Public bug reported:

With a 24.04 machine (physical or VM), it's possible to trigger a kernel NULL pointer dereference when running with the 6.17 HWE kernel.

Here is the PoC:

```
# 'EOF' is quoted so that $(uname -r) is written literally into poc.sh and
# evaluated when poc.sh runs, not when this heredoc is written.
cat << 'EOF' > poc.sh
#!/bin/bash
set -eux

# VM inside container causes a kernel NULL pointer dereference on 6.17
if [[ "$(uname -r)" =~ ^6\.17\.0 ]]; then
  echo "::warning:: 6.17 kernel detected, expect failure then check 'dmesg'"
else
  echo "::info:: 6.17 kernel NOT detected, expect success and consider switching to 'linux-image-generic-hwe-24.04'"
fi

snap install lxd --channel latest/edge
lxd init --auto

# prepare ctn to be used for nested VM testing
lxc init ubuntu-minimal-daily:24.04 ctn -c security.devlxd.images=true -c security.nesting=true -s default
lxc config device add ctn kvm unix-char source=/dev/kvm
lxc config device add ctn vhost-net unix-char source=/dev/vhost-net
lxc config device add ctn vhost-vsock unix-char source=/dev/vhost-vsock
lxc config device add ctn vsock unix-char source=/dev/vsock
lxc start ctn
sleep 30
lxc exec ctn -- snap wait system seed.loaded
lxc exec ctn -- snap install lxd --channel latest/edge
lxc exec ctn -- lxd init --auto

# launch small nested VM
lxc exec ctn -- lxc launch ubuntu-minimal-daily:24.04 nested-vm --vm -c limits.memory=512MiB -d root,size=3584MiB

# cleanup
lxc delete -f ctn
EOF
```

Running the PoC will look like this:

```
# bash ./poc.sh
...
+ lxc exec ctn -- lxd init --auto
+ lxc exec ctn -- lxc launch ubuntu-minimal-daily:24.04 nested-vm --vm -c limits.memory=512MiB -d root,size=3584MiB
Launching nested-vm
Error: Failed instance creation: Failed running: forklimits fd=3 fd=4 fd=5 -- /snap/lxd/38854/bin/qemu-system-x86_64 -S -name nested-vm -uuid 44280c7e-ddfe-4c74-9101-e861139cad41 -daemonize -cpu host,hv_passthrough -nographic -serial chardev:console -nodefaults -no-user-config -sandbox on,obsolete=deny,elevateprivileges=allow,spawn=allow,resourcecontrol=deny -readconfig /var/snap/lxd/common/lxd/logs/nested-vm/qemu.conf -spice unix=on,disable-ticketing=on,addr=/var/snap/lxd/common/lxd/logs/nested-vm/qemu.spice -pidfile /var/snap/lxd/common/lxd/logs/nested-vm/qemu.pid -D /var/snap/lxd/common/lxd/logs/nested-vm/qemu.log -smbios type=2,manufacturer=Canonical Ltd.,product=LXD -run-with user=lxd: : signal: killed
```

```
# dmesg
...
[ 1284.623266] audit: type=1400 audit(1775505789.403:672): apparmor="STATUS" operation="profile_load" label="lxd-ctn_</var/snap/lxd/common/lxd>//&:lxd-ctn_<var-snap-lxd-common-lxd>:unconfined" name="lxd-nested-vm_</var/snap/lxd/common/lxd>" pid=7635 comm="apparmor_parser"
[ 1284.759224] workqueue: drm_fb_helper_damage_work hogged CPU for >10000us 4 times, consider switching to WQ_UNBOUND
[ 1285.251153] workqueue: drm_fb_helper_damage_work hogged CPU for >10000us 5 times, consider switching to WQ_UNBOUND
[ 1285.431391] BUG: kernel NULL pointer dereference, address: 0000000000000018
[ 1285.448025] #PF: supervisor read access in kernel mode
[ 1285.449951] #PF: error_code(0x0000) - not-present page
[ 1285.452811] PGD 0 P4D 0
[ 1285.454155] Oops: Oops: 0000 [#4] SMP NOPTI
[ 1285.455950] CPU: 3 UID: 1000000 PID: 7636 Comm: aa-exec Tainted: P D O 6.17.0-20-generic #20~24.04.1-Ubuntu PREEMPT(voluntary)
[ 1285.460690] Tainted: [P]=PROPRIETARY_MODULE, [D]=DIE, [O]=OOT_MODULE
[ 1285.462968] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS 2025.11-3ubuntu6 03/17/2026
[ 1285.466160] RIP: 0010:aa_file_perm+0xb9/0x3b0
[ 1285.467982] Code: ff 45 31 c0 45 31 c9 e9 90 4c 68 ff 49 8b 47 20 49 8b 4f 18 0f b7 00 66 25 00 f0 66 3d 00 c0 75 18 41 f7 c4 46 00 10 00 75 0f <48> 8b 41 18 66 83 78 10 01 0f 84 44 01 00 00 f7 d2 44 21 e2 89 55
[ 1285.474719] RSP: 0018:ffffccd888edb8b8 EFLAGS: 00010246
[ 1285.476824] RAX: 000000000000c000 RBX: ffff8b29c3655900 RCX: 0000000000000000
[ 1285.479640] RDX: 0000000000000000 RSI: ffff8b29e0a25900 RDI: ffffffffa1bc6817
[ 1285.482118] RBP: ffffccd888edb910 R08: 0000000000000000 R09: 0000000000000001
[ 1285.485600] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 1285.488328] R13: ffff8b2a26aada10 R14: ffff8b29c3655e00 R15: ffff8b2a367ff600
[ 1285.491553] FS: 0000000000000000(0000) GS:ffff8b2d8cbe2000(0000) knlGS:0000000000000000
[ 1285.495022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1285.497152] CR2: 0000000000000018 CR3: 00000001767c9000 CR4: 0000000000750ef0
[ 1285.499746] PKRU: 55555554
[ 1285.501910] Call Trace:
[ 1285.503323]  <TASK>
[ 1285.504533]  ? __pfx_match_file+0x10/0x10
[ 1285.506124]  match_file+0x7b/0xa0
[ 1285.507839]  iterate_fd+0x6b/0xb0
[ 1285.509416]  aa_inherit_files+0x101/0x280
[ 1285.511796]  apparmor_bprm_committing_creds+0x6f/0xa0
[ 1285.514681]  security_bprm_committing_creds+0x27/0x40
[ 1285.517415]  begin_new_exec+0x2ac/0x420
[ 1285.518990]  load_elf_binary+0x32d/0xf40
[ 1285.520707]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.522687]  ? ima_bprm_check+0x71/0xa0
[ 1285.524556]  exec_binprm+0x138/0x310
[ 1285.526049]  bprm_execve.part.0+0x166/0x220
[ 1285.528406]  bprm_execve+0x45/0x80
[ 1285.530753]  do_execveat_common.isra.0+0x194/0x1f0
[ 1285.532636]  __x64_sys_execve+0x39/0x60
[ 1285.534164]  x64_sys_call+0x1c28/0x2680
[ 1285.536381]  do_syscall_64+0x80/0xa40
[ 1285.537896]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.540575]  ? filp_flush+0x91/0xb0
[ 1285.541999]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.544368]  ? filp_close+0x1f/0x30
[ 1285.546371]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.548126]  ? do_dup2+0xc2/0x160
[ 1285.549630]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.555534]  ? ksys_dup3+0x9d/0x120
[ 1285.556865]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.623421]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.625736]  ? arch_exit_to_user_mode_prepare.isra.0+0xd/0xe0
[ 1285.628448]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.671728]  ? do_syscall_64+0xb6/0xa40
[ 1285.677888]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.846163]  ? ksys_dup3+0x9d/0x120
[ 1285.850353]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.852366]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.853980]  ? arch_exit_to_user_mode_prepare.isra.0+0xd/0xe0
[ 1285.855886]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.858582]  ? do_syscall_64+0xb6/0xa40
[ 1285.860923]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.863547]  ? __x64_sys_rt_sigprocmask+0x7d/0xe0
[ 1285.865343]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.866890]  ? arch_exit_to_user_mode_prepare.isra.0+0xd/0xe0
[ 1285.870395]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.871990]  ? do_syscall_64+0xb6/0xa40
[ 1285.873879]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.878556]  ? arch_exit_to_user_mode_prepare.isra.0+0xd/0xe0
[ 1285.880740]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.882436]  ? do_syscall_64+0xb6/0xa40
[ 1285.883790]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 1285.886428]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 1285.888210] RIP: 0033:0x4272ce
[ 1285.889680] Code: Unable to access opcode bytes at 0x4272a4.
[ 1285.893743] RSP: 002b:000025a3d044c278 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
[ 1285.896482] RAX: ffffffffffffffda RBX: 000025a3d11749f0 RCX: 00000000004272ce
[ 1285.901072] RDX: 000025a3d064b500 RSI: 000025a3d12a6280 RDI: 000025a3d11749f0
[ 1285.903353] RBP: 000025a3d044c2b8 R08: 0000000000000000 R09: 0000000000000000
[ 1285.905720] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000026
[ 1285.910249] R13: 0000000000000006 R14: 000025a3d098c5a0 R15: 0000000000000006
[ 1285.915743]  </TASK>
[ 1285.921980] Modules linked in: veth nft_masq nft_chain_nat bridge stp llc zfs(PO) spl(O) ebtable_filter ebtables ip6table_raw ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter nf_tables vhost_vsock vhost vhost_iotlb cfg80211 intel_rapl_msr intel_rapl_common binfmt_misc kvm_amd ccp nls_iso8859_1 joydev kvm irqbypass polyval_clmulni 9pnet_virtio ghash_clmulni_intel aesni_intel 9pnet psmouse i2c_i801 i2c_smbus lpc_ich vmw_vsock_virtio_transport ahci i2c_mux netfs virtiofs libahci vmw_vsock_virtio_transport_common virtio_gpu vsock vmgenid virtio_dma_buf virtio_input input_leds mac_hid serio_raw sch_fq_codel efi_pstore nfnetlink dmi_sysfs qemu_fw_cfg virtio_rng ip_tables x_tables autofs4
[ 1286.010588] CR2: 0000000000000018
[ 1286.012064] ---[ end trace 0000000000000000 ]---
[ 1289.457331] RIP: 0010:aa_file_perm+0xb9/0x3b0
[ 1289.461328] Code: ff 45 31 c0 45 31 c9 e9 90 4c 68 ff 49 8b 47 20 49 8b 4f 18 0f b7 00 66 25 00 f0 66 3d 00 c0 75 18 41 f7 c4 46 00 10 00 75 0f <48> 8b 41 18 66 83 78 10 01 0f 84 44 01 00 00 f7 d2 44 21 e2 89 55
[ 1289.465382] RSP: 0018:ffffccd882fb3b78 EFLAGS: 00010246
[ 1289.466585] RAX: 000000000000c000 RBX: ffff8b29c3655580 RCX: 0000000000000000
[ 1289.468081] RDX: 0000000000000000 RSI: ffff8b29ceb97b40 RDI: ffffffffa1bc6817
[ 1289.469567] RBP: ffffccd882fb3bd0 R08: 0000000000000000 R09: 0000000000000001
[ 1289.471018] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 1289.472454] R13: ffff8b29c3d35bc8 R14: ffff8b29c0927080 R15: ffff8b29e0a1d240
[ 1289.473856] FS: 0000000000000000(0000) GS:ffff8b2d8cbe2000(0000) knlGS:0000000000000000
[ 1289.475626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1289.476946] CR2: 00000000004272a4 CR3: 00000001767c9000 CR4: 0000000000750ef0
[ 1289.478331] PKRU: 55555554
[ 1289.479036] note: aa-exec[7636] exited with irqs disabled
[ 1289.480253] clocksource: Long readout interval, skipping watchdog check: cs_nsec: 2968251915 wd_nsec: 2968254099
[ 1289.482291] note: aa-exec[7636] exited with preempt_count 1
[ 1289.519692] tap6e10c87b: left allmulticast mode
[ 1289.520854] tap6e10c87b: left promiscuous mode
[ 1289.522179] lxdbr0: port 1(tap6e10c87b) entered disabled state
```

Using older kernels like 6.8, 6.11 or 6.14 shows no problem. The issue was initially noticed on GitHub Action runners when images switched from 6.14 to 6.17. https://github.com/canonical/lxd-ci/actions/runs/24022621190/job/70054463342#step:15:1028 is one recent failed run.

Additional information:

```
# lsb_release -rd
No LSB modules are available.
Description:    Ubuntu 24.04.4 LTS
Release:        24.04
# uname -a
Linux v2 6.17.0-20-generic #20~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar 19 01:28:37 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
```

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2147374

Title:
  BUG: kernel NULL pointer dereference when starting VM inside a container

Status in linux package in Ubuntu:
  New
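The dmesg excerpt in the report carries enough to classify the crash without a debugger: CR2 equals the BUG: address (0x18), the bytes under the <..> marker (48 8b 41 18) decode to mov rax, [rcx+0x18], and the register dump shows RCX = 0, so the kernel dereferenced a NULL pointer at field offset 0x18 inside aa_file_perm while aa_inherit_files walked the fd table on execve. The Python below is an added example for this page, not code from the report, from LXD or from Ubuntu. It parses an x86-64 oops in the format printed above (the field names BUG:, #PF:, RIP:, Code:, the register lines and Call Trace: are taken from this report), cross-checks CR2 against the fault address, drops the frames the unwinder marked with '?', and decodes the faulting load to tie the NULL register to the field offset. The decoder deliberately handles only the `mov r64, [base + disp]` form that this oops faults on and returns None for anything else; SAMPLE is an excerpt of the report's own dmesg lines, and the function names are mine.

```python
"""Triage an x86-64 Linux kernel oops copied from dmesg. Added example for this bug
report, not code from the report, LXD or Ubuntu: parse the oops, cross-check CR2
against the BUG: address, decode the faulting load to name the register that held
NULL. SAMPLE is an excerpt of the dmesg output quoted in the report."""
import re

SAMPLE = """\
[ 1285.431391] BUG: kernel NULL pointer dereference, address: 0000000000000018
[ 1285.448025] #PF: supervisor read access in kernel mode
[ 1285.455950] CPU: 3 UID: 1000000 PID: 7636 Comm: aa-exec Tainted: P D O 6.17.0-20-generic #20~24.04.1-Ubuntu PREEMPT(voluntary)
[ 1285.466160] RIP: 0010:aa_file_perm+0xb9/0x3b0
[ 1285.467982] Code: ff 45 31 c0 45 31 c9 e9 90 4c 68 ff 49 8b 47 20 49 8b 4f 18 0f b7 00 66 25 00 f0 66 3d 00 c0 75 18 41 f7 c4 46 00 10 00 75 0f <48> 8b 41 18 66 83 78 10 01 0f 84 44 01 00 00 f7 d2 44 21 e2 89 55
[ 1285.476824] RAX: 000000000000c000 RBX: ffff8b29c3655900 RCX: 0000000000000000
[ 1285.479640] RDX: 0000000000000000 RSI: ffff8b29e0a25900 RDI: ffffffffa1bc6817
[ 1285.485600] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 1285.497152] CR2: 0000000000000018 CR3: 00000001767c9000 CR4: 0000000000750ef0
[ 1285.501910] Call Trace:
[ 1285.504533]  ? __pfx_match_file+0x10/0x10
[ 1285.506124]  match_file+0x7b/0xa0
[ 1285.507839]  iterate_fd+0x6b/0xb0
[ 1285.509416]  aa_inherit_files+0x101/0x280
[ 1285.511796]  apparmor_bprm_committing_creds+0x6f/0xa0
[ 1285.532636]  __x64_sys_execve+0x39/0x60
[ 1285.886428]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 1285.888210] RIP: 0033:0x4272ce
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
PF_RE = re.compile(r"#PF: (supervisor|user) (read|write|instruction fetch) access")
CPU_RE = re.compile(r"PID: (\d+) Comm: (\S+)(?: Tainted: ((?:[A-Z] )+))?")
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(\S+\+0x[0-9a-f]+)/0x[0-9a-f]+")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[0-9]): (?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")
FRAME_RE = re.compile(r"(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+")
REG64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"] + [f"R{i:02d}" for i in range(8, 16)]


def parse_oops(text):
    """regs keeps the first value per register (the kernel-mode dump); trace drops '?' frames."""
    o = {"fault_addr": None, "access": "", "pid": 0, "comm": "", "tainted": "",
         "rip": "", "code": [], "regs": {}, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if in_trace:
            if line.startswith(("</TASK>", "Modules linked in", "RIP:")):
                in_trace = False
            elif not line.startswith(("?", "<TASK>")) and (m := FRAME_RE.match(line)):
                o["trace"].append(m.group(1))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif (m := BUG_RE.match(line)) and o["fault_addr"] is None:
            o["fault_addr"] = int(m.group(1), 16)
        elif (m := PF_RE.match(line)) and not o["access"]:
            o["access"] = f"{m.group(1)} {m.group(2)}"
        elif (m := CPU_RE.search(line)) and not o["comm"]:
            o["pid"], o["comm"], o["tainted"] = int(m.group(1)), m.group(2), (m.group(3) or "").strip()
        elif (m := RIP_RE.match(line)) and not o["rip"]:
            o["rip"] = m.group(1)
        elif line.startswith("Code:") and not o["code"]:  # keep the bytes from the <..> marker onward
            toks = line.split()[1:]
            if all(re.fullmatch(r"<?[0-9a-f]{2}>?", t) for t in toks):  # not "Unable to access opcode bytes"
                start = next((i for i, t in enumerate(toks) if t.startswith("<")), len(toks))
                o["code"] = [int(t.strip("<>"), 16) for t in toks[start:]]
        else:
            for name, val in REG_RE.findall(line):
                o["regs"].setdefault(name, int(val, 16))
    return o


def decode_mov_load(code):
    """mov r64, [base + disp] only (REX.W 8b /r, no SIB, not RIP-relative): (dst, base, disp) or None."""
    if len(code) < 3 or (code[0] & 0xF8) != 0x48 or code[1] != 0x8B:
        return None
    rex, mod, reg, rm = code[0], code[2] >> 6, (code[2] >> 3) & 7, code[2] & 7
    width = (0, 1, 4, 0)[mod]  # displacement bytes for mod 00 / 01 / 10
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5) or len(code) < 3 + width:
        return None
    dst = REG64[reg | ((rex & 0x4) << 1)]  # REX.R extends ModRM.reg
    base = REG64[rm | ((rex & 0x1) << 3)]  # REX.B extends ModRM.rm
    return dst, base, int.from_bytes(bytes(code[3:3 + width]), "little", signed=True)


def triage(text):
    """Summarise the oops; 'fault' checks that base + disp of the decoded load reproduces CR2."""
    o = parse_oops(text)
    regs, fault = o["regs"], None
    if (dec := decode_mov_load(o["code"])) and dec[1] in regs:
        dst, base, disp = dec
        fault = {"dst": dst, "base": base, "base_value": regs[base], "disp": disp,
                 "matches_cr2": ((regs[base] + disp) & (2**64 - 1)) == regs.get("CR2")}
    return {  # a supervisor access inside page 0 is a NULL pointer plus a field offset
        "null_deref": o["fault_addr"] is not None and o["fault_addr"] < 4096 and o["access"].startswith("supervisor"),
        "cr2_matches_bug": o["fault_addr"] is not None and regs.get("CR2") == o["fault_addr"],
        "rip": o["rip"], "comm": o["comm"], "pid": o["pid"], "tainted": o["tainted"],
        "zero_regs": sorted(r for r, v in regs.items() if v == 0 and not r.startswith("CR")),
        "reliable_trace": o["trace"], "fault": fault,
    }
```

Calling triage(SAMPLE) on the excerpt reports null_deref and cr2_matches_bug as True, RIP aa_file_perm+0xb9, comm aa-exec with taint flags P D O, and a fault record naming RCX (value 0) plus displacement 0x18 as the dereference that matches CR2. Feeding decode_mov_load the two loads that precede the marker in the Code: line (49 8b 47 20 and 49 8b 4f 18) gives mov rax, [r15+0x20] and mov rcx, [r15+0x18], i.e. RCX was itself read from a field of the structure R15 points at; which structure that is needs the kernel source at that offset, so the code stops at the register level. The regs dict keeps only the first value seen per register so that the user-mode dump printed after RIP: 0033: does not overwrite the kernel-mode one.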