ASLR seems to cause hibernate-related regressions on at least one test
system: https://linux-hardware.org/index.php?probe=e6a06c64c7

When the system tries to resume, it automatically reboots after the
hibernation image has been loaded into memory.

git bisect pointed to the following commit as the first "bad" one:

    commit 65fe935dd2387a4faf15314c73f5e6d31ef0217e
    Author: Kees Cook <keescook@chromium.org>
    Date: Mon Jun 13 15:10:02 2016 -0700

        x86/KASLR, x86/power: Remove x86 hibernation restrictions

Before this commit, KASLR was disabled (unless enabled explicitly) if
the system supported hibernation.

Let us just disable KASLR for now in the 32-bit kernels - not a big deal
for home & office use, I suppose.

The following commit seems to cause problems with hibernation on 32-bit
systems:

    commit 92923ca3aacef63c92dc297a75ad0c6dfe4eab37
    Author: Nathan Zimmer <nzimmer@sgi.com>
    Date: Tue Jun 30 14:56:48 2015 -0700

        mm: meminit: only set page reserved in the memblock region

Without this commit, it takes less than 10-15 seconds on our test system
(https://linux-hardware.org/index.php?probe=e6a06c64c7) from the
"systemctl hibernate" command until the system powers off. With the
mainline kernels 4.2-4.7, the system resumes OK.

With this commit, it takes more than 2 minutes for that system to
hibernate and it usually hangs on resume.

Let us revert the main parts of this commit in the 32-bit kernels for
now.

Among other things:
* BFQ was updated to v8r7 for 4.9.0
* AUFS was updated to version 4.9-20161219
* inotify-increase-max-user-watches.patch was dropped: it is better to
  tune such things from user space instead.

1. Got rid of statistics to simplify maintenance. Changing global
   kernel structures is not a thing to take lightly.
2. Removed sanitization of pages. Starting from kernel 4.6, page
   poisoning should be used instead. To enable it, set page_poison=on in
   the boot options for the kernel.
3. The sanitization patch is now applied only if enhanced security is
   enabled (disabled by default for ROSA Fresh, enabled for cert. builds).
   You can also use "rpmbuild -ba --with enhanced_security <...>" to force
   enable the feature.
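
The two boot-time settings named in the entries above, page_poison=on and KASLR, can be audited from a kernel command line and build config. The script below is an added example, not part of the original commit messages or the ROSA package; its function names and sample input are constructed, and its KASLR result assumes a kernel that already contains the "Remove x86 hibernation restrictions" commit.

```sh
#!/bin/sh
# Added example: audit a kernel command line and .config for page poisoning
# and KASLR. All function names here are hypothetical helpers.
set -f  # cmdline tokens are split on whitespace; never glob-expand them

# cmdline_value CMDLINE KEY: print the value of the last KEY=... token
cmdline_value() {
    val=""
    for tok in $1; do
        case "$tok" in "$2"=*) val=${tok#*=} ;; esac
    done
    printf '%s' "$val"
}

# cmdline_has CMDLINE WORD: succeed if the bare token WORD is present
cmdline_has() {
    for tok in $1; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# config_on FILE SYMBOL: succeed if SYMBOL=y is set in a kernel .config
config_on() { grep -q "^$2=y\$" "$1"; }

# page_poison_state CMDLINE CONFIG: enabled | disabled | unsupported
page_poison_state() {
    config_on "$2" CONFIG_PAGE_POISONING || { echo unsupported; return; }
    if [ "$(cmdline_value "$1" page_poison)" = on ]; then echo enabled
    else echo disabled; fi
}

# kaslr_state CMDLINE CONFIG: enabled | disabled | unsupported
# Assumes a kernel where hibernation support no longer turns KASLR off.
kaslr_state() {
    config_on "$2" CONFIG_RANDOMIZE_BASE || { echo unsupported; return; }
    if cmdline_has "$1" nokaslr; then echo disabled; else echo enabled; fi
}

# Constructed sample input, not taken from a real system.
SAMPLE_CMDLINE="root=/dev/sda1 ro quiet page_poison=off page_poison=on nokaslr"
SAMPLE_CONFIG=$(mktemp)
printf '%s\n' CONFIG_PAGE_POISONING=y CONFIG_RANDOMIZE_BASE=y >"$SAMPLE_CONFIG"
echo "page poisoning: $(page_poison_state "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG")"
echo "KASLR: $(kaslr_state "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG")"
rm -f "$SAMPLE_CONFIG"
```

On a running system the same functions can be fed the contents of /proc/cmdline and the installed kernel's config file; a result of "unsupported" means the option was not built in, so the boot parameter has no effect.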