oracle / linux-uek

Oracle Linux UEK: Unbreakable Enterprise Kernel

Home Page: https://blogs.oracle.com/linuxkernel

sysctl parameter read causes kernel panic (rpcrdma module)

l-a-geller opened this issue · comments

An issue was found in the Linux kernel's implementation (UEK6) of reading SVC RDMA counters. Reading the counter sysctl panics the system. This allows a local attacker with local access to be able to create a denial of service while the system reboots.

The panic log is pasted below:

[ 54.696004] BUG: unable to handle page fault for address: 00005633bd69cd50
[ 54.696166] #PF: supervisor write access in kernel mode
[ 54.696321] #PF: error_code(0x0003) - permissions violation
[ 54.696481] PGD 438f0d067 P4D 438f0d067 PUD 41656a067 PMD 437e7c067 PTE 80000003ea5e9867
[ 54.696665] Oops: 0003 [#1] SMP NOPTI
[ 54.696844] CPU: 13 PID: 3918 Comm: sysctl Kdump: loaded Tainted: P OE 5.4.17-2102.203.6.el8uek.x86_64 #2
[ 54.697047] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1.fc35 04/01/2014
[ 54.697278] RIP: 0010:memcpy_erms+0x6/0x9
[ 54.697486] Code: ff ff ff 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 54.697964] RSP: 0018:ffffc1bacb323dd0 EFLAGS: 00010297
[ 54.698208] RAX: 00005633bd69cd50 RBX: 0000000000000002 RCX: 0000000000000002
[ 54.698462] RDX: 0000000000000002 RSI: ffffc1bacb323ddf RDI: 00005633bd69cd50
[ 54.698731] RBP: ffffc1bacb323e18 R08: ffffc1bacb323ee8 R09: 0000000000000000
[ 54.698992] R10: 0000000000000000 R11: ffffc1bacb323de0 R12: ffffc1bacb323ee8
[ 54.699257] R13: ffffc1bacb323e38 R14: 00005633bd69cd50 R15: 0000000000000002
[ 54.699529] FS: 00007f7c04190940(0000) GS:ffff9d122f940000(0000) knlGS:0000000000000000
[ 54.699817] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 54.700102] CR2: 00005633bd69cd50 CR3: 0000000437e76003 CR4: 0000000000360ee0
[ 54.700401] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 54.700712] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 54.701015] Call Trace:
[ 54.701330] ? svcrdma_counter_handler+0xbe/0x10c [rpcrdma]
[ 54.701667] proc_sys_call_handler+0x1a0/0x1ad
[ 54.702057] proc_sys_read+0x11/0x13
[ 54.702428] __vfs_read+0x1b/0x34
[ 54.702778] vfs_read+0x99/0x152
[ 54.703109] ksys_read+0x61/0xd2
[ 54.703445] __x64_sys_read+0x1a/0x1c
[ 54.703803] do_syscall_64+0x60/0x1cb
[ 54.704155] entry_SYSCALL_64_after_hwframe+0x170/0x0
[ 54.704498] RIP: 0033:0x7f7c035305b5
[ 54.704857] Code: fe ff ff 50 48 8d 3d 82 f7 09 00 e8 85 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 e5 6f 2d 00 8b 00 85 c0 75 0f 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 53 c3 66 90 41 54 49 89 d4 55 48 89 f5 53 89
[ 54.705593] RSP: 002b:00007ffd1cdbfc38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 54.705984] RAX: ffffffffffffffda RBX: 00005633bd6b33a0 RCX: 00007f7c035305b5
[ 54.706373] RDX: 0000000000002000 RSI: 00005633bd69cd50 RDI: 0000000000000006
[ 54.706774] RBP: 0000000000000d68 R08: 00005633bd69ed50 R09: 0000000000000003
[ 54.707166] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000002000
[ 54.707560] R13: 00005633bd69ed60 R14: 0000000000000000 R15: 0000000000000000
[ 54.707966] Modules linked in: binfmt_misc dm_mod vhost_net vhost vhost_iotlb tap xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_tables nfnetlink tun bridge rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache rpcrdma rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm openvswitch 8021q garp mrp nf_conncount stp nf_nat llc nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 intel_rapl_msr intel_rapl_common isst_if_common sunrpc i40iw ib_uverbs skx_edac nfit ib_core libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iTCO_wdt iTCO_vendor_support kvm ipmi_ssif irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate acpi_ipmi mei_me intel_uncore ioatdma ipmi_si i2c_i801 pcspkr mei joydev lpc_ich dca wmi ipmi_devintf ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c sd_mod t10_pi sg ast i2c_algo_bit drm_vram_helper

This is fixed by upstream commit: 3292739 sysctl: pass kernel pointers to ->proc_handler

Thank you for your report. However, one function displayed in the stack trace, svcrdma_counter_handler, is not present in kernel-uek-5.4.17-2102.203.6.el8uek.x86_64. It was not, in fact, introduced into the mainline kernel until 5.12 and has not been backported to UEK.

From the taint codes, it looks as though you have built and installed an rpcrdma module yourself from a later kernel source tree and it simply crashes.

If you can reproduce a crash without your own modules loaded, then please re-open this issue.
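
The triage in the reply above rests on two fields of the oops: the taint letters and the module named in the call trace. The following Python is an added example, not code from this issue or from Oracle; it extracts those fields from an oops log. The function name `triage_oops` and the sample constant are hypothetical, the sample lines are copied from the panic log above, and the taint-letter meanings are those given in the kernel's tainted-kernels documentation.

```python
import re

# Module-related taint letters (kernel "tainted kernels" documentation).
TAINT_FLAGS = {
    "P": "proprietary module loaded",
    "F": "module force-loaded",
    "O": "out-of-tree module loaded",
    "E": "unsigned module loaded",
}

# Constructed sample: three lines copied from the panic log in this issue.
SAMPLE_OOPS = """\
[ 54.696844] CPU: 13 PID: 3918 Comm: sysctl Kdump: loaded Tainted: P OE 5.4.17-2102.203.6.el8uek.x86_64 #2
[ 54.701330] ? svcrdma_counter_handler+0xbe/0x10c [rpcrdma]
[ 54.701667] proc_sys_call_handler+0x1a0/0x1ad
"""

# "Tainted: <letters> <release>" or "Not tainted <release>" on the CPU line.
HEADER_RE = re.compile(r"(?:Tainted:\s+((?:[A-Z]+\s+)+)|Not tainted\s+)(\S+)")
# Call-trace frames that resolve into a loadable module: symbol+off/len [module].
FRAME_RE = re.compile(r"(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+\s+\[(\w+)\]")


def triage_oops(text):
    """Return the kernel release, module-related taints and module frames."""
    report = {"release": None, "taints": [], "module_frames": [],
              "third_party_suspect": False}
    header = HEADER_RE.search(text)
    if header:
        letters = "".join((header.group(1) or "").split())
        report["release"] = header.group(2)
        report["taints"] = [(c, TAINT_FLAGS[c]) for c in letters
                            if c in TAINT_FLAGS]
    report["module_frames"] = FRAME_RE.findall(text)
    # A module-related taint plus a faulting frame inside a module means the
    # crash must be reproduced on the vendor's own modules before filing it.
    report["third_party_suspect"] = bool(report["taints"]
                                         and report["module_frames"])
    return report


if __name__ == "__main__":
    result = triage_oops(SAMPLE_OOPS)
    print("kernel release:", result["release"])
    for letter, meaning in result["taints"]:
        print(f"taint {letter}: {meaning}")
    for symbol, module in result["module_frames"]:
        print(f"frame in module {module}: {symbol}")
    print("third-party module suspected:", result["third_party_suspect"])
```

A suspected third-party module is only a prompt to compare the named symbol against the vendor's module for that release, which is the check the reply describes.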