** Changed in: linux (Ubuntu Jammy)
Status: In Progress => Fix Committed
https://bugs.launchpad.net/bugs/2104326
Title:
Removing the floppy kernel module causes a null pointer dereference
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Jammy:
Fix Committed
Bug description:
BugLink: https://bugs.launchpad.net/bugs/2104326
[Impact]
Removing the floppy kernel module with "modprobe -r floppy" causes the
following kernel oops:
[ 26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
[ 26.615036] FDC 0 is a S82078B
[ 37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 37.356898] #PF: supervisor read access in kernel mode
[ 37.357306] #PF: error_code(0x0000) - not-present page
[ 37.357671] PGD 0 P4D 0
[ 37.357873] Oops: 0000 [#1] SMP NOPTI
[ 37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[ 37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.363655] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.364192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.365063] PKRU: 55555554
[ 37.365276] Call Trace:
[ 37.365474] <TASK>
[ 37.365649] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.365961] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.366275] ? device_release+0x38/0xa0
[ 37.366555] ? show_regs.part.0+0x23/0x29
[ 37.366857] ? __die_body.cold+0x8/0xd
[ 37.367143] ? __die+0x2b/0x37
[ 37.367382] ? page_fault_oops+0x13b/0x170
[ 37.367682] ? do_user_addr_fault+0x313/0x640
[ 37.367991] ? fsnotify_destroy_marks+0x2a/0x150
[ 37.368322] ? __call_rcu+0xa8/0x270
[ 37.368592] ? exc_page_fault+0x77/0x170
[ 37.368882] ? asm_exc_page_fault+0x27/0x30
[ 37.369190] ? device_release+0x26/0xa0
[ 37.369471] ? blk_mq_cancel_work_sync+0x5/0x60
[ 37.369792] ? disk_release+0x31/0x80
[ 37.370060] device_release+0x38/0xa0
[ 37.370337] kobject_cleanup+0x3e/0x150
[ 37.370623] kobject_put+0x5b/0x80
[ 37.370881] put_device+0x13/0x20
[ 37.371133] put_disk+0x1b/0x30
[ 37.371379] floppy_module_exit+0x34b/0x105d [floppy]
[ 37.371740] __do_sys_delete_module.constprop.0+0x184/0x290
[ 37.372140] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.372492] ? x64_sys_call+0x1dba/0x1fa0
[ 37.372785] ? do_syscall_64+0x63/0xb0
[ 37.373058] __x64_sys_delete_module+0x12/0x20
[ 37.373421] x64_sys_call+0x16cf/0x1fa0
[ 37.373720] do_syscall_64+0x56/0xb0
[ 37.374001] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.374339] ? x64_sys_call+0x1a55/0x1fa0
[ 37.374624] ? do_syscall_64+0x63/0xb0
[ 37.374891] ? x64_sys_call+0x1de6/0x1fa0
[ 37.375180] ? clear_bhb_loop+0x45/0xa0
[ 37.375469] ? clear_bhb_loop+0x45/0xa0
[ 37.375741] ? clear_bhb_loop+0x45/0xa0
[ 37.376013] ? clear_bhb_loop+0x45/0xa0
[ 37.376292] ? clear_bhb_loop+0x45/0xa0
[ 37.376568] entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[ 37.376913] RIP: 0033:0x7f0a712ecaeb
[ 37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48
[ 37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 00007f0a712ecaeb
[ 37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615695dbe98
[ 37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 0000000000000000
[ 37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 00005615695dbe98
[ 37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 00007ffc33b3df78
[ 37.381256] </TASK>
[ 37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
[ 37.385136] CR2: 0000000000000030
[ 37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
[ 37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.390073] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.390620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.391478] PKRU: 55555554
This is easily reproduced on a VM with a floppy disk attached. It only
happens on the 5.15 kernel, because of changes to internal kernel data
structures in that series.
[Fix]
This upstream commit fixes it:
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246
commit 2598a2bb357d64baaa94368133ddbc900b9eb246
Author: Luis Chamberlain <[email protected]>
Date: Mon Sep 27 15:02:50 2021 -0700
floppy: fix add_disk() assumption on exit due to new developments
The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
queue for the disk's lifetime.
This change removes the need to conditionally clean up the queue and ensures
put_disk() is still required on exit.
[Test Plan]
Create a VM with a floppy disk attached, remove the floppy module with
"modprobe -r floppy", and check whether the null pointer dereference
appears in the kernel log.
[Where problems could occur]
If something is wrong in this commit, removing the floppy module might
misbehave, but that would not affect the whole system, and the floppy
driver is rarely used nowadays.