[grsec] Kernel Hangs: Highmem and GRSECURITY

Gladiston Justini gadi at justisecure.com.br
Tue Sep 5 07:15:47 EDT 2006


Marcelo,

	Test it now, I have already corrected the date and time.


Regards,
Gladiston Justini

On Tue, 05 Sep 2006 14:59:53 +0200
pageexec at freemail.hu wrote:

> On 5 Sep 2006 at 4:51, Syed Ahemed wrote:
> 
> > My linux kernel acting as a router with grsecurity and Highmem enabled
> > hangs after 3 hours of heavy traffic.
> 
> what version of linux/grsec is this exactly? if not the latest,
> you should at least try to reproduce it with that then. also, are
> any other patches applied? if yes, try to reproduce the problem
> with grsec applied alone.
> 
> > I have tried Magic-sysrq and KDB debugging unsuccessfully to find the
> > cause of the hang.
> 
> is anything logged on the console?
> 
> > The reason i suspect the connection is pretty straight
> > forward as a configuration.
> 
> you could also post your .config.
> 
> > Highmem has been there in my 1GB ram kernel for ages now.
> > When PAX is enabled via the grsecurity patch, We actually split the
> > 3GB user space to 1.5-1.5 of exec n no exec memory via the
> > segmentation feature. Right?
> 
> that's when you enable SEGMEXEC, PAGEEXEC doesn't do the split.
> 
> > But the statistics drags highmem into this. On a high traffic load, The
> > amount of Highmem available is very less just before the kernel hangs
> > (It reduces from 15MB available to 2 MB as shown below)
> 
> i don't see what highmem has to do with this, but what you describe
> above could be the result of some OOM situation the kernel can't
> recover from, or some memory leak, etc. to determine whether any of
> this is our fault or not we need more information from you as stated
> above.
> 
> > My questions
> > 
> > 1] Is there a connection between Highmem and Segmentation Exec feature of PAX?
> 
> they're independent.
> 
> > 2] Highmem can be disabled but i want to retain Segmentation Exec
> > feature for security concerns.
> 
> are you saying that if you disable highmem but keep the rest of your
> grsec config, the problem doesn't manifest?