KFENCE error and kernel panic are caused by a third-party module (CyProtectDrv)

Issue

• An unexpected kernel panic occurred, resulting in a reboot.
• An analysis of the vmcore-dmesg.txt file generated by kdump shows that the call trace at the time of the panic references a third-party kernel module named CyProtectDrv. In some cases, a KFENCE warning related to the same module may be logged before the panic.

[19949264.635635] ==================================================================
[19949264.636660] BUG: KFENCE: use-after-free read in FileUtil_IsInodeValid+0xc/0x20 [CyProtectDrv]

[19949264.638340] Use-after-free read at 0x0000000031d3d452 (in kfence-#114):
[19949264.639136]  FileUtil_IsInodeValid+0xc/0x20 [CyProtectDrv]
[19949264.639145]  hook_security_file_free+0x64/0xb0 [CyProtectDrv]
[19949264.639154]  security_file_free+0x1f/0x60
[19949264.639162]  __fput+0xff/0x250
[19949264.639167]  task_work_run+0x59/0x90
[19949264.639174]  exit_to_user_mode_loop+0x15a/0x160
[19949264.639179]  exit_to_user_mode_prepare+0xb6/0x100
[19949264.639181]  syscall_exit_to_user_mode+0x12/0x30
[19949264.639186]  do_syscall_64+0x69/0x90
[19949264.639187]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[19949264.639191] 
[19949264.639966] kfence-#114: 0x0000000039761580-0x0000000031a1d3e8, size=648, cache=inode_cache

[19949264.639968] allocated by task 3494994 on cpu 0 at 19949264.635574s:
[19949264.639977]  alloc_inode+0x91/0xc0
[19949264.639982]  new_inode_pseudo+0xd/0x60
[19949264.639984]  create_pipe_files+0x2b/0x280
[19949264.639988]  do_pipe2+0x3a/0xf0
[19949264.639990]  __x64_sys_pipe+0x10/0x20
[19949264.639992]  do_syscall_64+0x59/0x90
[19949264.640002]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[19949264.640006] 
[19949264.640007] freed by task 3494994 on cpu 0 at 19949264.635594s:
[19949264.640011]  destroy_inode+0x38/0x70
[19949264.640014]  __dentry_kill+0xdf/0x180
[19949264.640016]  __fput+0xe3/0x250
[19949264.640019]  task_work_run+0x59/0x90
[19949264.640023]  exit_to_user_mode_loop+0x15a/0x160
[19949264.640026]  exit_to_user_mode_prepare+0xb6/0x100
[19949264.640028]  syscall_exit_to_user_mode+0x12/0x30
[19949264.640031]  do_syscall_64+0x69/0x90
[19949264.640032]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[19949264.640035] 
[19949264.640803] CPU: 0 PID: 3494994 Comm: sh Kdump: loaded Tainted: P    B      OE    --------- ---  5.14.0-162.18.1.el9_1.x86_64 #1
[19949264.642368] Hardware name: VMware, Inc. VMware7,1/440BX Desktop Reference Platform, BIOS VMW71.00V.17369862.B64.2012240522 12/24/2020
[19949264.643975] ==================================================================
[...]
[20132224.744673] general protection fault, probably for non-canonical address 0x6c05eee03f02ba44: 0000 [#1] PREEMPT SMP NOPTI
[20132224.747004] CPU: 1 PID: 569044 Comm: sshd Kdump: loaded Tainted: P    B      OE    --------- ---  5.14.0-162.18.1.el9_1.x86_64 #1
[20132224.748681] Hardware name: VMware, Inc. VMware7,1/440BX Desktop Reference Platform, BIOS VMW71.00V.17369862.B64.2012240522 12/24/2020
[20132224.750356] RIP: 0010:d_path+0x3f/0x130
[20132224.751198] Code: 8b 7f 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 48 63 c2 89 54 24 08 48 01 f0 48 89 04 24 48 8b 47 60 48 85 c0 74 22 <48> 8b 40 48 48 85 c0 74 19 48 3b 7f 18 74 0a ff d0 0f 1f 00 e9 86
[20132224.752880] RSP: 0018:ffffb2c0c1473d80 EFLAGS: 00010206
[20132224.753745] RAX: 6c05eee03f02b9fc RBX: ffff90948a064910 RCX: 000000000000000b
[20132224.754595] RDX: 00000000000000f0 RSI: ffff9093a15883b8 RDI: ffff90938e8563c0
[20132224.755430] RBP: ffffb2c0c1473db8 R08: 0000000000000001 R09: ffff90948f3b00a8
[20132224.756267] R10: 000000000000003c R11: 0000000000546d88 R12: ffff90948a064910
[20132224.757072] R13: ffff90948cbdf480 R14: ffff90938e8563c0 R15: 0000000000000000
[20132224.757894] FS:  00007f689913c900(0000) GS:ffff9095b5e40000(0000) knlGS:0000000000000000
[20132224.758743] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[20132224.759561] CR2: 000055f8c5d19048 CR3: 000000005f048003 CR4: 00000000007706e0
[20132224.760396] PKRU: 55555554
[20132224.761215] Call Trace:
[20132224.762012]  FileUtil_GetPath_bypath+0x4e/0x150 [CyProtectDrv]
[20132224.762828]  hook_security_file_free+0x7c/0xb0 [CyProtectDrv]
[20132224.763635]  security_file_free+0x1f/0x60
[20132224.764430]  __fput+0xff/0x250
[20132224.765199]  task_work_run+0x59/0x90
[20132224.765948]  exit_to_user_mode_loop+0x15a/0x160
[20132224.766683]  exit_to_user_mode_prepare+0xb6/0x100
[20132224.767432]  syscall_exit_to_user_mode+0x12/0x30
[20132224.768171]  do_syscall_64+0x69/0x90
[20132224.768886]  ? exit_to_user_mode_prepare+0xb6/0x100
[20132224.769601]  ? syscall_exit_work+0x11a/0x150
[20132224.770319]  ? syscall_exit_to_user_mode+0x12/0x30
[20132224.771053]  ? do_syscall_64+0x69/0x90
[20132224.771753]  ? do_syscall_64+0x69/0x90
[20132224.772430]  ? exc_page_fault+0x62/0x150
[20132224.773088]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[20132224.773745] RIP: 0033:0x7f68996ebfd7
[20132224.774394] Code: ff e8 cd e3 01 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 03 cc f5 ff
[20132224.775728] RSP: 002b:00007ffc57368c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[20132224.776411] RAX: 0000000000000000 RBX: 000055a3792f6c42 RCX: 00007f68996ebfd7
[20132224.777077] RDX: 0000000000000000 RSI: 00007ffc573689f0 RDI: 0000000000000003
[20132224.777739] RBP: 000055a37a285010 R08: 0000000000000000 R09: 0000000000000000
[20132224.778405] R10: 0000000000000008 R11: 0000000000000246 R12: 000055a37a286d50
[20132224.779071] R13: 000000000000001c R14: 000055a3792f9b00 R15: 00000000ffffffff
[20132224.779722] Modules linked in: CyProtectDrv(POE) CyProtectDrvOpen(OE) binfmt_misc tls nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vfat fat intel_rapl_msr intel_rapl_common isst_if_mbox_msr isst_if_common nfit libnvdimm vmw_balloon rapl joydev pcspkr vmw_vmci i2c_piix4 xfs libcrc32c sr_mod cdrom ata_generic vmwgfx drm_ttm_helper ttm sd_mod t10_pi sg drm_kms_helper crct10dif_pclmul crc32_pclmul crc32c_intel syscopyarea sysfillrect sysimgblt fb_sys_fops ghash_clmulni_intel drm serio_raw ata_piix vmxnet3 libata vmw_pvscsi dm_mirror dm_region_hash dm_log dm_mod fuse [last unloaded: CyProtectDrvOpen]