How to get object virtual address from a kernel core dump

How to get object virtual address from a kernel core dump

[Mohammad Y. Zachariah]

Hello everyone,

I'm taking the way of analysing kernel core dumps as a learning approach
using 'crash tool'. One of the interesting crash commands is 'struct' which
can print kernel struct definition and/or the actual contents of the
structure.

According to struct help page, I need the virtual address of the struct in
order to view/print its contents, for example:

    crash> mm_struct.pgd ffff810022e7d080 -px
      pgd_t *pgd = 0xffff81000e3ac000
      -> {
           pgd = 0x2c0a6067
         }

My question is how to find the mm_struct address "ffff810022e7d080" in the
above example in the first place??

Thank you for your help in advance.
Zach
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20160318/aff2cddf/attachment.html 

How to get object virtual address from a kernel core dump

[Arun Sudhilal]

Hello Zach,

On Fri, Mar 18, 2016 at 3:28 PM, Mohammad Y. Zachariah <eng.myz@gmail.com>
wrote:

> Hello everyone,
>
> I'm taking the way of analysing kernel core dumps as a learning approach
> using 'crash tool'. One of the interesting crash commands is 'struct' which
> can print kernel struct definition and/or the actual contents of the
> structure.
>
> According to struct help page, I need the virtual address of the struct in
> order to view/print its contents, for example:
>
>     crash> mm_struct.pgd ffff810022e7d080 -px
>       pgd_t *pgd = 0xffff81000e3ac000
>       -> {
>            pgd = 0x2c0a6067
>          }
>
> My question is how to find the mm_struct address "ffff810022e7d080" in the
> above example in the first place??
>

crash tool has a 'ps'  command, which outputs all the task and their task
struct address.

Thanks,
Arun

>
> Thank you for your help in advance.
> Zach
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20160322/676f2c2d/attachment.html 

How to get object virtual address from a kernel core dump

[Buland Kumar Singh]

On 18 March 2016 at 15:28, Mohammad Y. Zachariah <eng.myz@gmail.com> wrote:
>
> Hello everyone,
>
> I'm taking the way of analysing kernel core dumps as a learning approach using 'crash tool'. One of the interesting crash commands is 'struct' which can print kernel struct definition and/or the actual contents of the structure.
>
> According to struct help page, I need the virtual address of the struct in order to view/print its contents, for example:
>
>     crash> mm_struct.pgd ffff810022e7d080 -px
>       pgd_t *pgd = 0xffff81000e3ac000
>       -> {
>            pgd = 0x2c0a6067
>          }
>
> My question is how to find the mm_struct address "ffff810022e7d080" in the above example in the first place??
>

Hello Zach,

1) Determine the struct task_struct * from ps or set command of crash.

Eg:
crash> set 1
    PID: 1
COMMAND: "init"
   TASK: ffff881029867500  [THREAD_INFO: ffff882029b32000]
    CPU: 2
  STATE: TASK_INTERRUPTIBLE

crash> ps 1
   PID    PPID  CPU       TASK        ST  %MEM     VSZ    RSS  COMM
      1      0   2  ffff881029867500  IN   0.0   24852   1632  init

In above example, struct task_struct * is 0xffff881029867500

2) Determine struct mm_struct * from struct task_struct *

crash> task_struct.mm -ox
struct task_struct {
  [0x480] struct mm_struct *mm;
}

crash> task_struct.mm ffff881029867500
  mm = 0xffff882026b68700

In above example, struct mm_struct * is 0xffff882026b68700

3) Finally determine pgd_t from struct mm_struct *

crash> mm_struct.pgd -ox
struct mm_struct {
   [0x50] pgd_t *pgd;
}

crash> mm_struct.pgd 0xffff882026b68700
  pgd = 0xffff882026a9e000


You achieve the above steps in one line;

Eg:
crash> px ((struct task_struct *)0xffff881029867500)->mm.pgd
$1 = (pgd_t *) 0xffff882026a9e000

-- 
BKS

How to get object virtual address from a kernel core dump

[Manoj Nayak]

task_struct contains mm_struct.

If we have pid of the process then task_struct can be obtained from pid
using following two methods.

1.
Please check find_task_by_pid() function in kernel. We can write a similar
macro to convert pid to task_struct.

2. We can write a macro that traverses all task starting from init_task and
check the required pid.

#define for_each_task(p) \
        for (p = &init_task ; (p = p->next_task) != &init_task ; )


If process is the current one then current_thread_info()->task provides
task_struct for current task.
We can write a macro similar to current_thread_info().

pid-> task_struct->mm_struct.

Regards
Manoj Nayak
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20160322/09d53114/attachment-0001.html