The kernel crashes due to a corrupted freelist pointer caused by a possible kmalloc-64 slab use-after-free.

Solution Verified

Issue

  • The kernel crashes due to a corrupted freelist pointer caused by a possible kmalloc-64 slab use-after-free.
[989300.678005] BUG: unable to handle kernel paging request at 0000000100003c1c
[989300.678710] IP: [<ffffffffa6e28734>] kmem_cache_alloc+0x74/0x1f0
[989300.678710] PGD 8000001d07547067 PUD 0 
[989300.678710] Oops: 0000 [#1] SMP 
[989300.678710] Modules linked in: iptable_nat nf_nat_ipv4 nf_nat dmpjbod(POE) dmpap(POE) dmpaa(POE) vxfen(POE) vxodm(POE) vxgms(POE) vxglm(POE) gab(POE) nf_conntrack_ipv4 nf_defrag_ipv4 ip6_tables iptable_filter xt_owner iptable_security xt_conntrack nf_conntrack vxspec(POE) vxio(POE) llt(POE) vxdmp(POE) rdma_cm amf(POE) iw_cm ib_cm vxcafs(POE) vxportal(POE) fdd(POE) falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE) falcon_lsm_pinned_9917(E) vxfs(POE) sunrpc veki(POE) dm_mirror dm_region_hash dm_log mlx5_ib ib_uverbs ib_core mlx5_core mlxfw devlink joydev iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw dm_mod gf128mul glue_helper ablk_helper cryptd pcspkr i2c_piix4 hv_utils ptp pps_core hv_balloon pci_hyperv sg binfmt_misc ip_tables xfs libcrc32c sd_mod crc_t10dif
[989300.745071]  crct10dif_generic ata_generic pata_acpi hv_storvsc scsi_transport_fc hv_netvsc hid_hyperv hyperv_keyboard hyperv_fb scsi_tgt ata_piix libata crct10dif_pclmul crct10dif_common hv_vmbus crc32c_intel floppy serio_raw
[989300.745071] CPU: 9 PID: 22851 Comm: ovconfd Kdump: loaded Tainted: P           OE  ------------   3.10.0-1127.18.2.el7.x86_64 #1
[989300.745071] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008  12/07/2018
[989300.745071] task: ffff9ca45c30a0e0 ti: ffff9c99ea718000 task.ti: ffff9c99ea718000
[989300.745071] RIP: 0010:[<ffffffffa6e28734>]  [<ffffffffa6e28734>] kmem_cache_alloc+0x74/0x1f0
[989300.745071] RSP: 0018:ffff9c99ea71bce0  EFLAGS: 00010286
[989300.745071] RAX: 0000000000000000 RBX: ffff9ca45b0e8000 RCX: 000000000d53fa8b
[989300.745071] RDX: 000000000d53fa8a RSI: 0000000000000200 RDI: ffff9c857fc03b00
[989300.745071] RBP: ffff9c99ea71bd10 R08: 000000000001f0a0 R09: ffffffffa6e028d4
[989300.745071] R10: ffff9ca1b18b76c8 R11: 0000000000000000 R12: 0000000100003c1c
[989300.745071] R13: 0000000000000200 R14: ffff9c857fc03b00 R15: ffff9c857fc03b00
[989300.745071] FS:  00007fb36bdfd700(0000) GS:ffff9ca45f040000(0000) knlGS:0000000000000000
[989300.745071] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[989300.745071] CR2: 0000000100003c1c CR3: 0000001fdbe2a000 CR4: 00000000003606e0
[989300.745071] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[989300.745071] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[989300.745071] Call Trace:
[989300.745071]  [<ffffffffa6e028d4>] anon_vma_clone+0x64/0x1c0
[989300.745071]  [<ffffffffa6e02a62>] anon_vma_fork+0x32/0x120
[989300.745071]  [<ffffffffa6c98df3>] dup_mm+0x453/0x760
[989300.745071]  [<ffffffffa6c9a5b6>] copy_process+0x1486/0x1a70
[989300.745071]  [<ffffffffa6c9ad51>] do_fork+0x91/0x330
[989300.745071]  [<ffffffffa6c9b076>] SyS_clone+0x16/0x20
[989300.745071]  [<ffffffffa73932b4>] stub_clone+0x44/0x70
[989300.745071]  [<ffffffffa7393166>] ? tracesys+0xa6/0xcc
[989300.745071] Code: 8a 1e 59 49 8b 50 08 4d 8b 20 49 8b 40 10 4d 85 e4 0f 84 28 01 00 00 48 85 c0 0f 84 1f 01 00 00 49 63 46 20 48 8d 4a 01 4d 8b 06 <49> 8b 1c 04 4c 89 e0 65 49 0f c7 08 0f 94 c0 84 c0 74 ba 49 63 
[989300.745071] RIP  [<ffffffffa6e28734>] kmem_cache_alloc+0x74/0x1f0
[989300.745071]  RSP <ffff9c99ea71bce0>
[989300.745071] CR2: 0000000100003c1c
  • Another crash pattern
[7578608.624457] general protection fault: 0000 [#1] SMP 
[7578608.629838] Modules linked in: xfs libcrc32c lp parport nfsv3 nfs_acl nfs lockd grace fscache fat uas usb_storage vxfen(POE) vxodm(POE) vxglm(POE) gab(POE) mpt3sas mpt2sas raid_class scsi_transport_sas mptctl mptbase dell_rbu dmpjbod(POE) dmpap(POE) dmpaa(POE) vxspec(POE) llt(POE) vxio(POE) rdma_cm vxdmp(POE) iw_cm amf(POE) ib_cm ib_core bonding vxcafs(POE) vxportal(POE) fdd(POE) vxfs(POE) veki(POE) dm_mirror dm_region_hash dm_log dell_smbios iTCO_wdt iTCO_vendor_support dell_wmi_descriptor dcdbas skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd lpfc pcspkr nvmet_fc nvmet nvme_fc nvme_fabrics nvme_core scsi_transport_fc scsi_tgt joydev i2c_i801 lpc_ich mei_me mei wmi ipmi_si ipmi_devintf
[7578608.704042]  ipmi_msghandler tpm_crb acpi_power_meter acpi_pad pcc_cpufreq binfmt_misc auth_rpcgss sunrpc ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic sg mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm mlx5_core ahci libahci mlxfw igb devlink crct10dif_pclmul drm crct10dif_common dca crc32c_intel libata ptp i2c_algo_bit megaraid_sas pps_core drm_panel_orientation_quirks nfit libnvdimm dm_mod
[7578608.743168] CPU: 28 PID: 105610 Comm: date Kdump: loaded Tainted: P           OE  ------------   3.10.0-1062.12.1.el7.x86_64 #1
[7578608.755380] Hardware name: Dell Inc. PowerEdge R740/0WXD1Y, BIOS 2.5.4 01/13/2020
[7578608.763334] task: ffff91885970e2a0 ti: ffff9197f8618000 task.ti: ffff9197f8618000
[7578608.771305] RIP: 0010:[<ffffffffa4224fb4>]  [<ffffffffa4224fb4>] kmem_cache_alloc+0x74/0x1f0
[7578608.780259] RSP: 0018:ffff9197f861bd28  EFLAGS: 00010286
[7578608.786066] RAX: 0000000000000000 RBX: ffff9170cd252958 RCX: 0000000059e6af7e
[7578608.793702] RDX: 0000000059e6af7d RSI: 0000000000000200 RDI: ffff91723fc07b00
[7578608.801342] RBP: ffff9197f861bd58 R08: 000000000001f0a0 R09: ffffffffa42008d4
[7578608.808988] R10: ffff9197f861bf00 R11: 0000000000000000 R12: 3032363439353038
[7578608.816635] R13: 0000000000000200 R14: ffff91723fc07b00 R15: ffff91723fc07b00
[7578608.824297] FS:  00007f4ddcf8e740(0000) GS:ffff91889f580000(0000) knlGS:0000000000000000
[7578608.832918] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[7578608.839208] CR2: 0000000000401010 CR3: 000000027ca4a000 CR4: 00000000007607e0
[7578608.846891] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[7578608.854573] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[7578608.862262] PKRU: 55555554
[7578608.865536] Call Trace:
[7578608.868560]  [<ffffffffa42008d4>] anon_vma_clone+0x64/0x1c0
[7578608.874705]  [<ffffffffa41f95af>] ? __split_vma+0x4f/0x240
[7578608.880760]  [<ffffffffa41f962e>] __split_vma+0xce/0x240
[7578608.886653]  [<ffffffffa41f97c0>] split_vma+0x20/0x30
[7578608.892285]  [<ffffffffa41fc84c>] mprotect_fixup+0x2cc/0x3a0
[7578608.898529]  [<ffffffffa41fcb72>] do_mprotect_pkey+0x252/0x360
[7578608.904951]  [<ffffffffa41fcc93>] SyS_mprotect+0x13/0x20
[7578608.910856]  [<ffffffffa478dede>] system_call_fastpath+0x25/0x2a
[7578608.917458] Code: c2 de 5b 49 8b 50 08 4d 8b 20 49 8b 40 10 4d 85 e4 0f 84 28 01 00 00 48 85 c0 0f 84 1f 01 00 00 49 63 46 20 48 8d 4a 01 4d 8b 06 <49> 8b 1c 04 4c 89 e0 65 49 0f c7 08 0f 94 c0 84 c0 74 ba 49 63 
[7578608.938962] RIP  [<ffffffffa4224fb4>] kmem_cache_alloc+0x74/0x1f0
[7578608.945703]  RSP <ffff9197f861bd28>
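A defender-side triage of the two oopses above, added here as an example and not part of the original article. It assumes the reading that the instruction marked on the Code line, `<49> 8b 1c 04` (mov rbx,[r12+rax]), is SLUB loading the next-free pointer out of the object in R12 with RAX as the cache's free-pointer offset, so the faulting address should equal R12+RAX and R12 itself is the corrupted freelist pointer; the oops text is a constructed excerpt of the lines quoted above, and the pointer is also decoded as raw bytes to show when printable text (ASCII digits in the second crash) has been written over a freed object.

```python
import re

# Constructed excerpts of the two oopses quoted on this page (only the lines triage reads).
OOPS_PAGING = """\
[989300.678005] BUG: unable to handle kernel paging request at 0000000100003c1c
[989300.678710] IP: [<ffffffffa6e28734>] kmem_cache_alloc+0x74/0x1f0
[989300.745071] RAX: 0000000000000000 RBX: ffff9ca45b0e8000 RCX: 000000000d53fa8b
[989300.745071] R10: ffff9ca1b18b76c8 R11: 0000000000000000 R12: 0000000100003c1c
[989300.745071] CR2: 0000000100003c1c CR3: 0000001fdbe2a000 CR4: 00000000003606e0
"""
OOPS_GPF = """\
[7578608.624457] general protection fault: 0000 [#1] SMP
[7578608.771305] RIP: 0010:[<ffffffffa4224fb4>]  [<ffffffffa4224fb4>] kmem_cache_alloc+0x74/0x1f0
[7578608.786066] RAX: 0000000000000000 RBX: ffff9170cd252958 RCX: 0000000059e6af7e
[7578608.808988] R10: ffff9197f861bf00 R11: 0000000000000000 R12: 3032363439353038
[7578608.839208] CR2: 0000000000401010 CR3: 000000027ca4a000 CR4: 00000000007607e0
"""

REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})")
SYM_RE = re.compile(r"\]\s+(\w+\+0x[0-9a-f]+/0x[0-9a-f]+)")
PAGING_RE = re.compile(r"unable to handle kernel paging request at ([0-9a-f]{16})")


def canonical(addr):
    """x86-64 canonical form: bits 63..47 all equal (otherwise the CPU raises #GP)."""
    return (addr >> 47) in (0, 0x1FFFF)


def triage(oops):
    # Interpretation assumed here: the faulting instruction on the Code line
    # (<49> 8b 1c 04 == mov rbx,[r12+rax]) is SLUB's get_freepointer(): R12 is the
    # object taken off the per-cpu freelist, RAX the cache's free-pointer offset.
    # If a freed object was written to after free, R12 is garbage and this load faults.
    regs = {name: int(val, 16) for name, val in REG_RE.findall(oops)}
    deref = (regs["R12"] + regs["RAX"]) & ((1 << 64) - 1)
    m = PAGING_RE.search(oops)
    if m:  # page fault: the BUG line and CR2 both carry the bad address
        kind, consistent = "paging", int(m.group(1), 16) == deref == regs["CR2"]
    else:  # #GP on a non-canonical address: CR2 is stale and must be ignored
        kind, consistent = "gpf", not canonical(deref)
    raw = regs["R12"].to_bytes(8, "little")  # the pointer as it sat in memory
    printable = all(0x20 <= b < 0x7F for b in raw)
    return {
        "symbol": SYM_RE.search(oops).group(1),
        "kind": kind,
        "freelist_ptr": f"{regs['R12']:016x}",
        "consistent": consistent,  # is the fault explained by dereferencing R12+RAX?
        "ascii": raw.decode() if printable else None,  # text written over a freed object?
    }
```

When both crashes come back `consistent` with the same symbol and offset, the reports describe one corruption pattern rather than two bugs, which is the kind of evidence to attach to a vendor case alongside the vmcore.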

Environment

  • Red Hat Enterprise Linux 7.8 (kernel-3.10.0-1127.18.2.el7)
  • Red Hat Enterprise Linux 7.7 (kernel-3.10.0-1062.12.1.el7)
  • Veritas File System VxFS
