I haven't been able to successfully boot any hardened-sources-4.2.x kernels so far. However hardened-sources-4.1.7-r1 runs fine. After correcting various problems in earlier hardened-sources-4.2.x kernels, this BUG still remains. It seems right after the kernel reaches init, it just BUGs out. Please communicate any idea on how to proceed with this problem. Thx: Dw. Reproducible: Always
Created attachment 416886 [details] BUG image part1
Created attachment 416888 [details] BUG image part2
Can you test the 4.2.6-r2 which is the latest in the tree. Also, can you please attach your kernel config file. Also, did you test vanilla with the same settings (minus the grsec/pax stuff)?
(In reply to Anthony Basile from comment #3) > Can you test the 4.2.6-r2 which is the latest in the tree. Also, can you > please attach your kernel config file. Also, did you test vanilla with the > same settings (minus the grsec/pax stuff)? Synced yesterday afternoon, the latest was 4.2.6-hardened-r1. Couldn't find -r2. This kernel shows the same symptoms.
Created attachment 417052 [details] hardened-sources-4.2.6-r1 configuration As requested
4.2.6-gentoo passes boot stages. It has some problems after completion because of hardened user space.
I've just tried hardened-sources-4.2.6-r3 and it BUGs exactly the same way. Still couldn't boot any 4.2.x-hardened kernel so far...
(In reply to Anthony Basile from comment #3) > Also, did you test vanilla with the same settings (minus the grsec/pax stuff)? This BUG_ON is from grsec/pax patch.
Looks like you can workaround this bug by disabling CONFIG_PAX_KERNEXEC
(In reply to Alexander Tsoy from comment #8) > (In reply to Anthony Basile from comment #3) > > Also, did you test vanilla with the same settings (minus the grsec/pax stuff)? > > This BUG_ON is from grsec/pax patch. hardened-sources-4.2.6-r6 BUGs exactly the same way as prior hardened-4.2.6-* versions. I tried a modified config, but I run into some crypto-related PANICs. I still have to hang on using hardened-4.1.7-r1. That is the last one that boots flawlessly.
(In reply to Alexander Tsoy from comment #9) > Looks like you can workaround this bug by disabling CONFIG_PAX_KERNEXEC The boxes are real physical computers, I'm not booting virtual machines. I would rather keep KERNEXEC as it isn't feature told be useless or deprecated. Hardened-4.1.7-r1 kernel boots fine. Something happened while bumping to 4.2.6*.
hardened-sources-4.2.6-r8 still BUGs (invalid opcode 0000) while kernel poking init during early boot, if CONFIG_PAX_KERNEXEC is enabled on a real physical hardware (both with bts or or). The issue appeared by the advent of 4.2.6* kernels. 4.1.7-hardened-r1 boots fine with KERNEXEC enabled.
It would be disappointing if I have to neglect this hardening feature (CONFIG_PAX_KERNEXEC)...
some time ago i added some self-checking code to detect any leftover rwx kernel memory that KERNEXEC should have taken care of, my guess is that it's the one that triggers here. one thing i noticed is that you enabled DEBUG_PAGEALLOC, is there a reason for it?
(In reply to PaX Team from comment #14) > some time ago i added some self-checking code to detect any leftover rwx > kernel memory that KERNEXEC should have taken care of, my guess is that it's > the one that triggers here. one thing i noticed is that you enabled > DEBUG_PAGEALLOC, is there a reason for it? You are right, that was the problem. I don't remember when it was enabled, but disabling DEBUG_PAGEALLOC let me select boot the kernel with KERNEXEC enabled. These two configuration option therefore incompatible. It would be good to make them mutually exclusive. Many thanks: Dw.
(In reply to Attila Tóth from comment #15) > You are right, that was the problem. I don't remember when it was enabled, > but disabling DEBUG_PAGEALLOC let me select boot the kernel with KERNEXEC > enabled. These two configuration option therefore incompatible. It would be > good to make them mutually exclusive. they're not necessarily incompatible, just a combination that noone used in production so far (DEBUG_PAGEALLOC is a debugging option with a non-trivial performance impact, i'm surprised you didn't notice ;). i'll try to reproduce this in qemu and see what the best way to resolve it is.
(In reply to PaX Team from comment #16) > (In reply to Attila Tóth from comment #15) > > You are right, that was the problem. I don't remember when it was enabled, > > but disabling DEBUG_PAGEALLOC let me select boot the kernel with KERNEXEC > > enabled. These two configuration option therefore incompatible. It would be > > good to make them mutually exclusive. > > they're not necessarily incompatible, just a combination that noone used in > production so far (DEBUG_PAGEALLOC is a debugging option with a non-trivial > performance impact, i'm surprised you didn't notice ;). i'll try to > reproduce this in qemu and see what the best way to resolve it is. Thanks for you effort, Pipacs: Békés Karácsonyt!