Interestingly, Linux crashes in a far return (opcode C3) to 0x79536e61, while the CS has a limit of 3FFFFFFF (the top part of the 32-bit address space). It's in kernel mode at said point.
It happens at 0010:001e3439.
That's an invalid return address. Probably something set up by code?
Edit: I've placed breakpoints on stack pushes that write the high 4 bits of the 32-bit value as value 7. I see no stack pushes that write said value, but I do see a near return using said value (popped from the stack)? So the cause isn't a stack push instruction, but instead some instruction that might be malfunctioning and writing to that location on the stack?
Edit: ESP was 00205716 before the instruction, so at 00205716 (actually 00205719) is an invalid byte (or dword at the first mentioned) address? That ESP address is one of the few pieces of information that are correctly reported by the Linux fault handler on the screen.
Edit: I now see it returning to 746f6e20. Interestingly, ESP doesn't seem to be aligned to a dword address (MOD 4 == 0)?
Edit: I see a MOVSB writing said value to said location (it's a REP (or some variant of) MOVSB)? ECX has a pretty large value (in the 2MB range)?
Edit: Now something strange, a kernel Oops due to a page fault on address e0xxxxxx, which the kernel doesn't like?
Edit: It seems that said value is written by the very first REP MOVSB executed by the Linux kernel while it's booting (or extracting itself into memory?)? The ECX count at the start of it is 8E0000.
Edit: That's the instruction at 0010:00001000 (probably in head.S of arch\i386\boot\compressed\head.S, row 109).
Edit: The decompression method seems to have written said value to memory at that location. So the issue might be in stack management somewhere?
Edit: After the boot.S, said memory locations aren't overwritten by ANY instructions, including 32-bit stack pushes, it seems. So is the kernel setting a custom stack pointer to return to?
Edit: Weirdly, I see ESP or EBP being loaded with the value of 2. That seems a bit odd? I see it loaded with a value of 3 afterwards, then normal values again? Then I see a value of 1D and then 4. Those are quite strange (if not disturbing) values for EBP (and maybe even ESP, since they're used together)? That happens at EIP 8160ED. I see 20710a (or was it 21710a) being loaded, just before the fault being raised?
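The manual hunt above (breakpoints on pushes, then spotting the REP MOVSB that wrote the popped dword) can be automated inside the emulator with a "last writer" shadow map. This is an added example, not code from the post or from any emulator project: every guest store records the EIP of the writing instruction per byte, and the RET model checks the popped target against the CS limit and ESP alignment, reporting the writer's EIP when the target is out of range. The memory size, addresses and the sample bytes are constructed; the CS limit is taken as the maximum valid offset.

```c
#include <stdint.h>
#include <stdio.h>

#define GUEST_MEM_SIZE (4u << 20)              /* constructed: 4 MiB of guest RAM */
static uint8_t  guest_mem[GUEST_MEM_SIZE];
static uint32_t last_writer[GUEST_MEM_SIZE];   /* EIP of the last store to each byte */

/* Every guest byte store is routed through here (a REP MOVSB makes ECX such stores),
 * so the shadow map always knows which instruction last touched a given byte. */
void guest_write8(uint32_t addr, uint8_t value, uint32_t writer_eip) {
    if (addr >= GUEST_MEM_SIZE) return;
    guest_mem[addr] = value;
    last_writer[addr] = writer_eip;
}

/* Little-endian dword read, assembled byte by byte so it is host-endian independent. */
static uint32_t guest_read32(uint32_t addr) {
    return (uint32_t)guest_mem[addr]
         | (uint32_t)guest_mem[addr + 1] << 8
         | (uint32_t)guest_mem[addr + 2] << 16
         | (uint32_t)guest_mem[addr + 3] << 24;
}

/* Model of the pop side of RET. Stores the popped target in *out_target and returns
 * 0 when the target lies within the CS limit, otherwise the EIP of the instruction
 * that last wrote the dword at ESP (0xFFFFFFFF if ESP itself is out of guest RAM). */
uint32_t check_ret(uint32_t esp, uint32_t cs_limit, uint32_t *out_target) {
    if (esp > GUEST_MEM_SIZE - 4) return 0xFFFFFFFFu;
    uint32_t target = guest_read32(esp);
    *out_target = target;
    if (esp % 4 != 0)
        fprintf(stderr, "warning: ESP %08x is not dword aligned\n", esp);
    if (target <= cs_limit)
        return 0;
    fprintf(stderr, "RET to %08x exceeds CS limit %08x; dword at ESP=%08x "
                    "was last written by EIP %08x\n",
            target, cs_limit, esp, last_writer[esp]);
    return last_writer[esp];
}
```

Hooking the same check into the far RET and IRET paths catches the bad target at pop time, before the fault handler's less reliable report.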