[Bug 2150636] Re: overlayfs crash while network install

Hopefully https://lore.kernel.org/r/20260511062057.2365769-1-nirmoyd@nvidia.com is the fix -- You received this bug notification because you are subscribed to linux in Ubuntu. Matching subscriptions: Bgg, Bmail, Nb https://bugs.launchpad.net/bugs/2150636 Title: overlayfs crash while network install Status in subiquity: New Status in linux package in Ubuntu: Confirmed Bug description: Hallo Ubuntu team: We found some issue while trying to install New resolute over the network. We have exact same setup for Noble and Jammy and those works without any issues, issue seems to be isolated to new Resolute version. How to reproduce: Perform an unattended installation over the network like: ```   linux /images/resolute_install.vmlinuz console=tty0 console=ttyS1,115200n8 ip=dhcp cloud-config-url=/dev/null url=http://myhttpserver.net/images/ubuntu-resolute-live-server-amd64.iso autoinstall ds="nocloud-net;s=http://myhttpserver.net/cloud-init/resolute/" interface=$net_default_mac systemdisk=$instdev modprobe.blacklist=cdc_ether   initrd /images/resolute_install.initrd } ``` One the installation start, the installer give up due the following crash: ``` RIP: 0010:ovl_iterate_merged+0x1d8/0x2b0 [overlay] ``` ``` [ 199.877233] BUG: unable to handle page fault for address: ffffffffc58efed0 [ 199.885471] #PF: supervisor read access in kernel mode [ 199.891591] #PF: error_code(0x0000) - not-present page [ 199.897673] PGD 12f3646067 P4D 12f3647067 PUD 12f3649067 PMD 0 [ 199.904629] Oops: Oops: 0000 [#2] SMP NOPTI [ 199.909631] CPU: 4 UID: 0 PID: 5833 Comm: rsync Tainted: P S D O 7.0.0-14-generic #14-Ubuntu PREEMPT(lazy) [ 199.922141] Tainted: [P]=PROPRIETARY_MODULE, [S]=CPU_OUT_OF_SPEC, [D]=DIE, [O]=OOT_MODULE [ 199.931623] Hardware name: Lenovo ThinkSystem SR630 V3/XXXXXXX, BIOS ESE138F-3.80 11/12/2025 [ 199.941687] RIP: 0010:ovl_iterate_merged+0x1d8/0x2b0 [overlay] [ 199.948544] Code: 41 08 48 89 ce e8 28 49 ff ff 48 8b 4d d0 41 89 ce 48 81 f9 00 f0 ff ff 0f 87 f5 fe ff ff 48 89 4b 08 49 8b 55 08 48 83 c1 10 <4c> 8b 39 48 85 d2 7e 21 49 39 cf 74 1c 31 c0 eb 0c 0f 1f 80 00 00 [ 199.970203] RSP: 0018:ff75651c6a9f7c58 EFLAGS: 00010282 [ 199.976365] RAX: 0000000000000000 RBX: ff3f74fac56b4bc0 RCX: ffffffffc58efed0 [ 199.984669] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 199.992969] RBP: ff75651c6a9f7c98 R08: 0000000000000000 R09: 0000000000000000 [ 200.001261] R10: 0000000000000000 R11: 0000000000000000 R12: ff3f74fac6c820c0 [ 200.009552] R13: ff75651c6a9f7d70 R14: 00000000c58efec0 R15: ff3f74fb249bb2b8 [ 200.017839] FS: 0000730fb2f91100(0000) GS:ff3f750a6d800000(0000) knlGS:0000000000000000 [ 200.027199] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 200.033925] CR2: ffffffffc58efed0 CR3: 0000000155cee003 CR4: 0000000000f73ef0 [ 200.042213] PKRU: 55555554 [ 200.045525] Call Trace: [ 200.048539] <TASK> [ 200.051160] ovl_iterate+0xd3/0x120 [overlay] [ 200.056318] ? __pfx_ovl_iterate+0x10/0x10 [overlay] [ 200.062154] wrap_directory_iterator+0x4f/0x80 [ 200.067399] shared_ovl_iterate+0x15/0x30 [overlay] [ 200.073126] iterate_dir+0xc1/0x2a0 [ 200.077288] __x64_sys_getdents64+0x76/0x140 [ 200.082321] ? __pfx_filldir64+0x10/0x10 [ 200.086959] x64_sys_call+0x100b/0x2390 [ 200.091498] do_syscall_64+0x115/0x5a0 [ 200.095936] ? count_memcg_events+0x103/0x250 [ 200.101051] ? handle_mm_fault+0x1c0/0x2e0 [ 200.105867] ? arch_exit_to_user_mode_prepare.isra.0+0xd/0x100 [ 200.112632] ? irqentry_exit+0x97/0x5a0 [ 200.117138] ? exc_page_fault+0x94/0x1e0 [ 200.121745] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 200.127616] RIP: 0033:0x730fb30887d7 [ 200.131825] Code: 11 00 64 c7 00 16 00 00 00 31 c0 eb 9f e8 61 ec 04 00 90 f3 0f 1e fa b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 01 b6 11 00 f7 d8 64 89 02 48 [ 200.153288] RSP: 002b:00007ffcd0778138 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9 [ 200.161982] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000730fb30887d7 [ 200.170185] RDX: 0000000000008000 RSI: 00005a7baefe4060 RDI: 0000000000000003 [ 200.178384] RBP: 00007ffcd0778170 R08: 00005a7baefe4034 R09: 0000730fb31a4ac8 [ 200.186582] R10: 0000000000008040 R11: 0000000000000293 R12: 0000000000000001 [ 200.194775] R13: 00005a7baefe4030 R14: 00007ffcd0778270 R15: 0000730fb2f910b0 start: subiqu[ 200.202972] </TASK> [ 200.202973] Modules linked in: nls_iso8859_1 xfs zfs(PO) spl(O) bcache qrtr cfg80211 intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common intel_ifs i10nm_edac skx_edac_common nfit x86_pkg_temp_thermal coretemp kvm_intel kvm irqbypass ghash_clmulni_intel rapl intel_cstate cmdlinepart spi_nor pmt_telemetry mtd iaa_crypto pmt_discovery pmt_class intel_sdsi dax_hmem binfmt_misc cxl_acpi cxl_port cxl_pmem ses cxl_core einj ast enclosure mlx5_fwctl fwctl isst_if_mbox_pci i2c_algo_bit ipmi_ssif joydev input_leds acpi_power_meter ipmi_si isst_if_mmio acpi_ipmi mei_me ipmi_devintf spi_intel_pci idxd isst_if_common intel_vsec ipmi_msghandler mei spi_intel idxd_bus mac_hid sch_fq_codel msr nvme_fabrics nvme_core nvme_keyring nvme_auth hkdf efi_pstore nfnetlink dmi_sysfs autofs4 overlay isofs 8021q garp mrp stp llc raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 linear mlx5_ib ib_uverbs macsec ib_core hid_generic usbhid hid wmi mlx5_core mpt3sas [ 200.207023] mlxfw psample raid_class tls pinctrl_emmitsburg scsi_transport_sas pci_hyperv_intf ahci libahci scsi_dh_emc scsi_dh_rdac scsi_dh_alua dm_multipath aesni_intel [ 200.207035] CR2: ffffffffc58efed0 [ 200.207037] ---[ end trace 0000000000000000 ]--- [ 201.117859] RIP: 0010:ovl_iterate_merged+0x1d8/0x2b0 [overlay] [ 201.249949] Code: 41 08 48 89 ce e8 28 49 ff ff 48 8b 4d d0 41 89 ce 48 81 f9 00 f0 ff ff 0f 87 f5 fe ff ff 48 89 4b 08 49 8b 55 08 48 83 c1 10 <4c> 8b 39 48 85 d2 7e 21 49 39 cf 74 1c 31 c0 eb 0c 0f 1f 80 00 00 ity/Install/inst[ 201.249950] RSP: 0018:ff75651c494d3d18 EFLAGS: 00010282 all/curtin_insta[ 201.249952] RAX: 0000000000000000 RBX: ff3f750a4bf28040 RCX: ffffffffc58efed0 ll/run_curtin_st[ 201.249953] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 ep/cmd-install: [ 201.249954] RBP: ff75651c494d3d58 R08: 0000000000000000 R09: 0000000000000000 curtin command i[ 201.249955] R10: 0000000000000000 R11: 0000000000000000 R12: ff3f750a4d3569c0 nstall start: [ 201.249955] R13: ff75651c494d3e30 R14: 00000000c58efec0 R15: ff3f750a6286acb8    subiquity/Ins[ 201.249956] FS: 0000730fb2f91100(0000) GS:ff3f750a6d800000(0000) knlGS:0000000000000000 tall/install/cur[ 201.249957] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 tin_install/run_[ 201.249958] CR2: ffffffffc58efed0 CR3: 0000000155cee003 CR4: 0000000000f73ef0 curtin_step/cmd-[ 201.249959] PKRU: 55555554 install/stage-ex[ 201.249960] note: rsync[5833] exited with irqs disabled ``` So far we believe this issue is kinda related with these links: Some google bot also found the issue: https://syzkaller.appspot.com/bug?extid=a16fb0cce329a320661c Reported in January 2026 to Overlay FS maintainers https://lore.kernel.org/all/697a03f6.a00a0220.35f26.0000.GAE@google.com/T/ It seems like the (ovl_iterate_merged) function was introduced here: (Kernel 6.19) https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0deeb803cd65c41c37ac106063c46c51d5d43ab ### We also notice that if we add `modprobe.blacklist=zfs` to our boot parameters will help a little bit to mitigate the issue, but the installation still fails time to time, but less frequently. When booting with: `modprobe.blacklist=zfs` : ``` [ 197.829405] Tainted: [S]=CPU_OUT_OF_SPEC, [D]=DIE [ 197.835674] Hardware name: Lenovo ThinkSystem SR630 V3/XXXXXX, BIOS ESE138F-3.80 11/12/2025 [ 197.845738] RIP: 0010:ovl_iterate_merged+0x1d8/0x2b0 [overlay] [ 197.852592] Code: 41 08 48 89 ce e8 28 49 ff ff 48 8b 4d d0 41 89 ce 48 81 f9 00 f0 ff ff 0f 87 f5 fe ff ff 48 89 4b 08 49 8b 55 08 48 83 c1 10 <4c> 8b 39 48 85 d2 7e 21 49 39 cf 74 1c 31 c0 eb 0c 0f 1f 80 00 00 [ 197.874250] RSP: 0018:ff75adff62803a08 EFLAGS: 00010286 [ 197.880407] RAX: 0000000000000000 RBX: ff21db08a8775cc0 RCX: ffffffff85acb050 [ 197.888708] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 197.897006] RBP: ff75adff62803a48 R08: 0000000000000000 R09: 0000000000000000 [ 197.905302] R10: 0000000000000000 R11: 0000000000000000 R12: ff21db0886b3cfc0 [ 197.913596] R13: ff75adff62803b20 R14: 0000000085acb040 R15: ff21db08efb224b8 [ 197.921891] FS: 00007a1db9f93100(0000) GS:ff21db1825600000(0000) knlGS:0000000000000000 [ 197.931261] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 197.937984] CR2: ffffffff85acb050 CR3: 000000015cd01006 CR4: 0000000000f73ef0 [ 197.946273] PKRU: 55555554 [ 197.949582] Call Trace: [ 197.952595] <TASK> [ 197.955215] ovl_iterate+0xd3/0x120 [overlay] [ 197.960373] ? __pfx_ovl_iterate+0x10/0x10 [overlay] [ 197.966207] wrap_directory_iterator+0x4f/0x80 [ 197.971449] shared_ovl_iterate+0x15/0x30 [overlay] [ 197.977175] iterate_dir+0xc1/0x2a0 [ 197.981334] __x64_sys_getdents64+0x76/0x140 [ 197.986364] ? __pfx_filldir64+0x10/0x10 [ 197.991001] x64_sys_call+0x100b/0x2390 [ 197.995537] do_syscall_64+0x115/0x5a0 [ 197.999971] ? __alloc_frozen_pages_noprof+0x187/0x360 [ 198.005954] ? mod_memcg_lruvec_state+0x101/0x2f0 [ 198.011452] ? lruvec_stat_mod_folio+0x8d/0x100 [ 198.016741] ? set_ptes.isra.0+0x3b/0x90 [ 198.021353] ? do_anonymous_page+0x105/0x4d0 [ 198.026348] ? handle_pte_fault+0x1cb/0x1f0 [ 198.031241] ? __handle_mm_fault+0x493/0x720 [ 198.036228] ? count_memcg_events+0x103/0x250 [ 198.041300] ? handle_mm_fault+0x1c0/0x2e0 [ 198.046082] ? arch_exit_to_user_mode_prepare.isra.0+0xd/0x100 [ 198.052813] ? irqentry_exit+0x97/0x5a0 [ 198.057300] ? exc_page_fault+0x94/0x1e0 [ 198.061879] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 198.067721] RIP: 0033:0x7a1dba08a7d7 [ 198.071902] Code: 11 00 64 c7 00 16 00 00 00 31 c0 eb 9f e8 61 ec 04 00 90 f3 0f 1e fa b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 01 b6 11 00 f7 d8 64 89 02 48 [ 198.093310] RSP: 002b:00007ffc13ab5908 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9 [ 198.101982] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007a1dba08a7d7 [ 198.110165] RDX: 0000000000008000 RSI: 000058c315bca060 RDI: 0000000000000003 [ 198.118347] RBP: 00007ffc13ab5940 R08: 000058c315bca034 R09: 00007a1dba1a6ac8 [ 198.126529] R10: 0000000000008040 R11: 0000000000000293 R12: 0000000000000001 [ 198.134708] R13: 000058c315bca030 R14: 00007ffc13ab5a40 R15: 00007a1db9f930b0 [ 198.142889] </TASK> [ 198.145506] Modules linked in: nls_iso8859_1 xfs bcache qrtr cfg80211 binfmt_misc intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common intel_ifs i10nm_edac skx_edac_common nfit x86_pkg_temp_thermal coretemp kvm_intel kvm irqbypass ghash_clmulni_intel rapl intel_cstate cmdlinepart dax_hmem cxl_acpi spi_nor pmt_telemetry cxl_port iaa_crypto pmt_discovery mtd pmt_class cxl_pmem intel_sdsi cxl_core ses einj enclosure mlx5_fwctl fwctl ast acpi_power_meter isst_if_mbox_pci i2c_algo_bit ipmi_ssif input_leds joydev isst_if_mmio ipmi_si acpi_ipmi ipmi_devintf isst_if_common mei_me spi_intel_pci ipmi_msghandler idxd intel_vsec spi_intel mei idxd_bus mac_hid sch_fq_codel msr nvme_fabrics nvme_core nvme_keyring nvme_auth hkdf efi_pstore nfnetlink dmi_sysfs autofs4 overlay isofs 8021q garp mrp stp llc raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 linear mlx5_ib ib_uverbs macsec ib_core mlx5_core hid_generic usbhid hid mlxfw mpt3sas psample tls [ 198.145576] raid_class scsi_transport_sas pci_hyperv_intf ahci libahci wmi pinctrl_emmitsburg scsi_dh_emc scsi_dh_rdac scsi_dh_alua dm_multipath aesni_intel [ 198.264212] CR2: ffffffff85acb050 [ 198.268126] ---[ end trace 0000000000000000 ]--- start: subiquity/Install/i[ 199.157669] RIP: 0010:ovl_iterate_merged+0x1d8/0x2b0 [overlay] nstall/curtin_in[ 199.164461] Code: 41 08 48 89 ce e8 28 49 ff ff 48 8b 4d d0 41 89 ce 48 81 f9 00 f0 ff ff 0f 87 f5 fe ff ff 48 89 4b 08 49 8b 55 08 48 83 c1 10 <4c> 8b 39 48 85 d2 7e 21 49 39 cf 74 1c 31 c0 eb 0c 0f 1f 80 00 00 stall/run_curtin[ 199.187319] RSP: 0018:ff75adff70b67be8 EFLAGS: 00010286 _step/cmd-instal[ 199.194535] RAX: 0000000000000000 RBX: ff21db08a59c5480 RCX: ffffffff85acb050 l/stage-extract/[ 199.204115] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 builtin/cmd-extr[ 199.213707] RBP: ff75adff70b67c28 R08: 0000000000000000 R09: 0000000000000000 act: curtin comm[ 199.223298] R10: 0000000000000000 R11: 0000000000000000 R12: ff21db088bb2f140 and extract sta[ 199.232876] R13: ff75adff70b67d00 R14: 0000000085acb040 R15: ff21db08a4679d78 rt: subiq[ 199.242467] FS: 00007a1db9f93100(0000) GS:ff21db1825600000(0000) knlGS:0000000000000000 uity/Install/ins[ 199.253132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 tall/curtin_inst[ 199.261165] CR2: ffffffff85acb050 CR3: 000000015cd01006 CR4: 0000000000f73ef0 all/run_curtin_s[ 199.270760] PKRU: 55555554 tep/cmd-install/[ 199.275378] note: rsync[5810] exited with irqs disabled stage-extract/builtin/cmd-extract/: acquiring and extracting image from cp:///tmp/tmpdd344ar8/mount ``` To manage notifications about this bug go to: https://bugs.launchpad.net/subiquity/+bug/2150636/+subscriptions