s390x RHEL guest running on z/VM OS crashes in cgroup_iter_next(): possible process data corruption caused by a possible slab use-after-free bug.

Solution Unverified - Updated -

Issue

  • s390x RHEL guest running on z/VM OS crashes in cgroup_iter_next().
[4369428.629284] Unable to handle kernel pointer dereference at virtual kernel address aa064e77a0e25000
[4369428.629320] Oops: 0038 [#1] SMP 
[4369428.629324] Modules linked in: tcp_diag inet_diag rpcsec_gss_krb5 nfsv4 dns_resolver nfs lockd appldata_net_sum grace appldata_mem fscache appldata_os ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_limit nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter dm_mirror dm_region_hash dm_log dm_mod vmur zcrypt_cex4 auth_rpcgss binfmt_misc sunrpc ip_tables xfs libcrc32c dasd_fba_mod dasd_eckd_mod dasd_mod pkey zcrypt ap sha512_s390 ghash_s390 des_s390 des_generic aes_s390 qeth_l2 qeth ccwgroup qdio prng 8021q garp stp llc mrp [last unloaded: sg]
[4369428.629384] CPU: 0 PID: 1 Comm: systemd Kdump: loaded Not tainted 3.10.0-1160.11.1.el7.s390x #1
[4369428.629388] task: 00000000f4c18000 ti: 00000000f4c14000 task.ti: 00000000f4c14000
[4369428.629391] Krnl PSW : 0704e00180000000 00000000001ebfe4 (cgroup_iter_next+0x4c/0xd0)
[4369428.629401]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3
                 Krnl GPRS: 00000000001ebfb0 0000000074a63f80 00000000ea73fa00 00000000f4c17bf8
[4369428.630278]            00000000001ec1f0 00000000f3d1d680 00000000f30f6f00 00000000f153bb00
[4369428.630280]            000000004d410c00 00000000001e8838 0000000000000050 00000000ea73fa00
[4369428.630283]            aa064e77a0e25ee5 0000000000000089 00000000f4c17b48 00000000f4c17b20
[4369428.654391] Krnl Code: 00000000001ebfd4: e3c030080004  lg  %r12,8(%r3)
                       00000000001ebfda: a7840040       brc 8,1ec05a
                      #00000000001ebfde: e35010280004   lg  %r5,40(%r1)
                      >00000000001ebfe4: e340c0000004   lg  %r4,0(%r12)
                       00000000001ebfea: a75b0018       aghi    %r5,24
                       00000000001ebfee: ec4500128064   cgrj    %r4,%r5,8,1ec012
                       00000000001ebff4: e34030080024   stg %r4,8(%r3)
                       00000000001ebffa: e320c820ff71   lay %r2,-2016(%r12)
[4369428.654469] Call Trace:
[4369428.654474] ([<00000000001e8838>] cgroup_file_open+0x0/0x138)
[4369428.654496]  [<00000000001ec1f0>] cgroup_pidlist_open+0x128/0x3d0
[4369428.654499]  [<00000000003039b6>] do_dentry_open+0x206/0x300
[4369428.654503]  [<000000000031af42>] do_last+0x392/0x9d8
[4369428.654506]  [<000000000031b670>] path_openat+0xe8/0x678
[4369428.654508]  [<000000000031d2ae>] do_filp_open+0x5e/0xc0
[4369428.654510]  [<00000000003056fc>] do_sys_open+0x18c/0x270
[4369428.654512]  [<0000000000763a00>] sysc_nr_ok+0x26/0x2c
[4369428.654518]  [<000003ffafb7c63c>] 0x3ffafb7c63c
[4369428.665741] Last Breaking-Event-Address:
[4369428.665745]  [<00000000001ebf9e>] cgroup_iter_next+0x6/0xd0
[4369428.665755]  
[4369428.665760] Kernel panic - not syncing: Fatal exception: panic_on_oops

Environment

  • RHEL 7.9.z, kernel-3.10.0-1160.11.1.el7.s390x
  • RHEL guest running on IBM z/VM OS
