The kernel crashes in lock_get_status(), likely caused by a use-after-free (UAF) condition
Issue
- The kernel crashes due to General Protection Fault in lock_get_status().
[1279294.634263] general protection fault, probably for non-canonical address 0x434355532d454d4f: 0000 [#1] SMP NOPTI
[1279294.634308] CPU: 1 PID: 1812156 Comm: lsof Kdump: loaded Not tainted 4.18.0-553.27.1.el8_10.x86_64 #1
[1279294.634325] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[1279294.634344] RIP: 0010:lock_get_status+0x1a4/0x330
[1279294.634358] Code: 48 c7 c2 90 5d 92 bb 48 c7 c0 84 5d 92 bb 48 0f 49 d0 48 c7 c6 3d dd 97 bb 48 89 ef e8 85 3b fc ff 4d 85 e4 0f 84 da 00 00 00 <49> 8b 44 24 28 4d 8b 4c 24 40 44 89 ea 48 89 ef 48 c7 c6 0d 5e 92
[1279294.634390] RSP: 0018:ffffb4cfc2223df0 EFLAGS: 00010202
[1279294.634401] RAX: 0000000000000000 RBX: ffff98c6c7f035f0 RCX: 0000000000000001
[1279294.634415] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff98c95c0772bc
[1279294.634428] RBP: ffff98c6e0a22780 R08: 0000000000001000 R09: 0000000000000000
[1279294.634442] R10: ffff98c95c078000 R11: ffff98c95c0772a3 R12: 434355532d454d4f
[1279294.634455] R13: 0000000000199e12 R14: ffffffffbb925e4c R15: ffff98c6e0a22780
[1279294.634469] FS: 00007f5e9ed5a840(0000) GS:ffff98c9ede40000(0000) knlGS:0000000000000000
[1279294.634500] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1279294.634511] CR2: 0000562e28aadb88 CR3: 0000000120766002 CR4: 0000000000770ee0
[1279294.634551] PKRU: 55555554
[1279294.634558] Call Trace:
[1279294.634573] ? __die_body+0x1a/0x60
[1279294.634584] ? die_addr+0x38/0x51
[1279294.634593] ? do_general_protection+0x135/0x280
[1279294.634604] ? general_protection+0x1e/0x30
[1279294.634618] ? lock_get_status+0x1a4/0x330
[1279294.634628] locks_show+0x6f/0xb0
[1279294.634637] seq_read+0x303/0x420
[1279294.634649] proc_reg_read+0x39/0x60
[1279294.634662] vfs_read+0x91/0x150
[1279294.634677] ksys_read+0x4f/0xb0
[1279294.634688] do_syscall_64+0x5b/0x1a0
[1279294.634703] entry_SYSCALL_64_after_hwframe+0x66/0xcb
[1279294.634718] RIP: 0033:0x7f5e9e435505
[1279294.634734] Code: fe ff ff 50 48 8d 3d ea ec 06 00 e8 e5 08 02 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 55 72 2a 00 8b 00 85 c0 75 0f 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 53 c3 66 90 41 54 49 89 d4 55 48 89 f5 53 89
[1279294.634767] RSP: 002b:00007ffed1d4b8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[1279294.634782] RAX: ffffffffffffffda RBX: 0000562e28aa62e0 RCX: 00007f5e9e435505
[1279294.634795] RDX: 0000000000001000 RSI: 0000562e28aacb80 RDI: 0000000000000003
[1279294.634809] RBP: 0000000000000d68 R08: 0000000000000001 R09: 0000000000000000
[1279294.634822] R10: 00007f5e9ed5a840 R11: 0000000000000246 R12: 00007f5e9e6d3860
[1279294.634836] R13: 00007f5e9e6d43a0 R14: 0000000000000fff R15: 0000562e28aa62e0
[1279294.634849] Modules linked in: ...
...
[1279294.635486] Red Hat flags: eBPF/event
- The panicking task is lsof, which is performing a "list open files" operation by reading /proc/locks.
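An added triage helper, not part of this article, for reading an oops like the one above: it extracts the faulting address, checks whether it is a canonical x86-64 pointer, compares it with the well-known kernel poison values, and decodes the 8 bytes as ASCII. The address in this crash, 0x434355532d454d4f, decodes to the printable text "OME-SUCC", which is the classic signature of a freed object having been reused for string data, and R12 is the register holding it. The sample text is an excerpt of the oops above; the poison table and the verdict heuristics are assumptions of this example.

```python
import re
import struct
from typing import Optional

# Well-known kernel poison values that also surface as non-canonical addresses
POISON = {
    0x6b6b6b6b6b6b6b6b: "SLUB freed-object poison (POISON_FREE)",
    0xa5a5a5a5a5a5a5a5: "SLUB uninitialised-object poison (POISON_INUSE)",
    0xdead000000000100: "LIST_POISON1 (unlinked list_head)",
    0xdead000000000122: "LIST_POISON2 (unlinked list_head)",
}

GPF_RE = re.compile(r"probably for non-canonical address 0x([0-9a-f]{16})")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}):\s*([0-9a-f]{16})")

# Excerpt of the oops above (constructed sample input for this example)
SAMPLE_OOPS = """\
[1279294.634263] general protection fault, probably for non-canonical address 0x434355532d454d4f: 0000 [#1] SMP NOPTI
[1279294.634401] RAX: 0000000000000000 RBX: ffff98c6c7f035f0 RCX: 0000000000000001
[1279294.634442] R10: ffff98c95c078000 R11: ffff98c95c0772a3 R12: 434355532d454d4f
"""

def is_canonical(addr: int) -> bool:
    """x86-64 with 48-bit virtual addresses: bits 63..47 must all equal bit 47."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF

def as_ascii(addr: int) -> Optional[str]:
    """Decode the value as the 8 bytes sit in memory (little-endian); None unless all printable."""
    raw = struct.pack("<Q", addr)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def triage_oops(text: str) -> dict:
    """Classify the faulting address of a GPF oops and name the registers that hold it."""
    m = GPF_RE.search(text)
    if not m:
        return {"fault_addr": None, "verdict": "no non-canonical-address GPF found"}
    addr = int(m.group(1), 16)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    holding = sorted(name for name, val in regs.items() if val == addr)
    text_form = as_ascii(addr)
    if addr in POISON:
        verdict = POISON[addr]
    elif text_form is not None:
        verdict = "printable ASCII: freed object likely reused for string data (UAF)"
    else:
        verdict = "non-canonical pointer of unknown origin"
    return {"fault_addr": addr, "canonical": is_canonical(addr),
            "ascii": text_form, "regs": holding, "verdict": verdict}

if __name__ == "__main__":
    print(triage_oops(SAMPLE_OOPS))
```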
Environment
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- No 3rd-party/Proprietary Modules/Drivers