
2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Sun Aug 23, 2009 8:09 pm
by x14sg1
Hello,

I have had this problem since vmalloc was changed (after 2.6.28.10) on a quad core machine, but not on a uni-processor machine. I am running the standard 2.6.30.4 kernel with the latest 2.6.30.4 patch (200908132040). The only thing I did was select "HIGH" for the grsecurity config. I can supply my .config file via email. I will see if I can post it somewhere.

One other thing, increasing vmalloc at the boot prompt (error msg recommends this) does not help.

Thank you

Tim

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Sun Aug 23, 2009 8:24 pm
by x14sg1
Hello,

Here is the config file: http://home.comcast.net/~x14sg1/.config

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Mon Aug 24, 2009 2:57 am
by PaX Team
x14sg1 wrote:I have had this problem
uhm, what is exactly the problem? ;)

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Mon Aug 24, 2009 12:05 pm
by x14sg1
Hello,

I run an iptables firewall. The iptables modules do not load, I get these errors in /var/adm/syslog (don't always see that first line)
and trying to increase vmalloc at boot time doesn't help (at least not up to 512M)

Aug 24 11:45:33 pc100 kernel: __ratelimit: 991 callbacks suppressed
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 12288 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 16384 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 8192 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 36864 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 12288 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 36864 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 8192 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 12288 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 36864 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 8192 failed: use vmalloc=<size> to increase size.

On the screen I see these when module loading is attempted

probe ip_tables (1): FATAL: Error inserting ip_tables (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/ip_tables.ko): Cannot allocate memory

probe ip_conntrack (1): FATAL: Error inserting nf_conntrack_ipv4 (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko): Cannot allocate memory

probe ip_conntrack_ftp (1): FATAL: Error inserting nf_conntrack_ftp (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/nf_conntrack_ftp.ko): Cannot allocate memory

probe ipt_conntrack (1): FATAL: Error inserting xt_conntrack (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/xt_conntrack.ko): Cannot allocate memory

probe ipt_limit (1): FATAL: Error inserting xt_limit (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/xt_limit.ko): Cannot allocate memory

probe ipt_state (1): FATAL: Error inserting xt_state (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/xt_state.ko): Cannot allocate memory

probe ipt_multiport (1): FATAL: Error inserting xt_multiport (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/xt_multiport.ko): Cannot allocate memory

probe iptable_filter (1): FATAL: Error inserting iptable_filter (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/iptable_filter.ko): Cannot allocate memory

probe iptable_mangle (1): FATAL: Error inserting iptable_mangle (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/iptable_mangle.ko): Cannot allocate memory

probe ipt_REJECT (1): FATAL: Error inserting ipt_REJECT (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/ipt_REJECT.ko): Cannot allocate memory

probe ipt_LOG (1): FATAL: Error inserting ipt_LOG (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/ipt_LOG.ko): Cannot allocate memory

probe ipt_TCPMSS (1): FATAL: Error inserting xt_TCPMSS (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/xt_TCPMSS.ko): Cannot allocate memory

then some msgs on iptables variables that can't be set, followed by tables that can't be initialized

I do not have these issues if I do not use the grsecurity patch


Hope this helps

Tim

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Mon Aug 24, 2009 1:45 pm
by PaX Team
x14sg1 wrote:I run an iptables firewall. The iptables modules do not load, I get these errors in /var/adm/syslog (don't always see that first line)
and trying to increase vmalloc at boot time doesn't help (at least not up to 512M)
does this work if you turn off KERNEXEC? also, can you send me the 'cat /proc/modules' and 'readelf -ed vmlinux' outputs please?

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Tue Aug 25, 2009 12:18 am
by x14sg1

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Wed Aug 26, 2009 5:56 pm
by PaX Team
x14sg1 wrote:As you suspected, turning off KERNEXEC did the trick. I have uploaded 4 files for you.
ok, it's the usual problem of the binary nvidia driver taking up all the space for executable module code (under i386/KERNEXEC it has to be pre-allocated at link time, it's around 6-7 MB). i'll increase it to >8MB in the next patch, but there should be a better way to size this area, maybe a .config option...

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Wed Aug 26, 2009 10:48 pm
by x14sg1
Thank you.

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Sun Aug 30, 2009 1:35 am
by x14sg1
Thanks

The patch fixed my problem.

You mentioned a kernel option as a possible future solution to this problem.

Is it possible for grsecurity to honor the vmalloc=64M boot parameter?

Tim

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Sun Aug 30, 2009 6:20 pm
by PaX Team
x14sg1 wrote:Is it possible for grsecurity to honor the vmalloc=64M boot parameter?
it already does, what i was talking about is a region used for module code (which is separate from the normal vmalloc region under i386/KERNEXEC).

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Sun Feb 14, 2010 6:21 am
by kamil
Hi.
IMHO this should get at least .config option + info in docs.
I've wasted half of a day trying to understand why I get vmap errors regardless of how much free vmalloc memory I have.

My problem was triggered by loading both nvidia & snd_ctxfi modules - raising code limit to 10 MB fixed it.

Best regards.

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Thu Feb 18, 2010 9:44 pm
by PaX Team
kamil wrote:IMHO this should get at least .config option + info in docs.
ok, i bit the bullet and added the .config option, i hope people won't get it wrong :P. also fixed a memory area leak reported by another user that manifested during repeated module loads/unloads.

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Sat Feb 20, 2010 10:54 am
by specs
The option is only visible in the i386 tree. With the x86_64 tree I did not see the option (which is OK for me).
With i386 the default seems to be 4MB.
CONFIG_PAX_KERNEXEC_MODULE_TEXT=4

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Posted: Mon Feb 22, 2010 8:30 am
by PaX Team
specs wrote:The option is only visible in the i386 tree.
only i386/KERNEXEC is 'special', other archs aren't/won't be since they lack the kind of segmentation logic that i386/KERNEXEC relies on.
With i386 the default seems to be 4MB.
yes it is. what was the question? ;) if you mean why i reduced it from the earlier 8+ MB then it's because the former figure was based on the nvidia kernel module size that people ran into in the past so i accommodated them but since it's easier to change now, they can bump up the number themselves.
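
Added example (not part of the thread and not grsecurity/PaX code): a pre-flight estimate of whether a set of i386 modules fits the module code region that `CONFIG_PAX_KERNEXEC_MODULE_TEXT` sizes in MB, obtained by summing the allocated executable sections of each `.ko`. Assumptions: allocations are page-granular and only executable sections consume this region; the function names, the header-only sample objects and their sizes are constructed for illustration.

```python
import struct

PAGE = 4096                          # assumption: allocations are page-granular
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4  # ELF section flags

def exec_bytes(elf: bytes) -> int:
    """Sum the sizes of allocated executable sections in an ELF32 LE object."""
    if elf[:6] != b"\x7fELF\x01\x01":
        raise ValueError("not a 32-bit little-endian ELF object")
    (e_shoff,) = struct.unpack_from("<I", elf, 32)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 46)
    total = 0
    for i in range(e_shnum):
        sh = struct.unpack_from("<10I", elf, e_shoff + i * e_shentsize)
        flags, size = sh[2], sh[5]
        if flags & SHF_ALLOC and flags & SHF_EXECINSTR:
            total += size
    return total

def check_budget(modules: dict, budget_mb: int):
    """Return (bytes_needed, fits) for a set of modules against the budget in MB."""
    need = sum(-(-exec_bytes(blob) // PAGE) * PAGE for blob in modules.values())
    return need, need <= budget_mb * 1024 * 1024

def fake_ko(sections):
    """Constructed header-only ELF32 object from [(sh_flags, sh_size), ...]."""
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    hdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 1, 3, 1, 0, 0, 52, 0,
                      52, 0, 0, 40, len(sections) + 1, 0)
    shdrs = bytes(40)                # index 0 is the mandatory null section
    for flags, size in sections:
        shdrs += struct.pack("<10I", 0, 1, flags, 0, 0, size, 0, 0, 16, 0)
    return hdr + shdrs

# Constructed sizes, not measurements of the real modules.
SAMPLE = {
    "big_binary_driver": fake_ko([(0x6, 0x3F0000), (0x3, 0x200000)]),
    "ip_tables": fake_ko([(0x6, 12000), (0x3, 4000)]),
    "nf_conntrack_ipv4": fake_ko([(0x6, 36000)]),
    "xt_state": fake_ko([(0x6, 8000)]),
    "iptable_filter": fake_ko([(0x6, 16000)]),
}

if __name__ == "__main__":
    for mb in (4, 8):
        need, ok = check_budget(SAMPLE, mb)
        print(f"budget {mb} MB: need {need} bytes -> {'fits' if ok else 'too small'}")
```

For real modules, pass the bytes read from each `.ko` file to `exec_bytes`; treat the result as an estimate, since it ignores any per-allocation overhead inside the kernel.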