<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello all, <br>
<br>
First of all, I wish a Happy New Year (with less crash, but still
enhanced tools...)<br>
<br>
Thanks for the links, they were very useful.<br>
I dig further in the way of analyzing the User Space, but it seems
that I'm linked to a dead-end way.<br>
Below is a snapshot of kernel / userland stack dump.<br>
<br>
What I've done :<br>
- Crash is triggered by a page fault inside a kernel module (write
0 in 0xFFFFFFFF, classic).<br>
- Using gcore to create the 'core.<pid>.bash (which is the
user task running at time of crash).<br>
- Evaluating an EBP (between { }) chaining value (hypothesis), EIP
value (between [ ]) is then just pushed beside<br>
<br>
The purpose of this study is to find a method to analyze futur
crashes from kernel space down to user space applications.<br>
<br>
Do you have an idea about the cause of this non-dumping of the
memory in user-space ?<br>
Should I use other extension as 'gcore' ?<br>
<br>
Thank in advance.<br>
Best regards,<br>
Patrick Agrain<br>
<br>
<br>
-------<br>
<tt>===============================================================================</tt><tt><br>
</tt><tt>--------------------- Go down into User Space Territory
-----------------------</tt><tt><br>
</tt><tt><br>
</tt><tt>Last pt_regs of kernel stack is:</tt><tt><br>
</tt><tt>
| pt_regs</tt><tt><br>
</tt><tt> 00000001 094a5408 00000003
..~......TJ..... | bx cx dx</tt><tt><br>
</tt><tt>c2699fc0: 00000003 094a5408 bfd1b704 00000004
.....TJ......... | si di bp ax</tt><tt><br>
</tt><tt>c2699fd0: 0000007b ffff007b c07e0000 00000033
{...{.....~.3... | ds es fs gs</tt><tt><br>
</tt><tt>c2699fe0: 00000004 b776a416 00000073 00000246
......v.s...F... | orig_eax ip cs flags</tt><tt><br>
</tt><tt>c2699ff0: bfd1b6d8
0000007b | sp ss</tt><tt><br>
</tt><tt> v cccccccc cccccccc
....{........... | padding </tt><tt><br>
</tt><tt> |</tt><tt><br>
</tt><tt>
|----------------------------------------------------------------|</tt><tt><br>
</tt><tt>
|</tt><tt><br>
</tt><tt>(gdb) x/32xw
0xbfd1b680
|</tt><tt><br>
</tt><tt>0xbfd1b680: 0xbfd1b6d0 0x0000000f
0x094b4568 0x080c90b9 |</tt><tt><br>
</tt><tt>0xbfd1b690: 0x094b4568 0x080cd160
0x00001936 0x00000001 |</tt><tt><br>
</tt><tt>0xbfd1b6a0: 0x094ab9c8 0x00000000
0x094b4b48 0xbfd1b7c8 |</tt><tt><br>
</tt><tt>0xbfd1b6b0: 0x080ce9e8 0x094b4b48
0x094b4b48 0xbfd1b728 |</tt><tt><br>
</tt><tt>0xbfd1b6c0: 0x094aed28 0x00000020
0x00000000 0x00000070 |</tt><tt><br>
</tt><tt>0xbfd1b6d0: 0x094b4588
0x080cc080 |</tt><tt><br>
</tt><tt>
0xb7698b43 <--|</tt><tt><br>
</tt><tt>
0xb7757ff4</tt><tt><br>
</tt><tt>0xbfd1b6e0: 0xb76343b4 0x00000001
0x094a5408 0x00000003</tt><tt><br>
</tt><tt>0xbfd1b6f0: 0xb77584e0 0x080cc080
0xbfd1b728 0xb77584e0</tt><tt><br>
</tt><tt><br>
</tt><tt>
|------------------------------------------ Hypothesis : this is
an EBP value...</tt><tt><br>
</tt><tt> v</tt><tt><br>
</tt><tt>0xbfd1b700: 0x00000003 {0xbfd1b72c}
[0xb7635c90] 0xb77584e0</tt><tt><br>
</tt><tt>0xbfd1b710: 0x094a5408 0x00000003
0x094b4b48 0xbfd1b7c8</tt><tt><br>
</tt><tt>0xbfd1b720: 0xb7757ff4 0xb77584e0
0x0000000a {0xbfd1b750}</tt><tt><br>
</tt><tt>0xbfd1b730: [0xb7634e80] 0xb77584e0
0x094a5408 0x00000003</tt><tt><br>
</tt><tt>0xbfd1b740: 0x0000000a 0xb7757ff4
0xb77584e0 0x0000000a</tt><tt><br>
</tt><tt>0xbfd1b750: {0xbfd1b768} [0xb7637d2a]
0xb77584e0 0x0000000a</tt><tt><br>
</tt><tt>0xbfd1b760: 0xb7757ff4 0xb77584e0
{0xbfd1b788} [0xb76312b5]</tt><tt> >-|<br>
</tt><tt>0xbfd1b770: 0xb77584e0 0x0000000a
0xb75c9940 0x094a3e48 |</tt><tt><br>
</tt><tt>0xbfd1b780: 0x00000001 0x00000000
0x00000000 0x0809b64b |</tt><tt><br>
</tt><tt>
|<br>
</tt><tt>Disassemble Try: EIP@0xb76312b5
<---------------------------------------------|</tt><tt><br>
</tt><tt>(gdb) disassemble 0xb7631200, 0xb7631300</tt><tt><br>
</tt><tt>Dump of assembler code from 0xb7631200 to 0xb7631300:</tt><tt><br>
</tt><tt> 0xb7631200: Cannot access memory at address
0xb7631200</tt><tt><br>
</tt><tt>(gdb)</tt><br>
----------<br>
<br>
<br>
Le 17/12/2013 19:12, Buland Kumar Singh a écrit :<br>
</div>
<blockquote
cite="mid:CAKLDxDp_icrV-BF3bj5BdS86+M3uBfJ0v5qu+-e=9cE=9X4Tig@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div dir="ltr">Hi Patrick,<br>
<br>
The following links may also be helpful to understand gdb and <br>
it's usage for application core analysis. <br>
<br>
<a moz-do-not-send="true"
href="http://web.eecs.umich.edu/%7Esugih/pointers/gdb_core.html">http://web.eecs.umich.edu/~sugih/pointers/gdb_core.html</a><br>
<a moz-do-not-send="true"
href="https://sourceware.org/gdb/onlinedocs/gdb/">https://sourceware.org/gdb/onlinedocs/gdb/</a><br>
<br>
-- BKS<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 17 December 2013 21:36, Patrick
Agrain <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:patrick.agrain@alcatel-lucent.com"
target="_blank">patrick.agrain@alcatel-lucent.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hello all,<br>
<br>
Now that we have dumped the kernel stack, I'm intesresting
in the user process from which we came just before the
'panic'.<br>
Googling around, I found mention of the 'gcore' extension.<br>
<br>
I compiled version 1.22 and installed it.<br>
Using it on crash 6.1.0-1.el6, I get a file core.845.bash
on process 'bash' (in which I trigger a kernel panic) :<br>
<br>
<blockquote><tt>crash> gcore -v 1 845</tt><br>
<tt>gcore: Opening file core.845.bash ...</tt><br>
<tt>gcore: done.</tt><br>
<tt>gcore: Writing ELF header ...</tt><br>
<tt>gcore: done.</tt><br>
<tt>gcore: Retrieving and writing note information ...</tt><br>
<tt>gcore: done.</tt><br>
<tt>gcore: Writing PT_NOTE program header ...</tt><br>
<tt>gcore: done.</tt><br>
<tt>gcore: Writing PT_LOAD program headers ...</tt><br>
<tt>gcore: done.</tt><br>
<tt>gcore: Writing PT_LOAD segment ...</tt><br>
<tt>gcore: PT_LOAD[0]: 8048000 - 8048000</tt><br>
<tt>gcore: PT_LOAD[1]: 80e2000 - 80e9000</tt><br>
<tt>gcore: PT_LOAD[2]: 80e9000 - 80ed000</tt><br>
<tt>gcore: PT_LOAD[3]: 94a2000 - 94d1000</tt><br>
<tt>gcore: PT_LOAD[4]: b7374000 - b7374000</tt><br>
<tt>gcore: PT_LOAD[5]: b7375000 - b7376000</tt><br>
<tt>gcore: PT_LOAD[6]: b7376000 - b7377000</tt><br>
<tt>gcore: PT_LOAD[7]: b7377000 - b7377000</tt><br>
<tt>gcore: PT_LOAD[8]: b737e000 - b737e000</tt><br>
<tt>gcore: PT_LOAD[9]: b737f000 - b737f000</tt><br>
<tt>gcore: PT_LOAD[10]: b73bb000 - b73bb000</tt><br>
<tt>gcore: PT_LOAD[11]: b75bb000 - b75bb000</tt><br>
<tt>gcore: PT_LOAD[12]: b75c7000 - b75c8000</tt><br>
<tt>gcore: PT_LOAD[13]: b75c8000 - b75c9000</tt><br>
<tt>gcore: PT_LOAD[14]: b75c9000 - b75ca000</tt><br>
<tt>gcore: PT_LOAD[15]: b75ca000 - b75ca000</tt><br>
<tt>gcore: PT_LOAD[16]: b7756000 - b7758000</tt><br>
<tt>gcore: PT_LOAD[17]: b7758000 - b7759000</tt><br>
<tt>gcore: PT_LOAD[18]: b7759000 - b775c000</tt><br>
<tt>gcore: PT_LOAD[19]: b775c000 - b775c000</tt><br>
<tt>gcore: PT_LOAD[20]: b775f000 - b7760000</tt><br>
<tt>gcore: PT_LOAD[21]: b7760000 - b7761000</tt><br>
<tt>gcore: PT_LOAD[22]: b7761000 - b7761000</tt><br>
<tt>gcore: PT_LOAD[23]: b7764000 - b7765000</tt><br>
<tt>gcore: PT_LOAD[24]: b7769000 - b776a000</tt><br>
<tt>gcore: PT_LOAD[25]: b776a000 - b776b000</tt><br>
<tt>gcore: PT_LOAD[26]: b776b000 - b776b000</tt><br>
<tt>gcore: PT_LOAD[27]: b7789000 - b778a000</tt><br>
<tt>gcore: PT_LOAD[28]: b778a000 - b778b000</tt><br>
<tt>gcore: PT_LOAD[29]: bfd07000 - bfd1d000</tt><br>
<tt>gcore: done.</tt><br>
<tt>Saved core.845.bash</tt><br>
<tt>crash></tt><br>
</blockquote>
<br>
So far, so good... But<br>
<br>
Question: Are there anywhere some hints about how to use
this core.<pid> file ?<br>
<br>
Thanks in advance.<br>
Regards,<br>
Patrick Agrain<br>
</div>
<br>
--<br>
Crash-utility mailing list<br>
<a moz-do-not-send="true"
href="mailto:Crash-utility@redhat.com">Crash-utility@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/crash-utility"
target="_blank">https://www.redhat.com/mailman/listinfo/crash-utility</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div dir="ltr">BKS<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
Crash-utility mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Crash-utility@redhat.com">Crash-utility@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/crash-utility">https://www.redhat.com/mailman/listinfo/crash-utility</a></pre>
</blockquote>
<br>
</body>
</html>