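In this post we look at the debugging information attached to slub objects on a 64-bit ARMv8 system (kernel 4.19). I hope it serves as a quick reference for recognizing slub object patterns.
Checking a slab page (kmalloc-256) with the crash utility
To check the attributes of the slub objects at ffffffbf50925d00, enter the command 'kmem ffffffbf50925d00'. Here, the address to the right of kmem is the slab page descriptor.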
crash64> kmem ffffffbf50925d00
1 CACHE OBJSIZE ALLOCATED TOTAL SLABS SSIZE NAME
2 ffffffd3c08e7780 256 36025 36046 1718 16k kmalloc-256
3 SLAB MEMORY NODE TOTAL ALLOCATED FREE
4 ffffffbf50925d00 ffffffd424974000 0 21 21 0
5 FREE / [ALLOCATED]
6 [ffffffd424974000]
7 [ffffffd424974300]
8 [ffffffd424974600]
9 [ffffffd424974900]
10 [ffffffd424974c00]
11 [ffffffd424974f00]
12 [ffffffd424975200]
13 [ffffffd424975500]
14 [ffffffd424975800]
15 [ffffffd424975b00]
16 [ffffffd424975e00]
17 [ffffffd424976100]
18 [ffffffd424976400]
19 [ffffffd424976700]
20 [ffffffd424976a00]
21 [ffffffd424976d00]
22 [ffffffd424977000]
23 [ffffffd424977300]
24 [ffffffd424977600]
25 [ffffffd424977900]
26 [ffffffd424977c00]
27
28 PAGE PHYSICAL MAPPING INDEX CNT FLAGS
29 ffffffbf50925d00 e4974000 ffffffd3c08e7780 0 1 10200 slab,head
Lines 6-26 show that about 20 slub objects are currently allocated.
Let's look at the slub object at address FFFFFFD424975200, shown on line 12 of the output above.
The following is the output of the TRACE32 command 'd.v %y.ll 0xFFFFFFD424975200'.
$ d.v %y.ll 0xFFFFFFD424975200
1 ________________address|_data____________________|value_____________|symbol
2 NSD:FFFFFFD424975200| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
3 NSD:FFFFFFD424975208| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
4 NSD:FFFFFFD424975210| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
5 NSD:FFFFFFD424975218| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
6 NSD:FFFFFFD424975220| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
7 NSD:FFFFFFD424975228| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
8 NSD:FFFFFFD424975230| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
9 NSD:FFFFFFD424975238| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
10 NSD:FFFFFFD424975240| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
11 NSD:FFFFFFD424975248| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
12 NSD:FFFFFFD424975250| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
13 NSD:FFFFFFD424975258| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
14 NSD:FFFFFFD424975260| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
15 NSD:FFFFFFD424975268| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
16 NSD:FFFFFFD424975270| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
17 NSD:FFFFFFD424975278| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
18 NSD:FFFFFFD424975280| 00 F8 24 01 00 00 00 00 0x124F800
19 NSD:FFFFFFD424975288| 00 01 00 00 00 00 00 00 0x100
20 NSD:FFFFFFD424975290| 00 00 00 00 00 00 00 00 0x0
21 NSD:FFFFFFD424975298| 00 48 E8 01 00 00 00 00 0x1E84800
22 NSD:FFFFFFD4249752A0| 02 01 08 00 4B 00 00 00 0x4B00080102
23 NSD:FFFFFFD4249752A8| 00 00 00 00 00 00 00 00 0x0
24 NSD:FFFFFFD4249752B0| 00 6C DC 02 00 00 00 00 0x2DC6C00
25 NSD:FFFFFFD4249752B8| 02 01 04 00 19 00 00 00 0x1900040102
26 NSD:FFFFFFD4249752C0| 00 00 00 00 00 00 00 00 0x0
27 NSD:FFFFFFD4249752C8| 00 90 D0 03 00 00 00 00 0x3D09000
28 NSD:FFFFFFD4249752D0| 02 01 10 00 4B 00 00 00 0x4B00100102
29 NSD:FFFFFFD4249752D8| 00 00 00 00 00 00 00 00 0x0
30 NSD:FFFFFFD4249752E0| 00 D8 B8 05 00 00 00 00 0x5B8D800
31 NSD:FFFFFFD4249752E8| 02 01 08 00 19 00 00 00 0x1900080102
32 NSD:FFFFFFD4249752F0| 00 00 00 00 00 00 00 00 0x0
33 NSD:FFFFFFD4249752F8| 00 E1 F5 05 00 00 00 00 0x5F5E100
34 NSD:FFFFFFD424975300| 02 05 00 00 00 00 00 00 0x502
35 NSD:FFFFFFD424975308| 00 00 00 00 00 00 00 00 0x0
36 NSD:FFFFFFD424975310| 00 0E 27 07 00 00 00 00 0x7270E00
37 NSD:FFFFFFD424975318| 02 04 00 00 00 00 00 00 0x402
38 NSD:FFFFFFD424975320| 00 00 00 00 00 00 00 00 0x0
39 NSD:FFFFFFD424975328| 00 F8 24 01 00 00 00 00 0x124F800
40 NSD:FFFFFFD424975330| 00 01 00 00 00 00 00 00 0x100
41 NSD:FFFFFFD424975338| 00 00 00 00 00 00 00 00 0x0
42 NSD:FFFFFFD424975340| 00 00 00 00 00 00 00 00 0x0
43 NSD:FFFFFFD424975348| 00 00 00 00 00 00 00 00 0x0
44 NSD:FFFFFFD424975350| 00 00 00 00 00 00 00 00 0x0
45 NSD:FFFFFFD424975358| 00 00 00 00 00 00 00 00 0x0
46 NSD:FFFFFFD424975360| 00 00 00 00 00 00 00 00 0x0
47 NSD:FFFFFFD424975368| 00 00 00 00 00 00 00 00 0x0
48 NSD:FFFFFFD424975370| 00 00 00 00 00 00 00 00 0x0
49 NSD:FFFFFFD424975378| 00 00 00 00 00 00 00 00 0x0
50 NSD:FFFFFFD424975380| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
51 NSD:FFFFFFD424975388| 31 BC 8E 72 65 1F 5E 13 0x135E1F65728EBC31
52 NSD:FFFFFFD424975390| D0 E3 9C 2E 90 FF FF FF 0xFFFFFF902E9CE3D0 \\vmlinux\clk-rcg2\clk_rcg2_dfs_determine_rate+0x110
53 NSD:FFFFFFD424975398| A8 1B 03 2E 90 FF FF FF 0xFFFFFF902E031BA8 \\vmlinux\slub\kmem_cache_alloc_trace+0x358
54 NSD:FFFFFFD4249753A0| D0 E3 9C 2E 90 FF FF FF 0xFFFFFF902E9CE3D0 \\vmlinux\clk-rcg2\clk_rcg2_dfs_determine_rate+0x110
55 NSD:FFFFFFD4249753A8| C4 CD 98 2E 90 FF FF FF 0xFFFFFF902E98CDC4 \\vmlinux\clk\clk_core_round_rate_nolock+0x2CC
56 NSD:FFFFFFD4249753B0| F0 D0 98 2E 90 FF FF FF 0xFFFFFF902E98D0F0 \\vmlinux\clk\clk_hw_round_rate+0x278
57 NSD:FFFFFFD4249753B8| 0C F1 9C 2E 90 FF FF FF 0xFFFFFF902E9CF10C \\vmlinux\clk-branch\clk_branch2_round_rate+0x3C
58 NSD:FFFFFFD4249753C0| 44 CE 98 2E 90 FF FF FF 0xFFFFFF902E98CE44 \\vmlinux\clk\clk_core_round_rate_nolock+0x34C
59 NSD:FFFFFFD4249753C8| C0 D4 98 2E 90 FF FF FF 0xFFFFFF902E98D4C0 \\vmlinux\clk\clk_round_rate+0x358
60 NSD:FFFFFFD4249753D0| 8C 80 9B 30 90 FF FF FF 0xFFFFFF90309B808C \\vmlinux\qcom-geni-se\geni_se_clk_tbl_get+0x19C
61 NSD:FFFFFFD4249753D8| B4 82 9B 30 90 FF FF FF 0xFFFFFF90309B82B4 \\vmlinux\qcom-geni-se\geni_se_clk_freq_match+0xA4
62 NSD:FFFFFFD4249753E0| 5C D4 10 2F 90 FF FF FF 0xFFFFFF902F10D45C \\vmlinux\spi-geni-qcom\get_spi_clk_cfg+0xBC
63 NSD:FFFFFFD4249753E8| DC 95 10 2F 90 FF FF FF 0xFFFFFF902F1095DC \\vmlinux\spi-geni-qcom\spi_geni_transfer_one+0x574
64 NSD:FFFFFFD4249753F0| B8 15 10 2F 90 FF FF FF 0xFFFFFF902F1015B8 \\vmlinux\spi\spi_transfer_one_message+0x458
65 NSD:FFFFFFD4249753F8| 24 92 0F 2F 90 FF FF FF 0xFFFFFF902F0F9224 \\vmlinux\spi\__spi_pump_messages+0x1034
66 NSD:FFFFFFD424975400| 58 E1 0F 2F 90 FF FF FF 0xFFFFFF902F0FE158 \\vmlinux\spi\__spi_sync+0x358
67 NSD:FFFFFFD424975408| D4 EA 0F 2F 90 FF FF FF 0xFFFFFF902F0FEAD4 \\vmlinux\spi\spi_write_then_read+0x3DC
68 NSD:FFFFFFD424975410| 48 2D AB 30 90 FF FF FF 0xFFFFFF9030AB2D48 \\vmlinux\ice40-spi\ice40_fpga_ops_write+0x1B8
69 NSD:FFFFFFD424975418| 00 00 00 00 07 00 00 00 0x700000000
70 NSD:FFFFFFD424975420| DC E9 FF FF 00 00 00 00 0xFFFFE9DC
71 NSD:FFFFFFD424975428| F0 E9 03 2E 90 FF FF FF 0xFFFFFF902E03E9F0 \\vmlinux\quarantine\qlink_free+0x18
72 NSD:FFFFFFD424975430| 08 EA 03 2E 90 FF FF FF 0xFFFFFF902E03EA08 \\vmlinux\quarantine\qlink_free+0x30
73 NSD:FFFFFFD424975438| 68 E6 03 2E 90 FF FF FF 0xFFFFFF902E03E668 \\vmlinux\quarantine\quarantine_reduce+0x158
74 NSD:FFFFFFD424975440| 94 BD 03 2E 90 FF FF FF 0xFFFFFF902E03BD94 \\vmlinux\kasan\kasan_kmalloc+0x44
75 NSD:FFFFFFD424975448| 44 BD 03 2E 90 FF FF FF 0xFFFFFF902E03BD44 \\vmlinux\kasan\kasan_slab_alloc+0x14
76 NSD:FFFFFFD424975450| BC 17 03 2E 90 FF FF FF 0xFFFFFF902E0317BC \\vmlinux\slub\kmem_cache_alloc+0x2EC
77 NSD:FFFFFFD424975458| F4 B7 08 2E 90 FF FF FF 0xFFFFFF902E08B7F4 \\vmlinux\file_table\__alloc_file+0x3C
78 NSD:FFFFFFD424975460| E4 B6 08 2E 90 FF FF FF 0xFFFFFF902E08B6E4 \\vmlinux\file_table\alloc_empty_file+0x94
79 NSD:FFFFFFD424975468| E0 B2 0A 2E 90 FF FF FF 0xFFFFFF902E0AB2E0 \\vmlinux\fs/namei\path_openat+0x100
80 NSD:FFFFFFD424975470| D4 AF 0A 2E 90 FF FF FF 0xFFFFFF902E0AAFD4 \\vmlinux\fs/namei\do_filp_open+0x1B4
81 NSD:FFFFFFD424975478| C8 E9 07 2E 90 FF FF FF 0xFFFFFF902E07E9C8 \\vmlinux\open\do_sys_open+0x250
82 NSD:FFFFFFD424975480| 2C EE 07 2E 90 FF FF FF 0xFFFFFF902E07EE2C \\vmlinux\open\__arm64_sys_openat+0x9C
83 NSD:FFFFFFD424975488| 00 05 AB 2D 90 FF FF FF 0xFFFFFF902DAB0500 \\vmlinux\kernel/syscall\el0_svc_common+0x158
84 NSD:FFFFFFD424975490| 40 03 AB 2D 90 FF FF FF 0xFFFFFF902DAB0340 \\vmlinux\kernel/syscall\el0_svc_handler+0x108
85 NSD:FFFFFFD424975498| 88 57 A8 2D 90 FF FF FF 0xFFFFFF902DA85788 \\vmlinux\Global\el0_svc+0x8
86 NSD:FFFFFFD4249754A0| 00 00 00 00 00 00 00 00 0x0
87 NSD:FFFFFFD4249754A8| 00 00 00 00 00 00 00 00 0x0
88 NSD:FFFFFFD4249754B0| 07 00 00 00 CD 05 00 00 0x5CD00000007
89 NSD:FFFFFFD4249754B8| DA E9 FF FF 00 00 00 00 0xFFFFE9DA
90 NSD:FFFFFFD4249754C0| 07 00 00 00 31 04 80 BB 0xBB80043100000007
91 NSD:FFFFFFD4249754C8| FB 16 00 00 BA 02 80 96 0x968002BA000016FB
92 NSD:FFFFFFD4249754D0| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
93 NSD:FFFFFFD4249754D8| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
94 NSD:FFFFFFD4249754E0| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
95 NSD:FFFFFFD4249754E8| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
96 NSD:FFFFFFD4249754F0| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
97 NSD:FFFFFFD4249754F8| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
98 NSD:FFFFFFD424975500| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
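The memory dump above can be interpreted as follows.
* Lines 1-17: filled with the value 0xCC, which is the SLUB_RED_ACTIVE macro.
#define SLUB_RED_ACTIVE 0xcc
* Lines 18-49: the memory region that holds the slub object itself.
The size of the slub object is 0x100.
- FFFFFFD424975380 - FFFFFFD424975280 = 0x100
* Lines 52-70: the call stack and process information recorded when the slub object was allocated, represented by a track structure.
* Lines 71-89: the call stack and process information recorded when the slub object was freed, represented by a track structure.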
Checking the slub object's track information
Next, let's check the track information of this slub object.
First, we examine the track structure recorded when the slub object was allocated.
1 (struct track *) (struct track*)0xFFFFFFD424975390 = 0xFFFFFFD424975390 = end+0x43F00B7390 -> (
2 (long unsigned int) addr = 18446743593455248336 = 0xFFFFFF902E9CE3D0,
3 (long unsigned int [16]) addrs = (
4 [0] = 18446743593445170088 = 0xFFFFFF902E031BA8,
5 [1] = 18446743593455248336 = 0xFFFFFF902E9CE3D0,
6 [2] = 18446743593454980548 = 0xFFFFFF902E98CDC4,
7 [3] = 18446743593454981360 = 0xFFFFFF902E98D0F0,
8 [4] = 18446743593455251724 = 0xFFFFFF902E9CF10C,
9 [5] = 18446743593454980676 = 0xFFFFFF902E98CE44,
10 [6] = 18446743593454982336 = 0xFFFFFF902E98D4C0,
11 [7] = 18446743593488711820 = 0xFFFFFF90309B808C,
12 [8] = 18446743593488712372 = 0xFFFFFF90309B82B4,
13 [9] = 18446743593462846556 = 0xFFFFFF902F10D45C,
14 [10] = 18446743593462830556 = 0xFFFFFF902F1095DC,
15 [11] = 18446743593462797752 = 0xFFFFFF902F1015B8,
16 [12] = 18446743593462764068 = 0xFFFFFF902F0F9224,
17 [13] = 18446743593462784344 = 0xFFFFFF902F0FE158,
18 [14] = 18446743593462786772 = 0xFFFFFF902F0FEAD4,
19 [15] = 18446743593489739080 = 0xFFFFFF9030AB2D48),
20 (int) cpu = 0 = 0x0,
21 (int) pid = 7 = 0x7,
22 (long unsigned int) when = 4294961628 = 0xFFFFE9DC)
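The debugging information above can be summarized as follows.
* Lines 2-19: the addresses of the function call stack.
* Line 20: the CPU number.
* Line 21: the PID.
* Line 22: the jiffies value when the slub object was allocated.
Now let's examine the track structure recorded when the slub object was freed.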
1 (struct track *) (struct track*)0xFFFFFFD424975428 = 0xFFFFFFD424975428 = end+0x43F00B7428 -> (
2 (long unsigned int) addr = 18446743593445222896 = 0xFFFFFF902E03E9F0,
3 (long unsigned int [16]) addrs = (
4 [0] = 18446743593445222920 = 0xFFFFFF902E03EA08,
5 [1] = 18446743593445221992 = 0xFFFFFF902E03E668,
6 [2] = 18446743593445211540 = 0xFFFFFF902E03BD94,
7 [3] = 18446743593445211460 = 0xFFFFFF902E03BD44,
8 [4] = 18446743593445169084 = 0xFFFFFF902E0317BC,
9 [5] = 18446743593445537780 = 0xFFFFFF902E08B7F4,
10 [6] = 18446743593445537508 = 0xFFFFFF902E08B6E4,
11 [7] = 18446743593445667552 = 0xFFFFFF902E0AB2E0,
12 [8] = 18446743593445666772 = 0xFFFFFF902E0AAFD4,
13 [9] = 18446743593445485000 = 0xFFFFFF902E07E9C8,
14 [10] = 18446743593445486124 = 0xFFFFFF902E07EE2C,
15 [11] = 18446743593439397120 = 0xFFFFFF902DAB0500,
16 [12] = 18446743593439396672 = 0xFFFFFF902DAB0340,
17 [13] = 18446743593439221640 = 0xFFFFFF902DA85788,
18 [14] = 0 = 0x0,
19 [15] = 0 = 0x0),
20 (int) cpu = 7 = 0x7,
21 (int) pid = 1485 = 0x05CD,
22 (long unsigned int) when = 4294961626 = 0xFFFFE9DA)
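The debugging information above reads as follows.
* Lines 2-19: the addresses of the function call stack.
* Line 20: the CPU number.
* Line 21: the PID.
* Line 22: the jiffies value when the slub object was freed.
In this way we can see the call stack and process information from when a slub object was allocated and when it was freed.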
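The slot layout and track records walked through above, as an added C example (not code from the original post or from the kernel): it checks the 0xCC red zones of a raw slot image and decodes the alloc and free track records. The offsets are read off this page's kmalloc-256 dump and the slot image is constructed; the function names, and reading a newer alloc timestamp as a sign that the free record is left over from the slot's previous owner, are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLUB_RED_ACTIVE   0xcc /* red-zone fill byte quoted on the page */
#define TRACK_ADDRS_COUNT 16   /* addrs[16] in the page's struct track dump */
#define TRACK_SIZE        (8 + 8 * TRACK_ADDRS_COUNT + 4 + 4 + 8) /* 0x98 */
/* Slot geometry read off the page's kmalloc-256 dump; other caches differ. */
enum {
    RED_LEFT  = 0x80,  /* ...5200 to ...527f: left red zone */
    OBJ_SIZE  = 0x100, /* ...5280 to ...537f: payload */
    RED_RIGHT = 8,     /* ...5380: right red zone */
    GAP_WORD  = 8,     /* ...5388: word the page does not explain */
    SLOT_SIZE = 0x300  /* distance between objects in the kmem listing */
};
#define TRACK_OFF(i) (RED_LEFT + OBJ_SIZE + RED_RIGHT + GAP_WORD + (i) * TRACK_SIZE)
enum { TRACK_ALLOC = 0, TRACK_FREE = 1 };

struct track {
    uint64_t addr;
    uint64_t addrs[TRACK_ADDRS_COUNT];
    int32_t  cpu, pid;
    uint64_t when;
};

/* Little-endian accessors so decoding does not depend on the host. */
static uint64_t rd_le(const uint8_t *p, int n)
{
    uint64_t v = 0;
    while (n--)
        v = (v << 8) | p[n];
    return v;
}

static void wr_le(uint8_t *p, uint64_t v, int n)
{
    for (int i = 0; i < n; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Slot offset of the first red-zone byte that is not 0xcc, or -1 if intact. */
long first_redzone_violation(const uint8_t *slot)
{
    for (long i = 0; i < RED_LEFT + OBJ_SIZE + RED_RIGHT; i++) {
        int in_zone = i < RED_LEFT || i >= RED_LEFT + OBJ_SIZE;
        if (in_zone && slot[i] != SLUB_RED_ACTIVE)
            return i;
    }
    return -1;
}

/* Decode the alloc (0) or free (1) track record from a raw slot image. */
void read_track(const uint8_t *slot, int which, struct track *t)
{
    const uint8_t *p = slot + TRACK_OFF(which);
    t->addr = rd_le(p, 8);
    for (int i = 0; i < TRACK_ADDRS_COUNT; i++)
        t->addrs[i] = rd_le(p + 8 + 8 * i, 8);
    t->cpu  = (int32_t)rd_le(p + 136, 4);
    t->pid  = (int32_t)rd_le(p + 140, 4);
    t->when = rd_le(p + 144, 8);
}

/* 1 if the alloc record is newer than the free record (wrap-safe jiffies
 * compare); assumption: the free track then belongs to the previous owner. */
int free_track_is_stale(const struct track *a, const struct track *f)
{
    return (int64_t)(a->when - f->when) > 0;
}

/* Constructed sample: a slot image seeded with values from the page's dump. */
void build_sample_slot(uint8_t *slot)
{
    uint8_t *a = slot + TRACK_OFF(TRACK_ALLOC), *f = slot + TRACK_OFF(TRACK_FREE);
    memset(slot, 0, SLOT_SIZE);
    memset(slot, SLUB_RED_ACTIVE, RED_LEFT);
    memset(slot + RED_LEFT + OBJ_SIZE, SLUB_RED_ACTIVE, RED_RIGHT);
    wr_le(a, 0xFFFFFF902E9CE3D0ULL, 8);     /* addr: caller of the allocator */
    wr_le(a + 8, 0xFFFFFF902E031BA8ULL, 8); /* addrs[0] */
    wr_le(a + 140, 7, 4);                   /* pid (cpu stays 0) */
    wr_le(a + 144, 0xFFFFE9DCULL, 8);       /* when, in jiffies */
    wr_le(f, 0xFFFFFF902E03E9F0ULL, 8);
    wr_le(f + 136, 7, 4);                   /* cpu */
    wr_le(f + 140, 1485, 4);                /* pid */
    wr_le(f + 144, 0xFFFFE9DAULL, 8);
}

int main(void)
{
    uint8_t slot[SLOT_SIZE];
    struct track a, f;
    build_sample_slot(slot);
    read_track(slot, TRACK_ALLOC, &a);
    read_track(slot, TRACK_FREE, &f);
    printf("alloc pid=%d free pid=%d stale_free=%d\n", a.pid, f.pid, free_track_is_stale(&a, &f));
    slot[RED_LEFT + OBJ_SIZE] = 0x41; /* simulate a one-byte write past the payload */
    printf("red zone violation at offset %#lx\n", (unsigned long)first_redzone_violation(slot));
    return 0;
}
```

The computed track offsets, 0x190 and 0x228, correspond to the addresses 0xFFFFFFD424975390 and 0xFFFFFFD424975428 that the post casts to struct track.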
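Finding the code that allocated the slub object
By making good use of the track structure, we can identify the code that allocated the slub object and the structure that uses the allocated memory.
To do so, let's first look at the debugging information recorded when the slub object was allocated.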
52 NSD:FFFFFFD424975390| D0 E3 9C 2E 90 FF FF FF 0xFFFFFF902E9CE3D0 \\vmlinux\clk-rcg2\clk_rcg2_dfs_determine_rate+0x110
53 NSD:FFFFFFD424975398| A8 1B 03 2E 90 FF FF FF 0xFFFFFF902E031BA8 \\vmlinux\slub\kmem_cache_alloc_trace+0x358
54 NSD:FFFFFFD4249753A0| D0 E3 9C 2E 90 FF FF FF 0xFFFFFF902E9CE3D0 \\vmlinux\clk-rcg2\clk_rcg2_dfs_determine_rate+0x110
55 NSD:FFFFFFD4249753A8| C4 CD 98 2E 90 FF FF FF 0xFFFFFF902E98CDC4 \\vmlinux\clk\clk_core_round_rate_nolock+0x2CC
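From this debugging information we can see that the address of the symbol that allocated the slub object is '0xFFFFFF902E031BA8', which is the symbol kmem_cache_alloc_trace+0x358.
Checking with the crash utility, the code information for the address '0xFFFFFF902E031BA8' is as follows.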
crash64> sym 0xFFFFFF902E9CE3D0
ffffff902e9ce3d0 (t) clk_rcg2_dfs_determine_rate+272 /home/baldcandy/drivers/clk/qcom/clk-rcg2.c: 1471
Opening that code shows that the slub object is allocated in the clk_rcg2_dfs_populate_freq_table() function.
The following is the implementation of clk_rcg2_dfs_populate_freq_table().
1 static int clk_rcg2_dfs_populate_freq_table(struct clk_rcg2 *rcg)
2 {
3 struct freq_tbl *freq_tbl;
4 int i, ret;
5
6 freq_tbl = kcalloc(MAX_PERF_LEVEL + 1, sizeof(*freq_tbl), GFP_KERNEL);
7 if (!freq_tbl)
8 return -ENOMEM;
9 rcg->freq_tbl = freq_tbl;
Lines 3-6 show that this slub object is used as a struct freq_tbl structure.
As the dump of the slub object below shows, the payload, excluding the red zone, starts at address 0xFFFFFFD424975280.
1 ________________address|_data____________________|value_____________|symbol
2 NSD:FFFFFFD424975200| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
3 NSD:FFFFFFD424975208| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
4 NSD:FFFFFFD424975210| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
5 NSD:FFFFFFD424975218| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
6 NSD:FFFFFFD424975220| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
7 NSD:FFFFFFD424975228| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
8 NSD:FFFFFFD424975230| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
9 NSD:FFFFFFD424975238| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
10 NSD:FFFFFFD424975240| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
11 NSD:FFFFFFD424975248| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
12 NSD:FFFFFFD424975250| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
13 NSD:FFFFFFD424975258| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
14 NSD:FFFFFFD424975260| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
15 NSD:FFFFFFD424975268| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
16 NSD:FFFFFFD424975270| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
17 NSD:FFFFFFD424975278| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
18 NSD:FFFFFFD424975280| 00 F8 24 01 00 00 00 00 0x124F800
19 NSD:FFFFFFD424975288| 00 01 00 00 00 00 00 00 0x100
20 NSD:FFFFFFD424975290| 00 00 00 00 00 00 00 00 0x0
21 NSD:FFFFFFD424975298| 00 48 E8 01 00 00 00 00 0x1E84800
22 NSD:FFFFFFD4249752A0| 02 01 08 00 4B 00 00 00 0x4B00080102
Based on this, casting the address 0xFFFFFFD424975280 to struct freq_tbl lets us check the field values.
$ v.v %t %d %i %y (struct freq_tbl*)0xFFFFFFD424975280
(struct freq_tbl *) (struct freq_tbl*)0xFFFFFFD424975280 = 0xFFFFFFD424975280
(long unsigned int) freq = 19200000,
(u8) src = 0,
(u8) pre_div = 1,
(u16) m = 0,
(u16) n = 0,
(long unsigned int) src_freq = 0)
Checking a slab page (kmalloc-256) with the crash utility
This time, let's check the debugging information of another slub object (kmalloc-256).
crash64> kmem ffffffbf50925d00
1 CACHE OBJSIZE ALLOCATED TOTAL SLABS SSIZE NAME
2 ffffffd3c08e7780 256 36025 36046 1718 16k kmalloc-256
3 SLAB MEMORY NODE TOTAL ALLOCATED FREE
4 ffffffbf50925d00 ffffffd424974000 0 21 21 0
5 FREE / [ALLOCATED]
6 [ffffffd424974000]
7 [ffffffd424974300]
8 [ffffffd424974600]
9 [ffffffd424974900]
10 [ffffffd424974c00]
11 [ffffffd424974f00]
12 [ffffffd424975200]
13 [ffffffd424975500]
14 [ffffffd424975800]
15 [ffffffd424975b00]
16 [ffffffd424975e00]
17 [ffffffd424976100]
18 [ffffffd424976400]
19 [ffffffd424976700]
20 [ffffffd424976a00]
21 [ffffffd424976d00]
22 [ffffffd424977000]
23 [ffffffd424977300]
24 [ffffffd424977600]
25 [ffffffd424977900]
26 [ffffffd424977c00]
27
28 PAGE PHYSICAL MAPPING INDEX CNT FLAGS
29 ffffffbf50925d00 e4974000 ffffffd3c08e7780 0 1 10200 slab,head
Let's look at the slub object at address FFFFFFD424977000, shown on line 22 of the output above.
1 ________________address|_data____________________|value_____________|symbol
2 NSD:FFFFFFD424977000| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
3 NSD:FFFFFFD424977008| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
4 NSD:FFFFFFD424977010| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
5 NSD:FFFFFFD424977018| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
6 NSD:FFFFFFD424977020| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
7 NSD:FFFFFFD424977028| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
8 NSD:FFFFFFD424977030| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
9 NSD:FFFFFFD424977038| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
10 NSD:FFFFFFD424977040| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
11 NSD:FFFFFFD424977048| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
12 NSD:FFFFFFD424977050| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
13 NSD:FFFFFFD424977058| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
14 NSD:FFFFFFD424977060| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
15 NSD:FFFFFFD424977068| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
16 NSD:FFFFFFD424977070| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
17 NSD:FFFFFFD424977078| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
18 NSD:FFFFFFD424977080| 80 55 9B AF D4 FF FF FF 0xFFFFFFD4AF9B5580
19 NSD:FFFFFFD424977088| 80 4C 97 24 D4 FF FF FF 0xFFFFFFD424974C80
20 NSD:FFFFFFD424977090| 01 00 00 00 00 77 6C 61 0x616C770000000001
21 NSD:FFFFFFD424977098| 6E 5F 69 70 61 5F 63 6F 0x6F635F6170695F6E
22 NSD:FFFFFFD4249770A0| 72 65 2E 63 00 00 00 00 0x632E6572
23 NSD:FFFFFFD4249770A8| 00 00 00 00 00 00 00 00 0x0
24 NSD:FFFFFFD4249770B0| 00 00 00 00 00 00 00 00 0x0
25 NSD:FFFFFFD4249770B8| 00 00 00 00 00 00 00 00 0x0
26 NSD:FFFFFFD4249770C0| 00 00 00 00 00 00 00 00 0x0
27 NSD:FFFFFFD4249770C8| 45 08 00 00 28 00 00 00 0x2800000845
28 NSD:FFFFFFD4249770D0| A0 40 58 30 90 FF FF FF 0xFFFFFF90305840A0 \\vmlinux\wlan_ipa_core\wlan_ipa_setup+0xDC0
29 NSD:FFFFFFD4249770D8| 68 67 66 65 64 63 62 61 0x6162636465666768
30 NSD:FFFFFFD4249770E0| 14 39 97 B8 00 00 00 00 0xB8973914
31 NSD:FFFFFFD4249770E8| E8 4C 97 24 D4 FF FF FF 0xFFFFFFD424974CE8
32 NSD:FFFFFFD4249770F0| E8 55 9B AF D4 FF FF FF 0xFFFFFFD4AF9B55E8
33 NSD:FFFFFFD4249770F8| 00 00 00 00 00 00 00 00 0x0
34 NSD:FFFFFFD424977100| 0A 00 00 00 00 00 00 00 0x0A
35 NSD:FFFFFFD424977108| 00 00 00 00 00 00 00 00 0x0
36 NSD:FFFFFFD424977110| 87 86 85 84 83 82 81 80 0x8081828384858687
37 NSD:FFFFFFD424977118| 00 00 00 00 00 00 00 00 0x0
38 NSD:FFFFFFD424977120| 00 00 00 00 00 00 00 00 0x0
39 NSD:FFFFFFD424977128| 00 00 00 00 00 00 00 00 0x0
40 NSD:FFFFFFD424977130| 00 00 00 00 00 00 00 00 0x0
41 NSD:FFFFFFD424977138| 00 00 00 00 00 00 00 00 0x0
42 NSD:FFFFFFD424977140| 00 00 00 00 00 00 00 00 0x0
43 NSD:FFFFFFD424977148| 00 00 00 00 00 00 00 00 0x0
44 NSD:FFFFFFD424977150| 00 00 00 00 00 00 00 00 0x0
45 NSD:FFFFFFD424977158| 00 00 00 00 00 00 00 00 0x0
46 NSD:FFFFFFD424977160| 00 00 00 00 00 00 00 00 0x0
47 NSD:FFFFFFD424977168| 00 00 00 00 00 00 00 00 0x0
48 NSD:FFFFFFD424977170| 00 00 00 00 00 00 00 00 0x0
49 NSD:FFFFFFD424977178| 00 00 00 00 00 00 00 00 0x0
50 NSD:FFFFFFD424977180| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
51 NSD:FFFFFFD424977188| 31 8C 8E 72 65 1F 5E 13 0x135E1F65728E8C31
52 NSD:FFFFFFD424977190| 44 B8 1A 30 90 FF FF FF 0xFFFFFF90301AB844 \\vmlinux\qdf_mem\qdf_mem_malloc_debug+0x13C
53 NSD:FFFFFFD424977198| 3C 43 03 2E 90 FF FF FF 0xFFFFFF902E03433C \\vmlinux\slub\__kmalloc+0x3AC
54 NSD:FFFFFFD4249771A0| 44 B8 1A 30 90 FF FF FF 0xFFFFFF90301AB844 \\vmlinux\qdf_mem\qdf_mem_malloc_debug+0x13C
55 NSD:FFFFFFD4249771A8| B8 4A 58 30 90 FF FF FF 0xFFFFFF9030584AB8 \\vmlinux\wlan_ipa_core\wlan_ipa_setup_sys_pipe+0x3A8
56 NSD:FFFFFFD4249771B0| A0 40 58 30 90 FF FF FF 0xFFFFFF90305840A0 \\vmlinux\wlan_ipa_core\wlan_ipa_setup+0xDC0
57 NSD:FFFFFFD4249771B8| 78 E3 57 30 90 FF FF FF 0xFFFFFF903057E378 \\vmlinux\wlan_ipa_main\ipa_obj_setup+0x28
58 NSD:FFFFFFD4249771C0| 00 DD 57 30 90 FF FF FF 0xFFFFFF903057DD00 \\vmlinux\wlan_ipa_obj_mgmt_api\ipa_pdev_obj_create_notification+0x138
59 NSD:FFFFFFD4249771C8| B0 C0 48 30 90 FF FF FF 0xFFFFFF903048C0B0 \\vmlinux\wlan_objmgr_pdev_obj\wlan_objmgr_pdev_obj_create+0x338
60 NSD:FFFFFFD4249771D0| C8 FF DF 2F 90 FF FF FF 0xFFFFFF902FDFFFC8 \\vmlinux\wlan_hdd_object_manager\hdd_objmgr_create_and_store_pdev+0xF8
61 NSD:FFFFFFD4249771D8| 80 61 DC 2F 90 FF FF FF 0xFFFFFF902FDC6180 \\vmlinux\wlan_hdd_main\hdd_update_tgt_cfg+0xC0
62 NSD:FFFFFFD4249771E0| 20 9D 1F 30 90 FF FF FF 0xFFFFFF90301F9D20 \\vmlinux\wma_main\wma_rx_ready_event+0x2910
63 NSD:FFFFFFD4249771E8| F8 C9 1E 30 90 FF FF FF 0xFFFFFF90301EC9F8 \\vmlinux\wma_main\wma_legacy_service_ready_event_handler+0x70
64 NSD:FFFFFFD4249771F0| 60 D2 42 30 90 FF FF FF 0xFFFFFF903042D260 \\vmlinux\init_event_handler\init_deinit_ready_event_handler+0x490
65 NSD:FFFFFFD4249771F8| E8 FB 2D 30 90 FF FF FF 0xFFFFFF90302DFBE8 \\vmlinux\wmi_unified\__wmi_control_rx+0xA78
66 NSD:FFFFFFD424977200| B8 11 2E 30 90 FF FF FF 0xFFFFFF90302E11B8 \\vmlinux\wmi_unified\wmi_rx_event_work+0x4E0
67 NSD:FFFFFFD424977208| 50 5E 1A 30 90 FF FF FF 0xFFFFFF90301A5E50 \\vmlinux\qdf_defer\__qdf_defer_func+0x68
68 NSD:FFFFFFD424977210| B8 3F B5 2D 90 FF FF FF 0xFFFFFF902DB53FB8 \\vmlinux\workqueue\process_one_work+0x900
69 NSD:FFFFFFD424977218| 06 00 00 00 37 09 00 00 0x93700000006
70 NSD:FFFFFFD424977220| 1A C4 FF FF 00 00 00 00 0xFFFFC41A
71 NSD:FFFFFFD424977228| F0 E9 03 2E 90 FF FF FF 0xFFFFFF902E03E9F0 \\vmlinux\quarantine\qlink_free+0x18
72 NSD:FFFFFFD424977230| 08 EA 03 2E 90 FF FF FF 0xFFFFFF902E03EA08 \\vmlinux\quarantine\qlink_free+0x30
73 NSD:FFFFFFD424977238| 68 E6 03 2E 90 FF FF FF 0xFFFFFF902E03E668 \\vmlinux\quarantine\quarantine_reduce+0x158
74 NSD:FFFFFFD424977240| 94 BD 03 2E 90 FF FF FF 0xFFFFFF902E03BD94 \\vmlinux\kasan\kasan_kmalloc+0x44
75 NSD:FFFFFFD424977248| 44 BD 03 2E 90 FF FF FF 0xFFFFFF902E03BD44 \\vmlinux\kasan\kasan_slab_alloc+0x14
76 NSD:FFFFFFD424977250| BC 17 03 2E 90 FF FF FF 0xFFFFFF902E0317BC \\vmlinux\slub\kmem_cache_alloc+0x2EC
77 NSD:FFFFFFD424977258| 50 52 0A 2E 90 FF FF FF 0xFFFFFF902E0A5250 \\vmlinux\fs/namei\getname_flags+0xC8
78 NSD:FFFFFFD424977260| 58 9A 0A 2E 90 FF FF FF 0xFFFFFF902E0A9A58 \\vmlinux\fs/namei\user_path_at_empty+0x40
79 NSD:FFFFFFD424977268| 18 50 09 2E 90 FF FF FF 0xFFFFFF902E095018 \\vmlinux\fs/stat\vfs_statx+0xF8
80 NSD:FFFFFFD424977270| CC 54 09 2E 90 FF FF FF 0xFFFFFF902E0954CC \\vmlinux\fs/stat\__arm64_sys_newfstatat+0x11C
81 NSD:FFFFFFD424977278| 00 05 AB 2D 90 FF FF FF 0xFFFFFF902DAB0500 \\vmlinux\kernel/syscall\el0_svc_common+0x158
82 NSD:FFFFFFD424977280| 40 03 AB 2D 90 FF FF FF 0xFFFFFF902DAB0340 \\vmlinux\kernel/syscall\el0_svc_handler+0x108
83 NSD:FFFFFFD424977288| 88 57 A8 2D 90 FF FF FF 0xFFFFFF902DA85788 \\vmlinux\Global\el0_svc+0x8
84 NSD:FFFFFFD424977290| 00 00 00 00 00 00 00 00 0x0
85 NSD:FFFFFFD424977298| 00 00 00 00 00 00 00 00 0x0
86 NSD:FFFFFFD4249772A0| 00 00 00 00 00 00 00 00 0x0
87 NSD:FFFFFFD4249772A8| 00 00 00 00 00 00 00 00 0x0
88 NSD:FFFFFFD4249772B0| 06 00 00 00 CA 07 00 00 0x7CA00000006
89 NSD:FFFFFFD4249772B8| 16 C4 FF FF 00 00 00 00 0xFFFFC416
90 NSD:FFFFFFD4249772C0| 37 09 00 00 AC 03 E0 BB 0xBBE003AC00000937
91 NSD:FFFFFFD4249772C8| 7C 04 00 00 CA 02 60 F7 0xF76002CA0000047C
92 NSD:FFFFFFD4249772D0| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
93 NSD:FFFFFFD4249772D8| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
94 NSD:FFFFFFD4249772E0| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
95 NSD:FFFFFFD4249772E8| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
96 NSD:FFFFFFD4249772F0| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
97 NSD:FFFFFFD4249772F8| 5A 5A 5A 5A 5A 5A 5A 5A 0x5A5A5A5A5A5A5A5A
Checking the slub object's track information
This time, let's check the track structure recorded when this slub object was allocated.
(struct track *) (struct track*)0xFFFFFFD424977190 = 0xFFFFFFD424977190 = end+0x43F00B9190 -> (
(long unsigned int) addr = 18446743593480271940 = 0xFFFFFF90301AB844, // qdf_mem\qdf_mem_malloc_debug+0x13C
(long unsigned int [16]) addrs = (
[0] = 18446743593445180220 = 0xFFFFFF902E03433C, // __kmalloc+0x3AC
[1] = 18446743593480271940 = 0xFFFFFF90301AB844, // qdf_mem\qdf_mem_malloc_debug+0x13C
[2] = 18446743593484307128 = 0xFFFFFF9030584AB8, // wlan_ipa_core\wlan_ipa_setup_sys_pipe+0x3A8
[3] = 18446743593484304544 = 0xFFFFFF90305840A0, // wlan_ipa_core\wlan_ipa_setup+0xDC0
[4] = 18446743593484280696 = 0xFFFFFF903057E378, // wlan_ipa_main\ipa_obj_setup+0x28
[5] = 18446743593484279040 = 0xFFFFFF903057DD00, // ipa_pdev_obj_create_notification+0x138
[6] = 18446743593483288752 = 0xFFFFFF903048C0B0, // wlan_objmgr_pdev_obj_create+0x338
[7] = 18446743593476423624 = 0xFFFFFF902FDFFFC8, // hdd_objmgr_create_and_store_pdev+0xF8
[8] = 18446743593476186496 = 0xFFFFFF902FDC6180, // hdd_update_tgt_cfg+0xC0
[9] = 18446743593480592672 = 0xFFFFFF90301F9D20, // wma_rx_ready_event+0x2910
[10] = 18446743593480538616 = 0xFFFFFF90301EC9F8, // wma_legacy_service_ready_event_handler+0x70
[11] = 18446743593482900064 = 0xFFFFFF903042D260, // init_deinit_ready_event_handler+0x490
[12] = 18446743593481534440 = 0xFFFFFF90302DFBE8, // __wmi_control_rx+0xA78
[13] = 18446743593481540024 = 0xFFFFFF90302E11B8, // wmi_rx_event_work+0x4E0
[14] = 18446743593480248912 = 0xFFFFFF90301A5E50, // __qdf_defer_func+0x68
[15] = 18446743593440067512 = 0xFFFFFF902DB53FB8), // process_one_work+0x900
(int) cpu = 6 = 0x6,
(int) pid = 2359 = 0x0937,
(long unsigned int) when = 4294951962 = 0xFFFFC41A)
The symbol at address 0xFFFFFF90301AB844 is qdf_mem_malloc_debug+0x13C, and the implementation of that function is as follows.
1 void *qdf_mem_malloc_debug(size_t size, const char *file, uint32_t line,
2 void *caller, uint32_t flag)
3 {
4 QDF_STATUS status;
5 enum qdf_debug_domain current_domain = qdf_debug_domain_get();
6 qdf_list_t *mem_list = qdf_mem_list_get(current_domain);
7 struct qdf_mem_header *header;
8 void *ptr;
9 unsigned long start, duration;
10 ...
11 start = qdf_mc_timer_get_system_time();
12 header = kzalloc(size + QDF_MEM_DEBUG_SIZE, flag);
13 duration = qdf_mc_timer_get_system_time() - start;
Lines 7 and 12 show that this slub object was used as a qdf_mem_header structure.
Casting the address 0xFFFFFFD424977080 to the qdf_mem_header structure gives the following output.
(struct qdf_mem_header *) (struct qdf_mem_header*)0xFFFFFFD424977080
(qdf_list_node_t) node = (
(struct list_head *) next = 0xFFFFFFD4AF9B5580,
(struct list_head *) prev = 0xFFFFFFD424974C80),
(enum qdf_debug_domain) domain = QDF_DEBUG_DOMAIN_ACTIVE = 1,
(uint8_t) freed = 0,
(char [48]) file = "wlan_ipa_core.c",
(uint32_t) line = 2117,
(uint32_t) size = 40,
(void *) caller = 0xFFFFFF90305840A0 = wlan_ipa_setup+0xDC0,
(uint64_t) header = 7017280452245743464,
(uint64_t) time = 3096918292)
Checking a slab page (kmalloc-512) with the crash utility
This time, let's look at a kmalloc-512 slub object.
1 crash64> kmem 0xFFFFFFBF4F6EA200
2 CACHE OBJSIZE ALLOCATED TOTAL SLABS SSIZE NAME
3 ffffffd3c08e0780 512 16918 18276 572 32k kmalloc-512
4 SLAB MEMORY NODE TOTAL ALLOCATED FREE
5 ffffffbf4f6ea200 ffffffd3dba88000 0 32 28 4
6 FREE / [ALLOCATED]
7 [ffffffd3dba88000]
8 [ffffffd3dba88400]
9 [ffffffd3dba88800]
10 [ffffffd3dba88c00]
11 ffffffd3dba89000
12 [ffffffd3dba89400]
13 [ffffffd3dba89800]
14 [ffffffd3dba89c00]
15 [ffffffd3dba8a000]
16 [ffffffd3dba8a400]
17 [ffffffd3dba8a800]
18 [ffffffd3dba8ac00]
19 [ffffffd3dba8b000]
20 [ffffffd3dba8b400]
21 [ffffffd3dba8b800]
22 ffffffd3dba8bc00
23 [ffffffd3dba8c000]
24 [ffffffd3dba8c400]
25 [ffffffd3dba8c800]
26 [ffffffd3dba8cc00]
27 [ffffffd3dba8d000]
28 ffffffd3dba8d400
29 [ffffffd3dba8d800]
30 ffffffd3dba8dc00
31 [ffffffd3dba8e000]
32 [ffffffd3dba8e400]
33 [ffffffd3dba8e800]
34 [ffffffd3dba8ec00]
35 [ffffffd3dba8f000]
36 [ffffffd3dba8f400]
37 [ffffffd3dba8f800]
38 [ffffffd3dba8fc00]
39
40 PAGE PHYSICAL MAPPING INDEX CNT FLAGS
41 ffffffbf4f6ea200 9ba88000 ffffffd3c08e0780 ffffffd3dba8bc80 1 10200 slab,head
42
In the output above, let's look at the slub object at address ffffffd3dba88000.
1 ________________address|_data____________________|value_____________|symbol
2 NSD:FFFFFFD3DBA88000| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
3 NSD:FFFFFFD3DBA88008| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
4 NSD:FFFFFFD3DBA88010| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
5 NSD:FFFFFFD3DBA88018| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
6 NSD:FFFFFFD3DBA88020| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
7 NSD:FFFFFFD3DBA88028| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
8 NSD:FFFFFFD3DBA88030| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
9 NSD:FFFFFFD3DBA88038| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
10 NSD:FFFFFFD3DBA88040| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
11 NSD:FFFFFFD3DBA88048| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
12 NSD:FFFFFFD3DBA88050| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
13 NSD:FFFFFFD3DBA88058| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
14 NSD:FFFFFFD3DBA88060| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
15 NSD:FFFFFFD3DBA88068| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
16 NSD:FFFFFFD3DBA88070| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
17 NSD:FFFFFFD3DBA88078| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
18 NSD:FFFFFFD3DBA88080| 80 D4 47 6E D4 FF FF FF 0xFFFFFFD46E47D480
19 NSD:FFFFFFD3DBA88088| 88 D0 4B 75 D4 FF FF FF 0xFFFFFFD4754BD088
20 NSD:FFFFFFD3DBA88090| 00 00 00 00 00 00 00 00 0x0
21 NSD:FFFFFFD3DBA88098| 00 00 00 00 00 00 00 00 0x0
22 NSD:FFFFFFD3DBA880A0| A0 80 A8 DB D3 FF FF FF 0xFFFFFFD3DBA880A0
23 NSD:FFFFFFD3DBA880A8| A0 80 A8 DB D3 FF FF FF 0xFFFFFFD3DBA880A0
24 NSD:FFFFFFD3DBA880B0| B0 05 00 00 00 00 00 00 0x5B0
25 NSD:FFFFFFD3DBA880B8| 00 00 00 00 00 00 00 00 0x0
26 NSD:FFFFFFD3DBA880C0| 00 00 00 00 00 00 00 00 0x0
27 NSD:FFFFFFD3DBA880C8| C8 80 A8 DB D3 FF FF FF 0xFFFFFFD3DBA880C8
28 NSD:FFFFFFD3DBA880D0| C8 80 A8 DB D3 FF FF FF 0xFFFFFFD3DBA880C8
29 NSD:FFFFFFD3DBA880D8| 00 00 00 00 00 00 00 00 0x0
30 NSD:FFFFFFD3DBA880E0| 00 00 00 00 00 00 00 00 0x0
31 NSD:FFFFFFD3DBA880E8| 00 00 00 00 00 00 00 00 0x0
32 NSD:FFFFFFD3DBA880F0| 03 00 00 00 00 00 00 00 0x3
33 NSD:FFFFFFD3DBA880F8| 01 72 00 00 00 00 00 00 0x7201
34 NSD:FFFFFFD3DBA88100| 00 00 00 00 00 00 00 00 0x0
35 NSD:FFFFFFD3DBA88108| 00 00 00 00 00 00 00 00 0x0
36 NSD:FFFFFFD3DBA88110| 03 00 00 00 00 00 00 00 0x3
37 NSD:FFFFFFD3DBA88118| 01 72 00 00 00 00 00 00 0x7201
38 NSD:FFFFFFD3DBA88120| 00 00 00 00 00 00 00 00 0x0
39 NSD:FFFFFFD3DBA88128| 28 81 A8 DB D3 FF FF FF 0xFFFFFFD3DBA88128
40 NSD:FFFFFFD3DBA88130| 28 81 A8 DB D3 FF FF FF 0xFFFFFFD3DBA88128
41 NSD:FFFFFFD3DBA88138| 00 00 00 00 00 00 00 00 0x0
42 NSD:FFFFFFD3DBA88140| 00 00 00 00 3C 00 00 00 0x3C00000000
43 ...
44 NSD:FFFFFFD3DBA88270| 00 00 00 00 00 00 00 00 0x0
45 NSD:FFFFFFD3DBA88278| 00 00 00 00 00 00 00 00 0x0
46 NSD:FFFFFFD3DBA88280| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
47 NSD:FFFFFFD3DBA88288| 1E AF 63 1C B1 1B 93 8D 0x8D931BB11C63AF1E
48 NSD:FFFFFFD3DBA88290| CC A8 A8 30 90 FF FF FF 0xFFFFFF9030A8A8CC \\vmlinux\binder\binder_get_thread+0x1EC
49 NSD:FFFFFFD3DBA88298| A8 1B 03 2E 90 FF FF FF 0xFFFFFF902E031BA8 \\vmlinux\slub\kmem_cache_alloc_trace+0x358
50 NSD:FFFFFFD3DBA882A0| CC A8 A8 30 90 FF FF FF 0xFFFFFF9030A8A8CC \\vmlinux\binder\binder_get_thread+0x1EC
51 NSD:FFFFFFD3DBA882A8| F0 36 A8 30 90 FF FF FF 0xFFFFFF9030A836F0 \\vmlinux\binder\binder_ioctl+0x368
52 NSD:FFFFFFD3DBA882B0| 74 64 0C 2E 90 FF FF FF 0xFFFFFF902E0C6474 \\vmlinux\fs/ioctl\do_vfs_ioctl+0xA14
53 NSD:FFFFFFD3DBA882B8| 28 71 0C 2E 90 FF FF FF 0xFFFFFF902E0C7128 \\vmlinux\fs/ioctl\__arm64_sys_ioctl+0xB8
54 NSD:FFFFFFD3DBA882C0| 00 05 AB 2D 90 FF FF FF 0xFFFFFF902DAB0500 \\vmlinux\kernel/syscall\el0_svc_common+0x158
55 NSD:FFFFFFD3DBA882C8| 40 03 AB 2D 90 FF FF FF 0xFFFFFF902DAB0340 \\vmlinux\kernel/syscall\el0_svc_handler+0x108
56 NSD:FFFFFFD3DBA882D0| 88 57 A8 2D 90 FF FF FF 0xFFFFFF902DA85788 \\vmlinux\Global\el0_svc+0x8
57 NSD:FFFFFFD3DBA882D8| 00 00 00 00 00 00 00 00 0x0
58 NSD:FFFFFFD3DBA882E0| 00 00 00 00 00 00 00 00 0x0
59 NSD:FFFFFFD3DBA882E8| 00 00 00 00 00 00 00 00 0x0
60 NSD:FFFFFFD3DBA882F0| 00 00 00 00 00 00 00 00 0x0
61 NSD:FFFFFFD3DBA882F8| 00 00 00 00 00 00 00 00 0x0
62 NSD:FFFFFFD3DBA88300| 00 00 00 00 00 00 00 00 0x0
63 NSD:FFFFFFD3DBA88308| 00 00 00 00 00 00 00 00 0x0
64 NSD:FFFFFFD3DBA88310| 00 00 00 00 00 00 00 00 0x0
65 NSD:FFFFFFD3DBA88318| 06 00 00 00 B0 05 00 00 0x5B000000006
66 NSD:FFFFFFD3DBA88320| 96 C3 FF FF 00 00 00 00 0xFFFFC396
67 NSD:FFFFFFD3DBA88328| F0 E9 03 2E 90 FF FF FF 0xFFFFFF902E03E9F0 \\vmlinux\quarantine\qlink_free+0x18
68 NSD:FFFFFFD3DBA88330| 08 EA 03 2E 90 FF FF FF 0xFFFFFF902E03EA08 \\vmlinux\quarantine\qlink_free+0x30
69 NSD:FFFFFFD3DBA88338| 68 E6 03 2E 90 FF FF FF 0xFFFFFF902E03E668 \\vmlinux\quarantine\quarantine_reduce+0x158
70 NSD:FFFFFFD3DBA88340| 94 BD 03 2E 90 FF FF FF 0xFFFFFF902E03BD94 \\vmlinux\kasan\kasan_kmalloc+0x44
71 NSD:FFFFFFD3DBA88348| 44 BD 03 2E 90 FF FF FF 0xFFFFFF902E03BD44 \\vmlinux\kasan\kasan_slab_alloc+0x14
72 NSD:FFFFFFD3DBA88350| BC 17 03 2E 90 FF FF FF 0xFFFFFF902E0317BC \\vmlinux\slub\kmem_cache_alloc+0x2EC
73 NSD:FFFFFFD3DBA88358| 00 AF AE 2D 90 FF FF FF 0xFFFFFF902DAEAF00 \\vmlinux\fork\vm_area_dup+0x30
74 NSD:FFFFFFD3DBA88360| D8 63 FF 2D 90 FF FF FF 0xFFFFFF902DFF63D8 \\vmlinux\mm/mmap\__split_vma+0xA8
75 NSD:FFFFFFD3DBA88368| B4 31 FF 2D 90 FF FF FF 0xFFFFFF902DFF31B4 \\vmlinux\mm/mmap\do_munmap+0x24C
76 NSD:FFFFFFD3DBA88370| 18 1F FF 2D 90 FF FF FF 0xFFFFFF902DFF1F18 \\vmlinux\mm/mmap\mmap_region+0x4E0
77 NSD:FFFFFFD3DBA88378| E0 13 FF 2D 90 FF FF FF 0xFFFFFF902DFF13E0 \\vmlinux\mm/mmap\do_mmap+0x8E8
78 NSD:FFFFFFD3DBA88380| A8 BC F9 2D 90 FF FF FF 0xFFFFFF902DF9BCA8 \\vmlinux\mm/util\vm_mmap_pgoff+0x160
79 NSD:FFFFFFD3DBA88388| FC 2B FF 2D 90 FF FF FF 0xFFFFFF902DFF2BFC \\vmlinux\mm/mmap\ksys_mmap_pgoff+0x10C
80 NSD:FFFFFFD3DBA88390| C0 E1 A9 2D 90 FF FF FF 0xFFFFFF902DA9E1C0 \\vmlinux\arch/arm64/kernel/sys\__arm64_sys_mmap+0xE8
81 NSD:FFFFFFD3DBA88398| 00 05 AB 2D 90 FF FF FF 0xFFFFFF902DAB0500 \\vmlinux\kernel/syscall\el0_svc_common+0x158
82 NSD:FFFFFFD3DBA883A0| 40 03 AB 2D 90 FF FF FF 0xFFFFFF902DAB0340 \\vmlinux\kernel/syscall\el0_svc_handler+0x108
83 NSD:FFFFFFD3DBA883A8| 88 57 A8 2D 90 FF FF FF 0xFFFFFF902DA85788 \\vmlinux\Global\el0_svc+0x8
84 NSD:FFFFFFD3DBA883B0| 07 00 00 00 89 02 00 00 0x28900000007
Checking the slub object's track information
The track structure shows that the kmalloc-512 slub object was allocated at binder_get_thread+0x1EC.
Let's look at the binder_get_thread() function.
1 static struct binder_thread *binder_get_thread(struct binder_proc *proc)
2 {
3 struct binder_thread *thread;
4 struct binder_thread *new_thread;
5
6 binder_inner_proc_lock(proc);
7 thread = binder_get_thread_ilocked(proc, NULL);
8 binder_inner_proc_unlock(proc);
9 if (!thread) {
10 new_thread = kzalloc(sizeof(*thread), GFP_KERNEL);
11 if (new_thread == NULL)
Lines 4 and 10 show that the kmalloc-512 slub object is used as a binder_thread structure.
The payload address of the slub object is FFFFFFD3DBA88080, as shown below:
17 NSD:FFFFFFD3DBA88078| CC CC CC CC CC CC CC CC 0xCCCCCCCCCCCCCCCC
18 NSD:FFFFFFD3DBA88080| 80 D4 47 6E D4 FF FF FF 0xFFFFFFD46E47D480
19 NSD:FFFFFFD3DBA88088| 88 D0 4B 75 D4 FF FF FF 0xFFFFFFD4754BD088
20 NSD:FFFFFFD3DBA88090| 00 00 00 00 00 00 00 00 0x0
Let's cast the address FFFFFFD3DBA88080 to a binder_thread structure.
$ v.v %t %h %i %y %s %d (struct binder_thread*)0xFFFFFFD3DBA88080
(struct binder_thread *) (struct binder_thread*)0xFFFFFFD3DBA88080 = 0xFFFFFFD3DBA88080 = end+0x43
(struct binder_proc *) proc = 0xFFFFFFD46E47D480 = end+0x4439BBF480,
(struct rb_node) rb_node = ((long unsigned int) __rb_parent_color = 18446743886698893448 = 0xFFF
(struct list_head) waiting_thread_node = ((struct list_head *) next = 0xFFFFFFD3DBA880A0 = end+0
(int) pid = 1456 = 0x05B0,
(int) looper = 0 = 0x0,
(bool) looper_need_return = FALSE,
(struct binder_transaction *) transaction_stack = 0x0 = ,
(struct list_head) todo = (
(struct list_head *) next = 0xFFFFFFD3DBA880C8 = end+0x43A71CA0C8,
(struct list_head *) prev = 0xFFFFFFD3DBA880C8 = end+0x43A71CA0C8),
(bool) process_todo = FALSE,
(struct binder_error) return_error = ((struct binder_work) work = ((struct list_head) entry = ((
(struct binder_error) reply_error = ((struct binder_work) work = ((struct list_head) entry = ((s
(wait_queue_head_t) wait = ((spinlock_t) lock = ((struct raw_spinlock) rlock = ((arch_spinlock_t
(struct binder_stats) stats = ((atomic_t [18]) br = ([0] = ((int) counter = 0 = 0x0), [1] = ((in
(atomic_t) tmp_ref = ((int) counter = 0 = 0x0),
(bool) is_dead = FALSE,
(struct task_struct *) task = 0xFFFFFFD4DD85B340 = end+0x44A8F9D340 -> (
(struct thread_info) thread_info = ((long unsigned int) flags = 2048 = 0x0800, (long unsigned
(long int) state = 1 = 0x1,
(void *) stack = 0xFFFFFFD4652D0000 = end+0x4430A12000,
(atomic_t) usage = ((int) counter = 5 = 0x5),
(unsigned int) flags = 1077952576 = 0x40404040,
(unsigned int) ptrace = 0 = 0x0,
This gives us the information shown above.
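The allocation track read by eye above can also be decoded mechanically. The following is an added example, not code from the original post or from the kernel: it splits the 64-bit words of the dump at FFFFFFD3DBA88290 into the fields of the 4.19 `struct track` (with CONFIG_STACKTRACE), and locates both track records from the payload address. The names `track_view`, `alloc_track_words`, `track_address` and `decode_track` are hypothetical, and the red zone and free pointer sizes are the ones observed in this dump.

```c
#include <stdint.h>
#include <stdio.h>
#define TRACK_ADDRS_COUNT 16            /* value used by mm/slub.c in 4.19 */
#define TRACK_SIZE (8 + 8 * TRACK_ADDRS_COUNT + 4 + 4 + 8)   /* 152 bytes */

struct track_view {                     /* decoded copy of one struct track */
    uint64_t addr;                      /* caller of the alloc or free */
    uint64_t addrs[TRACK_ADDRS_COUNT];  /* saved stack trace */
    int32_t cpu, pid;
    uint64_t when;                      /* jiffies */
    int depth;                          /* non-zero entries in addrs[] */
};

/* Value column of the dump, FFFFFFD3DBA88290 .. FFFFFFD3DBA88320. */
static const uint64_t alloc_track_words[19] = {
    0xFFFFFF9030A8A8CCULL,              /* addr: binder_get_thread+0x1EC */
    0xFFFFFF902E031BA8ULL, 0xFFFFFF9030A8A8CCULL, 0xFFFFFF9030A836F0ULL,
    0xFFFFFF902E0C6474ULL, 0xFFFFFF902E0C7128ULL, 0xFFFFFF902DAB0500ULL,
    0xFFFFFF902DAB0340ULL, 0xFFFFFF902DA85788ULL, 0, 0, 0, 0, 0, 0, 0, 0,
    0x000005B000000006ULL,              /* cpu in low half, pid in high half */
    0x00000000FFFFC396ULL,              /* when */
};

/* Layout in this dump: payload, 8-byte red zone, 8-byte free pointer, tracks
 * (which = 0 is the alloc track, which = 1 the free track). */
static uint64_t track_address(uint64_t obj, uint64_t object_size, int which)
{
    return obj + object_size + 8 + 8 + (uint64_t)which * TRACK_SIZE;
}

/* Split little-endian 64-bit words into the fields of struct track. */
static struct track_view decode_track(const uint64_t *w)
{
    struct track_view t = { .addr = w[0] };
    for (int i = 0; i < TRACK_ADDRS_COUNT; i++) {
        t.addrs[i] = w[1 + i];
        t.depth += (t.addrs[i] != 0);
    }
    t.cpu = (int32_t)(w[1 + TRACK_ADDRS_COUNT] & 0xFFFFFFFFu);
    t.pid = (int32_t)(w[1 + TRACK_ADDRS_COUNT] >> 32);
    t.when = w[2 + TRACK_ADDRS_COUNT];
    return t;
}

int main(void)
{
    struct track_view t = decode_track(alloc_track_words);
    printf("alloc track @0x%llx: cpu=%d pid=%d depth=%d\n", (unsigned long long)
           track_address(0xFFFFFFD3DBA88080ULL, 512, 0), t.cpu, t.pid, t.depth);
    return 0;
}
```

The decoded pid matches the `pid = 1456` field of the binder_thread cast, which confirms that the track record and the payload belong to the same allocation.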