** Description changed:

  BugLink: https://bugs.launchpad.net/bugs/2104326
  
  [Impact]
  
  Remove the floppy kernel module by "modprobe -r floppy" causes the
  following:
  
  [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS                         
                                                                                
       10:58:56 [54/49654][   26.615036] FDC 0 is a S82078B                     
                                                                                
                                                  [   37.356072] BUG: kernel 
NULL pointer dereference, address: 0000000000000030                             
                                                                             [  
 37.356898] #PF: supervisor read access in kernel mode
  [   37.357306] #PF: error_code(0x0000) - not-present page
  [   37.357671] PGD 0 P4D 0
  [   37.357873] Oops: 0000 [#1] SMP NOPTI
  [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic 
#146-Ubuntu                                                                     
                          [   37.358715] Hardware name: QEMU Standard PC (Q35 + 
ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
  [   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.365063] PKRU: 55555554
  [   37.365276] Call Trace:
  [   37.365474]  <TASK>
  [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea                              
                                                                                
       10:58:56 [30/49654]
  [   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.366275]  ? device_release+0x38/0xa0
  [   37.366555]  ? show_regs.part.0+0x23/0x29
  [   37.366857]  ? __die_body.cold+0x8/0xd
  [   37.367143]  ? __die+0x2b/0x37
  [   37.367382]  ? page_fault_oops+0x13b/0x170
  [   37.367682]  ? do_user_addr_fault+0x313/0x640
  [   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
  [   37.368322]  ? __call_rcu+0xa8/0x270
  [   37.368592]  ? exc_page_fault+0x77/0x170
  [   37.368882]  ? asm_exc_page_fault+0x27/0x30
  [   37.369190]  ? device_release+0x26/0xa0
  [   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
  [   37.369792]  ? disk_release+0x31/0x80
  [   37.370060]  device_release+0x38/0xa0
  [   37.370337]  kobject_cleanup+0x3e/0x150
  [   37.370623]  kobject_put+0x5b/0x80
  [   37.370881]  put_device+0x13/0x20
  [   37.371133]  put_disk+0x1b/0x30
  [   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
  [   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
  [   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
  [   37.372785]  ? do_syscall_64+0x63/0xb0
  [   37.373058]  __x64_sys_delete_module+0x12/0x20
  [   37.373421]  x64_sys_call+0x16cf/0x1fa0
  [   37.373720]  do_syscall_64+0x56/0xb0
  [   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
  [   37.374624]  ? do_syscall_64+0x63/0xb0
  [   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
  [   37.375180]  ? clear_bhb_loop+0x45/0xa0
  [   37.375469]  ? clear_bhb_loop+0x45/0xa0
  [   37.375741]  ? clear_bhb_loop+0x45/0xa0
  [   37.376013]  ? clear_bhb_loop+0x45/0xa0
  [   37.376292]  ? clear_bhb_loop+0x45/0xa0
  [   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
  [   37.376913] RIP: 0033:0x7f0a712ecaeb
  [   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff 
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 
f0 ff ff 73 01 c3 48 8b 0d
   15 33 0f 00 f7 d8 64 89 01 48
  [   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 
00000000000000b0
  [   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 
00007f0a712ecaeb
  [   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 
00005615695dbe98
  [   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 
0000000000000000
  [   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 
00005615695dbe98
  [   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 
00007ffc33b3df78
  [   37.381256]  </TASK>
  [   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr 
intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev 
input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_c
  odel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore 
ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 
async_raid6_recov async_memcpy asyn
  c_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 
aesni_intel i2c_i801 crypto_simd x
  hci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci 
virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
  [   37.385136] CR2: 0000000000000030
  [   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
  [   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.390073] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.390620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.391478] PKRU: 55555554
  
  This can be simply reproduced on a VM with a floppy disk added and only
  happens on 5.15 kernel, because of the change of kernel internal
  structure.
  
  [Fix]
  
  This upstream commit fixes it:
+ 
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246
  
  commit 2598a2bb357d64baaa94368133ddbc900b9eb246
  Author: Luis Chamberlain <mcg...@kernel.org>
  Date:   Mon Sep 27 15:02:50 2021 -0700
- 
-     floppy: fix add_disk() assumption on exit due to new developments
- 
-     After the patch titled "floppy: use blk_mq_alloc_disk and
-     blk_cleanup_disk" the floppy driver was modified to allocate
-     the blk_mq_alloc_disk() which allocates the disk with the
-     queue. This is further clarified later with the patch titled
-     "block: remove alloc_disk and alloc_disk_node". This clarifies
-     that:
- 
-        Most drivers should use and have been converted to use
-        blk_alloc_disk and blk_mq_alloc_disk.  Only the scsi
-        ULPs and dasd still allocate a disk separately from the
-        request_queue so don't bother with convenience macros for
-        something that should not see significant new users and
-        remove these wrappers.
- 
-     And then we have the patch titled, "block: hold a request_queue
-     reference for the lifetime of struct gendisk" which ensures
-     that a queue is *always* present for sure during the entire
-     lifetime of a disk.
- 
-     In the floppy driver's case then the disk always comes with the
-     queue. So even if even if the queue was cleaned up on exit, putting
-     the disk *is* still required, and likewise, blk_cleanup_queue() on
-     a null queue should not happen now as disk->queue is valid from
-     disk allocation time on.
- 
-     Automatic backport code scrapers should hopefully not cherry pick
-     this patch as a stable fix candidate without full due dilligence to
-     ensure all the work done on the block layer to make this happen is
-     merged first.
- 
-     Signed-off-by: Luis Chamberlain <mcg...@kernel.org>
-     Link: https://lore.kernel.org/r/20210927220302.1073499-3-mcg...@kernel.org
-     Signed-off-by: Jens Axboe <ax...@kernel.dk>
+ floppy: fix add_disk() assumption on exit due to new developments
  
  The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
  queue for the disk's lifetime. This change removes the need to
  conditionally clean up the queue and ensures put_disk() is still
  required on exit.
  
  [Testcase]
  
  Create a VM and add a floppy disk to it, remove the floppy module by
  "modprobe -r floppy" to check if the null pointer deference occurs in
  the kernel logs.
  
  [Where problems can occur]
  
  If there is something wrong in this commit, removing floppy module might 
cause issues,
  but it won't affect the whole system, and also floppy is rarely used nowadays.
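
Review bot: the `-` lines drop the upstream commit body, and with it the one paragraph an SRU reviewer most needs, "Automatic backport code scrapers should hopefully not cherry pick this patch as a stable fix candidate without full due dilligence to ensure all the work done on the block layer to make this happen is merged first." The retained summary ("The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid queue for the disk's lifetime") should state explicitly that 5.15.0-135-generic already carries those block-layer prerequisites, and the oops itself is the evidence: put_disk() -> disk_release() calls blk_mq_cancel_work_sync() with RDI = 0, the faulting bytes <48> 83 7f 30 00 are cmpq $0x0,0x30(%rdi), and CR2 = 0x30, so disk->queue was NULL at release time, which is exactly the assumption the commit says no longer holds. The summary's last clause, "ensures put_disk() is still required on exit", also reads as if the change makes put_disk() necessary; suggest "put_disk() is still called on exit, and the queue reference it drops is now always valid".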

** Description changed:

  BugLink: https://bugs.launchpad.net/bugs/2104326
  
  [Impact]
  
  Remove the floppy kernel module by "modprobe -r floppy" causes the
  following:
  
- [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS                         
                                                                                
       10:58:56 [54/49654][   26.615036] FDC 0 is a S82078B                     
                                                                                
                                                  [   37.356072] BUG: kernel 
NULL pointer dereference, address: 0000000000000030                             
                                                                             [  
 37.356898] #PF: supervisor read access in kernel mode
+ [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS                         
                                                                                
       [   26.615036] FDC 0 is a S82078B                                        
                                                                                
                               [   37.356072] BUG: kernel NULL pointer 
dereference, address: 0000000000000030                                          
                                                                [   37.356898] 
#PF: supervisor read access in kernel mode
  [   37.357306] #PF: error_code(0x0000) - not-present page
  [   37.357671] PGD 0 P4D 0
  [   37.357873] Oops: 0000 [#1] SMP NOPTI
  [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic 
#146-Ubuntu                                                                     
                          [   37.358715] Hardware name: QEMU Standard PC (Q35 + 
ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
  [   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.365063] PKRU: 55555554
  [   37.365276] Call Trace:
  [   37.365474]  <TASK>
  [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea                              
                                                                                
       10:58:56 [30/49654]
  [   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.366275]  ? device_release+0x38/0xa0
  [   37.366555]  ? show_regs.part.0+0x23/0x29
  [   37.366857]  ? __die_body.cold+0x8/0xd
  [   37.367143]  ? __die+0x2b/0x37
  [   37.367382]  ? page_fault_oops+0x13b/0x170
  [   37.367682]  ? do_user_addr_fault+0x313/0x640
  [   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
  [   37.368322]  ? __call_rcu+0xa8/0x270
  [   37.368592]  ? exc_page_fault+0x77/0x170
  [   37.368882]  ? asm_exc_page_fault+0x27/0x30
  [   37.369190]  ? device_release+0x26/0xa0
  [   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
  [   37.369792]  ? disk_release+0x31/0x80
  [   37.370060]  device_release+0x38/0xa0
  [   37.370337]  kobject_cleanup+0x3e/0x150
  [   37.370623]  kobject_put+0x5b/0x80
  [   37.370881]  put_device+0x13/0x20
  [   37.371133]  put_disk+0x1b/0x30
  [   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
  [   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
  [   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
  [   37.372785]  ? do_syscall_64+0x63/0xb0
  [   37.373058]  __x64_sys_delete_module+0x12/0x20
  [   37.373421]  x64_sys_call+0x16cf/0x1fa0
  [   37.373720]  do_syscall_64+0x56/0xb0
  [   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
  [   37.374624]  ? do_syscall_64+0x63/0xb0
  [   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
  [   37.375180]  ? clear_bhb_loop+0x45/0xa0
  [   37.375469]  ? clear_bhb_loop+0x45/0xa0
  [   37.375741]  ? clear_bhb_loop+0x45/0xa0
  [   37.376013]  ? clear_bhb_loop+0x45/0xa0
  [   37.376292]  ? clear_bhb_loop+0x45/0xa0
  [   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
  [   37.376913] RIP: 0033:0x7f0a712ecaeb
  [   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff 
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 
f0 ff ff 73 01 c3 48 8b 0d
   15 33 0f 00 f7 d8 64 89 01 48
  [   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 
00000000000000b0
  [   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 
00007f0a712ecaeb
  [   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 
00005615695dbe98
  [   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 
0000000000000000
  [   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 
00005615695dbe98
  [   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 
00007ffc33b3df78
  [   37.381256]  </TASK>
  [   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr 
intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev 
input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_c
  odel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore 
ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 
async_raid6_recov async_memcpy asyn
  c_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 
aesni_intel i2c_i801 crypto_simd x
  hci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci 
virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
  [   37.385136] CR2: 0000000000000030
  [   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
  [   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.390073] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.390620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.391478] PKRU: 55555554
  
  This can be simply reproduced on a VM with a floppy disk added and only
  happens on 5.15 kernel, because of the change of kernel internal
  structure.
  
  [Fix]
  
  This upstream commit fixes it:
  
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246
  
  commit 2598a2bb357d64baaa94368133ddbc900b9eb246
  Author: Luis Chamberlain <mcg...@kernel.org>
  Date:   Mon Sep 27 15:02:50 2021 -0700
  floppy: fix add_disk() assumption on exit due to new developments
  
  The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
  queue for the disk's lifetime. This change removes the need to
  conditionally clean up the queue and ensures put_disk() is still
  required on exit.
  
  [Testcase]
  
  Create a VM and add a floppy disk to it, remove the floppy module by
  "modprobe -r floppy" to check if the null pointer deference occurs in
  the kernel logs.
  
  [Where problems can occur]
  
  If there is something wrong in this commit, removing floppy module might 
cause issues,
  but it won't affect the whole system, and also floppy is rarely used nowadays.
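
Review bot: the `+` lines remove the first terminal status fragment ("10:58:56 [54/49654]") but keep the column padding that fuses "FDC 0 is a S82078B" with the "BUG: kernel NULL pointer dereference" line, and the second fragment ("10:58:56 [30/49654]", after the first show_trace_log_lvl frame) is still present in the unchanged context further down. Suggest re-pasting the oops from `dmesg` or `journalctl -k` instead of a terminal scrollback, so every message is one line and the padding disappears in one go.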

** Description changed:

  BugLink: https://bugs.launchpad.net/bugs/2104326
  
  [Impact]
  
  Remove the floppy kernel module by "modprobe -r floppy" causes the
  following:
  
  [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS                         
                                                                                
       [   26.615036] FDC 0 is a S82078B                                        
                                                                                
                               [   37.356072] BUG: kernel NULL pointer 
dereference, address: 0000000000000030                                          
                                                                [   37.356898] 
#PF: supervisor read access in kernel mode
  [   37.357306] #PF: error_code(0x0000) - not-present page
  [   37.357671] PGD 0 P4D 0
  [   37.357873] Oops: 0000 [#1] SMP NOPTI
  [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic 
#146-Ubuntu                                                                     
                          [   37.358715] Hardware name: QEMU Standard PC (Q35 + 
ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
  [   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.365063] PKRU: 55555554
  [   37.365276] Call Trace:
  [   37.365474]  <TASK>
- [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea                              
                                                                                
       10:58:56 [30/49654]
+ [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea                              
                                                                                
       
  [   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.366275]  ? device_release+0x38/0xa0
  [   37.366555]  ? show_regs.part.0+0x23/0x29
  [   37.366857]  ? __die_body.cold+0x8/0xd
  [   37.367143]  ? __die+0x2b/0x37
  [   37.367382]  ? page_fault_oops+0x13b/0x170
  [   37.367682]  ? do_user_addr_fault+0x313/0x640
  [   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
  [   37.368322]  ? __call_rcu+0xa8/0x270
  [   37.368592]  ? exc_page_fault+0x77/0x170
  [   37.368882]  ? asm_exc_page_fault+0x27/0x30
  [   37.369190]  ? device_release+0x26/0xa0
  [   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
  [   37.369792]  ? disk_release+0x31/0x80
  [   37.370060]  device_release+0x38/0xa0
  [   37.370337]  kobject_cleanup+0x3e/0x150
  [   37.370623]  kobject_put+0x5b/0x80
  [   37.370881]  put_device+0x13/0x20
  [   37.371133]  put_disk+0x1b/0x30
  [   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
  [   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
  [   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
  [   37.372785]  ? do_syscall_64+0x63/0xb0
  [   37.373058]  __x64_sys_delete_module+0x12/0x20
  [   37.373421]  x64_sys_call+0x16cf/0x1fa0
  [   37.373720]  do_syscall_64+0x56/0xb0
  [   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
  [   37.374624]  ? do_syscall_64+0x63/0xb0
  [   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
  [   37.375180]  ? clear_bhb_loop+0x45/0xa0
  [   37.375469]  ? clear_bhb_loop+0x45/0xa0
  [   37.375741]  ? clear_bhb_loop+0x45/0xa0
  [   37.376013]  ? clear_bhb_loop+0x45/0xa0
  [   37.376292]  ? clear_bhb_loop+0x45/0xa0
  [   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
  [   37.376913] RIP: 0033:0x7f0a712ecaeb
  [   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff 
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 
f0 ff ff 73 01 c3 48 8b 0d
   15 33 0f 00 f7 d8 64 89 01 48
  [   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 
00000000000000b0
  [   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 
00007f0a712ecaeb
  [   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 
00005615695dbe98
  [   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 
0000000000000000
  [   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 
00005615695dbe98
  [   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 
00007ffc33b3df78
  [   37.381256]  </TASK>
  [   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr 
intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev 
input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_c
  odel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore 
ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 
async_raid6_recov async_memcpy asyn
  c_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 
aesni_intel i2c_i801 crypto_simd x
  hci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci 
virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
  [   37.385136] CR2: 0000000000000030
  [   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
  [   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.390073] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.390620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.391478] PKRU: 55555554
  
  This can be simply reproduced on a VM with a floppy disk added and only
  happens on 5.15 kernel, because of the change of kernel internal
  structure.
  
  [Fix]
  
  This upstream commit fixes it:
  
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246
  
  commit 2598a2bb357d64baaa94368133ddbc900b9eb246
  Author: Luis Chamberlain <mcg...@kernel.org>
  Date:   Mon Sep 27 15:02:50 2021 -0700
  floppy: fix add_disk() assumption on exit due to new developments
  
  The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
  queue for the disk's lifetime. This change removes the need to
  conditionally clean up the queue and ensures put_disk() is still
  required on exit.
  
  [Testcase]
  
  Create a VM and add a floppy disk to it, remove the floppy module by
  "modprobe -r floppy" to check if the null pointer deference occurs in
  the kernel logs.
  
  [Where problems can occur]
  
  If there is something wrong in this commit, removing floppy module might 
cause issues,
  but it won't affect the whole system, and also floppy is rarely used nowadays.
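
The [Testcase] section above describes the check as a manual procedure: attach a floppy drive to a VM, run "modprobe -r floppy", and look for the NULL pointer dereference in the kernel log. The script below is an added example, not part of the bug report or of the kernel tree, that turns that procedure into something an SRU verifier can run unattended: a parser that recognises this specific oops signature (a "BUG: kernel NULL pointer dereference" whose call trace passes through floppy_module_exit in [floppy]) in kernel log text, a self-check of that parser against a trimmed excerpt of the trace quoted in this bug plus a constructed clean log, and a live mode that performs the load/unload on the VM and inspects dmesg after a marker. It assumes kmod's modprobe and lsmod, util-linux dmesg, the floppy driver built as a module (as on Ubuntu's 5.15 generic kernel), and a root shell on the test VM; the function names and the /dev/kmsg marker are this example's own choices.

```shell
#!/bin/sh
# Added example for LP: #2104326; not code from the bug report or the kernel
# tree.  Assumes kmod (modprobe, lsmod), util-linux dmesg, floppy built as a
# module, and root on the test VM.  Function names and the /dev/kmsg marker
# are this example's own choices.

# floppy_oops_in_log: read kernel log text on stdin and return 0 if it holds
# an oops attributable to floppy module exit, 1 otherwise.  The signature is
# the "BUG: kernel NULL pointer dereference" line followed, before the matching
# "end trace" line, by a floppy_module_exit frame from the [floppy] module.
floppy_oops_in_log() {
    awk '
        /BUG: kernel NULL pointer dereference/             { in_oops = 1 }
        in_oops && /floppy_module_exit[+]/ && /\[floppy\]/ { found = 1 }
        /---\[ end trace /                                 { in_oops = 0 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample input: a trimmed excerpt of the trace quoted in the bug
# description (kernel 5.15.0-135-generic), one message per line as dmesg
# prints it.
sample_oops_log() {
    cat <<'EOF'
[   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
[   26.615036] FDC 0 is a S82078B
[   37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[   37.356898] #PF: supervisor read access in kernel mode
[   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[   37.365276] Call Trace:
[   37.365474]  <TASK>
[   37.369792]  ? disk_release+0x31/0x80
[   37.370060]  device_release+0x38/0xa0
[   37.371133]  put_disk+0x1b/0x30
[   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
[   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
[   37.381256]  </TASK>
[   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
EOF
}

# Constructed sample of a clean unload on a fixed kernel: probe messages only.
sample_clean_log() {
    cat <<'EOF'
[   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
[   26.615036] FDC 0 is a S82078B
EOF
}

# Offline check of the parser against both samples; returns 0 when it behaves.
selfcheck() {
    sample_oops_log | floppy_oops_in_log || { echo "selfcheck: oops sample missed" >&2; return 1; }
    if sample_clean_log | floppy_oops_in_log; then
        echo "selfcheck: clean sample misdetected" >&2
        return 1
    fi
    echo "selfcheck: parser OK"
}

# The [Testcase] steps for real.  Returns 0 if the unload was clean (fixed
# kernel), 2 if the oops reproduced, 3 if this host cannot run the test.
# An oops kills the task that hit it, so modprobe's exit status alone is not a
# reliable verdict; the kernel log is what gets checked.
reproduce_floppy_unload() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root on a VM with a floppy drive" >&2; return 3; }
    modprobe floppy || { echo "cannot load the floppy module" >&2; return 3; }
    sleep 1    # let the driver finish probing the controller ("FDC 0 is a ...")
    lsmod | grep -q '^floppy ' || { echo "floppy did not stay loaded" >&2; return 3; }

    # Write a marker so only messages from this unload are examined; fall back
    # to the whole log if /dev/kmsg is not writable.
    marker="floppy-unload-test-$$"
    echo "$marker" > /dev/kmsg 2>/dev/null || marker=""
    modprobe -r floppy
    rc=$?
    if dmesg | awk -v m="$marker" 'm == "" || f { print; next } index($0, m) { f = 1 }' \
            | floppy_oops_in_log; then
        echo "FAIL: NULL pointer dereference on floppy unload reproduced (see dmesg)" >&2
        return 2
    fi
    echo "PASS: floppy unloaded cleanly (modprobe -r exit status $rc)"
}

case "${1:-}" in
    --live) reproduce_floppy_unload ;;
    *)      selfcheck ;;
esac
```

Run it with no arguments to exercise the parser offline, or as root on the floppy-equipped VM with `--live`: exit status 2 means the bug reproduced, 0 means the unload was clean, 3 means the host could not run the test. delete_module(2) requires CAP_SYS_MODULE, so this oops can only be triggered by a root-equivalent process; the script is for verifying the SRU, not for assessing exposure.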

** Description changed:

  BugLink: https://bugs.launchpad.net/bugs/2104326
  
  [Impact]
  
  Remove the floppy kernel module by "modprobe -r floppy" causes the
  following:
  
  [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS                         
                                                                                
       [   26.615036] FDC 0 is a S82078B                                        
                                                                                
                               [   37.356072] BUG: kernel NULL pointer 
dereference, address: 0000000000000030                                          
                                                                [   37.356898] 
#PF: supervisor read access in kernel mode
  [   37.357306] #PF: error_code(0x0000) - not-present page
  [   37.357671] PGD 0 P4D 0
  [   37.357873] Oops: 0000 [#1] SMP NOPTI
- [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic 
#146-Ubuntu                                                                     
                          [   37.358715] Hardware name: QEMU Standard PC (Q35 + 
ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic 
#146-Ubuntu                                                                     
                          
+ [   37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
1.16.3-debian-1.16.3-2 04/01/2014
  [   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.365063] PKRU: 55555554
  [   37.365276] Call Trace:
  [   37.365474]  <TASK>
- [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea                              
                                                                                
       
+ [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.366275]  ? device_release+0x38/0xa0
  [   37.366555]  ? show_regs.part.0+0x23/0x29
  [   37.366857]  ? __die_body.cold+0x8/0xd
  [   37.367143]  ? __die+0x2b/0x37
  [   37.367382]  ? page_fault_oops+0x13b/0x170
  [   37.367682]  ? do_user_addr_fault+0x313/0x640
  [   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
  [   37.368322]  ? __call_rcu+0xa8/0x270
  [   37.368592]  ? exc_page_fault+0x77/0x170
  [   37.368882]  ? asm_exc_page_fault+0x27/0x30
  [   37.369190]  ? device_release+0x26/0xa0
  [   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
  [   37.369792]  ? disk_release+0x31/0x80
  [   37.370060]  device_release+0x38/0xa0
  [   37.370337]  kobject_cleanup+0x3e/0x150
  [   37.370623]  kobject_put+0x5b/0x80
  [   37.370881]  put_device+0x13/0x20
  [   37.371133]  put_disk+0x1b/0x30
  [   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
  [   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
  [   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
  [   37.372785]  ? do_syscall_64+0x63/0xb0
  [   37.373058]  __x64_sys_delete_module+0x12/0x20
  [   37.373421]  x64_sys_call+0x16cf/0x1fa0
  [   37.373720]  do_syscall_64+0x56/0xb0
  [   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
  [   37.374624]  ? do_syscall_64+0x63/0xb0
  [   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
  [   37.375180]  ? clear_bhb_loop+0x45/0xa0
  [   37.375469]  ? clear_bhb_loop+0x45/0xa0
  [   37.375741]  ? clear_bhb_loop+0x45/0xa0
  [   37.376013]  ? clear_bhb_loop+0x45/0xa0
  [   37.376292]  ? clear_bhb_loop+0x45/0xa0
  [   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
  [   37.376913] RIP: 0033:0x7f0a712ecaeb
  [   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48
  [   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
  [   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 00007f0a712ecaeb
  [   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615695dbe98
  [   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 0000000000000000
  [   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 00005615695dbe98
  [   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 00007ffc33b3df78
  [   37.381256]  </TASK>
  [   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
  [   37.385136] CR2: 0000000000000030
  [   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
  [   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
  [   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
  [   37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
  [   37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
  [   37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
  [   37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  [   37.390073] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
  [   37.390620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
  [   37.391478] PKRU: 55555554
  
  This can be reproduced simply on a VM with a floppy disk added, and it
  only happens on the 5.15 kernel, because of the change in the kernel's
  internal structures.
  
  [Fix]
  
  This upstream commit fixes it:
  
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246
  
  commit 2598a2bb357d64baaa94368133ddbc900b9eb246
  Author: Luis Chamberlain <mcg...@kernel.org>
  Date:   Mon Sep 27 15:02:50 2021 -0700
  floppy: fix add_disk() assumption on exit due to new developments
  
  The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
  queue for the disk's lifetime. This change removes the need to
  conditionally clean up the queue and ensures put_disk() is still
  required on exit.
  
  [Testcase]
  
  Create a VM and add a floppy disk to it, then remove the floppy module
  with "modprobe -r floppy" and check whether the NULL pointer dereference
  appears in the kernel logs.
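  The following script is an added example for running that test case; it is
  not part of the bug report or of the kernel tree, and the function names
  (floppy_oops_in_log, run_floppy_unload_test) are the example's own. It wraps
  the load/unload sequence and then checks the kernel log emitted during the
  unload for the two markers that identify this oops: the "BUG: kernel NULL
  pointer dereference" line and the floppy_module_exit frame. Requiring both
  keeps an unrelated oops elsewhere in the log from being counted as a
  reproduction. The sample log text is constructed from the trace quoted in
  [Impact] so the check itself can be exercised without a VM.

```shell
#!/bin/sh
# Added example for LP: #2104326, not from the bug report or the kernel tree.
# run_floppy_unload_test must run as root inside a VM that has a floppy
# drive attached; floppy_oops_in_log can be exercised anywhere.

# Constructed sample: lines copied from the oops in [Impact], as an affected
# 5.15 kernel logs them after "modprobe -r floppy".
SAMPLE_BAD_LOG='[   37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[   37.371133]  put_disk+0x1b/0x30
[   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]'

# Constructed sample: what a fixed kernel logs (the probe lines only, no oops).
SAMPLE_GOOD_LOG='[   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
[   26.615036] FDC 0 is a S82078B'

# floppy_oops_in_log LOGTEXT
# Returns 0 when LOGTEXT carries this bug's signature, 1 otherwise.
# Both markers are required: the BUG line shows an oops happened, the
# floppy_module_exit frame ties it to the module unload path.
floppy_oops_in_log() {
    printf '%s\n' "$1" | grep -q 'BUG: kernel NULL pointer dereference' || return 1
    printf '%s\n' "$1" | grep -q 'floppy_module_exit+' || return 1
    return 0
}

# run_floppy_unload_test
# The live procedure from [Testcase]: load the module, unload it, and inspect
# only the kernel messages produced by the unload. Returns 0 on a clean unload,
# 1 if the oops signature appears, 2 if the module could not be loaded.
# Snapshotting the dmesg line count is a simplification; it assumes the ring
# buffer does not wrap between the two reads.
run_floppy_unload_test() {
    modprobe floppy || { echo "cannot load floppy module" >&2; return 2; }
    before=$(dmesg | wc -l)
    # On an affected kernel the modprobe process itself is killed by the oops,
    # so its exit status is not informative; the log is.
    modprobe -r floppy
    log=$(dmesg | tail -n +"$((before + 1))")
    if floppy_oops_in_log "$log"; then
        echo "FAIL: NULL pointer dereference in floppy_module_exit"
        return 1
    fi
    echo "PASS: floppy module unloaded cleanly"
    return 0
}
```

  Usage on the VM: source the script and call run_floppy_unload_test as root
  before and after installing the fixed kernel; the first run should report
  FAIL, the second PASS.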
  
  [Where problems can occur]
  
  If there is something wrong in this commit, removing the floppy module
  might cause issues, but it won't affect the whole system, and floppy is
  rarely used nowadays.

** Description changed:

  BugLink: https://bugs.launchpad.net/bugs/2104326
  
  [Impact]
  
  Remove the floppy kernel module by "modprobe -r floppy" causes the
  following:
  
- [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS                         
                                                                                
       [   26.615036] FDC 0 is a S82078B                                        
                                                                                
                               [   37.356072] BUG: kernel NULL pointer 
dereference, address: 0000000000000030                                          
                                                                [   37.356898] 
#PF: supervisor read access in kernel mode
+ [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS                         
                                                                                
       
+ [   26.615036] FDC 0 is a S82078B                                             
                                                                                
                          
+ [   37.356072] BUG: kernel NULL pointer dereference, address: 
0000000000000030                                                                
                                          [   37.356898] #PF: supervisor read 
access in kernel mode
  [   37.357306] #PF: error_code(0x0000) - not-present page
  [   37.357671] PGD 0 P4D 0
  [   37.357873] Oops: 0000 [#1] SMP NOPTI
- [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic 
#146-Ubuntu                                                                     
                          
+ [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic 
#146-Ubuntu
  [   37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
1.16.3-debian-1.16.3-2 04/01/2014
  [   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.365063] PKRU: 55555554
  [   37.365276] Call Trace:
  [   37.365474]  <TASK>
  [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.366275]  ? device_release+0x38/0xa0
  [   37.366555]  ? show_regs.part.0+0x23/0x29
  [   37.366857]  ? __die_body.cold+0x8/0xd
  [   37.367143]  ? __die+0x2b/0x37
  [   37.367382]  ? page_fault_oops+0x13b/0x170
  [   37.367682]  ? do_user_addr_fault+0x313/0x640
  [   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
  [   37.368322]  ? __call_rcu+0xa8/0x270
  [   37.368592]  ? exc_page_fault+0x77/0x170
  [   37.368882]  ? asm_exc_page_fault+0x27/0x30
  [   37.369190]  ? device_release+0x26/0xa0
  [   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
  [   37.369792]  ? disk_release+0x31/0x80
  [   37.370060]  device_release+0x38/0xa0
  [   37.370337]  kobject_cleanup+0x3e/0x150
  [   37.370623]  kobject_put+0x5b/0x80
  [   37.370881]  put_device+0x13/0x20
  [   37.371133]  put_disk+0x1b/0x30
  [   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
  [   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
  [   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
  [   37.372785]  ? do_syscall_64+0x63/0xb0
  [   37.373058]  __x64_sys_delete_module+0x12/0x20
  [   37.373421]  x64_sys_call+0x16cf/0x1fa0
  [   37.373720]  do_syscall_64+0x56/0xb0
  [   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
  [   37.374624]  ? do_syscall_64+0x63/0xb0
  [   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
  [   37.375180]  ? clear_bhb_loop+0x45/0xa0
  [   37.375469]  ? clear_bhb_loop+0x45/0xa0
  [   37.375741]  ? clear_bhb_loop+0x45/0xa0
  [   37.376013]  ? clear_bhb_loop+0x45/0xa0
  [   37.376292]  ? clear_bhb_loop+0x45/0xa0
  [   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
  [   37.376913] RIP: 0033:0x7f0a712ecaeb
  [   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff 
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 
f0 ff ff 73 01 c3 48 8b 0d
   15 33 0f 00 f7 d8 64 89 01 48
  [   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 
00000000000000b0
  [   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 
00007f0a712ecaeb
  [   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 
00005615695dbe98
  [   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 
0000000000000000
  [   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 
00005615695dbe98
  [   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 
00007ffc33b3df78
  [   37.381256]  </TASK>
  [   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr 
intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev 
input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_c
  odel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore 
ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 
async_raid6_recov async_memcpy asyn
  c_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 
aesni_intel i2c_i801 crypto_simd x
  hci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci 
virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
  [   37.385136] CR2: 0000000000000030
  [   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
  [   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.390073] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.390620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.391478] PKRU: 55555554
  
  This can be simply reproduced on a VM with a floppy disk added and only
  happens on 5.15 kernel, because of the change of kernel internal
  structure.
  
  [Fix]
  
  This upstream commit fixes it:
  
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246
  
  commit 2598a2bb357d64baaa94368133ddbc900b9eb246
  Author: Luis Chamberlain <mcg...@kernel.org>
  Date:   Mon Sep 27 15:02:50 2021 -0700
  floppy: fix add_disk() assumption on exit due to new developments
  
  The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
  queue for the disk's lifetime. This change removes the need to
  conditionally clean up the queue and ensures put_disk() is still
  required on exit.
  
  [Testcase]
  
  Create a VM and add a floppy disk to it, remove the floppy module by
  "modprobe -r floppy" to check if the null pointer deference occurs in
  the kernel logs.
  
  [Where problems can occur]
  
  If there is something wrong in this commit, removing floppy module might 
cause issues,
  but it won't affect the whole system, and also floppy is rarely used nowadays.

** Description changed:

  BugLink: https://bugs.launchpad.net/bugs/2104326
  
  [Impact]
  
  Remove the floppy kernel module by "modprobe -r floppy" causes the
  following:
  
- [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS                         
                                                                                
       
- [   26.615036] FDC 0 is a S82078B                                             
                                                                                
                          
- [   37.356072] BUG: kernel NULL pointer dereference, address: 
0000000000000030                                                                
                                          [   37.356898] #PF: supervisor read 
access in kernel mode
+ [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
+ [   26.615036] FDC 0 is a S82078B
+ [   37.356072] BUG: kernel NULL pointer dereference, address: 
0000000000000030                                                                
                                          
+ [   37.356898] #PF: supervisor read access in kernel mode
  [   37.357306] #PF: error_code(0x0000) - not-present page
  [   37.357671] PGD 0 P4D 0
  [   37.357873] Oops: 0000 [#1] SMP NOPTI
  [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic 
#146-Ubuntu
  [   37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
1.16.3-debian-1.16.3-2 04/01/2014
  [   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.365063] PKRU: 55555554
  [   37.365276] Call Trace:
  [   37.365474]  <TASK>
  [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.366275]  ? device_release+0x38/0xa0
  [   37.366555]  ? show_regs.part.0+0x23/0x29
  [   37.366857]  ? __die_body.cold+0x8/0xd
  [   37.367143]  ? __die+0x2b/0x37
  [   37.367382]  ? page_fault_oops+0x13b/0x170
  [   37.367682]  ? do_user_addr_fault+0x313/0x640
  [   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
  [   37.368322]  ? __call_rcu+0xa8/0x270
  [   37.368592]  ? exc_page_fault+0x77/0x170
  [   37.368882]  ? asm_exc_page_fault+0x27/0x30
  [   37.369190]  ? device_release+0x26/0xa0
  [   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
  [   37.369792]  ? disk_release+0x31/0x80
  [   37.370060]  device_release+0x38/0xa0
  [   37.370337]  kobject_cleanup+0x3e/0x150
  [   37.370623]  kobject_put+0x5b/0x80
  [   37.370881]  put_device+0x13/0x20
  [   37.371133]  put_disk+0x1b/0x30
  [   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
  [   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
  [   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
  [   37.372785]  ? do_syscall_64+0x63/0xb0
  [   37.373058]  __x64_sys_delete_module+0x12/0x20
  [   37.373421]  x64_sys_call+0x16cf/0x1fa0
  [   37.373720]  do_syscall_64+0x56/0xb0
  [   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
  [   37.374624]  ? do_syscall_64+0x63/0xb0
  [   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
  [   37.375180]  ? clear_bhb_loop+0x45/0xa0
  [   37.375469]  ? clear_bhb_loop+0x45/0xa0
  [   37.375741]  ? clear_bhb_loop+0x45/0xa0
  [   37.376013]  ? clear_bhb_loop+0x45/0xa0
  [   37.376292]  ? clear_bhb_loop+0x45/0xa0
  [   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
  [   37.376913] RIP: 0033:0x7f0a712ecaeb
  [   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff 
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 
f0 ff ff 73 01 c3 48 8b 0d
   15 33 0f 00 f7 d8 64 89 01 48
  [   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 
00000000000000b0
  [   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 
00007f0a712ecaeb
  [   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 
00005615695dbe98
  [   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 
0000000000000000
  [   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 
00005615695dbe98
  [   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 
00007ffc33b3df78
  [   37.381256]  </TASK>
  [   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr 
intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev 
input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_c
  odel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore 
ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 
async_raid6_recov async_memcpy asyn
  c_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 
aesni_intel i2c_i801 crypto_simd x
  hci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci 
virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
  [   37.385136] CR2: 0000000000000030
  [   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
  [   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.390073] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.390620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.391478] PKRU: 55555554
  
  This can be simply reproduced on a VM with a floppy disk added and only
  happens on 5.15 kernel, because of the change of kernel internal
  structure.
  
  [Fix]
  
  This upstream commit fixes it:
  
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246
  
  commit 2598a2bb357d64baaa94368133ddbc900b9eb246
  Author: Luis Chamberlain <mcg...@kernel.org>
  Date:   Mon Sep 27 15:02:50 2021 -0700
  floppy: fix add_disk() assumption on exit due to new developments
  
  The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
  queue for the disk's lifetime. This change removes the need to
  conditionally clean up the queue and ensures put_disk() is still
  required on exit.
  
  [Testcase]
  
  Create a VM and add a floppy disk to it, remove the floppy module by
  "modprobe -r floppy" to check if the null pointer deference occurs in
  the kernel logs.
  
  [Where problems can occur]
  
  If there is something wrong in this commit, removing floppy module might 
cause issues,
  but it won't affect the whole system, and also floppy is rarely used nowadays.

** Description changed:

  BugLink: https://bugs.launchpad.net/bugs/2104326
  
  [Impact]
  
  Remove the floppy kernel module by "modprobe -r floppy" causes the
  following:
  
  [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
  [   26.615036] FDC 0 is a S82078B
- [   37.356072] BUG: kernel NULL pointer dereference, address: 
0000000000000030                                                                
                                          
+ [   37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
  [   37.356898] #PF: supervisor read access in kernel mode
  [   37.357306] #PF: error_code(0x0000) - not-present page
  [   37.357671] PGD 0 P4D 0
  [   37.357873] Oops: 0000 [#1] SMP NOPTI
  [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic 
#146-Ubuntu
  [   37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
1.16.3-debian-1.16.3-2 04/01/2014
  [   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.365063] PKRU: 55555554
  [   37.365276] Call Trace:
  [   37.365474]  <TASK>
  [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.366275]  ? device_release+0x38/0xa0
  [   37.366555]  ? show_regs.part.0+0x23/0x29
  [   37.366857]  ? __die_body.cold+0x8/0xd
  [   37.367143]  ? __die+0x2b/0x37
  [   37.367382]  ? page_fault_oops+0x13b/0x170
  [   37.367682]  ? do_user_addr_fault+0x313/0x640
  [   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
  [   37.368322]  ? __call_rcu+0xa8/0x270
  [   37.368592]  ? exc_page_fault+0x77/0x170
  [   37.368882]  ? asm_exc_page_fault+0x27/0x30
  [   37.369190]  ? device_release+0x26/0xa0
  [   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
  [   37.369792]  ? disk_release+0x31/0x80
  [   37.370060]  device_release+0x38/0xa0
  [   37.370337]  kobject_cleanup+0x3e/0x150
  [   37.370623]  kobject_put+0x5b/0x80
  [   37.370881]  put_device+0x13/0x20
  [   37.371133]  put_disk+0x1b/0x30
  [   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
  [   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
  [   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
  [   37.372785]  ? do_syscall_64+0x63/0xb0
  [   37.373058]  __x64_sys_delete_module+0x12/0x20
  [   37.373421]  x64_sys_call+0x16cf/0x1fa0
  [   37.373720]  do_syscall_64+0x56/0xb0
  [   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
  [   37.374624]  ? do_syscall_64+0x63/0xb0
  [   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
  [   37.375180]  ? clear_bhb_loop+0x45/0xa0
  [   37.375469]  ? clear_bhb_loop+0x45/0xa0
  [   37.375741]  ? clear_bhb_loop+0x45/0xa0
  [   37.376013]  ? clear_bhb_loop+0x45/0xa0
  [   37.376292]  ? clear_bhb_loop+0x45/0xa0
  [   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
  [   37.376913] RIP: 0033:0x7f0a712ecaeb
  [   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff 
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 
f0 ff ff 73 01 c3 48 8b 0d
   15 33 0f 00 f7 d8 64 89 01 48
  [   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 
00000000000000b0
  [   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 
00007f0a712ecaeb
  [   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 
00005615695dbe98
  [   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 
0000000000000000
  [   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 
00005615695dbe98
  [   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 
00007ffc33b3df78
  [   37.381256]  </TASK>
  [   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr 
intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev 
input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_c
  odel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore 
ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 
async_raid6_recov async_memcpy asyn
  c_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 
aesni_intel i2c_i801 crypto_simd x
  hci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci 
virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
  [   37.385136] CR2: 0000000000000030
  [   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
  [   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.390073] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.390620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.391478] PKRU: 55555554
  
  This can be simply reproduced on a VM with a floppy disk added and only
  happens on 5.15 kernel, because of the change of kernel internal
  structure.
  
  [Fix]
  
  This upstream commit fixes it:
  
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246
  
  commit 2598a2bb357d64baaa94368133ddbc900b9eb246
  Author: Luis Chamberlain <mcg...@kernel.org>
  Date:   Mon Sep 27 15:02:50 2021 -0700
  floppy: fix add_disk() assumption on exit due to new developments
  
- The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
- queue for the disk's lifetime. This change removes the need to
- conditionally clean up the queue and ensures put_disk() is still
- required on exit.
+ The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid 
queue for the disk's lifetime.
+ This change removes the need to conditionally clean up the queue and ensures 
put_disk() is still required on exit.
  
  [Testcase]
  
  Create a VM and add a floppy disk to it, remove the floppy module by
  "modprobe -r floppy" to check if the null pointer deference occurs in
  the kernel logs.
  
  [Where problems can occur]
  
  If there is something wrong in this commit, removing floppy module might 
cause issues,
  but it won't affect the whole system, and also floppy is rarely used nowadays.

** Description changed:

  BugLink: https://bugs.launchpad.net/bugs/2104326
  
  [Impact]
  
  Remove the floppy kernel module by "modprobe -r floppy" causes the
  following:
  
  [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
  [   26.615036] FDC 0 is a S82078B
  [   37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
  [   37.356898] #PF: supervisor read access in kernel mode
  [   37.357306] #PF: error_code(0x0000) - not-present page
  [   37.357671] PGD 0 P4D 0
  [   37.357873] Oops: 0000 [#1] SMP NOPTI
  [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic 
#146-Ubuntu
  [   37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
1.16.3-debian-1.16.3-2 04/01/2014
  [   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff 
ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 
30 00 74 49 55 48 89 e5 41
   54 49 89 fc 48 8d bf 60 05 00
  [   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 
0000000082000101
  [   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 
0000000000000000
  [   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 
0000000000000000
  [   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: 
ffff95f9054525c0
  [   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000000
  [   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) 
knlGS:0000000000000000
  [   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 
0000000000750ee0
  [   37.365063] PKRU: 55555554
  [   37.365276] Call Trace:
  [   37.365474]  <TASK>
  [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.366275]  ? device_release+0x38/0xa0
  [   37.366555]  ? show_regs.part.0+0x23/0x29
  [   37.366857]  ? __die_body.cold+0x8/0xd
  [   37.367143]  ? __die+0x2b/0x37
  [   37.367382]  ? page_fault_oops+0x13b/0x170
  [   37.367682]  ? do_user_addr_fault+0x313/0x640
  [   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
  [   37.368322]  ? __call_rcu+0xa8/0x270
  [   37.368592]  ? exc_page_fault+0x77/0x170
  [   37.368882]  ? asm_exc_page_fault+0x27/0x30
  [   37.369190]  ? device_release+0x26/0xa0
  [   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
  [   37.369792]  ? disk_release+0x31/0x80
  [   37.370060]  device_release+0x38/0xa0
  [   37.370337]  kobject_cleanup+0x3e/0x150
  [   37.370623]  kobject_put+0x5b/0x80
  [   37.370881]  put_device+0x13/0x20
  [   37.371133]  put_disk+0x1b/0x30
  [   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
  [   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
  [   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
  [   37.372785]  ? do_syscall_64+0x63/0xb0
  [   37.373058]  __x64_sys_delete_module+0x12/0x20
  [   37.373421]  x64_sys_call+0x16cf/0x1fa0
  [   37.373720]  do_syscall_64+0x56/0xb0
  [   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
  [   37.374624]  ? do_syscall_64+0x63/0xb0
  [   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
  [   37.375180]  ? clear_bhb_loop+0x45/0xa0
  [   37.375469]  ? clear_bhb_loop+0x45/0xa0
  [   37.375741]  ? clear_bhb_loop+0x45/0xa0
  [   37.376013]  ? clear_bhb_loop+0x45/0xa0
  [   37.376292]  ? clear_bhb_loop+0x45/0xa0
  [   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
  [   37.376913] RIP: 0033:0x7f0a712ecaeb
  [   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff 
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 
f0 ff ff 73 01 c3 48 8b 0d
   15 33 0f 00 f7 d8 64 89 01 48
  [   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 
00000000000000b0
  [   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 
00007f0a712ecaeb
  [   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 
00005615695dbe98
  [   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 
0000000000000000
  [   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 
00005615695dbe98
  [   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 
00007ffc33b3df78
  [   37.381256]  </TASK>
  [   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
  [   37.385136] CR2: 0000000000000030
  [   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
  [   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
  [   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
  [   37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
  [   37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
  [   37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
  [   37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  [   37.390073] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
  [   37.390620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
  [   37.391478] PKRU: 55555554
  
  This can be reproduced simply on a VM with a floppy disk attached, and it
  only happens on the 5.15 kernel because of a change in the kernel's
  internal data structures.
  
  [Fix]
  
  This upstream commit fixes it:
  
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246
  
  commit 2598a2bb357d64baaa94368133ddbc900b9eb246
  Author: Luis Chamberlain <mcg...@kernel.org>
  Date:   Mon Sep 27 15:02:50 2021 -0700
  floppy: fix add_disk() assumption on exit due to new developments
  
  The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
  queue for the disk's lifetime. This change removes the need to conditionally
  clean up the queue and ensures put_disk() is still required on exit.
  
- [Testcase]
+ [Test Plan]
  
  Create a VM, add a floppy disk to it, and remove the floppy module with
  "modprobe -r floppy"; then check whether the NULL pointer dereference
  appears in the kernel logs.
  
- [Where problems can occur]
+ [Where problems could occur]
  
  If there is something wrong in this commit, removing the floppy module
  might cause issues, but it won't affect the whole system, and floppy
  drives are rarely used nowadays.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2104326

Title:
  Removing the floppy kernel module causes a null pointer dereference

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Jammy:
  In Progress

Bug description:
  BugLink: https://bugs.launchpad.net/bugs/2104326

  [Impact]

  Removing the floppy kernel module with "modprobe -r floppy" causes the
  following:

  [   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
  [   26.615036] FDC 0 is a S82078B
  [   37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
  [   37.356898] #PF: supervisor read access in kernel mode
  [   37.357306] #PF: error_code(0x0000) - not-present page
  [   37.357671] PGD 0 P4D 0
  [   37.357873] Oops: 0000 [#1] SMP NOPTI
  [   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
  [   37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
  [   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
  [   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
  [   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
  [   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
  [   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
  [   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  [   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
  [   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
  [   37.365063] PKRU: 55555554
  [   37.365276] Call Trace:
  [   37.365474]  <TASK>
  [   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
  [   37.366275]  ? device_release+0x38/0xa0
  [   37.366555]  ? show_regs.part.0+0x23/0x29
  [   37.366857]  ? __die_body.cold+0x8/0xd
  [   37.367143]  ? __die+0x2b/0x37
  [   37.367382]  ? page_fault_oops+0x13b/0x170
  [   37.367682]  ? do_user_addr_fault+0x313/0x640
  [   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
  [   37.368322]  ? __call_rcu+0xa8/0x270
  [   37.368592]  ? exc_page_fault+0x77/0x170
  [   37.368882]  ? asm_exc_page_fault+0x27/0x30
  [   37.369190]  ? device_release+0x26/0xa0
  [   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
  [   37.369792]  ? disk_release+0x31/0x80
  [   37.370060]  device_release+0x38/0xa0
  [   37.370337]  kobject_cleanup+0x3e/0x150
  [   37.370623]  kobject_put+0x5b/0x80
  [   37.370881]  put_device+0x13/0x20
  [   37.371133]  put_disk+0x1b/0x30
  [   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
  [   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
  [   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
  [   37.372785]  ? do_syscall_64+0x63/0xb0
  [   37.373058]  __x64_sys_delete_module+0x12/0x20
  [   37.373421]  x64_sys_call+0x16cf/0x1fa0
  [   37.373720]  do_syscall_64+0x56/0xb0
  [   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
  [   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
  [   37.374624]  ? do_syscall_64+0x63/0xb0
  [   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
  [   37.375180]  ? clear_bhb_loop+0x45/0xa0
  [   37.375469]  ? clear_bhb_loop+0x45/0xa0
  [   37.375741]  ? clear_bhb_loop+0x45/0xa0
  [   37.376013]  ? clear_bhb_loop+0x45/0xa0
  [   37.376292]  ? clear_bhb_loop+0x45/0xa0
  [   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
  [   37.376913] RIP: 0033:0x7f0a712ecaeb
  [   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48
  [   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
  [   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 00007f0a712ecaeb
  [   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615695dbe98
  [   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 0000000000000000
  [   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 00005615695dbe98
  [   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 00007ffc33b3df78
  [   37.381256]  </TASK>
  [   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
  [   37.385136] CR2: 0000000000000030
  [   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
  [   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
  [   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
  [   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
  [   37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
  [   37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
  [   37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
  [   37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
  [   37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  [   37.390073] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
  [   37.390620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
  [   37.391478] PKRU: 55555554

  This can be reproduced simply on a VM with a floppy disk attached, and it
  only happens on the 5.15 kernel because of a change in the kernel's
  internal data structures.
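Triage of the oops above, as an added example that is not part of the bug report: it decodes the marked instruction bytes from the Code: line, recomputes the faulting address from the register dump and checks it against CR2. The instruction at RIP is cmp qword ptr [rdi+0x30], 0; RDI is 0 and CR2 is 0x30, and because the five bytes before the marker (0f 1f 44 00 00) are a 5-byte nop and RIP is blk_mq_cancel_work_sync+0x5, this is the function's first real instruction, so its first argument (rdi under the x86-64 SysV ABI, the request queue pointer) was already NULL on entry.

```python
import re

# Excerpt of the oops from this bug report (kernel-side dump, wrapped lines rejoined).
OOPS = """\
[   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
"""

# ModRM r/m register encodings (no REX.B) and the x86-64 SysV integer argument registers.
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
SYSV_ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]

def parse_regs(text):
    """Collect every 'NAME: <16 hex digits>' pair from the register dump."""
    return {m.group(1).lower(): int(m.group(2), 16)
            for m in re.finditer(r"\b([A-Z0-9]{2,3}): ([0-9a-f]{16})\b", text)}

def faulting_bytes(text):
    """Bytes from the <..> marker (the instruction at RIP) to the end of the Code: line."""
    code = re.search(r"Code: (.*)", text).group(1)
    return bytes.fromhex(code[code.index("<"):].replace("<", "").replace(">", ""))

def decode_cmp_rm64_imm8(insn):
    """Decode 'REX.W 83 /7 ib' with a [reg+disp8] operand: cmp qword ptr [reg+d], imm8.
    The only instruction shape this example needs; SIB-based forms are rejected."""
    if len(insn) < 5 or insn[0] != 0x48 or insn[1] != 0x83:
        raise ValueError("not a REX.W 83 /r ib instruction")
    mod, reg, rm = insn[2] >> 6, (insn[2] >> 3) & 7, insn[2] & 7
    if mod != 1 or reg != 7 or rm == 4:
        raise ValueError("unsupported ModRM form")
    disp = insn[3] - 256 if insn[3] >= 0x80 else insn[3]   # sign-extend disp8
    return REGS64[rm], disp, insn[4]

def explain_fault(text):
    """Recompute the faulting address from the decoded instruction plus the register
    dump and check it against CR2 (the address the CPU actually faulted on); also
    report which SysV argument register held the bad pointer, if any."""
    regs = parse_regs(text)
    base, disp, imm = decode_cmp_rm64_imm8(faulting_bytes(text))
    computed = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    return {
        "asm": f"cmp qword ptr [{base}{disp:+#x}], {imm:#x}",
        "base": base, "disp": disp, "base_value": regs[base],
        "computed_addr": computed, "cr2": regs["cr2"],
        "consistent": computed == regs["cr2"],
        "arg_index": SYSV_ARG_REGS.index(base) if base in SYSV_ARG_REGS else None,
    }
```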

  [Fix]

  This upstream commit fixes it:
  
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246

  commit 2598a2bb357d64baaa94368133ddbc900b9eb246
  Author: Luis Chamberlain <mcg...@kernel.org>
  Date:   Mon Sep 27 15:02:50 2021 -0700
  floppy: fix add_disk() assumption on exit due to new developments

  The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
  queue for the disk's lifetime. This change removes the need to conditionally
  clean up the queue and ensures put_disk() is still required on exit.

  [Test Plan]

  Create a VM, add a floppy disk to it, and remove the floppy module with
  "modprobe -r floppy"; then check whether the NULL pointer dereference
  appears in the kernel logs.

  [Where problems could occur]

  If there is something wrong in this commit, removing the floppy module
  might cause issues, but it won't affect the whole system, and floppy
  drives are rarely used nowadays.



-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
