Guest

Preview Tool

Cisco Bug: CSCvt13313 - Kernel panic on CentOS/RHEL 7 while unloading AMP service

Last Modified

Jul 17, 2020

Products (1)

  • Cisco AMP for Endpoints

Known Affected Releases

1.10(0) 1.10(1) 1.10(2) 1.11(0) 1.11(1) 1.12(0) 1.12(1) 1.3(0) 1.3(1) 1.5(0) 1.5(1) 1.6(0) 1.7(0) 1.8(0) 1.8(1) 1.8(4) 1.9(0) 1.9(1)

Description (partial)

Host kernel panics while running a supported version of CentOS/RHEL 7 and AMP for Endpoints Linux Connector. Fixed in Linux Connector versions 1.12.2+

Symptom:
Host kernel panics while running a supported version of CentOS/RHEL 7 and AMP for Endpoints Linux Connector.

On affected machine, /var/log/messages would contain evidence of an int3 in jprobe_return_end. In an AMP support package, /var/log/messages is captured in messages.log.

For example:

[7652402.620048] int3: 0000 [#1] SMP
[7652402.621320] Modules linked in: ampnetworkflow(OE) ampfsm(OE-) . . .
[7652402.641016] CPU: 0 PID: 58904 Comm: SchedulerRunner Kdump: loaded
Tainted: G OE ------------ 3.10.0-862.11.6.el7.x86_64 #1
[7652402.643727] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/21/2015
[7652402.646229] task: ffff9508e9fb0000 ti: ffff950b70f6c000 task.ti: ffff950b70f6c000
[7652402.648208] RIP: 0010:[<ffffffff8471e461>] [<ffffffff8471e461>] jprobe_return_end+0x0/0xf
. . .
[7652402.667784] Call Trace:
[7652402.669009] [<ffffffff8471e3e9>] ? kretprobe_trampoline_holder+0x9/0x9
[7652402.670929] Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 c7 c0 60 33 01 00 48 89 e5 53 65 48 03 05 47 2d 8f 7b 48 8b 58 18 48 87 dc cc <90> 5b 5d c3 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55
[7652402.677805] RIP [<ffffffff8471e461>] jprobe_return_end+0x0/0xf
[7652402.679750] RSP <ffff950b70f6ff50>

In an AMP support package, /var/log/messages is captured in messages.log.

Conditions:
CentOS/RHEL 7 machine with the AMP for Endpoints Linux Connector prior to v1.12.2 installed on it experiences a kernel panic when the ampfsm kernel module is unloaded.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.