The kernel crashes due to an invalid instruction pointer coming out of nowhere

Solution Unverified - Updated -

Issue

  • The kernel crashes with the following call trace:
[47729345.138296] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[47729345.149423] BUG: unable to handle kernel paging request at ffff9529ae1ad280
[47729345.160999] IP: [<ffff9529ae1ad280>] 0xffff9529ae1ad280
[47729345.172636] PGD 13b674067 PUD 13b678067 PMD 102e2ac063 PTE 800000102e1ad063
[47729345.184625] Oops: 0011 [#1] SMP 
[47729345.196536] Modules linked in: falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE) falcon_kal(E) falcon_lsm_pinned_15805(E) falcon_lsm_pinned_15705(E) falcon_lsm_pinned_15604(E) falcon_lsm_pinned_15508(E) falcon_lsm_pinned_15402(E) falcon_lsm_pinned_15309(E) falcon_lsm_pinned_15110(E) falcon_lsm_pinned_15003(E) falcon_lsm_pinned_14812(E) falcon_lsm_pinned_14713(E) af_packet_diag netlink_diag tcp_diag udp_diag inet_diag unix_diag falcon_lsm_pinned_14504(E) falcon_lsm_pinned_14604(E) bonding amd64_edac_mod edac_mce_amd kvm_amd kvm irqbypass pcspkr sg hpilo hpwdt ipmi_ssif sp5100_tco k10temp i2c_piix4 acpi_power_meter ipmi_si ipmi_devintf ipmi_msghandler auth_rpcgss binfmt_misc sunrpc ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic crct10dif_common radeon qla2xxx i2c_algo_bit drm_kms_helper
[47729345.286372]  syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ahci drm ata_generic pata_acpi libahci pata_atiixp nvme_fc libata nvme_fabrics nvme_core hpsa scsi_transport_fc be2net serio_raw scsi_tgt scsi_transport_sas drm_panel_orientation_quirks dm_mirror dm_region_hash dm_log dm_mod [last unloaded: falcon_kal]
[47729345.339145] CPU: 13 PID: 1025 Comm: systemd-logind Kdump: loaded Tainted: P            E  ------------   3.10.0-1160.62.1.el7.x86_64 #1
[47729345.376904] Hardware name: HP ProLiant BL685c G7, BIOS A20 03/14/2018
[47729345.396265] task: ffff9529ae1ad280 ti: ffff9529aeb38000 task.ti: ffff9529aeb38000
[47729345.416153] RIP: 0010:[<ffff9529ae1ad280>]  [<ffff9529ae1ad280>] 0xffff9529ae1ad280
[47729345.436329] RSP: 0018:ffff9529aeb3b480  EFLAGS: 00010246
[47729345.456469] RAX: dead000000000200 RBX: 000000000000001e RCX: ffff952268229380
[47729345.477118] RDX: ffff9529ada205a8 RSI: ffff952268229080 RDI: ffff9529ada205a8
[47729345.497895] RBP: ffff9529aeb3b4e0 R08: 0000000000000000 R09: 0000000000000000
[47729345.518734] R10: fefefefefefefeff R11: ffff952268229380 R12: ffff952268229380
[47729345.539696] R13: ffff9529ada205a8 R14: 0000000000000000 R15: ffff95293992c058
[47729345.560748] FS:  00007f34db6a8900(0000) GS:ffff9529bfd00000(0000) knlGS:0000000000000000
[47729345.582368] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[47729345.604010] CR2: ffff9529ae1ad280 CR3: 000000042f830000 CR4: 00000000000007e0
[47729345.625900] Call Trace:
[47729345.647652]  [<ffffffffb80e497c>] ? update_curr+0x14c/0x1e0
[47729345.669915]  [<ffffffffb80dfd28>] ? __enqueue_entity+0x78/0x80
[47729345.692217]  [<ffffffffb80e7658>] ? enqueue_task_fair+0x208/0x6c0
[47729345.714661]  [<ffffffffb80e0e2c>] ? select_task_rq_fair+0x63c/0x760
[47729345.737024]  [<ffffffffb821cc39>] ? alloc_pages_vma+0xa9/0x200
[47729345.759544]  [<ffffffffc06a9787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_14604]
[47729345.782668]  [<ffffffffc06c3787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_14504]
[47729345.805545]  [<ffffffffc0998787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_14713]
[47729345.828287]  [<ffffffffc09b2787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_14812]
[47729345.851036]  [<ffffffffc09da787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_15003]
[47729345.873585]  [<ffffffffc0a21787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_15110]
[47729345.895942]  [<ffffffffc0a3f787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_15309]
[47729345.918127]  [<ffffffffc0a5d787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_15402]
[47729345.940323]  [<ffffffffc0a7b787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_15508]
[47729345.962317]  [<ffffffffc0a99787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_15604]
[47729345.984232]  [<ffffffffc0ab7787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_15705]
[47729346.005816]  [<ffffffffc0ad5787>] ? pinnedhook_security_inode_rename+0x77/0x80 [falcon_lsm_pinned_15805]
[47729346.027420]  [<ffffffffb8308d74>] ? security_inode_rename+0x54/0xa0
[47729346.049048]  [<ffffffffb825f897>] ? vfs_rename+0x167/0x8e0
[47729346.070414]  [<ffffffffb81d8210>] ? shmem_encode_fh+0xc0/0xc0
[47729346.091541]  [<ffffffffb8260f83>] ? SYSC_renameat2+0x503/0x5a0
[47729346.112464]  [<ffffffffb824f215>] ? SyS_write+0x55/0xd0
[47729346.133067]  [<ffffffffc09b96cf>] ? unload_network_ops_symbols+0x4eff/0x76d0 [falcon_lsm_pinned_14812]
[47729346.154097]  [<ffffffffb8261e8e>] ? SyS_renameat2+0xe/0x10
[47729346.174578]  [<ffffffffb8261ece>] ? SyS_rename+0x1e/0x20
[47729346.194321]  [<ffffffffc06b23eb>] ? unload_network_ops_symbols+0x6c1b/0x76d0 [falcon_lsm_pinned_14604]
[47729346.214205]  [<ffffffffc06cc3eb>] ? unload_network_ops_symbols+0x6c1b/0x76d0 [falcon_lsm_pinned_14504]
[47729346.233129]  [<ffffffffc09a13eb>] ? unload_network_ops_symbols+0x6c1b/0x76d0 [falcon_lsm_pinned_14713]
[47729346.251292]  [<ffffffffc09bb3eb>] ? unload_network_ops_symbols+0x6c1b/0x76d0 [falcon_lsm_pinned_14812]
[47729346.268659]  [<ffffffffc09e492b>] ? unload_network_ops_symbols+0x815b/0x8c80 [falcon_lsm_pinned_15003]
[47729346.285330]  [<ffffffffc0a2c48c>] ? unload_network_ops_symbols+0x8c4c/0x9720 [falcon_lsm_pinned_15110]
[47729346.301314]  [<ffffffffc0a4a34c>] ? unload_network_ops_symbols+0x8c4c/0x9720 [falcon_lsm_pinned_15309]
[47729346.316530]  [<ffffffffc0a6834c>] ? unload_network_ops_symbols+0x8c4c/0x9720 [falcon_lsm_pinned_15402]
[47729346.330959]  [<ffffffffc0a8634c>] ? unload_network_ops_symbols+0x8c4c/0x9720 [falcon_lsm_pinned_15508]
[47729346.344733]  [<ffffffffc0aa434c>] ? unload_network_ops_symbols+0x8c4c/0x9720 [falcon_lsm_pinned_15604]
[47729346.358130]  [<ffffffffc0ac234c>] ? unload_network_ops_symbols+0x8c4c/0x9720 [falcon_lsm_pinned_15705]
[47729346.371095]  [<ffffffffc0ae034c>] ? unload_network_ops_symbols+0x8c4c/0x9720 [falcon_lsm_pinned_15805]
[47729346.383595]  [<ffffffffb8799f92>] ? system_call_fastpath+0x25/0x2a
[47729346.395921]  [<ffffffffb8799ed5>] ? system_call_after_swapgs+0xa2/0x13a
[47729346.408082] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 80 b3 ae 29 95 ff ff 02 00 00 00 00 
[47729346.434096] RIP  [<ffff9529ae1ad280>] 0xffff9529ae1ad280
[47729346.446798]  RSP <ffff9529aeb3b480>
[47729346.459318] CR2: ffff9529ae1ad280

Environment

  • Red Hat Enterprise Linux 7.9.z
  • Many CrowdStrike Falcon kernel modules are loaded:
falcon_nf_netcontain    
falcon_lsm_pinned_14604 
falcon_lsm_pinned_14504 
falcon_lsm_pinned_14713 
falcon_lsm_pinned_14812 
falcon_lsm_pinned_15003 
falcon_kal              
falcon_lsm_pinned_15110 
falcon_lsm_pinned_15309 
falcon_lsm_pinned_15402 
falcon_lsm_pinned_15508 
falcon_lsm_pinned_15604 
falcon_lsm_pinned_15705 
falcon_lsm_pinned_15805 
falcon_lsm_serviceable  
