Starting dockerd causes system crash when using Deep Security Agent dsa_filter module in RHEL 7

Solution Verified - Updated -

Issue

  • Starting dockerd causes a system crash
crash> bt
PID: 1420   TASK: ffff880215350000  CPU: 1   COMMAND: "dockerd"
 #0 [ffff8800bb81b978] machine_kexec at ffffffff8105c4cb
 #1 [ffff8800bb81b9d8] __crash_kexec at ffffffff81104a42
 #2 [ffff8800bb81baa8] crash_kexec at ffffffff81104b30
 #3 [ffff8800bb81bac0] oops_end at ffffffff816ad338
 #4 [ffff8800bb81bae8] no_context at ffffffff8169d35a
 #5 [ffff8800bb81bb38] __bad_area_nosemaphore at ffffffff8169d3f0
 #6 [ffff8800bb81bb80] bad_area_nosemaphore at ffffffff8169d55a
 #7 [ffff8800bb81bb90] __do_page_fault at ffffffff816b01fe
 #8 [ffff8800bb81bbf0] do_page_fault at ffffffff816b03a5
 #9 [ffff8800bb81bc20] page_fault at ffffffff816ac5c8
    [exception RIP: unknown or invalid address]
    RIP: ffff8800ae84f9e0  RSP: ffff8800bb81bcd8  RFLAGS: 00010246
    RAX: ffff8801cf526040  RBX: ffff880095801d00  RCX: ffff8800ae84f9e0
    RDX: 0000000000008040  RSI: 0000000000000000  RDI: ffff88009665b180
    RBP: ffff8800bb81bce0   R8: 0000000000000000   R9: 0000000000000000
    R10: ffff88009665b180  R11: ffffea0002312e40  R12: ffff8800bb81be50
    R13: ffff8800bb81bdf0  R14: 0000000000000000  R15: ffff8800bb81be50
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
#10 [ffff8800bb81bcd8] d_real at ffffffff816a139e
#11 [ffff8800bb81bce8] vfs_open at ffffffff811fe7f5
#12 [ffff8800bb81bd10] do_last at ffffffff8120f80d
#13 [ffff8800bb81bdb0] path_openat at ffffffff812109a2
#14 [ffff8800bb81be48] do_filp_open at ffffffff81212f3b
#15 [ffff8800bb81bf18] do_sys_open at ffffffff811ffb83
#16 [ffff8800bb81bf70] sys_openat at ffffffff811ffcb4
#17 [ffff8800bb81bf80] system_call_fastpath at ffffffff816b5089
  • Log from dmesg:

[  880.989087] [1420(dockerd)]: gsch_mount_hook_fn(overlay,/cust/var/lib/docker/overlay/7b1776ed433ca69b50c74d2f5a4459a87d,overlay,0,000000c42011f600) done
[  880.990549] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[  880.990578] BUG: unable to handle kernel paging request at ffff8800ae84f9e0
[  880.990605] IP: [<ffff8800ae84f9e0>] 0xffff8800ae84f9df
[  880.990628] PGD 1fe9067 PUD 23ffff067 PMD ae8a4063 PTE 80000000ae84f163
[  880.990655] Oops: 0011 [#1] SMP
[  880.990673] Modules linked in: gsch(OE) redirfs(OE) ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat nf_conntrack br_netfilter bridge stp llc overlay(T) dsa_filter(POE) vmw_vsock_vmci_transport vsock sb_edac edac_core iosf_mbi crc32_pclmul 
.....
<downsized output>

Environment

  • Red Hat Enterprise Linux 7
    - Docker container environment
    - kernel-3.10.0-693.2.2.el7
  • Trend Micro Deep Security Agent
    - ds_agent-9.6.2-7516.el7
    - Kernel modules gsch, redirfs, dsa_filter
