结合自己的实践和网上的文章,介绍手工调试内核bug的通用方法。
1.步骤1).Collect oops output, System.map, /proc/ksyms, vmlinux, /proc/modules 2).Use ksymoops to interpret oops Instructions is /usr/src/linux/Documentation/oops-tracing.txt Ksymoops(8) man page (http://www.die.net/doc/linux/man/man8/ksymoops.8.html) 2.简单分析1)Ksymoops disassembles the code section 2)The EIP points to the failing instruction 3)The call trace section shows how you got there Caution: Noise on the stack?3.找到出错代码
oops 例子C Source Code
int test_read_proc(char *buf, char **start, off_t offset, int count, int *eof, void*data) { int *ptr; ptr=0; printk("%d/n",*ptr); return 0; } 写个内核模块程序test.c,使用上面的代码来在/proc/下创建文件。读去文件的时候会调用这个函数,从而产生下面的oops:
Unable to handle kernel NULL pointer dereference at virtual address 00000000c2483069 <---EIP (Instruction Pointer or Program Counter)*pde = 00000000Oops: 0000CPU: 0EIP: 0010:[ipv6:__insmod_ipv6_O/lib/modules/2.4.10-4GB/kernel/net/ipv6 ipv6+-472895383/96]EFLAGS: 00010283eax: db591f98 ebx: de2aeb60 ecx: de2aeb80 edx: c2483060esi: 00000c00 edi: d41d0000 ebp: db591f5c esp: db591f4cds: 0018 es: 0018 ss: 0018Process cat (pid: 1986, stackpage=db591000)Stack: c012ca65 000001f0 ffffffea 00000000 00001000 c014e878 d41d0000 db591f98 00000000 00000c00 db591f94 00000000 de2aeb60 ffffffea 00000000 00001000 deae6f40 00000000 00000000 00000000 c01324d6 de2aeb60 0804db50 00001000Call Trace: [__alloc_pages+65/452] [proc_file_read+204/420] [sys_read+146/200][system_call+51/64]Code:a1 00 00 00 00 50 68 10 31 48 c2 e8 67 38 c9 fd 31 c0 89 ec
使用ksysmoops来获取内河函数地址,(也可以读取/proc/kallsym或者/proc/ksyms文件察看export出来的函数地址)Using defaults from ksymoops -t elf32-i386 -a i386
Code; 00000000 Before first symbol00000000 <_EIP>:Code; 00000000 Before first symbol0: a1 00 00 00 00 mov 0x0,
