Crashing with CPU soft lock on GA kernel 5.15.0.79.76 and HWE kernel 5.19.0-46.47-22.04.1

The problem is the missing start of the issue. What is there indicates that the VM ran into a page fault situation and is stuck in a lock. From other reports the console display might be part of a soft cpu lockup detected message. This is often the result of a previous crash (which leaves locks in locked state). Would it be possible to reset a stuck instance and retrieve the rotated journal?

The other problem is that the virtualization stack cannot really be deducted from the given info. There is at least one level of VM. The instance in openstack. Question: is the juju "machine" a secondary VM on the openstack instance? The available trace suggests that the lockup occurred on an AMD CPU. This is relevant for VMs as Intel and AMD use different virt. extensions (SVM vs VMX).

Other note on 5.19: the HWE kernel rolled to 6.2 with 22.04.3. I know this could result in other issues but maybe it is one possible option for the current situation.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 2032176

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

Machine with the HWE kernel 5.19.0-46.47-22.04.1 has been stable in the past two days.
Four machine with the GA kernel 5.15.0.79.76 has crashed again.

One of the machine with the GA kernel 5.15.0.79.76 was rebooted and the logs are collected.
I have also ran `apport-collect 2032176` within the machine.

openstack console logs: https://pastebin.canonical.com/p/xVnhKd3fRR/

The kern.log is attached.

Also the syslog for the same machine.

So this looks to be the origin of the lockup (extracted from kernel.log):

[ 117.132909] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 117.133529] #PF: supervisor write access in kernel mode
[ 117.133968] #PF: error_code(0x0002) - not-present page
[ 117.134383] PGD 0 P4D 0
[ 117.134570] Oops: 0002 [#1] SMP NOPTI
[ 117.134810] CPU: 0 PID: 6720 Comm: qemu-system-x86 Tainted: P O 5.15.0-83-generic #92-Ubuntu
[ 117.135424] Hardware name: OpenStack Foundation OpenStack Nova, BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 117.135987] RIP: 0010:handle_removed_tdp_mmu_page+0x88/0x280 [kvm]
[ 117.136483] Code: 8b 40 28 83 e3 0f 48 89 45 a8 0f 1f 44 00 00 41 0f b6 c5 89 45 b4 45 84 ed 0f 85 b8 01 00 00 48 8b 7d b8 48 8b 47 08 48 8b 17 <48> 89 42 08 48 89 10 44 0f b6 67 23 48 b8 00 01 00 00 00 00 ad de
[ 117.137696] RSP: 0018:ffffa85380c5b7f0 EFLAGS: 00010246
[ 117.138054] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 000000000000001e
[ 117.138531] RDX: 0000000000000000 RSI: ffff8e4e0cb04000 RDI: ffff8e4e0caf5398
[ 117.139015] RBP: ffffa85380c5b858 R08: 0000000000000000 R09: 0000000000000003
[ 117.139488] R10: 000000000cb04800 R11: 0000000000000000 R12: 000000010cb04827
[ 117.139938] R13: 0000000000000001 R14: ffffa85381781000 R15: 000000010cb04801
[ 117.140407] FS: 00007fa8515be640(0000) GS:ffff8e5813c00000(0000) knlGS:0000000000000000
[ 117.140920] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 117.141286] CR2: 0000000000000008 CR3: 00000001101fa000 CR4: 0000000000350ef0
[ 117.141744] Call Trace:
[ 117.141909] <TASK>
[ 117.142063] ? show_trace_log_lvl+0x1d6/0x2ea
[ 117.142349] ? show_trace_log_lvl+0x1d6/0x2ea
[ 117.142632] ? __handle_changed_spte+0x1bc/0x3f0 [kvm]
[ 117.142997] ? show_regs.part.0+0x23/0x29
[ 117.143259] ? __die_body.cold+0x8/0xd
[ 117.143505] ? __die+0x2b/0x37
[ 117.143707] ? page_fault_oops+0x13b/0x170
[ 117.143974] ? kvm_make_all_cpus_request_except+0xca/0x120 [kvm]
[ 117.144400] ? do_user_addr_fault+0x321/0x670
[ 117.144701] ? exc_page_fault+0x77/0x170
[ 117.144986] ? asm_exc_page_fault+0x27/0x30
[ 117.145292] ? handle_removed_tdp_mmu_page+0x88/0x280 [kvm]
[ 117.145709] __handle_changed_spte+0x1bc/0x3f0 [kvm]
[ 117.146086] ? update_load_avg+0x82/0x620
[ 117.146375] handle_removed_tdp_mmu_page+0x138/0x280 [kvm]
[ 117.146787] __handle_changed_spte+0x1bc/0x3f0 [kvm]
[ 117.147166] ? psi_task_switch+0xc6/0x220
[ 117.147455] ? tdp_iter_refresh_sptep+0x90/0x90 [kvm]
[ 117.147891] zap_gfn_range+0x216/0x360 [kvm]
[ 117.148235] ? __traceiter_kvm_test_age_hva+0x40/0x40 [kvm]
[ 117.148647] kvm_tdp_mmu_zap_invalidated_roots+0x5b/0xb0 [kvm]
[ 117.149076] kvm_mmu_zap_all_fast+0x18e/0x1c0 [kvm]
[ 117.149451] kvm_mmu_invalidate_zap_pages_in_memslot+0xe/0x20 [kvm]
[ 117.149907] kvm_page_track_flush_slot+0x59/0x90 [kvm]
[ 117.150849] kvm_arch_flush_shadow_memslot+0xe/0x20 [kvm]
[ 117.151813] kvm_set_memslot+0x36f/0x600 [kvm]
[ 117.152897] kvm_delete_memslot+0x65/0x90 [kvm]
[ 117.153756] __kvm_set_memory_region+0x440/0x7c0 [kvm]
[ 117.154633] ? _copy_to_user+0x20/0x30
[ 117.155396] ? kvm_get_dirty_log_protect+0x1de/0x290 [kvm]
[ 117.1563...

If the kernel.log came from the same instance as the cpu info, this happened on an AMD CPU instance. Are there any Intel CPU hosts available in that openstack domain and if yes would it be possible to let the same 5.15.0-83-generic be used on that for a juju runner?
If that does not crash we could greatly limit the scope to search for changes to SVM. Otherwise it would be the wider area of generic memory management.

I dug a little deeper and this is possibly a missing fixup to the patches added for fixing CVE-2023-0597 ("x86/mm: Randomize per-cpu entry area"). This pulled in the following change as a pre-req:

commit e131d62bc709a4aa437bd92686d95a8c96227ed7
Author: Andrey Ryabinin <email address hidden>
Date: Thu Jun 8 05:10:51 2023 +0300

    x86/kasan: Map shadow for percpu pages on demand

This had a couple of fixups but we seem to miss the following:

commit 1cfaac2400c73378e78182a706be0f3ac8b93cd7
Author: Sean Christopherson <email address hidden>
Date: Thu Nov 10 20:35:04 2022 +0000

    x86/kasan: Populate shadow for shared chunk of the CPU entry area

    Popuplate the shadow for the shared portion of the CPU entry area, i.e.
    the read-only IDT mapping, during KASAN initialization. A recent change
    modified KASAN to map the per-CPU areas on-demand, but forgot to keep a
    shadow for the common area that is shared amongst all CPUs.

    Map the common area in KASAN init instead of letting idt_map_in_cea() do
    the dirty work so that it Just Works in the unlikely event more shared
    data is shoved into the CPU entry area.

    The bug manifests as a not-present #PF when software attempts to lookup
    an IDT entry, e.g. when KVM is handling IRQs on Intel CPUs (KVM performs
    direct CALL to the IRQ handler to avoid the overhead of INTn):

     BUG: unable to handle page fault for address: fffffbc0000001d8
     #PF: supervisor read access in kernel mode
     #PF: error_code(0x0000) - not-present page
     PGD 16c03a067 P4D 16c03a067 PUD 0
     Oops: 0000 [#1] PREEMPT SMP KASAN
  ...

However the Oops we see has no KASAN set, so I am not completely sure. If I would provide an unsigned(!) test kernel in a PPA, would you be able to get that installed in a juju runner manually?

We can get a few application with the unsigned test kernel running on the staging env, and see whether they are stable over a few days.
Can you provide us the PPA for the kernel?

I have uploaded a test kernel to ppa:smb/jammy (https://launchpad.net/~smb/+archive/ubuntu/jammy). The build is still ongoing at this time.

Something that could be attempted in parallel to follow a different hint: Deploy a second instance and for that openstack instance create a file /etc/modprobe.d/kvm.conf with the following line:

options kvm tdp_mmu=false

Instead of "false" I hear "0" might work. For me "false" was good. In any way, when you reboot the instance you should get a "N" from "cat /sys/module/kvm/parameters/tdp_mmu". Then you could deploy the juju runner VM inside the openstack instance and see how that works.

It seems the build failed for https://launchpad.net/~smb/+archive/ubuntu/jammy. I tried the PPA but it seem I was unable to install `linux-generic` due to:
```
Package linux-image-5.15.0-83-generic is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
```

I have 5 instances of the charm with the VM set to tdp_mmu=false. I have check the output is "N" for "cat /sys/module/kvm/parameters/tdp_mmu" on all the VM. Because I do not have direct access to the openstack instance, I can only create the juju application, get the instance allocated, then set the tdp_mmu config and reboot.

The build PPA has been fixed up now. Sorry about that.

I have managed to reproduce this by using a large openstack instance (64GiB on an AMD CPU that will use SVM as virtualization technology) and creating an LXD VM with large amounts of memory (32GiB). Then starting and stopping the VM in a loop reproduces the issue. I am running it with tdp_mmu off and so far, I haven't seen it fail.

Given that tdp_mmu may set set as off by default on 5.15.y upstream (see https://<email address hidden>/), this might be the solution for this issue now on our 5.15 trees.

I will test 6.2 with the "reproducer" and we can look into any necessary arrangements on that version as well.

As for 5.19, we don't plan for any updates there anymore.

Cascardo.

Confirmed that I could not reproduce with tdp_mmu=0 and neither with 6.2.

Confirm the instances with tdp_mmu=0 does not seem to crash. Had 5 instances running for 4 days.

We are still seeing this issue on 5.15.0-82-generic for 22.04 (Jammy)

Since the (Ubuntu Jammy) is on Fix Committed and not Fix Released, I would assume this is normal right? And the Fix Released status on (Ubuntu) means the bug is not present on other Ubuntu versions?

Right, fix-committed means it is applied to git and will be included in the 2023.09.04 SRU cycle. The fix for 5.15 is to change the default of tdp_mmu to off (like you did for testing). Changing the deployments like you did would be the work-around in the mean-time.

The parent Ubuntu state refers to current development (Mantic right now). This should be fixed. This would leave Lunar (6.2). That should at least contain improvements to leave this enabled by default. And I read Thadeu's comment as he was not able to reproduce with 6.2 (to me it sounded like without changing the value there, but it is a bit ambigous).

This bug is awaiting verification that the linux/5.15.0-85.95 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux' to 'verification-done-jammy-linux'. If the problem still exists, change the tag 'verification-needed-jammy-linux' to 'verification-failed-jammy-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Currently, testing out the linux/5.15.0-85.95 version of kernel.

No crashes observed with the proposed kernel. Changed the tag to 'verification-done-jammy-linux'.

Hi, is there a timeline on when this patch will reach the general availability kernel?

This bug was fixed in the package linux - 5.15.0-86.96

---------------
linux (5.15.0-86.96) jammy; urgency=medium

  * jammy/linux: 5.15.0-86.96 -proposed tracker (LP: #2036575)

  * 5.15.0-85 live migration regression (LP: #2036675)
    - Revert "KVM: x86: Always enable legacy FP/SSE in allowed user XFEATURES"
    - Revert "x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0"

  * Regression for ubuntu_bpf test build on Jammy 5.15.0-85.95 (LP: #2035181)
    - selftests/bpf: fix static assert compilation issue for test_cls_*.c

  * `refcount_t: underflow; use-after-free.` on hidon w/ 5.15.0-85-generic
    (LP: #2034447)
    - crypto: rsa-pkcs1pad - Use helper to set reqsize

linux (5.15.0-85.95) jammy; urgency=medium

  * jammy/linux: 5.15.0-85.95 -proposed tracker (LP: #2033821)

  * Please enable Renesas RZ platform serial installer (LP: #2022361)
    - [Config] enable hihope RZ/G2M serial console
    - [Config] Mark sh-sci as built-in

  * Request backport of xen timekeeping performance improvements (LP: #2033122)
    - x86/xen/time: prefer tsc as clocksource when it is invariant

  * kdump doesn't work with UEFI secure boot and kernel lockdown enabled on
    ARM64 (LP: #2033007)
    - [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG
    - kexec, KEYS: make the code in bzImage64_verify_sig generic
    - arm64: kexec_file: use more system keyrings to verify kernel image signature

  * ubuntu_kernel_selftests:net:vrf-xfrm-tests.sh: 8 failed test cases on
    jammy/fips (LP: #2019880)
    - selftests: net: vrf-xfrm-tests: change authentication and encryption algos

  * ubuntu_kernel_selftests:net:tls: 88 failed test cases on jammy/fips
    (LP: #2019868)
    - selftests/harness: allow tests to be skipped during setup
    - selftests: net: tls: check if FIPS mode is enabled

  * A general-proteciton exception during guest migration to unsupported PKRU
    machine (LP: 2032164, reverted)
    - x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0
    - KVM: x86: Always enable legacy FP/SSE in allowed user XFEATURES

  * CVE-2023-4569
    - netfilter: nf_tables: deactivate catchall elements in next generation

  * CVE-2023-20569
    - x86/cpu, kvm: Add support for CPUID_80000021_EAX
    - x86/srso: Add a Speculative RAS Overflow mitigation
    - x86/srso: Add IBPB_BRTYPE support
    - x86/srso: Add SRSO_NO support
    - x86/srso: Add IBPB
    - x86/srso: Add IBPB on VMEXIT
    - x86/srso: Fix return thunks in generated code
    - x86/srso: Tie SBPB bit setting to microcode patch detection
    - x86: fix backwards merge of GDS/SRSO bit
    - x86/srso: Fix build breakage with the LLVM linker
    - x86/cpu: Fix __x86_return_thunk symbol type
    - x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
    - x86/alternative: Make custom return thunk unconditional
    - objtool: Add frame-pointer-specific function ignore
    - x86/ibt: Add ANNOTATE_NOENDBR
    - x86/cpu: Clean up SRSO return thunk mess
    - x86/cpu: Rename original retbleed methods
    - x86/cpu: Rename srso_(.*)_alias to srso_alias_\1
    - x86/cpu: Cleanup the untrain mess
    - x86/srso: Explain the untraining sequences a bit more
    - x86/static_call:...

This bug is awaiting verification that the linux-azure/5.15.0-1050.57 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-azure' to 'verification-done-jammy-linux-azure'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure' to 'verification-failed-jammy-linux-azure'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux-aws/5.15.0-1048.53 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-aws' to 'verification-done-jammy-linux-aws'. If the problem still exists, change the tag 'verification-needed-jammy-linux-aws' to 'verification-failed-jammy-linux-aws'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux-nvidia-tegra/5.15.0-1018.18 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-tegra' to 'verification-done-jammy-linux-nvidia-tegra'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-tegra' to 'verification-failed-jammy-linux-nvidia-tegra'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux-raspi/5.15.0-1040.43 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-raspi' to 'verification-done-jammy-linux-raspi'. If the problem still exists, change the tag 'verification-needed-jammy-linux-raspi' to 'verification-failed-jammy-linux-raspi'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux-bluefield/5.15.0-1027.29 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-bluefield' to 'verification-done-jammy-linux-bluefield'. If the problem still exists, change the tag 'verification-needed-jammy-linux-bluefield' to 'verification-failed-jammy-linux-bluefield'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux-nvidia-tegra-igx/5.15.0-1005.5 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-tegra-igx' to 'verification-done-jammy-linux-nvidia-tegra-igx'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-tegra-igx' to 'verification-failed-jammy-linux-nvidia-tegra-igx'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux-nvidia-tegra-5.15/5.15.0-1018.18~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-nvidia-tegra-5.15' to 'verification-done-focal-linux-nvidia-tegra-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-nvidia-tegra-5.15' to 'verification-failed-focal-linux-nvidia-tegra-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux-xilinx-zynqmp/5.15.0-1025.29 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-xilinx-zynqmp' to 'verification-done-jammy-linux-xilinx-zynqmp'. If the problem still exists, change the tag 'verification-needed-jammy-linux-xilinx-zynqmp' to 'verification-failed-jammy-linux-xilinx-zynqmp'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux-mtk/5.15.0-1030.34 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-mtk' to 'verification-done-jammy-linux-mtk'. If the problem still exists, change the tag 'verification-needed-jammy-linux-mtk' to 'verification-failed-jammy-linux-mtk'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!