Re: [Crash-utility] [PATCH] arm64: exclude mapping symbols in modules

Thursday, 6 October 2016

Hi Akashi,

I was playing around with this, and noted that if a module's debuginfo data is not
loaded into a crash session with the "mod" command, branch instruction targets 
that are within the module space are not translated.  For example, note the handful
of "bl" instructions with module address targets are empty:

  crash> dis dm_create | grep bl
  0xfffffdfffc003814 <dm_create+60>:	bl	0xfffffe0000226ce0
<kmem_cache_alloc_trace>
  0xfffffdfffc003828 <dm_create+80>:	bl	0xfffffe0000143754 <try_module_get>
  0xfffffdfffc003850 <dm_create+120>:	bl	0xfffffe00003c4f08 <idr_preload>
  0xfffffdfffc00385c <dm_create+132>:	bl	0xfffffe000078241c <_raw_spin_lock>
  0xfffffdfffc003874 <dm_create+156>:	bl	0xfffffe00003c5d90 <idr_alloc>
  0xfffffdfffc00388c <dm_create+180>:	bl	0xfffffe0000123044
<init_srcu_struct>
  0xfffffdfffc0038b0 <dm_create+216>:	bl	0xfffffe000010f9d0 <__mutex_init>
  0xfffffdfffc0038c0 <dm_create+232>:	bl	0xfffffe000010f9d0 <__mutex_init>
  0xfffffdfffc0038d4 <dm_create+252>:	bl	0xfffffe000010f9d0 <__mutex_init>
  0xfffffdfffc003918 <dm_create+320>:	bl	0xfffffe00003968c4 <blk_alloc_queue>
  0xfffffdfffc003948 <dm_create+368>:	bl	0xfffffe00003ab298 <alloc_disk>
  0xfffffdfffc003968 <dm_create+400>:	bl	0xfffffe000010a878
<__init_waitqueue_head>
  0xfffffdfffc003994 <dm_create+444>:	bl	0xfffffe000010a878
<__init_waitqueue_head>
  0xfffffdfffc0039a8 <dm_create+464>:	bl	0xfffffe000010a878
<__init_waitqueue_head>
  0xfffffdfffc0039f8 <dm_create+544>:	bl	0xfffffe00003d1224 <sprintf>
  0xfffffdfffc003a00 <dm_create+552>:	bl	0xfffffe00003aab08 <add_disk>
  0xfffffdfffc003a1c <dm_create+580>:	bl	0xfffffe00003d1224 <sprintf>
  0xfffffdfffc003a34 <dm_create+604>:	bl	0xfffffe00000e3acc
<__alloc_workqueue_key>
  0xfffffdfffc003a48 <dm_create+624>:	bl	0xfffffe00003a9a8c <bdget_disk>
  0xfffffdfffc003a58 <dm_create+640>:	bl	0xfffffe000038ea84 <bio_init>
  0xfffffdfffc003a70 <dm_create+664>:	bl	0xfffffdfffc00e418
  0xfffffdfffc003a78 <dm_create+672>:	bl	0xfffffe000078241c <_raw_spin_lock>
  0xfffffdfffc003a88 <dm_create+688>:	bl	0xfffffe00003c4e54 <idr_replace>
  0xfffffdfffc003aa4 <dm_create+716>:	bl	0xfffffdfffc00d270
  0xfffffdfffc003ad8 <dm_create+768>:	bl	0xfffffe0000143860 <module_put>
  0xfffffdfffc003ae0 <dm_create+776>:	bl	0xfffffe0000228464 <kfree>
  0xfffffdfffc003b08 <dm_create+816>:	bl	0xfffffe00003c4f08 <idr_preload>
  0xfffffdfffc003b14 <dm_create+828>:	bl	0xfffffe000078241c <_raw_spin_lock>
  0xfffffdfffc003b2c <dm_create+852>:	bl	0xfffffe00003c5d90 <idr_alloc>
  0xfffffdfffc003b4c <dm_create+884>:	bl	0xfffffdfffc001220
  0xfffffdfffc003b54 <dm_create+892>:	bl	0xfffffdfffc0012e0
  0xfffffdfffc003b60 <dm_create+904>:	bl	0xfffffe00001c4828 <printk>
  crash> 

With this patch: 

  --- a/arm64.c
  +++ b/arm64.c
  @@ -2977,6 +2977,16 @@ arm64_dis_filter(ulong vaddr, char *inbuf, unsigned int
output_radix)
                  sprintf(p1, "%s", buf1);
          }

  +       if (IS_MODULE_VADDR(vaddr)) {
  +               p1 = &inbuf[strlen(inbuf)-1];
  +               strcpy(buf1, inbuf);
  +               argc = parse_line(buf1, argv);
  +               if (STREQ(argv[argc-2], "bl") &&
  +                   extract_hex(argv[argc-1], &value, NULLCHAR, TRUE))
  +                       sprintf(p1, " <%s>\n",
  +                               value_to_symstr(value, buf2, output_radix));
  +       }
  +
          console("    %s", inbuf);

          return TRUE;

module addresses are translated without having to load the module's debuginfo:

  crash> dis dm_create | grep bl
  0xfffffdfffc003814 <dm_create+60>:	bl	0xfffffe0000226ce0
<kmem_cache_alloc_trace>
  0xfffffdfffc003828 <dm_create+80>:	bl	0xfffffe0000143754 <try_module_get>
  0xfffffdfffc003850 <dm_create+120>:	bl	0xfffffe00003c4f08 <idr_preload>
  0xfffffdfffc00385c <dm_create+132>:	bl	0xfffffe000078241c <_raw_spin_lock>
  0xfffffdfffc003874 <dm_create+156>:	bl	0xfffffe00003c5d90 <idr_alloc>
  0xfffffdfffc00388c <dm_create+180>:	bl	0xfffffe0000123044
<init_srcu_struct>
  0xfffffdfffc0038b0 <dm_create+216>:	bl	0xfffffe000010f9d0 <__mutex_init>
  0xfffffdfffc0038c0 <dm_create+232>:	bl	0xfffffe000010f9d0 <__mutex_init>
  0xfffffdfffc0038d4 <dm_create+252>:	bl	0xfffffe000010f9d0 <__mutex_init>
  0xfffffdfffc003918 <dm_create+320>:	bl	0xfffffe00003968c4 <blk_alloc_queue>
  0xfffffdfffc003948 <dm_create+368>:	bl	0xfffffe00003ab298 <alloc_disk>
  0xfffffdfffc003968 <dm_create+400>:	bl	0xfffffe000010a878
<__init_waitqueue_head>
  0xfffffdfffc003994 <dm_create+444>:	bl	0xfffffe000010a878
<__init_waitqueue_head>
  0xfffffdfffc0039a8 <dm_create+464>:	bl	0xfffffe000010a878
<__init_waitqueue_head>
  0xfffffdfffc0039f8 <dm_create+544>:	bl	0xfffffe00003d1224 <sprintf>
  0xfffffdfffc003a00 <dm_create+552>:	bl	0xfffffe00003aab08 <add_disk>
  0xfffffdfffc003a1c <dm_create+580>:	bl	0xfffffe00003d1224 <sprintf>
  0xfffffdfffc003a34 <dm_create+604>:	bl	0xfffffe00000e3acc
<__alloc_workqueue_key>
  0xfffffdfffc003a48 <dm_create+624>:	bl	0xfffffe00003a9a8c <bdget_disk>
  0xfffffdfffc003a58 <dm_create+640>:	bl	0xfffffe000038ea84 <bio_init>
  0xfffffdfffc003a70 <dm_create+664>:	bl	0xfffffdfffc00e418 <dm_stats_init>
  0xfffffdfffc003a78 <dm_create+672>:	bl	0xfffffe000078241c <_raw_spin_lock>
  0xfffffdfffc003a88 <dm_create+688>:	bl	0xfffffe00003c4e54 <idr_replace>
  0xfffffdfffc003aa4 <dm_create+716>:	bl	0xfffffdfffc00d270 <dm_sysfs_init>
  0xfffffdfffc003ad8 <dm_create+768>:	bl	0xfffffe0000143860 <module_put>
  0xfffffdfffc003ae0 <dm_create+776>:	bl	0xfffffe0000228464 <kfree>
  0xfffffdfffc003b08 <dm_create+816>:	bl	0xfffffe00003c4f08 <idr_preload>
  0xfffffdfffc003b14 <dm_create+828>:	bl	0xfffffe000078241c <_raw_spin_lock>
  0xfffffdfffc003b2c <dm_create+852>:	bl	0xfffffe00003c5d90 <idr_alloc>
  0xfffffdfffc003b4c <dm_create+884>:	bl	0xfffffdfffc001220
<cleanup_mapped_device>
  0xfffffdfffc003b54 <dm_create+892>:	bl	0xfffffdfffc0012e0 <free_minor>
  0xfffffdfffc003b60 <dm_create+904>:	bl	0xfffffe00001c4828 <printk>
  crash> 

Now, this sample patch doesn't deal with branch instructions other than
"bl",
so perhaps it could just check whether the last argument in the instruction
line is a translatable address.  

On the other hand, for the PLT veneer issue, it would have to:

 (1) make sure it's a "bl", and
 (2) instead of blindly doing a translation of the PLT veneer label address,
     it would first have to check whether it points to a 12-byte chunk of 
     kernel address construction, and if so, translate the reconstructed 
     address.

So I'm thinking something along these lines, say, where "value" may or may
not be
modified by your new function:

       if (IS_MODULE_VADDR(vaddr)) {
               p1 = &inbuf[strlen(inbuf)-1];
               strcpy(buf1, inbuf);
               argc = parse_line(buf1, argv);
               if (STREQ(argv[argc-2], "bl") &&
                   extract_hex(argv[argc-1], &value, NULLCHAR, TRUE)) {
+                      value = PLT_veneer_to_kvaddr(value);
                       sprintf(p1, " <%s>\n",
                               value_to_symstr(value, buf2, output_radix));
	       }
       }

However, another thing to consider is what "dis" shows if the "mod"
command
has already loaded the debuginfo data.  In that case, I'm guessing that gdb
would translate the address of the PLT veneer location?  The sample KASLR
vmcore you gave me doesn't have any modules, so I don't know. 

Dave

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [Crash-utility] [PATCH] arm64: exclude mapping symbols in modules