# Warning: /boot/System.map has an incorrect kernel version.

## Atom2

Hello Forum,

I have a strange message when using

```
# ps -l | grep xyz

Warning: /boot/System.map has an incorrect kernel version.

Warning: /usr/src/linux/System.map has an incorrect kernel version.

#
```

The warning message is only produced when the -l option is part of the ps command.

I have already done the obvious: Recompiled the kernel, even with a prior

```
# make mrproper
```

Properly re-installed all modules, copied the kernel to /boot, copied (and alternatively) symlinked the current newly created System.map (checked by modify date) to /boot but the message persists after a reboot of the system.

During the compile a high number of section mismatch warnings came up, but those apparently should/could be ignored (source: http://www.gossamer-threads.com/lists/gentoo/user/223422; I could not really find any real solution for those mismatches).

There is currently no other kernel installed on the system (in /boot). The kernel used is 3.2.11-hardened on a x86_64 architecture.

Any idea what I could do to get rid of that or any further information I could provide to aid in solving this.

Many thanks in advance and best regards Atom2

----------

## BillWho

Atom2,

For lack of any brilliant ideas, I would check the use flags and try to rebuild sys-process/procps and all its dependencies.

```
emerge -pv $(equery g =sys-process/procps-3.3.3|sed -e 's/\[  [0-1]\]//'|cut -d: -f2|while read f; do ! [[ -z $f ]] && echo =$f;done|xargs)
```

Replace '=sys-process/procps-3.3.3' with your version.

Good luck

----------

## Atom2

Bill, thanks for your try. I did what you suggested, but unfortunately to no avail.

The only two packages that were (re)emerged were procps and ncurses:

```
sys-process/procps-3.2.8_p11

   sys-libs/ncurses-5.9-r2
```

Also a strace of ps shows that it actually finds the System.map and is also able to open it. But then it is obviously unhappy about what it finds and prints the error message. A second try with other common locations yields the same result - that's why the error message turns up twice. The problem I have - and I was not successful in googling - is that I don't know how ps determines if it's happy with a map or not. If somebody could shed some light on this, I might be able to track the source of the problem a step further:

```
execve("/bin/ps", ["ps", "-l"], [/* 22 vars */]) = 0

brk(0)                                  = 0x6fd9e313f90

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x67f4dae25000

access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY)      = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=48786, ...}) = 0

mmap(NULL, 48786, PROT_READ, MAP_PRIVATE, 3, 0) = 0x67f4dae19000

close(3)                                = 0

open("/lib64/libproc-3.2.8.so", O_RDONLY) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`B\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0555, st_size=67512, ...}) = 0

mmap(NULL, 2240480, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x67f4da9e5000

mprotect(0x67f4da9f5000, 2093056, PROT_NONE) = 0

mmap(0x67f4dabf4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xf000) = 0x67f4dabf4000

mmap(0x67f4dabf6000, 73696, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x67f4dabf6000

close(3)                                = 0

open("/lib64/libc.so.6", O_RDONLY)      = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200#\2\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=1616968, ...}) = 0

mmap(NULL, 3727112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x67f4da657000

mprotect(0x67f4da7dc000, 2093056, PROT_NONE) = 0

mmap(0x67f4da9db000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x184000) = 0x67f4da9db000

mmap(0x67f4da9e0000, 20232, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x67f4da9e0000

close(3)                                = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x67f4dae18000

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x67f4dae17000

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x67f4dae16000

arch_prctl(ARCH_SET_FS, 0x67f4dae17700) = 0

mprotect(0x67f4da9db000, 16384, PROT_READ) = 0

mprotect(0x67f4dabf4000, 4096, PROT_READ) = 0

mprotect(0x6fd9e2e7000, 16384, PROT_READ) = 0

mprotect(0x67f4dae28000, 4096, PROT_READ) = 0

munmap(0x67f4dae19000, 48786)           = 0

brk(0)                                  = 0x6fd9e313f90

brk(0x6fd9e334f90)                      = 0x6fd9e334f90

brk(0x6fd9e335000)                      = 0x6fd9e335000

open("/proc/version", O_RDONLY)         = 3

fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x67f4dae24000

read(3, "Linux version 3.2.11-hardened (r"..., 1024) = 145

close(3)                                = 0

munmap(0x67f4dae24000, 4096)            = 0

brk(0x6fd9e334000)                      = 0x6fd9e334000

open("/proc/stat", O_RDONLY|O_CLOEXEC)  = 3

read(3, "cpu  177 0 369 299765 1305 0 6 0"..., 8192) = 1935

close(3)                                = 0

rt_sigaction(SIGSYS, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGPWR, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGIO, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGVTALRM, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGXFSZ, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGXCPU, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGURG, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGTTIN, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGCONT, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGCHLD, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGSTKFLT, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGTERM, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGALRM, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGPIPE, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGUSR2, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGSEGV, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGUSR1, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGFPE, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGBUS, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGABRT, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGTRAP, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGILL, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

rt_sigaction(SIGHUP, {0x6fd9e0d6570, ~[RTMIN RT_1], SA_RESTORER, 0x67f4da68ca50}, NULL, 8) = 0

open("/proc/self/stat", O_RDONLY)       = 3

read(3, "1912 (ps) R 1911 1911 1899 34816"..., 1023) = 198

close(3)                                = 0

ioctl(1, TIOCGWINSZ, {ws_row=43, ws_col=132, ws_xpixel=0, ws_ypixel=0}) = 0

ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0

geteuid()                               = 0

open("/proc/uptime", O_RDONLY)          = 3

lseek(3, 0, SEEK_SET)                   = 0

read(3, "377.87 2997.80\n", 2047)       = 15

open("/proc/sys/kernel/pid_max", O_RDONLY) = 4

read(4, "32768\n", 24)                  = 6

close(4)                                = 0

mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x67f4dadf4000

mprotect(0x67f4dae15000, 4096, PROT_NONE) = 0

open("/proc/meminfo", O_RDONLY)         = 4

lseek(4, 0, SEEK_SET)                   = 0

read(4, "MemTotal:       32937632 kB\nMemF"..., 2047) = 1142

stat("/proc/self/wchan", 0x771e2dae5df0) = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="vm-host", ...}) = 0

NOTE: Here ps starts trying to open the System.map from various locations:

stat("/boot/System.map-3.2.11-hardened", 0x771e2dae5df0) = -1 ENOENT (No such file or directory)

stat("/boot/System.map", {st_mode=S_IFREG|0644, st_size=1857500, ...}) = 0

open("/boot/System.map", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 5

fstat(5, {st_mode=S_IFREG|0644, st_size=1857500, ...}) = 0

mmap(NULL, 1857501, PROT_READ|PROT_WRITE, MAP_PRIVATE, 5, 0) = 0x67f4dac2e000

close(5)                                = 0

mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x67f4da636000

mremap(0x67f4da636000, 135168, 266240, MREMAP_MAYMOVE) = 0x67f4da5f5000

mremap(0x67f4da5f5000, 266240, 528384, MREMAP_MAYMOVE) = 0x67f4da574000

mremap(0x67f4da574000, 528384, 1052672, MREMAP_MAYMOVE) = 0x67f4da473000

write(2, "Warning: /boot/System.map has an"..., 59Warning: /boot/System.map has an incorrect kernel version.

) = 59

munmap(0x67f4da473000, 1052672)         = 0

munmap(0x67f4dac2e000, 1857501)         = 0

stat("/lib/modules/3.2.11-hardened/System.map", 0x771e2dae5df0) = -1 ENOENT (No such file or directory)

stat("/usr/src/linux/System.map", {st_mode=S_IFREG|0644, st_size=1857500, ...}) = 0

open("/usr/src/linux/System.map", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 5

fstat(5, {st_mode=S_IFREG|0644, st_size=1857500, ...}) = 0

mmap(NULL, 1857501, PROT_READ|PROT_WRITE, MAP_PRIVATE, 5, 0) = 0x67f4dac2e000

close(5)                                = 0

brk(0x6fd9e365000)                      = 0x6fd9e365000

brk(0x6fd9e3f5000)                      = 0x6fd9e3f5000

brk(0x6fd9e4b5000)                      = 0x6fd9e4b5000

write(2, "Warning: /usr/src/linux/System.m"..., 68Warning: /usr/src/linux/System.map has an incorrect kernel version.

) = 68

munmap(0x67f4dac2e000, 1857501)         = 0

stat("/System.map", 0x771e2dae5df0)     = -1 ENOENT (No such file or directory)
```

----------

## BillWho

Atom2,

I noticed that procps-3.2.8_p11  is pulled from stable and ncurses-5.9-r2 from unstable.

```
 * dependency graph for sys-process/procps-3.2.8_p11

 `--  sys-process/procps-3.2.8_p11  amd64 

   `--  sys-libs/ncurses-5.9-r2  (>=sys-libs/ncurses-5.2-r2) ~amd64  [unicode?]

[ sys-process/procps-3.2.8_p11 stats: packages (2), max depth (1) ]

```

Was wondering if you would want to give sys-process/procps-3.3.2_p2-r1 a shot if you can with the hardened kernel.

Again, this is for lack of any brilliant ideas on this end.

----------

## Jaglover

Simple things first, is your /boot on a separate partition? Are you running the kernel you think you are? uname -v

----------

## Atom2

Jaglover,

thanks for your reply.

 *Jaglover wrote:*   

> Simple things first, is your /boot on a separate partition?

 

Yes, /boot is a separate partition, ext4 formatted and not part of an LVM. GRUB is the bootloader.

 *Jaglover wrote:*   

> Are you running the kernel you think you are? uname -v

 

```
# uname -v

#2 SMP Fri May 25 21:45:57 UTC 2012
```

What I find interesting is the output of uname -v - I have never used that before, I usually use uname -a:

```
# uname -a

Linux vm-host 3.2.11-hardened #2 SMP Fri May 25 21:45:57 UTC 2012 x86_64 Intel(R) Xeon(R) CPU E31260L @ 2.40GHz GenuineIntel GNU/Linux
```

But it appears that uname -v (according to the manual: the kernel version) comes up with #2 as the version ... I have no clue where that comes from, but I guess we are on some sort of track to the root of the problem here ...

Regards Atom2

----------

## Jaglover

Any chance you forgot to mount the /boot when messing with kernels? Try mounting and umounting, is it empty after umount?

----------

## Atom2

Jaglover,

thanks for your continued support.

 *Jaglover wrote:*   

> Any chance you forgot to mount the /boot when messing with kernels? Try mounting and umounting, is it empty after umount?

 

Yep, /boot is empty after umount - so I guess that's a strong indication that it has never been unmounted when I worked on the kernel.

Regards Atom2

----------

## Jaglover

Hmmm ... mmm ... any chance you are hacked? If everything else matches then the only reason for this warning I'm aware of is rootkit. Hope it's not the case.

----------

## Atom2

 *Jaglover wrote:*   

> Hmmm ... mmm ... any chance you are hacked? If everything else matches then the only reason for this error I'm aware of is rootkit. Hope it's not the case.

 

Would not hope so as well and honestly don't think so. It's a pretty fresh install (only a few weeks old) and I am just testing a few things on KVM and PCI passthrough (pretty difficult task with PCI cards that have shared interrupts - currently seems to be impossible, but still working with a few ideas ...). 

Furthermore the system is sitting behind a hardware firewall from LANCOM with only a private IP address (192.168.xx.yy range) and outgoing Internet connection only. At the moment ssh is the only externally (in the sense of from the internal network; the firewall does not forward any ports to the box) available service running.

Two ideas are left:

1.) Why does uname -v actually show #2 as version (see above)?

2.) Could somebody with an identical hardened system (X86_64) try out the command ps -l and in case it works probably post his/her .config for kernel configuration for me to be able to figure out any differences?

Thanks and best regards Atom2

P.S. Trying to switch to a newer version of ps (sys-process/procps-3.3.2_p2-r1) resulted in the following Q&A warning - so I did not pursue that any further. But might do, if nothing else comes up ...

```
 * QA Notice: Package triggers severe warnings which indicate that it

 *            may exhibit random runtime failures.

 * pgrep.c:782:4: warning: too few arguments for format

 * Please do not file a Gentoo bug and instead report the above QA

 * issues directly to the upstream developers of this software.

 * Homepage: http://procps.sourceforge.net/ http://gitorious.org/procps http://packages.debian.org/sid/procps
```

----------

## BillWho

Atom2,

 *Quote:*   

> 1.) Why does uname -v actually show #2 as version (see above)? 

 

You mentioned recompiling the kernel and running mrproper. The #2 denotes the second compile for that kernel source so it's not an avenue to pursue for the error.

As far as the qa notice goes, it's probably best not to bump the procps version.

----------

## Atom2

BillWho,

 *BillWho wrote:*   

> You mentioned recompiling the kernel and running mrproper. The #2 denotes the second compile for that kernel source so it's not an avenue to pursue for the error.

 

Thanks for clarifying this.

----------
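An independent way to test whether a System.map belongs to the running kernel, which is the question the thread keeps returning to. This is an added example, not part of any post above and not the check procps itself performs: it compares text-symbol addresses in the map with `/proc/kallsyms`. It assumes no kernel address randomization (true for the 3.2.11 kernel discussed) and that kallsyms addresses are readable; the function names and sample symbols are constructed for illustration.

```shell
#!/bin/sh
# Usage: sysmap_check SYSTEM_MAP [KALLSYMS]
# Prints "matched=N conflicts=N". Returns 0 = map is consistent with the
# running kernel, 1 = addresses differ (stale or foreign map),
# 2 = kallsyms addresses are hidden (kptr_restrict / not root): no verdict.
sysmap_check() {
    map=$1
    ksyms=${2:-/proc/kallsyms}
    awk '
        # kallsyms: skip module symbols (they carry a 4th "[module]" field).
        src == "k" {
            if (NF != 3) next
            if ($1 !~ /^0+$/) visible = 1
            pair[$1 " " $3] = 1
            known[$3] = 1
            next
        }
        # System.map: text symbols only; kallsyms may omit data symbols.
        src == "m" && ($2 == "T" || $2 == "t") {
            if (($1 " " $3) in pair) matched++
            else if ($3 in known) { if (++conflicts <= 3) names = names " " $3 }
        }
        END {
            printf "matched=%d conflicts=%d\n", matched, conflicts
            if (!visible) exit 2
            if (names != "") print "differs:" names
            exit ((conflicts > 0 || matched == 0) ? 1 : 0)
        }
    ' src=k "$ksyms" src=m "$map"
}

# Constructed sample data: a matching map, a stale map, and a kallsyms
# dump with zeroed addresses. Echoes the three return codes.
sysmap_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ffffffff81000000 T _stext' 'ffffffff810001f0 t do_one_initcall' \
        'ffffffffa0001000 t e1000_probe [e1000]' > "$d/kallsyms"
    printf '%s\n' 'ffffffff81000000 T _stext' 'ffffffff810001f0 t do_one_initcall' \
        'ffffffff81a00000 D init_task' > "$d/good.map"
    printf '%s\n' 'ffffffff81000000 T _stext' \
        'ffffffff81000230 t do_one_initcall' > "$d/stale.map"
    printf '%s\n' '0000000000000000 T _stext' > "$d/hidden"
    a=0; sysmap_check "$d/good.map" "$d/kallsyms" >/dev/null || a=$?
    b=0; sysmap_check "$d/stale.map" "$d/kallsyms" >/dev/null || b=$?
    c=0; sysmap_check "$d/good.map" "$d/hidden" >/dev/null || c=$?
    rm -rf "$d"
    echo "$a $b $c"
}
```

On a live system, run `sysmap_check /boot/System.map` as root; a return code of 2 means the kernel is hiding addresses and the comparison says nothing either way.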

