Ubuntu
linux package

selinux kernel panic 2.6.28-13.45

Bug #395219 reported by Caleb Case
18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Invalid
Medium
Andy Whitcroft
Jaunty
Fix Released
Medium
Manoj Iyer

Bug Description

SRU Justification:

Impact: kernel panics when SELinux is enabled.

Fix: A non-upstream patch from Eric Paris fixes this issue specifically for Ubuntu.

"Ubuntu users were experiencing a kernel panic when they enabled SELinuxdue to an old bug in our handling of the compatibility mode network controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
Most distros have not used the compat_net code since the new code was introduced and so noone has hit this problem before. Ubuntu is the only distro I know that enabled that legacy cruft by default. But, I was ask
to look at it and found that the above patch changed a call to avc_has_perm from if(send_perm) to if(!send_perm) in selinux_ip_postroute_iptables_compat(). The result is that users who turn on SELinux and have compat_net set can (and oftern will) BUG() in avc_has_perm_noaudit since they are requesting 0 permissions.

This patch corrects that accidental bug introduction."

Testcase: Testkernel (see below)

---

I believe this is an accidental regression related to:

https://bugs.launchpad.net/bugs/357041

Several patches were tried for this bug, with most of them causing kernel panics similar to the one attached. The final patch was tested out for the -14 kernel and worked ok.

Thanks,

Caleb

See original description
Revision history for this message
Caleb Case (calebcase) wrote :
tags: added: regression-potential
Manoj Iyer (manjo)
Changed in linux (Ubuntu):
assignee: nobody → Manoj Iyer (manjo)
Manoj Iyer (manjo)
Changed in linux (Ubuntu):
status: New → In Progress
Revision history for this message
Manoj Iyer (manjo) wrote :

Can you please test the kernel in

http://people.ubuntu.com/~manjo/lp395219-jaunty/

and verify that it fixes the panic ?

Changed in linux (Ubuntu):
status: In Progress → Incomplete
Revision history for this message
Caleb Case (calebcase) wrote :

That fixes the panic. Thanks Manoj!

Stefan Bader (smb)
description: updated
Stefan Bader (smb)
Changed in linux (Ubuntu Jaunty):
assignee: nobody → Manoj Iyer (manjo)
importance: Undecided → Medium
status: New → Fix Committed
Revision history for this message
Caleb Case (calebcase) wrote :

Which version of the kernel was this committed to? I'm still seeing this problem in the latest: 2.6.28-14.47

Revision history for this message
Martin Pitt (pitti) wrote :

Accepted linux into jaunty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Revision history for this message
Caleb Case (calebcase) wrote :

The kernel from -proposed looks ok.

root@jjs:~# uname -a
Linux jjs 2.6.28-15-server #52-Ubuntu SMP Wed Sep 9 11:50:50 UTC 2009 i686 GNU/Linux

root@jjs:~# apt-cache policy linux-image-2.6.28-15-server
linux-image-2.6.28-15-server:
  Installed: 2.6.28-15.52
  Candidate: 2.6.28-15.52
  Version table:
 *** 2.6.28-15.52 0
        500 http://192.168.1.101 jaunty-proposed/main Packages
        100 /var/lib/dpkg/status
     2.6.28-15.49 0
        500 http://192.168.1.101 jaunty-updates/main Packages
        500 http://192.168.1.101 jaunty-security/main Packages

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.28-15.52

---------------
linux (2.6.28-15.52) jaunty-proposed; urgency=low

  [ Stefan Bader ]

  * Revert "SAUCE: ACPI: Populate DIDL before registering ACPI video device
    on Intel"
    - LP: #423296
  * SAUCE: Allow less restrictive acpi video detection
    - LP: #333386

  [ Upstream Kernel Changes ]

  * include drivers/pci/hotplug/* in -virtual package
    - LP: #364916
  * ext4: don't call jbd2_journal_force_commit_nested without journal
    - LP: #418197
  * ext4: fix ext4_free_inode() vs. ext4_claim_inode() race
    - LP: #418197
  * ext4: fix bogus BUG_ONs in in mballoc code
    - LP: #418197
  * ext4: fix typo which causes a memory leak on error path
    - LP: #418197
  * ext4: Fix softlockup caused by illegal i_file_acl value in on-disk
    inode
    - LP: #418197
  * ext4: Fix sub-block zeroing for writes into preallocated extents
    - LP: #418197
  * jbd2: Call journal commit callback without holding j_list_lock
    - LP: #418197
  * ext4: Print the find_group_flex() warning only once
    - LP: #367065
  * ext4: really print the find_group_flex fallback warning only once
    - LP: #367065

linux (2.6.28-15.51) jaunty-proposed; urgency=low

  [ Colin Ian King ]

  * SAUCE: wireless: hostap, fix oops due to early probing interrupt
    - LP: #254837

  [ Leann Ogasawara ]

  * Add the atl1c driver to support Atheros AR8132
    - LP: #415358
  * Updating configs to enable the atl1c driver
    - LP: #415358

  [ Stefan Bader ]

  * Revert "SAUCE: input: Blacklist digitizers from joydev.c"
    - LP: #300143
  * SAUCE: Fix the exported name for e1000e-next
    - LP: #402890
  * SAUCE: Fix incorrect stable backport to bas_gigaset
    - LP: #417732
  * SAUCE: Remove the atl2 driver from the ubuntu subdirectory
    - LP: #419438

linux (2.6.28-15.50) jaunty-proposed; urgency=low

  [ Colin Ian King ]

  * SAUCE: radio-maestro: fix panics on probe failure
    - LP: #357724
  * SAUCE: HDA Intel, sigmatel: Enable speakers on HP Mini 1000
    - LP: #318942

  [ Jerone Young ]

  * SAUCE: Fix Soltech TA12 volume hotkeys not sending key release in
    Jaunty
    - LP: #397499

  [ John Johansen ]

  * SAUCE: remove AppArmor debug check for calls from interrupt context
    - LP: #350789

  [ Manoj Iyer ]

  * SAUCE: Fix kernel panic when SELinux is enabled.
    - LP: #395219

  [ Matthew Garrett ]

  * SAUCE: ACPI: Populate DIDL before registering ACPI video device on
    Intel

  [ Michael Frey (Senior Manager, MID ]

  * SAUCE: Fix for internal microphone for Dell Mini10V
    - LP: #394793

  [ Tim Gardner ]

  * SAUCE: Added e1000e from sourceforge.
    - LP: #402890

  [ Upstream Kernel Changes ]

  * Input: synaptics - report multi-taps only if supported by the device
    - LP: #399787
  * ftdi_sio: fix kref leak
    - LP: #396930, #376128
  * IPv6: add "disable" module parameter support to ipv6.ko
    - LP: #351656

 -- Stefan Bader <email address hidden> Thu, 27 Aug 2009 15:09:06 +0200

Changed in linux (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Andy Whitcroft (apw)
Changed in linux (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Andy Whitcroft (apw) wrote :

Ok this code was removed as it was deprecated in the commit below, therefore karmic is not affected. Closing Invalid.

  commit 58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2
  Author: Paul Moore <email address hidden>
  Date: Fri Mar 27 17:10:41 2009 -0400

    selinux: Remove the "compat_net" compatibility code

Changed in linux (Ubuntu):
assignee: Manoj Iyer (manjo) → Andy Whitcroft (apw)
importance: Medium → Undecided
status: Incomplete → Invalid
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.