Re: Linux 3.2: backports some features from mainline kernel (3.7)?
Hi, You have written that the sysctl kernel.modules_disabled=1 option is available. I know that, but with cryptographically signed modules the kernel can check the signature and refuse to load any module that can't be verified. Whether this sysctl option offers something similar? By writing, that symlink and hardlink restrictions are already backported and enabled by default in the Debian package, You mean a kernel package, right? Best regards!
Bug#696425: additional log entries
We enabled verbose logging of qla2xxx driver and get these messages, where the 6 lines Dec 21 12:59:02 ivt-namoluk kernel: [251878.590150] qla2xxx [:04:00.0]-382b:11: Dec 21 12:59:02 ivt-namoluk kernel: [251878.590155] qla2xxx [:04:00.0]-381c:11: Check condition Sense data, scsi(11:0:0:0) cmd=8807b2cd2880. Dec 21 12:59:02 ivt-namoluk kernel: [251878.590162] qla2xxx [:04:00.0]-382b:11: 0 1 2 3 4 5 6 7 8 9 Ah Bh Ch Dh Eh Fh Dec 21 12:59:02 ivt-namoluk kernel: [251878.590165] qla2xxx [:04:00.0]-382b:11: -- Dec 21 12:59:02 ivt-namoluk kernel: [251878.590168] qla2xxx [:04:00.0]-382b:11: f0 00 02 00 00 00 00 0b 00 00 00 00 04 01 00 00 Dec 21 12:59:02 ivt-namoluk kernel: [251878.590179] 00 00 are repeated 7689 times before the error occurs. Dec 21 12:59:02 ivt-namoluk kernel: [251878.582150] 00 00 Dec 21 12:59:02 ivt-namoluk kernel: [251878.582154] qla2xxx [:04:00.0]-382b:11: Dec 21 12:59:02 ivt-namoluk kernel: [251878.582159] qla2xxx [:04:00.0]-381c:11: Check condition Sense data, scsi(11:0:0:0) cmd=8807b2cd2380. Dec 21 12:59:02 ivt-namoluk kernel: [251878.582166] qla2xxx [:04:00.0]-382b:11: 0 1 2 3 4 5 6 7 8 9 Ah Bh Ch Dh Eh Fh Dec 21 12:59:02 ivt-namoluk kernel: [251878.582169] qla2xxx [:04:00.0]-382b:11: -- Dec 21 12:59:02 ivt-namoluk kernel: [251878.582172] qla2xxx [:04:00.0]-382b:11: f0 00 02 00 00 00 00 0b 00 00 00 00 04 01 00 00 Dec 21 12:59:02 ivt-namoluk kernel: [251878.582183] 00 00 Dec 21 12:59:02 ivt-namoluk kernel: [251878.582186] qla2xxx [:04:00.0]-382b:11: Dec 21 12:59:02 ivt-namoluk kernel: [251878.590121] qla2xxx [:04:00.0]-381c:11: Check condition Sense data, scsi(11:0:0:0) cmd=8807b2cd2380. Dec 21 12:59:02 ivt-namoluk kernel: [251878.590126] qla2xxx [:04:00.0]-382b:11: 0 1 2 3 4 5 6 7 8 9 Ah Bh Ch Dh Eh Fh Dec 21 12:59:02 ivt-namoluk kernel: [251878.590130] qla2xxx [:04:00.0]-382b:11: -- Dec 21 12:59:02 ivt-namoluk kernel: [251878.590133] qla2xxx [:04:00.0]-382b:11: f0 00 02 00 00 00 00 0b 00 00 00 00 04 01 00 00 Dec 21 12:59:02 ivt-namoluk kernel: [251878.590146] 00 00 Dec 21 12:59:02 ivt-namoluk kernel: [251878.590150] qla2xxx [:04:00.0]-382b:11: Dec 21 12:59:02 ivt-namoluk kernel: [251878.590155] qla2xxx [:04:00.0]-381c:11: Check condition Sense data, scsi(11:0:0:0) cmd=8807b2cd2880. Dec 21 12:59:02 ivt-namoluk kernel: [251878.590162] qla2xxx [:04:00.0]-382b:11: 0 1 2 3 4 5 6 7 8 9 Ah Bh Ch Dh Eh Fh Dec 21 12:59:02 ivt-namoluk kernel: [251878.590165] qla2xxx [:04:00.0]-382b:11: -- Dec 21 12:59:02 ivt-namoluk kernel: [251878.590168] qla2xxx [:04:00.0]-382b:11: f0 00 02 00 00 00 00 0b 00 00 00 00 04 01 00 00 Dec 21 12:59:02 ivt-namoluk kernel: [251878.590179] 00 00 Dec 21 12:59:02 ivt-namoluk kernel: [251878.590182] qla2xxx [:04:00.0]-382b:11: Dec 21 12:59:09 ivt-namoluk kernel: [251885.556011] qla2xxx [:04:00.0]-3822:11: FCP command status: 0x15-0xb00 (0x7) oxid=0x23c cdb=8a len=0x7000 rsp_info=0x0 resid=0x7000 fw_resid=0x7000. Dec 21 12:59:09 ivt-namoluk kernel: [251885.556108] qla2xxx [:04:00.0]-3822:11: FCP command status: 0x15-0xb00 (0x7) oxid=0x23d cdb=8a len=0x1000 rsp_info=0x0 resid=0x1000 fw_resid=0x1000. Dec 21 12:59:09 ivt-namoluk kernel: [251885.556117] sd 11:0:0:0: [sda] Unhandled error code Dec 21 12:59:09 ivt-namoluk kernel: [251885.556120] sd 11:0:0:0: [sda] Result: hostbyte=DID_ERROR driverbyte=DRIVER_OK Dec 21 12:59:09 ivt-namoluk kernel: [251885.556124] sd 11:0:0:0: [sda] CDB: Write(16): 8a 00 00 00 00 03 a3 42 06 b8 00 00 00 38 00 00 Dec 21 12:59:09 ivt-namoluk kernel: [251885.556194] sd 11:0:0:0: [sda] Unhandled error code Dec 21 12:59:09 ivt-namoluk kernel: [251885.556196] sd 11:0:0:0: [sda] Result: hostbyte=DID_ERROR driverbyte=DRIVER_OK Dec 21 12:59:09 ivt-namoluk kernel: [251885.556199] sd 11:0:0:0: [sda] CDB: Write(16): 8a 00 00 00 00 04 26 6d a1 68 00 00 00 08 00 00 Dec 21 12:59:09 ivt-namoluk kernel: [251885.556319] EXT4-fs warning (device sda2): ext4_end_bio:251: I/O error writing to inode 190719341 (offset 0 size 4096 starting block 2228073518) Dec 21 12:59:09 ivt-namoluk kernel: [251885.556367] JBD2: Detected IO errors while flushing file data on sda2-8 -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/f7f53d7a0eb5274e89563a1888b0919c0ea7e...@mbx20.d.ethz.ch
Re: Linux 3.2: backports some features from mainline kernel (3.7)?
On Fri, 2012-12-21 at 12:45 +0100, daniel curtis wrote: Hi, You have written that the sysctl kernel.modules_disabled=1 option is available. I know that, but with cryptographically signed modules the kernel can check the signature and refuse to load any module that can't be verified. Whether this sysctl option offers something similar? It's even more secure! :-) By writing, that symlink and hardlink restrictions are already backported and enabled by default in the Debian package, You mean a kernel package, right? Yes, the Debian package of the Linux kernel, that's what we talk about here... Ben. -- Ben Hutchings Make three consecutive correct guesses and you will be considered an expert. signature.asc Description: This is a digitally signed message part
Re: Bug#696038: ITP: compat-wireless-3.5.4 -- backported linux wireless drivers
On Mon, 2012-12-17 at 12:41 +1100, Jayen Ashar wrote: On Mon, Dec 17, 2012 at 12:07 PM, Ben Hutchings b...@decadent.org.uk wrote: On Mon, 2012-12-17 at 11:14 +1100, Jayen Ashar wrote: Hi kernel team, I intend to package the stable versions of compat-wireless and compat-drivers (when available) as module-assistant packages, starting with compat-wireless 3.5.4. The reason I am using module-assistant (instead of dkms) is so that embedded users of debian can compile distribute kernel module packages without needing a compiler on the embedded device. This is not a reason to avoid DKMS, as you can use 'dkms mkdeb' to build a package for installation elsewhere. didn't know about mkdeb. will start looking at dkms (at least for our internal use). thanks. I am starting with 3.5.4 because I have already packaged it for my company and have tested it internally with the squeeze kernel. Since wheezy is now frozen, this cannot be added to wheezy and therefore cannot be added to squeeze-backports either. So this will not be a very effective way to help other squeeze users. Could it be added to wheezy-backports? Yes, once it's in testing for jessie. The official kernel package (linux-2.6/linux source package) does get stable updates to extend hardware support, but not as many as I would like. I would really like to see compat-drivers integrated into the linux source package so users don't need to look for extra package or a special installer. But we will need to ensure that there is adequate regression testing whenever we update compat-drivers in stable. Would you be interesting in working on this? It would help many more users than a separate package. Are you asking for work on adding it to linux-source, or doing some testing? I'm not sure I could provide adequate testing on any version other than the one's my company is running. I'm requesting that you work on adding it to the linux source package and do what testing you can. In any case we'll have to ask users for beta testing. Before you do that work, though, it would need to be agreed among the kernel and release teams that we should update drivers in this way. But I hope that's not too controversial. Ben. -- Ben Hutchings Make three consecutive correct guesses and you will be considered an expert. signature.asc Description: This is a digitally signed message part
Re: Linux 3.2: backports some features from mainline kernel (3.7)?
Hi Mr Hutchings, Could you explain, in short, why it is more secure? It seems, that cryptographically signed modules are something... don't know, more secure, *because before loading the module, the kernel can check the signature and refuse to load any that can't be verified.* ;-) symlink and hardlink protection also applies to the 2.6.32-5 kernel or it is backported only to the 3.2 version? Both protection seems to be implemented some time ago, right? I mean patch for kernel (not only Debian). I have to apologize for such naive questions, but I started to using Debian a couple of weeks ago and I want to know something more about Project, Debian and everything related etc. One more thing; Is there any website where I can to find any informations about patches, changes backported, for example, from PAX/Grsecurity projects to the Debian kernel - 2.6.32 and 3.2? Best regards!
Re: Linux 3.2: backports some features from mainline kernel (3.7)?
On Fri, 2012-12-21 at 17:48 +0100, daniel curtis wrote: Hi Mr Hutchings, Could you explain, in short, why it is more secure? It seems, that cryptographically signed modules are something... don't know, more secure, because before loading the module, the kernel can check the signature and refuse to load any that can't be verified. ;-) I suppose you're right. If an attacker can overwrite modules but not the kernel image, and they can force a reboot, then a signature check will prevent the modified modules being loaded whereas setting kernel.modules_disabled=1 during the boot process will not. symlink and hardlink protection also applies to the 2.6.32-5 kernel or it is backported only to the 3.2 version? Both protection seems to be implemented some time ago, right? I mean patch for kernel (not only Debian). Only for 3.2. I have to apologize for such naive questions, but I started to using Debian a couple of weeks ago and I want to know something more about Project, Debian and everything related etc. One more thing; Is there any website where I can to find any informations about patches, changes backported, for example, from PAX/Grsecurity projects to the Debian kernel - 2.6.32 and 3.2? I don't think there's any summary of that, though I am intending to write a blog entry along these lines for the wheezy release (based on 3.2). Ben. -- Ben Hutchings Make three consecutive correct guesses and you will be considered an expert. signature.asc Description: This is a digitally signed message part
Bug#696505: linux-image-3.2.0-4-amd64: saa7146 based DVB-C card causes repeated error messages
Package: src:linux Version: 3.2.32-1 Severity: normal Dear Maintainer, I have some problems getting my system running stable after upgrading it to wheezy. My system is used as a vdr and is equipped with multiple DVB cards. It seems that the 2 installed Terratec Cinergy 1200 DVB-C (saa-7146) cards cause some problems when running an actual kernel. The same system including these DVB cards is running stable with Squeeze on a homebrew 2.6.33 kernel with extra DVB drivers (dvb-s2api-liplianin-0~2010-06-11.hg15345) When booting wheezy – system usually comes up ok all DVB cards are usable until programs like update-grub2 are executed (seems like it has to do with HDD access) . Often while update-grub2 is detecting the other installations the system starts showing error messages like: [ 528.416023] DVB: TDA10023(3): tda10023_readreg: readreg error (reg == 0x1c, ret == -1) [ 528.428071] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 528.428081] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 528.428088] saa7146: interrupt_hw: disabling interrupt source(s)! I tried to compile and install a new kernel (3.7.1)- but I could not see any change compared to the installed debian kernel. I also tried a similar kernel (2.6.33 ) and driver combination than the one in used by my squeeze installation. I could not reproduce the error but did not succeed getting all hardware running. After removing the two Cinergy (saa-7146) cards from the system I could not reproduce the problem anymore. p_body -- Package-specific info: ** Version: Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-12) ) #1 SMP Debian 3.2.32-1 ** Command line: BOOT_IMAGE=/boot/vmlinuz-3.2.0-4-amd64 root=UUID=c361d309-f014-460d-aa29-63cb9a8fa73d ro irqpoll ** Tainted: PO (4097) * Proprietary module has been loaded. * Out-of-tree module has been loaded. ** Kernel log: [ 1780.518620] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.538602] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.538610] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 1780.538618] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.558602] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.558611] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 1780.558619] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.578603] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.578612] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 1780.578620] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.598601] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.598610] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 1780.598617] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.618601] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.618610] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 1780.618618] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.638600] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.638609] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 1780.638618] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.658603] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.658611] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 1780.658619] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.678600] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.678609] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 1780.678616] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.698597] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.698606] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 1780.698614] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.718596] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.718606] saa7146: interrupt_hw: warning: interrupt enabled, but not handled properly.(0xe7fcfbff) [ 1780.718613] saa7146: interrupt_hw: disabling interrupt source(s)! [ 1780.738600] saa7146: saa7146 (1): unexpected i2c irq: isr e7fffbff psr ssr [ 1780.738609] saa7146: interrupt_hw: warning: interrupt enabled,