modules "gsch and redirfs" causing frequent kernel panic --Trend Deep Security Agent(Trend
Author: Internet
The gsch and redirfs modules cause the system to hang or reboot.
Error messages:
1.
Jun 19 09:44:34 7eb106 kernel: redirfs: loading out-of-tree module taints kernel.
Jun 19 09:44:34 7eb106 kernel: redirfs: module verification failed: signature and/or required key missing - tainting kernel
Jun 19 09:44:34 7eb106 kernel: Redirecting File System Framework Version 0.10 <www.redirfs.org> with TrendMicro Patch 9.6.2.8793
Jun 19 09:44:34 7eb106 kernel: register_chrdev() done: 242
Jun 19 09:44:34 7eb106 kernel: gsch: loading vfs-filter 9.6.2.8793: OK
Jun 19 09:44:34 7eb106 kernel: gsch_dev_open() doing
Jun 19 09:44:34 7eb106 kernel: gsch_dev_open() done: pid:4574(ds_am)
Jun 19 09:44:34 7eb106 kernel: cannot uninstall hooks if location of sys_call_table is unknown
Jun 19 09:44:34 7eb106 kernel: gsch_remove_hooks(&gsch_hooks, &orig_hooks) done: -22
Jun 19 09:44:35 7eb106 kernel: lookup sys_call_table yields ffffffffb6e03300
Jun 19 09:44:35 7eb106 kernel: lookup sys_execve yields ffffffffb6824340
Jun 19 09:44:35 7eb106 kernel: lookup do_execve yields ffffffffb68240d0
Jun 19 09:44:35 7eb106 kernel: lookup ia32_sys_call_table yields ffffffffb6e0a880
Jun 19 09:44:35 7eb106 kernel: running: awk '/[0-9a-f]+ [RTrt] compat_do_execve$/ { print "0x" $1 >"/proc/driver/gsch/syshook/addr_compat_do_execve" ; exit }' /boot/System.map-3.10.0-862.9.1.el7.x86_64 doing
Jun 19 09:44:35 7eb106 kernel: running: awk '/[0-9a-f]+ [RTrt] compat_do_execve$/ { print "0x" $1 >"/proc/driver/gsch/syshook/addr_compat_do_execve" ; exit }' /boot/System.map-3.10.0-862.9.1.el7.x86_64 done(0)
Jun 19 09:44:35 7eb106 kernel: lookup compat_do_execve yields 0
Jun 19 09:44:35 7eb106 kernel: lookup int_ret_from_sys_call yields ffffffffb6d20a35
Jun 19 09:44:35 7eb106 kernel: lookup getname yields ffffffffb682cea0
Jun 19 09:44:35 7eb106 kernel: lookup putname yields ffffffffb682cca0
Jun 19 09:44:35 7eb106 kernel: hooking open NR=2 ... ffffffffb681a430 -> ffffffffc0946ab0
Jun 19 09:44:35 7eb106 kernel: hooking close NR=3 ... ffffffffb681a490 -> ffffffffc09458c0
Jun 19 09:44:35 7eb106 kernel: hooking exit NR=60 ... ffffffffb66986b0 -> ffffffffc09449a0
Jun 19 09:44:35 7eb106 kernel: hooking getpgid NR=121 ... ffffffffb66ae1f0 -> ffffffffc0944940
Jun 19 09:44:35 7eb106 kernel: hooking unlink NR=87 ... ffffffffb682e570 -> ffffffffc0944fb0
Jun 19 09:44:35 7eb106 kernel: hooking unlinkat NR=263 ... ffffffffb682e530 -> ffffffffc0945250
Jun 19 09:44:35 7eb106 kernel: hooking write NR=1 ... ffffffffb681c240 -> ffffffffc0944cf0
Jun 19 09:44:35 7eb106 kernel: hooking pwrite64 NR=18 ... ffffffffb681c3f0 -> ffffffffc0944dd0
Jun 19 09:44:35 7eb106 kernel: hooking writev NR=20 ... ffffffffb681ca00 -> ffffffffc0944ec0
Jun 19 09:44:35 7eb106 kernel: hooking dup2 NR=33 ... ffffffffb683bb20 -> ffffffffc0945aa0
Jun 19 09:44:35 7eb106 kernel: hooking mount NR=165 ... ffffffffb6840890 -> ffffffffc0946d30
Jun 19 09:44:35 7eb106 kernel: hooking umount NR=166 ... ffffffffb683e8a0 -> ffffffffc0946200
Jun 19 09:44:35 7eb106 kernel: hooking exit_group NR=231 ... ffffffffb6698770 -> ffffffffc0944a20
Jun 19 09:44:35 7eb106 kernel: hooking stub NR=59 @ ffffffffb6d20cd0 ... ffffffffb6824340 (-5229016) -> ffffffffc0946920 (163732488)
Jun 19 09:44:35 7eb106 kernel: gsch_install_hooks(&gsch_hooks, &orig_hooks) done: 0
Jun 19 09:44:35 7eb106 kernel: gsch_flt: loaded
Jun 19 09:44:35 7eb106 kernel: gsch_flt_add_mnt(/dev @ Unknown[1021994(devtmpfs)]) done: 0
Jun 19 09:44:35 7eb106 kernel: gsch_flt_add_mnt(/dev/shm @ Unknown[1021994(tmpfs)]) done: 0
Jun 19 09:44:35 7eb106 kernel: gsch_flt_add_mnt(/run @ Unknown[1021994(tmpfs)]) done: 0
Jun 19 09:44:35 7eb106 kernel: gsch_flt_add_mnt(/sys/fs/cgroup @ Unknown[1021994(tmpfs)]) done: 0
Jun 19 09:44:35 7eb106 kernel: gsch_flt_add_mnt(/sys/fs/pstore @ Unknown[6165676c(pstore)]) done: 0
Jun 19 09:44:35 7eb106 kernel: gsch_flt_add_mnt(/sys/kernel/config @ Unknown[62656570(configfs)]) done: 0
Jun 19 09:44:35 7eb106 kernel: gsch_flt_add_mnt(/ @ Unknown[58465342(xfs)]) done: 0
Jun 19 09:44:35 7eb106 kernel: gsch_flt_add_mnt(/dev/hugepages @ Unknown[958458f6(hugetlbfs)]) done: 0
2.
May 31 09:35:01 RRSDZBBAPP01 kernel: Redirecting File System Framework Version 0.10 <www.redirfs.org> with TrendMicro Patch 9.6.2.8760
May 31 09:35:01 RRSDZBBAPP01 kernel: register_chrdev() done: 252
May 31 09:35:01 RRSDZBBAPP01 kernel: gsch: loading vfs-filter 9.6.2.8760: OK
May 31 09:35:01 RRSDZBBAPP01 kernel: gsch_dev_open() doing
May 31 09:35:01 RRSDZBBAPP01 kernel: gsch_dev_open() done: pid:5135(ds_am)
May 31 09:35:01 RRSDZBBAPP01 kernel: cannot uninstall hooks if location of sys_call_table is unknown
May 31 09:35:01 RRSDZBBAPP01 kernel: gsch_remove_hooks(&gsch_hooks, &orig_hooks) done: -22
May 31 09:35:01 RRSDZBBAPP01 kernel: lookup sys_call_table yields ffffffff8028ff40
May 31 09:35:01 RRSDZBBAPP01 kernel: lookup sys_execve yields ffffffff80054c99
May 31 09:35:01 RRSDZBBAPP01 kernel: lookup do_execve yields ffffffff8003eadd
May 31 09:35:02 RRSDZBBAPP01 kernel: lookup ia32_sys_call_table yields ffffffff80291280
May 31 09:35:02 RRSDZBBAPP01 kernel: lookup compat_do_execve yields ffffffff800fead2
May 31 09:35:02 RRSDZBBAPP01 kernel: lookup int_ret_from_sys_call yields ffffffff8005d298
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking open NR=2 ... ffffffff8003140a -> ffffffff886640e2
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking close NR=3 ... ffffffff8001e189 -> ffffffff886651a5
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking exit NR=60 ... ffffffff80094f6b -> ffffffff88663e3e
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking getpgid NR=121 ... ffffffff8009e48e -> ffffffff8866432e
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking unlink NR=87 ... ffffffff800eb3d2 -> ffffffff886643a9
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking unlinkat NR=263 ... ffffffff800eb4bd -> ffffffff886645d5
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking write NR=1 ... ffffffff80017416 -> ffffffff88665391
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking pwrite64 NR=18 ... ffffffff80043c10 -> ffffffff88665488
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking writev NR=20 ... ffffffff800e34cb -> ffffffff88665589
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking dup2 NR=33 ... ffffffff800470c1 -> ffffffff88664826
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking mount NR=165 ... ffffffff8004c055 -> ffffffff88664a05
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking umount NR=166 ... ffffffff800f0bc1 -> ffffffff88664fdc
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking exit_group NR=231 ... ffffffff8004c8ff -> ffffffff88663eb6
May 31 09:35:02 RRSDZBBAPP01 kernel: hooking stub NR=59 @ ffffffff8005d46c ... ffffffff80054c99 (-34874) -> ffffffff886641cf (140537084)
May 31 09:35:02 RRSDZBBAPP01 kernel: gsch_install_hooks(&gsch_hooks, &orig_hooks) done: 0
May 31 09:35:02 RRSDZBBAPP01 kernel: gsch_flt: loaded
May 31 09:35:02 RRSDZBBAPP01 kernel: load_proc_mounts() failed: vfs_read() = -22
May 31 09:35:03 RRSDZBBAPP01 xinetd[5298]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
May 31 09:35:03 RRSDZBBAPP01 xinetd[5298]: Started working: 1 available service
May 31 10:04:39 RRSDZBBAPP01 ntpdate[5311]: step time server 10.138.92.77 offset 1775.127678 sec
May 31 10:04:39 RRSDZBBAPP01 ntpd[5313]: ntpd 4.2.2p1@1.1570-o Mon May 30 15:43:16 UTC 2011 (1)
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: precision = 1.000 usec
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: Listening on interface wildcard, 0.0.0.0#123 Disabled
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: Listening on interface wildcard, ::#123 Disabled
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: Listening on interface lo, ::1#123 Enabled
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: Listening on interface eth3, fe80::2a80:23ff:fea2:438b#123 Enabled
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: Listening on interface bond0, fe80::2a80:23ff:fea2:4388#123 Enabled
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: Listening on interface lo, 127.0.0.1#123 Enabled
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: Listening on interface eth3, 172.24.178.114#123 Enabled
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: Listening on interface bond0, 10.138.26.48#123 Enabled
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: kernel time sync status 0040
May 31 10:04:39 RRSDZBBAPP01 ntpd[5314]: frequency initialized 16.302 PPM from /var/lib/ntp/drift
May 31 10:04:39 RRSDZBBAPP01 gpm[5335]: *** info [startup.c(95)]:
May 31 10:04:39 RRSDZBBAPP01 gpm[5335]: Started gpm successfully. Entered daemon mode.
May 31 10:04:41 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53840323,1,0) - interrupted & wait(1000)
May 31 10:04:41 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53840323,1,0) - interrupted & wait: done
May 31 10:04:42 RRSDZBBAPP01 kernel: [5398(rotatelogs)]: gsch_scan(19825259,1,0) - interrupted & wait(1000)
May 31 10:04:42 RRSDZBBAPP01 kernel: [5398(rotatelogs)]: gsch_scan(19825259,1,0) - interrupted & wait: done
May 31 10:04:42 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53840319,1,0) - interrupted & wait(1000)
May 31 10:04:42 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53840319,1,0) - interrupted & wait: done
May 31 10:04:43 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53903844,1,0) - interrupted & wait(1000)
May 31 10:04:43 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53903844,1,0) - interrupted & wait: done
May 31 10:04:43 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53903840,1,0) - interrupted & wait(1000)
May 31 10:04:43 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53903840,1,0) - interrupted & wait: done
May 31 10:04:43 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53903847,1,0) - interrupted & wait(1000)
May 31 10:04:43 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53903847,1,0) - interrupted & wait: done
May 31 10:04:43 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53903848,1,0) - interrupted & wait(1000)
May 31 10:04:43 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53903848,1,0) - interrupted & wait: done
May 31 10:04:43 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53840324,1,0) - interrupted & wait(1000)
May 31 10:04:43 RRSDZBBAPP01 kernel: [5100(PatrolAgent)]: gsch_scan(53840324,1,0) - interrupted & wait: done
May 31 10:04:48 RRSDZBBAPP01 avahi-daemon[5749]: Found user 'avahi' (UID 70) and group 'avahi' (GID 70).
3.
Feb 4 07:46:38 RRSDZBBAPP01 kernel: Redirecting File System Framework Version 0.10 <www.redirfs.org> with TrendMicro Patch 9.6.2.8760
Feb 4 07:46:38 RRSDZBBAPP01 kernel: register_chrdev() done: 252
Feb 4 07:46:38 RRSDZBBAPP01 kernel: gsch: loading vfs-filter 9.6.2.8760: OK
Feb 4 07:46:38 RRSDZBBAPP01 kernel: gsch_dev_open() doing
Feb 4 07:46:38 RRSDZBBAPP01 kernel: gsch_dev_open() done: pid:5133(ds_am)
Feb 4 07:46:38 RRSDZBBAPP01 kernel: cannot uninstall hooks if location of sys_call_table is unknown
Feb 4 07:46:38 RRSDZBBAPP01 kernel: gsch_remove_hooks(&gsch_hooks, &orig_hooks) done: -22
Feb 4 07:46:38 RRSDZBBAPP01 kernel: lookup sys_call_table yields ffffffff8028ff40
Feb 4 07:46:38 RRSDZBBAPP01 kernel: lookup sys_execve yields ffffffff80054c99
Feb 4 07:46:38 RRSDZBBAPP01 kernel: lookup do_execve yields ffffffff8003eadd
Feb 4 07:46:38 RRSDZBBAPP01 kernel: lookup ia32_sys_call_table yields ffffffff80291280
Feb 4 07:46:38 RRSDZBBAPP01 kernel: lookup compat_do_execve yields ffffffff800fead2
Feb 4 07:46:38 RRSDZBBAPP01 kernel: lookup int_ret_from_sys_call yields ffffffff8005d298
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking open NR=2 ... ffffffff8003140a -> ffffffff886660e2
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking close NR=3 ... ffffffff8001e189 -> ffffffff886671a5
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking exit NR=60 ... ffffffff80094f6b -> ffffffff88665e3e
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking getpgid NR=121 ... ffffffff8009e48e -> ffffffff8866632e
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking unlink NR=87 ... ffffffff800eb3d2 -> ffffffff886663a9
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking unlinkat NR=263 ... ffffffff800eb4bd -> ffffffff886665d5
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking write NR=1 ... ffffffff80017416 -> ffffffff88667391
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking pwrite64 NR=18 ... ffffffff80043c10 -> ffffffff88667488
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking writev NR=20 ... ffffffff800e34cb -> ffffffff88667589
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking dup2 NR=33 ... ffffffff800470c1 -> ffffffff88666826
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking mount NR=165 ... ffffffff8004c055 -> ffffffff88666a05
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking umount NR=166 ... ffffffff800f0bc1 -> ffffffff88666fdc
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking exit_group NR=231 ... ffffffff8004c8ff -> ffffffff88665eb6
Feb 4 07:46:38 RRSDZBBAPP01 kernel: hooking stub NR=59 @ ffffffff8005d46c ... ffffffff80054c99 (-34874) -> ffffffff886661cf (140545276)
Feb 4 07:46:38 RRSDZBBAPP01 kernel: gsch_install_hooks(&gsch_hooks, &orig_hooks) done: 0
Feb 4 07:46:38 RRSDZBBAPP01 kernel: gsch_flt: loaded
Feb 4 07:46:38 RRSDZBBAPP01 kernel: load_proc_mounts() failed: vfs_read() = -22
Feb 4 07:46:40 RRSDZBBAPP01 xinetd[5296]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Feb 4 07:46:40 RRSDZBBAPP01 xinetd[5296]: Started working: 1 available service
Feb 4 08:12:27 RRSDZBBAPP01 ntpdate[5309]: step time server 10.135.8.100 offset 1546.741556 sec
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5311]: ntpd 4.2.2p1@1.1570-o Mon May 30 15:43:16 UTC 2011 (1)
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: precision = 1.000 usec
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: Listening on interface wildcard, 0.0.0.0#123 Disabled
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: Listening on interface wildcard, ::#123 Disabled
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: Listening on interface lo, ::1#123 Enabled
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: Listening on interface eth3, fe80::2a80:23ff:fea2:438b#123 Enabled
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: Listening on interface bond0, fe80::2a80:23ff:fea2:4388#123 Enabled
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: Listening on interface lo, 127.0.0.1#123 Enabled
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: Listening on interface eth3, 172.24.178.114#123 Enabled
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: Listening on interface bond0, 10.138.26.48#123 Enabled
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: kernel time sync status 0040
Feb 4 08:12:27 RRSDZBBAPP01 ntpd[5312]: frequency initialized 13.965 PPM from /var/lib/ntp/drift
Feb 4 08:12:27 RRSDZBBAPP01 gpm[5333]: *** info [startup.c(95)]:
Feb 4 08:12:27 RRSDZBBAPP01 gpm[5333]: Started gpm successfully. Entered daemon mode.
Feb 4 08:12:29 RRSDZBBAPP01 kernel: [5394(rotatelogs)]: gsch_scan(19825259,1,0) - interrupted & wait(1000)
Feb 4 08:12:29 RRSDZBBAPP01 kernel: [5394(rotatelogs)]: gsch_scan(19825259,1,0) - interrupted & wait: done
Feb 4 08:12:37 RRSDZBBAPP01 avahi-daemon[5562]: Found user 'avahi' (UID 70) and group 'avahi' (GID 70).
Feb 4 08:12:37 RRSDZBBAPP01 avahi-daemon[5562]: Successfully dropped root privileges.
Feb 4 08:12:37 RRSDZBBAPP01 avahi-daemon[5562]: avahi-daemon 0.6.16 starting up.
Feb 4 08:12:37 RRSDZBBAPP01 avahi-daemon[5562]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Feb 4 08:12:37 RRSDZBBAPP01 avahi-daemon[5562]: Successfully called chroot().
Feb 4 08:12:37 RRSDZBBAPP01 avahi-daemon[5562]: Successfully dropped remaining capabilities.
Official Red Hat documentation:
https://access.redhat.com/solutions/1376133
https://access.redhat.com/solutions/3227401
https://access.redhat.com/solutions/1443703
An article by a community member
Source: https://blog.csdn.net/vic_qxz/article/details/99850654