Bug#529870: linux-image-2.6.26-2-686: Kernel panic when using SE Linux
Package: linux-image-2.6.26-2-686
Version: 2.6.26-15lenny2
Severity: important
In my tests the latest 2.6 kernels for i386 (both Xen and non-Xen) and for
AMD64 Xen will crash if SE Linux is enabled. The crash occurs even if SE Linux
is in permissive mode, so the kernel parameter "selinux=0" is required to
boot the machine after installing such a kernel.
Here is a back-trace from an AMD64 system:
[ 8.252947] kernel BUG at security/selinux/avc.c:883!
[ 8.252954] invalid opcode: 0000 [1] SMP
[ 8.252961] CPU 0
[ 8.252966] Modules linked in: ext3 jbd mbcache thermal_sys
[ 8.252978] Pid: 0, comm: swapper Not tainted 2.6.26-2-xen-amd64 #1
[ 8.252985] RIP: e030:[<ffffffff802e61dd>] [<ffffffff802e61dd>] avc_has_perm_noaudit+0x26/0x379
[ 8.253002] RSP: e02b:ffffffff80595a00 EFLAGS: 00010246
[ 8.253008] RAX: 0000000000000000 RBX: 0000000000000011 RCX: 0000000000000000
[ 8.253015] RDX: 0000000000000011 RSI: 0000000000000009 RDI: 0000000000000001
[ 8.253022] RBP: 0000000000000009 R08: 0000000000000000 R09: ffffffff80595ab0
[ 8.253028] R10: 0000000000000007 R11: ffffffff803e932b R12: 0000000000000011
[ 8.253034] R13: 0000000000000001 R14: 0000000000000009 R15: ffffffff80595b40
[ 8.253044] FS: 00007f7e2649f6e0(0000) GS:ffffffff80539000(0000) knlGS:0000000000000000
[ 8.253053] CS: e033 DS: 0000 ES: 0000
[ 8.253059] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8.253066] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 8.253073] Process swapper (pid: 0, threadinfo ffffffff80552000, task ffffffff804fe460)
[ 8.253081] Stack: 0000000000000000 ffffffff80595ab0 0000000000000000 0000001200000000
[ 8.253095] 0012880000000012 000000010000000c ffffffff804fe460 ffffffff00000000
[ 8.253106] 00000000ffffffff 00000001ffffffff ffffffff80595b90 ffffffff8026fe3e
[ 8.253115] Call Trace:
[ 8.253122] <IRQ> [<ffffffff8026fe3e>] ? mod_zone_page_state+0x2c/0x5b
[ 8.253135] [<ffffffff802e7049>] ? avc_has_perm+0x2b/0x5b
[ 8.253143] [<ffffffff802efd58>] ? sel_netport_sid+0x13b/0x16b
[ 8.253151] [<ffffffff802e9ec1>] ? selinux_ip_postroute+0x1eb/0x38b
[ 8.253160] [<ffffffff803dfab8>] ? nf_iterate+0x41/0x7d
[ 8.253168] [<ffffffff803e8e81>] ? ip_finish_output+0x0/0x241
[ 8.253175] [<ffffffff803dfb51>] ? nf_hook_slow+0x5d/0xbe
[ 8.253182] [<ffffffff803e8e81>] ? ip_finish_output+0x0/0x241
[ 8.253189] [<ffffffff803e93b4>] ? ip_output+0x89/0xa1
[ 8.253196] [<ffffffff803e8b3d>] ? ip_local_out+0x9/0x1f
[ 8.253204] [<ffffffff803e8e12>] ? ip_push_pending_frames+0x2bf/0x32e
[ 8.253211] [<ffffffff804075b4>] ? icmp_send+0x4fc/0x54b
[ 8.253220] [<ffffffff8020e911>] ? xen_clocksource_read+0xd/0x9c
[ 8.253228] [<ffffffff8020e9f1>] ? profile_pc+0x21/0x53
[ 8.253235] [<ffffffff803e08a8>] ? ipv4_link_failure+0x15/0x45
[ 8.253242] [<ffffffff804051cb>] ? arp_error_report+0x24/0x2d
[ 8.253250] [<ffffffff803cdcb2>] ? neigh_timer_handler+0x21d/0x313
[ 8.253257] [<ffffffff803cda95>] ? neigh_timer_handler+0x0/0x313
[ 8.253264] [<ffffffff802356b7>] ? run_timer_softirq+0x190/0x237
[ 8.253273] [<ffffffff80231ca0>] ? __do_softirq+0x77/0x103
[ 8.253280] [<ffffffff8020c13c>] ? call_softirq+0x1c/0x28
[ 8.253287] [<ffffffff8020e08a>] ? do_softirq+0x55/0xbb
[ 8.253294] [<ffffffff8020e16d>] ? do_IRQ+0x7d/0x9a
[ 8.253301] [<ffffffff8037d41c>] ? evtchn_do_upcall+0x13c/0x1fc
[ 8.253309] [<ffffffff8020bbde>] ? do_hypervisor_callback+0x1e/0x30
[ 8.253315] <EOI> [<ffffffff8020e795>] ? xen_safe_halt+0x90/0xa6
[ 8.253326] [<ffffffff8020a0c8>] ? xen_idle+0x2e/0x66
[ 8.253332] [<ffffffff80209cd6>] ? cpu_idle+0x97/0xb9
[ 8.253338]
[ 8.253342]
[ 8.253346] Code: 41 5e 41 5f c3 41 57 41 56 41 89 f6 41 55 41 89 fd 41 54 55 53 48 83 ec 68 85 c9 89 4c 24 18 44 89 44 24 14 4c 89 4c 24 08 75 04 <0f> 0b eb fe 0f b7 f2 48 c7 c0 50 f6 58 80 46 8d 24 b5 00 00 00
[ 8.253408] RIP [<ffffffff802e61dd>] avc_has_perm_noaudit+0x26/0x379
[ 8.253417] RSP <ffffffff80595a00>
[ 8.253424] ---[ end trace a7e19496a9366ab4 ]---
[ 8.253431] Kernel panic - not syncing: Aiee, killing interrupt handler!
I can provide i386 back-traces if desired. If you want a non-Xen back-trace I
could do that too, but getting a serial console going would take a little
time so I hope you can track this down without it.
-- Package-specific info:
-- System Information:
Debian Release: 5.0.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash
Versions of packages linux-image-2.6.26-2-686 depends on:
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii initramfs-tools [linux-initra 0.92o tools for generating an initramfs
ii module-init-tools 3.4-1 tools for managing Linux kernel mo
Versions of packages linux-image-2.6.26-2-686 recommends:
ii libc6-i686 2.7-18 GNU C Library: Shared libraries [i
Versions of packages linux-image-2.6.26-2-686 suggests:
ii grub 0.97-47lenny2 GRand Unified Bootloader (Legacy v
pn linux-doc-2.6.26 <none> (no description available)
-- debconf information excluded
Reply to: