#21435 closed defect (fixed)
Vboxdrv module triggers IBT protection. VM's fail to start
| Reported by: | bepaald | Owned by: | |
|---|---|---|---|
| Component: | other | Version: | VirtualBox-7.0.6 |
| Keywords: | vboxdrv IBT | Cc: | |
| Guest type: | all | Host type: | Linux |
Description
This has been a problem for a while: The vboxdrv triggers IBT (indirect branch tracking) protection on modern Intel cpu's. This causes the VM to refuse to load.
Disabling IBT (booting the kernel with ibt=off) will make the problem disappear, but the protections are there for a reason. IBT is enabled by default on Arch Linux, but I believe IBT will be enabled by default in the upcoming 6.2 linux kernel release for Intel CPU's from the 11th generation up to the current (13th) gen. More and more CPU's will be affected.
A full log from trying to start a VM is attached. Though it is very short, nothing more happens. Also attached is dmesg output showing the protection being triggered in the kernel when starting a VM.
A bug report was also made filed with the kernel (https://bugzilla.kernel.org/show_bug.cgi?id=216102) and in Arch (https://bugs.archlinux.org/task/75481), but the latter suggested to file a bug with Virtualbox, which is what I'm doing now. Please let me know if I can provide more information.
Thanks!
Attachments (4)
Change History (15)
by , 15 months ago
by , 13 months ago
| Attachment: | vbox-fail-ibt.log added |
|---|
by , 13 months ago
| Attachment: | vbox-fail-ibt-kernel.log added |
|---|
comment:1 by , 13 months ago
After having waited nearly a year since kernel 6.18 introduced IBT, for nVidia to get their act together and support IBT in their proprietary modules (530.41.03 finally!) I come to realize that the latest Virtualbox 7.0.6 fails with IBT enabled.
This has been the default config as of kernel 6.2.x. Currently running 6.2.7 here.
Log and journal errors attached, though they are effectively the same as the reporter's.
What is the status here? Can we expect IBT support in Virtualbox 7.0.8? Is it supported in the latest test builds?
comment:2 by , 11 months ago
Virtualbox 7.0.8 also fails to launch with IBT enabled (the default kernel config).
System journal errors are consistent with kernel modules being built without support for Indirect Branch Tracking.
May 20 08:50:12 kernel: traps: Missing ENDBR: 0xffffa99507f4a430 May 20 08:50:12 kernel: kernel BUG at arch/x86/kernel/traps.c:255! May 20 08:50:12 kernel: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
This has been the default kernel config on Arch Linux for 14 months now, and will soon be the default in Debian, Ubuntu, etc.
Can we expect IBT support in Virtualbox 7.0.10? Is it supported in the latest test builds?
comment:3 by , 11 months ago
I am facing the same issue. I need to disable IBT in order to get my VM to boot.
I encourage VirtualBox developers to support IBT.
comment:4 by , 11 months ago
Looks like fedora users are starting to run into this issue as well:
https://forums.virtualbox.org/viewtopic.php?t=109458
Original ongoing thread tracking each version of VB that still does _not_ support IBT:
https://forums.virtualbox.org/viewtopic.php?t=108948
Here's hoping for 7.0.10. I'll update here and forums when released.
comment:5 by , 11 months ago
A duplicate of this bug was filed in the issue tracker:
https://www.virtualbox.org/ticket/21698
And yet another forum thread in which IBT was again the culprit:
https://forums.virtualbox.org/viewtopic.php?t=109439
See original thread: https://forums.virtualbox.org/viewtopic.php?t=108948
comment:6 by , 10 months ago
Also several linked reports of this problem in this thread:
https://forums.virtualbox.org/viewtopic.php?t=109488
This seems to be a systematic issue that needs to be solved. I'm not a developer but am happy to help test a fix on my Fedora system if available.
comment:7 by , 10 months ago
Hi!
Any backport in 6.1 appreciated 🙂
I'm using VirtualBox 6.1 on Fedora Linux 37 with Vagrant 2.2 And just lost 2 days figuring out why, after kernel upgrade 6.2 => 6.3, VirtalBox was completely stuck.
Disabling kernel's IBT did the trick at the moment, but I'm not comfortable with disabling security feature to make things work… 😕
comment:8 by , 9 months ago
Unfortunately it's not possible to safely enable IBT completely with 6.1. Please consider upgrading to VirtualBox 7.0.
The code for the Oracle Extension Pack in version 6.1 is built (for compatibility reasons) using a much too old gcc, which means if you have EHCI, xHCI or NVMe enabled you'll run into crashes even with 6.1 packages which are built with a new enough gcc. Likewise you need to stay away from the distribution agnostic .run package, because that's also built with a too old gcc.
Best is to use the upcoming 7.0.10 release.
comment:9 by , 9 months ago
To be clear: 6.1.46 should be usable with enabled IBT if you use the deb/rpm installer package (or build it yourself) for a distribution which has a new enough gcc (around version 8.x or later IIRC) and you can avoid using the extension pack.
follow-up: 11 comment:10 by , 9 months ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Hello,
We just released VirtualBox 7.0.10. This issue should be fixed in this release. Culd you please give it a try? Packages are available on our downloads page.
Please note limited support for 6.1 version (packages are here https://www.virtualbox.org/wiki/Download_Old_Builds_6_1).
comment:11 by , 9 months ago
Replying to galitsyn:
Hello,
We just released VirtualBox 7.0.10. This issue should be fixed in this release. Culd you please give it a try?
Confirmed resolved here. Thanks for addressing this!
VBox log