Description of problem:

[ 4149.472387] ksmtuned[32540]: segfault at 3303fb3a00 ip 0000003303cbb5aa sp 00007fff66c998b0 error 7 in libc-2.16.so[3303c00000+1ad000]
[ 4149.477498] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a1
[ 4149.477534] IP: [<ffffffff811f3770>] elf_core_dump+0xaf0/0x1530
[ 4149.477560] PGD 135fb7067 PUD 138c30067 PMD 0
[ 4149.477581] Oops: 0000 [#1] SMP
[ 4149.477597] Modules linked in: ebtable_nat ebtables xt_CHECKSUM iptable_mangle bridge stp llc be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_addr ib_sa ib_mad ib_core raid1 iTCO_wdt iTCO_vendor_support acpi_cpufreq snd_hda_codec_hdmi mperf coretemp arc4 snd_hda_codec_realtek microcode serio_raw i2c_i801 rt2800pci rt2800lib rt2x00pci rt2x00mmio rt2x00lib eeprom_93cx6 snd_hda_intel mac80211 lpc_ich snd_hda_codec mfd_core r8169 snd_hwdep mii snd_seq snd_seq_device cfg80211 snd_pcm snd_page_alloc rfkill snd_timer crc_ccitt mei snd soundcore vhost_net
[ 4149.477948]  tun macvtap macvlan kvm_intel kvm nfsd auth_rpcgss nfs_acl lockd uinput sunrpc binfmt_misc crc32_pclmul crc32c_intel i915 ghash_clmulni_intel video i2c_algo_bit drm_kms_helper drm i2c_core
[ 4149.478033] CPU 3
[ 4149.478043] Pid: 32540, comm: ksmtuned Not tainted 3.9.5-201.fc18.x86_64 #1 /H67
[ 4149.478077] RIP: 0010:[<ffffffff811f3770>]  [<ffffffff811f3770>] elf_core_dump+0xaf0/0x1530
[ 4149.478116] RSP: 0018:ffff880136331a68  EFLAGS: 00010202
[ 4149.478135] RAX: 0000000000000000 RBX: 0000000000000b7a RCX: ffffc90027c68000
[ 4149.478160] RDX: 0000000000000018 RSI: ffffc90027c67fe8 RDI: ffffc90027c6746e
[ 4149.478184] RBP: ffff880136331c48 R08: 006f732e36312e32 R09: 2d6362696c2f3436
[ 4149.478209] R10: 2d6362696c2f3436 R11: 62696c2f7273752f R12: 0000000000000018
[ 4149.478233] R13: 0000000000000001 R14: ffffc90027c67486 R15: ffffc90027c67178
[ 4149.478258] FS:  00007f66ba994740(0000) GS:ffff88013fb80000(0000) knlGS:0000000000000000
[ 4149.478286] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4149.478306] CR2: 00000000000000a1 CR3: 000000011dadc000 CR4: 00000000000427f0
[ 4149.478331] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4149.478356] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 4149.478380] Process ksmtuned (pid: 32540, threadinfo ffff880136330000, task ffff88011915ddc0)
[ 4149.478409] Stack:
[ 4149.478417]  ffff880119159770 ffff880118f42400 0000000000000340 ffff88011915ddc0
[ 4149.478447]  0000000000000340 0000002400000024 ffff880100000340 ffffffff81c21f20
[ 4149.478477]  ffff880136331cf8 ffff880100001000 ffffc90027c67340 ffff88008d4f9980
[ 4149.478507] Call Trace:
[ 4149.478520]  [<ffffffff81093db7>] ? wake_up_process+0x27/0x50
[ 4149.478543]  [<ffffffff810798ef>] ? call_usermodehelper_fns+0x11f/0x220
[ 4149.478568]  [<ffffffff811fb300>] ? cn_printf+0x100/0x100
[ 4149.478588]  [<ffffffff811fba40>] do_coredump+0x600/0xd10
[ 4149.478609]  [<ffffffff81074322>] get_signal_to_deliver+0x1b2/0x5d0
[ 4149.478633]  [<ffffffff810143a7>] do_signal+0x57/0x5b0
[ 4149.478653]  [<ffffffff816578e0>] ? printk+0x61/0x63
[ 4149.478672]  [<ffffffff81014980>] do_notify_resume+0x80/0xb0
[ 4149.478694]  [<ffffffff8166203c>] retint_signal+0x48/0x8c
[ 4149.478713] Code: 48 8b 81 90 02 00 00 4c 8b 28 4d 85 ed 0f 84 da 09 00 00 4c 8b b5 70 fe ff ff c7 85 88 fe ff ff 00 00 00 00 0f 1f 80 00 00 00 00 <49> 8b 85 a0 00 00 00 48 85 c0 74 60 48 8d 78 10 89 da 4c 89 f6
[ 4149.478862] RIP  [<ffffffff811f3770>] elf_core_dump+0xaf0/0x1530
[ 4149.479937]  RSP <ffff880136331a68>
[ 4149.481021] CR2: 00000000000000a1
[ 4149.485469] ---[ end trace 958e51ffea97c6c0 ]---
[ 4149.486559] BUG: unable to handle kernel NULL pointer dereference at 0000000000000009
[ 4149.487665] IP: [<ffffffff810c7b00>] acct_collect+0x60/0x1b0
[ 4149.488745] PGD 135fb7067 PUD 138c30067 PMD 0
[ 4149.489828] Oops: 0000 [#2] SMP
[ 4149.490906] Modules linked in: ebtable_nat ebtables xt_CHECKSUM iptable_mangle bridge stp llc be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_addr ib_sa ib_mad ib_core raid1 iTCO_wdt iTCO_vendor_support acpi_cpufreq snd_hda_codec_hdmi mperf coretemp arc4 snd_hda_codec_realtek microcode serio_raw i2c_i801 rt2800pci rt2800lib rt2x00pci rt2x00mmio rt2x00lib eeprom_93cx6 snd_hda_intel mac80211 lpc_ich snd_hda_codec mfd_core r8169 snd_hwdep mii snd_seq snd_seq_device cfg80211 snd_pcm snd_page_alloc rfkill snd_timer crc_ccitt mei snd soundcore vhost_net
[ 4149.497674]  tun macvtap macvlan kvm_intel kvm nfsd auth_rpcgss nfs_acl lockd uinput sunrpc binfmt_misc crc32_pclmul crc32c_intel i915 ghash_clmulni_intel video i2c_algo_bit drm_kms_helper drm i2c_core
[ 4149.499883] CPU 3
[ 4149.499893] Pid: 32540, comm: ksmtuned Tainted: G      D      3.9.5-201.fc18.x86_64 #1 /H67
[ 4149.502037] RIP: 0010:[<ffffffff810c7b00>]  [<ffffffff810c7b00>] acct_collect+0x60/0x1b0
[ 4149.503128] RSP: 0018:ffff8801363316b8  EFLAGS: 00010202
[ 4149.504206] RAX: 0000000000000001 RBX: ffff880119274840 RCX: 000000000000002d
[ 4149.505291] RDX: 000000015808f7c0 RSI: 0000000000000001 RDI: ffff880118725568
[ 4149.506382] RBP: ffff8801363316d8 R08: ffffffffffffffff R09: 00000000ffffffff
[ 4149.507473] R10: 0000000000000001 R11: 00007ffffffff000 R12: ffff88011915ddc0
[ 4149.508565] R13: 0000000000000009 R14: 0000000000000000 R15: ffff88011915ddc0
[ 4149.509646] FS:  00007f66ba994740(0000) GS:ffff88013fb80000(0000) knlGS:0000000000000000
[ 4149.510735] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4149.511810] CR2: 0000000000000009 CR3: 000000011dadc000 CR4: 00000000000427f0
[ 4149.512894] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4149.513981] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 4149.515067] Process ksmtuned (pid: 32540, threadinfo ffff880136330000, task ffff88011915ddc0)
[ 4149.516212] Stack:
[ 4149.517284]  0000000000000009 0000000000007f1c 0000000000000246 0000000000000000
[ 4149.518383]  ffff880136331778 ffffffff81064f11 0000000000000000 00000000000000a1
[ 4149.519478]  0000000136331758 ffffffff816578e0 0000000000aaaaaa 0000000000000010
[ 4149.520571] Call Trace:
[ 4149.521641]  [<ffffffff81064f11>] do_exit+0x7a1/0xa30
[ 4149.522713]  [<ffffffff816578e0>] ? printk+0x61/0x63
[ 4149.523780]  [<ffffffff81662de2>] oops_end+0xa2/0xf0
[ 4149.524845]  [<ffffffff816571cd>] no_context+0x253/0x27e
[ 4149.525910]  [<ffffffff816573b8>] __bad_area_nosemaphore+0x1c0/0x1df
[ 4149.526979]  [<ffffffff81657610>] bad_area+0x44/0x4c
[ 4149.528045]  [<ffffffff81665975>] __do_page_fault+0x225/0x4f0
[ 4149.529118]  [<ffffffff8116e28b>] ? vmap_page_range_noflush+0x23b/0x340
[ 4149.530198]  [<ffffffff81665c4e>] do_page_fault+0xe/0x10
[ 4149.531277]  [<ffffffff81662218>] page_fault+0x28/0x30
[ 4149.532323]  [<ffffffff811f3770>] ? elf_core_dump+0xaf0/0x1530
[ 4149.533338]  [<ffffffff811f37b7>] ? elf_core_dump+0xb37/0x1530
[ 4149.534336]  [<ffffffff81093db7>] ? wake_up_process+0x27/0x50
[ 4149.535329]  [<ffffffff810798ef>] ? call_usermodehelper_fns+0x11f/0x220
[ 4149.536331]  [<ffffffff811fb300>] ? cn_printf+0x100/0x100
[ 4149.537329]  [<ffffffff811fba40>] do_coredump+0x600/0xd10
[ 4149.538317]  [<ffffffff81074322>] get_signal_to_deliver+0x1b2/0x5d0
[ 4149.539297]  [<ffffffff810143a7>] do_signal+0x57/0x5b0
[ 4149.540270]  [<ffffffff816578e0>] ? printk+0x61/0x63
[ 4149.541242]  [<ffffffff81014980>] do_notify_resume+0x80/0xb0
[ 4149.542197]  [<ffffffff8166203c>] retint_signal+0x48/0x8c
[ 4149.543124] Code: 00 00 00 74 56 49 8b bc 24 90 02 00 00 48 83 c7 68 e8 55 79 59 00 49 8b 84 24 90 02 00 00 48 8b 00 48 85 c0 74 1c 31 d2 0f 1f 00 <48> 03 50 08 48 2b 10 48 8b 40 10 48 85 c0 75 f0 49 89 d6 49 c1
[ 4149.545191] RIP  [<ffffffff810c7b00>] acct_collect+0x60/0x1b0
[ 4149.546135]  RSP <ffff8801363316b8>
[ 4149.547050] CR2: 0000000000000009
[ 4149.547952] ---[ end trace 958e51ffea97c6c1 ]---
[ 4149.547952] Fixing recursive fault but reboot is needed!
[ 4149.547941] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a1
[ 4149.550630] IP: [<ffffffff81203bee>] show_map_vma+0x2e/0x270
[ 4149.551513] PGD 104002067 PUD 12296a067 PMD 0
[ 4149.552386] Oops: 0000 [#3] SMP
[ 4149.553245] Modules linked in: ebtable_nat ebtables xt_CHECKSUM iptable_mangle bridge stp llc be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_addr ib_sa ib_mad ib_core raid1 iTCO_wdt iTCO_vendor_support acpi_cpufreq snd_hda_codec_hdmi mperf coretemp arc4 snd_hda_codec_realtek microcode serio_raw i2c_i801 rt2800pci rt2800lib rt2x00pci rt2x00mmio rt2x00lib eeprom_93cx6 snd_hda_intel mac80211 lpc_ich snd_hda_codec mfd_core r8169 snd_hwdep mii snd_seq snd_seq_device cfg80211 snd_pcm snd_page_alloc rfkill snd_timer crc_ccitt mei snd soundcore vhost_net
[ 4149.559085]  tun macvtap macvlan kvm_intel kvm nfsd auth_rpcgss nfs_acl lockd uinput sunrpc binfmt_misc crc32_pclmul crc32c_intel i915 ghash_clmulni_intel video i2c_algo_bit drm_kms_helper drm i2c_core
[ 4149.561099] CPU 1
[ 4149.561111] Pid: 32541, comm: abrt-hook-ccpp Tainted: G      D      3.9.5-201.fc18.x86_64 #1 /H67
[ 4149.563105] RIP: 0010:[<ffffffff81203bee>]  [<ffffffff81203bee>] show_map_vma+0x2e/0x270
[ 4149.564117] RSP: 0018:ffff880135c9dda8  EFLAGS: 00010282
[ 4149.565120] RAX: ffff880138bf7dc0 RBX: 0000000000000001 RCX: ffff8800800c34c8
[ 4149.566130] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8800962a6000
[ 4149.567142] RBP: ffff880135c9de48 R08: 0000000000001000 R09: 00000000000006a5
[ 4149.568151] R10: 0000000000000000 R11: 000000000000000f R12: ffff8800962a6000
[ 4149.569159] R13: ffff88011915ddc0 R14: ffff880135c9df50 R15: ffff8800962a6000
[ 4149.570192] FS:  00007fad986e47c0(0000) GS:ffff88013fa80000(0000) knlGS:0000000000000000
[ 4149.571224] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4149.572254] CR2: 00000000000000a1 CR3: 000000010410f000 CR4: 00000000000427f0
[ 4149.573296] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4149.574340] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 4149.575382] Process abrt-hook-ccpp (pid: 32541, threadinfo ffff880135c9c000, task ffff880119159770)
[ 4149.576441] Stack:
[ 4149.577490]  ffff88010000002d ffffffff00000070 0000000000000000 ffffffff00000000
[ 4149.578581]  ffff880100000000 0000000000000000 ffff880135c9de14 ffffffff8106c082
[ 4149.579686]  ffff88011915ddc0 ffff880118725500 ffff88011915ddc0 000000018105c454
[ 4149.580786] Call Trace:
[ 4149.581873]  [<ffffffff8106c082>] ? ptrace_may_access+0x32/0x50
[ 4149.582967]  [<ffffffff81203e5c>] show_map+0x2c/0x90
[ 4149.584081]  [<ffffffff81203ef3>] show_pid_map+0x13/0x20
[ 4149.585189]  [<ffffffff811c1a30>] seq_read+0x230/0x3b0
[ 4149.586271]  [<ffffffff811a01b9>] vfs_read+0xa9/0x180
[ 4149.587348]  [<ffffffff811a0432>] sys_read+0x52/0xa0
[ 4149.588431]  [<ffffffff810dfd8c>] ? __audit_syscall_exit+0x20c/0x2c0
[ 4149.589526]  [<ffffffff8166a2d9>] system_call_fastpath+0x16/0x1b
[ 4149.590607] Code: 66 90 55 48 89 e5 48 81 ec a0 00 00 00 48 89 5d d8 4c 89 65 e0 48 89 f3 4c 89 6d e8 4c 89 75 f0 49 89 fc 4c 89 7d f8 48 8b 47 68 <4c> 8b b6 a0 00 00 00 4c 8b 6e 40 89 55 bc 48 8b 76 50 48 8b 40
[ 4149.592950] RIP  [<ffffffff81203bee>] show_map_vma+0x2e/0x270
[ 4149.594047]  RSP <ffff880135c9dda8>
[ 4149.595125] CR2: 00000000000000a1
[ 4149.596268] ---[ end trace 958e51ffea97c6c2 ]---

Version-Release number of selected component (if applicable):
3.9.5-201.fc18.x86_64

How reproducible:
First time it happened

Steps to Reproduce:
1. It seems that ksmtuned crashing triggered the oops
2.
3.

Actual results:

Expected results:

Additional info:
Oleg, have you seen anything like this?
(In reply to Josh Boyer from comment #1)
> Oleg, have you seen anything like this?

No...

Josh, if you have 3.9.5-201.fc18 sources installed, could you send me (privately) the result of "make fs/binfmt_elf.s"? And "objdump -d fs/binfmt_elf.o" just in case. Not sure this will help, but elf_core_dump+0xaf0 tells me almost nothing :/

Is it easy to reproduce? I mean, does the kernel crash every time / often if you send a coredumping signal to ksmtuned?
Hi Oleg,

nope, definitely not reproducible. I just tried sending SIGSEGV to ksmtuned multiple times and nothing out of the ordinary showed up. (The box was upgraded to 3.9.6-200 for the record.)

I'll try fiddling some more and update here if I can somehow reproduce it.

regards,
Michele
Hi Michele,

(In reply to Michele Baldessari from comment #3)
>
> nope definitely not reproduceable.

As expected ;)

> I'll try fiddling some more and update here if I can somehow reproduce

Thanks.

Meanwhile I am trying to guess where it crashes. scripts/decodecode reports:

All code
========
   0:   48 8b 81 90 02 00 00    mov    0x290(%rcx),%rax
   7:   4c 8b 28                mov    (%rax),%r13
   a:   4d 85 ed                test   %r13,%r13
   d:   0f 84 da 09 00 00       je     0x9ed
  13:   4c 8b b5 70 fe ff ff    mov    -0x190(%rbp),%r14
  1a:   c7 85 88 fe ff ff 00    movl   $0x0,-0x178(%rbp)
  21:   00 00 00
  24:   0f 1f 80 00 00 00 00    nopl   0x0(%rax)
  2b:*  49 8b 85 a0 00 00 00    mov    0xa0(%r13),%rax          <-- trapping instruction
  32:   48 85 c0                test   %rax,%rax
  35:   74 60                   je     0x97
  37:   48 8d 78 10             lea    0x10(%rax),%rdi
  3b:   89 da                   mov    %ebx,%edx
  3d:   4c 89 f6                mov    %r14,%rsi

Code starting with the faulting instruction
===========================================
   0:   49 8b 85 a0 00 00 00    mov    0xa0(%r13),%rax
   7:   48 85 c0                test   %rax,%rax
   a:   74 60                   je     0x6c
   c:   48 8d 78 10             lea    0x10(%rax),%rdi
  10:   89 da                   mov    %ebx,%edx
  12:   4c 89 f6                mov    %r14,%rsi

My fs/binfmt_elf.s is quite different, but I tried to search for the constants above. And this part looks promising:

        movq    160(%r12), %rax # <variable>.vm_file, file
        testq   %rax, %rax      # file
        je      .L82    #,
        leaq    16(%rax), %rdi  #, tmp429
        movl    %r14d, %edx     # remaining, remaining
        movq    %r13, %rsi      # name_curpos.1180, name_curpos.1180
        call    d_path  #

If my wild guess is correct, this is fill_files_note()... r13 is vma. But it is not mm->mmap, rax == 0... looks like vma->next is corrupted? Unlikely.
I recompiled 3.9.5-201.fc18.x86_64 on my machine (meaning: same source, different gcc). Attaching resulting binfmt_elf.{o,s}
Created attachment 772764: binfmt_elf.o

Created attachment 772765: binfmt_elf.s
Disassembly of binfmt_elf.o:

     fa6:   48 89 85 80 fe ff ff    mov    %rax,-0x180(%rbp)
     fad:   48 8b 85 48 fe ff ff    mov    -0x1b8(%rbp),%rax
     fb4:   48 8b 80 90 02 00 00    mov    0x290(%rax),%rax
     fbb:   4c 8b 28                mov    (%rax),%r13
     fbe:   4d 85 ed                test   %r13,%r13
     fc1:   0f 84 ee 0c 00 00       je     1cb5 <elf_core_dump+0x1895>
     fc7:   c7 85 90 fe ff ff 00    movl   $0x0,-0x170(%rbp)
     fce:   00 00 00
     fd1:   0f 1f 80 00 00 00 00    nopl   0x0(%rax)
     fd8:   49 8b 85 a0 00 00 00    mov    0xa0(%r13),%rax
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     fdf:   48 85 c0                test   %rax,%rax
     fe2:   74 61                   je     1045 <elf_core_dump+0xc25>
     fe4:   48 8d 78 10             lea    0x10(%rax),%rdi
     fe8:   89 da                   mov    %ebx,%edx
     fea:   4c 89 f6                mov    %r14,%rsi
     fed:   e8 00 00 00 00          callq  ff2 <elf_core_dump+0xbd2>
                        fee: R_X86_64_PC32      d_path-0x4
     ff2:   48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
     ff8:   0f 87 74 0c 00 00       ja     1c72 <elf_core_dump+0x1852>
     ffe:   89 d9                   mov    %ebx,%ecx
    1000:   4c 89 f7                mov    %r14,%rdi
    1003:   48 89 c6                mov    %rax,%rsi
    1006:   4c 01 f1                add    %r14,%rcx
    1009:   89 c3                   mov    %eax,%ebx
    100b:   49 83 c7 18             add    $0x18,%r15
    100f:   41 89 cc                mov    %ecx,%r12d
    1012:   44 29 f3                sub    %r14d,%ebx
    1015:   41 29 c4                sub    %eax,%r12d
    1018:   4c 89 e2                mov    %r12,%rdx
    101b:   4d 01 e6                add    %r12,%r14
    101e:   e8 00 00 00 00          callq  1023 <elf_core_dump+0xc03>
                        101f: R_X86_64_PC32     memmove-0x4

Corresponding binfmt_elf.s:

        movq    %rax, -384(%rbp)        # name_curpos, %sfp
.LVL288:
        .loc 1 1439 0
        movq    -440(%rbp), %rax        # %sfp, pfo_ret__
.LVL289:
        movq    656(%rax), %rax # pfo_ret___772->mm, pfo_ret___772->mm
        movq    (%rax), %r13    # _773->mmap, vma
.LVL290:
        testq   %r13, %r13      # vma
        je      .L273   #,
        .loc 1 1438 0
        movl    $0, -368(%rbp)  #, %sfp
.LVL291:
        .p2align 4,,10
        .p2align 3
.L199:
.LBB1503:
        .loc 1 1443 0
        movq    160(%r13), %rax # vma_1103->vm_file, file
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.LVL292:
        .loc 1 1444 0
        testq   %rax, %rax      # file
        je      .L194   #,
        .loc 1 1446 0
        leaq    16(%rax), %rdi  #, D.32731
        movl    %ebx, %edx      # remaining,
        movq    %r14, %rsi      # name_curpos,
        call    d_path  #
.LVL293:
        .loc 1 1447 0
        cmpq    $-4096, %rax    #, filename
        ja      .L515   #,
        .loc 1 1458 0
        movl    %ebx, %ecx      # remaining, D.32709
        .loc 1 1460 0
        movq    %r14, %rdi      # name_curpos,
        movq    %rax, %rsi      # filename,
        .loc 1 1458 0
        addq    %r14, %rcx      # name_curpos, D.32732
.LVL294:
        .loc 1 1459 0
        movl    %eax, %ebx      # filename, remaining
.LVL295:
        .loc 1 1465 0
        addq    $24, %r15       #, start_end_ofs
.LVL296:
        movl    %ecx, %r12d     # D.32732, D.32699
        .loc 1 1459 0
        subl    %r14d, %ebx     # name_curpos, remaining
.LVL297:
        subl    %eax, %r12d     # filename, D.32699
        .loc 1 1460 0
        movq    %r12, %rdx      # D.32699,
        .loc 1 1461 0
        addq    %r12, %r14      # D.32699, name_curpos
.LVL298:
        .loc 1 1460 0
        call    memmove #

binfmt_elf.c:

static void fill_files_note(struct memelfnote *note)
...
        for (vma = current->mm->mmap; vma != NULL; vma = vma->vm_next) {
                struct file *file;
                const char *filename;

                file = vma->vm_file;
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
                if (!file)
                        continue;
                filename = d_path(&file->f_path, name_curpos, remaining);
                if (IS_ERR(filename)) {
                        if (PTR_ERR(filename) == -ENAMETOOLONG) {
                                vfree(data);
                                size = size * 5 / 4;
                                goto alloc;
                        }
                        continue;
                }

                /* d_path() fills at the end, move name down */
                /* n = strlen(filename) + 1: */
                n = (name_curpos + remaining) - filename;
                remaining = filename - name_curpos;
                memmove(name_curpos, filename, n);

Corresponding part of kernel-3.9.5-201.fc18.x86_64's vmlinux.bin:

ffffffff811f373a:       48 8b 8d 38 fe ff ff    mov    -0x1c8(%rbp),%rcx
ffffffff811f3741:       49 83 c7 10             add    $0x10,%r15
ffffffff811f3745:       48 8b 81 90 02 00 00    mov    0x290(%rcx),%rax
ffffffff811f374c:       4c 8b 28                mov    (%rax),%r13
ffffffff811f374f:       4d 85 ed                test   %r13,%r13
ffffffff811f3752:       0f 84 da 09 00 00       je     0xffffffff811f4132
ffffffff811f3758:       4c 8b b5 70 fe ff ff    mov    -0x190(%rbp),%r14
ffffffff811f375f:       c7 85 88 fe ff ff 00    movl   $0x0,-0x178(%rbp)
ffffffff811f3766:       00 00 00
ffffffff811f3769:       0f 1f 80 00 00 00 00    nopl   0x0(%rax)
ffffffff811f3770:       49 8b 85 a0 00 00 00    mov    0xa0(%r13),%rax
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ffffffff811f3777:       48 85 c0                test   %rax,%rax
ffffffff811f377a:       74 60                   je     0xffffffff811f37dc
ffffffff811f377c:       48 8d 78 10             lea    0x10(%rax),%rdi
ffffffff811f3780:       89 da                   mov    %ebx,%edx
ffffffff811f3782:       4c 89 f6                mov    %r14,%rsi
ffffffff811f3785:       e8 26 18 fc ff          callq  0xffffffff811b4fb0
ffffffff811f378a:       48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
ffffffff811f3790:       0f 87 21 09 00 00       ja     0xffffffff811f40b7
ffffffff811f3796:       89 d9                   mov    %ebx,%ecx
ffffffff811f3798:       4c 89 f7                mov    %r14,%rdi
Thanks Denys!

So you came to the same conclusion... Unfortunately, this means we need more info. Because this really looks like we have a bug somewhere else; it just manifests itself in elf_core_dump(). The vma list is corrupted, or we race with someone who plays with mm->mmap (nobody should).
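Added example, not part of the bug report or of the kernel tree: a small Python triage helper that does by script what the decodecode analysis in comment #4 does by eye. It pulls the register dump and the Code: bytes out of an oops, decodes the base register and displacement of the trapping instruction's memory operand, and checks that base + displacement equals CR2. Run over the three oopses above (abridged below to the lines the parser consumes; the values are the report's own), it confirms the reading: in each one the base register holds 1, the fault address is 1 plus the displacement (0xa0 in elf_core_dump and show_map_vma, which the .s listing above labels vm_file; 8 in acct_collect), so the corrupted value is the vma pointer itself, not a field of a valid vma. The opcode subset handled by memory_operand, the register-name spelling and the helper names are assumptions of this example.

```python
import re

# Register numbering of the ModRM r/m field (REX.B extends it to r8..r15),
# spelled the way the oops register dump spells them (R08, not R8).
REG64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
         "R08", "R09", "R10", "R11", "R12", "R13", "R14", "R15"]

# One-byte opcodes taking a ModRM memory operand. Assumption of this example:
# only the mov/add/sub/cmp/test forms seen in these traces, not a full map.
MODRM_OPCODES = {0x01, 0x03, 0x29, 0x2b, 0x39, 0x3b, 0x85, 0x89, 0x8b}

REG_RE = re.compile(r"\b(R[A-Z]{2}|R\d{2}|CR\d|DR\d): (?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")
IP_RE = re.compile(r"\bIP: \[<[0-9a-f]+>\] (\S+)")
CODE_RE = re.compile(r"\bCode: (.*)")

# Constructed sample input: the report's three oopses, cut down to the lines
# the parser needs (register values and Code: bytes are the report's own).
OOPS_ELF_CORE_DUMP = """\
[ 4149.477498] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a1
[ 4149.477534] IP: [<ffffffff811f3770>] elf_core_dump+0xaf0/0x1530
[ 4149.478135] RAX: 0000000000000000 RBX: 0000000000000b7a RCX: ffffc90027c68000
[ 4149.478233] R13: 0000000000000001 R14: ffffc90027c67486 R15: ffffc90027c67178
[ 4149.478306] CR2: 00000000000000a1 CR3: 000000011dadc000 CR4: 00000000000427f0
[ 4149.478713] Code: 48 8b 81 90 02 00 00 4c 8b 28 4d 85 ed 0f 84 da 09 00 00 4c 8b b5 70 fe ff ff c7 85 88 fe ff ff 00 00 00 00 0f 1f 80 00 00 00 00 <49> 8b 85 a0 00 00 00 48 85 c0 74 60 48 8d 78 10 89 da 4c 89 f6
"""
OOPS_ACCT_COLLECT = """\
[ 4149.487665] IP: [<ffffffff810c7b00>] acct_collect+0x60/0x1b0
[ 4149.504206] RAX: 0000000000000001 RBX: ffff880119274840 RCX: 000000000000002d
[ 4149.511810] CR2: 0000000000000009 CR3: 000000011dadc000 CR4: 00000000000427f0
[ 4149.543124] Code: 00 00 00 74 56 49 8b bc 24 90 02 00 00 48 83 c7 68 e8 55 79 59 00 49 8b 84 24 90 02 00 00 48 8b 00 48 85 c0 74 1c 31 d2 0f 1f 00 <48> 03 50 08 48 2b 10 48 8b 40 10 48 85 c0 75 f0 49 89 d6 49 c1
"""
OOPS_SHOW_MAP_VMA = """\
[ 4149.550630] IP: [<ffffffff81203bee>] show_map_vma+0x2e/0x270
[ 4149.566130] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8800962a6000
[ 4149.572254] CR2: 00000000000000a1 CR3: 000000010410f000 CR4: 00000000000427f0
[ 4149.590607] Code: 66 90 55 48 89 e5 48 81 ec a0 00 00 00 48 89 5d d8 4c 89 65 e0 48 89 f3 4c 89 6d e8 4c 89 75 f0 49 89 fc 4c 89 7d f8 48 8b 47 68 <4c> 8b b6 a0 00 00 00 4c 8b 6e 40 89 55 bc 48 8b 76 50 48 8b 40
"""


def parse_registers(oops):
    """Map register names from the 'RAX: ... RBX: ...' lines to integers."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops)}


def parse_code(oops):
    """Split the Code: bytes into those before the fault and those starting
    at the trapping instruction (the byte the kernel wraps in <>)."""
    m = CODE_RE.search(oops)
    if m is None:
        raise ValueError("no Code: line in oops")
    tokens = m.group(1).split()
    marks = [i for i, t in enumerate(tokens) if t.startswith("<")]
    if len(marks) != 1:
        raise ValueError("expected exactly one <..> marker")
    raw = bytes(int(t.strip("<>"), 16) for t in tokens)
    return raw[:marks[0]], raw[marks[0]:]


def memory_operand(code):
    """Decode base register and displacement of one '[REX] opcode ModRM [disp]'
    instruction's memory operand; SIB and RIP-relative forms are rejected."""
    i, rex_b = 0, 0
    if 0x40 <= code[0] <= 0x4f:          # REX prefix; bit 0 is REX.B
        rex_b, i = code[0] & 1, 1
    opcode, modrm = code[i], code[i + 1]
    i += 2
    if opcode not in MODRM_OPCODES:
        raise ValueError("opcode 0x%02x outside the handled subset" % opcode)
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:
        raise ValueError("register operand, no memory access")
    if rm == 4:
        raise ValueError("SIB addressing not handled")
    if mod == 0 and rm == 5:
        raise ValueError("RIP-relative operand not handled")
    base = REG64[rm | (rex_b << 3)]
    width = {0: 0, 1: 1, 2: 4}[mod]      # no disp / disp8 / disp32
    disp = int.from_bytes(code[i:i + width], "little", signed=True)
    return base, disp


def triage(oops):
    """Compare CR2 with base + disp from the trapping instruction and the dumped
    registers; a match confirms the decode and names the bad pointer."""
    regs = parse_registers(oops)
    _, at_fault = parse_code(oops)
    base, disp = memory_operand(at_fault)
    ea = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    ip = IP_RE.search(oops)
    return {"symbol": ip.group(1) if ip else None, "base": base,
            "base_value": regs[base], "disp": disp, "effective_address": ea,
            "cr2": regs["CR2"], "consistent": ea == regs["CR2"]}


if __name__ == "__main__":
    for text in (OOPS_ELF_CORE_DUMP, OOPS_ACCT_COLLECT, OOPS_SHOW_MAP_VMA):
        r = triage(text)
        print("%-28s %s=%#x disp=%#x -> %#x  CR2=%#x  consistent=%s" % (
            r["symbol"], r["base"], r["base_value"], r["disp"],
            r["effective_address"], r["cr2"], r["consistent"]))
```

A mismatch between the computed address and CR2 is itself informative: it usually means the trapping bytes were decoded against the wrong instruction boundary (decodecode can be fooled the same way), or that the instruction uses a SIB or RIP-relative form this helper deliberately refuses to guess at.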
Hi Oleg & Denys,

I've never managed to reproduce it here. I guess we can either close this one out or leave it open to see if some other soul stumbles into this. Whatever works for you ;)

thanks again,
Michele
*********** MASS BUG UPDATE **************

We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 18 kernel bugs.

Fedora 18 has now been rebased to 3.11.4-101.fc18. Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 19, and are still experiencing this issue, please change the version to Fedora 19.

If you experience different issues, please open a new bug report for those.
Never seen this one since I reported it. Closing