[SRU][J][PATCH 0/1] Removing floppy kernel module causes null pointer dereference
Gerald Yang
gerald.yang at canonical.com
Wed Apr 2 06:50:05 UTC 2025
BugLink: https://bugs.launchpad.net/bugs/2104326
[Impact]
Removing the floppy kernel module with "modprobe -r floppy" causes the following:
[ 26.594748] Floppy drive(s): fd0 is 2.88M AMI BIOS
[ 26.615036] FDC 0 is a S82078B
[ 37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 37.356898] #PF: supervisor read access in kernel mode
[ 37.357306] #PF: error_code(0x0000) - not-present page
[ 37.357671] PGD 0 P4D 0
[ 37.357873] Oops: 0000 [#1] SMP NOPTI
[ 37.358143] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[ 37.358715] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.359718] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.360912] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.362697] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.363655] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.364192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.364586] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.365063] PKRU: 55555554
[ 37.365276] Call Trace:
[ 37.365474] <TASK>
[ 37.365649] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.365961] ? show_trace_log_lvl+0x1d6/0x2ea
[ 37.366275] ? device_release+0x38/0xa0
[ 37.366555] ? show_regs.part.0+0x23/0x29
[ 37.366857] ? __die_body.cold+0x8/0xd
[ 37.367143] ? __die+0x2b/0x37
[ 37.367382] ? page_fault_oops+0x13b/0x170
[ 37.367682] ? do_user_addr_fault+0x313/0x640
[ 37.367991] ? fsnotify_destroy_marks+0x2a/0x150
[ 37.368322] ? __call_rcu+0xa8/0x270
[ 37.368592] ? exc_page_fault+0x77/0x170
[ 37.368882] ? asm_exc_page_fault+0x27/0x30
[ 37.369190] ? device_release+0x26/0xa0
[ 37.369471] ? blk_mq_cancel_work_sync+0x5/0x60
[ 37.369792] ? disk_release+0x31/0x80
[ 37.370060] device_release+0x38/0xa0
[ 37.370337] kobject_cleanup+0x3e/0x150
[ 37.370623] kobject_put+0x5b/0x80
[ 37.370881] put_device+0x13/0x20
[ 37.371133] put_disk+0x1b/0x30
[ 37.371379] floppy_module_exit+0x34b/0x105d [floppy]
[ 37.371740] __do_sys_delete_module.constprop.0+0x184/0x290
[ 37.372140] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.372492] ? x64_sys_call+0x1dba/0x1fa0
[ 37.372785] ? do_syscall_64+0x63/0xb0
[ 37.373058] __x64_sys_delete_module+0x12/0x20
[ 37.373421] x64_sys_call+0x16cf/0x1fa0
[ 37.373720] do_syscall_64+0x56/0xb0
[ 37.374001] ? syscall_exit_to_user_mode+0x2c/0x50
[ 37.374339] ? x64_sys_call+0x1a55/0x1fa0
[ 37.374624] ? do_syscall_64+0x63/0xb0
[ 37.374891] ? x64_sys_call+0x1de6/0x1fa0
[ 37.375180] ? clear_bhb_loop+0x45/0xa0
[ 37.375469] ? clear_bhb_loop+0x45/0xa0
[ 37.375741] ? clear_bhb_loop+0x45/0xa0
[ 37.376013] ? clear_bhb_loop+0x45/0xa0
[ 37.376292] ? clear_bhb_loop+0x45/0xa0
[ 37.376568] entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[ 37.376913] RIP: 0033:0x7f0a712ecaeb
[ 37.377176] Code: 73 01 c3 48 8b 0d 45 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 15 33 0f 00 f7 d8 64 89 01 48
[ 37.378351] RSP: 002b:00007ffc33b3bc48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 37.378870] RAX: ffffffffffffffda RBX: 00005615695dbe30 RCX: 00007f0a712ecaeb
[ 37.379368] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615695dbe98
[ 37.379837] RBP: 00005615695dbe30 R08: 0000000000000000 R09: 0000000000000000
[ 37.380308] R10: 00007f0a71384ac0 R11: 0000000000000206 R12: 00005615695dbe98
[ 37.380785] R13: 0000000000000000 R14: 00005615695dbe98 R15: 00007ffc33b3df78
[ 37.381256] </TASK>
[ 37.381438] Modules linked in: floppy(-) isofs intel_rapl_msr intel_rapl_common binfmt_misc nls_iso8859_1 kvm_intel kvm rapl joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua drm efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel i2c_i801 crypto_simd xhci_pci virtio_net ahci net_failover cryptd i2c_smbus psmouse libahci virtio_scsi lpc_ich virtio_blk virtio_rng xhci_pci_renesas failover
[ 37.385136] CR2: 0000000000000030
[ 37.385412] ---[ end trace 09bc3a6935dc73e0 ]---
[ 37.385730] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.386080] Code: 00 00 89 45 d0 89 de e8 d9 8b 09 00 8b 45 d0 e9 71 ff ff ff b8 ea ff ff ff eb 94 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 83 7f 30 00 74 49 55 48 89 e5 41 54 49 89 fc 48 8d bf 60 05 00
[ 37.387332] RSP: 0018:ffffb9cb00b87d70 EFLAGS: 00010246
[ 37.387702] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.388179] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.388646] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.389126] R10: 0000000000000001 R11: ffff000000000000 R12: ffff95f9054525c0
[ 37.389607] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.390073] FS: 00007f0a711c4c40(0000) GS:ffff96005fc40000(0000) knlGS:0000000000000000
[ 37.390620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.391005] CR2: 0000000000000030 CR3: 000000010fcb0000 CR4: 0000000000750ee0
[ 37.391478] PKRU: 55555554
This can be reproduced simply on a VM with a floppy disk added, and it only happens on the 5.15 kernel because of changes to kernel-internal structures.
[Fix]
This upstream commit fixes it:
https://github.com/torvalds/linux/commit/2598a2bb357d64baaa94368133ddbc900b9eb246
commit 2598a2bb357d64baaa94368133ddbc900b9eb246
Author: Luis Chamberlain <mcgrof at kernel.org>
Date: Mon Sep 27 15:02:50 2021 -0700
floppy: fix add_disk() assumption on exit due to new developments
The floppy driver now uses blk_mq_alloc_disk(), which guarantees a valid queue for the disk's lifetime.
This change removes the need to conditionally clean up the queue and ensures put_disk() is still required on exit.
[Test Plan]
Create a VM and add a floppy disk to it, then remove the floppy module with "modprobe -r floppy" and check whether the null pointer dereference appears in the kernel logs.
[Where problems could occur]
If there is something wrong in this commit, removing the floppy module might cause issues,
but it won't affect the whole system, and floppy is rarely used nowadays.
Luis Chamberlain (1):
floppy: fix add_disk() assumption on exit due to new developments
drivers/block/floppy.c | 13 -------------
1 file changed, 13 deletions(-)
--
2.34.1
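The oops quoted in this report carries everything needed to confirm the diagnosis before reading the fix: the fault address, the faulting instruction, which call-trace frames the unwinder trusts, and which module was mid-unload. The following triage script is an added example written for this page; it is not part of the report, the floppy driver, the kernel, or the Ubuntu SRU tooling. The embedded input is an excerpt of the register dump, call trace and module list from the log above; the function and class names (parse_oops, classify_fault, summarize, Oops, Frame) are this example's own, and it assumes Python 3.8 or later and x86-64 oops formatting.

```python
"""Triage helper for an x86-64 kernel oops: extracts the fault address, the
faulting instruction, the reliable call-trace frames and module state, then
classifies the fault.  Example code written for this page; not part of the
floppy driver, the kernel, or the Ubuntu SRU tooling."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 4096  # x86-64 4K pages: a fault address below this is NULL plus a field offset

# Lines excerpted from the oops quoted in the report above (kernel register
# dump, call trace and module list); a real run would read dmesg or journalctl.
OOPS_TEXT = """\
[ 37.356072] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 37.356898] #PF: supervisor read access in kernel mode
[ 37.357306] #PF: error_code(0x0000) - not-present page
[ 37.358715] CPU: 1 PID: 1005 Comm: modprobe Not tainted 5.15.0-135-generic #146-Ubuntu
[ 37.359333] RIP: 0010:blk_mq_cancel_work_sync+0x5/0x60
[ 37.361273] RAX: ffff95f905452908 RBX: ffff95f90d38c900 RCX: 0000000082000101
[ 37.361746] RDX: 00000000820001bf RSI: ffffffffa8a92b36 RDI: 0000000000000000
[ 37.362219] RBP: ffffb9cb00b87d80 R08: 0000000000000001 R09: 0000000000000000
[ 37.363169] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.365276] Call Trace:
[ 37.365474] <TASK>
[ 37.369471] ? blk_mq_cancel_work_sync+0x5/0x60
[ 37.369792] ? disk_release+0x31/0x80
[ 37.370060] device_release+0x38/0xa0
[ 37.370337] kobject_cleanup+0x3e/0x150
[ 37.370623] kobject_put+0x5b/0x80
[ 37.370881] put_device+0x13/0x20
[ 37.371133] put_disk+0x1b/0x30
[ 37.371379] floppy_module_exit+0x34b/0x105d [floppy]
[ 37.372140] __do_sys_delete_module.constprop.0+0x184/0x290
[ 37.376568] entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[ 37.381256] </TASK>
[ 37.381438] Modules linked in: floppy(-) isofs kvm_intel kvm virtio_blk
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
FRAME = re.compile(
    r"^(?P<unreliable>\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
    r"(?:\s+\[(?P<mod>[\w-]+)\])?$")
REG = re.compile(r"\b(RAX|RBX|RCX|RDX|RSI|RDI|RBP|R0[89]|R1[0-5]): ([0-9a-f]{16})\b")
CPU_LINE = re.compile(
    r"^CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+) (?:Not tainted|Tainted:.*?) (?P<kver>\d[\w.-]*)")
MODULE = re.compile(r"^([\w-]+)(?:\(([^)]*)\))?$")
ARG_REGS = ("RDI", "RSI", "RDX", "RCX", "R08", "R09")  # x86-64 SysV integer argument order


@dataclass
class Frame:
    symbol: str
    offset: int
    size: int
    module: Optional[str]   # "[floppy]" suffix, None for core kernel symbols
    reliable: bool          # False when the unwinder printed the "? " marker


@dataclass
class Oops:
    fault_addr: Optional[int] = None
    access: str = ""        # "read" or "write", from the #PF line
    comm: str = ""
    pid: int = -1
    kernel: str = ""
    rip: Optional[Frame] = None
    regs: Dict[str, int] = field(default_factory=dict)
    frames: List[Frame] = field(default_factory=list)
    modules: Dict[str, str] = field(default_factory=dict)  # name -> state flags such as "-"


def _frame(m: "re.Match[str]", reliable: bool) -> Frame:
    return Frame(m["sym"], int(m["off"], 16), int(m["size"], 16), m["mod"], reliable)


def parse_oops(text: str) -> Oops:
    o = Oops()
    in_trace = collecting_regs = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if line.startswith("BUG: kernel NULL pointer dereference, address: "):
            o.fault_addr = int(line.rsplit(" ", 1)[1], 16)
        elif line.startswith("#PF: supervisor "):
            o.access = line.split()[2]
        elif (m := CPU_LINE.match(line)):
            o.pid, o.comm, o.kernel = int(m["pid"]), m["comm"], m["kver"]
        elif line.startswith("RIP: 0010:"):        # CS=0010 is the kernel code segment
            m = FRAME.match(line[len("RIP: 0010:"):])
            o.rip = _frame(m, reliable=True) if m else None
            collecting_regs = True                 # the kernel register dump follows RIP
        elif line == "Call Trace:":
            collecting_regs = False                # a user-space RIP/register dump may follow
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif line.startswith("Modules linked in: "):
            for tok in line.split(": ", 1)[1].split():
                if (m := MODULE.match(tok)):
                    o.modules[m.group(1)] = m.group(2) or ""
        elif in_trace and (m := FRAME.match(line)):
            o.frames.append(_frame(m, reliable=not m["unreliable"]))
        if collecting_regs:
            for name, val in REG.findall(line):
                o.regs[name] = int(val, 16)
    return o


def reliable_frames(o: Oops) -> List[str]:
    """Frames without the '?' marker: real return addresses, not stale stack slots."""
    return [f.symbol for f in o.frames if f.reliable]


def unloading_modules(o: Oops) -> List[str]:
    """Modules printed as name(-) are in MODULE_STATE_GOING, i.e. their exit function is running."""
    return [name for name, flags in o.modules.items() if "-" in flags]


def classify_fault(o: Oops) -> Tuple[str, int, List[str]]:
    """('null-field', offset, zero argument registers) for NULL + small offset; ('other', addr, []) otherwise."""
    if o.fault_addr is None:
        return ("other", -1, [])
    if o.fault_addr >= PAGE_SIZE:
        return ("other", o.fault_addr, [])
    # A zero argument register next to a small fault offset means the callee was handed NULL.
    return ("null-field", o.fault_addr, [r for r in ARG_REGS if o.regs.get(r) == 0])


def summarize(o: Oops) -> str:
    kind, off, zero_args = classify_fault(o)
    rip = f"{o.rip.symbol}+{o.rip.offset:#x}" if o.rip else "?"
    path = " <- ".join(reliable_frames(o)[:6])
    going = ", ".join(unloading_modules(o)) or "none"
    return (f"{o.comm}[{o.pid}] on {o.kernel}: {o.access} of {kind} at {off:#x} in {rip}; "
            f"zero arg regs {zero_args}; path {path}; unloading: {going}")


if __name__ == "__main__":
    print(summarize(parse_oops(OOPS_TEXT)))
```

Run against the excerpt, the summary reads: modprobe on 5.15.0-135-generic took a read fault at 0x30 inside blk_mq_cancel_work_sync+0x5 with RDI (the first argument) equal to zero, reached through put_disk from floppy_module_exit while floppy was marked (-), i.e. being unloaded. The Code: line in the log agrees: the bytes at the fault marker, 48 83 7f 30 00, decode to cmpq $0x0,0x30(%rdi), a field read through a NULL queue pointer. That is exactly the situation the referenced commit removes: the driver no longer clears the queue pointer on disks that never went through add_disk(), so put_disk() always sees a valid queue. The script only reads the "Modules linked in:" line as one line; when the list has been wrapped by a mail archive, as it was in this report, rejoin it first.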