----- Original Message -----
Hmm, the /dev/mem does not reflect the kernel and symbols I am
trying
to read, because I do not have a core dump of the crash.
I just tried to read the kernel and modules in crash to read it.
I think we have a basic misunderstanding -- although I'm not sure...
The crash utility requires two pieces:
(1) a vmlinux file built with debuginfo data, and
(2) a memory source -- which can be either:
(a) a kernel core dump, or
(b) a device driver to access physical memory on a live system.
If analyzing a kernel core dump, the vmlinux must be the same kernel
version that was running when the system crashed.
If analyzing a live system, the vmlinux must be the same kernel that
is running on the live system.
When running against a core dump, the crash utility needs at least
two arguments:
$ crash vmlinux vmcore
When running against a live system, you can simply enter:
$ crash vmlinux
because the crash utility will try to find the correct device driver,
which is typically /dev/mem. If /dev/mem is restricted to its first 1MB
of physical memory, you can try to use /proc/kcore:
$ crash vmlinux /proc/kcore
Or if that doesn't work, you can create your own /dev/crash kernel module
for physical memory access. I don't know whether the sample /dev/crash
memory driver supplied with the crash utility sources will compile cleanly
in a 2.4 kernel environment -- it may require some tweaking. In the
crash-5.1.8/memory_driver sub-directory, there is the memory driver's
crash.c file, a Makefile, and this README file:
For live system analysis, the physical memory source must be one
of the following devices:
/dev/mem
/proc/kcore
/dev/crash
If the live system kernel was configured with CONFIG_STRICT_DEVMEM,
then /dev/mem cannot be used.
If the live system kernel was configured without CONFIG_PROC_KCORE,
or if /proc/kcore is non-functional, then /proc/kcore cannot be used.
The third alternative is this /dev/crash driver. Presuming that
/lib/modules/`uname -r`/build points to a kernel build tree or
kernel "devel" package tree, the module can simply be built and
installed like so:
# make
...
# insmod crash.ko
Once installed, the /dev/crash driver will be used by default for
live system crash sessions.
So when you say "the /dev/mem does not reflect the kernel and symbols
I am trying to read", by that I understand you to mean that the vmlinux
file that you built is not the same kernel version as is running on your
host machine. If that is true, then the crash utility is not an
appropriate tool for looking at your new vmlinux -- again, the crash
utility expects a memory source where the vmlinux is currently running,
or a core dump of the system that was running it when it crashed.
You could do this:
$ gdb vmlinux
and then poke around the kernel's static text and data as they
are initially loaded into memory. But the crash utility cannot
be used that way.
Dave