Open ereshetova opened 1 year ago
Likely a related one (same kernel build, 6.0.0-rc2-g1d588de205f8, hit by PID 1 `swapper` during boot):
WARNING: CPU: 0 PID: 1 at arch/x86/mm/ioremap.c:223 __ioremap_caller (arch/x86/mm/ioremap.c:223 (discriminator 3))
Modules linked in:
CPU: 0 PID: 1 Comm: swapper Not tainted 6.0.0-rc2-g1d588de205f8 #1
RIP: 0010:__ioremap_caller (arch/x86/mm/ioremap.c:223 (discriminator 3))
Code: 4c 8b 85 20 ff ff ff 49 09 c0 e9 4c fd ff ff 48 8d 53 a0 48 8d 73 c0 48 c7 c7 e0 1d 45 83 c6 05 1f db e8 03 01 e8 90 26 d9 01 <0f> 0b 45 31 ed e9 29 fe ff ff 48 c7 c7 3d 9e f8 84 e8 75 84 49 00
All code
0: 4c 8b 85 20 ff ff ff mov -0xe0(%rbp),%r8
7: 49 09 c0 or %rax,%r8
a: e9 4c fd ff ff jmpq 0xfffffffffffffd5b
f: 48 8d 53 a0 lea -0x60(%rbx),%rdx
13: 48 8d 73 c0 lea -0x40(%rbx),%rsi
17: 48 c7 c7 e0 1d 45 83 mov $0xffffffff83451de0,%rdi
1e: c6 05 1f db e8 03 01 movb $0x1,0x3e8db1f(%rip) # 0x3e8db44
25: e8 90 26 d9 01 callq 0x1d926ba
2a:* 0f 0b ud2 <-- trapping instruction
2c: 45 31 ed xor %r13d,%r13d
2f: e9 29 fe ff ff jmpq 0xfffffffffffffe5d
34: 48 c7 c7 3d 9e f8 84 mov $0xffffffff84f89e3d,%rdi
3b: e8 75 84 49 00 callq 0x4984b5
Code starting with the faulting instruction
0: 0f 0b ud2
2: 45 31 ed xor %r13d,%r13d
5: e9 29 fe ff ff jmpq 0xfffffffffffffe33
a: 48 c7 c7 3d 9e f8 84 mov $0xffffffff84f89e3d,%rdi
11: e8 75 84 49 00 callq 0x49848b
RSP: 0000:ffffc9000001f498 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffc9000001f570 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: fffff52000003e85
RBP: ffffc9000001f598 R08: 0000000000000000 R09: 00000000ffffffea
R10: ffffc9000001f1a7 R11: fffff52000003e34 R12: 000000000080c000
R13: 0000000000000003 R14: 00000000000055e0 R15: 00000000008115df
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
---[ end trace 0000000000000000 ]---
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1 Comm: swapper Tainted: G W 6.0.0-rc2-g1d588de205f8 #1
RIP: 0010:try_module_get (kernel/module/main.c:829)
Code: 1a 48 c7 83 b8 00 00 00 00 00 01 00 00 00 5c 5d c3 4c 89 e7 e8 7d 37 35 00 eb 01 00 00 00 e8 13 38 35 00 eb dc 90 55 48 89 e5 <01> 00 00 00 01 00 00 00 41 54 53 48 83 ec 08 48 01 00 00 00 b5 00
All code
0: 1a 48 c7 sbb -0x39(%rax),%cl
3: 83 b8 00 00 00 00 00 cmpl $0x0,0x0(%rax)
a: 01 00 add %eax,(%rax)
c: 00 00 add %al,(%rax)
e: 5c pop %rsp
f: 5d pop %rbp
10: c3 retq
11: 4c 89 e7 mov %r12,%rdi
14: e8 7d 37 35 00 callq 0x353796
19: eb 01 jmp 0x1c
1b: 00 00 add %al,(%rax)
1d: 00 e8 add %ch,%al
1f: 13 38 adc (%rax),%edi
21: 35 00 eb dc 90 xor $0x90dceb00,%eax
26: 55 push %rbp
27: 48 89 e5 mov %rsp,%rbp
2a:* 01 00 add %eax,(%rax) <-- trapping instruction
2c: 00 00 add %al,(%rax)
2e: 01 00 add %eax,(%rax)
30: 00 00 add %al,(%rax)
32: 41 54 push %r12
34: 53 push %rbx
35: 48 83 ec 08 sub $0x8,%rsp
39: 48 01 00 add %rax,(%rax)
3c: 00 00 add %al,(%rax)
3e: b5 00 mov $0x0,%ch
Code starting with the faulting instruction
0: 01 00 add %eax,(%rax)
2: 00 00 add %al,(%rax)
4: 01 00 add %eax,(%rax)
6: 00 00 add %al,(%rax)
8: 41 54 push %r12
a: 53 push %rbx
b: 48 83 ec 08 sub $0x8,%rsp
f: 48 01 00 add %rax,(%rax)
12: 00 00 add %al,(%rax)
14: b5 00 mov $0x0,%ch
RSP: 0000:ffffc9000001f6c8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888009f61400 RCX: 0000000000000000
RDX: 1ffff110013ec2a8 RSI: ffff888009f61400 RDI: 0000000000000000
RBP: ffffc9000001f6c8 R08: ffffffff8100c44f R09: ffff888021869db0
R10: ffffffff84fb2662 R11: ffffffff82f4faf9 R12: 000000000000000a
R13: ffff888009f61400 R14: ffff888009f61418 R15: ffff8880096e6418
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
Modules linked in: ---[ end trace 0000000000000000 ]---
Likely another related one, found on the same kernel build (6.0.0-rc2-g1d588de205f8) but with the BPH_P9_VIRTIO_PROBE harness. As in the try_module_get crash above, the non-canonical address is 0xdffffc0000000000 and is sitting in RAX at the time of the fault; that value is the x86-64 KASAN shadow offset (i.e. the shadow of address 0), which is presumably why KASAN labels it a null-ptr-deref. In both dumps the bytes at RIP decode as runs of zeros and "(bad)" rather than a plausible instruction stream (see the objdump output below), so the function:line that RIP is attributed to may only be where execution landed, not where the corruption originated — worth confirming against the vmlinux before reading too much into try_module_get/tdx_fuzz themselves:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1 Comm: swapper Not tainted 6.0.0-rc2-g1d588de205f8 #1
RIP: 0010:tdx_fuzz (arch/x86/coco/tdx/kafl-agent.c:523)
Code: ff ff 4c 89 55 c0 48 89 45 c8 48 89 75 d0 e8 c7 58 57 00 4c 8b 55 c0 48 8b 45 c8 48 8b 75 d0 e9 3f ff ff ff 66 0f 1f 44 00 00 <00> 00 e0 fe 00 00 00 00 ef 00 00 00 00 00 00 00 00 00 e0 fe 00 00
All code
0: ff (bad)
1: ff 4c 89 55 decl 0x55(%rcx,%rcx,4)
5: c0 48 89 45 rorb $0x45,-0x77(%rax)
9: c8 48 89 75 enterq $0x8948,$0x75
d: d0 e8 shr %al
f: c7 (bad)
10: 58 pop %rax
11: 57 push %rdi
12: 00 4c 8b 55 add %cl,0x55(%rbx,%rcx,4)
16: c0 48 8b 45 rorb $0x45,-0x75(%rax)
1a: c8 48 8b 75 enterq $0x8b48,$0x75
1e: d0 e9 shr %cl
20: 3f (bad)
21: ff (bad)
22: ff (bad)
23: ff 66 0f jmpq 0xf(%rsi)
26: 1f (bad)
27: 44 00 00 add %r8b,(%rax)
2a: 00 00 add %al,(%rax) <-- trapping instruction
2c: e0 fe loopne 0x2c
2e: 00 00 add %al,(%rax)
30: 00 00 add %al,(%rax)
32: ef out %eax,(%dx)
...
3b: 00 e0 add %ah,%al
3d: fe 00 incb (%rax)
...
Code starting with the faulting instruction
0: 00 00 add %al,(%rax)
2: e0 fe loopne 0x2
4: 00 00 add %al,(%rax)
6: 00 00 add %al,(%rax)
8: ef out %eax,(%dx)
...
11: 00 e0 add %ah,%al
13: fe 00 incb (%rax)
...
RSP: 0000:ffffc9000001f1a8 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff92000003e3a RCX: 0000000000000002
RDX: 0000000000000002 RSI: 0000000000000cfc RDI: 0000000000000407
RBP: ffffc9000001f278 R08: ffffc90000071048 R09: 000000000000000a
R10: ffffc9000001f428 R11: 0000000000000000 R12: ffffc9000001f388
R13: 000000000001ffff R14: ffffc9000001f250 R15: ffffc9000001f3d8
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
Modules linked in: ---[ end trace 0000000000000000 ]---
Found in 6.0-rc2 via the BOOT_VIRTIO_BLK_PROBE harness. This is the same try_module_get (kernel/module/main.c:829) fault as reported above: the Code bytes are identical and the registers match apart from R8, R10 and R11 (the earlier dump is marked tainted, presumably just because of the preceding ioremap WARNING).
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1 Comm: swapper Not tainted 6.0.0-rc2-g1d588de205f8 #1
RIP: 0010:try_module_get (kernel/module/main.c:829)
Code: 1a 48 c7 83 b8 00 00 00 00 00 01 00 00 00 5c 5d c3 4c 89 e7 e8 7d 37 35 00 eb 01 00 00 00 e8 13 38 35 00 eb dc 90 55 48 89 e5 <01> 00 00 00 01 00 00 00 41 54 53 48 83 ec 08 48 01 00 00 00 b5 00
All code
0: 1a 48 c7 sbb -0x39(%rax),%cl
3: 83 b8 00 00 00 00 00 cmpl $0x0,0x0(%rax)
a: 01 00 add %eax,(%rax)
c: 00 00 add %al,(%rax)
e: 5c pop %rsp
f: 5d pop %rbp
10: c3 retq
11: 4c 89 e7 mov %r12,%rdi
14: e8 7d 37 35 00 callq 0x353796
19: eb 01 jmp 0x1c
1b: 00 00 add %al,(%rax)
1d: 00 e8 add %ch,%al
1f: 13 38 adc (%rax),%edi
21: 35 00 eb dc 90 xor $0x90dceb00,%eax
26: 55 push %rbp
27: 48 89 e5 mov %rsp,%rbp
2a:* 01 00 add %eax,(%rax) <-- trapping instruction
2c: 00 00 add %al,(%rax)
2e: 01 00 add %eax,(%rax)
30: 00 00 add %al,(%rax)
32: 41 54 push %r12
34: 53 push %rbx
35: 48 83 ec 08 sub $0x8,%rsp
39: 48 01 00 add %rax,(%rax)
3c: 00 00 add %al,(%rax)
3e: b5 00 mov $0x0,%ch
Code starting with the faulting instruction
0: 01 00 add %eax,(%rax)
2: 00 00 add %al,(%rax)
4: 01 00 add %eax,(%rax)
6: 00 00 add %al,(%rax)
8: 41 54 push %r12
a: 53 push %rbx
b: 48 83 ec 08 sub $0x8,%rsp
f: 48 01 00 add %rax,(%rax)
12: 00 00 add %al,(%rax)
14: b5 00 mov $0x0,%ch
RSP: 0000:ffffc9000001f6c8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888009f61400 RCX: 0000000000000000
RDX: 1ffff110013ec2a8 RSI: ffff888009f61400 RDI: 0000000000000000
RBP: ffffc9000001f6c8 R08: ffffffff8157f1f6 R09: ffff888021869db0
R10: ffffffff8157bcbd R11: ffffffff8157f2a7 R12: 000000000000000a
R13: ffff888009f61400 R14: ffff888009f61418 R15: ffff8880096e6418
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
Modules linked in: ---[ end trace 0000000000000000 ]---