
   linux.debian.kernel      Debian kernel discussions      2,884 messages   


   Message 2,331 of 2,884   
   Salvatore Bonaccorso to Simon Marsh   
   Bug#1125711: Kernel oops / NULL pointer    
   16 Jan 26 22:50:01   
   
   XPost: linux.debian.bugs.dist   
   From: carnil@debian.org   
      
   Control: tags -1 + moreinfo   
      
   Hi Simon,   
      
   On Fri, Jan 16, 2026 at 01:55:17PM +0000, Simon Marsh wrote:   
   > Package: linux-image   
   > Version: 6.17+   
   > Severity: important   
   >   
   > Kernel oops following NULL pointer dereference in aa_file_perm() when   
   > running containers with podman + crun under Incus, triggered during   
   > UNIX socket file-descriptor passing (SCM_RIGHTS).   
   >   
   > This appears to be an AppArmor regression somewhere around 6.17, and   
   > seems likely related to AppArmor AF_UNIX mediation and refactoring?   
   >   
   > https://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor.git/commit/?h=apparmor-next&id=c05e705812d179f4b85aeacc34a555a42bc4f9ac   
   >   
   > Confirmed not working: 6.17.8+deb13, 6.18.4 (non debian kernel)   
   > Confirmed working: 6.16.12+deb13   
   >   
   > Steps I used to reproduce:   
   >   
   > - Starting with a clean Debian 13/Trixie install (VM or bare metal)   
   > running kernel version >= ~6.17   
   > - Install Incus (latest 6.20 for reference)   
   > - Create a non-privileged debian 13 container under incus with   
   > 'security.nesting=true' enabled   
   > - Install podman into the incus container (from debian distribution   
   > v5.4.2 / apt get podman)   
   > - Attempt to run a rootful woodpecker-ci pod:   
   >   
   > # podman run --rm -v /run/podman/podman.sock:/var/run/docker.sock -e   
   > 'WOODPECKER_SERVER=xxxxx' -e 'WOODPECKER_AGENT_SECRET=xxxx' -p   
   > 3000:3000 docker.io/woodpeckerci/woodpecker-agent:v3   
   >   
   > Key points that trigger the issue:   
   >  - Podman is running nested inside a non-privileged container   
   >  - The podman container bind mounts the /run/podman/podman.sock UNIX   
   > socket (this is within the incus container)   
   >  - Accessing the podman UNIX socket from within the nested podman   
   > container is what triggers the oops   
   >   
   > What does work:   
   >  - Podman on its own without nesting works fine   
   >  - Using crun instead of runc (I understand crun makes more use of FD   
   > passing which is what appears to trigger the issue)   
   >  - Kernels earlier than 6.17   
   >   
   > Full trace below   
   >   
   > Jan 16 11:06:59 incus-podman kernel: BUG: kernel NULL pointer   
   > dereference, address: 0000000000000018   
   > Jan 16 11:06:59 incus-podman kernel: #PF: supervisor read access in kernel mode   
   > Jan 16 11:06:59 incus-podman kernel: #PF: error_code(0x0000) - not-present page   
   > Jan 16 11:06:59 incus-podman kernel: PGD 0 P4D 0   
   > Jan 16 11:06:59 incus-podman kernel: Oops: Oops: 0000 [#1] SMP PTI   
   > Jan 16 11:06:59 incus-podman kernel: CPU: 1 UID: 1000000 PID: 981   
   > Comm: crun Not tainted 6.18.4-zabbly+ #debian13 PREEMPT(voluntary)   
   > Jan 16 11:06:59 incus-podman kernel: Hardware name: QEMU Standard PC   
   > (Q35 + ICH9, 2009)/Incus, BIOS unknown 02/02/2022   
   > Jan 16 11:06:59 incus-podman kernel: RIP: 0010:aa_file_perm+0xc0/0x5d0   
   > Jan 16 11:06:59 incus-podman kernel: Code: 45 31 c9 c3 cc cc cc cc 49   
   > 8b 46 20 41 8b 57 10 0f b7 00 66 25 00 f0 66 3d 00 c0 75 1c 41 f7 c4   
   > 46 00 10 00   
   > 75 13 49 8b 46 18 <48> 8b 40 18 66 83 78 10 01 0f 84 d9 02 00 00 89 d0   
   > f7 d0 44 21 e0   
   > Jan 16 11:06:59 incus-podman kernel: RSP: 0018:ffffcc4900efb5f0 EFLAGS: 00010246   
   > Jan 16 11:06:59 incus-podman kernel: RAX: 0000000000000000 RBX:   
   > ffff898294ff8180 RCX: ffff898283610b40   
   > Jan 16 11:06:59 incus-podman kernel: RDX: 0000000000000000 RSI:   
   > ffff898282ae13c0 RDI: ffffffffa88e8430   
   > Jan 16 11:06:59 incus-podman kernel: RBP: ffffcc4900efb6a0 R08:   
   > 0000000000000000 R09: 0000000000000000   
   > Jan 16 11:06:59 incus-podman kernel: R10: 0000000000000000 R11:   
   > 0000000000000000 R12: 0000000000000000   
   > Jan 16 11:06:59 incus-podman kernel: R13: ffff898294ff8180 R14:   
   > ffff898283610b40 R15: ffff898282e6d3d0   
   > Jan 16 11:06:59 incus-podman kernel: FS:  00007f3616418840(0000)   
   > GS:ffff898340c3c000(0000) knlGS:0000000000000000   
   > Jan 16 11:06:59 incus-podman kernel: CS:  0010 DS: 0000 ES: 0000 CR0:   
   > 0000000080050033   
   > Jan 16 11:06:59 incus-podman kernel: CR2: 0000000000000018 CR3:   
   > 0000000103626002 CR4: 0000000000372ef0   
   > Jan 16 11:06:59 incus-podman kernel: Call Trace:   
   > Jan 16 11:06:59 incus-podman kernel:     
   > Jan 16 11:06:59 incus-podman kernel:  ? __slab_free+0xdf/0x2c0   
   > Jan 16 11:06:59 incus-podman kernel:  common_file_perm+0x69/0x1b0   
   > Jan 16 11:06:59 incus-podman kernel:  apparmor_file_receive+0x42/0x80   
   > Jan 16 11:06:59 incus-podman kernel:  security_file_receive+0x4a/0x120   
   > Jan 16 11:06:59 incus-podman kernel:  receive_fd+0x1d/0xf0   
   > Jan 16 11:06:59 incus-podman kernel:  scm_detach_fds+0xad/0x1c0   
   > Jan 16 11:06:59 incus-podman kernel:  __scm_recv_common.isra.0+0x66/0x180   
   > Jan 16 11:06:59 incus-podman kernel:  scm_recv_unix+0x30/0x130   
   > Jan 16 11:06:59 incus-podman kernel:  ? unix_destroy_fpl+0x3a/0xa0   
   > Jan 16 11:06:59 incus-podman kernel:  __unix_dgram_recvmsg+0x2ac/0x450   
   > Jan 16 11:06:59 incus-podman kernel:  unix_seqpacket_recvmsg+0x43/0x70   
   > Jan 16 11:06:59 incus-podman kernel:  sock_recvmsg+0xe1/0xf0   
   > Jan 16 11:06:59 incus-podman kernel:  ____sys_recvmsg+0xa0/0x230   
   > Jan 16 11:06:59 incus-podman kernel:  ___sys_recvmsg+0xc7/0xf0   
   > Jan 16 11:06:59 incus-podman kernel:  __sys_recvmsg+0x89/0x100   
   > Jan 16 11:06:59 incus-podman kernel:  __x64_sys_recvmsg+0x1d/0x30   
   > Jan 16 11:06:59 incus-podman kernel:  x64_sys_call+0x840/0x2350   
   > Jan 16 11:06:59 incus-podman kernel:  do_syscall_64+0x80/0x590   
   > Jan 16 11:06:59 incus-podman kernel:  ? ___sys_recvmsg+0xd2/0xf0   
   > Jan 16 11:06:59 incus-podman kernel:  ? ____sys_recvmsg+0x10e/0x230   
   > Jan 16 11:06:59 incus-podman kernel:  ? __sys_recvmsg+0x89/0x100   
   > Jan 16 11:06:59 incus-podman kernel:  ? __x64_sys_recvmsg+0x1d/0x30   
   > Jan 16 11:06:59 incus-podman kernel:  ? x64_sys_call+0x840/0x2350   
   > Jan 16 11:06:59 incus-podman kernel:  ? do_syscall_64+0xb8/0x590   
   > Jan 16 11:06:59 incus-podman kernel:  ? __sys_recvmsg+0x89/0x100   
   > Jan 16 11:06:59 incus-podman kernel:  ? __x64_sys_recvmsg+0x1d/0x30   
   > Jan 16 11:06:59 incus-podman kernel:  ? x64_sys_call+0x840/0x2350   
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
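
Added example, not part of the original message or of any Debian or kernel tooling: a small triage script that checks whether a journal excerpt matches the oops reported above (NULL-page fault with RIP in aa_file_perm, reached through the SCM_RIGHTS receive path). The function names and the 4096-byte "NULL page" threshold are assumptions of this example; the sample lines are an excerpt of the quoted trace with wrapped lines rejoined.

```python
import re

# Excerpt of the trace quoted in this message (wrapped lines rejoined).
SAMPLE = """\
Jan 16 11:06:59 incus-podman kernel: BUG: kernel NULL pointer dereference, address: 0000000000000018
Jan 16 11:06:59 incus-podman kernel: CPU: 1 UID: 1000000 PID: 981 Comm: crun Not tainted 6.18.4-zabbly+ #debian13 PREEMPT(voluntary)
Jan 16 11:06:59 incus-podman kernel: RIP: 0010:aa_file_perm+0xc0/0x5d0
Jan 16 11:06:59 incus-podman kernel: Call Trace:
Jan 16 11:06:59 incus-podman kernel:  ? __slab_free+0xdf/0x2c0
Jan 16 11:06:59 incus-podman kernel:  common_file_perm+0x69/0x1b0
Jan 16 11:06:59 incus-podman kernel:  apparmor_file_receive+0x42/0x80
Jan 16 11:06:59 incus-podman kernel:  security_file_receive+0x4a/0x120
Jan 16 11:06:59 incus-podman kernel:  receive_fd+0x1d/0xf0
Jan 16 11:06:59 incus-podman kernel:  scm_detach_fds+0xad/0x1c0
Jan 16 11:06:59 incus-podman kernel:  ? do_syscall_64+0xb8/0x590
"""

PREFIX = re.compile(r"^.*? kernel: ")          # journal timestamp/host prefix
FRAME = re.compile(r"^ (\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Reliable frames that must appear, in this order, for the fd-receive path.
SIGNATURE = ["apparmor_file_receive", "security_file_receive",
             "receive_fd", "scm_detach_fds"]

def parse_oops(text):
    """Extract fault address, faulting symbol, task name and reliable frames."""
    info = {"addr": None, "rip": None, "comm": None, "frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1).rstrip()
        if m := re.search(r"NULL pointer dereference, address: ([0-9a-f]+)", line):
            info["addr"] = int(m.group(1), 16)
        elif m := re.match(r"RIP: [0-9a-f]+:([\w.]+)\+0x", line):
            info["rip"] = m.group(1)
        elif m := re.search(r"\bComm: (\S+)", line):
            info["comm"] = m.group(1)
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME.match(line)) and not m.group(1):
            info["frames"].append(m.group(2))   # "? " entries are unreliable, skipped
    return info

def matches_report(info):
    """True for a NULL-page fault in aa_file_perm reached via fd receive."""
    it = iter(info["frames"])
    ordered = all(sym in it for sym in SIGNATURE)   # in-order subsequence check
    # Assumption: any fault address below 4096 is treated as a NULL-page access.
    return (info["rip"] == "aa_file_perm" and info["addr"] is not None
            and info["addr"] < 4096 and ordered)
```

Feeding it the output of `journalctl -k` from an affected host gives a quick yes/no on whether a crash is this bug or a different AppArmor fault.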
