| From | Sean Christopherson <seanjc@google.com> |
|---|---|
| Newsgroups | linux.debian.bugs.dist, linux.kernel, linux.debian.kernel |
| Subject | Bug#1135235: linux-image-6.19.13+deb14-amd64: Reoccuring host crash "Invalid SPTE change" with gaming win kvm/qemu guest and device passthrough |
| Date | 2026-05-18 15:50 +0200 |
| Message-ID | <MW6w1-64AA-5@gated-at.bofh.it> (permalink) |
| References | <MPiBX-1lGE-1@gated-at.bofh.it> <MVJJ7-5Pih-1@gated-at.bofh.it> <MPiBX-1lGE-1@gated-at.bofh.it> <MVJJ7-5Pih-1@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Cross-posted to 3 groups.
On Sun, May 17, 2026, Salvatore Bonaccorso wrote:
> Control: forwwarded -1 https://lore.kernel.org/all/177902420697.2035014.8796825668567298024@eldamar.lan
>
> Hi
>
> Maximilian Senftleben reported the following in Debian (cf.
> https://bugs.debian.org/1135235), it should be noted while Maximilian
> uses the looking-glass application (which is accompanied with dkms
> modules, they are not loaded and do not taint the kernel). Do you have
> an idea how to debug this?
>
> On Wed, Apr 29, 2026 at 09:17:14PM +0200, Maximilian Senftleben wrote:
> > Package: src:linux
> > Version: 6.19.13-1
> > Severity: important
> >
> > Dear Maintainer,
> >
> > - I have a Windows kvm/qemu guest that uses device passthrough for my GPU.
> > - Sometimes while playing the host system crashes/freezes, this only happens
> > during load/gaming, and sometimes 1-2 times a day, sometimes not at all.
> >
> >
> > System:
> > Linux myhost 6.19.13+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.19.13-1
> > (2026-04-18) x86_64 GNU/Linux
> >
> > CPU:
> > vendor_id : GenuineIntel
> > cpu family : 6
> > model : 183
> > model name : Intel(R) Core(TM) i5-14400
> > [...]
> >
> > Apr 29 12:10:33 myhost kernel: kvm: Invalid SPTE change: cannot replace a present leaf
> > SPTE with another present leaf SPTE mapping a
> > different PFN!
> > as_id: 0 gfn: 80ec33 old_spte: 860000aae3d00bc8 new_spte: 86000009e3d00b77 level: 1
> > Apr 29 12:10:33 myhost kernel: ------------[ cut here ]------------
> > Apr 29 12:10:33 myhost kernel: kernel BUG at arch/x86/kvm/mmu/tdp_mmu.c:600!
> > Apr 29 12:10:33 myhost kernel: Oops: invalid opcode: 0000 [#1] SMP NOPTI
> > Apr 29 12:10:33 myhost kernel: CPU: 7 UID: 1000 PID: 8419 Comm: CPU 2/KVM Not tainted 6.19.13+deb14-amd64 #1 PREEMPT(lazy) Debian 6.19.13-1
> > Apr 29 12:10:33 myhost kernel: Hardware name: Micro-Star International Co., Ltd. MS-7D96/MAG B760 TOMAHAWK WIFI (MS-7D96), BIOS A.B0 10/07/2024
> > Apr 29 12:10:33 myhost kernel: RIP: 0010:handle_changed_spte.cold+0x1d/0x84 [kvm]
> > Apr 29 12:10:33 myhost kernel: Modules linked in: vhost_net vhost vhost_iotlb tap tun rfcomm snd_seq_dummy snd_hrtimer snd_seq xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat x_tables nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables bridge stp llc sunrpc uinput qrtr cmac algif_hash algif_skcipher af_alg bnep dm_crypt hid_corsair joydev snd_sof_pci_intel_tgl snd_sof_pci_intel_cnl snd_sof_intel_hda_generic soundwire_intel snd_sof_intel_hda_sdw_bpt snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda_mlink snd_sof_intel_hda soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp snd_hda_codec_intelhdmi snd_sof snd_hda_codec_hdmi intel_rapl_msr intel_rapl_common iwlmvm snd_sof_utils snd_soc_acpi_intel_match snd_soc_acpi_intel_sdca_quirks intel_uncore_frequency soundwire_generic_allocation intel_uncore_frequency_common snd_soc_sdw_utils snd_soc_acpi snd_hda_codec_alc662 x86_pkg_temp_thermal crc8 intel_powerclamp snd_hda_codec_realtek_lib uvcvideo soundwire_bus coretemp mac80211
> > Apr 29 12:10:33 myhost kernel: snd_hda_codec_generic videobuf2_vmalloc snd_soc_sdca uvc videobuf2_memops snd_usb_audio videobuf2_v4l2 snd_soc_avs videodev snd_soc_hda_codec kvm_intel snd_hda_intel snd_usbmidi_lib snd_hda_ext_core snd_rawmidi snd_hda_codec videobuf2_common snd_seq_device nls_ascii mc hid_generic snd_soc_core nls_cp437 libarc4 iTCO_wdt snd_hda_core vfat intel_pmc_bxt kvm fat mei_hdcp mei_pxp spd5118 snd_intel_dspcfg iTCO_vendor_support snd_compress iwlwifi snd_intel_sdw_acpi watchdog snd_pcm_dmaengine snd_hwdep rapl snd_pcm intel_cstate r8169 battery snd_timer cfg80211 intel_uncore wmi_bmof mxm_wmi snd mei_me realtek pcspkr i2c_i801 i2c_smbus soundcore mei fan btusb intel_pmc_core btmtk uas btrtl btbcm btintel pmt_telemetry serial_multi_instantiate usb_storage bluetooth pmt_discovery pmt_class intel_pmc_ssram_telemetry acpi_tad acpi_pad usbhid ecdh_generic hid button evdev sg rfkill binfmt_misc dm_mod efi_pstore nfnetlink xe drm_ttm_helper drm_suballoc_helper gpu_sched drm_gpuvm drm_exec configfs drm_gpusvm_helper ext4
> > Apr 29 12:10:33 myhost kernel: crc16 mbcache jbd2 crc32c_cryptoapi i915 drm_client_lib sd_mod i2c_algo_bit drm_buddy ttm drm_display_helper ahci drm_kms_helper libahci xhci_pci libata xhci_hcd drm nvme nvme_core usbcore scsi_mod nvme_keyring cec nvme_auth video ghash_clmulni_intel hkdf rc_core scsi_common intel_vsec usb_common wmi pinctrl_alderlake vfio_pci vfio_pci_core irqbypass vfio_iommu_type1 vfio parport_pc lp ppdev parport i2c_dev msr efivarfs autofs4 aesni_intel
> > Apr 29 12:10:33 myhost kernel: ---[ end trace 0000000000000000 ]---
> > Apr 29 12:10:33 myhost kernel: kvm: get_mmio_spte: reserved bits set on MMU-present spte, addr 0x80ec3098c, hierarchy:
> > Apr 29 12:10:33 myhost kernel: kvm: ------ spte = 0x8000000109193907 level = 4, rsvd bits = 0xfff80000000f8
> > Apr 29 12:10:33 myhost kernel: kvm: ------ spte = 0x80000008d8b33907 level = 3, rsvd bits = 0xfff8000000078
> > Apr 29 12:10:33 myhost kernel: kvm: ------ spte = 0x8000000371e37907 level = 2, rsvd bits = 0xfff8000000078
> > Apr 29 12:10:33 myhost kernel: kvm: ------ spte = 0x86000004e3cfdb26 level = 1, rsvd bits = 0xfff8000000000
> > Apr 29 12:10:33 myhost kernel: ------------[ cut here ]------------

Odds are very good this is due to host memory corruption, and is not a bug in
KVM's MMU. We (Google) had a period of time where our kernel was triggering
stack overflows if a networking IRQ hit at just the right/wrong time, and
whenever the overflow wandered into KVM page tables, it would result in failures
like these. I got quite familiar with the signature :-)

If you aren't already, can you try running with CONFIG_VMAP_STACK=y? Stack
overflow doesn't seem likely in this case since the gfn would put the SPTE in
the middle of the page table, but it's easy enough to rule out.

The other thing to try would be to run with CONFIG_KASAN=y. That might make
your gaming quite miserable, but if this is indeed due to a rogue write, it's
the best shot for catching the culprit. Or as Paolo suggested, you could try
bisecting.
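
Added example (not part of the message above and not KVM code): a small Python parser for the "Invalid SPTE change" line from the report. It computes which slot of its page table the reported SPTE occupies, the quantity behind the remark about where the gfn puts the SPTE, and extracts the old and new PFNs. It assumes the standard x86-64 layout (512 eight-byte entries per 4 KiB table, frame number in bits 51:12); the function and constant names are illustrative.

```python
import re

# Constructed sample: the "Invalid SPTE change" line from the report, unwrapped.
SAMPLE = (
    "kvm: Invalid SPTE change: cannot replace a present leaf SPTE with another "
    "present leaf SPTE mapping a different PFN! as_id: 0 gfn: 80ec33 "
    "old_spte: 860000aae3d00bc8 new_spte: 86000009e3d00b77 level: 1"
)

# Assumed layout: standard x86-64 paging (4 KiB tables, 512 entries of 8 bytes,
# frame number in bits 51:12 of each entry).
ENTRIES_PER_TABLE = 512
ENTRY_SIZE = 8
PFN_MASK = 0x000FFFFFFFFFF000
PAGE_SHIFT = 12

FIELDS = re.compile(
    r"gfn: (?P<gfn>[0-9a-f]+) old_spte: (?P<old>[0-9a-f]+) "
    r"new_spte: (?P<new>[0-9a-f]+) level: (?P<level>\d+)"
)


def decode_spte_change(line):
    """Return table position and PFNs for one log line, or None if no match."""
    m = FIELDS.search(line)
    if m is None:
        return None
    gfn, old, new = (int(m[k], 16) for k in ("gfn", "old", "new"))
    level = int(m["level"])
    # Each paging level consumes 9 bits of the gfn; level 1 uses the lowest 9.
    index = (gfn >> (9 * (level - 1))) % ENTRIES_PER_TABLE
    old_pfn = (old & PFN_MASK) >> PAGE_SHIFT
    new_pfn = (new & PFN_MASK) >> PAGE_SHIFT
    return {
        "index": index,                     # slot within the page table
        "byte_offset": index * ENTRY_SIZE,  # offset of the SPTE in its 4 KiB page
        "old_pfn": old_pfn,
        "new_pfn": new_pfn,
        "pfn_bits_changed": bin(old_pfn ^ new_pfn).count("1"),
        "non_pfn_bits_changed": bin((old ^ new) & ~PFN_MASK).count("1"),
    }


if __name__ == "__main__":
    for key, value in decode_spte_change(SAMPLE).items():
        print(f"{key}: {value:#x}")
```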
Bug#1135235: linux-image-6.19.13+deb14-amd64: Reoccuring host crash "Invalid SPTE change" with gaming win kvm/qemu guest and device passthrough Salvatore Bonaccorso <carnil@debian.org> - 2026-05-17 15:30 +0200
Bug#1135235: linux-image-6.19.13+deb14-amd64: Reoccuring host crash "Invalid SPTE change" with gaming win kvm/qemu guest and device passthrough Sean Christopherson <seanjc@google.com> - 2026-05-18 15:50 +0200