** Also affects: linux (Ubuntu Jammy)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu)
Status: New => In Progress
** Changed in: linux (Ubuntu Jammy)
Status: New => In Progress
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => gerald.yang (gerald-yang-tw)
** Changed in: linux (Ubuntu Jammy)
Assignee: (unassigned) => gerald.yang (gerald-yang-tw)
** Changed in: linux (Ubuntu Jammy)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2104326
Title:
Remove floppy kernel module causes null pointer deference
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Jammy:
In Progress
Bug description:
BugLink: https://bugs.launchpad.net/bugs/2104326
[Impact]
Remove the floppy kernel module by "modprobe -r floppy" causes the
following:
[ 26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
10:58:56 [54/49654][ 26.615036] FDC 0 is a S82078B
[ 37.356072] BUG: kernel
NULL pointer dereference, address: 0000000000000030
[
37.356898] #PF: supervisor read access in kernel mode
[ 37.357306] #PF: error_code(0x0000) - not-present page
[ 37.357671] PGD 0 P4D 0
[ 37.357873] Oops: 0000 [#1] SMP NOPTI
[ 37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic
#146-Ubuntu
[ 37.358715] Hardware name: QEMU Standard PC (Q35 +
ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f
30 00 74 49 55 48 89 e5 41
54 49 89 fc 48 8d bf 60 05 00
[ 37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX:
0000000082000101
[ 37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI:
0000000000000000
[ 37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09:
0000000000000000
[ 37.362697] R10: 0000000000000001 R11: ffff000000000000 R12:
ffff95f9054525c0
[ 37.363169] R13: 0000000000000000 R14: 0000000000000000 R15:
0000000000000000
[ 37.363655] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000)
knlGS:0000000000000000
[ 37.364192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4:
0000000000750ee0
[ 37.365063] PKRU: 55555554
[ 37.365276] Call Trace:
[ 37.365474] <TASK>
[ 37.365649] ? show_trace_log_lvl+0x1d6/0x2ea
10:58:56 [30/49654]
[ 37.365961] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.366275] ? device_release+0x38/0xa0
[ 37.366555] ? show_regs.part.0+0x23/0x29
[ 37.366857] ? __die_body.cold+0x8/0xd
[ 37.367143] ? __die+0x2b/0x37
[ 37.367382] ? page_fault_oops+0x13b/0x170
[ 37.367682] ? do_user_addr_fault+0x313/0x640
[ 37.367991] ? fsnotify_destroy_marks+0x2a/0x150
[ 37.368322] ? __call_rcu+0xa8/0x270
[ 37.368592] ? exc_page_fault+0x77/0x170
[ 37.368882] ? asm_exc_page_fault+0x27/0x30
[ 37.369190] ? device_release+0x26/0xa0
[ 37.369471] ? blk_mq_cancel_work_sync+0x5/0x60
[ 37.369792] ? disk_release+0x31/0x80
[ 37.370060] device_release+0x38/0xa0
[ 37.370337] kobject_cleanup+0x3e/0x150
[ 37.370623] kobject_put+0x5b/0x80
[ 37.370881] put_device+0x13/0x20
[ 37.371133] put_disk+0x1b/0x30
[ 37.371379] floppy_module_exit+0x34b/0x105d [floppy]
[ 37.371740] __do_sys_delete_module.constprop.0+0x184/0x290
[ 37.372140] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.372492] ? x64_sys_call+0x1dba/0x1fa0
[ 37.372785] ? do_syscall_64+0x63/0xb0
[ 37.373058] __x64_sys_delete_module+0x12/0x20
[ 37.373421] x64_sys_call+0x16cf/0x1fa0
[ 37.373720] do_syscall_64+0x56/0xb0
[ 37.374001] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.374339] ? x64_sys_call+0x1a55/0x1fa0
[ 37.374624] ? do_syscall_64+0x63/0xb0
[ 37.374891] ? x64_sys_call+0x1de6/0x1fa0
[ 37.375180] ? clear_bhb_loop+0x45/0xa0
[ 37.375469] ? clear_bhb_loop+0x45/0xa0
[ 37.375741] ? clear_bhb_loop+0x45/0xa0
[ 37.376013] ? clear_bhb_loop+0x45/0xa0
[ 37.376292] ? clear_bhb_loop+0x45/0xa0
[ 37.376568] entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[ 37.376913] RIP: 0033:0x7f0a712ecaeb
[ 37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d
15 33 0f 00 f7 d8 64 89 01 48
[ 37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX:
00000000000000b0
[ 37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX:
00007f0a712ecaeb
[ 37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI:
00005615695dbe98
[ 37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09:
0000000000000000
[ 37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12:
00005615695dbe98
[ 37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15:
00007ffc33b3df78
[ 37.381256] </TASK>
[ 37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr
intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev
input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_c
odel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore
ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456
async_raid6_recov async_memcpy asyn
c_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3
aesni_intel i2c_i801 crypto_simd x
hci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci
virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
[ 37.385136] CR2: 0000000000000030
[ 37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
[ 37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f
30 00 74 49 55 48 89 e5 41
54 49 89 fc 48 8d bf 60 05 00
[ 37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX:
0000000082000101
[ 37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI:
0000000000000000
[ 37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09:
0000000000000000
[ 37.389126] R10: 0000000000000001 R11: ffff000000000000 R12:
ffff95f9054525c0
[ 37.389607] R13: 0000000000000000 R14: 0000000000000000 R15:
0000000000000000
[ 37.390073] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000)
knlGS:0000000000000000
[ 37.390620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4:
0000000000750ee0
[ 37.391478] PKRU: 55555554
This can be simply reproduced on a VM with a floppy disk added and
only happens on 5.15 kernel, because of the change of kernel internal
structure.
[Fix]
This upstream commit fixes it:
commit 2598a2bb357d64baaa94368133ddbc900b9eb246
Author: Luis Chamberlain <mcg...@kernel.org>
Date: Mon Sep 27 15:02:50 2021 -0700
floppy: fix add_disk() assumption on exit due to new developments
After the patch titled "floppy: use blk_mq_alloc_disk and
blk_cleanup_disk" the floppy driver was modified to allocate
the blk_mq_alloc_disk() which allocates the disk with the
queue. This is further clarified later with the patch titled
"block: remove alloc_disk and alloc_disk_node". This clarifies
that:
Most drivers should use and have been converted to use
blk_alloc_disk and blk_mq_alloc_disk. Only the scsi
ULPs and dasd still allocate a disk separately from the
request_queue so don't bother with convenience macros for
something that should not see significant new users and
remove these wrappers.
And then we have the patch titled, "block: hold a request_queue
reference for the lifetime of struct gendisk" which ensures
that a queue is *always* present for sure during the entire
lifetime of a disk.
In the floppy driver's case then the disk always comes with the
queue. So even if even if the queue was cleaned up on exit, putting
the disk *is* still required, and likewise, blk_cleanup_queue() on
a null queue should not happen now as disk->queue is valid from
disk allocation time on.
Automatic backport code scrapers should hopefully not cherry pick
this patch as a stable fix candidate without full due dilligence to
ensure all the work done on the block layer to make this happen is
merged first.
Signed-off-by: Luis Chamberlain <mcg...@kernel.org>
Link: https://lore.kernel.org/r/20210927220302.1073499-3-mcg...@kernel.org
Signed-off-by: Jens Axboe <ax...@kernel.dk>
The floppy driver now uses blk_mq_alloc_disk(), which guarantees a
valid queue for the disk's lifetime. This change removes the need to
conditionally clean up the queue and ensures put_disk() is still
required on exit.
[Testcase]
Create a VM and add a floppy disk to it, remove the floppy module by
"modprobe -r floppy" to check if the null pointer deference occurs in
the kernel logs.
[Where problems can occur]
If there is something wrong in this commit, removing floppy module might
cause issues,
but it won't affect the whole system, and also floppy is rarely used nowadays.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2104326/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
