** Also affects: linux (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
       Status: New => In Progress

** Changed in: linux (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => gerald.yang (gerald-yang-tw)

** Changed in: linux (Ubuntu Jammy)
     Assignee: (unassigned) => gerald.yang (gerald-yang-tw)

** Changed in: linux (Ubuntu Jammy)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2104326

Title:
  Removing the floppy kernel module causes a null pointer dereference

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Jammy:
  In Progress

Bug description:
  BugLink: https://bugs.launchpad.net/bugs/2104326

  [Impact]

  Removing the floppy kernel module with "modprobe -r floppy" causes the
  following oops:

  [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
  [   26.615036] FDC 0 is a S82078B
  [   37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
  [   37.356898] #PF: supervisor read access in kernel mode
  [   37.357306] #PF: error_code(0x0000) - not-present page
  [   37.357671] PGD 0 P4D 0
  [   37.357873] Oops: 0000 [#1] SMP NOPTI
  [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
  [   37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
  [   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
  [   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
  [   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
  [   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
  [   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
  [   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  [   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
  [   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
  [   37.365063] PKRU: 55555554
  [   37.365276] Call Trace:
  [   37.365474]  <TASK>
  [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.366275]  ? device_release+0x38/0xa0
  [   37.366555]  ? show_regs.part.0+0x23/0x29
  [   37.366857]  ? __die_body.cold+0x8/0xd
  [   37.367143]  ? __die+0x2b/0x37
  [   37.367382]  ? page_fault_oops+0x13b/0x170
  [   37.367682]  ? do_user_addr_fault+0x313/0x640
  [   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
  [   37.368322]  ? __call_rcu+0xa8/0x270
  [   37.368592]  ? exc_page_fault+0x77/0x170
  [   37.368882]  ? asm_exc_page_fault+0x27/0x30
  [   37.369190]  ? device_release+0x26/0xa0
  [   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
  [   37.369792]  ? disk_release+0x31/0x80
  [   37.370060]  device_release+0x38/0xa0
  [   37.370337]  kobject_cleanup+0x3e/0x150
  [   37.370623]  kobject_put+0x5b/0x80
  [   37.370881]  put_device+0x13/0x20
  [   37.371133]  put_disk+0x1b/0x30
  [   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
  [   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
  [   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
  [   37.372785]  ? do_syscall_64+0x63/0xb0
  [   37.373058]  __x64_sys_delete_module+0x12/0x20
  [   37.373421]  x64_sys_call+0x16cf/0x1fa0
  [   37.373720]  do_syscall_64+0x56/0xb0
  [   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
  [   37.374624]  ? do_syscall_64+0x63/0xb0
  [   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
  [   37.375180]  ? clear_bhb_loop+0x45/0xa0
  [   37.375469]  ? clear_bhb_loop+0x45/0xa0
  [   37.375741]  ? clear_bhb_loop+0x45/0xa0
  [   37.376013]  ? clear_bhb_loop+0x45/0xa0
  [   37.376292]  ? clear_bhb_loop+0x45/0xa0
  [   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
  [   37.376913] RIP: 0033:0x7f0a712ecaeb
  [   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48
  [   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
  [   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 00007f0a712ecaeb
  [   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615695dbe98
  [   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 0000000000000000
  [   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 00005615695dbe98
  [   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 00007ffc33b3df78
  [   37.381256]  </TASK>
  [   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
  [   37.385136] CR2: 0000000000000030
  [   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
  [   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
  [   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.388179] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
  [   37.388646] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
  [   37.389126] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
  [   37.389607] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
  [   37.390073] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  [   37.390620] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
  [   37.391005] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.391478] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
  [   37.391478] PKRU: 55555554

  This is simple to reproduce on a VM with a floppy disk attached. It only
  happens on the 5.15 kernel, because of changes to the kernel's internal
  block-layer structures.

  [Fix]

  This upstream commit fixes it:

  commit 2598a2bb357d64baaa94368133ddbc900b9eb246
  Author: Luis Chamberlain <mcg...@kernel.org>
  Date:   Mon Sep 27 15:02:50 2021 -0700

      floppy: fix add_disk() assumption on exit due to new developments

      After the patch titled "floppy: use blk_mq_alloc_disk and
      blk_cleanup_disk" the floppy driver was modified to allocate
      the blk_mq_alloc_disk() which allocates the disk with the
      queue. This is further clarified later with the patch titled
      "block: remove alloc_disk and alloc_disk_node". This clarifies
      that:

         Most drivers should use and have been converted to use
         blk_alloc_disk and blk_mq_alloc_disk.  Only the scsi
         ULPs and dasd still allocate a disk separately from the
         request_queue so don't bother with convenience macros for
         something that should not see significant new users and
         remove these wrappers.

      And then we have the patch titled, "block: hold a request_queue
      reference for the lifetime of struct gendisk" which ensures
      that a queue is *always* present for sure during the entire
      lifetime of a disk.

      In the floppy driver's case then the disk always comes with the
      queue. So even if the queue was cleaned up on exit, putting
      the disk *is* still required, and likewise, blk_cleanup_queue() on
      a null queue should not happen now as disk->queue is valid from
      disk allocation time on.

      Automatic backport code scrapers should hopefully not cherry pick
      this patch as a stable fix candidate without full due diligence to
      ensure all the work done on the block layer to make this happen is
      merged first.

      Signed-off-by: Luis Chamberlain <mcg...@kernel.org>
      Link: https://lore.kernel.org/r/20210927220302.1073499-3-mcg...@kernel.org
      Signed-off-by: Jens Axboe <ax...@kernel.dk>

  The floppy driver now uses blk_mq_alloc_disk(), which guarantees a
  valid queue for the disk's whole lifetime. With this change the queue
  no longer needs to be cleaned up conditionally on exit, while
  put_disk() is still required.

  [Testcase]

  Create a VM with a floppy disk attached, remove the floppy module with
  "modprobe -r floppy", and check whether the null pointer dereference
  appears in the kernel logs.
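  The log check in this test case can be scripted. The following is an
  added example, not part of the bug report or the kernel tree: it parses
  an oops in the format quoted above and flags a NULL-page read reached
  from a module's exit function. The sample text is a constructed,
  abbreviated excerpt of the oops above.

```python
import re
from dataclasses import dataclass, field
# Constructed excerpt, abbreviated from the oops quoted in this bug report.
SAMPLE_OOPS = """\
[   37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[   37.365276] Call Trace:
[   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
[   37.369792]  ? disk_release+0x31/0x80
[   37.370060]  device_release+0x38/0xa0
[   37.371133]  put_disk+0x1b/0x30
[   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
[   37.372140]  __do_sys_delete_module.constprop.0+0x184/0x290
"""

@dataclass
class Oops:
    fault_address: int      # faulting virtual address (also reported as CR2)
    comm: str               # task that triggered the fault
    kernel: str             # kernel release string
    tainted: bool
    rip_symbol: str         # symbol at RIP, without +offset/size
    frames: list = field(default_factory=list)      # reliable frames, innermost first
    unreliable: list = field(default_factory=list)  # '?' frames: stale stack words

FRAME_RE = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?$")
def parse_oops(text):
    """Parse a printk-timestamped x86-64 oops into an Oops record."""
    oops, in_trace = Oops(-1, "", "", False, ""), False
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*\d+\.\d+\]\s?", "", raw)  # strip the "[   37.35...] " prefix
        if m := re.search(r"NULL pointer dereference, address: ([0-9a-f]+)", line):
            oops.fault_address = int(m.group(1), 16)
        elif m := re.search(r"Comm: (\S+) (Not tainted|Tainted:.*?) (\d\S*)", line):
            oops.comm, oops.kernel, oops.tainted = m.group(1), m.group(3), m.group(2) != "Not tainted"
        elif m := re.search(r"RIP: \d{4}:([\w.]+)\+", line):
            oops.rip_symbol = m.group(1)
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            sym = m.group(2) + (f" [{m.group(3)}]" if m.group(3) else "")
            (oops.unreliable if m.group(1) else oops.frames).append(sym)
    return oops

def is_module_exit_null_deref(oops, module):
    """True for a NULL-page read reached from `module`'s exit function (e.g. modprobe -r)."""
    return 0 <= oops.fault_address < 4096 and any(
        f.endswith(f"_exit [{module}]") for f in oops.frames)
```

  Feeding the dmesg output captured after "modprobe -r floppy" to
  is_module_exit_null_deref(parse_oops(text), "floppy") gives a pass/fail
  signal for the test case without reading the whole trace by hand.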

  [Where problems can occur]

  If there is something wrong in this commit, removing the floppy module
  might cause issues, but it won't affect the whole system, and floppy is
  rarely used nowadays.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2104326/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp