This repository has been archived by the owner on Sep 25, 2024. It is now read-only.

KASAN: null-ptr-deref in range [x-y] RIP: try_module_get #102

Open
ereshetova opened this issue Apr 6, 2023 · 2 comments
Labels
6.0.0-rc2 BOOT_VIRTIO_BLK_PROBE BPH_P9_VIRTIO_PROBE fuzz_finding Bugs discovered by the kafl fuzzer in the Linux kernel msi virtio virtio-related fuzzing findings

Comments

@ereshetova
Contributor

Found in 6.0-rc2 via BOOT_VIRTIO_BLK_PROBE harness.

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1 Comm: swapper Not tainted 6.0.0-rc2-g1d588de205f8 #1
RIP: 0010:try_module_get (kernel/module/main.c:829)
Code: 1a 48 c7 83 b8 00 00 00 00 00 01 00 00 00 5c 5d c3 4c 89 e7 e8 7d 37 35 00 eb 01 00 00 00 e8 13 38 35 00 eb dc 90 55 48 89 e5 <01> 00 00 00 01 00 00 00 41 54 53 48 83 ec 08 48 01 00 00 00 b5 00

All code

0: 1a 48 c7 sbb -0x39(%rax),%cl
3: 83 b8 00 00 00 00 00 cmpl $0x0,0x0(%rax)
a: 01 00 add %eax,(%rax)
c: 00 00 add %al,(%rax)
e: 5c pop %rsp
f: 5d pop %rbp
10: c3 retq
11: 4c 89 e7 mov %r12,%rdi
14: e8 7d 37 35 00 callq 0x353796
19: eb 01 jmp 0x1c
1b: 00 00 add %al,(%rax)
1d: 00 e8 add %ch,%al
1f: 13 38 adc (%rax),%edi
21: 35 00 eb dc 90 xor $0x90dceb00,%eax
26: 55 push %rbp
27: 48 89 e5 mov %rsp,%rbp
2a:* 01 00 add %eax,(%rax) <-- trapping instruction
2c: 00 00 add %al,(%rax)
2e: 01 00 add %eax,(%rax)
30: 00 00 add %al,(%rax)
32: 41 54 push %r12
34: 53 push %rbx
35: 48 83 ec 08 sub $0x8,%rsp
39: 48 01 00 add %rax,(%rax)
3c: 00 00 add %al,(%rax)
3e: b5 00 mov $0x0,%ch

Code starting with the faulting instruction

0: 01 00 add %eax,(%rax)
2: 00 00 add %al,(%rax)
4: 01 00 add %eax,(%rax)
6: 00 00 add %al,(%rax)
8: 41 54 push %r12
a: 53 push %rbx
b: 48 83 ec 08 sub $0x8,%rsp
f: 48 01 00 add %rax,(%rax)
12: 00 00 add %al,(%rax)
14: b5 00 mov $0x0,%ch
RSP: 0000:ffffc9000001f6c8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888009f61400 RCX: 0000000000000000
RDX: 1ffff110013ec2a8 RSI: ffff888009f61400 RDI: 0000000000000000
RBP: ffffc9000001f6c8 R08: ffffffff8157f1f6 R09: ffff888021869db0
R10: ffffffff8157bcbd R11: ffffffff8157f2a7 R12: 000000000000000a
R13: ffff888009f61400 R14: ffff888009f61418 R15: ffff8880096e6418
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:

__setup_irq (kernel/irq/manage.c:1508)
? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
? kmem_cache_alloc_trace (mm/slub.c:3286)
request_threaded_irq (kernel/irq/manage.c:2198)
vp_find_vqs_msix (include/linux/interrupt.h:168 drivers/virtio/virtio_pci_common.c:144 drivers/virtio/virtio_pci_common.c:310)
vp_find_vqs (drivers/virtio/virtio_pci_common.c:411)
? vsprintf (lib/vsprintf.c:2912)
vp_modern_find_vqs (drivers/virtio/virtio_pci_modern.c:357)
init_vq.cold (include/linux/virtio_config.h:227 drivers/block/virtio_blk.c:664)
? kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495)
? virtblk_add_req (drivers/block/virtio_blk.c:602)
? kmem_cache_alloc_trace (mm/slub.c:3286)
__virtblk_probe (drivers/block/virtio_blk.c:934)
? memset (mm/kasan/shadow.c:48)
? kafl_agent_init (arch/x86/coco/tdx/kafl-agent.c:290)
? virtblk_getgeo (drivers/block/virtio_blk.c:888)
virtblk_probe (drivers/block/virtio_blk.c:1114)
virtio_dev_probe (drivers/virtio/virtio.c:307)
? sysfs_create_link (fs/sysfs/symlink.c:93)
really_probe (drivers/base/dd.c:530 drivers/base/dd.c:614)
__driver_probe_device (drivers/base/dd.c:753)
driver_probe_device (drivers/base/dd.c:783)
__driver_attach (drivers/base/dd.c:1156)
? __device_attach_driver (drivers/base/base.h:147 drivers/base/dd.c:1120)
bus_for_each_dev (drivers/base/bus.c:300)
? subsys_dev_iter_exit (drivers/base/bus.c:290)
? __kasan_check_write (mm/kasan/shadow.c:38)
? klist_node_init (arch/x86/include/asm/atomic.h:41 include/linux/atomic/atomic-instrumented.h:42 include/linux/refcount.h:136 include/linux/kref.h:31 lib/klist.c:111)
driver_attach (drivers/base/dd.c:1173)
bus_add_driver (drivers/base/bus.c:618)
driver_register (drivers/base/driver.c:240)
register_virtio_driver (drivers/virtio/virtio.c:360)
virtio_blk_init (drivers/block/virtio_blk.c:1230)
? loop_init (drivers/block/virtio_blk.c:1217)
do_one_initcall (init/main.c:1421)
? initcall_blacklisted (init/main.c:1394)
? parameq (kernel/params.c:98)
? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
? __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424)
kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768)
? rest_init (init/main.c:1644)
kernel_init (init/main.c:1654)
ret_from_fork (arch/x86/entry/entry_64.S:312)

Modules linked in:
---[ end trace 0000000000000000 ]---

@ereshetova ereshetova added fuzz_finding Bugs discovered by the kafl fuzzer in the Linux kernel 6.0.0-rc2 virtio virtio-related fuzzing findings BOOT_VIRTIO_BLK_PROBE labels Apr 6, 2023
@ereshetova
Contributor Author

Likely related one:

WARNING: CPU: 0 PID: 1 at arch/x86/mm/ioremap.c:223 __ioremap_caller (arch/x86/mm/ioremap.c:223 (discriminator 3))
Modules linked in:
CPU: 0 PID: 1 Comm: swapper Not tainted 6.0.0-rc2-g1d588de205f8 #1
RIP: 0010:__ioremap_caller (arch/x86/mm/ioremap.c:223 (discriminator 3))
Code: 4c 8b 85 20 ff ff ff 49 09 c0 e9 4c fd ff ff 48 8d 53 a0 48 8d 73 c0 48 c7 c7 e0 1d 45 83 c6 05 1f db e8 03 01 e8 90 26 d9 01 <0f> 0b 45 31 ed e9 29 fe ff ff 48 c7 c7 3d 9e f8 84 e8 75 84 49 00
All code

0: 4c 8b 85 20 ff ff ff mov -0xe0(%rbp),%r8
7: 49 09 c0 or %rax,%r8
a: e9 4c fd ff ff jmpq 0xfffffffffffffd5b
f: 48 8d 53 a0 lea -0x60(%rbx),%rdx
13: 48 8d 73 c0 lea -0x40(%rbx),%rsi
17: 48 c7 c7 e0 1d 45 83 mov $0xffffffff83451de0,%rdi
1e: c6 05 1f db e8 03 01 movb $0x1,0x3e8db1f(%rip) # 0x3e8db44
25: e8 90 26 d9 01 callq 0x1d926ba
2a:* 0f 0b ud2 <-- trapping instruction
2c: 45 31 ed xor %r13d,%r13d
2f: e9 29 fe ff ff jmpq 0xfffffffffffffe5d
34: 48 c7 c7 3d 9e f8 84 mov $0xffffffff84f89e3d,%rdi
3b: e8 75 84 49 00 callq 0x4984b5

Code starting with the faulting instruction

0: 0f 0b ud2
2: 45 31 ed xor %r13d,%r13d
5: e9 29 fe ff ff jmpq 0xfffffffffffffe33
a: 48 c7 c7 3d 9e f8 84 mov $0xffffffff84f89e3d,%rdi
11: e8 75 84 49 00 callq 0x49848b
RSP: 0000:ffffc9000001f498 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffc9000001f570 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: fffff52000003e85
RBP: ffffc9000001f598 R08: 0000000000000000 R09: 00000000ffffffea
R10: ffffc9000001f1a7 R11: fffff52000003e34 R12: 000000000080c000
R13: 0000000000000003 R14: 00000000000055e0 R15: 00000000008115df
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:

? pci_read (arch/x86/pci/common.c:64)
? __pci_enable_msix_range (drivers/pci/msi/msi.c:503 drivers/pci/msi/msi.c:636 drivers/pci/msi/msi.c:836 drivers/pci/msi/msi.c:961)
? __ioremap_collect_map_flags (arch/x86/mm/ioremap.c:193)
? pci_write_config_word (drivers/pci/access.c:572)
? pci_bus_read_config_word (drivers/pci/access.c:68)
? pci_msi_vec_count (drivers/pci/msi/msi.c:788)
ioremap_driver_hardened (arch/x86/mm/ioremap.c:432)
__pci_enable_msix_range (drivers/pci/msi/msi.c:503 drivers/pci/msi/msi.c:636 drivers/pci/msi/msi.c:836 drivers/pci/msi/msi.c:961)
? kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768)
? kernel_init (init/main.c:1654)
? ret_from_fork (arch/x86/entry/entry_64.S:312)
? pci_irq_get_affinity (drivers/pci/msi/msi.c:941)
? alloc_debug_processing (mm/slub.c:1340)
? ___slab_alloc (mm/slub.c:3096)
? kasan_save_stack (mm/kasan/common.c:40)
pci_alloc_irq_vectors_affinity (drivers/pci/msi/msi.c:1032)
? pci_enable_msix_range (drivers/pci/msi/msi.c:1017)
? __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424)
vp_find_vqs_msix (drivers/virtio/virtio_pci_common.c:134 drivers/virtio/virtio_pci_common.c:310)
? pointer (lib/vsprintf.c:2713)
vp_find_vqs (drivers/virtio/virtio_pci_common.c:407)
? vsprintf (lib/vsprintf.c:2912)
vp_modern_find_vqs (drivers/virtio/virtio_pci_modern.c:357)
init_vq.cold (include/linux/virtio_config.h:227 drivers/block/virtio_blk.c:664)
? kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495)
? virtblk_add_req (drivers/block/virtio_blk.c:602)
? kmem_cache_alloc_trace (mm/slub.c:3286)
__virtblk_probe (drivers/block/virtio_blk.c:934)
? memset (mm/kasan/shadow.c:48)
? kafl_agent_init (arch/x86/coco/tdx/kafl-agent.c:290)
? virtblk_getgeo (drivers/block/virtio_blk.c:888)
virtblk_probe (drivers/block/virtio_blk.c:1114)
virtio_dev_probe (drivers/virtio/virtio.c:307)
? sysfs_create_link (fs/sysfs/symlink.c:93)
really_probe (drivers/base/dd.c:530 drivers/base/dd.c:614)
__driver_probe_device (drivers/base/dd.c:753)
driver_probe_device (drivers/base/dd.c:783)
__driver_attach (drivers/base/dd.c:1156)
? __device_attach_driver (drivers/base/base.h:147 drivers/base/dd.c:1120)
bus_for_each_dev (drivers/base/bus.c:300)
? subsys_dev_iter_exit (drivers/base/bus.c:290)
? __kasan_check_write (mm/kasan/shadow.c:38)
? klist_node_init (arch/x86/include/asm/atomic.h:41 include/linux/atomic/atomic-instrumented.h:42 include/linux/refcount.h:136 include/linux/kref.h:31 lib/klist.c:111)
driver_attach (drivers/base/dd.c:1173)
bus_add_driver (drivers/base/bus.c:618)
driver_register (drivers/base/driver.c:240)
register_virtio_driver (drivers/virtio/virtio.c:360)
virtio_blk_init (drivers/block/virtio_blk.c:1230)
? loop_init (drivers/block/virtio_blk.c:1217)
do_one_initcall (init/main.c:1421)
? initcall_blacklisted (init/main.c:1394)
? parameq (kernel/params.c:98)
? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
? __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424)
kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768)
? rest_init (init/main.c:1644)
kernel_init (init/main.c:1654)
ret_from_fork (arch/x86/entry/entry_64.S:312)

---[ end trace 0000000000000000 ]---
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1 Comm: swapper Tainted: G W 6.0.0-rc2-g1d588de205f8 #1
RIP: 0010:try_module_get (kernel/module/main.c:829)
Code: 1a 48 c7 83 b8 00 00 00 00 00 01 00 00 00 5c 5d c3 4c 89 e7 e8 7d 37 35 00 eb 01 00 00 00 e8 13 38 35 00 eb dc 90 55 48 89 e5 <01> 00 00 00 01 00 00 00 41 54 53 48 83 ec 08 48 01 00 00 00 b5 00

All code

0: 1a 48 c7 sbb -0x39(%rax),%cl
3: 83 b8 00 00 00 00 00 cmpl $0x0,0x0(%rax)
a: 01 00 add %eax,(%rax)
c: 00 00 add %al,(%rax)
e: 5c pop %rsp
f: 5d pop %rbp
10: c3 retq
11: 4c 89 e7 mov %r12,%rdi
14: e8 7d 37 35 00 callq 0x353796
19: eb 01 jmp 0x1c
1b: 00 00 add %al,(%rax)
1d: 00 e8 add %ch,%al
1f: 13 38 adc (%rax),%edi
21: 35 00 eb dc 90 xor $0x90dceb00,%eax
26: 55 push %rbp
27: 48 89 e5 mov %rsp,%rbp
2a:* 01 00 add %eax,(%rax) <-- trapping instruction
2c: 00 00 add %al,(%rax)
2e: 01 00 add %eax,(%rax)
30: 00 00 add %al,(%rax)
32: 41 54 push %r12
34: 53 push %rbx
35: 48 83 ec 08 sub $0x8,%rsp
39: 48 01 00 add %rax,(%rax)
3c: 00 00 add %al,(%rax)
3e: b5 00 mov $0x0,%ch

Code starting with the faulting instruction

0: 01 00 add %eax,(%rax)
2: 00 00 add %al,(%rax)
4: 01 00 add %eax,(%rax)
6: 00 00 add %al,(%rax)
8: 41 54 push %r12
a: 53 push %rbx
b: 48 83 ec 08 sub $0x8,%rsp
f: 48 01 00 add %rax,(%rax)
12: 00 00 add %al,(%rax)
14: b5 00 mov $0x0,%ch
RSP: 0000:ffffc9000001f6c8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888009f61400 RCX: 0000000000000000
RDX: 1ffff110013ec2a8 RSI: ffff888009f61400 RDI: 0000000000000000
RBP: ffffc9000001f6c8 R08: ffffffff8100c44f R09: ffff888021869db0
R10: ffffffff84fb2662 R11: ffffffff82f4faf9 R12: 000000000000000a
R13: ffff888009f61400 R14: ffff888009f61418 R15: ffff8880096e6418
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:

__setup_irq (kernel/irq/manage.c:1508)
? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
? kmem_cache_alloc_trace (mm/slub.c:3286)
request_threaded_irq (kernel/irq/manage.c:2198)
vp_find_vqs_msix (include/linux/interrupt.h:168 drivers/virtio/virtio_pci_common.c:144 drivers/virtio/virtio_pci_common.c:310)
vp_find_vqs (drivers/virtio/virtio_pci_common.c:411)
? vsprintf (lib/vsprintf.c:2912)
vp_modern_find_vqs (drivers/virtio/virtio_pci_modern.c:357)
init_vq.cold (include/linux/virtio_config.h:227 drivers/block/virtio_blk.c:664)
? kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495)
? virtblk_add_req (drivers/block/virtio_blk.c:602)
? kmem_cache_alloc_trace (mm/slub.c:3286)
__virtblk_probe (drivers/block/virtio_blk.c:934)
? memset (mm/kasan/shadow.c:48)
? kafl_agent_init (arch/x86/coco/tdx/kafl-agent.c:290)
? virtblk_getgeo (drivers/block/virtio_blk.c:888)
virtblk_probe (drivers/block/virtio_blk.c:1114)
virtio_dev_probe (drivers/virtio/virtio.c:307)
? sysfs_create_link (fs/sysfs/symlink.c:93)
really_probe (drivers/base/dd.c:530 drivers/base/dd.c:614)
__driver_probe_device (drivers/base/dd.c:753)
driver_probe_device (drivers/base/dd.c:783)
__driver_attach (drivers/base/dd.c:1156)
? __device_attach_driver (drivers/base/base.h:147 drivers/base/dd.c:1120)
bus_for_each_dev (drivers/base/bus.c:300)
? subsys_dev_iter_exit (drivers/base/bus.c:290)
? __kasan_check_write (mm/kasan/shadow.c:38)
? klist_node_init (arch/x86/include/asm/atomic.h:41 include/linux/atomic/atomic-instrumented.h:42 include/linux/refcount.h:136 include/linux/kref.h:31 lib/klist.c:111)
driver_attach (drivers/base/dd.c:1173)
bus_add_driver (drivers/base/bus.c:618)
driver_register (drivers/base/driver.c:240)
register_virtio_driver (drivers/virtio/virtio.c:360)
virtio_blk_init (drivers/block/virtio_blk.c:1230)
? loop_init (drivers/block/virtio_blk.c:1217)
do_one_initcall (init/main.c:1421)
? initcall_blacklisted (init/main.c:1394)
? parameq (kernel/params.c:98)
? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
? __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424)
kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768)
? rest_init (init/main.c:1644)
kernel_init (init/main.c:1654)
ret_from_fork (arch/x86/entry/entry_64.S:312)

Modules linked in:
---[ end trace 0000000000000000 ]---

@ereshetova ereshetova added the msi label Apr 6, 2023
@ereshetova
Contributor Author

Likely another related one, which was found on the same kernel but with BPH_P9_VIRTIO_PROBE harness:

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1 Comm: swapper Not tainted 6.0.0-rc2-g1d588de205f8 #1
RIP: 0010:tdx_fuzz (arch/x86/coco/tdx/kafl-agent.c:523)
Code: ff ff 4c 89 55 c0 48 89 45 c8 48 89 75 d0 e8 c7 58 57 00 4c 8b 55 c0 48 8b 45 c8 48 8b 75 d0 e9 3f ff ff ff 66 0f 1f 44 00 00 <00> 00 e0 fe 00 00 00 00 ef 00 00 00 00 00 00 00 00 00 e0 fe 00 00
All code

0: ff (bad)
1: ff 4c 89 55 decl 0x55(%rcx,%rcx,4)
5: c0 48 89 45 rorb $0x45,-0x77(%rax)
9: c8 48 89 75 enterq $0x8948,$0x75
d: d0 e8 shr %al
f: c7 (bad)
10: 58 pop %rax
11: 57 push %rdi
12: 00 4c 8b 55 add %cl,0x55(%rbx,%rcx,4)
16: c0 48 8b 45 rorb $0x45,-0x75(%rax)
1a: c8 48 8b 75 enterq $0x8b48,$0x75
1e: d0 e9 shr %cl
20: 3f (bad)
21: ff (bad)
22: ff (bad)
23: ff 66 0f jmpq 0xf(%rsi)
26: 1f (bad)
27: 44 00 00 add %r8b,(%rax)
2a: 00 00 add %al,(%rax) <-- trapping instruction
2c: e0 fe loopne 0x2c
2e: 00 00 add %al,(%rax)
30: 00 00 add %al,(%rax)
32: ef out %eax,(%dx)
...
3b: 00 e0 add %ah,%al
3d: fe 00 incb (%rax)
...

Code starting with the faulting instruction

0: 00 00 add %al,(%rax)
2: e0 fe loopne 0x2
4: 00 00 add %al,(%rax)
6: 00 00 add %al,(%rax)
8: ef out %eax,(%dx)
...
11: 00 e0 add %ah,%al
13: fe 00 incb (%rax)
...
RSP: 0000:ffffc9000001f1a8 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff92000003e3a RCX: 0000000000000002
RDX: 0000000000000002 RSI: 0000000000000cfc RDI: 0000000000000407
RBP: ffffc9000001f278 R08: ffffc90000071048 R09: 000000000000000a
R10: ffffc9000001f428 R11: 0000000000000000 R12: ffffc9000001f388
R13: 000000000001ffff R14: ffffc9000001f250 R15: ffffc9000001f3d8
FS: 0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:

? handle_io (arch/x86/coco/tdx/tdx.c:826 arch/x86/coco/tdx/tdx.c:869)
? tdx_write_msr (arch/x86/coco/tdx/tdx.c:856)
? __trace_tdx_module_call (arch/x86/coco/tdx/tdx.c:86)
? __kasan_check_write (mm/kasan/shadow.c:38)
? down_write (arch/x86/include/asm/atomic64_64.h:34 include/linux/atomic/atomic-long.h:41 include/linux/atomic/atomic-instrumented.h:1280 kernel/locking/rwsem.c:139 kernel/locking/rwsem.c:256 kernel/locking/rwsem.c:1296 kernel/locking/rwsem.c:1306 kernel/locking/rwsem.c:1553)
tdx_handle_virt_exception (arch/x86/coco/tdx/tdx.c:972 arch/x86/coco/tdx/tdx.c:986)
? tdx_get_ve_info (arch/x86/coco/tdx/tdx.c:153 arch/x86/coco/tdx/tdx.c:919)
? tdx_get_ve_info (arch/x86/coco/tdx/tdx.c:980)
exc_virtualization_exception (arch/x86/kernel/traps.c:1441 arch/x86/kernel/traps.c:1422)
asm_exc_virtualization_exception (arch/x86/include/asm/idtentry.h:636)
RIP: 0010:pci_conf1_read (arch/x86/include/asm/shared/io.h:23 arch/x86/pci/direct.c:44)
Code: ca 7c d3 84 c9 74 cf 4c 89 cf 89 45 cc 4c 89 4d d0 e8 2e 89 71 fe 8b 45 cc 4c 8b 4d d0 eb b7 41 83 e5 02 41 8d 95 fc 0c 00 00 <66> ed 48 ba 00 00 00 00 00 fc ff df 4c 89 c9 0f b7 c0 48 c1 e9 03
All code

0: ca 7c d3 lret $0xd37c
3: 84 c9 test %cl,%cl
5: 74 cf je 0xffffffffffffffd6
7: 4c 89 cf mov %r9,%rdi
a: 89 45 cc mov %eax,-0x34(%rbp)
d: 4c 89 4d d0 mov %r9,-0x30(%rbp)
11: e8 2e 89 71 fe callq 0xfffffffffe718944
16: 8b 45 cc mov -0x34(%rbp),%eax
19: 4c 8b 4d d0 mov -0x30(%rbp),%r9
1d: eb b7 jmp 0xffffffffffffffd6
1f: 41 83 e5 02 and $0x2,%r13d
23: 41 8d 95 fc 0c 00 00 lea 0xcfc(%r13),%edx
2a:* 66 ed in (%dx),%ax <-- trapping instruction
2c: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
33: fc ff df
36: 4c 89 c9 mov %r9,%rcx
39: 0f b7 c0 movzwl %ax,%eax
3c: 48 c1 e9 03 shr $0x3,%rcx

Code starting with the faulting instruction

0: 66 ed in (%dx),%ax
2: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
9: fc ff df
c: 4c 89 c9 mov %r9,%rcx
f: 0f b7 c0 movzwl %ax,%eax
12: 48 c1 e9 03 shr $0x3,%rcx
RSP: 0000:ffffc9000001f488 EFLAGS: 00000046
RAX: 0000000080000000 RBX: 0000000000000000 RCX: 1ffffffff0ac19f4
RDX: 0000000000000cfc RSI: 0000000000000000 RDI: ffff88802c448850
RBP: ffffc9000001f4c0 R08: 0000000000000002 R09: ffffc9000001f570
R10: ffffc9000001f62f R11: fffff52000003ec5 R12: 0000000000000297
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
? pci_conf1_read (arch/x86/pci/direct.c:33)
raw_pci_read (arch/x86/pci/common.c:48)
pci_read (arch/x86/pci/common.c:64)
pci_bus_read_config_word (drivers/pci/access.c:67 (discriminator 2))
? pci_bus_read_config_byte (drivers/pci/access.c:67)
pci_read_config_word (drivers/pci/access.c:545)
? __kasan_check_write (mm/kasan/shadow.c:38)
pci_intx (drivers/pci/pci.c:4638)
? __mutex_unlock_slowpath (kernel/locking/mutex.c:538)
? pcim_pin_device (drivers/pci/pci.c:4632)
? msi_domain_alloc_irqs_descs_locked (kernel/irq/msi.c:953)
__pci_enable_msix_range (drivers/pci/msi/msi.c:238 drivers/pci/msi/msi.c:649 drivers/pci/msi/msi.c:836 drivers/pci/msi/msi.c:961)
? ret_from_fork (arch/x86/entry/entry_64.S:312)
? pci_irq_get_affinity (drivers/pci/msi/msi.c:941)
? alloc_debug_processing (mm/slub.c:1340)
? ___slab_alloc (mm/slub.c:3096)
pci_alloc_irq_vectors_affinity (drivers/pci/msi/msi.c:1032)
? pci_enable_msix_range (drivers/pci/msi/msi.c:1017)
? __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424)
vp_find_vqs_msix (drivers/virtio/virtio_pci_common.c:134 drivers/virtio/virtio_pci_common.c:310)
? alloc_debug_processing (mm/slub.c:1340)
? p9_virtio_probe (include/linux/slab.h:600 net/9p/trans_virtio.c:605)
vp_find_vqs (drivers/virtio/virtio_pci_common.c:407)
vp_modern_find_vqs (drivers/virtio/virtio_pci_modern.c:357)
p9_virtio_probe (include/linux/virtio_config.h:216 net/9p/trans_virtio.c:615)
? __this_cpu_preempt_check (lib/smp_processor_id.c:67)
? opt_pre_handler (kernel/kprobes.c:426)
? req_done (net/9p/trans_virtio.c:593)
? optimized_callback (arch/x86/include/asm/preempt.h:103 (discriminator 22) arch/x86/kernel/kprobes/opt.c:202 (discriminator 22))
? 0xffffffffa0002039
? p9_virtio_remove (net/9p/trans_virtio.c:130)
trace_clock_x86_tsc (??:?)
? sysfs_create_link (fs/sysfs/symlink.c:93)
really_probe (drivers/base/dd.c:530 drivers/base/dd.c:614)
__driver_probe_device (drivers/base/dd.c:753)
driver_probe_device (drivers/base/dd.c:783)
__driver_attach (drivers/base/dd.c:1156)
? __device_attach_driver (drivers/base/base.h:147 drivers/base/dd.c:1120)
bus_for_each_dev (drivers/base/bus.c:300)
? subsys_dev_iter_exit (drivers/base/bus.c:290)
? __kasan_check_write (mm/kasan/shadow.c:38)
? klist_node_init (arch/x86/include/asm/atomic.h:41 include/linux/atomic/atomic-instrumented.h:42 include/linux/refcount.h:136 include/linux/kref.h:31 lib/klist.c:111)
driver_attach (drivers/base/dd.c:1173)
bus_add_driver (drivers/base/bus.c:618)
driver_register (drivers/base/driver.c:240)
register_virtio_driver (drivers/virtio/virtio.c:360)
? p9_trans_fd_init (net/9p/trans_virtio.c:811)
p9_virtio_init (net/9p/trans_virtio.c:817)
? p9_trans_fd_init (net/9p/trans_virtio.c:811)
do_one_initcall (init/main.c:1421)
? initcall_blacklisted (init/main.c:1394)
? parameq (kernel/params.c:98)
? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
? __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424)
kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768)
? rest_init (init/main.c:1644)
kernel_init (init/main.c:1654)
ret_from_fork (arch/x86/entry/entry_64.S:312)

Modules linked in:
---[ end trace 0000000000000000 ]---
