[Linux kernel] - kallsyms

In kernel development we often use kallsyms or hear others mention it. What is it, and what is it for? This article works through it and records the findings.

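1. What is kallsyms

kallsyms contains the table of all symbols exported in the kernel; the name roughly stands for "kernel all symbols".
kallsyms information was introduced in the 2.6 kernel to make kernel debugging easier. kallsyms extracts the addresses of all functions the kernel uses (global and static) and of all non-stack data variables, builds them into a data block, and links that block into the kernel image as read-only data. In effect, the kernel carries a copy of System.map inside itself.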

2. How to get kallsyms

To use kallsyms, the following configuration option must be enabled:
CONFIG_KALLSYMS=y
Command for viewing kallsyms on a running system:

[root@localhost boot]# cat /proc/kallsyms | head -10
0000000000000000 D per_cpu__irq_stack_union
0000000000000000 D __per_cpu_start
0000000000004000 D per_cpu__gdt_page
0000000000005000 d per_cpu__exception_stacks
000000000000b000 d per_cpu__idt_desc
000000000000b010 d per_cpu__xen_cr0_value
000000000000b018 D per_cpu__xen_vcpu
000000000000b020 D per_cpu__xen_vcpu_info
000000000000b060 d per_cpu__mc_buffer
000000000000c570 D per_cpu__xen_mc_irq_flags

It can also be viewed another way, through the System.map file mentioned above, which lives under /boot:

[root@localhost boot]# cat /boot/System.map-2.6.32-431.el6.x86_64 | head -10
0000000000000000 A VDSO32_PRELINK
0000000000000000 D __per_cpu_start
0000000000000000 D per_cpu__irq_stack_union
0000000000000000 A xen_irq_disable_direct_reloc
0000000000000000 A xen_save_fl_direct_reloc
0000000000000040 A VDSO32_vsyscall_eh_frame_size
00000000000001e7 A kexec_control_code_size
00000000000001f0 A VDSO32_NOTE_MASK
0000000000000400 A VDSO32_sigreturn
0000000000000410 A VDSO32_rt_sigreturn

3. Enabling the kallsyms configuration

This option is enabled by default, as the default configuration file shows:

[root@localhost boot]# cat /boot/config-2.6.32-431.el6.x86_64 | grep KALLSYM
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS_EXTRA_PASS=y

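If it is not enabled, you need to build the kernel from source with it turned on.
In make menuconfig (see the separate article on building the kernel), change the following options:

General setup --->
[*] Configure standard kernel features (for small systems) --->
[*] Load all symbols for debugging/ksymoops (select this option to get the /proc/kallsyms interface file; for Oops debugging, selecting this option is enough and the sub-options can be ignored)

          [*]   Include all symbols in kallsyms
          [*]   Do an extra kallsyms pass  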

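4. Uses

① When hooking calls, it lets us check the mapping between kernel addresses and kernel symbols, that is, obtain an address from a symbol name. The symbol we already know is sys_call_table, and through it we can find the entries for other system calls such as __NR_open. livepatch likewise looks up this symbol table to get a symbol's address from its name.

② When the machine hits an Oops, it adds information to the report. Without kallsyms, the kernel can only present hexadecimal symbol addresses to the outside world, because addresses are all it understands, not human-readable symbol names. In that case, when we read the core log, we cannot see which functions were actually called.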
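Both directions of that mapping (name to address, and a raw Oops address back to function+offset) can be shown with a small parser for the /proc/kallsyms line format. This is an added example, not code from the original article; the sample addresses and the module name demo_mod are constructed, and the all-zero check assumes a kernel that hides addresses from unprivileged readers.

```python
import bisect

# Constructed sample in /proc/kallsyms format (addresses are made up; demo_mod is hypothetical).
SAMPLE = """\
ffffffff81000000 T _text
ffffffff81001000 T do_one_initcall
ffffffff81001200 t run_init_process
ffffffff8117a2e0 T sys_open
ffffffff8117a310 T sys_close
ffffffff81600000 R sys_call_table
ffffffffa0002000 t demo_read\t[demo_mod]
"""

def parse_kallsyms(text):
    """Return (address, type, name, module) tuples sorted by address."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        module = parts[3].strip("[]") if len(parts) > 3 else None
        syms.append((int(parts[0], 16), parts[1], parts[2], module))
    return sorted(syms, key=lambda s: s[0])

def addresses_hidden(syms):
    """True when every address reads as 0 (pointers hidden from this reader)."""
    return bool(syms) and all(s[0] == 0 for s in syms)

def lookup_address(syms, name):
    """Symbol name -> address of the first match, or None."""
    return next((s[0] for s in syms if s[2] == name), None)

def symbolize(syms, addr):
    """Address -> 'name+0xoff [module]' using the nearest preceding text symbol."""
    if addresses_hidden(syms):
        raise ValueError("all addresses are zero; the table cannot symbolize")
    text = [s for s in syms if s[1] in "tT"]  # code symbols only
    i = bisect.bisect_right([s[0] for s in text], addr) - 1
    if i < 0:
        return None  # address lies below the first text symbol
    base, _typ, name, module = text[i]
    out = "%s+0x%x" % (name, addr - base)
    return out + (" [%s]" % module if module else "")

if __name__ == "__main__":
    syms = parse_kallsyms(SAMPLE)
    print(symbolize(syms, 0xffffffff8117a2f4))
```

Because kallsyms lines carry no symbol sizes, an address far past the last text symbol still resolves to that symbol with a large offset, so treat large offsets with suspicion.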

5. Miscellaneous

In the output from step 2 above we saw some markers, for example the D in the second column:

[root@localhost boot]# cat /proc/kallsyms | head -10
0000000000000000 D per_cpu__irq_stack_union
0000000000000000 D __per_cpu_start
0000000000004000 D per_cpu__gdt_page

This is the symbol's type marker. The documentation of the nm tool explains what each of these letters means:

DESCRIPTION
       GNU nm lists the symbols from object files objfile....  If no object files are listed as arguments, nm assumes the file a.out.

       For each symbol, nm shows:

       ·   The symbol value, in the radix selected by options (see below), or hexadecimal by default.

       ·   The symbol type.  At least the following types are used; others are, as well, depending on the object file format.  If lowercase, the symbol is local; if uppercase, the symbol is global (external).

           "A" The symbol’s value is absolute, and will not be changed by further linking.

           "B"
           "b" The symbol is in the uninitialized data section (known as BSS).

           "C" The symbol is common.  Common symbols are uninitialized data.  When linking, multiple common symbols may appear with the same name.  If the symbol is defined anywhere, the common symbols are
               treated as undefined references.

           "D"
           "d" The symbol is in the initialized data section.

           "G"
           "g" The symbol is in an initialized data section for small objects.  Some object file formats permit more efficient access to small data objects, such as a global int variable as opposed to a large
               global array.

           "i" For PE format files this indicates that the symbol is in a section specific to the implementation of DLLs.  For ELF format files this indicates that the symbol is an indirect function.  This is a
               GNU extension to the standard set of ELF symbol types.  It indicates a symbol which if referenced by a relocation does not evaluate to its address, but instead must be invoked at runtime.  The
               runtime execution will then return the value to be used in the relocation.

           "N" The symbol is a debugging symbol.

           "p" The symbols is in a stack unwind section.

           "R"
           "r" The symbol is in a read only data section.

           "S"
           "s" The symbol is in an uninitialized data section for small objects.

           "T"
           "t" The symbol is in the text (code) section.

           "U" The symbol is undefined.

           "u" The symbol is a unique global symbol.  This is a GNU extension to the standard set of ELF symbol bindings.  For such a symbol the dynamic linker will make sure that in the entire process there is
               just one symbol with this name and type in use.

           "V"
           "v" The symbol is a weak object.  When a weak defined symbol is linked with a normal defined symbol, the normal defined symbol is used with no error.  When a weak undefined symbol is linked and the
               symbol is not defined, the value of the weak symbol becomes zero with no error.  On some systems, uppercase indicates that a default value has been specified.

           "W"
           "w" The symbol is a weak symbol that has not been specifically tagged as a weak object symbol.  When a weak defined symbol is linked with a normal defined symbol, the normal defined symbol is used
               with no error.  When a weak undefined symbol is linked and the symbol is not defined, the value of the symbol is determined in a system-specific manner without error.  On some systems, uppercase
               indicates that a default value has been specified.

           "-" The symbol is a stabs symbol in an a.out object file.  In this case, the next values printed are the stabs other field, the stabs desc field, and the stab type.  Stabs symbols are used to hold
               debugging information.

           "?" The symbol type is unknown, or object file format specific.

       ·   The symbol name.
