KVM + fortnite = BSOD - Kernel_Security_Check_Failure

Software & Operating Systems VFIO
,
1

Running fortnite in a KVM on Pop_OS! is something I haven’t been able to do yet. However I am able to run overwatch at nearly native fps. But when I attempt to run fortnite on there it BSODs with Kernel_Security_Check_Failure error. I have a memory dump from that down here. I dont really know what to make of it, other than that the fortnite game exe is triggering it. And just in case its something vm configuration related I have my whole KVM XML down here as well.

Pop_OS! 19.10 is my main OS, and Windows 10 as the KVM OS. This KVM has a GPU dedicated to the VM with vfio, PCI passthrough, its also possible for me to natively boot into this same windows installation. And it converts back and forth between VM and non-VM mode. Fortnite is working just fine when I natively boot into this Windows installation.

Thank you all in advance! ^^

KVM XML

<domain xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0" type="kvm">
  <name>win10</name>
  <uuid>40575e23-c6b5-42ff-b070-6a9a6d0b3328</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://microsoft.com/win/10"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit="KiB">16000000</memory>
  <currentMemory unit="KiB">16000000</currentMemory>
  <memoryBacking>
    <hugepages/>
  </memoryBacking>
  <vcpu placement="static" current="4">12</vcpu>
  <os>
    <type arch="x86_64" machine="pc-q35-4.0">hvm</type>
    <loader readonly="yes" type="pflash">/usr/share/OVMF/OVMF_CODE.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/win10_VARS.fd</nvram>
    <bootmenu enable="yes"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <hyperv>
      <relaxed state="on"/>
      <vapic state="on"/>
      <spinlocks state="on" retries="8191"/>
      <vendor_id state="on" value="Ceremco"/>
    </hyperv>
    <kvm>
      <hidden state="on"/>
    </kvm>
    <vmport state="off"/>
    <ioapic driver="kvm"/>
  </features>
  <cpu mode="host-model" check="partial">
    <model fallback="allow"/>
    <topology sockets="1" cores="6" threads="2"/>
  </cpu>
  <clock offset="localtime">
    <timer name="rtc" tickpolicy="catchup"/>
    <timer name="pit" tickpolicy="delay"/>
    <timer name="hpet" present="no"/>
    <timer name="hypervclock" present="yes"/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled="no"/>
    <suspend-to-disk enabled="no"/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type="file" device="cdrom">
      <driver name="qemu" type="raw" cache="none" io="native"/>
      <source file="/home/ceremco/Downloads/virtio-win-0.1.171.iso"/>
      <target dev="sda" bus="sata"/>
      <readonly/>
      <address type="drive" controller="0" bus="0" target="0" unit="0"/>
    </disk>
    <controller type="usb" index="0" model="qemu-xhci" ports="15">
      <address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/>
    </controller>
    <controller type="pci" index="0" model="pcie-root"/>
    <controller type="pci" index="1" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="1" port="0x8"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0" multifunction="on"/>
    </controller>
    <controller type="pci" index="2" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="2" port="0x9"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x1"/>
    </controller>
    <controller type="pci" index="3" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="3" port="0xa"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x2"/>
    </controller>
    <controller type="pci" index="4" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="4" port="0xb"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x3"/>
    </controller>
    <controller type="pci" index="5" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="5" port="0xc"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x4"/>
    </controller>
    <controller type="pci" index="6" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="6" port="0xd"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x5"/>
    </controller>
    <controller type="pci" index="7" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="7" port="0xe"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x6"/>
    </controller>
    <controller type="pci" index="8" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="8" port="0xf"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x7"/>
    </controller>
    <controller type="pci" index="9" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="9" port="0x10"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/>
    </controller>
    <controller type="pci" index="10" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="10" port="0x11"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/>
    </controller>
    <controller type="pci" index="11" model="pcie-to-pci-bridge">
      <model name="pcie-pci-bridge"/>
      <address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
    </controller>
    <controller type="pci" index="12" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="12" port="0x12"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/>
    </controller>
    <controller type="sata" index="0">
      <address type="pci" domain="0x0000" bus="0x00" slot="0x1f" function="0x2"/>
    </controller>
    <interface type="bridge">
      <mac address="52:54:00:6c:47:81"/>
      <source bridge="bridge0"/>
      <model type="virtio"/>
      <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
    </interface>
    <interface type="network">
      <mac address="52:54:00:e6:8e:0d"/>
      <source network="formula"/>
      <model type="virtio"/>
      <link state="up"/>
      <address type="pci" domain="0x0000" bus="0x06" slot="0x00" function="0x0"/>
    </interface>
    <input type="mouse" bus="virtio">
      <address type="pci" domain="0x0000" bus="0x09" slot="0x00" function="0x0"/>
    </input>
    <input type="keyboard" bus="virtio">
      <address type="pci" domain="0x0000" bus="0x0a" slot="0x00" function="0x0"/>
    </input>
    <input type="mouse" bus="ps2"/>
    <input type="keyboard" bus="ps2"/>
    <sound model="ich6">
      <address type="pci" domain="0x0000" bus="0x0b" slot="0x02" function="0x0"/>
    </sound>
    <hostdev mode="subsystem" type="pci" managed="yes">
      <source>
        <address domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
      </source>
      <rom bar="on"/>
      <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
    </hostdev>
    <hostdev mode="subsystem" type="pci" managed="yes">
      <source>
        <address domain="0x0000" bus="0x03" slot="0x00" function="0x1"/>
      </source>
      <rom bar="on"/>
      <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
    </hostdev>
    <hostdev mode="subsystem" type="pci" managed="yes">
      <source>
        <address domain="0x0000" bus="0x02" slot="0x00" function="0x0"/>
      </source>
      <boot order="1"/>
      <rom bar="on"/>
      <address type="pci" domain="0x0000" bus="0x08" slot="0x00" function="0x0"/>
    </hostdev>
    <memballoon model="virtio">
      <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
    </memballoon>
    <shmem name="looking-glass">
      <model type="ivshmem-plain"/>
      <size unit="M">32</size>
      <address type="pci" domain="0x0000" bus="0x0b" slot="0x01" function="0x0"/>
    </shmem>
  </devices>
  <qemu:commandline>
    <qemu:arg value="-object"/>
    <qemu:arg value="input-linux,id=mouse1,evdev=/dev/input/by-id/usb-Logitech_Gaming_Mouse_G502_066A34783437-event-mouse"/>
    <qemu:arg value="-object"/>
    <qemu:arg value="input-linux,id=kbd1,evdev=/dev/input/by-id/usb-Logitech_G510_Gaming_Keyboard-event-kbd,grab_all=on,repeat=on"/>
    <qemu:env name="QEMU_AUDIO_DRV" value="pa"/>
    <qemu:env name="QEMU_PA_SAMPLES" value="8192"/>
    <qemu:env name="QEMU_AUDIO_TIMER_PERIOD" value="99"/>
    <qemu:env name="QEMU_PA_SERVER" value="/run/user/1000/pulse/native"/>
  </qemu:commandline>
</domain>

Windows 10 BSOD memory.dmp

> KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000004, The thread's stack pointer was outside the legal stack extents for the thread.
Arg2: ffffc381cb85eff0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffc381cb85ef48, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:

KEY_VALUES_STRING: 1

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

SYSTEM_MANUFACTURER:  QEMU

SYSTEM_PRODUCT_NAME:  Standard PC (Q35 + ICH9, 2009)

SYSTEM_VERSION:  pc-q35-4.0

BIOS_VENDOR:  EFI Development Kit II / OVMF

BIOS_VERSION:  0.0.0

BIOS_DATE:  02/06/2015

DUMP_TYPE:  1

BUGCHECK_P1: 4

BUGCHECK_P2: ffffc381cb85eff0

BUGCHECK_P3: ffffc381cb85ef48

BUGCHECK_P4: 0

TRAP_FRAME:  ffffc381cb85eff0 -- (.trap 0xffffc381cb85eff0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffd0524acc000 rbx=0000000000000000 rcx=0000000000000004
rdx=fffffd0524ad2000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80234c4ecc7 rsp=ffffc381cb85f180 rbp=ffffc381cb85f6f0
 r8=fffffd0524ad2000  r9=ffffc381cb85f701 r10=ffff828b237ea080
r11=0000003f0072d5b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di pl zr na po nc
nt!RtlpGetStackLimitsEx+0x12e6cb:
fffff802`34c4ecc7 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: fffff80234bc10a0 (nt!KeBugCheckEx)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000001
NumberParameters: 0

CPU_COUNT: 4

CPU_MHZ: d4b

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3a

CPU_STEPPING: 9

CPU_MICROCODE: 6,3a,9,0 (F,M,S,R)  SIG: 1'00000000 (cache) 1'00000000 (init)

BUGCHECK_STR:  0x139

PROCESS_NAME:  FortniteClient-Win64-Shipping.exe

CURRENT_IRQL:  0

DEFAULT_BUCKET_ID:  FAIL_FAST_INCORRECT_STACK

WATSON_BKT_EVENT:  BEX

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000004

ANALYSIS_SESSION_HOST:  DESKTOP-9P3C7E0

ANALYSIS_SESSION_TIME:  11-11-2019 19:01:49.0974

ANALYSIS_VERSION: 10.0.18362.1 x86fre

BAD_STACK_POINTER:  ffffc381cb85ecc8

LAST_CONTROL_TRANSFER:  from fffff80234bd2ee9 to fffff80234bc10a0

STACK_TEXT:  
ffffc381`cb85ecc8 fffff802`34bd2ee9 : 00000000`00000139 00000000`00000004 ffffc381`cb85eff0 ffffc381`cb85ef48 : nt!KeBugCheckEx
ffffc381`cb85ecd0 fffff802`34bd3310 : 00000000`00000000 00000000`00000000 ffffffff`ffffffff ffffffff`ffffffff : nt!KiBugCheckDispatch+0x69
ffffc381`cb85ee10 fffff802`34bd16a5 : fffff802`34b271d8 fffff802`34e0de14 ffffc381`cb85f7d0 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffc381`cb85eff0 fffff802`34c4ecc7 : 00000000`00000000 00000000`00000267 0005e554`00ab5000 00000000`0010001f : nt!KiRaiseSecurityCheckFailure+0x325
ffffc381`cb85f180 fffff802`34c2e600 : 00000000`0000008e 00000000`00000000 ffffc381`cb85f6f0 00007fff`00000003 : nt!RtlpGetStackLimitsEx+0x12e6cb
ffffc381`cb85f1b0 fffff802`34ac7aee : fffffd05`24ad18b8 ffffc381`cb85fe30 fffffd05`24ad18b8 00000000`001cf750 : nt!RtlDispatchException+0x16b550
ffffc381`cb85f900 fffff802`34bc1f22 : ffffffff`ffffffff ffffffff`ffffffff ffffffff`ffffffff ffffffff`ffffffff : nt!KiDispatchException+0x16e
ffffc381`cb85ffb0 fffff802`34bc1ef0 : fffff802`34bd3016 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxExceptionDispatchOnExceptionStack+0x12
fffffd05`24ad1778 fffff802`34bd3016 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatchOnExceptionStackContinue
fffffd05`24ad1780 fffff802`34bceda2 : 00000000`00000000 00000000`00000001 fffffd05`24ad1ac0 ffff828b`237ea080 : nt!KiExceptionDispatch+0x116
fffffd05`24ad1960 fffff802`34bc167e : fffff802`34bc7a07 00007ff7`e4046e00 fffffd05`24ad1b80 ffff828b`237ea080 : nt!KiGeneralProtectionFault+0x322
fffffd05`24ad1af8 fffff802`34bc7a07 : 00007ff7`e4046e00 fffffd05`24ad1b80 ffff828b`237ea080 00000000`001cf750 : nt!KiSaveDebugRegisterState+0x8e
fffffd05`24ad1b00 00007fff`56edb404 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiIpiInterrupt+0x267
0000003f`0072d5b0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`56edb404


THREAD_SHA1_HASH_MOD_FUNC:  439169631f0b674993a50adabe97ebb00283d757

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  35f648a188b2f1cdd98e5abedd1c72f7b99570c6

THREAD_SHA1_HASH_MOD:  fe34192f63d13620a8987d294372ee74d699cfee

FOLLOWUP_IP: 
nt!KiFastFailDispatch+d0
fffff802`34bd3310 c644242000      mov     byte ptr [rsp+20h],0

FAULT_INSTR_CODE:  202444c6

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  nt!KiFastFailDispatch+d0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  d0

FAILURE_BUCKET_ID:  0x139_MISSING_GSFRAME_STACKPTR_ERROR_nt!KiFastFailDispatch

BUCKET_ID:  0x139_MISSING_GSFRAME_STACKPTR_ERROR_nt!KiFastFailDispatch

PRIMARY_PROBLEM_CLASS:  0x139_MISSING_GSFRAME_STACKPTR_ERROR_nt!KiFastFailDispatch

TARGET_TIME:  2019-11-11T17:30:42.000Z

OSBUILD:  18362

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  2dde

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_missing_gsframe_stackptr_error_nt!kifastfaildispatch

FAILURE_ID_HASH:  {7b0febb5-6007-4f2b-3d38-57fef278d8d5}

Followup:     MachineOwner
2

It’s almost certainly Easy Anti Cheat being badly coded, and they will not support you in this.

Passthrough a whole USB controller and use your mouse and keyboard through that instead of using USB passthrough. USB passthrough can result in problems like this if you’re doing special evdev passthroughs. Don’t use Spice neither. Also use a USB audio card.

3

I had the same issue with Fortnite, do the below:

Avoiding Blue screen of death on Windows:

$ sudo -s
$ echo 1 > /sys/module/kvm/parameters/ignore_msrs

To make this permanent:
$ sudo nano /etc/modprobe.d/kvm.conf

Add this in:
options kvm ignore_msrs=Y
options kvm report_ignored_msrs=N

Hope this helps.

3 Likes
4

I dont think its anti-cheat, this is just some form of instruction/code/something breaking the whole machine, easy anti cheat may be using that or it could be fortnite itself. But just in the grand scheme of things a bsod is never good, certenly not when some instructions/code can incur bsods. And for all I know (i already knew) other programs could cause the same bsods.

And I did find my answer form speedyrazor on this thread marked as Solution.

And thank you for the tips on making my KVM better. I am aware evdev can be buggy as with all things made by mankind, but I even had this problem just when passing through a GPU. I had no evdev setup then just a plane USB keyboard and mouse.

The sound thing Im still working on for my own uses, but this pulseaudio solution works ok most times. Even though it has some micro delay that is noticeable when you really look for it. Like people talking in a video sounds a fraction too late, but that might be between my ears.

Your input is much appreciated.

Thank you! =)

5

Thank you, thank you, thank you!

This worked!

$ sudo -s
$ echo 1 > /sys/module/kvm/parameters/ignore_msrs

The permanent version works like a charm too!

Thank you very much! =D

6

Had the same problem when running alice madness returns, this was the solution!

2 Likes