
> > games that use SLDT though.
> > Can you share more information about the application you’re running?
> >
> > Maybe the best path is to add kernel emulation/spoofing for SLDT and STR on
> > 32 and 64-bit, just to cover all the cases. It should be a pretty simple
> > patch, I’ll start working on it.
>
> I have a patch for this already that I wrote for testing purposes:
>
> https://github.com/ricardon/tip/commit/1692889cb3f8accb523d44b682458e234b93be50
>
> Perhaps it can be used as a starting point? Not sure what the spoofing
> value should be, though. Perhaps 0?

Possibly SLDT should return nonzero if there's an LDT.

--Andy
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
On 2020-05-19 07:38, Andreas Rammhold wrote:
> Hi,
>
> I've been running into a weird problem with UMIP on a current Ryzen
> 3900x with kernel 5.6.11 where a process receives a page fault after the
> kernel handled the SLDT (or SIDT) instruction (emulation).
>
> The program I am running is run through WINE in 32bit mode and tries to
> figure out if it is running in a VMWare machine by comparing the results
> of SLDT against well known constants (basically as shown in the
> [example] linked below).
>

Extremely weird. What is it expecting to happen -- or rather, what do you
*want* it to do?

-hpa
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
On Tue, May 19, 2020 at 11:56:40AM -0700, Brendan Shanks wrote:
>
> > On May 19, 2020, at 7:38 AM, Andreas Rammhold wrote:
> >
> > Hi,
> >
> > I've been running into a weird problem with UMIP on a current Ryzen
> > 3900x with kernel 5.6.11 where a process receives a page fault after the
> > kernel handled the SLDT (or SIDT) instruction (emulation).
> >
> > The program I am running is run through WINE in 32bit mode and tries to
> > figure out if it is running in a VMWare machine by comparing the results
> > of SLDT against well known constants (basically as shown in the
> > [example] linked below).
> >
> > In dmesg I see the following log lines:
> >> [99970.004756] umip: Program.exe[3080] ip:4373fb sp:32f3e0: SIDT
> >> instruction cannot be used by applications.
> >> [99970.004757] umip: Program.exe[3080] ip:4373fb sp:32f3e0: For now,
> >> expensive software emulation returns the result.
> >> [99970.004758] umip: Program.exe[3080] ip:437415 sp:32f3e0: SLDT
> >> instruction cannot be used by applications.
> >
> > Following that the process terminates with a page fault:
> >> Unhandled exception: page fault on read access to 0x in 32-bit
> >> code (0x00437415).
> >
> > Assembly at that address:
> >> 0x00437415: sldt 0xffe8(%ebp)
> >
> > Running the same executable on the exact same kernel (and userland) but
> > on an Intel i7-8565U doesn't crash at this point. I am guessing the
> > emulation is supposed to do something different on AMD CPUs?

I am surprised you don't see it on the Intel processor. Maybe it does
not have UMIP. Do you see umip when you do

$ grep umip /proc/cpuinfo

?

> >
> > On the Ryzen the code executes successfully after setting CONFIG_X86_UMIP=n.
>
> Hi Andreas,
>
> The problem is that the kernel does not emulate/spoof the SLDT instruction,
> only SGDT, SIDT, and SMSW.
> SLDT and STR weren't thought to be commonly used, so emulation/spoofing
> wasn’t added.
> In the last few months I have seen reports of one or two (32-bit) Windows
> games that use SLDT though.
> Can you share more information about the application you’re running?
>
> Maybe the best path is to add kernel emulation/spoofing for SLDT and STR on
> 32 and 64-bit, just to cover all the cases. It should be a pretty simple
> patch, I’ll start working on it.

I have a patch for this already that I wrote for testing purposes:

https://github.com/ricardon/tip/commit/1692889cb3f8accb523d44b682458e234b93be50

Perhaps it can be used as a starting point? Not sure what the spoofing
value should be, though. Perhaps 0?

Thanks and BR,
Ricardo
Re: umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
> On May 19, 2020, at 7:38 AM, Andreas Rammhold wrote:
>
> Hi,
>
> I've been running into a weird problem with UMIP on a current Ryzen
> 3900x with kernel 5.6.11 where a process receives a page fault after the
> kernel handled the SLDT (or SIDT) instruction (emulation).
>
> The program I am running is run through WINE in 32bit mode and tries to
> figure out if it is running in a VMWare machine by comparing the results
> of SLDT against well known constants (basically as shown in the
> [example] linked below).
>
> In dmesg I see the following log lines:
>> [99970.004756] umip: Program.exe[3080] ip:4373fb sp:32f3e0: SIDT instruction
>> cannot be used by applications.
>> [99970.004757] umip: Program.exe[3080] ip:4373fb sp:32f3e0: For now,
>> expensive software emulation returns the result.
>> [99970.004758] umip: Program.exe[3080] ip:437415 sp:32f3e0: SLDT instruction
>> cannot be used by applications.
>
> Following that the process terminates with a page fault:
>> Unhandled exception: page fault on read access to 0x in 32-bit code
>> (0x00437415).
>
> Assembly at that address:
>> 0x00437415: sldt 0xffe8(%ebp)
>
> Running the same executable on the exact same kernel (and userland) but
> on an Intel i7-8565U doesn't crash at this point. I am guessing the
> emulation is supposed to do something different on AMD CPUs?
>
> On the Ryzen the code executes successfully after setting CONFIG_X86_UMIP=n.

Hi Andreas,

The problem is that the kernel does not emulate/spoof the SLDT instruction,
only SGDT, SIDT, and SMSW.
SLDT and STR weren't thought to be commonly used, so emulation/spoofing
wasn’t added.
In the last few months I have seen reports of one or two (32-bit) Windows
games that use SLDT though.
Can you share more information about the application you’re running?

Maybe the best path is to add kernel emulation/spoofing for SLDT and STR on
32 and 64-bit, just to cover all the cases. It should be a pretty simple
patch, I’ll start working on it.

Alternately, I did work on a Wine patch to emulate the UMIP instructions in
user-space, but it adds a lot of code and I don’t think there’s much appetite
for it in upstream Wine (especially since the kernel emulation is sufficient
for almost all cases).
https://www.winehq.org/pipermail/wine-devel/2020-February/160027.html

In the meantime, an easy way to disable UMIP without rebuilding the kernel is
to pass 'clearcpuid=514’ on the kernel command line.

Brendan Shanks
CodeWeavers
umip: AMD Ryzen 3900X, pagefault after emulate SLDT/SIDT instruction
Hi,

I've been running into a weird problem with UMIP on a current Ryzen
3900x with kernel 5.6.11 where a process receives a page fault after the
kernel handled the SLDT (or SIDT) instruction (emulation).

The program I am running is run through WINE in 32bit mode and tries to
figure out if it is running in a VMWare machine by comparing the results
of SLDT against well known constants (basically as shown in the
[example] linked below).

In dmesg I see the following log lines:
> [99970.004756] umip: Program.exe[3080] ip:4373fb sp:32f3e0: SIDT instruction
> cannot be used by applications.
> [99970.004757] umip: Program.exe[3080] ip:4373fb sp:32f3e0: For now,
> expensive software emulation returns the result.
> [99970.004758] umip: Program.exe[3080] ip:437415 sp:32f3e0: SLDT instruction
> cannot be used by applications.

Following that the process terminates with a page fault:
> Unhandled exception: page fault on read access to 0x in 32-bit code
> (0x00437415).

Assembly at that address:
> 0x00437415: sldt 0xffe8(%ebp)

Running the same executable on the exact same kernel (and userland) but
on an Intel i7-8565U doesn't crash at this point. I am guessing the
emulation is supposed to do something different on AMD CPUs?

On the Ryzen the code executes successfully after setting CONFIG_X86_UMIP=n.

I'd love to contribute a patch but I have no knowledge of the inner workings
of how UMIP actually works. Is there anything else I can provide to help
debugging/fixing this? Very happy to test patches as well.

[example] https://www.aldeid.com/wiki/X86-assembly/Instructions/sldt