[Crash-utility] using crash without vmlinux OR dump memory at specific vaddr

HAGIO KAZUHITO(萩尾 一仁) k-hagio-ab at nec.com
Thu Aug 13 00:24:46 UTC 2020


-----Original Message-----
> From: crash-utility-bounces at redhat.com <crash-utility-bounces at redhat.com> On Behalf Of Andrej Ras
> Sent: Friday, July 31, 2020 2:48 AM
> To: crash-utility at redhat.com
> Subject: [Crash-utility] using crash without vmlinux OR dump memory at specific vaddr
> 
> Hi Folks,
> 
> I have a simple question --
> 
> How can I use the crash utility to examine a live system without
> having vmlinux ?

If you cannot get the vmlinux compiled with -g option, you cannot use
the crash utility.

(but if you can build a vmlinux from the same source and config as the
running kernel, you might be able to use crash with it and System.map
or /proc/kallsyms?  I've not tried this though..)

> 
> If not is there a way to dump memory for a virtual memory address?

If you want only to dump a kernel virtual address, you might be able to
use /proc/kcore.

For example, to dump ffffffffad200100, which is linux_banner on a machine
btw, determine which segment the address is in,

# readelf -l /proc/kcore

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
...
  LOAD           0x00007fffaca02000 0xffffffffaca00000 0x0000000c7a000000
                 0x000000000169b000 0x000000000169b000  RWE    1000
...

calculate the offset from its start address,

# echo $((0xffffffffad200100 - 0xffffffffaca00000))
8388864

and dump the file offset in /proc/kcore.

# dd if=/proc/kcore bs=1 skip=$((0x00007fffaca02000 + 8388864)) count=16 2>/dev/null
Linux version 3.

Thanks,
Kazu





