A system hang occurs with McAfee lshook module in RHEL6

Solution Verified - Updated -


  • A system mounts NFS server sequentially. After the mount command had been done, the system went to hung.

  • A vmcore which was generated includes following message:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
IP: [<ffffffffa02be6fa>] patchFilesystem+0x55a/0x6b0 [lshook]
PGD 13c981067 PUD 13a029067 PMD 0 
Oops: 0000 [#1] SMP 
last sysfs file: /sys/module/sunrpc/initstate
CPU 0 
Modules linked in: nfs lockd fscache auth_rpcgss nfs_acl lshook(U) autofs4 sunrpc 8021q garp stp llc vsock(U) ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 uinput ppdev parport_pc parport sg microcode vmware_balloon vmci(U) i2c_piix4 i2c_core shpchp ext3 jbd mbcache sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic ata_piix vmw_pvscsi vmxnet3 dm_mirror dm_region_hash dm_log dm_mod [last unloaded: linuxshield]

Pid: 11, comm: events/0 Not tainted 2.6.32-358.6.2.el6.x86_64 #1 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
RIP: 0010:[<ffffffffa02be6fa>]  [<ffffffffa02be6fa>] patchFilesystem+0x55a/0x6b0 [lshook]
RSP: 0018:ffff88013dc47da0  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88013c969180 RCX: 0000000000000000
RDX: ffffffffa02bcac0 RSI: ffff88013c9691d8 RDI: 000000008005003b
RBP: ffff88013dc47de0 R08: 0000000000000073 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88013a92f400
R13: 0000000000000000 R14: ffffffffa031ea40 R15: ffffffffa031e720
FS:  0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000060 CR3: 000000013c987000 CR4: 00000000000407f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process events/0 (pid: 11, threadinfo ffff88013dc46000, task ffff88013dc3e080)
 ffffffff81fc1968 ffff88013cc99a50 ffff88013dc47de0 ffff88013cc99580
<d> ffff88013e645d80 ffffffff81a83fc0 ffff88013cc99580 ffff880028219448
<d> ffff88013dc47e10 ffffffffa02be952 ffff88013ab153c0 ffff880028219440
Call Trace:
 [<ffffffffa02be952>] T.1239+0xe2/0x1a0 [lshook]
 [<ffffffffa02bea10>] ? checkMountPoints+0x0/0x40 [lshook]
 [<ffffffffa02bea26>] checkMountPoints+0x16/0x40 [lshook]
 [<ffffffff81090ae0>] worker_thread+0x170/0x2a0
 [<ffffffff81096ca0>] ? autoremove_wake_function+0x0/0x40
 [<ffffffff81090970>] ? worker_thread+0x0/0x2a0
 [<ffffffff81096936>] kthread+0x96/0xa0
 [<ffffffff8100c0ca>] child_rip+0xa/0x20
 [<ffffffff810968a0>] ? kthread+0x0/0xa0
 [<ffffffff8100c0c0>] ? child_rip+0x0/0x20
Code: fd 80 01 2c a0 0f 18 0a 75 e7 45 31 ed e9 f0 fd ff ff 4d 85 ed 0f 84 e7 fd ff ff 49 8d 7d 28 66 90 e8 9b 1d 25 e1 e9 d7 fd ff ff <49> 8b 45 60 48 89 43 60 e9 3d fe ff ff 49 8b 4c 24 68 49 8b 44 
RIP  [<ffffffffa02be6fa>] patchFilesystem+0x55a/0x6b0 [lshook]
 RSP <ffff88013dc47da0>
CR2: 0000000000000060


  • Red Hat Enterprise Linux 6
  • McAfee lshook kernel module is loaded

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content