Starting dockerd causes system crash when using Deep Security Agent dsa_filter module in RHEL 7
Issue
- Starting dockerd causes a system crash
crash> bt
PID: 1420 TASK: ffff880215350000 CPU: 1 COMMAND: "dockerd"
#0 [ffff8800bb81b978] machine_kexec at ffffffff8105c4cb
#1 [ffff8800bb81b9d8] __crash_kexec at ffffffff81104a42
#2 [ffff8800bb81baa8] crash_kexec at ffffffff81104b30
#3 [ffff8800bb81bac0] oops_end at ffffffff816ad338
#4 [ffff8800bb81bae8] no_context at ffffffff8169d35a
#5 [ffff8800bb81bb38] __bad_area_nosemaphore at ffffffff8169d3f0
#6 [ffff8800bb81bb80] bad_area_nosemaphore at ffffffff8169d55a
#7 [ffff8800bb81bb90] __do_page_fault at ffffffff816b01fe
#8 [ffff8800bb81bbf0] do_page_fault at ffffffff816b03a5
#9 [ffff8800bb81bc20] page_fault at ffffffff816ac5c8
[exception RIP: unknown or invalid address]
RIP: ffff8800ae84f9e0 RSP: ffff8800bb81bcd8 RFLAGS: 00010246
RAX: ffff8801cf526040 RBX: ffff880095801d00 RCX: ffff8800ae84f9e0
RDX: 0000000000008040 RSI: 0000000000000000 RDI: ffff88009665b180
RBP: ffff8800bb81bce0 R8: 0000000000000000 R9: 0000000000000000
R10: ffff88009665b180 R11: ffffea0002312e40 R12: ffff8800bb81be50
R13: ffff8800bb81bdf0 R14: 0000000000000000 R15: ffff8800bb81be50
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#10 [ffff8800bb81bcd8] d_real at ffffffff816a139e
#11 [ffff8800bb81bce8] vfs_open at ffffffff811fe7f5
#12 [ffff8800bb81bd10] do_last at ffffffff8120f80d
#13 [ffff8800bb81bdb0] path_openat at ffffffff812109a2
#14 [ffff8800bb81be48] do_filp_open at ffffffff81212f3b
#15 [ffff8800bb81bf18] do_sys_open at ffffffff811ffb83
#16 [ffff8800bb81bf70] sys_openat at ffffffff811ffcb4
#17 [ffff8800bb81bf80] system_call_fastpath at ffffffff816b5089
- Log from dmesg:
[ 880.989087] [1420(dockerd)]: gsch_mount_hook_fn(overlay,/cust/var/lib/docker/overlay/7b1776ed433ca69b50c74d2f5a4459a87d,overlay,0,000000c42011f600) done
[ 880.990549] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 880.990578] BUG: unable to handle kernel paging request at ffff8800ae84f9e0
[ 880.990605] IP: [<ffff8800ae84f9e0>] 0xffff8800ae84f9df
[ 880.990628] PGD 1fe9067 PUD 23ffff067 PMD ae8a4063 PTE 80000000ae84f163
[ 880.990655] Oops: 0011 [#1] SMP
[ 880.990673] Modules linked in: gsch(OE) redirfs(OE) ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat nf_conntrack br_netfilter bridge stp llc overlay(T) dsa_filter(POE) vmw_vsock_vmci_transport vsock sb_edac edac_core iosf_mbi crc32_pclmul
.....
<downsized output>
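Two things can be read directly from the dmesg excerpt above: the x86 page-fault error code printed after "Oops:" and the per-module taint letters in "Modules linked in". The following Python triage helper is an added example, not part of the original article; the function names are illustrative, and the sample lines are constructed from the excerpt with the module list shortened.

```python
import re

# Constructed sample: lines shaped like the dmesg excerpt above,
# with the module list shortened.
SAMPLE = """\
[ 880.990549] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 880.990655] Oops: 0011 [#1] SMP
[ 880.990673] Modules linked in: gsch(OE) redirfs(OE) nf_nat bridge overlay(T) dsa_filter(POE) vsock
"""

# x86 page-fault error code bits: (mask, meaning if set, meaning if clear).
PF_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write", "not a write"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set", None),
    (0x10, "instruction fetch", None),
]

# Per-module taint letters decoded here; any other letter is left undecoded.
TAINT = {"P": "proprietary", "O": "out-of-tree", "E": "unsigned"}


def decode_oops_code(log):
    """Return the decoded bits of the hex 'Oops: NNNN' code, or [] if absent."""
    m = re.search(r"Oops: ([0-9a-fA-F]{4})\b", log)
    if not m:
        return []
    code = int(m.group(1), 16)
    labels = [if_set if code & mask else if_clear
              for mask, if_set, if_clear in PF_BITS]
    return [label for label in labels if label]


def third_party_modules(log):
    """Map module name -> taint meanings for modules flagged P, O or E."""
    m = re.search(r"Modules linked in: (.*)", log)
    found = {}
    for name, flags in re.findall(r"(\S+?)\(([A-Z]+)\)", m.group(1) if m else ""):
        hits = [TAINT[f] for f in flags if f in TAINT]
        if hits:
            found[name] = hits
    return found


if __name__ == "__main__":
    print("fault:", ", ".join(decode_oops_code(SAMPLE)))
    for mod, why in third_party_modules(SAMPLE).items():
        print(f"{mod}: {', '.join(why)}")
```

For this excerpt the code 0011 decodes to a kernel-mode instruction fetch from a present page, which agrees with the "kernel tried to execute NX-protected page" line, and the modules flagged as third-party are gsch, redirfs and dsa_filter.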
Environment
- Red Hat Enterprise Linux 7
- Docker container environment
- kernel-3.10.0-693.2.2.el7
- Trend Micro Deep Security Agent
- ds_agent-9.6.2-7516.el7
- Kernel modules gsch, redirfs, dsa_filter