The kernel crashes in __list_del_entry_valid() called from iucv_path_sever() due to a known use-after-free bug

Solution Verified

Issue

  • The kernel crashes in __list_del_entry_valid() called from iucv_path_sever() due to a known use-after-free bug.
[195054.990461] Unable to handle kernel pointer dereference in virtual kernel address space
[195054.990472] Failing address: 1fe7c34a1ba01000 TEID: 1fe7c34a1ba01803
[195054.990475] Fault in home space mode while using kernel ASCE.
[195054.990477] AS:0000000e6a258007 R3:0000000000000024 
[195054.990498] Oops: 0038 ilc:3 [#1] SMP 
[195054.990502] Modules linked in: ...
[195054.990559] Red Hat flags: eBPF/event
[195054.990561] CPU: 2 PID: 2325 Comm: iucvserv Kdump: loaded Tainted: G           OE     -------- -  - 4.18.0-553.el8_10.s390x #1
[195054.990563] Hardware name: IBM 3931 LA1 401 (z/VM 7.3.0)
[195054.990564] Krnl PSW : 0704e00180000000 0000000e693c0856 (__list_del_entry_valid+0x3e/0xc0)
[195054.990571]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
[195054.990573] Krnl GPRS: 000000000000000f 000000016a858318 000000016a858318 1fe7c34a1ba017ef
[195054.990575]            0000000000000200 0000000000000000 0000000000000000 000000008650ba20
[195054.990577]            000003ff803c2bca 000003ff00000001 000000016a858318 000000016a858300
[195054.990578]            00000000ddca0000 0000000126a03710 00000000e23d7c20 00000000e23d7c08
[195054.990585] Krnl Code: 0000000e693c0846: ec14001b8064   cgrj    %r1,%r4,8,e693c087c
                           0000000e693c084c: a7490200       lghi    %r4,512
                          #0000000e693c0850: ec3400388064   cgrj    %r3,%r4,8,e693c08c0
                          >0000000e693c0856: e34030000004   lg  %r4,0(%r3)
                           0000000e693c085c: ec4200286064   cgrj    %r4,%r2,6,e693c08ac
                           0000000e693c0862: e34010080020   cg  %r4,8(%r1)
                           0000000e693c0868: a7740014       brc 7,e693c0890
                           0000000e693c086c: a7290001       lghi    %r2,1
[195054.990619] Call Trace:
[195054.990620] ([<000000016a858300>] 0x16a858300)
[195054.990624]  [<0000000e6971cd9e>] iucv_path_sever+0x96/0x138 
[195054.990633]  [<000003ff803c2bca>] iucv_sever_path+0xc2/0xd0 [af_iucv] 
[195054.990639]  [<000003ff803c51b6>] iucv_sock_close+0xa6/0x310 [af_iucv] 
[195054.990643]  [<000003ff803c58cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] 
[195054.990647]  [<0000000e695340e6>] __sock_release+0x5e/0xe8 
[195054.990652]  [<0000000e695341a4>] sock_close+0x34/0x48 
[195054.990656]  [<0000000e6920c742>] __fput+0xba/0x268 
[195054.990662]  [<0000000e68f9bb3c>] task_work_run+0xbc/0xf0 
[195054.990672]  [<0000000e68f2d718>] do_notify_resume+0x88/0x90 
[195054.990676]  [<0000000e69764f7e>] system_call+0xe2/0x2c8 
[195054.990680] Last Breaking-Event-Address:
[195054.990681]  [<0000000e6971cd98>] iucv_path_sever+0x90/0x138
[195054.990687]  
[195054.990688] Kernel panic - not syncing: Fatal exception in interrupt

Environment

  • Red Hat Enterprise Linux 8.10.z
    • kernel older than 4.18.0-553.22.1.el8_10
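Triage helper added here as an example (not part of this article or of Red Hat's tooling): it reads a captured kernel log, reports whether the oops matches the signature above (__list_del_entry_valid() reached via iucv_path_sever()), and compares the kernel release printed on the CPU line against the first fixed build from the Environment section. The version comparison is a simplified rpmvercmp written for this example, and the sample log is a constructed excerpt of the oops shown above.

```python
"""Triage for this article's crash signature: does the oops match
__list_del_entry_valid() via iucv_path_sever(), and does the reported
kernel predate the first fixed build? Added example, not Red Hat's code."""
import re

FIXED_RELEASE = "4.18.0-553.22.1.el8_10"  # from the Environment section
PSW_RE = re.compile(r"Krnl PSW\s*:.*\((?P<sym>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+\)")
TRACE_RE = re.compile(r"\[<[0-9a-f]+>\]\s+(?P<sym>\w+)\+0x")
KVER_RE = re.compile(r"\bCPU: \d+ PID: \d+ .*?\s(?P<kver>\d+\.\d+\.\d+-\S+)\s+#\d+")

def release_key(release):
    """Comparable form of a kernel release (simplified rpmvercmp): numeric
    segments compare as ints and rank above alphabetic ones; arch is dropped."""
    release = re.sub(r"\.(s390x|x86_64|aarch64|ppc64le)$", "", release)
    return [(1, int(p)) if p.isdigit() else (0, p)
            for p in re.findall(r"\d+|[A-Za-z]+", release)]

def predates_fix(release, fixed=FIXED_RELEASE):
    return release_key(release) < release_key(fixed)

def triage(log_text):
    """Parse an oops and decide whether it matches this article's signature."""
    faulting, trace, kver = None, [], None
    for line in log_text.splitlines():
        if m := PSW_RE.search(line):
            faulting = m.group("sym")          # symbol at the faulting PSW
        elif m := TRACE_RE.search(line):
            trace.append(m.group("sym"))       # Call Trace entries, in order
        elif m := KVER_RE.search(line):
            kver = m.group("kver")             # release from the CPU line
    return {
        "faulting": faulting, "kernel": kver,
        "signature_match": faulting == "__list_del_entry_valid"
                           and "iucv_path_sever" in trace,
        "kernel_predates_fix": kver is not None and predates_fix(kver),
    }

# Constructed sample: a few lines excerpted from the oops shown above.
SAMPLE_OOPS = """\
[195054.990561] CPU: 2 PID: 2325 Comm: iucvserv Kdump: loaded Tainted: G OE -------- -  - 4.18.0-553.el8_10.s390x #1
[195054.990564] Krnl PSW : 0704e00180000000 0000000e693c0856 (__list_del_entry_valid+0x3e/0xc0)
[195054.990619] Call Trace:
[195054.990624]  [<0000000e6971cd9e>] iucv_path_sever+0x96/0x138
[195054.990633]  [<000003ff803c2bca>] iucv_sever_path+0xc2/0xd0 [af_iucv]
[195054.990639]  [<000003ff803c51b6>] iucv_sock_close+0xa6/0x310 [af_iucv]
"""

if __name__ == "__main__":
    print(triage(SAMPLE_OOPS))
```

Feed it the output of `vmcore-dmesg` or the relevant slice of `journalctl -k`; a `signature_match` together with `kernel_predates_fix` points at the kernel update named above rather than at the iucvserv workload.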
