
Bug 456922

Summary: Unable to start any java-vm on hardened gentoo icedtea-bin-6.1.11.5: Could not reserve enough space for code cache
Product: Gentoo Linux
Reporter: bsod
Component: [OLD] Unspecified
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED FIXED
Severity: normal
CC: java
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Same error when trying to emerge oracle java
My Kernel Configuration
emerge --info

Description bsod 2013-02-12 12:18:20 UTC
It could be a misconfiguration on my part, but I read the following (maybe related) bugs: 389751 and 344135

mediaserv-gentoo ~ # java -version
Error occurred during initialization of VM
Could not reserve enough space for code cache

mediaserv-gentoo ~ # java -Xms64m -Xmx64m
Error occurred during initialization of VM
Could not reserve enough space for code cache

mediaserv-gentoo ~ # java -server -Xms64m -Xmx64m
Error occurred during initialization of VM
Could not reserve enough space for code cache

mediaserv-gentoo ~ # java -client -Xms64m -Xmx64m
Error occurred during initialization of VM
Could not reserve enough space for code cache

mediaserv-gentoo ~ # ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 27432
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 2144
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 27432
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

mediaserv-gentoo ~ # free
             total       used       free     shared    buffers     cached
Mem:       3515788    1882368    1633420          0     536360     801068
-/+ buffers/cache:     544940    2970848
Swap:     16383996      14276   16369720

The default PAX Settings are:
mediaserv-gentoo ~ # paxctl -v /opt/icedtea-bin-6.1.11.5/bin/java
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/opt/icedtea-bin-6.1.11.5/bin/java]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled


I tried with all disabled:
mediaserv-gentoo ~ # paxctl -v /opt/icedtea-bin-6.1.11.5/bin/java
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-r [/opt/icedtea-bin-6.1.11.5/bin/java]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is disabled

mediaserv-gentoo ~ # java-config-2 -L
The following VMs are available for generation-2:
*)      IcedTea JDK 6.1.11.5 [icedtea-bin-6]

I tried http://serverfault.com/questions/438670/can-not-run-java-inside-grsec-chroot but "Sanitize all freed memory" was not enabled in my kernel, and after changing the jvm.cfg I get:

mediaserv-gentoo ~ # java -version
Error: no `client' JVM at `/opt/icedtea-bin-6.1.11.5/jre/lib/amd64/client/libjvm.so'.

Note: This doesn't only happen for the icedtea-bin but also for other java-vms like dev-java/oracle-jre-bin-1.7.0.13 (see attachment for emerge log)


Reproducible: Always

Steps to Reproduce:
1. emerge icedtea-bin
2. java -version
Actual Results:  
Error occurred during initialization of VM
Could not reserve enough space for code cache

Expected Results:  
Print version information

SELinux is compiled into the kernel but currently disabled.

mediaserv-gentoo ~ # gunzip < /proc/config.gz | grep -i pax
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
# PaX
CONFIG_PAX=y
# PaX Control
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="or"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y

mediaserv-gentoo ~ # gunzip < /proc/config.gz | grep -i grkern
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_RAND_THREADSTACK is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
# CONFIG_GRKERNSEC_MODHARDEN is not set
# CONFIG_GRKERNSEC_HIDESYM is not set
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
# CONFIG_GRKERNSEC_NO_RBAC is not set
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
# CONFIG_GRKERNSEC_PROC is not set
# CONFIG_GRKERNSEC_LINK is not set
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
# CONFIG_GRKERNSEC_FIFO is not set
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
# CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL is not set
# CONFIG_GRKERNSEC_CHROOT is not set
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
# CONFIG_GRKERNSEC_TIME is not set
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
# CONFIG_GRKERNSEC_RWXMAP_LOG is not set
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
# CONFIG_GRKERNSEC_DMESG is not set
# CONFIG_GRKERNSEC_HARDEN_PTRACE is not set
# CONFIG_GRKERNSEC_PTRACE_READEXEC is not set
# CONFIG_GRKERNSEC_SETXID is not set
# CONFIG_GRKERNSEC_TPE is not set
# CONFIG_GRKERNSEC_RANDNET is not set
# CONFIG_GRKERNSEC_BLACKHOLE is not set
# CONFIG_GRKERNSEC_NO_SIMULT_CONNECT is not set
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_SYSCTL is not set
# CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6

Comment 1 bsod 2013-02-12 12:19:05 UTC
Created attachment 338686 [details]
Same error when trying to emerge oracle java

Comment 2 bsod 2013-02-12 12:19:46 UTC
Created attachment 338688 [details]
My Kernel Configuration

Comment 3 bsod 2013-02-12 12:21:18 UTC
Created attachment 338690 [details]
emerge --info

Comment 4 bsod 2013-02-12 22:51:24 UTC
After upgrading to hardened-sources-3.7.6 java is working fine, so this seems to be a bug in the 3.7.4-hardened-r1 kernel.

Comment 5 Magnus Granberg gentoo-dev 2013-11-23 14:17:36 UTC
(In reply to bsod from comment #4)
> After upgrading to hardened-sources-3.7.6 java is working fine, so this
> seems to be a bug in the 3.7.4-hardened-r1 kernel.
Closing it, for it looks like it works for the user with an updated kernel.