Fix thread_invoke and thread_dispatch TSC non-monotonic panic on Darwin 25.4.0+

[laobamac]

Description

This PR addresses a kernel panic issue that occurs on AMD systems (specifically observed on laptops) when updating to Darwin Kernel Version 25.4.0 (macOS 26.4 Beta/RC).

The existing AMD kernel patch for bypassing the non-monotonic time panic (TSC sync issue) in thread_invoke and thread_dispatch fails to apply on Darwin 25.4.0 due to a structure shift in the XNU kernel.

Root Cause Analysis

Upon analyzing the disassembled XNU kernel, it is evident that the offset for the TSC tracking variables within the thread struct has shifted by 8 bytes.

In Darwin <= 25.3.x, the comparison instruction in thread_invoke looks like this:

4D 3B AE 88 04 00 00    cmp r13, [r14 + 0x488]
0F 82 E6 04 00 00       jb <panic_address>

Click to see

---

However, in Darwin 25.4.0, the struct has grown, and the instruction uses a new offset of 0x490:

4D 3B A6 90 04 00 00    cmp r12, [r14 + 0x490]
0F 82 C8 04 00 00       jb <panic_address>

Click to see

---

Why the current patch fails:
The current patch looks for the signature 48 00 00 80 04 00 00 0F 00 00 00 00 00 with the mask 48 00 00 F0 FF FF FF FF 00 00 00 00 00.
Because the mask applies F0 to the target byte, it successfully matches values from 80 04 to 8F 04 (0x480 - 0x48F). When the offset shifted to 90 04 (0x490), the masking logic no longer matches the expected 0x80, causing the patch engine to skip this instruction entirely. This results in an immediate panic on boot.

---

(Note: The first patch handling thread_quantum_expire and thread_unblock remains unaffected, as their offsets (0x250 and 0x58) have not changed in this Darwin release.)

Testing

• Hardware: AMD Ryzen 7 4800U Laptop
• OS: macOS 26.4 (Darwin 25.4.0)
• Result: The system boots successfully without TSC-related panics.

[VGerris]

tested on Lenovo Legion laptop with update from 26.3 to 26.4.1 , works for me