The kernel-rt crashes in eventpoll_release_file() due to a possible use-after-free bug that is fixed by upstream patch ebe06187bf2a
Issue
- The kernel crashes in eventpoll_release_file() due to a possible use-after-free bug that is fixed by upstream patch ebe06187bf2a
[2029170.978424] BUG: unable to handle kernel paging request at fffffffffffffff8
[2029170.978430] IP: [<ffffffff8dc8dec0>] eventpoll_release_file+0x50/0xc0
[2029170.978433] PGD fcec18067 PUD fcec1a067 PMD 0
[2029170.978436] Oops: 0000 [#1] PREEMPT SMP
...
[2029170.978534] CPU: 1 PID: 227464 Comm: containerd Kdump: loaded Tainted: G W OEL ------------ T 3.10.0-1127.18.2.rt56.1116.el7.x86_64 #1
[2029170.978535] Hardware name: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2029170.978536] task: ffff8ff0f8084540 ti: ffff8ff04c248000 task.ti: ffff8ff04c248000
[2029170.978541] RIP: 0010:[<ffffffff8dc8dec0>] [<ffffffff8dc8dec0>] eventpoll_release_file+0x50/0xc0
[2029170.978542] RSP: 0018:ffff8ff04c24bc10 EFLAGS: 00010286
[2029170.978544] RAX: 0000000000000000 RBX: ffffffffffffffa8 RCX: 0000000000000000
[2029170.978545] RDX: ffffffff8e667e40 RSI: ffffffff8dc8ca50 RDI: ffff8fef959d8430
[2029170.978546] RBP: ffff8ff04c24bc40 R08: 0000000000000000 R09: ffffffff8dc8cfd3
[2029170.978547] R10: ffff8feed6ed1530 R11: ffff8ff20d2c1990 R12: ffff8fef959d8430
[2029170.978549] R13: ffff8fef959d8400 R14: ffff8ff20d2c1a88 R15: ffff8fe60cb908e0
[2029170.978551] FS: 00007f5a963fb740(0000) GS:ffff8ffb5c640000(0000) knlGS:0000000000000000
[2029170.978552] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[2029170.978553] CR2: fffffffffffffff8 CR3: 00000005165ea000 CR4: 00000000007607a0
[2029170.978555] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[2029170.978556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[2029170.978557] PKRU: 55555554
[2029170.978557] Call Trace:
[2029170.978564] [<ffffffff8dc3d73b>] __fput+0x1cb/0x230
[2029170.978568] [<ffffffff8dc3d88e>] ____fput+0xe/0x10
[2029170.978573] [<ffffffff8dab612b>] task_work_run+0xbb/0xe0
[2029170.978577] [<ffffffff8da92f9f>] do_exit+0x2df/0xa50
[2029170.978583] [<ffffffff8e185ae0>] ? kprobe_flush_task+0xd0/0x170
[2029170.978586] [<ffffffff8da9379c>] do_group_exit+0x4c/0xd0
[2029170.978590] [<ffffffff8daa61fe>] get_signal_to_deliver+0x2ce/0x650
[2029170.978595] [<ffffffff8da1b5d7>] do_signal+0x57/0x730
[2029170.978599] [<ffffffff8dabed19>] ? __hrtimer_nanosleep+0xc9/0x190
[2029170.978602] [<ffffffff8dabd770>] ? hrtimer_get_res+0x50/0x50
[2029170.978605] [<ffffffff8da1bd68>] do_notify_resume+0xb8/0x110
[2029170.978608] [<ffffffff8e1884f3>] int_signal+0x12/0x17
[2029170.978640] Code: 65 48 8b 04 25 28 00 00 00 48 89 45 d8 31 c0 e8 67 02 4f 00 49 8b 06 48 89 45 d0 48 8b 45 d0 49 39 c6 48 8d 58 a8 74 3b 0f 1f 00 <4c> 8b 6b 50 4d 8d 65 30 4c 89 e7 e8 40 02 4f 00 48 89 de 4c 89
[2029170.978643] RIP [<ffffffff8dc8dec0>] eventpoll_release_file+0x50/0xc0
[2029170.978644] RSP <ffff8ff04c24bc10>
[2029170.978644] CR2: fffffffffffffff8
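A triage check for matching a captured oops against the trace above, as an added example that is not part of the original article or Red Hat's tooling. The names `triage` and `matches_signature` are hypothetical, and the 0x58 and 0x50 offsets are an assumption read from this trace's Code: bytes (`48 8d 58 a8`, `4c 8b 6b 50`), so they apply to this kernel build only.

```python
import re

# Constructed sample: five lines copied from the oops shown on this page.
SAMPLE_OOPS = """\
[2029170.978424] BUG: unable to handle kernel paging request at fffffffffffffff8
[2029170.978541] RIP: 0010:[<ffffffff8dc8dec0>] [<ffffffff8dc8dec0>] eventpoll_release_file+0x50/0xc0
[2029170.978544] RAX: 0000000000000000 RBX: ffffffffffffffa8 RCX: 0000000000000000
[2029170.978553] CR2: fffffffffffffff8 CR3: 00000005165ea000 CR4: 00000000007607a0
[2029170.978564] [<ffffffff8dc3d73b>] __fput+0x1cb/0x230
"""

def signed64(value):
    """Interpret a 64-bit register value as a signed offset."""
    return value - (1 << 64) if value >> 63 else value

def triage(oops):
    """Extract the fields that identify this crash from raw oops text."""
    regs = {name: int(val, 16) for name, val in
            re.findall(r"\b(R[A-Z0-9]{2}|CR\d): ([0-9a-f]{16})\b", oops)}
    rip = re.search(r"RIP: .*\] (\w+)\+0x[0-9a-f]+/", oops)
    # Frames printed with "? " are unreliable stack leftovers, so skip them.
    frames = re.findall(r"\[<[0-9a-f]+>\] (\w+)\+0x", oops)
    cr2 = signed64(regs["CR2"]) if "CR2" in regs else None
    return {
        "function": rip.group(1) if rip else None,
        "via_fput": "__fput" in frames,
        "fault_offset": cr2,
        # A fault just below zero means a NULL pointer had a struct offset
        # subtracted from it (container_of style) before being dereferenced.
        "null_derived": cr2 is not None and -4096 <= cr2 < 0,
        # Assumed offsets for this build, from the Code: bytes on this page.
        "rbx_is_rax_minus_0x58": "RAX" in regs and "RBX" in regs and
            signed64(regs["RBX"]) - signed64(regs["RAX"]) == -0x58,
        "cr2_is_rbx_plus_0x50": cr2 is not None and "RBX" in regs and
            cr2 - signed64(regs["RBX"]) == 0x50,
    }

def matches_signature(oops):
    """True when an oops has the same shape as the crash on this page."""
    t = triage(oops)
    return (t["function"] == "eventpoll_release_file"
            and t["via_fput"] and t["null_derived"])

if __name__ == "__main__":
    print(triage(SAMPLE_OOPS), matches_signature(SAMPLE_OOPS))
```

For the trace on this page the fault offset is -8: RAX is zero, RBX is RAX minus 0x58, and the faulting load reads RBX plus 0x50.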
Environment
- Red Hat Enterprise Linux 7.8 Realtime (kernel-rt-3.10.0-1127.18.2.rt56.1116.el7)
- Red Hat Enterprise Linux 7.9 (kernel-3.10.0-1160.el7)