How to get object virtual address from a kernel core dump

[Buland Kumar Singh]

On 18 March 2016 at 15:28, Mohammad Y. Zachariah <eng.myz at gmail.com> wrote:
>
> Hello everyone,
>
> I'm taking the way of analysing kernel core dumps as a learning approach using 'crash tool'. One of the interesting crash commands is 'struct' which can print kernel struct definition and/or the actual contents of the structure.
>
> According to struct help page, I need the virtual address of the struct in order to view/print its contents, for example:
>
>     crash> mm_struct.pgd ffff810022e7d080 -px
>       pgd_t *pgd = 0xffff81000e3ac000
>       -> {
>            pgd = 0x2c0a6067
>          }
>
> My question is how to find the mm_struct address "ffff810022e7d080" in the above example in the first place??
>

Hello Zach,

1) Determine the struct task_struct * from ps or set command of crash.

Eg:
crash> set 1
    PID: 1
COMMAND: "init"
   TASK: ffff881029867500  [THREAD_INFO: ffff882029b32000]
    CPU: 2
  STATE: TASK_INTERRUPTIBLE

crash> ps 1
   PID    PPID  CPU       TASK        ST  %MEM     VSZ    RSS  COMM
      1      0   2  ffff881029867500  IN   0.0   24852   1632  init

In above example, struct task_struct * is 0xffff881029867500

2) Determine struct mm_struct * from struct task_struct *

crash> task_struct.mm -ox
struct task_struct {
  [0x480] struct mm_struct *mm;
}

crash> task_struct.mm ffff881029867500
  mm = 0xffff882026b68700

In above example, struct mm_struct * is 0xffff882026b68700

3) Finally determine pgd_t from struct mm_struct *

crash> mm_struct.pgd -ox
struct mm_struct {
   [0x50] pgd_t *pgd;
}

crash> mm_struct.pgd 0xffff882026b68700
  pgd = 0xffff882026a9e000


You achieve the above steps in one line;

Eg:
crash> px ((struct task_struct *)0xffff881029867500)->mm.pgd
$1 = (pgd_t *) 0xffff882026a9e000

-- 
BKS