After enabling CONFIG_PAX_KERNEXEC and as a result disabling EFI and PARAVIRT, many modules will no longer load, with such an error as FATAL: Error inserting ipt_REJECT (/lib/modules/2.6.28-hardened-r9/kernel/net/ipv4/netfilter/ipt_REJECT.ko): Cannot allocate memory Reproducible: Always Steps to Reproduce: 1. emerge -av =sys-kernel/hardened-sources-2.6.28-hardened-r9 2. cp config-broken-2.6.28-hardened-r9 to the /usr/src/linux-2.6.28-hardened-r9 3. cd /usr/src/linux-2.6.28-hardened-r9 && make all && make modules_install && cp arch/x86/boot/bzImage /boot/kernel-2.6.28-hardened-r9 4. genkernel --no-clean --no-mrproper --splash=PLF5 ramdisk 5. add the kernel/ramdisk to grubconf and boot 6. modprobe something, many modules will fail (/etc/init.d/shorewall start) for example Actual Results: ThunderFox tmp # /etc/init.d/shorewall start * Service shorewall starting FATAL: Error inserting xt_hashlimit (/lib/modules/2.6.28-hardened-r9/kernel/net/netfilter/xt_hashlimit.ko): Cannot allocate memory ... (more failures) FATAL: Error inserting ipt_ULOG (/lib/modules/2.6.28-hardened-r9/kernel/net/ipv4/netfilter/ipt_ULOG.ko): Cannot allocate memory iptables: No chain/target/match by that name. /sbin/shorewall: line 375: 27206 Terminated ${VARDIR}/.start $debugging start [ !! ] * ERROR: shorewall failed to start Expected Results: ThunderFox tmp # /etc/init.d/shorewall start * Service shorewall starting * Service shorewall started emerge --info Portage 2.1.6.13 (hardened/x86, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 i686) ================================================================= System uname: Linux-2.6.28-hardened-r9-i686-Genuine_Intel-R-_CPU_T2250_@_1.73GHz-with-glibc2.1.3 Timestamp of tree: Wed, 29 Jul 2009 20:55:01 +0000 ccache version 2.4 [enabled] app-shells/bash: 3.2_p39 dev-java/java-config: 2.1.8-r1 dev-lang/python: 2.5.4-r3 dev-python/pycrypto: 2.0.1-r8 dev-util/ccache: 2.4-r7 dev-util/cmake: 2.6.4 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-mtune=i686 -march=i686 -O2 -fno-gcse -fforce-addr" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-mtune=i686 -march=i686 -O2 -fno-gcse -fforce-addr" DISTDIR="/usr/portage/distfiles" FEATURES="ccache collision-protect distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="ftp://gentoo.arcticnetwork.ca/pub/gentoo/ ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/ ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/" LANG="en_US.ISO-8859-1" LDFLAGS="-Wl,-O1" MAKEOPTS="-j1" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/layman/oss-overlay /usr/local/portage/layman/armagetron /usr/local/portage/layman/games /usr/local/portage/layman/vmware /usr/local/portage/layman/secondlife /usr/local/portage/layman/voip /usr/portage/local" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X aac acl acpi aim alsa ao arts avahi berkdb bonjour branding bzip2 cairo cddb cdparanoia clamav cracklib crypt css cups cvs daap dbus debug device-mapper dga direcftb directfb divx djvu doc dri dv dvd dvdr dvdread emovix encode exif fbcon fbcondecor ffmpeg firefox flac fluidsynth ftp fuse gcj geoip gif glib glut gnutls gphoto2 gpm graphviz gstreamer h323 hal hardened httpd iceweasel icq id2tag ieee1394 ilbc imagemagick imap imlib ipod ipv6 jabber jack jadetex java javascript joystick jpeg jpeg2k kde kdehiddenvisibility kvm laptop ldap libcaca libnotify lm_sensors logitech-mouse logrotate mdnsresponder-compat memlimit midi mikmod mmap mmx mmxext mp3 mp4 mpeg mplayer msn multislot musicbrainz mysql mysqli ncurses networkmanager nis nls nntp nptl nptlonly nsplugin offensive ogg openal opengl oscar oss oss4 pam pcmcia pda pdf pic pnctl png portaudio postgres ppds python qt3 qt4 quicktime radius rdesktop readline rtc ruby samba scanner sdl session sharedmem shorten silc sip smp snmp sockets socks5 speex spell sqlite sqlite3 srtp sse sse2 ssl startup-notification subversion svg symlink sysfs sysvipc taglib tcl tcpd tga threads thunderbird tiff tordns truetype twolame unicode upnp urandom usb v4l v4l2 vcd vesa videos visualization vorbis wav wifi win32codecs wmf wxwindows x264 x86 xcomposite xine xml xorg xv xvid yahoo zeroconf zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev mouse synaptics keyboard joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="vga v4l intel i810" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS ========== Attempted vmalloc fix suggested by dmesg in boot options but 256,384 and, 512M did not suffice
Created attachment 199693 [details] kernel Config file that produces module errors
Created attachment 199695 [details] Functional config file
Created attachment 199696 [details, diff] diff of the Changes between the functional and non-functional config file
Created attachment 199698 [details] Log of shorewall failing to initialize leaving no netfilter rules established (open firewall)
We are working towards stabilizing 2.6.32-r9 for x86. Its already stable for amd64. Can the reporter try 2.6.32-r9 since the required SELinux patch should already have been applied.
(In reply to comment #5) > We are working towards stabilizing 2.6.32-r9 for x86. Its already stable for > amd64. Can the reporter try 2.6.32-r9 since the required SELinux patch should > already have been applied. > I've been using 2.6.32-hardened-r9 for several months now without issue, should this be RESOLVED FIXED?
(In reply to comment #6) > (In reply to comment #5) > > We are working towards stabilizing 2.6.32-r9 for x86. Its already stable for > > amd64. Can the reporter try 2.6.32-r9 since the required SELinux patch should > > already have been applied. > > > > I've been using 2.6.32-hardened-r9 for several months now without issue, should > this be RESOLVED FIXED? > Yes.
