** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2104326

[Impact]
Removing the floppy kernel module with "modprobe -r floppy" causes the following:

[   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
[   26.615036] FDC 0 is a S82078B
[   37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[   37.356898] #PF: supervisor read access in kernel mode
[   37.357306] #PF: error_code(0x0000) - not-present page
[   37.357671] PGD 0 P4D 0
[   37.357873] Oops: 0000 [#1] SMP NOPTI
[   37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[   37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[   37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[   37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[   37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[   37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[   37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[   37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[   37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   37.363655] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[   37.364192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[   37.365063] PKRU: 55555554
[   37.365276] Call Trace:
[   37.365474]  <TASK>
[   37.365649]  ? show_trace_log_lvl+0x1d6/0x2ea
[   37.365961]  ? show_trace_log_lvl+0x1d6/0x2ea
[   37.366275]  ? device_release+0x38/0xa0
[   37.366555]  ? show_regs.part.0+0x23/0x29
[   37.366857]  ? __die_body.cold+0x8/0xd
[   37.367143]  ? __die+0x2b/0x37
[   37.367382]  ? page_fault_oops+0x13b/0x170
[   37.367682]  ? do_user_addr_fault+0x313/0x640
[   37.367991]  ? fsnotify_destroy_marks+0x2a/0x150
[   37.368322]  ? __call_rcu+0xa8/0x270
[   37.368592]  ? exc_page_fault+0x77/0x170
[   37.368882]  ? asm_exc_page_fault+0x27/0x30
[   37.369190]  ? device_release+0x26/0xa0
[   37.369471]  ? blk_mq_cancel_work_sync+0x5/0x60
[   37.369792]  ? disk_release+0x31/0x80
[   37.370060]  device_release+0x38/0xa0
[   37.370337]  kobject_cleanup+0x3e/0x150
[   37.370623]  kobject_put+0x5b/0x80
[   37.370881]  put_device+0x13/0x20
[   37.371133]  put_disk+0x1b/0x30
[   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]
[   37.371740]  __do_sys_delete_module.constprop.0+0x184/0x290
[   37.372140]  ? syscall_exit_to_user_mode+0x2c/0x50
[   37.372492]  ? x64_sys_call+0x1dba/0x1fa0
[   37.372785]  ? do_syscall_64+0x63/0xb0
[   37.373058]  __x64_sys_delete_module+0x12/0x20
[   37.373421]  x64_sys_call+0x16cf/0x1fa0
[   37.373720]  do_syscall_64+0x56/0xb0
[   37.374001]  ? syscall_exit_to_user_mode+0x2c/0x50
[   37.374339]  ? x64_sys_call+0x1a55/0x1fa0
[   37.374624]  ? do_syscall_64+0x63/0xb0
[   37.374891]  ? x64_sys_call+0x1de6/0x1fa0
[   37.375180]  ? clear_bhb_loop+0x45/0xa0
[   37.375469]  ? clear_bhb_loop+0x45/0xa0
[   37.375741]  ? clear_bhb_loop+0x45/0xa0
[   37.376013]  ? clear_bhb_loop+0x45/0xa0
[   37.376292]  ? clear_bhb_loop+0x45/0xa0
[   37.376568]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[   37.376913] RIP: 0033:0x7f0a712ecaeb
[   37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48
[   37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[   37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 00007f0a712ecaeb
[   37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615695dbe98
[   37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 0000000000000000
[   37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 00005615695dbe98
[   37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 00007ffc33b3df78
[   37.381256]  </TASK>
[   37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
[   37.385136] CR2: 0000000000000030
[   37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
[   37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[   37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[   37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[   37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[   37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[   37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[   37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[   37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   37.390073] FS:  00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[   37.390620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[   37.391478] PKRU: 55555554

This can be reproduced simply on a VM with a floppy disk added. It only happens on the 5.15 kernel, because of a change in the kernel's internal structures.

[Fix]
This upstream commit fixes it:
+ https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246

commit 2598a2bb357d64baaa94368133ddbc900b9eb246
Author: Luis Chamberlain <[email protected]>
Date:   Mon Sep 27 15:02:50 2021 -0700
-
-     floppy: fix add_disk() assumption on exit due to new developments
-
-     After the patch titled "floppy: use blk_mq_alloc_disk and
-     blk_cleanup_disk" the floppy driver was modified to allocate
-     the blk_mq_alloc_disk() which allocates the disk with the
-     queue. This is further clarified later with the patch titled
-     "block: remove alloc_disk and alloc_disk_node". This clarifies
-     that:
-
-     Most drivers should use and have been converted to use
-     blk_alloc_disk and blk_mq_alloc_disk. Only the scsi
-     ULPs and dasd still allocate a disk separately from the
-     request_queue so don't bother with convenience macros for
-     something that should not see significant new users and
-     remove these wrappers.
-
-     And then we have the patch titled, "block: hold a request_queue
-     reference for the lifetime of struct gendisk" which ensures
-     that a queue is *always* present for sure during the entire
-     lifetime of a disk.
-
-     In the floppy driver's case then the disk always comes with the
-     queue. So even if the queue was cleaned up on exit, putting
-     the disk *is* still required, and likewise, blk_cleanup_queue() on
-     a null queue should not happen now as disk->queue is valid from
-     disk allocation time on.
-
-     Automatic backport code scrapers should hopefully not cherry pick
-     this patch as a stable fix candidate without full due diligence to
-     ensure all the work done on the block layer to make this happen is
-     merged first.
-
-     Signed-off-by: Luis Chamberlain <[email protected]>
-     Link: https://lore.kernel.org/r/[email protected]
-     Signed-off-by: Jens Axboe <[email protected]>
+     floppy: fix add_disk() assumption on exit due to new developments
+     The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid queue for the disk's lifetime. This change removes the need to conditionally clean up the queue and ensures put_disk() is still required on exit.

[Testcase]
Create a VM and add a floppy disk to it, then remove the floppy module with "modprobe -r floppy" and check whether the NULL pointer dereference appears in the kernel logs.

[Where problems can occur]
If there is something wrong in this commit, removing the floppy module might cause issues, but it won't affect the whole system, and floppy is rarely used nowadays.
** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2104326

[Impact]
Removing the floppy kernel module with "modprobe -r floppy" causes the following:

- [ 26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
- [ 26.615036] FDC 0 is a S82078B
- [ 37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 37.356898] #PF: supervisor read access in kernel mode
+ [ 26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
+ [ 26.615036] FDC 0 is a S82078B
+ [ 37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
+ [ 37.356898] #PF: supervisor read access in kernel mode
[ 37.357306] #PF: error_code(0x0000) - not-present page
[ 37.357671] PGD 0 P4D 0
[ 37.357873] Oops: 0000 [#1] SMP NOPTI
[ 37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[ 37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.363655] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.364192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.365063] PKRU: 55555554
[ 37.365276] Call Trace:
[ 37.365474] <TASK>
[ 37.365649] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.365961] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.366275] ? device_release+0x38/0xa0
[ 37.366555] ? show_regs.part.0+0x23/0x29
[ 37.366857] ? __die_body.cold+0x8/0xd
[ 37.367143] ? __die+0x2b/0x37
[ 37.367382] ? page_fault_oops+0x13b/0x170
[ 37.367682] ? do_user_addr_fault+0x313/0x640
[ 37.367991] ? fsnotify_destroy_marks+0x2a/0x150
[ 37.368322] ? __call_rcu+0xa8/0x270
[ 37.368592] ? exc_page_fault+0x77/0x170
[ 37.368882] ? asm_exc_page_fault+0x27/0x30
[ 37.369190] ? device_release+0x26/0xa0
[ 37.369471] ? blk_mq_cancel_work_sync+0x5/0x60
[ 37.369792] ? disk_release+0x31/0x80
[ 37.370060] device_release+0x38/0xa0
[ 37.370337] kobject_cleanup+0x3e/0x150
[ 37.370623] kobject_put+0x5b/0x80
[ 37.370881] put_device+0x13/0x20
[ 37.371133] put_disk+0x1b/0x30
[ 37.371379] floppy_module_exit+0x34b/0x105d [floppy]
[ 37.371740] __do_sys_delete_module.constprop.0+0x184/0x290
[ 37.372140] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.372492] ? x64_sys_call+0x1dba/0x1fa0
[ 37.372785] ? do_syscall_64+0x63/0xb0
[ 37.373058] __x64_sys_delete_module+0x12/0x20
[ 37.373421] x64_sys_call+0x16cf/0x1fa0
[ 37.373720] do_syscall_64+0x56/0xb0
[ 37.374001] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.374339] ? x64_sys_call+0x1a55/0x1fa0
[ 37.374624] ? do_syscall_64+0x63/0xb0
[ 37.374891] ? x64_sys_call+0x1de6/0x1fa0
[ 37.375180] ? clear_bhb_loop+0x45/0xa0
[ 37.375469] ? clear_bhb_loop+0x45/0xa0
[ 37.375741] ? clear_bhb_loop+0x45/0xa0
[ 37.376013] ? clear_bhb_loop+0x45/0xa0
[ 37.376292] ? clear_bhb_loop+0x45/0xa0
[ 37.376568] entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[ 37.376913] RIP: 0033:0x7f0a712ecaeb
[ 37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48
[ 37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 00007f0a712ecaeb
[ 37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615695dbe98
[ 37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 0000000000000000
[ 37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 00005615695dbe98
[ 37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 00007ffc33b3df78
[ 37.381256] </TASK>
[ 37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
[ 37.385136] CR2: 0000000000000030
[ 37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
[ 37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.390073] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.390620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.391478] PKRU: 55555554

This can be reproduced simply on a VM with a floppy disk added, and it only happens on the 5.15 kernel because of a change in the kernel's internal structures.

[Fix]
This upstream commit fixes it:
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246

commit 2598a2bb357d64baaa94368133ddbc900b9eb246
Author: Luis Chamberlain <[email protected]>
Date: Mon Sep 27 15:02:50 2021 -0700

    floppy: fix add_disk() assumption on exit due to new developments

    The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
    queue for the disk's lifetime. This change removes the need to
    conditionally clean up the queue and ensures put_disk() is still
    required on exit.

[Testcase]
Create a VM and add a floppy disk to it, then remove the floppy module with "modprobe -r floppy" to check whether the null pointer dereference occurs in the kernel logs.

[Where problems can occur]
If there is something wrong in this commit, removing the floppy module might cause issues, but it won't affect the whole system, and floppy drives are rarely used nowadays.
** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2104326

[Impact]
Removing the floppy kernel module with "modprobe -r floppy" causes the following:

[ 26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
[ 26.615036] FDC 0 is a S82078B
- [ 37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
+ [ 37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 37.356898] #PF: supervisor read access in kernel mode
[ 37.357306] #PF: error_code(0x0000) - not-present page
[ 37.357671] PGD 0 P4D 0
[ 37.357873] Oops: 0000 [#1] SMP NOPTI
[ 37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[ 37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.363655] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.364192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.365063] PKRU: 55555554
[ 37.365276] Call Trace:
[ 37.365474] <TASK>
[ 37.365649] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.365961] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.366275] ? device_release+0x38/0xa0
[ 37.366555] ? show_regs.part.0+0x23/0x29
[ 37.366857] ? __die_body.cold+0x8/0xd
[ 37.367143] ? __die+0x2b/0x37
[ 37.367382] ? page_fault_oops+0x13b/0x170
[ 37.367682] ? do_user_addr_fault+0x313/0x640
[ 37.367991] ? fsnotify_destroy_marks+0x2a/0x150
[ 37.368322] ? __call_rcu+0xa8/0x270
[ 37.368592] ? exc_page_fault+0x77/0x170
[ 37.368882] ? asm_exc_page_fault+0x27/0x30
[ 37.369190] ? device_release+0x26/0xa0
[ 37.369471] ? blk_mq_cancel_work_sync+0x5/0x60
[ 37.369792] ? disk_release+0x31/0x80
[ 37.370060] device_release+0x38/0xa0
[ 37.370337] kobject_cleanup+0x3e/0x150
[ 37.370623] kobject_put+0x5b/0x80
[ 37.370881] put_device+0x13/0x20
[ 37.371133] put_disk+0x1b/0x30
[ 37.371379] floppy_module_exit+0x34b/0x105d [floppy]
[ 37.371740] __do_sys_delete_module.constprop.0+0x184/0x290
[ 37.372140] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.372492] ? x64_sys_call+0x1dba/0x1fa0
[ 37.372785] ? do_syscall_64+0x63/0xb0
[ 37.373058] __x64_sys_delete_module+0x12/0x20
[ 37.373421] x64_sys_call+0x16cf/0x1fa0
[ 37.373720] do_syscall_64+0x56/0xb0
[ 37.374001] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.374339] ? x64_sys_call+0x1a55/0x1fa0
[ 37.374624] ? do_syscall_64+0x63/0xb0
[ 37.374891] ? x64_sys_call+0x1de6/0x1fa0
[ 37.375180] ? clear_bhb_loop+0x45/0xa0
[ 37.375469] ? clear_bhb_loop+0x45/0xa0
[ 37.375741] ? clear_bhb_loop+0x45/0xa0
[ 37.376013] ? clear_bhb_loop+0x45/0xa0
[ 37.376292] ? clear_bhb_loop+0x45/0xa0
[ 37.376568] entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[ 37.376913] RIP: 0033:0x7f0a712ecaeb
[ 37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48
[ 37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 00007f0a712ecaeb
[ 37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615695dbe98
[ 37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 0000000000000000
[ 37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 00005615695dbe98
[ 37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 00007ffc33b3df78
[ 37.381256] </TASK>
[ 37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
[ 37.385136] CR2: 0000000000000030
[ 37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
[ 37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.390073] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.390620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.391478] PKRU: 55555554

This can be reproduced simply on a VM with a floppy disk added, and it only happens on the 5.15 kernel because of a change in the kernel's internal structures.

[Fix]
This upstream commit fixes it:
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246

commit 2598a2bb357d64baaa94368133ddbc900b9eb246
Author: Luis Chamberlain <[email protected]>
Date: Mon Sep 27 15:02:50 2021 -0700

    floppy: fix add_disk() assumption on exit due to new developments

-     The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid
-     queue for the disk's lifetime. This change removes the need to
-     conditionally clean up the queue and ensures put_disk() is still
-     required on exit.
+     The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid queue for the disk's lifetime.
+     This change removes the need to conditionally clean up the queue and ensures put_disk() is still required on exit.

[Testcase]
Create a VM and add a floppy disk to it, then remove the floppy module with "modprobe -r floppy" to check whether the null pointer dereference occurs in the kernel logs.

[Where problems can occur]
If there is something wrong in this commit, removing the floppy module might cause issues, but it won't affect the whole system, and floppy drives are rarely used nowadays.
** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2104326

[Impact]
Removing the floppy kernel module with "modprobe -r floppy" causes the following:

[ 26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
[ 26.615036] FDC 0 is a S82078B
[ 37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 37.356898] #PF: supervisor read access in kernel mode
[ 37.357306] #PF: error_code(0x0000) - not-present page
[ 37.357671] PGD 0 P4D 0
[ 37.357873] Oops: 0000 [#1] SMP NOPTI
[ 37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[ 37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.363655] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.364192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.365063] PKRU: 55555554
[ 37.365276] Call Trace:
[ 37.365474] <TASK>
[ 37.365649] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.365961] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.366275] ? device_release+0x38/0xa0
[ 37.366555] ? show_regs.part.0+0x23/0x29
[ 37.366857] ? __die_body.cold+0x8/0xd
[ 37.367143] ? __die+0x2b/0x37
[ 37.367382] ? page_fault_oops+0x13b/0x170
[ 37.367682] ? do_user_addr_fault+0x313/0x640
[ 37.367991] ? fsnotify_destroy_marks+0x2a/0x150
[ 37.368322] ? __call_rcu+0xa8/0x270
[ 37.368592] ? exc_page_fault+0x77/0x170
[ 37.368882] ? asm_exc_page_fault+0x27/0x30
[ 37.369190] ? device_release+0x26/0xa0
[ 37.369471] ? blk_mq_cancel_work_sync+0x5/0x60
[ 37.369792] ? disk_release+0x31/0x80
[ 37.370060] device_release+0x38/0xa0
[ 37.370337] kobject_cleanup+0x3e/0x150
[ 37.370623] kobject_put+0x5b/0x80
[ 37.370881] put_device+0x13/0x20
[ 37.371133] put_disk+0x1b/0x30
[ 37.371379] floppy_module_exit+0x34b/0x105d [floppy]
[ 37.371740] __do_sys_delete_module.constprop.0+0x184/0x290
[ 37.372140] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.372492] ? x64_sys_call+0x1dba/0x1fa0
[ 37.372785] ? do_syscall_64+0x63/0xb0
[ 37.373058] __x64_sys_delete_module+0x12/0x20
[ 37.373421] x64_sys_call+0x16cf/0x1fa0
[ 37.373720] do_syscall_64+0x56/0xb0
[ 37.374001] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.374339] ? x64_sys_call+0x1a55/0x1fa0
[ 37.374624] ? do_syscall_64+0x63/0xb0
[ 37.374891] ? x64_sys_call+0x1de6/0x1fa0
[ 37.375180] ? clear_bhb_loop+0x45/0xa0
[ 37.375469] ? clear_bhb_loop+0x45/0xa0
[ 37.375741] ? clear_bhb_loop+0x45/0xa0
[ 37.376013] ? clear_bhb_loop+0x45/0xa0
[ 37.376292] ? clear_bhb_loop+0x45/0xa0
[ 37.376568] entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[ 37.376913] RIP: 0033:0x7f0a712ecaeb
[ 37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48
[ 37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 00007f0a712ecaeb
[ 37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615695dbe98
[ 37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 0000000000000000
[ 37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 00005615695dbe98
[ 37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 00007ffc33b3df78
[ 37.381256] </TASK>
[ 37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
[ 37.385136] CR2: 0000000000000030
[ 37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
[ 37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.390073] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.390620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.391478] PKRU: 55555554

This can be reproduced simply on a VM with a floppy disk added, and it only happens on the 5.15 kernel because of a change in the kernel's internal structures.

[Fix]
This upstream commit fixes it:
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246

commit 2598a2bb357d64baaa94368133ddbc900b9eb246
Author: Luis Chamberlain <[email protected]>
Date: Mon Sep 27 15:02:50 2021 -0700

    floppy: fix add_disk() assumption on exit due to new developments

    The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid queue for the disk's lifetime.
    This change removes the need to conditionally clean up the queue and ensures put_disk() is still required on exit.

- [Testcase]
+ [Test Plan]
Create a VM and add a floppy disk to it, then remove the floppy module with "modprobe -r floppy" to check whether the null pointer dereference occurs in the kernel logs.

- [Where problems can occur]
+ [Where problems could occur]
If there is something wrong in this commit, removing the floppy module might cause issues, but it won't affect the whole system, and floppy drives are rarely used nowadays.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2104326

Title:
  Remove floppy kernel module causes null pointer deference

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2104326/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
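The [Test Plan] in the description above, written out as a POSIX shell helper. This is an added example, not part of the bug report, of the SRU, or of the kernel tree. The two strings it matches on ("BUG: kernel NULL pointer dereference" and "floppy_module_exit") and the faulting address 0000000000000030 are taken from the oops quoted above; the function names are my own. The live check assumes it runs as root on a VM that has a floppy device attached, and that the kernel ring buffer does not wrap between its two dmesg reads. The sample log lines at the bottom are constructed (abridged from the report) so the matching logic can be exercised offline without unloading anything.

```shell
#!/bin/sh
# Added helper for the [Test Plan] above (not the bug report's own code).
# It recognises the signature of this oops in kernel log text and, when
# asked to, performs the module unload and inspects the log itself.

# floppy_oops_in_log LOGTEXT
# Returns 0 when LOGTEXT contains both the BUG line and a call trace that
# passes through floppy_module_exit, 1 otherwise. Both strings are the
# ones that appear in the report above.
floppy_oops_in_log() {
    printf '%s\n' "$1" | grep -q 'BUG: kernel NULL pointer dereference' || return 1
    printf '%s\n' "$1" | grep -q 'floppy_module_exit' || return 1
    return 0
}

# oops_fault_address LOGTEXT
# Prints the faulting address from the BUG line (0000000000000030 in the
# report, i.e. a field at offset 0x30 of a NULL struct pointer), or nothing
# when no such line is present.
oops_fault_address() {
    printf '%s\n' "$1" \
        | sed -n 's/.*NULL pointer dereference, address: \([0-9a-f]*\).*/\1/p' \
        | head -n 1
}

# run_floppy_unload_check
# Live version of the test plan: load the floppy module, remove it, and
# examine only the kernel log lines written during the check. Needs root
# and a VM with a floppy device. Returns 0 on PASS, 1 on FAIL, 2 if the
# module cannot be loaded here. The line-count bookkeeping assumes the
# ring buffer does not wrap while the check runs.
run_floppy_unload_check() {
    before=$(dmesg | wc -l)
    modprobe floppy || { echo "floppy module not loadable on this system"; return 2; }
    modprobe -r floppy
    after=$(dmesg | tail -n +"$((before + 1))")
    if floppy_oops_in_log "$after"; then
        echo "FAIL: oops in floppy_module_exit, fault address $(oops_fault_address "$after")"
        return 1
    fi
    echo "PASS: floppy module removed cleanly"
    return 0
}

# Constructed sample log text (abridged from the report above) for offline use.
SAMPLE_OOPS='[   37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[   37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[   37.371133]  put_disk+0x1b/0x30
[   37.371379]  floppy_module_exit+0x34b/0x105d [floppy]'
SAMPLE_CLEAN='[   26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
[   26.615036] FDC 0 is a S82078B'

# Run the live check only when explicitly requested: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    run_floppy_unload_check
fi
```

Run it with `--live` on a kernel before and after the fix: the unfixed 5.15 kernel should report FAIL with the 0x30 fault address, the patched one PASS. Matching on both the BUG line and `floppy_module_exit` keeps an unrelated oops from another driver from being mistaken for this one.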
