** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2104326

[Impact]

Removing the floppy kernel module with "modprobe -r floppy" causes the following:

[ 26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
[ 26.615036] FDC 0 is a S82078B
[ 37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 37.356898] #PF: supervisor read access in kernel mode
[ 37.357306] #PF: error_code(0x0000) - not-present page
[ 37.357671] PGD 0 P4D 0
[ 37.357873] Oops: 0000 [#1] SMP NOPTI
[ 37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[ 37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.363655] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.364192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.365063] PKRU: 55555554
[ 37.365276] Call Trace:
[ 37.365474]  <TASK>
[ 37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.366275]  ? device_release+0x38/0xa0
[ 37.366555]  ? show_regs.part.0+0x23/0x29
[ 37.366857]  ? __die_body.cold+0x8/0xd
[ 37.367143]  ? __die+0x2b/0x37
[ 37.367382]  ? page_fault_oops+0x13b/0x170
[ 37.367682]  ? do_user_addr_fault+0x313/0x640
[ 37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
[ 37.368322]  ? __call_rcu+0xa8/0x270
[ 37.368592]  ? exc_page_fault+0x77/0x170
[ 37.368882]  ? asm_exc_page_fault+0x27/0x30
[ 37.369190]  ? device_release+0x26/0xa0
[ 37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
[ 37.369792]  ? disk_release+0x31/0x80
[ 37.370060]  device_release+0x38/0xa0
[ 37.370337]  kobject_cleanup+0x3e/0x150
[ 37.370623]  kobject_put+0x5b/0x80
[ 37.370881]  put_device+0x13/0x20
[ 37.371133]  put_disk+0x1b/0x30
[ 37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
[ 37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
[ 37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.372492]  ? x64_sys_call+0x1dba/0x1fa0
[ 37.372785]  ? do_syscall_64+0x63/0xb0
[ 37.373058]  __x64_sys_delete_module+0x12/0x20
[ 37.373421]  x64_sys_call+0x16cf/0x1fa0
[ 37.373720]  do_syscall_64+0x56/0xb0
[ 37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.374339]  ? x64_sys_call+0x1a55/0x1fa0
[ 37.374624]  ? do_syscall_64+0x63/0xb0
[ 37.374891]  ? x64_sys_call+0x1de6/0x1fa0
[ 37.375180]  ? clear_bhb_loop+0x45/0xa0
[ 37.375469]  ? clear_bhb_loop+0x45/0xa0
[ 37.375741]  ? clear_bhb_loop+0x45/0xa0
[ 37.376013]  ? clear_bhb_loop+0x45/0xa0
[ 37.376292]  ? clear_bhb_loop+0x45/0xa0
[ 37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[ 37.376913] RIP: 0033:0x7f0a712ecaeb
[ 37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48
[ 37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 00007f0a712ecaeb
[ 37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615695dbe98
[ 37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 0000000000000000
[ 37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 00005615695dbe98
[ 37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 00007ffc33b3df78
[ 37.381256]  </TASK>
[ 37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
[ 37.385136] CR2: 0000000000000030
[ 37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
[ 37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.390073] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.390620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.391478] PKRU: 55555554

This can be simply reproduced on a VM with a floppy disk added and only
- happens on 5.15 kernel, because of the change of kernel internal
+ happens on 5.15 kernel, because of some changes in kernel internal
structure.

[Fix]

This upstream commit fixes it:
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246

commit 2598a2bb357d64baaa94368133ddbc900b9eb246
Author: Luis Chamberlain <mcg...@kernel.org>
Date:   Mon Sep 27 15:02:50 2021 -0700

    floppy: fix add_disk() assumption on exit due to new developments

    The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
    queue for the disk's lifetime. This change removes the need to
    conditionally clean up the queue and ensures put_disk() is still required
    on exit.

[Test Plan]

Create a VM and add a floppy disk to it, then remove the floppy module with "modprobe -r floppy" and check whether the null pointer dereference appears in the kernel logs.

[Where problems could occur]

If there is something wrong in this commit, removing the floppy module might cause issues, but it won't affect the whole system, and floppy is rarely used nowadays.
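As an added triage helper, not part of the bug report or of the kernel tree: a Python parser for an x86-64 oops like the one above. It reads the fault address, the faulting symbol and the first register dump (RDI is the callee's first argument under the x86-64 SysV ABI), separates reliable call-trace frames from the "?" entries the unwinder could not verify, and picks out the module marked "(-)" as being unloaded; the sample input is a constructed subset of the oops lines quoted above, and the page size is an assumption.

```python
import re

# Constructed sample: a subset of the oops lines quoted in this bug report.
SAMPLE_OOPS = """\
[ 37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[ 37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.365474] <TASK>
[ 37.369471] ? blk_mq_cancel_work_sync+0x5/0x60
[ 37.369792] ? disk_release+0x31/0x80
[ 37.370060] device_release+0x38/0xa0
[ 37.371133] put_disk+0x1b/0x30
[ 37.371379] floppy_module_exit+0x34b/0x105d [floppy]
[ 37.381256] </TASK>
[ 37.381438] Modules linked in: floppy(-) isofs kvm_intel kvm
"""
TS = re.compile(r"^\[\s*[\d.]+\]\s*")  # dmesg timestamp prefix
FRAME = re.compile(r"^(\? )?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\S+)\])?$")
PAGE_SIZE = 4096  # x86-64 default page size (assumption for the near-NULL test)

def parse_oops(text):
    """Return fault address, faulting symbol, first register dump, trace frames and unloading module."""
    info = {"regs": {}, "reliable": [], "unreliable": [], "unloading": []}
    trace = None  # None = before <TASK>, True = inside the trace, False = after it
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.search(r"NULL pointer dereference, address: ([0-9a-f]+)", line):
            info["fault_addr"] = int(m.group(1), 16)
        elif m := re.match(r"CPU: .*? (\d+\.\d+\.\S+) #", line):
            info["kernel"] = m.group(1)
        elif m := re.match(r"RIP: \d{4}:(\S+)\+0x", line):
            info["rip_symbol"] = m.group(1)
        elif line.startswith("Modules linked in:"):
            mods = line.split(":", 1)[1].split()
            info["unloading"] = [x[:-3] for x in mods if x.endswith("(-)")]  # "(-)" = being removed
        elif line in ("<TASK>", "</TASK>"):
            trace = line == "<TASK>"
        elif trace and (m := FRAME.match(line)):
            # "?" frames are stack values the unwinder could not confirm as real return addresses
            info["unreliable" if m.group(1) else "reliable"].append(m.group(2))
        elif trace is None:  # kernel register dump; later dumps are user-space regs or the repeat
            for reg, val in re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b", line):
                info["regs"][reg] = int(val, 16)
    # A fault address below one page is a field offset from a NULL struct pointer;
    # RDI holds the callee's first argument under the x86-64 SysV ABI.
    info["null_plus_offset"] = info.get("fault_addr", PAGE_SIZE) < PAGE_SIZE
    info["first_arg_null"] = info["regs"].get("RDI") == 0
    return info
```

On the sample this reports a read at offset 0x30 from a NULL first argument inside blk_mq_cancel_work_sync, reached through put_disk from floppy_module_exit while floppy was being unloaded, which is the shape of the bug the [Fix] section describes.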
--
Title: Remove floppy kernel module causes null pointer deference
Status in linux package in Ubuntu: In Progress
Status in linux source package in Jammy: In Progress