Bug 975360

Summary: A userspace app crash made the kernel OOPS in elf_core_dump
Product: [Fedora] Fedora
Reporter: Michele Baldessari <michele>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 18
CC: dvlasenk, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, michele, onestero
Target Milestone: ---
Target Release: ---
Hardware: All
OS: All
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-11-02 20:20:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments:
binfmt_elf.o (flags: none)
binfmt_elf.s (flags: none)

Description Michele Baldessari 2013-06-18 08:51:48 UTC
Description of problem:
[ 4149.472387] ksmtuned[32540]: segfault at 3303fb3a00 ip 0000003303cbb5aa sp 00007fff66c998b0 error 7 in libc-2.16.so[3303c00000+1ad000]
[ 4149.477498] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a1
[ 4149.477534] IP: [<ffffffff811f3770>] elf_core_dump+0xaf0/0x1530
[ 4149.477560] PGD 135fb7067 PUD 138c30067 PMD 0 
[ 4149.477581] Oops: 0000 [#1] SMP 
[ 4149.477597] Modules linked in: ebtable_nat ebtables xt_CHECKSUM iptable_mangle bridge stp llc be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_addr ib_sa ib_mad ib_core raid1 iTCO_wdt iTCO_vendor_support acpi_cpufreq snd_hda_codec_hdmi mperf coretemp arc4 snd_hda_codec_realtek microcode serio_raw i2c_i801 rt2800pci rt2800lib rt2x00pci rt2x00mmio rt2x00lib eeprom_93cx6 snd_hda_intel mac80211 lpc_ich snd_hda_codec mfd_core r8169 snd_hwdep mii snd_seq snd_seq_device cfg80211 snd_pcm snd_page_alloc rfkill snd_timer crc_ccitt mei snd soundcore vhost_net
[ 4149.477948]  tun macvtap macvlan kvm_intel kvm nfsd auth_rpcgss nfs_acl lockd uinput sunrpc binfmt_misc crc32_pclmul crc32c_intel i915 ghash_clmulni_intel video i2c_algo_bit drm_kms_helper drm i2c_core
[ 4149.478033] CPU 3 
[ 4149.478043] Pid: 32540, comm: ksmtuned Not tainted 3.9.5-201.fc18.x86_64 #1                  /H67
[ 4149.478077] RIP: 0010:[<ffffffff811f3770>]  [<ffffffff811f3770>] elf_core_dump+0xaf0/0x1530
[ 4149.478116] RSP: 0018:ffff880136331a68  EFLAGS: 00010202
[ 4149.478135] RAX: 0000000000000000 RBX: 0000000000000b7a RCX: ffffc90027c68000
[ 4149.478160] RDX: 0000000000000018 RSI: ffffc90027c67fe8 RDI: ffffc90027c6746e
[ 4149.478184] RBP: ffff880136331c48 R08: 006f732e36312e32 R09: 2d6362696c2f3436
[ 4149.478209] R10: 2d6362696c2f3436 R11: 62696c2f7273752f R12: 0000000000000018
[ 4149.478233] R13: 0000000000000001 R14: ffffc90027c67486 R15: ffffc90027c67178
[ 4149.478258] FS:  00007f66ba994740(0000) GS:ffff88013fb80000(0000) knlGS:0000000000000000
[ 4149.478286] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4149.478306] CR2: 00000000000000a1 CR3: 000000011dadc000 CR4: 00000000000427f0
[ 4149.478331] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4149.478356] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 4149.478380] Process ksmtuned (pid: 32540, threadinfo ffff880136330000, task ffff88011915ddc0)
[ 4149.478409] Stack:
[ 4149.478417]  ffff880119159770 ffff880118f42400 0000000000000340 ffff88011915ddc0
[ 4149.478447]  0000000000000340 0000002400000024 ffff880100000340 ffffffff81c21f20
[ 4149.478477]  ffff880136331cf8 ffff880100001000 ffffc90027c67340 ffff88008d4f9980
[ 4149.478507] Call Trace:
[ 4149.478520]  [<ffffffff81093db7>] ? wake_up_process+0x27/0x50
[ 4149.478543]  [<ffffffff810798ef>] ? call_usermodehelper_fns+0x11f/0x220
[ 4149.478568]  [<ffffffff811fb300>] ? cn_printf+0x100/0x100
[ 4149.478588]  [<ffffffff811fba40>] do_coredump+0x600/0xd10
[ 4149.478609]  [<ffffffff81074322>] get_signal_to_deliver+0x1b2/0x5d0
[ 4149.478633]  [<ffffffff810143a7>] do_signal+0x57/0x5b0
[ 4149.478653]  [<ffffffff816578e0>] ? printk+0x61/0x63
[ 4149.478672]  [<ffffffff81014980>] do_notify_resume+0x80/0xb0
[ 4149.478694]  [<ffffffff8166203c>] retint_signal+0x48/0x8c
[ 4149.478713] Code: 48 8b 81 90 02 00 00 4c 8b 28 4d 85 ed 0f 84 da 09 00 00 4c 8b b5 70 fe ff ff c7 85 88 fe ff ff 00 00 00 00 0f 1f 80 00 00 00 00 <49> 8b 85 a0 00 00 00 48 85 c0 74 60 48 8d 78 10 89 da 4c 89 f6 
[ 4149.478862] RIP  [<ffffffff811f3770>] elf_core_dump+0xaf0/0x1530
[ 4149.479937]  RSP <ffff880136331a68>
[ 4149.481021] CR2: 00000000000000a1
[ 4149.485469] ---[ end trace 958e51ffea97c6c0 ]---
[ 4149.486559] BUG: unable to handle kernel NULL pointer dereference at 0000000000000009
[ 4149.487665] IP: [<ffffffff810c7b00>] acct_collect+0x60/0x1b0
[ 4149.488745] PGD 135fb7067 PUD 138c30067 PMD 0 
[ 4149.489828] Oops: 0000 [#2] SMP 
[ 4149.490906] Modules linked in: ebtable_nat ebtables xt_CHECKSUM iptable_mangle bridge stp llc be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_addr ib_sa ib_mad ib_core raid1 iTCO_wdt iTCO_vendor_support acpi_cpufreq snd_hda_codec_hdmi mperf coretemp arc4 snd_hda_codec_realtek microcode serio_raw i2c_i801 rt2800pci rt2800lib rt2x00pci rt2x00mmio rt2x00lib eeprom_93cx6 snd_hda_intel mac80211 lpc_ich snd_hda_codec mfd_core r8169 snd_hwdep mii snd_seq snd_seq_device cfg80211 snd_pcm snd_page_alloc rfkill snd_timer crc_ccitt mei snd soundcore vhost_net
[ 4149.497674]  tun macvtap macvlan kvm_intel kvm nfsd auth_rpcgss nfs_acl lockd uinput sunrpc binfmt_misc crc32_pclmul crc32c_intel i915 ghash_clmulni_intel video i2c_algo_bit drm_kms_helper drm i2c_core
[ 4149.499883] CPU 3 
[ 4149.499893] Pid: 32540, comm: ksmtuned Tainted: G      D      3.9.5-201.fc18.x86_64 #1                  /H67
[ 4149.502037] RIP: 0010:[<ffffffff810c7b00>]  [<ffffffff810c7b00>] acct_collect+0x60/0x1b0
[ 4149.503128] RSP: 0018:ffff8801363316b8  EFLAGS: 00010202
[ 4149.504206] RAX: 0000000000000001 RBX: ffff880119274840 RCX: 000000000000002d
[ 4149.505291] RDX: 000000015808f7c0 RSI: 0000000000000001 RDI: ffff880118725568
[ 4149.506382] RBP: ffff8801363316d8 R08: ffffffffffffffff R09: 00000000ffffffff
[ 4149.507473] R10: 0000000000000001 R11: 00007ffffffff000 R12: ffff88011915ddc0
[ 4149.508565] R13: 0000000000000009 R14: 0000000000000000 R15: ffff88011915ddc0
[ 4149.509646] FS:  00007f66ba994740(0000) GS:ffff88013fb80000(0000) knlGS:0000000000000000
[ 4149.510735] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4149.511810] CR2: 0000000000000009 CR3: 000000011dadc000 CR4: 00000000000427f0
[ 4149.512894] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4149.513981] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 4149.515067] Process ksmtuned (pid: 32540, threadinfo ffff880136330000, task ffff88011915ddc0)
[ 4149.516212] Stack:
[ 4149.517284]  0000000000000009 0000000000007f1c 0000000000000246 0000000000000000
[ 4149.518383]  ffff880136331778 ffffffff81064f11 0000000000000000 00000000000000a1
[ 4149.519478]  0000000136331758 ffffffff816578e0 0000000000aaaaaa 0000000000000010
[ 4149.520571] Call Trace:
[ 4149.521641]  [<ffffffff81064f11>] do_exit+0x7a1/0xa30
[ 4149.522713]  [<ffffffff816578e0>] ? printk+0x61/0x63
[ 4149.523780]  [<ffffffff81662de2>] oops_end+0xa2/0xf0
[ 4149.524845]  [<ffffffff816571cd>] no_context+0x253/0x27e
[ 4149.525910]  [<ffffffff816573b8>] __bad_area_nosemaphore+0x1c0/0x1df
[ 4149.526979]  [<ffffffff81657610>] bad_area+0x44/0x4c
[ 4149.528045]  [<ffffffff81665975>] __do_page_fault+0x225/0x4f0
[ 4149.529118]  [<ffffffff8116e28b>] ? vmap_page_range_noflush+0x23b/0x340
[ 4149.530198]  [<ffffffff81665c4e>] do_page_fault+0xe/0x10
[ 4149.531277]  [<ffffffff81662218>] page_fault+0x28/0x30
[ 4149.532323]  [<ffffffff811f3770>] ? elf_core_dump+0xaf0/0x1530
[ 4149.533338]  [<ffffffff811f37b7>] ? elf_core_dump+0xb37/0x1530
[ 4149.534336]  [<ffffffff81093db7>] ? wake_up_process+0x27/0x50
[ 4149.535329]  [<ffffffff810798ef>] ? call_usermodehelper_fns+0x11f/0x220
[ 4149.536331]  [<ffffffff811fb300>] ? cn_printf+0x100/0x100
[ 4149.537329]  [<ffffffff811fba40>] do_coredump+0x600/0xd10
[ 4149.538317]  [<ffffffff81074322>] get_signal_to_deliver+0x1b2/0x5d0
[ 4149.539297]  [<ffffffff810143a7>] do_signal+0x57/0x5b0
[ 4149.540270]  [<ffffffff816578e0>] ? printk+0x61/0x63
[ 4149.541242]  [<ffffffff81014980>] do_notify_resume+0x80/0xb0
[ 4149.542197]  [<ffffffff8166203c>] retint_signal+0x48/0x8c
[ 4149.543124] Code: 00 00 00 74 56 49 8b bc 24 90 02 00 00 48 83 c7 68 e8 55 79 59 00 49 8b 84 24 90 02 00 00 48 8b 00 48 85 c0 74 1c 31 d2 0f 1f 00 <48> 03 50 08 48 2b 10 48 8b 40 10 48 85 c0 75 f0 49 89 d6 49 c1 
[ 4149.545191] RIP  [<ffffffff810c7b00>] acct_collect+0x60/0x1b0
[ 4149.546135]  RSP <ffff8801363316b8>
[ 4149.547050] CR2: 0000000000000009
[ 4149.547952] ---[ end trace 958e51ffea97c6c1 ]---
[ 4149.547952] Fixing recursive fault but reboot is needed!
[ 4149.547941] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a1
[ 4149.550630] IP: [<ffffffff81203bee>] show_map_vma+0x2e/0x270
[ 4149.551513] PGD 104002067 PUD 12296a067 PMD 0 
[ 4149.552386] Oops: 0000 [#3] SMP 
[ 4149.553245] Modules linked in: ebtable_nat ebtables xt_CHECKSUM iptable_mangle bridge stp llc be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_addr ib_sa ib_mad ib_core raid1 iTCO_wdt iTCO_vendor_support acpi_cpufreq snd_hda_codec_hdmi mperf coretemp arc4 snd_hda_codec_realtek microcode serio_raw i2c_i801 rt2800pci rt2800lib rt2x00pci rt2x00mmio rt2x00lib eeprom_93cx6 snd_hda_intel mac80211 lpc_ich snd_hda_codec mfd_core r8169 snd_hwdep mii snd_seq snd_seq_device cfg80211 snd_pcm snd_page_alloc rfkill snd_timer crc_ccitt mei snd soundcore vhost_net
[ 4149.559085]  tun macvtap macvlan kvm_intel kvm nfsd auth_rpcgss nfs_acl lockd uinput sunrpc binfmt_misc crc32_pclmul crc32c_intel i915 ghash_clmulni_intel video i2c_algo_bit drm_kms_helper drm i2c_core
[ 4149.561099] CPU 1 
[ 4149.561111] Pid: 32541, comm: abrt-hook-ccpp Tainted: G      D      3.9.5-201.fc18.x86_64 #1                  /H67
[ 4149.563105] RIP: 0010:[<ffffffff81203bee>]  [<ffffffff81203bee>] show_map_vma+0x2e/0x270
[ 4149.564117] RSP: 0018:ffff880135c9dda8  EFLAGS: 00010282
[ 4149.565120] RAX: ffff880138bf7dc0 RBX: 0000000000000001 RCX: ffff8800800c34c8
[ 4149.566130] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8800962a6000
[ 4149.567142] RBP: ffff880135c9de48 R08: 0000000000001000 R09: 00000000000006a5
[ 4149.568151] R10: 0000000000000000 R11: 000000000000000f R12: ffff8800962a6000
[ 4149.569159] R13: ffff88011915ddc0 R14: ffff880135c9df50 R15: ffff8800962a6000
[ 4149.570192] FS:  00007fad986e47c0(0000) GS:ffff88013fa80000(0000) knlGS:0000000000000000
[ 4149.571224] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4149.572254] CR2: 00000000000000a1 CR3: 000000010410f000 CR4: 00000000000427f0
[ 4149.573296] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4149.574340] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 4149.575382] Process abrt-hook-ccpp (pid: 32541, threadinfo ffff880135c9c000, task ffff880119159770)
[ 4149.576441] Stack:
[ 4149.577490]  ffff88010000002d ffffffff00000070 0000000000000000 ffffffff00000000
[ 4149.578581]  ffff880100000000 0000000000000000 ffff880135c9de14 ffffffff8106c082
[ 4149.579686]  ffff88011915ddc0 ffff880118725500 ffff88011915ddc0 000000018105c454
[ 4149.580786] Call Trace:
[ 4149.581873]  [<ffffffff8106c082>] ? ptrace_may_access+0x32/0x50
[ 4149.582967]  [<ffffffff81203e5c>] show_map+0x2c/0x90
[ 4149.584081]  [<ffffffff81203ef3>] show_pid_map+0x13/0x20
[ 4149.585189]  [<ffffffff811c1a30>] seq_read+0x230/0x3b0
[ 4149.586271]  [<ffffffff811a01b9>] vfs_read+0xa9/0x180
[ 4149.587348]  [<ffffffff811a0432>] sys_read+0x52/0xa0
[ 4149.588431]  [<ffffffff810dfd8c>] ? __audit_syscall_exit+0x20c/0x2c0
[ 4149.589526]  [<ffffffff8166a2d9>] system_call_fastpath+0x16/0x1b
[ 4149.590607] Code: 66 90 55 48 89 e5 48 81 ec a0 00 00 00 48 89 5d d8 4c 89 65 e0 48 89 f3 4c 89 6d e8 4c 89 75 f0 49 89 fc 4c 89 7d f8 48 8b 47 68 <4c> 8b b6 a0 00 00 00 4c 8b 6e 40 89 55 bc 48 8b 76 50 48 8b 40 
[ 4149.592950] RIP  [<ffffffff81203bee>] show_map_vma+0x2e/0x270
[ 4149.594047]  RSP <ffff880135c9dda8>
[ 4149.595125] CR2: 00000000000000a1
[ 4149.596268] ---[ end trace 958e51ffea97c6c2 ]---


Version-Release number of selected component (if applicable):
3.9.5-201.fc18.x86_64

How reproducible:
First time it happened

Steps to Reproduce:
1. It seems that ksmtuned crashing triggered the oops

Comment 1 Josh Boyer 2013-07-01 17:48:45 UTC
Oleg, have you seen anything like this?

Comment 2 Oleg Nesterov 2013-07-01 19:30:21 UTC
(In reply to Josh Boyer from comment #1)
> Oleg, have you seen anything like this?

No...

Josh, if you have 3.9.5-201.fc18 sources installed, could
you send me (privately) the result of "make fs/binfmt_elf.s" ?
And "objdump -d fs/binfmt_elf.o" just in case.

Not sure this will help, but elf_core_dump+0xaf0 tells me
almost nothing :/

Is it easy to reproduce? I mean, does the kernel crash
every time / often if you send a coredumping sig to ksmtuned?

Comment 3 Michele Baldessari 2013-07-01 20:36:59 UTC
Hi Oleg,

Nope, definitely not reproducible. I just tried sending SIGSEGV to ksmtuned multiple times and nothing out of the ordinary showed up. (The box was upgraded to 3.9.6-200 for the record.)

I'll try fiddling some more and update here if I can somehow reproduce.

regards,
Michele

Comment 4 Oleg Nesterov 2013-07-02 22:15:51 UTC
Hi Michele,

(In reply to Michele Baldessari from comment #3)
>
> Nope, definitely not reproducible.

As expected ;)

> I'll try fiddling some more and update here if I can somehow reproduce

Thanks.

Meanwhile I am trying to guess where it crashes. scripts/decodecode
reports:

	All code
	========
	   0:	48 8b 81 90 02 00 00 	mov    0x290(%rcx),%rax
	   7:	4c 8b 28             	mov    (%rax),%r13
	   a:	4d 85 ed             	test   %r13,%r13
	   d:	0f 84 da 09 00 00    	je     0x9ed
	  13:	4c 8b b5 70 fe ff ff 	mov    -0x190(%rbp),%r14
	  1a:	c7 85 88 fe ff ff 00 	movl   $0x0,-0x178(%rbp)
	  21:	00 00 00
	  24:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
	  2b:*	49 8b 85 a0 00 00 00 	mov    0xa0(%r13),%rax		<-- trapping instruction
	  32:	48 85 c0             	test   %rax,%rax
	  35:	74 60                	je     0x97
	  37:	48 8d 78 10          	lea    0x10(%rax),%rdi
	  3b:	89 da                	mov    %ebx,%edx
	  3d:	4c 89 f6             	mov    %r14,%rsi

	Code starting with the faulting instruction
	===========================================
	   0:	49 8b 85 a0 00 00 00 	mov    0xa0(%r13),%rax
	   7:	48 85 c0             	test   %rax,%rax
	   a:	74 60                	je     0x6c
	   c:	48 8d 78 10          	lea    0x10(%rax),%rdi
	  10:	89 da                	mov    %ebx,%edx
	  12:	4c 89 f6             	mov    %r14,%rsi

My fs/binfmt_elf.s is quite different, but I tried to search for the
constants above. And this part looks promising:

	movq	160(%r12), %rax	# <variable>.vm_file, file
	testq	%rax, %rax	# file
	je	.L82	#,
	leaq	16(%rax), %rdi	#, tmp429
	movl	%r14d, %edx	# remaining, remaining
	movq	%r13, %rsi	# name_curpos.1180, name_curpos.1180
	call	d_path	#

If my wild guess is correct, this is fill_files_note()... r13 is vma.
But it is not mm->mmap, rax == 0... looks like vma->next is corrupted?
Unlikely.

Comment 5 Denys Vlasenko 2013-07-12 15:30:14 UTC
I recompiled 3.9.5-201.fc18.x86_64 on my machine (meaning: same source, different gcc). Attaching resulting binfmt_elf.{o,s}

Comment 6 Denys Vlasenko 2013-07-12 15:31:26 UTC
Created attachment 772764 [details]
binfmt_elf.o

Comment 7 Denys Vlasenko 2013-07-12 15:32:02 UTC
Created attachment 772765 [details]
binfmt_elf.s

Comment 8 Denys Vlasenko 2013-07-12 15:44:21 UTC
Disassembly of binfmt_elf.o:

     fa6:       48 89 85 80 fe ff ff    mov    %rax,-0x180(%rbp)
     fad:       48 8b 85 48 fe ff ff    mov    -0x1b8(%rbp),%rax
     fb4:       48 8b 80 90 02 00 00    mov    0x290(%rax),%rax
     fbb:       4c 8b 28                mov    (%rax),%r13
     fbe:       4d 85 ed                test   %r13,%r13
     fc1:       0f 84 ee 0c 00 00       je     1cb5 <elf_core_dump+0x1895>
     fc7:       c7 85 90 fe ff ff 00    movl   $0x0,-0x170(%rbp)
     fce:       00 00 00
     fd1:       0f 1f 80 00 00 00 00    nopl   0x0(%rax)
     fd8:       49 8b 85 a0 00 00 00    mov    0xa0(%r13),%rax
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     fdf:       48 85 c0                test   %rax,%rax
     fe2:       74 61                   je     1045 <elf_core_dump+0xc25>
     fe4:       48 8d 78 10             lea    0x10(%rax),%rdi
     fe8:       89 da                   mov    %ebx,%edx
     fea:       4c 89 f6                mov    %r14,%rsi
     fed:       e8 00 00 00 00          callq  ff2 <elf_core_dump+0xbd2>
                        fee: R_X86_64_PC32      d_path-0x4
     ff2:       48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
     ff8:       0f 87 74 0c 00 00       ja     1c72 <elf_core_dump+0x1852>
     ffe:       89 d9                   mov    %ebx,%ecx
    1000:       4c 89 f7                mov    %r14,%rdi
    1003:       48 89 c6                mov    %rax,%rsi
    1006:       4c 01 f1                add    %r14,%rcx
    1009:       89 c3                   mov    %eax,%ebx
    100b:       49 83 c7 18             add    $0x18,%r15
    100f:       41 89 cc                mov    %ecx,%r12d
    1012:       44 29 f3                sub    %r14d,%ebx
    1015:       41 29 c4                sub    %eax,%r12d
    1018:       4c 89 e2                mov    %r12,%rdx
    101b:       4d 01 e6                add    %r12,%r14
    101e:       e8 00 00 00 00          callq  1023 <elf_core_dump+0xc03>
                        101f: R_X86_64_PC32     memmove-0x4

Corresponding binfmt_elf.s:

        movq    %rax, -384(%rbp)        # name_curpos, %sfp
.LVL288:
        .loc 1 1439 0
        movq    -440(%rbp), %rax        # %sfp, pfo_ret__
.LVL289:
        movq    656(%rax), %rax # pfo_ret___772->mm, pfo_ret___772->mm
        movq    (%rax), %r13    # _773->mmap, vma
.LVL290:
        testq   %r13, %r13      # vma
        je      .L273   #,
        .loc 1 1438 0
        movl    $0, -368(%rbp)  #, %sfp
.LVL291:
        .p2align 4,,10
        .p2align 3
.L199:
.LBB1503:
        .loc 1 1443 0
        movq    160(%r13), %rax # vma_1103->vm_file, file
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.LVL292:
        .loc 1 1444 0
        testq   %rax, %rax      # file
        je      .L194   #,
        .loc 1 1446 0
        leaq    16(%rax), %rdi  #, D.32731
        movl    %ebx, %edx      # remaining,
        movq    %r14, %rsi      # name_curpos,
        call    d_path  #
.LVL293:
        .loc 1 1447 0
        cmpq    $-4096, %rax    #, filename
        ja      .L515   #,
        .loc 1 1458 0
        movl    %ebx, %ecx      # remaining, D.32709
        .loc 1 1460 0
        movq    %r14, %rdi      # name_curpos,
        movq    %rax, %rsi      # filename,
        .loc 1 1458 0
        addq    %r14, %rcx      # name_curpos, D.32732
.LVL294:
        .loc 1 1459 0
        movl    %eax, %ebx      # filename, remaining
.LVL295:
        .loc 1 1465 0
        addq    $24, %r15       #, start_end_ofs
.LVL296:
        movl    %ecx, %r12d     # D.32732, D.32699
        .loc 1 1459 0
        subl    %r14d, %ebx     # name_curpos, remaining
.LVL297:
        subl    %eax, %r12d     # filename, D.32699
        .loc 1 1460 0
        movq    %r12, %rdx      # D.32699,
        .loc 1 1461 0
        addq    %r12, %r14      # D.32699, name_curpos
.LVL298:
        .loc 1 1460 0
        call    memmove #

binfmt_elf.c:

static void fill_files_note(struct memelfnote *note)
...
        for (vma = current->mm->mmap; vma != NULL; vma = vma->vm_next) {
                struct file *file;
                const char *filename;

                file = vma->vm_file;
^^^^^^^^^^^^^^^^^^^^^^^^^^^
                if (!file)
                        continue;
                filename = d_path(&file->f_path, name_curpos, remaining);
                if (IS_ERR(filename)) {
                        if (PTR_ERR(filename) == -ENAMETOOLONG) {
                                vfree(data);
                                size = size * 5 / 4;
                                goto alloc;
                        }
                        continue;
                }
                                
                /* d_path() fills at the end, move name down */
                /* n = strlen(filename) + 1: */
                n = (name_curpos + remaining) - filename;
                remaining = filename - name_curpos;
                memmove(name_curpos, filename, n);

Comment 9 Denys Vlasenko 2013-07-12 17:12:29 UTC
Corresponding part of kernel-3.9.5-201.fc18.x86_64's vmlinux.bin:

ffffffff811f373a:       48 8b 8d 38 fe ff ff    mov    -0x1c8(%rbp),%rcx
ffffffff811f3741:       49 83 c7 10             add    $0x10,%r15
ffffffff811f3745:       48 8b 81 90 02 00 00    mov    0x290(%rcx),%rax
ffffffff811f374c:       4c 8b 28                mov    (%rax),%r13
ffffffff811f374f:       4d 85 ed                test   %r13,%r13
ffffffff811f3752:       0f 84 da 09 00 00       je     0xffffffff811f4132
ffffffff811f3758:       4c 8b b5 70 fe ff ff    mov    -0x190(%rbp),%r14
ffffffff811f375f:       c7 85 88 fe ff ff 00    movl   $0x0,-0x178(%rbp)
ffffffff811f3766:       00 00 00
ffffffff811f3769:       0f 1f 80 00 00 00 00    nopl   0x0(%rax)
ffffffff811f3770:       49 8b 85 a0 00 00 00    mov    0xa0(%r13),%rax
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ffffffff811f3777:       48 85 c0                test   %rax,%rax
ffffffff811f377a:       74 60                   je     0xffffffff811f37dc
ffffffff811f377c:       48 8d 78 10             lea    0x10(%rax),%rdi
ffffffff811f3780:       89 da                   mov    %ebx,%edx
ffffffff811f3782:       4c 89 f6                mov    %r14,%rsi
ffffffff811f3785:       e8 26 18 fc ff          callq  0xffffffff811b4fb0
ffffffff811f378a:       48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
ffffffff811f3790:       0f 87 21 09 00 00       ja     0xffffffff811f40b7
ffffffff811f3796:       89 d9                   mov    %ebx,%ecx
ffffffff811f3798:       4c 89 f7                mov    %r14,%rdi

Comment 10 Oleg Nesterov 2013-07-13 14:47:17 UTC
Thanks Denys!

So you came to the same conclusion...

Unfortunately, this means we need more info. Because this really
looks like we have a bug somewhere else; it just manifests itself
in elf_core_dump(). The vma list is corrupted, or we race with someone
who plays with mm->mmap (nobody should).
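The consistency check that comments 4, 8 and 9 work through by hand (decodecode shows the trapping instruction is `mov 0xa0(%r13),%rax`, the register dump shows R13 = 1, and CR2 is 0xa1, so the vma pointer itself is bogus rather than a field of a valid vma) can be mechanised. The script below is an added example, not code from this bug report or from the kernel tree. It parses the raw oops text (the embedded sample is constructed from lines of the first oops in the description), splits the `Code:` bytes at the `<xx>` marker the same way scripts/decodecode does, and then, given the base register and displacement the analyst reads off the disassembly (it does not decode x86 itself), verifies base + displacement against CR2 and flags a near-NULL base. The function and field names are this example's own.

```python
import re
from typing import List

# Constructed sample: lines from the first oops in this bug's description,
# trimmed to the ones the parser uses (values are the ones reported there).
SAMPLE_OOPS = """\
[ 4149.477498] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a1
[ 4149.477534] IP: [<ffffffff811f3770>] elf_core_dump+0xaf0/0x1530
[ 4149.478043] Pid: 32540, comm: ksmtuned Not tainted 3.9.5-201.fc18.x86_64 #1
[ 4149.478116] RSP: 0018:ffff880136331a68  EFLAGS: 00010202
[ 4149.478135] RAX: 0000000000000000 RBX: 0000000000000b7a RCX: ffffc90027c68000
[ 4149.478233] R13: 0000000000000001 R14: ffffc90027c67486 R15: ffffc90027c67178
[ 4149.478306] CR2: 00000000000000a1 CR3: 000000011dadc000 CR4: 00000000000427f0
[ 4149.478713] Code: 48 8b 81 90 02 00 00 4c 8b 28 4d 85 ed 0f 84 da 09 00 00 4c 8b b5 70 fe ff ff c7 85 88 fe ff ff 00 00 00 00 0f 1f 80 00 00 00 00 <49> 8b 85 a0 00 00 00 48 85 c0 74 60 48 8d 78 10 89 da 4c 89 f6
"""

PAGE_SIZE = 4096  # faults below this are what the kernel calls a "NULL pointer dereference"

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?", re.M)  # "[ 4149.477498] " prefixes
BUG_RE = re.compile(r"unable to handle kernel .*? at ([0-9a-f]+)")
IP_RE = re.compile(r"\bIP: \[<([0-9a-f]+)>\] (\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
REG_RE = re.compile(
    r"\b(R[A-D]X|R[SD]I|R[SB]P|R1[0-5]|R0?[89]|CR[0-4]): (?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")
CODE_RE = re.compile(r"^Code: (.*)$", re.M)


def parse_oops(text: str) -> dict:
    """Pull the fields a triage needs out of a raw x86-64 oops."""
    text = TS_RE.sub("", text)
    bug = BUG_RE.search(text)
    ip = IP_RE.search(text)
    code = CODE_RE.search(text)
    tokens = code.group(1).split() if code else []
    # The kernel marks the trapping instruction's first byte as "<xx>"; decodecode
    # uses that marker to split the listing, so keep its index.
    trap_idx = next((i for i, t in enumerate(tokens) if t.startswith("<")), None)
    return {
        "fault_addr": int(bug.group(1), 16) if bug else None,
        "ip": int(ip.group(1), 16) if ip else None,
        "symbol": ip.group(2) if ip else None,
        "offset": int(ip.group(3), 16) if ip else None,
        "symbol_size": int(ip.group(4), 16) if ip else None,
        "regs": {name: int(val, 16) for name, val in REG_RE.findall(text)},
        "code": [int(t.strip("<>"), 16) for t in tokens],
        "trap_index": trap_idx,
    }


def faulting_bytes(oops: dict) -> List[int]:
    """Bytes from the trapping instruction onward (decodecode's second listing)."""
    i = oops["trap_index"]
    return oops["code"][i:] if i is not None else []


def as_hex(byte_list: List[int]) -> str:
    return " ".join(f"{b:02x}" for b in byte_list)


def check_operand(oops: dict, base_reg: str, disp: int) -> dict:
    """base_reg/disp are read by the analyst from the disassembled trapping
    instruction. The faulting linear address appears both in the BUG line and
    in CR2, so base + disp must equal it; a base that is itself below PAGE_SIZE
    means the struct pointer is bad, not merely one of its fields."""
    base = oops["regs"][base_reg]
    computed = (base + disp) & 0xFFFF_FFFF_FFFF_FFFF
    return {
        "base": base,
        "computed": computed,
        "matches_cr2": computed == oops["regs"].get("CR2") == oops["fault_addr"],
        "near_null_base": base < PAGE_SIZE,
    }


def summarize(oops: dict, base_reg: str, disp: int) -> str:
    r = check_operand(oops, base_reg, disp)
    verdict = ("base register is near NULL: the struct pointer itself is corrupt"
               if r["near_null_base"] else "base pointer plausible: the field at +disp is bad")
    return (f"{oops['symbol']}+0x{oops['offset']:x} faulted at 0x{oops['fault_addr']:x}; "
            f"{base_reg}=0x{r['base']:x} + 0x{disp:x} = 0x{r['computed']:x} "
            f"({'matches' if r['matches_cr2'] else 'DOES NOT match'} CR2); {verdict}")


if __name__ == "__main__":
    oops = parse_oops(SAMPLE_OOPS)
    print("trapping bytes:", as_hex(faulting_bytes(oops)))
    # From the decodecode listing in comment 4: "mov 0xa0(%r13),%rax" -> R13 + 0xa0
    print(summarize(oops, "R13", 0xa0))
```

Run against the embedded sample, the trapping bytes come out as `49 8b 85 a0 00 00 00` at token index 0x2b, matching the decodecode listing, and the check reports R13 = 0x1 + 0xa0 = 0xa1, equal to CR2, with a near-NULL base: the `vma` pointer loaded in `fill_files_note()` was 1, which is what the thread concluded. Feeding the same oops with a plausible base register (RAX = 0) shows a mismatch, which is the signal to re-read the disassembly rather than trust the offset.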

Comment 11 Michele Baldessari 2013-09-07 20:00:26 UTC
Hi Oleg & Denys,

I've never managed to reproduce it here. I guess we can either close this one out or leave it open to see if some other soul stumbles into this. Whatever works
for you ;)

thanks again,
Michele

Comment 12 Justin M. Forbes 2013-10-18 20:57:12 UTC
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 18 kernel bugs.

Fedora 18 has now been rebased to 3.11.4-101.fc18.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 19, and are still experiencing this issue, please change the version to Fedora 19.

If you experience different issues, please open a new bug report for those.

Comment 13 Michele Baldessari 2013-11-02 20:20:38 UTC
Never seen this one since I reported it. Closing.