Closed ereshetova closed 3 months ago
Likely related one:
general protection fault, probably for non-canonical address 0xe0003c0000020003: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: maybe wild-memory-access in range [0x0002000000100018-0x000200000010001f]
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: events control_work_handler
RIP: 0010:handle_control_message (drivers/char/virtio_console.c:1575)
Code: 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 05 07 00 00 48 b8 00 00 00 00 00 fc ff df 49 03 5e 18 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 6b
All code
0: 00 fc add %bh,%ah
2: ff (bad)
3: df 4c 89 fa fisttps -0x6(%rcx,%rcx,4)
7: 48 c1 ea 03 shr $0x3,%rdx
b: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
f: 0f 85 05 07 00 00 jne 0x71a
15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1c: fc ff df
1f: 49 03 5e 18 add 0x18(%r14),%rbx
23: 48 89 da mov %rbx,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
2e: 48 89 d8 mov %rbx,%rax
31: 83 e0 07 and $0x7,%eax
34: 83 c0 03 add $0x3,%eax
37: 38 d0 cmp %dl,%al
39: 7c 08 jl 0x43
3b: 84 d2 test %dl,%dl
3d: 0f .byte 0xf
3e: 85 .byte 0x85
3f: 6b .byte 0x6b
Code starting with the faulting instruction
0: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
4: 48 89 d8 mov %rbx,%rax
7: 83 e0 07 and $0x7,%eax
a: 83 c0 03 add $0x3,%eax
d: 38 d0 cmp %dl,%al
f: 7c 08 jl 0x19
11: 84 d2 test %dl,%dl
13: 0f .byte 0xf
14: 85 .byte 0x85
15: 6b .byte 0x6b
RSP: 0000:ffffc9000017fca0 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 000200000010001e RCX: 1ffff11000d073a3
RDX: 0000400000020003 RSI: ffff88802c51cab8 RDI: ffff888007ad9c00
RBP: ffffc9000017fcd8 R08: 000200000010001e R09: 0000000000800000
R10: 000200000010001e R11: 0000000000800000 R12: ffff888009e28a00
R13: ffff88802c51cab8 R14: ffff888006839d08 R15: ffff888006839d20
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
Modules linked in:
---[ end trace 0000000000000000 ]---
Another one:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: events control_work_handler
RIP: 0010:handle_control_message (drivers/char/virtio_console.c:1575)
Code: 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 05 07 00 00 48 b8 00 00 00 00 00 fc ff df 49 03 5e 18 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 6b
All code
0: 00 fc add %bh,%ah
2: ff (bad)
3: df 4c 89 fa fisttps -0x6(%rcx,%rcx,4)
7: 48 c1 ea 03 shr $0x3,%rdx
b: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
f: 0f 85 05 07 00 00 jne 0x71a
15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1c: fc ff df
1f: 49 03 5e 18 add 0x18(%r14),%rbx
23: 48 89 da mov %rbx,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
2e: 48 89 d8 mov %rbx,%rax
31: 83 e0 07 and $0x7,%eax
34: 83 c0 03 add $0x3,%eax
37: 38 d0 cmp %dl,%al
39: 7c 08 jl 0x43
3b: 84 d2 test %dl,%dl
3d: 0f .byte 0xf
3e: 85 .byte 0x85
3f: 6b .byte 0x6b
Code starting with the faulting instruction
0: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
4: 48 89 d8 mov %rbx,%rax
7: 83 e0 07 and $0x7,%eax
a: 83 c0 03 add $0x3,%eax
d: 38 d0 cmp %dl,%al
f: 7c 08 jl 0x19
11: 84 d2 test %dl,%dl
13: 0f .byte 0xf
14: 85 .byte 0x85
15: 6b .byte 0x6b
RSP: 0000:ffffc9000017fca0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff11000d073a3
RDX: 0000000000000000 RSI: ffff88802c51cab8 RDI: ffff888007ad9c00
RBP: ffffc9000017fcd8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e28a00
R13: ffff88802c51cab8 R14: ffff888006839d08 R15: ffff888006839d20
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
Modules linked in:
---[ end trace 0000000000000000 ]---
And one more:
general protection fault, probably for non-canonical address 0xdffffc000001a000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: probably user-memory-access in range [0x00000000000d0000-0x00000000000d0007]
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: events control_work_handler
RIP: 0010:handle_control_message (drivers/char/virtio_console.c:1575)
Code: 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 05 07 00 00 48 b8 00 00 00 00 00 fc ff df 49 03 5e 18 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 6b
All code
0: 00 fc add %bh,%ah
2: ff (bad)
3: df 4c 89 fa fisttps -0x6(%rcx,%rcx,4)
7: 48 c1 ea 03 shr $0x3,%rdx
b: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
f: 0f 85 05 07 00 00 jne 0x71a
15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1c: fc ff df
1f: 49 03 5e 18 add 0x18(%r14),%rbx
23: 48 89 da mov %rbx,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
2e: 48 89 d8 mov %rbx,%rax
31: 83 e0 07 and $0x7,%eax
34: 83 c0 03 add $0x3,%eax
37: 38 d0 cmp %dl,%al
39: 7c 08 jl 0x43
3b: 84 d2 test %dl,%dl
3d: 0f .byte 0xf
3e: 85 .byte 0x85
3f: 6b .byte 0x6b
Code starting with the faulting instruction
0: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
4: 48 89 d8 mov %rbx,%rax
7: 83 e0 07 and $0x7,%eax
a: 83 c0 03 add $0x3,%eax
d: 38 d0 cmp %dl,%al
f: 7c 08 jl 0x19
11: 84 d2 test %dl,%dl
13: 0f .byte 0xf
14: 85 .byte 0x85
15: 6b .byte 0x6b
RSP: 0000:ffffc9000017fca0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 00000000000d0000 RCX: 1ffff11000d073a3
RDX: 000000000001a000 RSI: ffff88802c51cab8 RDI: ffff888007ad9c00
RBP: ffffc9000017fcd8 R08: 00000000000d0000 R09: 000f0000e9000000
R10: 002310a100000000 R11: 0000010000000000 R12: ffff888009e28a00
R13: ffff88802c51cab8 R14: ffff888006839d08 R15: ffff888006839d20
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
Modules linked in:
---[ end trace 0000000000000000 ]---
This has been confirmed as a false positive. The reason was fuzzing of the whole buf structure returned from virtqueue_get_buf() vs. the correct buf->buf buffer. Closing this one.
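To illustrate the harness mistake named in the closing comment (mutating the whole object that virtqueue_get_buf() returns instead of only its buf->buf payload), here is an added example; it is not kernel code or the kAFL agent, and the struct layout, field names, the mutate() helper and fuzz_iteration() are assumptions made for the demonstration:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-in (not the kernel's struct port_buffer) for the object virtqueue_get_buf()
 * returns: the driver owns every field; only the bytes inside ->buf come from the device. */
struct port_buffer {
    char  *buf;     /* payload written by the untrusted device */
    size_t size;    /* capacity of buf, fixed by the driver */
    size_t len;     /* bytes the device reported writing */
    size_t offset;  /* driver's read position */
};

/* Header laid out like virtio_console_control: id, event, value. */
struct ctrl_hdr { uint32_t id; uint16_t event; uint16_t value; };

/* Consumer in the spirit of handle_control_message(): trusts the driver-owned
 * metadata and bounds-checks the device-controlled payload. */
static bool handle_control(const struct port_buffer *pb, struct ctrl_hdr *out)
{
    if (pb->len > pb->size || pb->offset > pb->len || pb->len - pb->offset < sizeof(*out))
        return false;                    /* short or inconsistent message: reject it */
    memcpy(out, pb->buf + pb->offset, sizeof(*out));
    return true;
}

/* Deterministic stand-in for a fuzzer mutation: xor a region with a seeded pattern. */
static void mutate(void *p, size_t n, uint8_t seed)
{
    uint8_t *b = p;
    for (size_t i = 0; i < n; i++) b[i] ^= (uint8_t)(seed + i);
}

/* One fuzz iteration. whole_struct=true reproduces the harness mistake from the issue: the
 * metadata is mutated too, so the real driver would dereference a wild pointer. Returns
 * 0 = metadata corrupted (the false positive), 1 = short message rejected, 2 = header parsed. */
int fuzz_iteration(bool whole_struct, uint8_t seed, size_t claimed_len)
{
    static char payload[64];
    struct port_buffer pb = { payload, sizeof payload, claimed_len, 0 };
    struct ctrl_hdr h;
    if (whole_struct)
        mutate(&pb, sizeof pb, seed);    /* wrong: buf/size/len/offset are corrupted */
    else
        mutate(payload, pb.size, seed);  /* right: only device-controlled bytes change */
    if (pb.buf != payload || pb.size != sizeof payload || pb.offset != 0)
        return 0;                        /* never dereference the corrupted metadata */
    return handle_control(&pb, &h) ? 2 : 1;
}
```

In the whole-struct case the real driver has no such guard and dereferences the corrupted pointer, which is consistent with the wild-memory-access, null-ptr-deref and user-memory-access reports in this thread; fuzzing only the payload exercises the driver's own length checks instead.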
Found on 6.0-rc2 via the BOOT_DOINITCALLS_VIRTIO harness.
BUG: KASAN: slab-out-of-bounds in handle_control_message (drivers/char/virtio_console.c:1575)
Read of size 4 at addr ffff888006560000 by task kworker/0:1/23
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: events control_work_handler
Call Trace:
Allocated by task 1:
 kasan_save_stack (mm/kasan/common.c:39)
 kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
 __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424)
 vring_alloc_desc_extra (include/linux/slab.h:640 drivers/virtio/virtio_ring.c:1823)
 vring_alloc_state_extra_split (drivers/virtio/virtio_ring.c:1011)
 vring_new_virtqueue (drivers/virtio/virtio_ring.c:2522)
 vring_create_virtqueue (drivers/virtio/virtio_ring.c:1109 drivers/virtio/virtio_ring.c:2556)
 setup_vq (drivers/virtio/virtio_pci_modern.c:321)
 vp_setup_vq (drivers/virtio/virtio_pci_common.c:190)
 vp_find_vqs_msix (drivers/virtio/virtio_pci_common.c:329)
 vp_find_vqs (drivers/virtio/virtio_pci_common.c:411)
 vp_modern_find_vqs (drivers/virtio/virtio_pci_modern.c:357)
 virtcons_probe (drivers/char/virtio_console.c:1901 drivers/char/virtio_console.c:2063)
 virtio_dev_probe (drivers/virtio/virtio.c:307)
 really_probe (drivers/base/dd.c:530 drivers/base/dd.c:614)
 driver_probe_device (drivers/base/dd.c:753)
 driver_probe_device (drivers/base/dd.c:783)
 driver_attach (drivers/base/dd.c:1156)
 bus_for_each_dev (drivers/base/bus.c:300)
 driver_attach (drivers/base/dd.c:1173)
 bus_add_driver (drivers/base/bus.c:618)
 driver_register (drivers/base/driver.c:240)
 register_virtio_driver (drivers/virtio/virtio.c:360)
 virtio_console_init (drivers/char/virtio_console.c:2268)
 do_one_initcall (init/main.c:1421)
 kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768)
 kernel_init (init/main.c:1654)
 ret_from_fork (arch/x86/entry/entry_64.S:312)
The buggy address belongs to the object at ffff888006560800
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 2048 bytes to the left of
 2048-byte region [ffff888006560800, ffff888006561000)
The buggy address belongs to the physical page:
page:ffffea0000195800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6560
head:ffffea0000195800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 ffffea000019ee08 ffffea0000195608 ffff888005c42340
raw: 0000000000000000 0000000000050005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff88800655ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88800655ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Disabling lock debugging due to kernel taint
Similar taint:
BUG: KASAN: slab-out-of-bounds in kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495)
Write of size 100 at addr ffff888006839d08 by task kworker/0:1/23
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: events control_work_handler
Call Trace:
Allocated by task 1:
 kasan_save_stack (mm/kasan/common.c:39)
 kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
 __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424)
 alloc_buf (include/linux/slab.h:605 drivers/char/virtio_console.c:424)
 fill_queue (drivers/char/virtio_console.c:1335)
 virtcons_probe (drivers/char/virtio_console.c:2083)
 virtio_dev_probe (drivers/virtio/virtio.c:307)
 really_probe (drivers/base/dd.c:530 drivers/base/dd.c:614)
 driver_probe_device (drivers/base/dd.c:753)
 driver_probe_device (drivers/base/dd.c:783)
 __driver_attach (drivers/base/dd.c:1156)
 bus_for_each_dev (drivers/base/bus.c:300)
 driver_attach (drivers/base/dd.c:1173)
 bus_add_driver (drivers/base/bus.c:618)
 driver_register (drivers/base/driver.c:240)
 register_virtio_driver (drivers/virtio/virtio.c:360)
 virtio_console_init (drivers/char/virtio_console.c:2268)
 do_one_initcall (init/main.c:1421)
 kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768)
 kernel_init (init/main.c:1654)
 ret_from_fork (arch/x86/entry/entry_64.S:312)
The buggy address belongs to the object at ffff888006839d08
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 0 bytes inside of
 96-byte region [ffff888006839d08, ffff888006839d68)
The buggy address belongs to the physical page:
page:ffffea00001a0e40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6839
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 ffffea00001a3488 ffffea00001aa3c8 ffff888005c41940
raw: 0000000000000000 0000000000130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff888006839c00: fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00
 ffff888006839c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Disabling lock debugging due to kernel taint