Hello Christopher

As you can see in Noble changelog:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/tree/debian.master/changelog?h=master-next
the fix was included in Noble 6.8.0-81.81. This means that 6.8.0-83.83 includes the fix.

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2115447

Title:
  Ubuntu 24.04.2: NULL pointer dereference with Ceph and selinux

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Noble:
  Fix Committed

Bug description:
  [ Impact ]

  fs/ceph,selinux: fix NULL pointer dereference on CephFS write with SELinux in permissive mode

  A NULL pointer dereference occurs in the Ceph kernel client (CephFS)
  when a file is created on a mounted CephFS volume while SELinux is
  enabled in permissive mode.

  [ 86.678570] BUG: kernel NULL pointer dereference, address: 000000000000001d
  [ 86.679238] #PF: supervisor read access in kernel mode
  [ 86.679859] #PF: error_code(0x0000) - not-present page
  [ 86.680445] PGD 0 P4D 0
  [ 86.681021] Oops: 0000 [#1] PREEMPT SMP PTI
  [ 86.681558] CPU: 0 PID: 2818 Comm: touch Not tainted 6.8.0-62-generic #65-Ubuntu
  [ 86.682095] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
  [ 86.682716] RIP: 0010:memcpy_orig+0x54/0x130
  [ 86.683267] Code: 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83 c2 20 eb 44 48 01 d6 48 01 d7 48 83 ea 20 0f 1f 00 48 83 ea 20 <4c> 8b 46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 4c 89
  [ 86.684464] RSP: 0018:ffffa79300b2f7e0 EFLAGS: 00010283
  [ 86.685060] RAX: ffff9aeb6123a008 RBX: 0000000000000ff8 RCX: 0000000000000000
  [ 86.685659] RDX: ffffffffffffffe5 RSI: 0000000000000025 RDI: ffff9aeb6123a02d
  [ 86.686265] RBP: ffffa79300b2f810 R08: 0000000000000025 R09: 0000000000000000
  [ 86.686843] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000025
  [ 86.687366] R13: 0000000000000000 R14: ffff9aeb408d5960 R15: ffffa79300b2f8e4
  [ 86.687888] FS: 0000724d07b47740(0000) GS:ffff9aec77c00000(0000) knlGS:0000000000000000
  [ 86.688416] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 86.688947] CR2: 000000000000001d CR3: 000000012038a004 CR4: 00000000001706f0
  [ 86.689541] Call Trace:
  [ 86.690124] <TASK>
  [ 86.690704] ? show_regs+0x6d/0x80
  [ 86.691256] ? __die+0x24/0x80
  [ 86.691807] ? page_fault_oops+0x99/0x1b0
  [ 86.692426] ? kernelmode_fixup_or_oops.isra.0+0x69/0x90
  [ 86.692991] ? __bad_area_nosemaphore+0x19e/0x2c0
  [ 86.693563] ? find_vma+0x34/0x60
  [ 86.694214] ? bad_area_nosemaphore+0x16/0x30
  [ 86.694835] ? do_user_addr_fault+0x29d/0x670
  [ 86.695439] ? exc_page_fault+0x83/0x1b0
  [ 86.696024] ? asm_exc_page_fault+0x27/0x30
  [ 86.696614] ? memcpy_orig+0x54/0x130
  [ 86.697202] ? ceph_pagelist_append+0x124/0x150 [libceph]
  [ 86.697995] ceph_security_init_secctx+0xce/0x1f0 [ceph]
  [ 86.698733] ceph_new_inode+0x80/0xe0 [ceph]
  [ 86.699484] ceph_atomic_open+0x3b2/0x9d0 [ceph]
  [ 86.700239] ? may_create+0x141/0x150
  [ 86.700903] lookup_open.isra.0+0x3a9/0x570
  [ 86.701534] open_last_lookups+0x14f/0x400
  [ 86.702196] path_openat+0x99/0x2d0
  [ 86.702815] do_filp_open+0xaf/0x170
  [ 86.703475] do_sys_openat2+0xb3/0xe0
  [ 86.704098] __x64_sys_openat+0x55/0xa0
  [ 86.704804] x64_sys_call+0x1eb1/0x25a0
  [ 86.705437] do_syscall_64+0x7f/0x180
  [ 86.706120] ? filemap_map_pages+0x2fe/0x4c0
  [ 86.706792] ? __lruvec_stat_mod_folio+0x70/0xc0
  [ 86.707444] ? do_read_fault+0x112/0x200
  [ 86.708157] ? do_fault+0xf0/0x260
  [ 86.708850] ? handle_pte_fault+0x114/0x1d0
  [ 86.709519] ? __handle_mm_fault+0x654/0x800
  [ 86.710216] ? __count_memcg_events+0x6b/0x120
  [ 86.710884] ? count_memcg_events.constprop.0+0x2a/0x50
  [ 86.711505] ? handle_mm_fault+0xad/0x380
  [ 86.712136] ? do_user_addr_fault+0x334/0x670
  [ 86.712778] ? irqentry_exit_to_user_mode+0x7b/0x260
  [ 86.713433] ? irqentry_exit+0x43/0x50
  [ 86.714111] ? clear_bhb_loop+0x15/0x70
  [ 86.714777] ? clear_bhb_loop+0x15/0x70
  [ 86.715330] ? clear_bhb_loop+0x15/0x70
  [ 86.715844] entry_SYSCALL_64_after_hwframe+0x78/0x80
  [ 86.716378] RIP: 0033:0x724d0791b175
  [ 86.716895] Code: 83 e2 40 75 50 89 f0 f7 d0 a9 00 00 41 00 74 45 80 3d de fe 0e 00 00 74 60 89 da 4c 89 e6 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 7f 00 00 00 48 8b 55 b8 64 48 2b 14 25 28
  [ 86.718058] RSP: 002b:00007ffd9c151d40 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
  [ 86.718648] RAX: ffffffffffffffda RBX: 0000000000000941 RCX: 0000724d0791b175
  [ 86.719225] RDX: 0000000000000941 RSI: 00007ffd9c153635 RDI: 00000000ffffff9c
  [ 86.719833] RBP: 00007ffd9c151db0 R08: 0000000000000000 R09: 0000000000000000
  [ 86.720414] R10: 00000000000001b6 R11: 0000000000000202 R12: 00007ffd9c153635
  [ 86.720982] R13: 0000724d07a03248 R14: 0000000000000000 R15: 0000000000000001
  [ 86.721596] </TASK>

  [ Fix ]

  The issue must be solved by modifying kernel code as follows:

  - In the SELinux hook selinux_dentry_init_security(), remove a faulty
    cast when assigning the context pointer,
    allowing the LSM to populate the context buffer correctly, avoiding
    the NULL pointer dereference
  - In ceph_security_init_secctx(), add the missing encoding of the
    xattr name and its length to the pagelist

  [ Test Plan ]

  The issue can be reproduced (before) and the fix tested (after)
  following the steps below:

  $ sudo snap install microceph
  $ sudo microceph cluster bootstrap
  $ sudo microceph.ceph osd crush rule rm replicated_rule
  $ sudo microceph.ceph osd crush rule create-replicated single default osd
  $ sudo microceph disk add /dev/sdb --wipe
  $ sudo microceph.ceph config set global osd_pool_default_size 1
  $ sudo microceph.ceph osd pool create cephfs_metadata 8
  $ sudo microceph.ceph osd pool create cephfs_data 8
  $ sudo microceph.ceph fs new cephfs cephfs_metadata cephfs_data
  $ sudo apt install selinux-basics selinux-policy-default -y && sudo selinux-activate
  $ sudo reboot
  $ sudo mkdir -p /mnt/cephfs
  $ sudo microceph.ceph auth get-or-create client.admin mon 'allow *' mds 'allow *' osd 'allow *' mgr 'allow *'
  $ sudo mount -t ceph $(hostname -I | awk '{print $1}'):6789:/ /mnt/cephfs -o name=admin,secret=
  $ sudo touch /mnt/cephfs/test.txt
  $ ll /mnt/cephfs/

  [ Regression Potential ]

  This fix modifies how SELinux provides security context data to the
  CephFS client and how that data is encoded for transmission. A
  regression could cause incorrect xattr encoding, resulting in file
  creation failures (EPERM or EIO) or LSM labeling errors. If the
  context pointer is mishandled, memory corruption or crashes may occur.
  Additionally, malformed pagelist encoding could cause client-MDS
  protocol mismatches.

  ---

  Upgraded ceph cluster running ceph to 24.04.2 from Ubuntu 22. Turning
  on selinux (permissive), hit a kernel null reference when mounting
  cephfs and trying to touch a file:

  1. Update cluster to 24.04
  2. Verify ceph is working as intended (able to mount cephFS, write out a file, unmount, etc.)
  3. Installed selinux packages
  4. Added following to grub on all 3 cluster members:
     "audit=1 audit_backlog_limit=8192 panic=10 security=selinux selinux=1 apparmor=0"
  5. Selinux policy is permissive:

     root@ceph0:~# sestatus
     SELinux status: enabled
     SELinuxfs mount: /sys/fs/selinux
     SELinux root directory: /etc/selinux
     Loaded policy name: default
     Current mode: permissive
     Mode from config file: permissive
     Policy MLS status: enabled
     Policy deny_unknown status: allowed
     Memory protection checking: actual (secure)
     Max kernel policy version: 33
     root@ceph0:~#

  6. Mounted ceph fs:
     mount -t ceph [email protected]=/ /var/lib/libvirt/images -o ms_mode=secure
  7. attempted to write a file, did not complete and null reference reported:

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: linux-image-6.8.0-62-generic 6.8.0-62.65
  ProcVersionSignature: Ubuntu 6.8.0-62.65-generic 6.8.12
  Uname: Linux 6.8.0-62-generic x86_64
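
Added example, not part of the original bug report or of any Ubuntu tooling: a Python triage helper that finds this oops signature (a NULL pointer oops whose verified call-trace frames include ceph_security_init_secctx) in dmesg output and checks a kernel release string against the fixed version named in the comment at the top of this notification. The function names, the embedded sample (abridged from the trace in the bug description) and the restriction to 6.8.0-<abi>-generic release strings are assumptions of this example.

```python
import re

# First Noble upload carrying the fix, per the changelog comment in this thread
# (6.8.0-81.81, i.e. ABI 81). Assumption: only "-generic" 6.8.0 releases are judged.
FIXED_ABI = 81
OOPS = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
FRAME = re.compile(r"\]\s+(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Sample input: abridged from the trace in the bug description.
SAMPLE = """\
[ 86.678570] BUG: kernel NULL pointer dereference, address: 000000000000001d
[ 86.681558] CPU: 0 PID: 2818 Comm: touch Not tainted 6.8.0-62-generic #65-Ubuntu
[ 86.682716] RIP: 0010:memcpy_orig+0x54/0x130
[ 86.689541] Call Trace:
[ 86.690124] <TASK>
[ 86.696614] ? memcpy_orig+0x54/0x130
[ 86.697202] ? ceph_pagelist_append+0x124/0x150 [libceph]
[ 86.697995] ceph_security_init_secctx+0xce/0x1f0 [ceph]
[ 86.698733] ceph_new_inode+0x80/0xe0 [ceph]
[ 86.699484] ceph_atomic_open+0x3b2/0x9d0 [ceph]
[ 86.721596] </TASK>
"""

def kernel_has_fix(release):
    """True/False for a Noble '6.8.0-<abi>-generic' release; None for any other series."""
    m = re.fullmatch(r"6\.8\.0-(\d+)-generic", release)
    return int(m.group(1)) >= FIXED_ABI if m else None

def find_ceph_secctx_oopses(dmesg_text):
    """Return NULL-deref oopses whose verified frames include ceph_security_init_secctx."""
    hits, cur = [], None
    for line in dmesg_text.splitlines():
        start = OOPS.search(line)
        if start:
            cur = {"address": start.group(1), "comm": None, "frames": []}
        elif cur is not None:
            comm = re.search(r"Comm: (\S+)", line)
            frame = FRAME.search(line)
            if comm:
                cur["comm"] = comm.group(1)
            if frame and not frame.group(1):  # '? ' marks unverified stack entries
                cur["frames"].append(frame.group(2))
            if "</TASK>" in line:
                if "ceph_security_init_secctx" in cur["frames"]:
                    hits.append(cur)
                cur = None
    return hits
```

Pass it the text printed by dmesg; a hit on a host where kernel_has_fix() returns False for the running release matches the condition described in this report.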

