Overview

When debugging ramdumps for stability issues, I was spending most of my time casting raw addresses to various data structures by hand, like this:

v.v %s (struct task_struct*)0xC1917FCC

To cut that down, I wrote several TRACE32 (T32) macros.

The macro definitions are below. Note that offsetof here uses the classic null-pointer trick: that is fine inside the debugger's expression evaluator, but in real C code use offsetof from <stddef.h>, because forming &((type*)0)->member is undefined behaviour in the language proper.

sYmbol.NEW.MACRO offsetof(type,member) ((int)(&((type*)0)->member))

sYmbol.NEW.MACRO container_of(ptr,type,member) ((type *)((char *)(ptr)-offsetof(type,member)))


offsetof(type,member)

When analyzing assembly code I need to know the offset of a given member, because the compiler emits loads and stores as base register plus the member's offset within the structure, as the two examples below show.

[1]: offset: struct kgsl_context.device is calculated as 0x1C

v.v % offsetof(struct kgsl_context,device)

  (int) offsetof(struct kgsl_context,device) = 28 = 0x1C = '....'

[assembly code]

NSR:C0500F68|E594501C                                  ldr     r5,[r4,#0x1C]

[2]: offset: struct adreno_context.rb

v.v % offsetof(struct adreno_context,rb)

  (int) offsetof(struct adreno_context,rb) = 768 = 0x0300 = '....'

[assembly code]

NSR:C0501054|E5943300                                  ldr     r3,[r4,#0x300]


Code segment for this example

449void adreno_drawctxt_detach(struct kgsl_context *context)

450{

451 struct kgsl_device *device;

452 struct adreno_device *adreno_dev;

453 struct adreno_context *drawctxt;

454 struct adreno_ringbuffer *rb;

455 int ret, count, i;

456 struct kgsl_cmdbatch *list[ADRENO_CONTEXT_CMDQUEUE_SIZE];

//snip

460

461 device = context->device;  // <<--[1]

462 adreno_dev = ADRENO_DEVICE(device);

463 drawctxt = ADRENO_CONTEXT(context);

464 rb = drawctxt->rb; // <<--[2]

465


container_of(ptr,type,member)

(Example1)

To recover the whole "struct task_struct" from a "struct task_struct.tasks.next" pointer (tasks is a list_head embedded inside the task, so the pointer does not point at the start of the task),

I would otherwise have to issue many T32 commands. The container_of(ptr,type,member) macro does it in one step:

v.v %h container_of(0xEE458238,struct task_struct,tasks)

  container_of(0xEE458238,struct task_struct,tasks) = 0xEE458000 -> (

    state = 0x1,

    stack = 0xEE44A000,

//snip

    cputime_expires = (utime = 0x0, stime = 0x0, sum_exec_runtime = 0x0),

    cpu_timers = ((next = 0xEE458380, prev = 0xEE458380), (next = 0xEE458388, pr

    real_cred = 0xE2494D00,

    cred = 0xE2494D00,

    comm = "init",


(where)

  [D:0xC16141E8] init_task = (

    [D:0xC16141E8] state = 0x0,

    [D:0xC16141EC] stack = 0xC1600000,

//snip

    [D:0xC161441C] rcu_blocked_node = 0x0,

    [D:0xC1614420] tasks = (

      [D:0xC1614420] next = 0xEE458238,  // <<--

      [D:0xC1614424] prev = 0xC288B938),

    [D:0xC1614428] pushable_tasks = ([D:0xC1614428] prio = 0x8C, [D:0xC161442C] prio_list = ([D:0xC161442C] next = 0x

//snip

    [D:0xC1614584] cred = 0xC1619D18,

    [D:0xC1614588] comm = "swapper/0",

    [D:0xC1614598] link_count = 0x0,

    [D:0xC161459C] total_link_count = 0x0,


(Example2) The same macro can walk a mutex's wait_list. Be careful with the cast, though: the nodes on mutex.wait_list are not other mutexes but struct mutex_waiter entries, which the mutex code places on the blocked task's kernel stack (0xDAC43DB8 lies inside the 0xDAC42000 stack of the task found below). That is why the output below is garbage when viewed as struct mutex: count and magic hold pointer-like values and name points at unprintable bytes. The correct cast is container_of(0xDB63FE68,struct mutex_waiter,list); the output is kept here to show what a wrong container_of looks like.

v.v %h %s container_of(0xDB63FE68,struct mutex,wait_list)

  container_of(0xDB63FE68,struct mutex,wait_list) = 0xDB63FE54 -> (

    count = (counter = 0xC0C0A56C),

    wait_lock = (rlock = (raw_lock = (slock = 0xC16A057C, tickets = (owner = 0x057C, next = 0xC16A)), magic = 0xC0C08C70, o

    wait_list = (next = 0xDAC43DB8, prev = 0xC15DBC40),

    owner = 0xE0396E00,

    name = 0xDB63FE68 -> ".=..@.].",

    magic = 0xFFFFFFFF)


  container_of(0xDAC43DB8,struct mutex,wait_list) = 0xDAC43DA4 -> (

    count = (counter = 0xC0C0A56C),

    wait_lock = (rlock = (raw_lock = (slock = 0xC16A057C, tickets = (owner = 0x0

    wait_list = (next = 0xDAC55E68, prev = 0xDB63FE68),

    owner = 0xDD5C5D80,

    name = 0xDAC43DB8 -> "h^..h.c..]\..=..``v.,.].",

    magic = 0xDB766060)


(where)  binder_main_lock = (

    count = (counter = 0xFFFFFFFF),

    wait_lock = (rlock = (raw_lock = (slock = 0xF1CCF1CC, tickets = (owner = 0xF

    wait_list = (

      next = 0xDB63FE68 // <<--

        next = 0xDAC43DB8 // <<--

          next = 0xDAC55E68 -> (

            next = 0xC15DBC40 -> (

              next = 0xDB63FE68,


container_of_double_vcast(ptr,type,member,new_member,cast_type)

Definition (first recovers the container of ptr exactly as container_of does, then reads the pointer-typed member new_member out of that container and casts the value to cast_type*; the macro name must match the one used below):

sYmbol.NEW.MACRO container_of_double_vcast(ptr,type,member,new_member,cast_type) ((cast_type *)(*(type *)((char *)(ptr)-offsetof(type,member)+offsetof(type,new_member))))

(Example1: PHONEMODEL-1958) Note that 0xDAC43DB8 is a node on mutex.wait_list, i.e. a struct mutex_waiter, not a struct mutex. The cast below still lands on the blocked task only because owner sits 8 bytes past wait_list in struct mutex (0x1C vs 0x14), which appears to coincide with the task pointer following the list head in struct mutex_waiter; the form that does not rely on that coincidence is container_of_double_vcast(0xDAC43DB8,struct mutex_waiter,list,task,struct task_struct).

container_of_double_vcast(0xDAC43DB8,struct mutex,wait_list,owner,struct task_struct)

  container_of_double_vcast(0xDAC43DB8,struct mutex,wait_list,owner,struct task_struct) = 0xDD5C5D80 -> (

    state = 0x2,

    stack = 0xDAC42000,

    usage = (counter = 0x2),

    flags = 0x00400040,

    ptrace = 0x0,

    wake_entry = (next = 0x0),

    on_cpu = 0x0,

    on_rq = 0x0,

    prio = 0x78,

    static_prio = 0x78,


(where)

  binder_main_lock = (  // <<-- type: struct mutex

    count = (counter = 0xFFFFFFFF),

    wait_lock = (rlock = (raw_lock = (slock = 0xF1CCF1CC, tickets = (owner = 0xF

    wait_list // <<-- member

      next = 0xDB63FE68

        next = 0xDAC43DB8 // <<--  ptr

          next = 0xDAC55E68 -> (

            next = 0xC15DBC40 -> (

              next = 0xDB63FE68,

              prev = 0xDAC55E68),

            prev = 0xDAC43DB8),

          prev = 0xDB63FE68),

        prev = 0xC15DBC40),

      prev = 0xDAC55E68),

    owner = 0xD9E6A100,  // <<-- new_member, cast_type: struct task_struct

    name = 0x0,

    magic = 0xC15DBC2C)


container_down_vcast(ptr,type,member,cast)

Definition (reads the pointer-typed member `member` of the `type` object at ptr and casts the value to cast*; in standard C one would write *(cast **)(...) so the member is read as a pointer, but the T32 expression evaluator accepts the form below, as the output shows):

sYmbol.NEW.MACRO container_down_vcast(ptr,type,member,cast) ((cast *)(*(type *)((char *)(ptr)+offsetof(type,member))))


v.v % container_down_vcast(0xC15DBC2C,struct mutex,owner,struct task_struct)

  container_down_vcast(0xC15DBC2C,struct mutex,owner,struct task_struct) = 0xD9E6A100 -> (

    state = 1,

    stack = 0xD9ECC000,

    usage = (counter = 2),

//snip

    min_flt = 304,

    maj_flt = 0,

    cputime_expires = (utime = 0, stime = 0, sum_exec_runtime = 0),

    cpu_timers = ((next = 0xD9E6A448, prev = 0xD9E6A448), (next = 0xD9E6A450, prev = 0xD9E6A450), (next = 0xD9E6A45

    real_cred = 0xDEEF1900,

    cred = 0xDEEF1900,

    comm = "Binder_4",

    link_count = 0,


(where)

  [D:0xC15DBC2C] binder_main_lock = (  // <<-- ptr: 0xC15DBC2C, type: struct mutex

    [D:0xC15DBC2C] count = ([D:0xC15DBC2C] counter = -1),

    [D:0xC15DBC30] wait_lock = ([D:0xC15DBC30] rlock = ([D:0xC15DBC30] raw_lock

    [D:0xC15DBC40] wait_list = ([D:0xC15DBC40] next = 0xDB63FE68, [D:0xC15DBC44]

    [D:0xC15DBC48] owner = 0xD9E6A100,  // <<--member, cast: struct task_struct

    [D:0xC15DBC4C] name = 0x0,

    [D:0xC15DBC50] magic = 0xC15DBC2C)


threadoffset(ptr)

Definition (masks a stack address down to the 8 KB-aligned base of the kernel stack, where this ARM 3.10 kernel keeps struct thread_info; this mirrors current_thread_info(), sp & ~(THREAD_SIZE - 1), so the mask must be adjusted if THREAD_SIZE differs, and it does not apply to kernels built with CONFIG_THREAD_INFO_IN_TASK, where thread_info lives in task_struct rather than on the stack; the & is required, without it the expression does not parse):

sYmbol.NEW.MACRO threadoffset(ptr) ((ptr) & ~0x1fff)

sYmbol.NEW.MACRO thread_of(ptr) ((struct thread_info *)((int *)threadoffset(ptr)))

When the kernel crashes it prints a log like the one below. The `task:` and `ti:` values in its header are the task_struct and thread_info addresses; the macro above lets you recover them from any address on the stack (here sp = d9ecdd90), which is useful when only a stack address survives.

[ 1894.897301] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM

[ 1894.897314] Modules linked in: texfat(PO)

[ 1894.897333] CPU: 2 PID: 4324 Comm: Binder_4 Tainted: P        W  O 3.10.49-g184f2e4 #1

[ 1894.897347] task: d9e6a100 ti: d9ecc000 task.ti: d9ecc000

[ 1894.897362] PC is at __list_add+0x9c/0xd0

[ 1894.897376] LR is at __list_add+0x58/0xd0

[ 1894.897390] pc : [<c032e9e8>]    lr : [<c032e9a4>]    psr: 000f0093

[ 1894.897390] sp : d9ecdd90  ip : 00000000  fp : dc08da00

[ 1894.897409] r10: d9ecc000  r9 : c16a39ec  r8 : d9e6a100

[ 1894.897422] r7 : 00000000  r6 : d9ecddb8  r5 : c15dbc40  r4 : c0004860

[ 1894.897435] r3 : 00000000  r2 : 00001201  r1 : c16a28a8  r0 : 00000000

[ 1894.897450] Flags: nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user

[ 1894.897464] Control: 10c0383d  Table: 9e06006a  DAC: 00000015

[ 1894.897476] Process Binder_4 (pid: 4324, stack limit = 0xd9ecc238)

[ 1894.897489] Stack: (0xd9ecdd90 to 0xd9ece000)

[ 1894.897504] dd80:                                     00000000 c0004860 c15dbc40 c15dbc2c

[ 1894.897522] dda0: 600f0013 d9ecc030 c15dbc30 c0c08bcc d9ecdddc c15dbc40 d9ecddb8 d9ecddb8

[ 1894.897540] ddc0: 11111111 d9ecddb8 600f0013 c15dbc2c de364e00 b786a844 d9ecc038 c1660598

[ 1894.897557] dde0: 00000000 d9ecc000 dc08da00 c0c08e70 ddf0f000 c072d020 ded48000 c018b544

[ 1894.897574] de00: 00000000 800f0193 00000028 dd041600 c8002ab0 b781ee04 00000000 db0d1c00

[ 1894.897591] de20: c8002ad0 00000000 00000000 b786a840 b786a940 ddf0f01c d9ecdee0 d9ecc000


Given any address on the task's kernel stack, the (struct thread_info *) can be obtained with a single command. As a sanity check, the result 0xD9ECC000 matches the `ti:` value in the Oops header and its task field 0xD9E6A100 matches `task:`.

v.v %all thread_of(0xd9ecdd90)

  (struct thread_info *) thread_of(0xd9ecdd90) = 0xD9ECC000 = __bss_stop+0x1855F

    (long unsigned int) flags = 0 = 0x0 = '....',

    (int) preempt_count = 3 = 0x3 = '....',

    (mm_segment_t) addr_limit = 3204448256 = 0xBF000000 = '....',

    (struct task_struct *) task = 0xD9E6A100 = __bss_stop+0x184FD964 -> ((long i

    (struct exec_domain *) exec_domain = 0xC1579CDC = default_exec_domain -> ((c

    (__u32) cpu = 2 = 0x2 = '....',

    (__u32) cpu_domain = 21 = 0x15 = '....',

    (struct cpu_context_save) cpu_context = ((__u32) r4 = 3740230976 = 0xDEEF654

    (__u32) syscall = 0 = 0x0 = '....',

    (__u8 [16]) used_cp = "",

    (long unsigned int [2]) tp_value = ([0] = 3001371000 = 0xB2E54978 = '..Ix',

    (union fp_state) fpstate = ((struct fp_hard_struct) hard = ((unsigned int [3

    (union vfp_state) vfpstate = ((struct vfp_hard_struct) hard = ((__u64 [32])

    (struct restart_block) restart_block = ((long int (*)()) fn = 0xC0131A64 = d


v.v %all thread_of(0xd9ecddc0)

  (struct thread_info *) thread_of(0xd9ecddc0) = 0xD9ECC000 = __bss_stop+0x1855F

    (long unsigned int) flags = 0 = 0x0 = '....',

    (int) preempt_count = 3 = 0x3 = '....',

    (mm_segment_t) addr_limit = 3204448256 = 0xBF000000 = '....',

    (struct task_struct *) task = 0xD9E6A100 = __bss_stop+0x184FD964 -> ((long i

    (struct exec_domain *) exec_domain = 0xC1579CDC = default_exec_domain -> ((c

    (__u32) cpu = 2 = 0x2 = '....',

    (__u32) cpu_domain = 21 = 0x15 = '....',

    (struct cpu_context_save) cpu_context = ((__u32) r4 = 3740230976 = 0xDEEF654

    (__u32) syscall = 0 = 0x0 = '....',

    (__u8 [16]) used_cp = "",

    (long unsigned int [2]) tp_value = ([0] = 3001371000 = 0xB2E54978 = '..Ix',

    (union fp_state) fpstate = ((struct fp_hard_struct) hard = ((unsigned int [3

    (union vfp_state) vfpstate = ((struct vfp_hard_struct) hard = ((__u64 [32])

    (struct restart_block) restart_block = ((long int (*)()) fn = 0xC0131A64 = d

