McAfee Linuxshield panics RHEL with "unable to handle kernel paging request"

Solution Verified - Updated -

Issue

1] The system panics after installing Linux shield/McAfee antivirus (linuxshield and lshook modules), with Oops: 0003 and BUG: unable to handle kernel paging request. And prior to the crash we see messages indicating the lschook and linuxshield 'fixups' are being applied due to an old version of these modules.

lshook module is older than RHEL 6.2 ... applying fixups
linuxshield module is older than RHEL 6.2 ... applying fixups
...
Oops: 0003 [#1] SMP 
BUG: unable to handle kernel paging request at ffffffffa0281bd4
...
Modules linked in: nfsd lockd nfs_acl auth_rpcgss sunrpc exportfs linuxshield(U) lshook(U) autofs4 ipv6 ppdev microcode vmware_balloon parport_pc parport sg i2c_piix4 i2c_core shpchp ext3 jbd mbcache sd_mod crc_t10dif sr_mod cdrom vmxnet3 vmw_pvscsi pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod [last unloaded: speedstep_lib]
  • Example1: nfsd thread crashes in svc_tcp_recvfrom called from svc_recv
Oops: 0003 [#1] SMP 
...
Modules linked in: ... linuxshield(U) lshook(U) ...
Pid: 3873, comm: nfsd Not tainted 2.6.32-504.16.2.el6.x86_64 #1 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
RIP: 0010:[<ffffffffa024ce29>]  [<ffffffffa024ce29>] svc_tcp_recvfrom+0x4e9/0x760 [sunrpc]
...
Call Trace:
 [<ffffffff81087520>] ? process_timeout+0x0/0x10
 [<ffffffffa0259928>] svc_recv+0x818/0x850 [sunrpc]
 [<ffffffff81064bc0>] ? default_wake_function+0x0/0x20
 [<ffffffffa02c2b35>] nfsd+0xa5/0x160 [nfsd]
  • Example 2: nfsd thread crashes in svc_tcp_accept called from svc_recv
Oops: 0003 [#1] SMP 
...
Modules linked in: ... linuxshield(U) lshook(U) ...
Pid: 7722, comm: nfsd Not tainted 2.6.32-504.el6.x86_64 #1 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
RIP: 0010:[<ffffffffa020eb07>]  [<ffffffffa020eb07>] svc_tcp_accept+0x177/0x310 [sunrpc]
...
Call Trace:
 [<ffffffff81088062>] ? del_timer_sync+0x22/0x30
 [<ffffffff8152a84a>] ? schedule_timeout+0x19a/0x2e0
 [<ffffffff810874f0>] ? process_timeout+0x0/0x10
 [<ffffffffa021a598>] svc_recv+0x488/0x850 [sunrpc]
 [<ffffffff81064b90>] ? default_wake_function+0x0/0x20
 [<ffffffffa0252b35>] nfsd+0xa5/0x160 [nfsd]

2] Server panic due to list corruption after schook module is loaded.

Environment

  • RHEL6
    • seen on kernel 2.6.32-504.el6
    • seen on kernel 2.6.32-431.el6
    • seen on kernel 2.6.32-696.3.2.el6
  • McAfee Antivirus / Linuxshield kernel modules (older than RHEL 6.2)
    • modules: linuxshield(U) lshook(U) schook (U)
  • often seen with nfsd (nfs server)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content