# Hardened Gentoo panic on ifconfig eth0/eth1 with 2 8169 NICs

## morgenstern

I have a laptop with a built-in RTL8101/8102E (100BaseTX) and a CardBus-connected RTL8169 (Netgear GA511) GigE NIC.

I just installed Gentoo with the latest portage + hardened Stage 3 (32 bit) as of 22 April 2010 via the latest release boot ISO CD.

lspci output: http://pastebin.com/8YXR9a0N

.config: http://pastebin.com/xmEnepHD

I have the "yenta_socket" modules built into the kernel and "r8169" built as a module, or statically compiled into the kernel. Either configuration results in a kernel panic as soon as I ifconfig it with a network cable plugged into the interface.

When I boot with the normal sources (not hardened-sources), I get linux-2.6.32-gentoo-r7 with the same config (for the most part, obviously excepting the grsecurity stuff), which works perfectly.

When I use "Interactive" service startup mode, if I skip net.eth0, I can boot the hardened kernel just fine.

Its dmesg output is here: http://pastebin.com/44DSSE8X

Windoze XP and 7 Ultimate work flawlessly with both NICs.  This is not a "bad switch" or cable problem, guys.

I prefer to use the GigE card when I can for speed of course, but I share it with another laptop. 

-------- GENERAL Gentoo Network Config Issue *NOT* Hardened Related --------

Configuring Gentoo to deal with this "elegantly" seems a bit hard, since it insists upon assigning eth0 to the INTERNAL NIC. (I don't connect them both simultaneously, it's just an either/or proposition).

Changing /etc/conf.d/rc to:

```
RC_HOTPLUG="no"
RC_COLDPLUG="yes"
RC_PLUG_SERVICES="!*"
```

does seem to help, but I still need to mess with net.eth[01]. It'd be nice to be able to set up something that tries to configure eth0 only if eth1 isn't uppable.  I can probably jury rig it by grepping dmesg, but that seems ugly, ugly, ugly.

The kernel panic with the 8169 shocked the hell out of me, though.  I use grsecurity-patched "vanilla" 2.6 kernels (on Slackware-derived systems) without any dramas, but those are SuperMicro servers in hosting facilities. Those use Intel NICs exclusively as well.

----------

## richard.scott

Have you tried re-compiling the kernel without any hardened features activated?

----------

## morgenstern

 *richard.scott wrote:*   

> Have you tried re-compiling the kernel without any hardened features activated?

 You mean the 2.6.28, since the 2.6.32 kernel works fine?

OK, I suppose I can try that.

Why are the hardened-sources so lagged from the mainline 2.6/grsecurity releases, by the way?  I used to manually integrate a large custom patchset when I used Slackware, which incorporated some of Con Kolivas's LCK, along with grsecurity and a few other things, without THAT much drama.

----------

## richard.scott

 *morgenstern wrote:*   

> Why are the hardened-sources so lagged from the mainline 2.6/grsecurity releases, by the way? 

 

I've no idea... I've taken to using the overlay to get my kernel releases... seems stable enough for me.

Rich.

----------

## morgenstern

 *richard.scott wrote:*   

> Have you tried re-compiling the kernel without any hardened features activated?

 When I disable PaX + grsecurity, but leave everything else alone, I don't get kernel panics when I UP eth0 or eth1.

But that's hardly a solution, since I already have a working "non-hardened" kernel (and a newer one at that). I guess that rules out RTL 8169 bugs in that specific kernel revision (ones that aren't affected by PaX/grsecurity).

I'll try "pure" vanilla 2.6.33.3+grsecurity next.  From what I can see from portage, the patches to the mainline kernel don't look very large or "important".

I'm not at all new to Linux, but I'm trying out Gentoo given that I've historically preferred "lean" distros where I only install what I want/need onto a system. I used to use Slackware for that reason, but it was very slow with moving to x64, which is what the vast bulk of my systems are these days.  The FreeBSD "ports" style "make world" rebuilding capability has strong appeal to me as well.

Update: Pure 2.6.33.2+grsecurity works perfectly. How odd.

I guess it's "routine" for hardened-gentoo users to go "vanilla", then?

----------

## Rexilion

Hardened-sources seems to lag since the Gentoo devs want to test them real good before stabling them. You can use the anarchy overlay for newer hardened-sources:

http://git.overlays.gentoo.org/gitweb/?p=dev/anarchy.git;a=tree;f=sys-kernel/hardened-sources;h=a4869ab71bcaf4ffff201aec1db930d1dd821e66;hb=HEAD

```
layman -a anarchy
```

???

----------

