| Summary: | sys-kernel/hardened-sources 2.6.36-r6 kernel panic | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Dillon <developer> |
| Component: | Hardened | Assignee: | The Gentoo Linux Hardened Kernel Team (OBSOLETE) <hardened-kernel+disabled> |
| Status: | RESOLVED FIXED | ||
| Severity: | critical | CC: | andrej, hardened, kallamej, pageexec, spender |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | x86 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: |
kernel .config
hardened sources kernel panic Hardened-sources 2.6.32-r31 crash |
||
Created attachment 258038 [details]
kernel .config
Created attachment 258039 [details]
hardened sources kernel panic
Okay after a back and forth on IRC/#gentoo-hardened, I'm not sure what's going on yet. Can you try your working config file from hardened-sources-2.6.32-r22 with 2.6.32-r31 and see if that works. Also try your current *failing* config file with vanilla-2.6.36.2. Both should isolate whether this is an issue with the vanilla kernel vs grsec hardened. If I can't narrow it from there, I'll pass the bug upstream. Created attachment 258090 [details]
Hardened-sources 2.6.32-r31 crash
h-s-2.6.32-r31 crashes with the kernel config that was working on h-s-2.6.32-r22
v-s-2.6.36.2 works with the config that fails on h-s-2.6.36-r6
I'm experiencing the same problems, though slightly different call trace. In addition to comment #4, hardened-sources-2.6.36-r6 boots if both grsec and pax are disabled (i.e after answering N to all questions when using oldconfig on the vanilla .config). Hardware wise it's an Asus A7N8X2.0 deluxe with one pata disk. Thanks guys, its clearly hardened-kernel issue. I'm alerting upstream. In the mean time, there are some newer grsec patches out that may address this issue. I'll see if the diff shows some new code that may address this and then roll them out. In the mean time, if you continue using 2.6.32-r22 with ECONET off you are secure. as i asked on the list as well, which grsec is included in r6? this particular issue with the recent UDEREF changes should be fixed in the latest grsec but there's another outstanding issue with the IP checksum code that will be fixed in the next patch only. (In reply to comment #7) > as i asked on the list as well, which grsec is included in r6? this particular > issue with the recent UDEREF changes should be fixed in the latest grsec but > there's another outstanding issue with the IP checksum code that will be fixed > in the next patch only. > hardened-sources-2.6.32-r31 has grsecurity-2.2.1-2.6.32.27-201012121726 hardened-sources-2.6.36-r6 has grsecurity-2.2.1-2.6.36.2-201012121726 (In reply to comment #8) > hardened-sources-2.6.32-r31 has grsecurity-2.2.1-2.6.32.27-201012121726 > > hardened-sources-2.6.36-r6 has grsecurity-2.2.1-2.6.36.2-201012121726 yeah so they're a bit dated now ;), so you can either pull in the changes since then or wait a bit more for an even newer patch to fix one more issue. (In reply to comment #9) > (In reply to comment #8) > > hardened-sources-2.6.32-r31 has grsecurity-2.2.1-2.6.32.27-201012121726 > > > > hardened-sources-2.6.36-r6 has grsecurity-2.2.1-2.6.36.2-201012121726 > > yeah so they're a bit dated now ;), so you can either pull in the changes since > then or wait a bit more for an even newer patch to fix one more issue. > I'm rolling out the latest: hardened-sources-2.6.32-r32 based on grsecurity-2.2.1-2.6.32.27-201012182005 hardened-sources-2.6.36-r7 based on grsecurity-2.2.1-2.6.36.2-201012221906 They'll be added to the tree after I compile/run test them --- about 24 hrs. I'll leave them marked ~arch (testing needed) and will aim at stabilizing the next set of patches which solve the other issue. It might be useful for the users to inform us if this set fixes the kernel panic. (In reply to comment #10) > I'm rolling out the latest: > > hardened-sources-2.6.32-r32 based on grsecurity-2.2.1-2.6.32.27-201012182005 > hardened-sources-2.6.36-r7 based on grsecurity-2.2.1-2.6.36.2-201012221906 Tried .36-r7 and it boots. Thanks guys! r7 had this build error until I removed the const from line 321 of include/linux/compiler.h The bug is fixed now. # make bzImage CHK include/linux/version.h CHK include/generated/utsrelease.h CALL scripts/checksyscalls.sh CHK include/generated/compile.h CC kernel/rcutree.o In file included from kernel/rcutree.c:1966: kernel/rcutree_plugin.h: In function ‘__rcu_read_lock’: kernel/rcutree_plugin.h:204: error: increment of read-only location ‘*(const volatile int *)&get_current()->rcu_read_lock_nesting’ kernel/rcutree_plugin.h: In function ‘__rcu_read_unlock’: kernel/rcutree_plugin.h:347: error: decrement of read-only location ‘*(const volatile int *)&t->rcu_read_lock_nesting’ kernel/rcutree_plugin.h: In function ‘synchronize_rcu_expedited’: kernel/rcutree_plugin.h:718: error: increment of read-only location ‘*(const volatile long int *)&sync_rcu_preempt_exp_count’ make[1]: *** [kernel/rcutree.o] Error 1 make: *** [kernel] Error 2 (In reply to comment #12) > r7 had this build error until I removed the const from line 321 of > include/linux/compiler.h compile errors should be directly reported to spender and me ;). (In reply to comment #13) > (In reply to comment #12) > > r7 had this build error until I removed the const from line 321 of > > include/linux/compiler.h > > compile errors should be directly reported to spender and me ;). > By direct do you mean via email rather than via bugzilla? Other than the const volitile issue (which is a repeat of the x86_64 case [1]) your latest changes fixed the issue. Thanks pipacs! Ref: [1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2501&start=0 I had the very same kernel panic with 2.6.36-r6, now r7 boots fine, testing it further. (In reply to comment #14) > By direct do you mean via email rather than via bugzilla? yes (for email/irc), it's more effective than posting this kind of problem into a random gentoo bugzilla entry that's about something else ;). > Other than the const volitile issue (which is a repeat of the x86_64 case [1]) the next patch will fix it properly as well. I just marked 2.6.36-r9 stable. Closing this one. |
The kernel panics on boot. Reproducible: Always Steps to Reproduce: 1. Build kernel 2. Boot machine 3. Get panic Actual Results: The system does not boot Expected Results: The system should boot ThunderFox ~ # emerge --info hardened-sources Portage 2.1.9.25 (hardened/linux/x86, gcc-4.4.4, glibc-2.11.2-r3, 2.6.32-hardened-r22 i686) ================================================================= System Settings ================================================================= System uname: Linux-2.6.32-hardened-r22-i686-Genuine_Intel-R-_CPU_T2250_@_1.73GHz-with-gentoo-1.12.14 Timestamp of tree: Fri, 24 Dec 2010 07:55:01 +0000 distcc 3.1 i686-pc-linux-gnu [disabled] ccache version 2.4 [disabled] app-shells/bash: 4.1_p7 dev-java/java-config: 2.1.11-r1 dev-lang/python: 2.6.6-r1, 3.1.2-r4 dev-util/ccache: 2.4-r9 dev-util/cmake: 2.8.1-r2 sys-apps/baselayout: 1.12.14-r1 sys-apps/sandbox: 2.4 sys-devel/autoconf: 2.13, 2.65-r1 sys-devel/automake: 1.9.6-r3, 1.10.3, 1.11.1 sys-devel/binutils: 2.20.1-r1 sys-devel/gcc: 4.4.4-r2 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.10 sys-devel/make: 3.81-r2 virtual/os-headers: 2.6.30-r1 (sys-kernel/linux-headers) ACCEPT_KEYWORDS="x86" ACCEPT_LICENSE="*" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=prescott -O2 -pipe -ggdb" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-march=prescott -O2 -pipe -ggdb" DISTDIR="/usr/portage/distfiles" FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" GENTOO_MIRRORS="ftp://gentoo.arcticnetwork.ca/pub/gentoo/ ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/ ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/" LANG="en_US.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" LINGUAS="en en_US" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/lib/layman/roslin /var/lib/layman/techwolf /usr/portage/local" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X aac acl acpi alsa ao avahi berkdb bzip2 cairo caps cdda cddb cdinstall clamav cli consolekit cracklib crypt css cups cvs cxx daap dbus dga direcftb directfb djvu dri dv dvd dvdr dvdread emovix encode exif faac faad fbcon fbcondecor ffmpeg flac fortran gcj gdbm geoip gif gnutls gphoto2 gpm graphviz gstreamer h323 hardened iconv id3tag ieee1394 imagemagick imlib iphone ipod ipv6 java jpeg jpeg2k kde kontact lame laptop lcms libnotify libsamplerate lm_sensors mad mikmod mmx mmxext modules mp3 mp4 mpeg mudflap multislot musicbrainz mysql ncurses nis nls nptl nptlonly nsplugin ogg openal opengl openmp oss otr pam pcmcia pcre pdf perl phonon pic png portaudio postgres pppd pulseaudio python qt3support qt4 quicktime rdesktop readline rtc ruby samba scanner sdl semantic-desktop session silc sip smp snmp socks5 speex spell sqlite sqlite3 sse sse2 ssl startup-notification subversion svg sysfs sysvipc taglib tcpd theora threads tiff truetype twolame udev unicode upnp urandom usb v4l v4l2 vcd videos vnc vorbis wav wifi win32codecs wmf wxwindows x264 x86 xcomposite xine xml xorg xv xvid xvmc yahoo zeroconf zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev mouse synaptics keyboard joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev vesa intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS ================================================================= Package Settings ================================================================= sys-kernel/hardened-sources-2.6.36-r6 was built with the following: USE="-build -deblob -symlink"