[RHEL8] Kernel crashes due to an invalid freelist pointer caused by a possible kmalloc-8k slab corruption / use-after-free


Issue

  • Kernel crashes in __kmalloc() with a "stack segment" (#SS) fault because the kmalloc-8k per-CPU freelist pointer has been corrupted. The faulting instruction (`48 8b 5c 05 00`, i.e. `mov rbx,[rbp+rax]`) dereferences RBP, which holds 0x100000087c20d00 — a non-canonical address that crash cannot map to any page (see the `kmem` output below); a non-canonical access through RBP is exactly what raises #SS rather than a general-protection fault. SLUB keeps the free pointer inside the freed object itself, so a value like this usually means something wrote into a kmalloc-8k object after it was freed (use-after-free) or overran the neighbouring object; the writer is not necessarily the caller on the stack (xfs here) — that is merely the first allocation to trip over the damage. Treat it as a memory-safety bug: first check whether it reproduces with the out-of-tree modules listed under Environment unloaded, and if it does, boot with `slub_debug=FZPU,kmalloc-8k` so the corrupting write is caught at free/alloc time instead of on the next unrelated allocation.
[80470.323111] stack segment: 0000 [#1] SMP NOPTI
[80470.323115] CPU: 4 PID: 457267 Comm: kworker/u12:2 Kdump: loaded Tainted: P           OE    --------- -  - 4.18.0-193.14.3.el8_2.x86_64 #1
[80470.323116] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
[80470.323125] Workqueue: writeback wb_workfn (flush-253:0)
[80470.323132] RIP: 0010:__kmalloc+0xa0/0x200
[80470.323133] Code: 01 00 00 4d 8b 07 65 49 8b 50 08 65 4c 03 05 5f a6 77 5a 49 8b 28 48 85 ed 0f 84 21 01 00 00 41 8b 47 20 4d 8b 07 48 8d 4a 01 <48> 8b 5c 05 00 48 89 e8 65 49 0f c7 08 0f 94 c0 84 c0 74 c5 41 8b
[80470.323134] RSP: 0018:ffffad0d8352b6b0 EFLAGS: 00010206
[80470.323135] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000002028
[80470.323136] RDX: 0000000000002027 RSI: 0000000000600640 RDI: ffff931547c02400
[80470.323137] RBP: 0100000087c20d00 R08: 000000000002e1c0 R09: 0000000000000000
[80470.323138] R10: ffff9315f798e278 R11: 0000000000000001 R12: 0000000000600640
[80470.323139] R13: 0000000000001080 R14: ffff931547c02400 R15: ffff931547c02400
[80470.323140] FS:  0000000000000000(0000) GS:ffff9315f9b00000(0000) knlGS:0000000000000000
[80470.323141] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[80470.323142] CR2: 00007ff0f80ab000 CR3: 000000004860a004 CR4: 00000000001606e0
[80470.323192] Call Trace:
[80470.323282]  ? kmem_alloc+0x64/0x150 [xfs]
[80470.323313]  ? kmem_alloc_large+0x29/0x90 [xfs]
[80470.323341]  kmem_alloc+0x64/0x150 [xfs]
[80470.323379]  ? xfs_log_commit_cil+0x12d/0x630 [xfs]
[80470.323406]  kmem_alloc_large+0x29/0x90 [xfs]
[80470.323434]  xfs_log_commit_cil+0x12d/0x630 [xfs]
[80470.323466]  ? xfs_bmapi_convert_delalloc+0x333/0x460 [xfs]
[80470.323494]  __xfs_trans_commit+0xa4/0x350 [xfs]
[80470.323515]  xfs_bmapi_convert_delalloc+0x333/0x460 [xfs]
[80470.323551]  xfs_map_blocks+0x168/0x410 [xfs]
[80470.323580]  xfs_do_writepage+0x121/0x470 [xfs]
[80470.323587]  write_cache_pages+0x1aa/0x440
[80470.323612]  ? xfs_vm_releasepage+0x80/0x80 [xfs]
[80470.323617]  ? submit_bio+0x45/0x140
[80470.323641]  ? xfs_setfilesize_trans_alloc.isra.17+0x3d/0x90 [xfs]
[80470.323666]  xfs_vm_writepages+0x64/0xa0 [xfs]
[80470.323669]  do_writepages+0x41/0xd0
[80470.323672]  __writeback_single_inode+0x3d/0x360
[80470.323674]  writeback_sb_inodes+0x1e3/0x450
[80470.323676]  __writeback_inodes_wb+0x5d/0xb0
[80470.323678]  wb_writeback+0x25f/0x2f0
[80470.323682]  ? cpumask_next+0x17/0x20
[80470.323683]  wb_workfn+0x342/0x400
[80470.323686]  process_one_work+0x1a7/0x3b0
[80470.323688]  worker_thread+0x30/0x390
[80470.323689]  ? create_worker+0x1a0/0x1a0
[80470.323691]  kthread+0x112/0x130
[80470.323693]  ? kthread_flush_work_fn+0x10/0x10
[80470.323696]  ret_from_fork+0x1f/0x40
[80470.323698] Modules linked in: binfmt_misc nfsv3 nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace symap_custom_4_18_0_193_14_3_el8_2_x86_64(POE) fscache nf_nat_ftp nft_objref nf_conntrack_ftp nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nft_chain_route_ipv6 nft_chain_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nft_chain_route_ipv4 ip6_tables nft_compat ip_set nf_tables nfnetlink symev_custom_4_18_0_193_14_3_el8_2_x86_64(OE) vmw_vsock_vmci_transport vsock sunrpc intel_rapl_msr intel_rapl_common crct10dif_pclmul crc32_pclmul ghash_clmulni_intel vmw_balloon joydev intel_rapl_perf pcspkr vmw_vmci i2c_piix4 ip_tables xfs libcrc32c sr_mod cdrom sd_mod sg ata_generic vmwgfx drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm ahci libahci crc32c_intel serio_raw ata_piix vmxnet3 vmw_pvscsi
[80470.323736]  libata dm_mirror dm_region_hash dm_log dm_mod

crash> bt -p
PID: 457267  TASK: ffff93145c35df00  CPU: 4   COMMAND: "kworker/u12:2"
 #0 [ffffad0d8352b450] machine_kexec at ffffffffa5659a5e
 #1 [ffffad0d8352b4a8] __crash_kexec at ffffffffa57591fd
 #2 [ffffad0d8352b570] crash_kexec at ffffffffa575a0dd
 #3 [ffffad0d8352b588] oops_end at ffffffffa5621edd
 #4 [ffffad0d8352b5a8] do_trap at ffffffffa561e75c
 #5 [ffffad0d8352b5f0] do_stack_segment at ffffffffa561f0c1
 #6 [ffffad0d8352b600] stack_segment at ffffffffa600114e
 #7 [ffffad0d8352b688] __kmalloc at ffffffffa5894b30
 #8 [ffffad0d8352b6d8] kmem_alloc_large at ffffffffc0711cc9 [xfs]
 #9 [ffffad0d8352b708] xfs_log_commit_cil at ffffffffc07171dd [xfs]
#10 [ffffad0d8352b7b0] xfs_bmapi_convert_delalloc at ffffffffc06b3bb3 [xfs]
#11 [ffffad0d8352b928] xfs_map_blocks at ffffffffc06e6608 [xfs]
#12 [ffffad0d8352b9c8] xfs_do_writepage at ffffffffc06e6ac1 [xfs]
#13 [ffffad0d8352ba40] write_cache_pages at ffffffffa5821c6a
#14 [ffffad0d8352bb40] xfs_vm_writepages at ffffffffc06e6464 [xfs]
#15 [ffffad0d8352bba8] do_writepages at ffffffffa5824481
#16 [ffffad0d8352bc10] __writeback_single_inode at ffffffffa58f78cd
#17 [ffffad0d8352bc58] writeback_sb_inodes at ffffffffa58f8063
#18 [ffffad0d8352bd38] __writeback_inodes_wb at ffffffffa58f832d
#19 [ffffad0d8352bd78] wb_writeback at ffffffffa58f86af
#20 [ffffad0d8352be08] wb_workfn at ffffffffa58f8fb2
#21 [ffffad0d8352be98] process_one_work at ffffffffa56ce7d7
#22 [ffffad0d8352bed8] worker_thread at ffffffffa56ceef0
#23 [ffffad0d8352bf10] kthread at ffffffffa56d4802
#24 [ffffad0d8352bf50] ret_from_fork at ffffffffa600023f

crash> kmem -s >/dev/null
kmem: kmalloc-8k: slab: ffffdf28c6de6200 invalid freepointer: 100000087c20d00

crash> kmem_cache.name,cpu_slab ffff931547c02400
  name = 0xffffffffa66af332 "kmalloc-8k"
  cpu_slab = 0x2e1c0

crash> kmem_cache_cpu 0x2e1c0:4
[4]: ffff9315f9b2e1c0
struct kmem_cache_cpu {
  freelist = 0x100000087c20d00, 
  tid = 8231, 
  page = 0xffffdf28c6de6200, 
  partial = 0xffffdf28c41b6800
}

crash> kmem 0x100000087c20d00
kmem: cannot determine page for 100000087c20d00
100000087c20d00: physical address not found in mem map

Environment

  • Red Hat Enterprise Linux 8.2 (kernel-4.18.0-193.14.3.el8_2)
  • Symantec SEP out-of-tree kernel modules installed and loaded. They taint the kernel (P = proprietary, O = out-of-tree, E = unsigned; see `mod -t` below), which means the vmcore cannot be fully root-caused from the RHEL/upstream sources alone — any slab-corruption analysis should start by confirming whether the crash still occurs with these modules unloaded
    • symev_custom_4_18_0_193_14_3_el8_2_x86_64
    • symap_custom_4_18_0_193_14_3_el8_2_x86_64
crash> mod -t
NAME                                       TAINTS
symev_custom_4_18_0_193_14_3_el8_2_x86_64  OE
symap_custom_4_18_0_193_14_3_el8_2_x86_64  POE
