续【Linux内核|调试】Crash工具帮助信息PART 1
26. net - network command
26.1. SYNOPSIS
net [[-s | -S] [-xd] [-R ref] [pid | task]] [-a] [ -n [pid | task]] [-N addr]
26.2. DESCRIPTION
Displays various network related data.
If no arguments are entered, the list of network devices, names and IP
addresses are displayed. For kernels supporting namespaces, the -n option
may be used to display the list of network devices with respect to the
network namespace of a current context or a task specified by pid or task:
-n the namespace of the current context.
-n pid a process PID.
-n task a hexadecimal task_struct pointer.
The -s and -S options display data with respect to the current context, but
may be appended with an argument to show the socket data with respect
to a specified task:
-s display open network socket/sock addresses, their family and type,
and for INET and INET6 families, their source and destination
addresses and ports.
-s pid same as above, for task with process PID pid.
-s task same as above, for task with hexadecimal task_struct pointer task.
-S displays open network socket/sock addresses followed by a dump
of both data structures.
-S pid same as above, with respect to process PID.
-S task same as above, with respect to hexadecimal task_struct pointer.
The -R option, typically invoked from "foreach net", and in conjunction
with the -s or -S options, searches for references to a socket address,
sock address, or a file descriptor; if found, only the referenced fd, socket
or sock data will be displayed:
-R ref socket or sock address, or file descriptor.
Other options:
-a display the ARP cache.
-N addr translates an IPv4 address expressed as a decimal or hexadecimal
value into a standard numbers-and-dots notation.
-x override default output format with hexadecimal format.
-d override default output format with decimal format.
26.3. EXAMPLES
Display the system's network device list:
crash> net
NET_DEVICE NAME IP ADDRESS(ES)
ffff8803741c0000 lo 127.0.0.1
fff88037059c0000 eth0 10.226.229.141
ffff8803705c0000 eth1 10.226.228.250
ffff880374ad6000 usb0 169.254.95.120
Display the network device list with respect to the network namespace
of PID 2618:
crash> net -n 2618
NET_DEVICE NAME IP ADDRESS(ES)
ffff880456ee7020 lo 127.0.0.1
ffff8804516a1020 eth0 10.1.9.223
Dump the ARP cache:
crash> net -a
NEIGHBOUR IP ADDRESS HW TYPE HW ADDRESS DEVICE STATE
f38d1b00 10.16.64.14 ETHER 00:16:3e:4b:a5:4a eth1 STALE
f38d1080 0.0.0.0 UNKNOWN 00 00 00 00 00 00 lo NOARP
f38d1bc0 10.16.71.254 ETHER 00:00:0c:07:ac:00 eth1 REACHABLE
f38d1200 10.16.64.21 ETHER 00:16:3e:51:d8:09 eth1 REACHABLE
Display the sockets for PID 2517, using both -s and -S output formats:
crash> net -s 2517
PID: 2517 TASK: c1598000 CPU: 1 COMMAND: "rlogin"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
3 c57375dc c1ff1850 INET:STREAM 10.1.8.20-1023 10.1.16.62-513
crash> net -S 2517
PID: 2517 TASK: c1598000 CPU: 1 COMMAND: "rlogin"
FD SOCKET SOCK
3 c57375dc c1ff1850
struct socket {
state = SS_CONNECTED,
flags = 131072,
ops = 0xc023f820,
inode = 0xc5737540,
fasync_list = 0x0,
file = 0xc58892b0,
sk = 0xc1ff1850,
wait = 0xc14d9ed4,
type = 1,
passcred = 0 '\000',
tli = 0 '\000'
}
struct sock {
sklist_next = 0xc1ff12f0,
sklist_prev = 0xc216bc00,
bind_next = 0x0,
bind_pprev = 0xc0918448,
daddr = 1041236234,
rcv_saddr = 336068874,
dport = 258,
num = 1023,
bound_dev_if = 0,
next = 0x0,
pprev = 0xc0286dd4,
state = 1 '\001',
zapped = 0 '\000',
sport = 65283,
family = 2,
reuse = 0 '\000',
...
Translate the rcv_saddr from above into dotted-decimal notation:
crash> net -N 1041236234
10.1.16.62
From "foreach", find all tasks with references to socket c08ea3cc:
crash> foreach net -s -R c08ea3cc
PID: 2184 TASK: c7026000 CPU: 1 COMMAND: "klines.kss"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2200 TASK: c670a000 CPU: 1 COMMAND: "kpanel"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2201 TASK: c648a000 CPU: 1 COMMAND: "kbgndwm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 19294 TASK: c250a000 CPU: 0 COMMAND: "prefdm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2194 TASK: c62dc000 CPU: 1 COMMAND: "kaudioserver"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2195 TASK: c6684000 CPU: 1 COMMAND: "maudio"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2196 TASK: c6b58000 CPU: 1 COMMAND: "kwmsound"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2197 TASK: c6696000 CPU: 0 COMMAND: "kfm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2199 TASK: c65ec000 CPU: 0 COMMAND: "krootwm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 694 TASK: c1942000 CPU: 0 COMMAND: "prefdm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 698 TASK: c6a2c000 CPU: 1 COMMAND: "X"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
PID: 2159 TASK: c4a5a000 CPU: 1 COMMAND: "kwm"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 c08ea3cc c50d3c80 INET:STREAM 0.0.0.0-1026 0.0.0.0-0
27. p - print the value of an expression
27.1. SYNOPSIS
p [-x|-d][-u] [expression | symbol[:cpuspec]]
27.2. DESCRIPTION
This command passes its arguments on to gdb "print" command for evaluation.
expression an expression to be evaluated.
symbol a kernel symbol.
:cpuspec CPU specification for a per-cpu symbol:
: CPU of the currently selected task.
:a[ll] all CPUs.
:#[-#][,...] CPU list(s), e.g. "1,3,5", "1-3",
or "1,3,5-7,10".
-x override default output format with hexadecimal format.
-d override default output format with decimal format.
-u the expression evaluates to a user address reference.
The default output format is decimal, but that can be changed at any time
with the two built-in aliases "hex" and "dec". Alternatively, there
are two other built-in aliases, "px" and "pd", which force the command
output to be displayed in hexadecimal or decimal, without changing the
default mode.
27.3. EXAMPLES
Print the contents of jiffies:
crash> p jiffies
jiffies = $6 = 166532620
crash> px jiffies
jiffies = $7 = 0x9ed174b
crash> pd jiffies
jiffies = $8 = 166533160
Print the contents of the vm_area_struct "init_mm":
crash> p init_mm
init_mm = $5 = {
mmap = 0xc022d540,
mmap_avl = 0x0,
mmap_cache = 0x0,
pgd = 0xc0101000,
count = {
counter = 0x6
},
map_count = 0x1,
mmap_sem = {
count = {
counter = 0x1
},
waking = 0x0,
wait = 0x0
},
context = 0x0,
start_code = 0xc0000000,
end_code = 0xc022b4c8,
start_data = 0x0,
end_data = 0xc0250388,
start_brk = 0x0,
brk = 0xc02928d8,
start_stack = 0x0,
arg_start = 0x0,
arg_end = 0x0,
env_start = 0x0,
env_end = 0x0,
rss = 0x0,
total_vm = 0x0,
locked_vm = 0x0,
def_flags = 0x0,
cpu_vm_mask = 0x0,
swap_cnt = 0x0,
swap_address = 0x0,
segments = 0x0
}
If a per-cpu symbol is entered as a argument, its data type
and all of its per-cpu addresses are displayed:
crash> p irq_stat
PER-CPU DATA TYPE:
irq_cpustat_t irq_stat;
PER-CPU ADDRESSES:
[0]: ffff88021e211540
[1]: ffff88021e251540
[2]: ffff88021e291540
[3]: ffff88021e2d1540
To display the contents a per-cpu symbol for CPU 1, append
a cpu-specifier:
crash> p irq_stat:1
per_cpu(irq_stat, 1) = $29 = {
__softirq_pending = 0,
__nmi_count = 209034,
apic_timer_irqs = 597509876,
irq_spurious_count = 0,
icr_read_retry_count = 2,
x86_platform_ipis = 0,
apic_perf_irqs = 209034,
apic_irq_work_irqs = 0,
irq_resched_count = 264922233,
irq_call_count = 7036692,
irq_tlb_count = 4750442,
irq_thermal_count = 0,
irq_threshold_count = 0
}
28. ps - display process status information
28.1. SYNOPSIS
ps [-k|-u|-G|-y policy] [-s] [-p|-c|-t|-[l|m][-C cpu]|-a|-g|-r|-S|-A]
[pid | task | command] ...
28.2. DESCRIPTION
This command displays process status for selected, or all, processes
in the system. If no arguments are entered, the process data is
is displayed for all processes. Specific processes may be selected
by using the following identifier formats:
pid a process PID.
task a hexadecimal task_struct pointer.
command a command name. If a command name is made up of letters that
are all numerical values, precede the name string with a "\".
If the command string is enclosed within "'" characters, then
the encompassed string must be a POSIX extended regular expression
that will be used to match task names.
The process list may be further restricted by the following options:
-k restrict the output to only kernel threads.
-u restrict the output to only user tasks.
-G display only the thread group leader in a thread group.
-y policy restrict the output to tasks having a specified scheduling policy
expressed by its integer value or by its (case-insensitive) name;
multiple policies may be entered in a comma-separated list:
0 or NORMAL
1 or FIFO
2 or RR
3 or BATCH
4 or ISO
5 or IDLE
6 or DEADLINE
The process identifier types may be mixed. For each task, the following
items are displayed:
1. the process PID.
2. the parent process PID.
3. the CPU number that the task ran on last.
4. the task_struct address or the kernel stack pointer of the process.
(see -s option below)
5. the task state (RU, IN, UN, ZO, ST, TR, DE, SW, WA, PA, ID, NE).
6. the percentage of physical memory being used by this task.
7. the virtual address size of this task in kilobytes.
8. the resident set size of this task in kilobytes.
9. the command name.
The default output shows the task_struct address of each process under a
column titled "TASK". This can be changed to show the kernel stack
pointer under a column titled "KSTACKP".
-s replace the TASK column with the KSTACKP column.
On SMP machines, the active task on each CPU will be highlighted by an
angle bracket (">") preceding its information. If the crash variable
"offline" is set to "hide", the active task on an offline CPU will
be highlighted by a "-" preceding its information.
Alternatively, information regarding parent-child relationships,
per-task time usage data, argument/environment data, thread groups,
or resource limits may be displayed:
-p display the parental hierarchy of selected, or all, tasks.
-c display the children of selected, or all, tasks.
-t display the task run time, start time, and cumulative user
and system times.
-l display the task's last-run timestamp value, using either the
task_struct's last_run value, the task_struct's timestamp value
or the task_struct's sched_entity last_arrival value, whichever
applies, of selected, or all, tasks; the list is sorted with the
most recently-run task (with the largest timestamp) shown first,
followed by the task's current state.
-m similar to -l, but the timestamp value is translated into days,
hours, minutes, seconds, and milliseconds since the task was
last run on a cpu.
-C cpus only usable with the -l or -m options, dump the timestamp data
in per-cpu blocks, where the cpu[s] can be specified as "1,3,5",
"1-3", "1,3,5-7,10", "all", or "a" (shortcut for "all").
-a display the command line arguments and environment strings of
selected, or all, user-mode tasks.
-g display tasks by thread group, of selected, or all, tasks.
-r display resource limits (rlimits) of selected, or all, tasks.
-S display a summary consisting of the number of tasks in a task state.
-A display only the active task on each cpu.
28.3. EXAMPLES
Show the process status of all current tasks:
crash> ps
PID PPID CPU TASK ST %MEM VSZ RSS COMM
> 0 0 3 c024c000 RU 0.0 0 0 [swapper]
> 0 0 0 c0dce000 RU 0.0 0 0 [swapper]
0 0 1 c0fa8000 RU 0.0 0 0 [swapper]
> 0 0 2 c009a000 RU 0.0 0 0 [swapper]
1 0 1 c0098000 IN 0.0 1096 476 init
2 1 1 c0090000 IN 0.0 0 0 [kflushd]
3 1 1 c000e000 IN 0.0 0 0 [kpiod]
4 1 3 c000c000 IN 0.0 0 0 [kswapd]
5 1 1 c0008000 IN 0.0 0 0 [mdrecoveryd]
253 1 2 fbc4c000 IN 0.0 1088 376 portmap
268 1 2 fbc82000 IN 0.1 1232 504 ypbind
274 268 2 fa984000 IN 0.1 1260 556 ypbind
321 1 1 fabf6000 IN 0.1 1264 608 syslogd
332 1 1 fa9be000 RU 0.1 1364 736 klogd
346 1 2 fae88000 IN 0.0 1112 472 atd
360 1 2 faeb2000 IN 0.1 1284 592 crond
378 1 2 fafd6000 IN 0.1 1236 560 inetd
392 1 0 fb710000 IN 0.1 2264 1468 named
406 1 3 fb768000 IN 0.1 1284 560 lpd
423 1 1 fb8ac000 IN 0.1 1128 528 rpc.statd
434 1 2 fb75a000 IN 0.0 1072 376 rpc.rquotad
445 1 2 fb4a4000 IN 0.0 1132 456 rpc.mountd
460 1 1 fa938000 IN 0.0 0 0 [nfsd]
461 1 1 faa86000 IN 0.0 0 0 [nfsd]
462 1 0 fac48000 IN 0.0 0 0 [nfsd]
463 1 0 fb4ca000 IN 0.0 0 0 [nfsd]
464 1 0 fb4c8000 IN 0.0 0 0 [nfsd]
465 1 2 fba6e000 IN 0.0 0 0 [nfsd]
466 1 1 fba6c000 IN 0.0 0 0 [nfsd]
467 1 2 fac04000 IN 0.0 0 0 [nfsd]
468 461 2 fa93a000 IN 0.0 0 0 [lockd]
469 468 2 fa93e000 IN 0.0 0 0 [rpciod]
486 1 0 fab54000 IN 0.1 1596 880 amd
523 1 2 fa84e000 IN 0.1 1884 1128 sendmail
538 1 0 fa82c000 IN 0.0 1112 416 gpm
552 1 3 fa70a000 IN 0.1 2384 1220 httpd
556 552 3 fa776000 IN 0.1 2572 1352 httpd
557 552 2 faba4000 IN 0.1 2572 1352 httpd
558 552 1 fa802000 IN 0.1 2572 1352 httpd
559 552 3 fa6ee000 IN 0.1 2572 1352 httpd
560 552 3 fa700000 IN 0.1 2572 1352 httpd
561 552 0 fa6f0000 IN 0.1 2572 1352 httpd
562 552 3 fa6ea000 IN 0.1 2572 1352 httpd
563 552 0 fa67c000 IN 0.1 2572 1352 httpd
564 552 3 fa674000 IN 0.1 2572 1352 httpd
565 552 3 fa66a000 IN 0.1 2572 1352 httpd
582 1 2 fa402000 IN 0.2 2968 1916 xfs
633 1 2 fa1ec000 IN 0.2 5512 2248 innd
636 1 3 fa088000 IN 0.1 2536 804 actived
676 1 0 fa840000 IN 0.0 1060 384 mingetty
677 1 1 fa590000 IN 0.0 1060 384 mingetty
678 1 2 fa3b8000 IN 0.0 1060 384 mingetty
679 1 0 fa5b8000 IN 0.0 1060 384 mingetty
680 1 1 fa3a4000 IN 0.0 1060 384 mingetty
681 1 2 fa30a000 IN 0.0 1060 384 mingetty
683 1 3 fa5d8000 IN 0.0 1052 280 update
686 378 1 fa3aa000 IN 0.1 2320 1136 in.rlogind
687 686 2 f9e52000 IN 0.1 2136 1000 login
688 687 0 f9dec000 IN 0.1 1732 976 bash
> 700 688 1 f9d62000 RU 0.0 1048 256 gen12
Display the parental hierarchy of the "crash" process on a live system:
crash> ps -p 4249
PID: 0 TASK: c0252000 CPU: 0 COMMAND: "swapper"
PID: 1 TASK: c009a000 CPU: 1 COMMAND: "init"
PID: 632 TASK: c73b6000 CPU: 1 COMMAND: "prefdm"
PID: 637 TASK: c5a4a000 CPU: 1 COMMAND: "prefdm"
PID: 649 TASK: c179a000 CPU: 0 COMMAND: "kwm"
PID: 683 TASK: c1164000 CPU: 0 COMMAND: "kfm"
PID: 1186 TASK: c165a000 CPU: 0 COMMAND: "xterm"
PID: 1188 TASK: c705e000 CPU: 1 COMMAND: "bash"
PID: 4249 TASK: c6b9a000 CPU: 0 COMMAND: "crash"
Display all children of the "kwm" window manager:
crash> ps -c kwm
PID: 649 TASK: c179a000 CPU: 0 COMMAND: "kwm"
PID: 682 TASK: c2d58000 CPU: 1 COMMAND: "kwmsound"
PID: 683 TASK: c1164000 CPU: 1 COMMAND: "kfm"
PID: 685 TASK: c053c000 CPU: 0 COMMAND: "krootwm"
PID: 686 TASK: c13fa000 CPU: 0 COMMAND: "kpanel"
PID: 687 TASK: c13f0000 CPU: 1 COMMAND: "kbgndwm"
Display all threads in a firefox session:
crash> ps firefox
PID PPID CPU TASK ST %MEM VSZ RSS COMM
21273 21256 6 ffff81003ec15080 IN 46.3 1138276 484364 firefox
21276 21256 6 ffff81003f49e7e0 IN 46.3 1138276 484364 firefox
21280 21256 0 ffff81003ec1d7e0 IN 46.3 1138276 484364 firefox
21286 21256 6 ffff81000b0d1820 IN 46.3 1138276 484364 firefox
21287 21256 2 ffff81000b0d10c0 IN 46.3 1138276 484364 firefox
26975 21256 5 ffff81003b5c1820 IN 46.3 1138276 484364 firefox
26976 21256 5 ffff810023232820 IN 46.3 1138276 484364 firefox
26977 21256 4 ffff810021a11820 IN 46.3 1138276 484364 firefox
26978 21256 5 ffff810003159040 IN 46.3 1138276 484364 firefox
26979 21256 5 ffff81003a058820 IN 46.3 1138276 484364 firefox
Display only the thread group leader in the firefox session:
crash> ps -G firefox
PID PPID CPU TASK ST %MEM VSZ RSS COMM
21273 21256 0 ffff81003ec15080 IN 46.3 1138276 484364 firefox
Show the time usage data for pid 10318:
crash> ps -t 10318
PID: 10318 TASK: f7b85550 CPU: 5 COMMAND: "bash"
RUN TIME: 1 days, 01:35:32
START TIME: 5209
UTIME: 95
STIME: 57
Show the process status of PID 1, task f9dec000, and all nfsd tasks:
crash> ps 1 f9dec000 nfsd
PID PPID CPU TASK ST %MEM VSZ RSS COMM
1 0 1 c0098000 IN 0.0 1096 476 init
688 687 0 f9dec000 IN 0.1 1732 976 bash
460 1 1 fa938000 IN 0.0 0 0 [nfsd]
461 1 1 faa86000 IN 0.0 0 0 [nfsd]
462 1 0 fac48000 IN 0.0 0 0 [nfsd]
463 1 0 fb4ca000 IN 0.0 0 0 [nfsd]
464 1 0 fb4c8000 IN 0.0 0 0 [nfsd]
465 1 2 fba6e000 IN 0.0 0 0 [nfsd]
466 1 1 fba6c000 IN 0.0 0 0 [nfsd]
467 1 2 fac04000 IN 0.0 0 0 [nfsd]
Show all kernel threads:
crash> ps -k
PID PPID CPU TASK ST %MEM VSZ RSS COMM
0 0 1 c0fac000 RU 0.0 0 0 [swapper]
0 0 0 c0252000 RU 0.0 0 0 [swapper]
2 1 1 c0fa0000 IN 0.0 0 0 [kflushd]
3 1 1 c03de000 IN 0.0 0 0 [kpiod]
4 1 1 c03dc000 IN 0.0 0 0 [kswapd]
5 1 0 c0092000 IN 0.0 0 0 [mdrecoveryd]
336 1 0 c4a9a000 IN 0.0 0 0 [rpciod]
337 1 0 c4830000 IN 0.0 0 0 [lockd]
487 1 1 c4ba6000 IN 0.0 0 0 [nfsd]
488 1 0 c18c6000 IN 0.0 0 0 [nfsd]
489 1 0 c0cac000 IN 0.0 0 0 [nfsd]
490 1 0 c056a000 IN 0.0 0 0 [nfsd]
491 1 0 c0860000 IN 0.0 0 0 [nfsd]
492 1 1 c0254000 IN 0.0 0 0 [nfsd]
493 1 0 c0a86000 IN 0.0 0 0 [nfsd]
494 1 0 c0968000 IN 0.0 0 0 [nfsd]
Display a summary consisting of the number of tasks in a task state:
crash> ps -S
RU: 5
IN: 259
UN: 31
ZO: 1
Display only the active task, on each cpu:
crash> ps -A
PID PPID CPU TASK ST %MEM VSZ RSS COMM
> 10 2 1 ffff880212969710 IN 0.0 0 0 [migration/1]
> 0 0 3 ffff884026d43520 RU 0.0 0 0 [swapper]
> 6582 1 2 ffff880f49c52040 RU 0.0 42202472 33368 oracle
> 9497 1 0 ffff880549ec2ab0 RU 0.0 42314692 138664 oracle
Show all tasks sorted by their task_struct's last_run, timestamp, or
sched_entity last_arrival timestamp value, whichever applies:
crash> ps -l
[20811245123] [IN] PID: 37 TASK: f7153030 CPU: 2 COMMAND: "events/2"
[20811229959] [IN] PID: 1756 TASK: f2a5a570 CPU: 2 COMMAND: "ntpd"
[20800696644] [IN] PID: 1456 TASK: f2b1f030 CPU: 4 COMMAND: "irqbalance"
[20617047229] [IN] PID: 2324 TASK: f57f9570 CPU: 5 COMMAND: "flush-253:0"
[20617029209] [IN] PID: 49 TASK: f7167030 CPU: 4 COMMAND: "bdi-default"
[20438025365] [IN] PID: 345 TASK: f55c7ab0 CPU: 3 COMMAND: "mpt_poll_0"
[20103026046] [IN] PID: 728 TASK: f72ba570 CPU: 3 COMMAND: "edac-poller"
[20000189409] [IN] PID: 35 TASK: f7153ab0 CPU: 0 COMMAND: "events/0"
[20000179905] [IN] PID: 48 TASK: f7167570 CPU: 0 COMMAND: "sync_supers"
[19997120354] [IN] PID: 36 TASK: f7153570 CPU: 1 COMMAND: "events/1"
[19991059209] [IN] PID: 38 TASK: f715fab0 CPU: 3 COMMAND: "events/3"
[19988091608] [IN] PID: 39 TASK: f715f570 CPU: 4 COMMAND: "events/4"
[19985076530] [IN] PID: 40 TASK: f715f030 CPU: 5 COMMAND: "events/5"
[19982019106] [IN] PID: 41 TASK: f7161ab0 CPU: 6 COMMAND: "events/6"
[19982016294] [IN] PID: 29 TASK: f7109ab0 CPU: 6 COMMAND: "ksoftirqd/6"
[19838402345] [RU] PID: 2331 TASK: f297f570 CPU: 7 COMMAND: "bash"
[19837129436] [IN] PID: 2326 TASK: f2ad5030 CPU: 6 COMMAND: "sshd"
[19289476417] [IN] PID: 1772 TASK: f5665570 CPU: 5 COMMAND: "sendmail"
...
Show the most-recently run tasks on cpu 0 using both the -l and the -m
options:
crash> ps -m -C0
CPU: 0
[ 0 00:00:00.003] [RU] PID: 1205 TASK: dee03f20 CPU: 0 COMMAND: "insmod"
[ 0 00:00:00.006] [RU] PID: 770 TASK: df9e9940 CPU: 0 COMMAND: "rsyslogd"
[ 0 00:00:00.009] [IN] PID: 603 TASK: df9bcbc0 CPU: 0 COMMAND: "udevd"
[ 0 00:00:00.010] [IN] PID: 348 TASK: df9ecbc0 CPU: 0 COMMAND: "udevd"
[ 0 00:00:00.013] [IN] PID: 934 TASK: df9171a0 CPU: 0 COMMAND: "hald"
[ 0 00:00:00.023] [IN] PID: 6 TASK: df443f20 CPU: 0 COMMAND: "events/0"
[ 0 00:00:00.029] [IN] PID: 15 TASK: df46b280 CPU: 0 COMMAND: "kblockd/0"
[ 0 00:00:00.101] [IN] PID: 1168 TASK: dee01940 CPU: 0 COMMAND: "bash"
[ 0 00:00:01.404] [IN] PID: 272 TASK: dfa48ca0 CPU: 0 COMMAND: "flush-8:0"
...
crash> ps -l -C0
CPU: 0
[137146164748] [RU] PID: 1205 TASK: dee03f20 CPU: 0 COMMAND: "insmod"
[137142534372] [RU] PID: 770 TASK: df9e9940 CPU: 0 COMMAND: "rsyslogd"
[137140168469] [IN] PID: 603 TASK: df9bcbc0 CPU: 0 COMMAND: "udevd"
[137138826427] [IN] PID: 348 TASK: df9ecbc0 CPU: 0 COMMAND: "udevd"
[137135214599] [IN] PID: 934 TASK: df9171a0 CPU: 0 COMMAND: "hald"
[137125651275] [IN] PID: 6 TASK: df443f20 CPU: 0 COMMAND: "events/0"
[137119564815] [IN] PID: 15 TASK: df46b280 CPU: 0 COMMAND: "kblockd/0"
[137047715027] [IN] PID: 1168 TASK: dee01940 CPU: 0 COMMAND: "bash"
[135744209052] [IN] PID: 272 TASK: dfa48ca0 CPU: 0 COMMAND: "flush-8:0"
...
Show the kernel stack pointer of each user task:
crash> ps -us
PID PPID CPU KSTACKP ST %MEM VSZ RSS COMM
1 0 0 c009bedc IN 0.0 1096 52 init
239 1 0 c15e7ed8 IN 0.2 1332 224 pump
280 1 1 c7cbdedc IN 0.2 1092 208 portmap
295 1 0 c7481edc IN 0.0 1232 0 ypbind
301 295 0 c7c7bf28 IN 0.1 1260 124 ypbind
376 1 1 c5053f28 IN 0.0 1316 40 automount
381 1 0 c34ddf28 IN 0.2 1316 224 automount
391 1 1 c2777f28 IN 0.2 1316 224 automount
...
Display the argument and environment data for the automount task:
crash> ps -a automount
PID: 3948 TASK: f722ee30 CPU: 0 COMMAND: "automount"
ARG: /usr/sbin/automount --timeout=60 /net program /etc/auto.net
ENV: SELINUX_INIT=YES
CONSOLE=/dev/console
TERM=linux
INIT_VERSION=sysvinit-2.85
PATH=/sbin:/usr/sbin:/bin:/usr/bin
LC_MESSAGES=en_US
RUNLEVEL=3
runlevel=3
PWD=/
LANG=ja_JP.UTF-8
PREVLEVEL=N
previous=N
HOME=/
SHLVL=2
_=/usr/sbin/automount
Display the tasks in the thread group containing task c20ab0b0:
crash> ps -g c20ab0b0
PID: 6425 TASK: f72f50b0 CPU: 0 COMMAND: "firefox-bin"
PID: 6516 TASK: f71bf1b0 CPU: 0 COMMAND: "firefox-bin"
PID: 6518 TASK: d394b930 CPU: 0 COMMAND: "firefox-bin"
PID: 6520 TASK: c20aa030 CPU: 0 COMMAND: "firefox-bin"
PID: 6523 TASK: c20ab0b0 CPU: 0 COMMAND: "firefox-bin"
PID: 6614 TASK: f1f181b0 CPU: 0 COMMAND: "firefox-bin"
Display the tasks in the thread group for each instance of the
program named "multi-thread":
crash> ps -g multi-thread
PID: 2522 TASK: 1003f0dc7f0 CPU: 1 COMMAND: "multi-thread"
PID: 2523 TASK: 10037b13030 CPU: 1 COMMAND: "multi-thread"
PID: 2524 TASK: 1003e064030 CPU: 1 COMMAND: "multi-thread"
PID: 2525 TASK: 1003e13a7f0 CPU: 1 COMMAND: "multi-thread"
PID: 2526 TASK: 1002f82b7f0 CPU: 1 COMMAND: "multi-thread"
PID: 2527 TASK: 1003e1737f0 CPU: 1 COMMAND: "multi-thread"
PID: 2528 TASK: 10035b4b7f0 CPU: 1 COMMAND: "multi-thread"
PID: 2529 TASK: 1003f0c37f0 CPU: 1 COMMAND: "multi-thread"
PID: 2530 TASK: 10035597030 CPU: 1 COMMAND: "multi-thread"
PID: 2531 TASK: 100184be7f0 CPU: 1 COMMAND: "multi-thread"
Display the resource limits of "bash" task 13896:
crash> ps -r 13896
PID: 13896 TASK: cf402000 CPU: 0 COMMAND: "bash"
RLIMIT CURRENT MAXIMUM
CPU (unlimited) (unlimited)
FSIZE (unlimited) (unlimited)
DATA (unlimited) (unlimited)
STACK 10485760 (unlimited)
CORE (unlimited) (unlimited)
RSS (unlimited) (unlimited)
NPROC 4091 4091
NOFILE 1024 1024
MEMLOCK 4096 4096
AS (unlimited) (unlimited)
LOCKS (unlimited) (unlimited)
Search for task names matching a POSIX regular expression:
crash> ps 'migration*'
PID PPID CPU TASK ST %MEM VSZ RSS COMM
8 2 0 ffff8802128a2e20 IN 0.0 0 0 [migration/0]
10 2 1 ffff880212969710 IN 0.0 0 0 [migration/1]
15 2 2 ffff880212989710 IN 0.0 0 0 [migration/2]
20 2 3 ffff8802129a9710 IN 0.0 0 0 [migration/3]
29. pte - translate a page table entry
29.1. SYNOPSIS
pte contents ...
29.2. DESCRIPTION
This command translates the hexadecimal contents of a PTE into its physical
page address and page bit settings. If the PTE references a swap location,
the swap device and offset are displayed.
29.3. EXAMPLES
crash> pte d8e067
PTE PHYSICAL FLAGS
d8e067 d8e000 (PRESENT|RW|USER|ACCESSED|DIRTY)
crash> pte 13f600
PTE SWAP OFFSET
13f600 /dev/hda2 5104
30. ptob - page to bytes
30.1. SYNOPSIS
ptob page_number ...
30.2. DESCRIPTION
This command translates a page frame number to its byte value.
30.3. EXAMPLES
crash> ptob 512a
512a: 512a000
31. ptov - physical to virtual
per-cpu to virtual
31.1. SYNOPSIS
ptov [address | offset:cpuspec]
31.2. DESCRIPTION
This command translates a hexadecimal physical address into a kernel
virtual address. Alternatively, a hexadecimal per-cpu offset and
cpu specifier will be translated into kernel virtual addresses for
each cpu specified.
address a physical address
offset:cpuspec a per-cpu offset with a CPU specifier:
: CPU of the currently selected task.
:a[ll] all CPUs.
:#[-#][,...] CPU list(s), e.g. "1,3,5", "1-3",
or "1,3,5-7,10".
31.3. EXAMPLES
Translate physical address 56e000 into a kernel virtual address:
crash> ptov 56e000
VIRTUAL PHYSICAL
ffff88000056e000 56e000
Translate per-cpu offset b0c0 into a kernel virtual address for
all cpus:
crash> ptov b0c0:a
PER-CPU OFFSET: b0c0
CPU VIRTUAL
[0] ffff88021e20b0c0
[1] ffff88021e24b0c0
[2] ffff88021e28b0c0
[3] ffff88021e2cb0c0
32. rd - read memory
32.1. SYNOPSIS
rd [-adDsSupxmfNR][-8|-16|-32|-64][-o offs][-e addr][-r file][address|symbol]
[count]
32.2. DESCRIPTION
This command displays the contents of memory, with the output formatted
in several different manners. The starting address may be entered either
symbolically or by address. The default output size is the size of a long
data type, and the default output format is hexadecimal. When hexadecimal
output is used, the output will be accompanied by an ASCII translation.
-p address argument is a physical address.
-u address argument is a user virtual address; only required on
processors with common user and kernel virtual address spaces.
-m address argument is a xen host machine address.
-f address argument is a dumpfile offset.
-d display output in signed decimal format (default is hexadecimal).
-D display output in unsigned decimal format (default is hexadecimal).
-s displays output symbolically when appropriate.
-S[S] displays output symbolically when appropriate; if the memory
contents reference a slab cache object, the name of the slab cache
will be displayed in brackets. If -S is entered twice, and the
memory contents reference a slab cache object, both the memory
contents and the name of the slab cache will be displayed in
brackets.
-x do not display ASCII translation at end of each line.
-8 display output in 8-bit values.
-16 display output in 16-bit values.
-32 display output in 32-bit values (default on 32-bit machines).
-64 display output in 64-bit values (default on 64-bit machines).
-a display output in ASCII characters if the memory contains printable
ASCII characters; if no count argument is entered, stop at the first
non-printable character.
-N display output in network byte order (only valid for 16- and 32-bit
values)
-R display memory in reverse order; memory will be displayed up to and
including the address argument, requiring the count argument to be
greater than 1 in order to display memory before the specified
address.
-o offs offset the starting address by offs.
-e addr display memory until reaching specified ending hexadecimal address.
-r file dumps raw data to the specified output file; the number of bytes that
are copied to the file must be specified either by a count argument
or by the -e option.
address starting hexadecimal address:
1 the default presumes a kernel virtual address.
2. -p specifies a physical address.
3. -u specifies a user virtual address, but is only necessary on
processors with common user and kernel virtual address spaces.
symbol symbol of starting address to read.
count number of memory locations to display; if entered, it must be the
last argument on the command line; if not entered, the count defaults
to 1, or unlimited for -a; when used with the -r option, it is the
number of bytes to be written to the file.
32.3. EXAMPLES
Display the kernel's version string:
crash> rd -a linux_banner
c082a020: Linux version 2.6.32-119.el6.i686 (mockbuild@hs20-bc2-4.buil
c082a05c: d.redhat.com) (gcc version 4.4.4 20100726 (Red Hat 4.4.4-13)
c082a098: (GCC) ) #1 SMP Tue Mar 1 18:16:57 EST 2011
Display the same block of memory, first without symbols, again
with symbols, and then with symbols and slab cache references:
crash> rd f6e31f70 28
f6e31f70: f6e31f6c f779c180 c04a4032 00a9dd40 l.....y.2@J.@...
f6e31f80: 00000fff c0472da0 f6e31fa4 f779c180 .....-G.......y.
f6e31f90: fffffff7 00a9b70f f6e31000 c04731ee .............1G.
f6e31fa0: f6e31fa4 00000000 00000000 00000000 ................
f6e31fb0: 00000000 00a9dd40 c0404f17 00000000 ....@....O@.....
f6e31fc0: 00a9dd40 00000fff 00a9dd40 00a9b70f @.......@.......
f6e31fd0: bf9e2718 ffffffda c040007b 0000007b .'......{.@.{...
crash> rd -s f6e31f70 28
f6e31f70: f6e31f6c f779c180 kmsg_read 00a9dd40
f6e31f80: 00000fff vfs_read+159 f6e31fa4 f779c180
f6e31f90: fffffff7 00a9b70f f6e31000 sys_read+60
f6e31fa0: f6e31fa4 00000000 00000000 00000000
f6e31fb0: 00000000 00a9dd40 syscall_call+7 00000000
f6e31fc0: 00a9dd40 00000fff 00a9dd40 00a9b70f
f6e31fd0: bf9e2718 ffffffda startup_32+123 0000007b
crash> rd -S f6e31f70 28
f6e31f70: [size-4096] [filp] kmsg_read 00a9dd40
f6e31f80: 00000fff vfs_read+159 [size-4096] [filp]
f6e31f90: fffffff7 00a9b70f [size-4096] sys_read+60
f6e31fa0: [size-4096] 00000000 00000000 00000000
f6e31fb0: 00000000 00a9dd40 syscall_call+7 00000000
f6e31fc0: 00a9dd40 00000fff 00a9dd40 00a9b70f
f6e31fd0: bf9e2718 ffffffda startup_32+123 0000007b
crash> rd -SS f6e31f70 28
f6e31f70: [f6e31f6c:size-4096] [f779c180:filp] kmsg_read 00a9dd40
f6e31f80: 00000fff vfs_read+159 [f6e31fa4:size-4096] [f779c180:filp]
f6e31f90: fffffff7 00a9b70f [f6e31000:size-4096] sys_read+60
f6e31fa0: [f6e31fa4:size-4096] 00000000 00000000 00000000
f6e31fb0: 00000000 00a9dd40 syscall_call+7 00000000
f6e31fc0: 00a9dd40 00000fff 00a9dd40 00a9b70f
f6e31fd0: bf9e2718 ffffffda startup_32+123 0000007b
Read jiffies in hexadecimal and decimal format:
crash> rd jiffies
c0213ae0: 0008cc3a :...
crash> rd -d jiffies
c0213ae0: 577376
Access the same memory in different sizes:
crash> rd -64 kernel_version
c0226a6c: 35312d352e322e32 2.2.5-15
crash> rd -32 kernel_version 2
c0226a6c: 2e322e32 35312d35 2.2.5-15
crash> rd -16 kernel_version 4
c0226a6c: 2e32 2e32 2d35 3531 2.2.5-15
crash> rd -8 kernel_version 8
c0226a6c: 32 2e 32 2e 35 2d 31 35 2.2.5-15
Read the range of memory from c009bf2c to c009bf60:
crash> rd c009bf2c -e c009bf60
c009bf2c: c009bf64 c01328c3 c009bf64 c0132838 d....(..d...8(..
c009bf3c: 0000002a 00000004 c57d77e8 00000104 *........w}.....
c009bf4c: 0000000b c009a000 7fffffff 00000000 ................
c009bf5c: 00000000 ....
33. repeat - repeat a command
33.1. SYNOPSIS
repeat [-seconds] command
33.2. DESCRIPTION
This command repeats a command indefinitely, optionally delaying a given
number of seconds between each command execution.
-seconds The number of seconds to delay between command executions.
This option must precede the command name to be executed.
Command execution may be stopped with CTRL-C, or if scrolling is in effect,
by entering "q". This command is meant for use on a live system; it is
hard to conceive of a reason to use it when debugging a crash dump.
33.3. EXAMPLES
Display the value of jiffies once per second:
crash> repeat -1 p jiffies
jiffies = $1 = 155551079
jiffies = $2 = 155551180
jiffies = $3 = 155551281
jiffies = $4 = 155551382
jiffies = $5 = 155551483
jiffies = $6 = 155551584
jiffies = $7 = 155551685
jiffies = $8 = 155551786
jiffies = $9 = 155551887
jiffies = $10 = 155551988
jiffies = $11 = 155552089
jiffies = $12 = 155552190
jiffies = $13 = 155552291
jiffies = $14 = 155552392
jiffies = $15 = 155552493
jiffies = $16 = 155552594
jiffies = $17 = 155552695
jiffies = $18 = 155552796
...
34. runq - run queue
34.1. SYNOPSIS
runq [-t] [-T] [-m] [-g] [-c cpu(s)]
34.2. DESCRIPTION
With no argument, this command displays the tasks on the run queues
of each cpu.
-t Display the timestamp information of each cpu's runqueue, which is the
rq.clock, rq.most_recent_timestamp or rq.timestamp_last_tick value,
whichever applies; following each cpu timestamp is the last_run or
timestamp value of the active task on that cpu, whichever applies,
along with the task identification.
-T Display the time lag of each CPU relative to the most recent runqueue
timestamp.
-m Display the amount of time that the active task on each cpu has been
running, expressed in a format consisting of days, hours, minutes,
seconds and milliseconds.
-g Display tasks hierarchically by task_group. The task_group line shows
the task_group address, the cfs_rq or rt_rq address, the task_group
name (if any), and whether the task_group is throttled.
-c cpu restrict the output to the run queue data of one or more CPUs,
which can be specified using the format "3", "1,8,9", "1-23",
or "1,8,9-14".
34.3. EXAMPLES
Display the tasks on an O(1) scheduler run queue:
crash> runq
CPU 0 RUNQUEUE: ffff880001cdb460
CURRENT: PID: 2739 TASK: ffff8800320fa7e0 COMMAND: "bash"
ACTIVE PRIO_ARRAY: ffff880001cdb4d8
[115] PID: 2739 TASK: ffff8800320fa7e0 COMMAND: "bash"
PID: 1776 TASK: ffff88003217d820 COMMAND: "syslogd"
EXPIRED PRIO_ARRAY: ffff880001cdbdb8
[no tasks queued]
CPU 1 RUNQUEUE: ffff880001ce3460
CURRENT: PID: 1779 TASK: ffff88003207a860 COMMAND: "klogd"
ACTIVE PRIO_ARRAY: ffff880001ce34d8
[115] PID: 1779 TASK: ffff88003207a860 COMMAND: "klogd"
EXPIRED PRIO_ARRAY: ffff880001ce3db8
[no tasks queued]
Display the tasks on a CFS run queue:
crash> runq
CPU 0 RUNQUEUE: ffff8800090436c0
CURRENT: PID: 588 TASK: ffff88007e4877a0 COMMAND: "udevd"
RT PRIO_ARRAY: ffff8800090437c8
[no tasks queued]
CFS RB_ROOT: ffff880009043740
[118] PID: 2110 TASK: ffff88007d470860 COMMAND: "check-cdrom.sh"
[118] PID: 2109 TASK: ffff88007f1247a0 COMMAND: "check-cdrom.sh"
[118] PID: 2114 TASK: ffff88007f20e080 COMMAND: "udevd"
CPU 1 RUNQUEUE: ffff88000905b6c0
CURRENT: PID: 2113 TASK: ffff88007e8ac140 COMMAND: "udevd"
RT PRIO_ARRAY: ffff88000905b7c8
[no tasks queued]
CFS RB_ROOT: ffff88000905b740
[118] PID: 2092 TASK: ffff88007d7a4760 COMMAND: "MAKEDEV"
[118] PID: 1983 TASK: ffff88007e59f140 COMMAND: "udevd"
[118] PID: 2064 TASK: ffff88007e40f7a0 COMMAND: "udevd"
[115] PID: 2111 TASK: ffff88007e4278a0 COMMAND: "kthreadd"
Display run queue timestamp data:
crash> runq -t
CPU 0: 2680990637359
2680986653330 PID: 28228 TASK: ffff880037ca2ac0 COMMAND: "loop"
CPU 1: 2680940618478
2680940618478 PID: 28167 TASK: ffff880078130040 COMMAND: "bash"
CPU 2: 2680990763425
2680986785772 PID: 28227 TASK: ffff8800787780c0 COMMAND: "loop"
CPU 3: 2680990954469
2680986059540 PID: 28226 TASK: ffff880078778b00 COMMAND: "loop"
Display the amount of time the active task on each cpu has been running:
crash> runq -m
CPU 0: [0 00:00:00.014] PID: 5275 TASK: f5dbcaa0 COMMAND: "sh"
CPU 1: [0 00:00:00.002] PID: 5203 TASK: f5c7baa0 COMMAND: "cat"
CPU 2: [0 00:00:00.014] PID: 7971 TASK: f5c6c550 COMMAND: "khelper"
CPU 3: [0 00:00:00.002] PID: 0 TASK: f4ccd000 COMMAND: "swapper"
Display tasks hierarchically by task_group:
crash> runq -g
CPU 0
CURRENT: PID: 14734 TASK: ffff88010626f500 COMMAND: "sh"
ROOT_TASK_GROUP: ffffffff81ed93e0 RT_RQ: ffff880028216808
[ 0] TASK_GROUP: ffff88022c6bbc00 RT_RQ: ffff880139fc9800 (THROTTLED)
[ 0] PID: 14750 TASK: ffff88013a4dd540 COMMAND: "rtloop99"
[ 1] PID: 14748 TASK: ffff88013bbca040 COMMAND: "rtloop98"
[ 1] TASK_GROUP: ffff88012b0fb400 RT_RQ: ffff880089029000
[ 1] PID: 14752 TASK: ffff880088abf500 COMMAND: "rtloop98"
[ 54] PID: 14749 TASK: ffff880037a4e080 COMMAND: "rtloop45"
[ 98] PID: 14746 TASK: ffff88012678c080 COMMAND: "rtloop1"
ROOT_TASK_GROUP: ffffffff81ed93e0 CFS_RQ: ffff8800282166e8
[120] PID: 14740 TASK: ffff88013b1e6080 COMMAND: "sh"
[120] PID: 14738 TASK: ffff88012678d540 COMMAND: "sh"
[120] PID: 14734 TASK: ffff88010626f500 COMMAND: "sh" [CURRENT]
TASK_GROUP: ffff884052bc9800 CFS_RQ: ffff8831e4a1b000 (THROTTLED)
[120] PID: 14732 TASK: ffff88013bbcb500 COMMAND: "sh"
[120] PID: 14728 TASK: ffff8800b3496080 COMMAND: "sh"
[120] PID: 14730 TASK: ffff880037833540 COMMAND: "sh"
TASK_GROUP: ffff884058f1d000 CFS_RQ: ffff88120a101600 (THROTTLED)
[120] PID: 14726 TASK: ffff880138d42aa0 COMMAND: "sh"
...
Display tasks hierarchically by task_group for cpu 3 only:
crash> runq -g -c3
CPU 3
CURRENT: PID: 2948 TASK: ffff88022af2a100 COMMAND: "bash"
INIT_TASK_GROUP: ffffffff81e1a780 RT_RQ: ffff880028216148
[no tasks queued]
INIT_TASK_GROUP: ffffffff81e1a780 CFS_RQ: ffff880028216028
[120] PID: 2948 TASK: ffff88022af2a100 COMMAND: "bash" [CURRENT]
TASK_GROUP: ffff88012b880800 CFS_RQ: ffff88012c5d1000 <libvirt>
TASK_GROUP: ffff88012c078000 CFS_RQ: ffff88012c663e00 <qemu>
TASK_GROUP: ffff88022c7f4c00 CFS_RQ: ffff88012bb56000 <guest2>
TASK_GROUP: ffff88022b621400 CFS_RQ: ffff88012b012000 <vcpu0>
[120] PID: 3248 TASK: ffff88012a9d4100 COMMAND: "qemu-kvm"
35. sbitmapq - sbitmap_queue struct contents
35.1. SYNOPSIS
sbitmapq [-s struct[.member[,member]] -a address [-p] [-v]] -[x|d] address
35.2. DESCRIPTION
The command dumps the contents of the sbitmap_queue structure and
the used bits in the bitmap. Also, it shows the dump of a structure
array associated with the sbitmap_queue.
The arguments are as follows:
-s struct name of a C-code structure, that is stored in an array
associated with sbitmap_queue structure. Use the
"struct.member" format in order to display a particular
member of the structure. -s option requires -a option
-a address address of a structure array associated with sbitmap_queue
structure. The set bits in sbitmap are used for the index
in an associated array.
-p associated with sbitmap_queue array contains the points of
structure.
-x override default output format with hexadecimal format.
-d override default output format with decimal format.
-v By default, the sbitmap command shows only a used sbitmap
index and a structure address in the associated array.
This flag says to print a formatted display of the
contents of a structure in an associated array. -v option
requires of -s.
35.3. EXAMPLES
All examples are shown on the base of Linux Target system with iSCSI
transport.
Display the common sbitmap information for target session:
crash> struct -oh se_session 0xc0000000e118c760 | grep sbitmap_queue
[c0000000e118c808] struct sbitmap_queue sess_tag_pool;
crash>
crash> sbitmapq c0000000e118c808
depth = 136
busy = 4
cleared = 26
bits_per_word = 32
map_nr = 5
alloc_hint = {74, 36, 123, 101}
wake_batch = 8
wake_index = 0
ws_active = 0
ws = {
{ .wait_cnt = 8, .wait = inactive },
{ .wait_cnt = 8, .wait = inactive },
{ .wait_cnt = 8, .wait = inactive },
{ .wait_cnt = 8, .wait = inactive },
{ .wait_cnt = 8, .wait = inactive },
{ .wait_cnt = 8, .wait = inactive },
{ .wait_cnt = 8, .wait = inactive },
{ .wait_cnt = 8, .wait = inactive },
}
round_robin = 0
min_shallow_depth = 4294967295
00000000: 0000 0000 0000 0000 0030 0000 0000 0000
00000010: 00
Display the addresses of structure are associated with
sbitmap_queue (for iscsi it is 'iscsi_cmd' structure):
crash> struct se_session 0xc0000000e118c760 | grep sess_cmd_map
sess_cmd_map = 0xc0000000671c0000,
crash>
crash> sbitmapq -s iscsi_cmd -a 0xc0000000671c0000 c0000000e118c808
76: 0xc0000000671d5600
77: 0xc0000000671d5a80
Dump of formatted content of structures:
crash> sbitmapq -s iscsi_cmd -a 0xc0000000671c0000 -v c0000000e118c808
76 (0xc0000000671d5600):
struct iscsi_cmd {
dataout_timer_flags = 0,
dataout_timeout_retries = 0 '\000',
error_recovery_count = 0 '\000',
deferred_i_state = ISTATE_NO_STATE,
i_state = ISTATE_SENT_STATUS,
...
first_data_sg = 0xc0000000e306b080,
first_data_sg_off = 0,
kmapped_nents = 1,
sense_reason = 0
}
77 (0xc0000000671d5a80):
struct iscsi_cmd {
dataout_timer_flags = 0,
dataout_timeout_retries = 0 '\000',
error_recovery_count = 0 '\000',
deferred_i_state = ISTATE_NO_STATE,
i_state = ISTATE_NEW_CMD,
...
first_data_sg = 0x0,
first_data_sg_off = 0,
kmapped_nents = 0,
sense_reason = 0
}
36. search - search memory
36.1. SYNOPSIS
search [-s start] [ -[kKV] | -u | -p | -t | -T ] [-e end | -l length] [-m mask]
[-x count] -[cwh] [value | (expression) | symbol | string] ...
36.2. DESCRIPTION
This command searches for a given value within a range of user virtual, kernel
virtual, or physical memory space. If no end nor length value is entered,
then the search stops at the end of user virtual, kernel virtual, or physical
address space, whichever is appropriate.
An optional mask value may be entered to mask off "don't care" bits.
-s start Start the search at this hexadecimal user or kernel virtual
address, physical address, or kernel symbol. The start address
must be appropriate for the memory type specified; if no memory
type is specified, the default is kernel virtual address space.
-k If no start address is specified, start the search at the base
of kernel virtual address space. This option is the default.
-K Same as -k, except that mapped kernel virtual memory that was
allocated by vmalloc(), module memory, or virtual mem_map regions
will not be searched.
-V Same as -k, except that unity-mapped kernel virtual memory and
mapped kernel-text/static-data (x86_64 and ia64) will not be
searched.
-u If no start address is specified, start the search at the base
of the current context's user virtual address space. If a start
address is specified, then this option specifies that the start
address is a user virtual address.
-p If no start address is specified, start the search at the base
of physical address space. If a start address is specified,
then this option specifies that the start address is a physical
address.
-t Search only the kernel stack pages of every task. If one or more
matches are found in a task's kernel stack, precede the output
with a task-identifying header.
-T Same as -t, except only the active task(s) are considered.
-e end Stop the search at this hexadecimal user or kernel virtual
address, kernel symbol, or physical address. The end address
must be appropriate for the memory type specified.
-l length Length in bytes of address range to search.
-m mask Ignore the bits that are set in the hexadecimal mask value.
-c Search for character string values instead of unsigned longs. If
the string contains any space(s), it must be encompassed by double
quotes.
-w Search for unsigned hexadecimal ints instead of unsigned longs.
This is only meaningful on 64-bit systems in order to search both
the upper and lower 32-bits of each 64-bit long for the value.
-h Search for unsigned hexadecimal shorts instead of unsigned longs.
-x count Display the memory contents before and after any found value. The
before and after memory context will consist of "count" memory
items of the same size as the "value" argument. This option is
not applicable with the -c option.
value Search for this hexadecimal long, unless modified by the -c, -w,
or -h options.
(expression) Search for the value of this expression; the expression value must
not overflow the designated size when -h or -w are used; not
applicable when used with the -c option.
symbol Search for this symbol value; the symbol value must not overflow
the designated size when -h or -w are used; not applicable when
used with the -c option.
string Search for character string values; if the string contains any
space(s), it must be encompassed by double quotes; only applicable
with the -c option.
If -k, -K, -V, -u, -p or -t are not used, then the search defaults to kernel
virtual address space. The starting address must be long-word aligned.
Address ranges that start in user space and end in kernel space are not
accepted.
36.3. EXAMPLES
Search the current context's address space for all instances of 0xdeadbeef:
crash> search -u deadbeef
81aba5c: deadbeef
81abaa8: deadbeef
bfffc698: deadbeef
bffff390: deadbeef
Search all kernel memory above the kernel text space for all instances
of 0xabcd occurring in the lower 16-bits of each 32-bit word:
crash> search -s _etext -m ffff0000 abcd
c071481c: abcd
c0c2b0fc: 804abcd
c0cf5e74: 7489abcd
c17c0b44: c012abcd
c1dac730: 3dbeabcd
c226d0e8: ffffabcd
c23ed5dc: abcd
c3022544: 3dbeabcd
c3069b58: 3dbeabcd
c3e86e84: aabcd
c3e88ed0: aabcd
c3e8ee5c: aabcd
c3e9df50: aabcd
c3e9e930: aabcd
c440a778: 804abcd
c486eb44: 3dbeabcd
c578f0fc: 804abcd
c6394f90: 8ababcd
c65219f0: 3abcd
c661399c: abcd
c68514ac: 8abcd
c7e036bc: 3dbeabcd
c7e12568: 5abcd
c7e1256c: 5abcd
Search the 4K page at c532c000 for all instances of 0xffffffff:
crash> search -s c532c000 -l 4096 ffffffff
c532c33c: ffffffff
c532c3fc: ffffffff
Search the static kernel data area for all instances of c2d400eb:
crash> search -s _etext -e _edata c2d400eb
c022b550: c2d400eb
c022b590: c2d400eb
c022b670: c2d400eb
c022b6e0: c2d400eb
c022b7b0: c2d400eb
c022b7e0: c2d400eb
c022b8b0: c2d400eb
Search physical memory for all instances of 0xbabe occurring in the
upper 16 bits of each 32-bit word:
crash> search -p babe0000 -m ffff
2a1dc4: babe671e
2b6928: babe3de1
2f99ac: babe0d54
31843c: babe70b9
3ba920: babeb5d7
413ce4: babe7540
482747c: babe2600
48579a4: babe2600
4864a68: babe2600
...
Search physical memory for all instances of 0xbabe occurring in the
upper 16 bits of each 32-bit word on a 64-bit system:
crash> search -p babe0000 -m ffff -w
102e248: babe1174
11d2f90: babe813d
122d3ad70: babe6b27
124d8cd30: babe3dc8
124d8eefc: babef981
124d8f060: babe3dc8
124d8f17c: babefc81
...
Search kernel memory for all instances of 32-bit value 0xbabe1174
on a 64-bit system:
crash> search -k -w babe1174
ffff88000102e248: babe1174
ffffffff8102e248: babe1174
Search kernel memory for two strings:
crash> search -k -c "can't allocate memory" "Failure to"
ffff8800013ddec1: can't allocate memory for key lists..<3>%s %s: error con
ffff8801258be748: Failure to install fence: %d..<3>[drm:%s] *ERROR* Failed
ffff880125f07ec9: can't allocate memory..<3>ACPI: Invalid data..Too many d
ffffffff813ddec1: can't allocate memory for key lists..<3>%s %s: error con
Search the kernel stacks of all tasks for those that contain the inode
address ffff81002c0a3050:
crash> search -t ffff81002c0a3050
PID: 4876 TASK: ffff81003e9f5860 CPU: 7 COMMAND: "automount"
ffff8100288fbe98: ffff81002c0a3050
PID: 4880 TASK: ffff81003ce967a0 CPU: 0 COMMAND: "automount"
ffff81002c0fbdd8: ffff81002c0a3050
ffff81002c0fbe78: ffff81002c0a3050
When a kernel symbol or an (expression) is used an argument, both the
resultant value and the input string are displayed:
crash> search anon_inode_inode (__down_interruptible+191)
ffff81000222a728: ffffffff80493d60 (anon_inode_inode)
ffff810005a1e918: ffffffff800649d6 (__down_interruptible+191)
ffff810005a1e9d0: ffffffff800649d6 (__down_interruptible+191)
ffff810005a1eb48: ffffffff800649d6 (__down_interruptible+191)
ffff81000b409c60: ffffffff80493d60 (anon_inode_inode)
ffff81000c155b98: ffffffff80493d60 (anon_inode_inode)
ffff8100194fac70: ffffffff80493d60 (anon_inode_inode)
ffff81001daa1008: ffffffff80493d60 (anon_inode_inode)
ffff810028b95830: ffffffff800649d6 (__down_interruptible+191)
ffff81002cea0c70: ffffffff80493d60 (anon_inode_inode)
ffff810031327268: ffffffff80493d60 (anon_inode_inode)
ffff810031327270: ffffffff800649d6 (__down_interruptible+191)
ffff810034b1ccd0: ffffffff800649d6 (__down_interruptible+191)
ffff8100399565a8: ffffffff80493d60 (anon_inode_inode)
ffff81003a278cd0: ffffffff800649d6 (__down_interruptible+191)
ffff81003cc23e08: ffffffff800649d6 (__down_interruptible+191)
37. set - set a process context or internal crash variable
37.1. SYNOPSIS
set [[-a] [pid | taskp] | [-c cpu] | -p] | [crash_variable [setting]] | -v
37.2. DESCRIPTION
This command either sets a new context, or gets the current context for
display. The context can be set by the use of:
pid a process PID.
taskp a hexadecimal task_struct pointer.
-a sets the pid or task as the active task on its cpu (dumpfiles only).
-c cpu sets the context to the active task on a cpu (dumpfiles only).
-p sets the context to the panic task, or back to the crash task on
a live system.
-v display the current state of internal crash variables.
If no argument is entered, the current context is displayed. The context
consists of the PID, the task pointer, the CPU, and task state. The task
state shows the bits found in both the task_struct state and exit_state
fields.
This command may also be used to set internal crash variables. If no value
argument is entered, the current value of the crash variable is shown. These
are the crash variables, acceptable arguments, and purpose:
scroll on | off controls output scrolling.
scroll less /usr/bin/less as the output scrolling program.
scroll more /bin/more as the output scrolling program.
scroll CRASHPAGER use CRASHPAGER environment variable as the
output scrolling program.
radix 10 | 16 sets output radix to 10 or 16.
refresh on | off controls internal task list refresh.
print_max number set maximum number of array elements to print.
print_array on | off if on, set gdb's printing of arrays to "pretty"
format, with one line per element.
console device-name sets debug console device.
debug number sets crash debug level.
core on | off if on, drops core when the next error message
is displayed.
hash on | off controls internal list verification.
silent on | off turns off initialization messages; turns off
crash prompt during input file execution.
(scrolling is turned off if silent is on)
edit vi | emacs set line editing mode (from .crashrc file only).
namelist filename name of kernel (from .crashrc file only).
zero_excluded on | off controls whether excluded pages, or pages that
are missing from an incomplete dumpfile, should
return zero-filled memory when read.
null-stop on | off if on, gdb's printing of character arrays will
stop at the first NULL encountered.
gdb on | off if on, the crash session will be run in a mode
where all commands will be passed directly to
gdb, and the command prompt will change to
"gdb>"; when running in this mode, native crash
commands may be executed by preceding them with
the "crash" directive.
scope text-addr sets the text scope for viewing the definition
of data structures; the "text-addr" argument
must be a kernel or module text address, which
may be expressed symbolically or as a hexadecimal
value; set scope 0 to un-set.
offline show | hide show or hide command output that is associated
with offline cpus.
redzone on | off if on, CONFIG_SLUB object addresses displayed by
the kmem command will point to the SLAB_RED_ZONE
padding inserted at the beginning of the object.
error default | redirect | filename set the destination of error messages.
"default": error messages are always displayed
on the console; if the output of a command is
piped to an external command or redirected
to a file, the error messages are also sent
to the pipe or file.
"redirect": if the output of a command is piped
to an external command or redirected to a file,
error messages are only sent to the pipe or
file; otherwise they are displayed on the
console.
"filename": error messages are only sent to the
specified filename; they are not displayed on
the console and are not sent to a pipe or file.
Internal variables may be set in four manners:
1. entering the set command in $HOME/.crashrc.
2. entering the set command in .crashrc in the current directory.
3. executing an input file containing the set command.
4. during runtime with this command.
During initialization, $HOME/.crashrc is read first, followed by the
.crashrc file in the current directory. Set commands in the .crashrc file
in the current directory override those in $HOME/.crashrc. Set commands
entered with this command or by runtime input file override those
defined in either .crashrc file. Multiple set command arguments or argument
pairs may be entered in one command line.
37.3. EXAMPLES
Set the current context to task c2fe8000:
crash> set c2fe8000
PID: 15917
COMMAND: "bash"
TASK: c2fe8000
CPU: 0
STATE: TASK_INTERRUPTIBLE
Set the context back to the panicking task:
crash> set -p
PID: 698
COMMAND: "gen12"
TASK: f9d78000
CPU: 2
STATE: TASK_RUNNING (PANIC)
Turn off output scrolling:
crash> set scroll off
scroll: off (/usr/bin/less)
Show the current state of crash internal variables:
crash> set -v
scroll: on (/usr/bin/less)
radix: 10 (decimal)
refresh: on
print_max: 256
print_array: off
console: /dev/pts/2
debug: 0
core: off
hash: on
silent: off
edit: vi
namelist: vmlinux
zero_excluded: off
null-stop: on
gdb: off
scope: (not set)
offline: show
redzone: on
error: default
Show the current context:
crash> set
PID: 1525
COMMAND: "bash"
TASK: c1ede000
CPU: 0
STATE: TASK_INTERRUPTIBLE
38. sig - task signal handling
38.1. SYNOPSIS
sig [[-l] | [-s sigset]] | [-g] [pid | taskp] ...
38.2. DESCRIPTION
This command displays signal-handling data of one or more tasks. Multiple
task or PID numbers may be entered; if no arguments are entered, the signal
handling data of the current context will be displayed. The default display
shows:
1. A formatted dump of the "sig" signal_struct structure referenced by
the task_struct. For each defined signal, it shows the sigaction
structure address, the signal handler, the signal sigset_t mask
(also expressed as a 64-bit hexadecimal value), and the flags.
2. Whether the task has an unblocked signal pending.
3. The contents of the "blocked" and "signal" sigset_t structures
from the task_struct/signal_struct, both of which are represented
as a 64-bit hexadecimal value.
4. For each queued signal, private and/or shared, if any, its signal
number and associated siginfo structure address.
The -l option lists the signal numbers and their name(s). The -s option
translates a 64-bit hexadecimal value representing the contents of a
sigset_t structure into the signal names whose bits are set.
pid a process PID.
taskp a hexadecimal task_struct pointer.
-g displays signal information for all threads in a task's
thread group.
-l displays the defined signal numbers and names.
-s sigset translates a 64-bit hexadecimal value representing a sigset_t
into a list of signal names associated with the bits set.
38.3. EXAMPLES
Dump the signal-handling data of PID 8970:
crash> sig 8970
PID: 8970 TASK: f67d8560 CPU: 1 COMMAND: "procsig"
SIGNAL_STRUCT: f6018680 COUNT: 1
SIG SIGACTION HANDLER MASK FLAGS
[1] f7877684 SIG_DFL 0000000000000000 0
[2] f7877698 SIG_DFL 0000000000000000 0
...
[8] f7877710 SIG_DFL 0000000000000000 0
[9] f7877724 SIG_DFL 0000000000000000 0
[10] f7877738 804867a 0000000000000000 80000000 (SA_RESETHAND)
[11] f787774c SIG_DFL 0000000000000000 0
[12] f7877760 804867f 0000000000000000 10000004 (SA_SIGINFO|SA_RESTART)
[13] f7877774 SIG_DFL 0000000000000000 0
...
[31] f78778dc SIG_DFL 0000000000000000 0
[32] f78778f0 SIG_DFL 0000000000000000 0
[33] f7877904 SIG_DFL 0000000000000000 0
[34] f7877918 804867f 0000000000000000 10000004 (SA_SIGINFO|SA_RESTART)
[35] f787792c SIG_DFL 0000000000000000 0
[36] f7877940 SIG_DFL 0000000000000000 0
...
[58] f7877af8 SIG_DFL 0000000000000000 0
[59] f7877b0c SIG_DFL 0000000000000000 0
[60] f7877b20 SIG_DFL 0000000000000000 0
[61] f7877b34 SIG_DFL 0000000000000000 0
[62] f7877b48 SIG_DFL 0000000000000000 0
[63] f7877b5c SIG_DFL 0000000000000000 0
[64] f7877b70 804867f 0000000000000000 10000004 (SA_SIGINFO|SA_RESTART)
SIGPENDING: no
BLOCKED: 8000000200000800
PRIVATE_PENDING
SIGNAL: 0000000200000800
SIGQUEUE: SIG SIGINFO
12 f51b9c84
34 f51b9594
SHARED_PENDING
SIGNAL: 8000000000000800
SIGQUEUE: SIG SIGINFO
12 f51b9188
64 f51b9d18
64 f51b9500
Dump the signal-handling data for all tasks in the thread group containing
PID 2578:
crash> sig -g 2578
PID: 2387 TASK: f617d020 CPU: 0 COMMAND: "slapd"
SIGNAL_STRUCT: f7dede00 COUNT: 6
SIG SIGACTION HANDLER MASK FLAGS
[1] c1f60c04 a258a7 0000000000000000 10000000 (SA_RESTART)
[2] c1f60c18 a258a7 0000000000000000 10000000 (SA_RESTART)
[3] c1f60c2c SIG_DFL 0000000000000000 0
[4] c1f60c40 SIG_DFL 0000000000000000 0
[5] c1f60c54 a258a7 0000000000000000 10000000 (SA_RESTART)
[6] c1f60c68 SIG_DFL 0000000000000000 0
[7] c1f60c7c SIG_DFL 0000000000000000 0
[8] c1f60c90 SIG_DFL 0000000000000000 0
[9] c1f60ca4 SIG_DFL 0000000000000000 0
[10] c1f60cb8 a25911 0000000000000000 10000000 (SA_RESTART)
...
[64] c1f610f0 SIG_DFL 0000000000000000 0
SHARED_PENDING
SIGNAL: 0000000000000000
SIGQUEUE: (empty)
PID: 2387 TASK: f617d020 CPU: 0 COMMAND: "slapd"
SIGPENDING: no
BLOCKED: 0000000000000000
PRIVATE_PENDING
SIGNAL: 0000000000000000
SIGQUEUE: (empty)
PID: 2392 TASK: f6175aa0 CPU: 0 COMMAND: "slapd"
SIGPENDING: no
BLOCKED: 0000000000000000
PRIVATE_PENDING
SIGNAL: 0000000000000000
SIGQUEUE: (empty)
PID: 2523 TASK: f7cd4aa0 CPU: 1 COMMAND: "slapd"
SIGPENDING: no
BLOCKED: 0000000000000000
PRIVATE_PENDING
SIGNAL: 0000000000000000
SIGQUEUE: (empty)
...
Translate the sigset_t mask value, cut-and-pasted from the signal handling
data from signals 1 and 10 above:
crash> sig -s 800A000000000201
SIGHUP SIGUSR1 SIGRTMAX-14 SIGRTMAX-12 SIGRTMAX
List the signal numbers and their names:
crash> sig -l
[1] SIGHUP
[2] SIGINT
[3] SIGQUIT
[4] SIGILL
[5] SIGTRAP
[6] SIGABRT/SIGIOT
[7] SIGBUS
[8] SIGFPE
[9] SIGKILL
[10] SIGUSR1
[11] SIGSEGV
[12] SIGUSR2
[13] SIGPIPE
[14] SIGALRM
[15] SIGTERM
[16] SIGSTKFLT
[17] SIGCHLD/SIGCLD
[18] SIGCONT
[19] SIGSTOP
[20] SIGTSTP
[21] SIGTTIN
[22] SIGTTOU
[23] SIGURG
[24] SIGXCPU
[25] SIGXFSZ
[26] SIGVTALRM
[27] SIGPROF
[28] SIGWINCH
[29] SIGIO/SIGPOLL
[30] SIGPWR
[31] SIGSYS
[32] SIGRTMIN
[33] SIGRTMIN+1
[34] SIGRTMIN+2
[35] SIGRTMIN+3
[36] SIGRTMIN+4
[37] SIGRTMIN+5
[38] SIGRTMIN+6
[39] SIGRTMIN+7
[40] SIGRTMIN+8
[41] SIGRTMIN+9
[42] SIGRTMIN+10
[43] SIGRTMIN+11
[44] SIGRTMIN+12
[45] SIGRTMIN+13
[46] SIGRTMIN+14
[47] SIGRTMIN+15
[48] SIGRTMIN+16
[49] SIGRTMAX-15
[50] SIGRTMAX-14
[51] SIGRTMAX-13
[52] SIGRTMAX-12
[53] SIGRTMAX-11
[54] SIGRTMAX-10
[55] SIGRTMAX-9
[56] SIGRTMAX-8
[57] SIGRTMAX-7
[58] SIGRTMAX-6
[59] SIGRTMAX-5
[60] SIGRTMAX-4
[61] SIGRTMAX-3
[62] SIGRTMAX-2
[63] SIGRTMAX-1
[64] SIGRTMAX
39. struct - structure contents
39.1. SYNOPSIS
struct struct_name[.member[,member]][-o][-l offset][-rfuxdp]
[address | symbol][:cpuspec] [count | -c count]
39.2. DESCRIPTION
This command displays either a structure definition, or a formatted display
of the contents of a structure at a specified address. When no address is
specified, the structure definition is shown along with the structure size.
A structure member may be appended to the structure name in order to limit
the scope of the data displayed to that particular member; when no address
is specified, the member's offset and definition are shown.
struct_name name of a C-code structure used by the kernel.
.member name of a structure member; to display multiple members of a
structure, use a comma-separated list of members. If any
member contains an embedded structure, or the member is an
array, the output may be restricted to just the embedded
structure or an array element by expressing the member argument
as "member.member" or "member[index]"; embedded member
specifications may extend beyond one level deep, by expressing
the member argument as "member.member.member...".
-o show member offsets when displaying structure definitions;
if used with an address or symbol argument, each member will
be preceded by its virtual address.
-l offset if the address argument is a pointer to a structure member that
is contained by the target data structure, typically a pointer
to an embedded list_head, the offset to the embedded member may
be entered in either of the following manners:
1. in "structure.member" format.
2. a number of bytes.
-r raw dump of structure data.
-f address argument is a dumpfile offset.
-u address argument is a user virtual address in the current
context.
-x override default output format with hexadecimal format.
-d override default output format with decimal format.
-p if a structure member is a pointer value, show the member's
data type on the output line; and on the subsequent line(s),
dereference the pointer, display the pointer target's symbol
value in brackets if appropriate, and if possible, display the
target data; requires an address argument.
address hexadecimal address of a structure; if the address points
to an embedded list_head structure contained within the
target data structure, then the "-l" option must be used.
symbol symbolic reference to the address of a structure.
:cpuspec CPU specification for a per-cpu address or symbol:
: CPU of the currently selected task.
:a[ll] all CPUs.
:#[-#][,...] CPU list(s), e.g. "1,3,5", "1-3",
or "1,3,5-7,10".
count count of structures to dump from an array of structures;
if used, this must be the last argument entered.
-c count "-c" is only required if "count" is not the last argument
entered or if a negative number is entered; if a negative
value is entered, the (positive) "count" structures that
lead up to and include the target structure will be displayed.
Structure data, sizes, and member offsets are shown in the current output
radix unless the -x or -d option is specified.
Please note that in the vast majority of cases, the "struct" command
name may be dropped; if the structure name does not conflict with any crash
or gdb command name, then the "struct_name[.member]" argument will be
recognized as a structure name, and this command automatically executed.
See the NOTE below.
39.3. EXAMPLES
Display the vm_area_struct at address c1e44f10:
crash> struct vm_area_struct c1e44f10
struct vm_area_struct {
vm_mm = 0xc2857750,
vm_start = 0x8048000,
vm_end = 0x80a5000,
vm_next = 0xc1e44a10,
vm_page_prot = {
pgprot = 0x25
},
vm_flags = 0x1875,
vm_avl_height = 0x2,
vm_avl_left = 0xc30fe200,
vm_avl_right = 0xc30fed00,
vm_next_share = 0x0,
vm_pprev_share = 0xc1e44a30,
vm_ops = 0xc0215ca0,
vm_offset = 0x0,
vm_file = 0xc0bfdc70,
vm_pte = 0
}
Display the definition and size of a vm_area_struct structure. This first
example below displays just the structure and size. The second example
uses the -o option to also display member offsets. Both examples were
run with the output radix set to 10 (decimal):
crash> struct vm_area_struct
struct vm_area_struct {
struct mm_struct *vm_mm;
long unsigned int vm_start;
long unsigned int vm_end;
struct vm_area_struct *vm_next;
pgprot_t vm_page_prot;
short unsigned int vm_flags;
short int vm_avl_height;
struct vm_area_struct *vm_avl_left;
struct vm_area_struct *vm_avl_right;
struct vm_area_struct *vm_next_share;
struct vm_area_struct **vm_pprev_share;
struct vm_operations_struct *vm_ops;
long unsigned int vm_offset;
struct file *vm_file;
long unsigned int vm_pte;
}
SIZE: 56
crash> struct vm_area_struct -o
struct vm_area_struct {
[0] struct mm_struct *vm_mm;
[4] long unsigned int vm_start;
[8] long unsigned int vm_end;
[12] struct vm_area_struct *vm_next;
[16] pgprot_t vm_page_prot;
[20] short unsigned int vm_flags;
[22] short int vm_avl_height;
[24] struct vm_area_struct *vm_avl_left;
[28] struct vm_area_struct *vm_avl_right;
[32] struct vm_area_struct *vm_next_share;
[36] struct vm_area_struct **vm_pprev_share;
[40] struct vm_operations_struct *vm_ops;
[44] long unsigned int vm_offset;
[48] struct file *vm_file;
[52] long unsigned int vm_pte;
}
SIZE: 56
Display the definition and offset of the pgd member of an mm_struct:
crash> struct mm_struct.pgd
struct mm_struct {
[80] pgd_t *pgd;
}
Display the pgd member of the mm_struct at address ffff810022e7d080:
crash> struct mm_struct.pgd ffff810022e7d080
pgd = 0xffff81000e3ac000
Display the pgd_t pointed to by the mm_struct.pgd pointer above, forcing
the output to be expressed in hexadecimal:
crash> mm_struct.pgd ffff810022e7d080 -px
pgd_t *pgd = 0xffff81000e3ac000
-> {
pgd = 0x2c0a6067
}
Display the thread_info structure pointed to by the thread_info
member of the task_struct at ffff8100181190c0:
crash> task_struct.thread_info ffff8100181190c0 -p
struct thread_info *thread_info = 0xffff810023c06000
-> {
task = 0xffff8100181190c0,
exec_domain = 0xffffffff802f78e0,
flags = 128,
status = 1,
cpu = 3,
preempt_count = 0,
addr_limit = {
seg = 18446604435732824064
},
restart_block = {
fn = 0xffffffff80095a52 <do_no_restart_syscall>,
arg0 = 0,
arg1 = 0,
arg2 = 0,
arg3 = 0
}
}
Display the flags and virtual members of 4 contiguous page structures
in the mem_map page structure array:
crash> page.flags,virtual c101196c 4
flags = 0x8000,
virtual = 0xc04b0000
flags = 0x8000,
virtual = 0xc04b1000
flags = 0x8000,
virtual = 0xc04b2000
flags = 0x8000,
virtual = 0xc04b3000
Display the array of tcp_sl_timer structures declared by tcp_slt_array[]:
crash> struct tcp_sl_timer tcp_slt_array 4
struct tcp_sl_timer {
count = {
counter = 0x0
},
period = 0x32,
last = 0x1419e4,
handler = 0xc0164854 <tcp_syn_recv_timer>
}
struct tcp_sl_timer {
count = {
counter = 0x2
},
period = 0x753,
last = 0x14a6df,
handler = 0xc01645b0 <tcp_keepalive>
}
struct tcp_sl_timer {
count = {
counter = 0x0
},
period = 0x2ee,
last = 0x143134,
handler = 0xc016447c <tcp_twkill>
}
struct tcp_sl_timer {
count = {
counter = 0x0
},
period = 0x64,
last = 0x143198,
handler = 0xc0164404 <tcp_bucketgc>
}
Without using the "struct" command name, display the the "d_child"
list_head member from a dentry structure:
crash> dentry.d_child 0xe813cb4
d_child = {
next = 0x3661344,
prev = 0xdea4bc4
},
Display the child dentry structure referenced by the "next" pointer above.
Since the "next" address of 0x3661344 above is a pointer to an embedded
list_head structure within the child dentry structure, the -l option
is required:
crash> dentry -l dentry.d_child 0x3661344
struct dentry {
d_count = {
counter = 1
},
d_flags = 0,
d_inode = 0xf9aa604,
d_parent = 0x11152b1c,
d_hash = {
next = 0x11fb3fc0,
prev = 0x11fb3fc0
},
d_lru = {
next = 0x366133c,
prev = 0x366133c
},
d_child = {
next = 0x36613cc,
prev = 0xe813cd4
},
d_subdirs = {
next = 0x366134c,
prev = 0x366134c
},
d_alias = {
next = 0xf9aa614,
prev = 0xf9aa614
},
d_mounted = 0,
d_name = {
name = 0x3661384 "boot.log",
len = 8,
hash = 1935169207
},
d_time = 1515870810,
d_op = 0x0,
d_sb = 0x11fc9c00,
d_vfs_flags = 0,
d_fsdata = 0x0,
d_extra_attributes = 0x0,
d_iname = "boot.log\000"
}
Display the virtual address of each member of the task_struct at
ffff8100145d2080:
crash> task_struct -o ffff8100145d2080
struct task_struct {
[ffff8100145d2080] volatile long int state;
[ffff8100145d2088] struct thread_info *thread_info;
[ffff8100145d2090] atomic_t usage;
[ffff8100145d2098] long unsigned int flags;
[ffff8100145d20a0] int lock_depth;
[ffff8100145d20a4] int load_weight;
[ffff8100145d20a8] int prio;
[ffff8100145d20ac] int static_prio;
[ffff8100145d20b0] int normal_prio;
[ffff8100145d20b8] struct list_head run_list;
[ffff8100145d20c8] struct prio_array *array;
...
Display the embedded sched_entity structure's on_rq member and
the third pid_link structure in the embedded pids[] array of the
task_struct at ffff88011653e250:
crash> task_struct.se.on_rq,pids[2] ffff88011653e250
se.on_rq = 1,
pids[2] = {
node = {
next = 0xffff88011653aff0,
pprev = 0xffff88011653a860
},
pid = 0xffff88010d07ed00
}
For an example of displaying per-cpu variables, consider the
struct hd_struct.dkstats member, which is a percpu pointer to
a disk_stats structure:
crash> struct hd_struct.dkstats
struct hd_struct {
[1232] struct disk_stats *dkstats;
}
Taking an hd_struct at address ffff8802450e2848, display all
of the per-cpu disk_stats structures that it references:
crash> struct hd_struct.dkstats ffff8802450e2848
dkstats = 0x60fdb48026c8
crash> struct disk_stats 0x60fdb48026c8:a
[0]: ffffe8fefe6026c8
struct disk_stats {
sectors = {451376, 80468},
ios = {6041, 971},
merges = {386, 390},
ticks = {194877, 56131},
io_ticks = 12371,
time_in_queue = 309163
}
[1]: ffffe8fefe8026c8
struct disk_stats {
sectors = {0, 0},
ios = {0, 0},
merges = {7, 242},
ticks = {0, 0},
io_ticks = 23,
time_in_queue = 581
}
[2]: ffffe8fefea026c8
struct disk_stats {
sectors = {0, 0},
ios = {0, 0},
merges = {4, 112},
ticks = {0, 0},
io_ticks = 11,
time_in_queue = 305
}
[3]: ffffe8fefec026c8
struct disk_stats {
sectors = {0, 0},
ios = {0, 0},
merges = {5, 54},
ticks = {0, 0},
io_ticks = 17,
time_in_queue = 41
}
39.4. NOTE
If the structure name does not conflict with any crash command name, the
"struct" command may be dropped. Accordingly, the examples above could
also have been accomplished like so:
crash> vm_area_struct c1e44f10
crash> vm_area_struct
crash> vm_area_struct -o
crash> mm_struct.pgd ffff810022e7d080
crash> mm_struct.pgd
crash> tcp_sl_timer tcp_slt_array 4
Lastly, the short-cut "*" pointer-to command may also be used to negate
the need to enter the "struct" command name (enter "help *" for details).
40. swap - swap device information
40.1. SYNOPSIS
swap
40.2. DESCRIPTION
This command displays information for each configured swap device.
40.3. EXAMPLE
crash> swap
SWAP_INFO_STRUCT TYPE SIZE USED PCT PRI FILENAME
ffff880153d45f40 PARTITION 7192568k 1200580k 16% -1 /dev/dm-1
41. sym - translate a symbol to its virtual address, or vice-versa
41.1. SYNOPSIS
sym [-l] | [-M] | [-m module] | [-p|-n] | [-q string] | [symbol | vaddr]
41.2. DESCRIPTION
This command translates a symbol to its virtual address, or a static
kernel virtual address to its symbol -- or to a symbol-plus-offset value,
if appropriate. Additionally, the symbol type is shown in parentheses,
and if the symbol is a known text value, the file and line number are shown.
-l dumps all symbols and their values.
-M dumps the current set of module symbols.
-m module dumps the current set of symbols for a specified module.
-p display the target symbol and the previous symbol.
-n display the target symbol and the next symbol.
-q string searches for all symbols containing "string".
symbol a kernel text or data symbol.
vaddr a kernel virtual address.
If the "symbol", "vaddr" or "string" argument resolves to a module
symbol, then the module name will be displayed in brackets following the
symbol value.
41.3. EXAMPLES
Translate data symbol jiffies to its value, and vice-versa:
crash> sym jiffies
c0213ae0 (D) jiffies
crash> sym c0213ae0
c0213ae0 (D) jiffies
Translate a text address to its symbolic value and source file:
crash> sym c0109944
c0109944 (T) system_call+0x34 ../linux-2.2.5/arch/i386/kernel/signal.c: 723
Dump the whole symbol table:
crash> sym -l
c0100000 (T) _stext
c0100000 (A) _text
c0100000 (t) startup_32
c0100000 (T) stext
c01000a4 (t) checkCPUtype
c0100139 (t) is486
c0100148 (t) is386
c01001b1 (t) L6
c01001b3 (t) ready
c01001b4 (t) check_x87
c01001da (t) setup_idt
c01001f7 (t) rp_sidt
c0100204 (T) stack_start
c010020c (t) int_msg
c0100220 (t) ignore_int
c0100242 (t) idt_descr
c0100244 (T) idt
c010024a (t) gdt_descr
c010024c (T) gdt
c0101000 (T) swapper_pg_dir
c0102000 (T) pg0
c0103000 (T) empty_bad_page
c0104000 (T) empty_bad_page_table
c0105000 (T) empty_zero_page
...
Find all symbols containing the string "pipe":
crash> sym -q pipe
c010ec60 (T) sys_pipe
c012f660 (t) pipe_read
c012f7b8 (t) pipe_write
c012f9c0 (t) pipe_lseek
c012f9d0 (t) bad_pipe_r
c012f9dc (t) bad_pipe_w
c012f9e8 (t) pipe_ioctl
c012fa18 (t) pipe_poll
c012fb00 (t) pipe_release
c012fb48 (t) pipe_read_release
c012fb5c (t) pipe_write_release
c012fb70 (t) pipe_rdwr_release
c012fba0 (t) pipe_read_open
c012fbb0 (t) pipe_write_open
c012fbc0 (t) pipe_rdwr_open
c012fbec (t) get_pipe_inode
c012fcc4 (T) do_pipe
c023a920 (D) read_pipe_fops
c023a960 (D) write_pipe_fops
c023a9a0 (D) rdwr_pipe_fops
c023a9e0 (D) pipe_inode_operations
Dump the symbols of the uart401 module, both before, and then after,
the complete set of symbols are loaded with the "mod -s" command:
crash> sym -m uart401
c8032000 MODULE START: uart401
c8032138 (?) uart401intr
c803235c (?) attach_uart401
c8032638 (?) probe_uart401
c80326d4 (?) unload_uart401
c8033770 MODULE END: uart401
crash> mod -s uart401
MODULE NAME SIZE OBJECT FILE
c8032000 uart401 6000 /lib/modules/2.2.14/misc/uart401.o
crash> sym -m uart401
c8032000 MODULE START: uart401
c8032050 (t) my_notifier_call
c8032084 (t) uart401_status
c8032098 (t) uart401_cmd
c80320a8 (t) uart401_read
c80320bc (t) uart401_write
c80320cc (t) uart401_input_loop
c8032138 (T) uart401intr
c8032168 (t) uart401_open
c80321c8 (t) uart401_close
c80321f4 (t) uart401_out
c80322ac (t) uart401_start_read
c80322b4 (t) uart401_end_read
c80322bc (t) uart401_kick
c80322c4 (t) uart401_buffer_status
c80322cc (t) enter_uart_mode
c803235c (T) attach_uart401
c803259c (t) reset_uart401
c8032638 (T) probe_uart401
c80326d4 (T) unload_uart401
c8032760 (T) init_module
c80327cc (T) cleanup_module
c8032b00 (d) sound_notifier
c8032b0c (d) detected_devc
c8032b20 (d) std_synth_info
c8032bc0 (d) std_midi_synth
c8033600 (d) uart401_operations
c80336c4 (D) io
c80336c8 (D) irq
c80336e0 (b) hw_info.508
c8033770 MODULE END: uart401
Display the value of jiffies, along with the next and previous symbols:
crash> sym -np jiffies
c023027c (D) prof_shift
c0230280 (D) jiffies
c02302a0 (D) task
Translate a symbol value to its name and module:
crash> sym f88878d1
f88878d1 (t) ext3_readdir [ext3]
crash>
42. sys - system data
42.1. SYNOPSIS
sys [-c [name|number]] [-t] [-i] config
42.2. DESCRIPTION
This command displays system-specific data. If no arguments are entered,
the same system data shown during crash invocation is shown.
-c [name|number] If no name or number argument is entered, dump all
sys_call_table entries. If a name string is entered,
search the table for all entries containing the string.
If a number is entered, the table entry associated with
that number is displayed. If the current output radix
has been set to 16, the system call numbers will be
displayed in hexadecimal.
config If the kernel was configured with CONFIG_IKCONFIG, then
dump the in-kernel configuration data.
-t Display kernel taint information. If the "tainted_mask"
symbol exists, show its hexadecimal value and translate
each bit set to the symbolic letter of the taint type.
On older kernels with the "tainted" symbol, only its
hexadecimal value is shown. The relevant kernel sources
should be consulted for the meaning of the letter(s) or
hexadecimal bit value(s).
-panic Panic a live system. Requires write permission to
/dev/mem. Results in the crash context causing an
"Attempted to kill the idle task!" panic. (The dump
will indicate that the crash context has a PID of 0).
-i Dump the DMI string data if available in the kernel.
42.3. EXAMPLES
Display essential system information:
crash> sys
KERNEL: vmlinux.4
DUMPFILE: lcore.cr.4
CPUS: 4
DATE: Mon Oct 11 18:48:55 1999
UPTIME: 10 days, 14:14:39
LOAD AVERAGE: 0.74, 0.23, 0.08
TASKS: 77
NODENAME: test.mclinux.com
RELEASE: 2.2.5-15smp
VERSION: #24 SMP Mon Oct 11 17:41:40 CDT 1999
MACHINE: i686 (500 MHz)
MEMORY: 1 GB
Dump the system configuration data (if CONFIG_IKCONFIG):
crash> sys config
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.16
# Mon Apr 10 07:58:06 2006
#
CONFIG_X86_64=y
CONFIG_64BIT=y
CONFIG_X86=y
CONFIG_SEMAPHORE_SLEEPERS=y
CONFIG_MMU=y
CONFIG_RWSEM_GENERIC_SPINLOCK=y
CONFIG_GENERIC_CALIBRATE_DELAY=y
CONFIG_X86_CMPXCHG=y
CONFIG_EARLY_PRINTK=y
CONFIG_GENERIC_ISA_DMA=y
CONFIG_GENERIC_IOMAP=y
CONFIG_ARCH_MAY_HAVE_PC_FDC=y
CONFIG_DMI=y
...
Display the kernel taint information, in this case where both the
TAINT_WARN and TAINT_PROPRIETARY_MODULE bits have been set:
crash> sys -t
TAINTED_MASK: 201 PW
Dump the system call table:
crash> sys -c
NUM SYSTEM CALL FILE AND LINE NUMBER
0 sys_ni_syscall ../kernel/sys.c: 48
1 sys_exit ../kernel/exit.c: 404
2 sys_fork ../arch/i386/kernel/process.c: 771
3 sys_read ../fs/read_write.c: 117
4 sys_write ../fs/read_write.c: 146
5 sys_open ../fs/open.c: 754
6 sys_close ../fs/open.c: 839
7 sys_waitpid ../kernel/exit.c: 503
8 sys_creat ../fs/open.c: 789
9 sys_link ../fs/namei.c: 1213
10 sys_unlink ../fs/namei.c: 1074
11 sys_execve ../arch/i386/kernel/process.c: 806
...
Find the system call number of the select system call:
crash> sys -c select
NUM SYSTEM CALL FILE AND LINE NUMBER
65 sys_select ../fs/select.c: 259
If the current output radix has been set to 16, the system call numbers
will be displayed in hexadecimal.
Dump the DMI string data:
crash> sys -i
DMI_BIOS_VENDOR: LENOVO
DMI_BIOS_VERSION: G4ET37WW (1.12 )
DMI_BIOS_DATE: 05/29/2012
DMI_SYS_VENDOR: LENOVO
DMI_PRODUCT_NAME: 2429BQ1
DMI_PRODUCT_VERSION: ThinkPad T530
DMI_PRODUCT_SERIAL: R9R91HZ
DMI_PRODUCT_UUID: 568DFA01-5180-11CB-B851-BD06085ADDB0
DMI_BOARD_VENDOR: LENOVO
DMI_BOARD_NAME: 2429BQ1
DMI_BOARD_VERSION: Not Available
DMI_BOARD_SERIAL: 1ZLV127F17M
DMI_BOARD_ASSET_TAG: Not Available
DMI_CHASSIS_VENDOR: LENOVO
DMI_CHASSIS_TYPE: 10
DMI_CHASSIS_VERSION: Not Available
DMI_CHASSIS_SERIAL: R9R91HZ
DMI_CHASSIS_ASSET_TAG: RH0004111
43. task - task_struct and thread_info contents
43.1. SYNOPSIS
task [-R member[,member]] [-dx] [pid | taskp] ...
43.2. DESCRIPTION
This command dumps a formatted display of the contents of a task's
task_struct and thread_info structures. Multiple task or PID numbers
may be entered; if no arguments are entered, the task_struct and
thread_info structures of the current context are displayed. The -R option,
which may also be invoked indirectly via "foreach task", pares the output
down to one or more structure members.
pid a process PID.
taskp a hexadecimal task_struct pointer.
-R member a comma-separated list of one or more task_struct and/or
thread_info structure members. If any member contains an embedded
structure, or is an array, the output may be restricted to the
embedded structure or an array element by expressing the member
argument as "member.member" or "member[index]"; embedded member
specifications may extend beyond one level deep, by expressing the
member argument as "member.member.member...".
-x override default output format with hexadecimal format.
-d override default output format with decimal format.
43.3. EXAMPLES
Dump the task_struct and thread_info structures of the current context
in hexadecimal format:
crash> task -x
PID: 3176 TASK: f2451550 CPU: 1 COMMAND: "memtest"
struct task_struct {
state = 0x0,
stack = 0xf05b6000,
usage = {
counter = 0x2
},
flags = 0x402040,
ptrace = 0x0,
lock_depth = 0xffffffff,
prio = 0x78,
static_prio = 0x78,
normal_prio = 0x78,
rt_priority = 0x0,
...
perf_event_ctxp = {0x0, 0x0},
memcg_batch = {
do_batch = 0x0,
memcg = 0x0,
bytes = 0x0,
memsw_bytes = 0x0
}
}
struct thread_info {
task = 0xf2451550,
exec_domain = 0xc0a60860,
flags = 0x88,
status = 0x0,
cpu = 0x1,
preempt_count = 0x4010000,
addr_limit = {
seg = 0xc0000000
},
restart_block = {
...
Display the ngroups and groups task_struct members for PID 2958:
crash> task -R ngroups,groups 2958
PID: 2958 TASK: c6718000 CPU: 0 COMMAND: "bash"
ngroups = 6,
groups = {504, 8, 9, 1000, 1007, 1006, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
Display the embedded sched_entity structure's on_rq member:
crash> task -R se.on_rq
PID: 6529 TASK: ffff880116538790 CPU: 1 COMMAND: "bash"
se.on_rq = 1,
Display the 3rd pid_link structure in the embedded pids[] array:
crash> task -R pids[2]
PID: 6529 TASK: ffff880116538790 CPU: 0 COMMAND: "bash"
pids[2] = {
node = {
next = 0xffff8801165391b0,
pprev = 0xffff880209d011b0
},
pid = 0xffff8801f0876e00
}
NOTE: When this command is invoked directly (i.e., not from "foreach"), it
is not necessary to include the "-R" before the task_struct/thread_info
member name(s).
44. timer - timer queue data
44.1. SYNOPSIS
timer [-r][-C cpu]
44.2. DESCRIPTION
This command displays the timer queue entries, both old- and new-style,
in chronological order. In the case of the old-style timers, the
timer_table array index is shown; in the case of the new-style timers,
the timer_list address is shown. On later kernels, the timer data is
per-cpu.
-r Display hrtimer timer queue entries, both old- and new-style, in
chronological order. In the case of the old-style hrtimers, the
expiration time is a single value; in the new-style hrtimers, the
expiration time is a range.
-C cpu Restrict the output to one or more CPUs, where multiple cpu[s] can
be specified, for example, as "1,3,5", "1-3", or "1,3,5-7,10".
44.3. EXAMPLES
Display the timer queue on an SMP system:
crash> timer
JIFFIES
4296291038
...
TIMER_BASES[1][BASE_STD]: ffff9801aba5aa00
EXPIRES TTE TIMER_LIST FUNCTION
4296282997 -8041 ffff9801aba55ce0 ffffffff83a3bda0 <mce_timer_fn>
4296283104 -7934 ffff97fd84bd35e0 ffffffff83ac6b70 <delayed_work_timer_fn>
4296291061 23 ffffa6b283967de0 ffffffff83b29880 <process_timeout>
4296291112 74 ffff9800c9b62ad8 ffffffff83e6b550 <cursor_timer_handler>
4296291345 307 ffff980186d5ef88 ffffffff84146b80 <tcp_keepalive_timer>
4296291484 446 ffff9801a7c54740 ffffffff84147f50 <tcp_write_timer>
4296291997 959 ffffffffc073f880 ffffffff83ac6b70 <delayed_work_timer_fn>
4296296213 5175 ffffa6b28339be18 ffffffff83b29880 <process_timeout>
4296304383 13345 ffff980194ca72a8 ffffffff8412e4e0 <tw_timer_handler>
4296305724 14686 ffff980194ca6918 ffffffff8412e4e0 <tw_timer_handler>
4296306036 14998 ffff980194ca6d58 ffffffff8412e4e0 <tw_timer_handler>
4296306883 15845 ffff980194ca7e58 ffffffff8412e4e0 <tw_timer_handler>
4296307588 16550 ffff9801aaa27e58 ffffffff8412e4e0 <tw_timer_handler>
4296307625 16587 ffff980194ca6a28 ffffffff8412e4e0 <tw_timer_handler>
4296313542 22504 ffff980194ca7c38 ffffffff8412e4e0 <tw_timer_handler>
4296317680 26642 ffff9800c9149c58 ffffffff840da870 <neigh_timer_handler>
4296317744 26706 ffff9801a5354468 ffffffff83ac6b70 <delayed_work_timer_fn>
4296343322 52284 ffff980194ca63c8 ffffffff8412e4e0 <tw_timer_handler>
4296343581 52543 ffff980194ca7088 ffffffff8412e4e0 <tw_timer_handler>
4296343597 52559 ffff9801aaa274c8 ffffffff8412e4e0 <tw_timer_handler>
4296714205 423167 ffffffff84caf3c0 ffffffff83ac6b70 <delayed_work_timer_fn>
TIMER_BASES[1][BASE_DEF]: ffff9801aba5bc80
EXPIRES TTE TIMER_LIST FUNCTION
4296291264 226 ffffffff855eb238 ffffffff83c08fb0 <writeout_period>
4296319997 28959 ffffffffc06ede40 ffffffff83ac6b70 <delayed_work_timer_fn>
4296506084 215046 ffff9801aba629c8 ffffffff83ac5ea0 <idle_worker_timeout>
...
Display a new-style hrtimer queue:
crash> timer -r
...
CPU: 2 HRTIMER_CPU_BASE: ffff9801aba9cf00
CLOCK: 0 HRTIMER_CLOCK_BASE: ffff9801aba9cf40 [ktime_get]
CURRENT
1623742000000
SOFTEXPIRES EXPIRES TTE HRTIMER FUNCTION
1623741000000 1623741000000 -1000000 ffff9801aba9d540 ffffffff83b3c8e0 <tick_sched_timer>
1624024000000 1624024000000 282000000 ffff9801aba9d720 ffffffff83b7e7a0 <watchdog_timer_fn>
1626000939806 1626010929804 2268929804 ffffa6b28399fa40 ffffffff83b2c1e0 <hrtimer_wakeup>
1627576915615 1627576915615 3834915615 ffff9801a5727978 ffffffff83b365c0 <posix_timer_fn>
1627637194488 1627647194487 3905194487 ffffa6b283977db0 ffffffff83b2c1e0 <hrtimer_wakeup>
1629937423000 1629937423000 6195423000 ffff9801a9af2900 ffffffff83cf3d30 <timerfd_tmrproc>
CLOCK: 1 HRTIMER_CLOCK_BASE: ffff9801aba9cf80 [ktime_get_real]
CURRENT
1558362388334558243
SOFTEXPIRES EXPIRES TTE HRTIMER FUNCTION
1558362389331238000 1558362389331288000 996729757 ffffa6b28574bcf0 ffffffff83b2c1e0 <hrtimer_wakeup>
1558364372000000000 1558364372000000000 1983665441757 ffff9801a3513278 ffffffff83b365c0 <posix_timer_fn>
CLOCK: 2 HRTIMER_CLOCK_BASE: ffff9801aba9cfc0 [ktime_get_boottime]
(empty)
...
45. tree - display radix tree, XArray or red-black tree
45.1. SYNOPSIS
tree [-t [radix|xarray|rbtree]] [-r offset] [-[s|S] struct[.member[,member]]]
-[x|d] [-o offset] [-l] [-p] [-N] start
45.2. DESCRIPTION
This command dumps the contents of a radix tree, an XAarray, or a red-black
tree. The arguments are as follows:
-t type The type of tree to dump; the type string can be one of
"radix", "rbtree", or "xarray", or alternatively, "ra",
"rb" or "x" are acceptable. If not specified, rbtree is the
default type.
-r offset If the "start" argument is the address of a data structure that
contains an radix_tree_root, xarray or rb_root structure, then this
is the offset to that structure member. If the offset is non-zero,
then this option is required. The offset may be entered in either
of two manners:
1. In "structure.member" format.
2. A number of bytes.
-o offset For red-black trees only, the offset of the rb_node within its
containing data structure; if the offset is non-zero, then this
option is required. The offset may be entered in either of two
manners:
1. In "structure.member" format.
2. A number of bytes.
This option is not applicable to radix trees.
-s struct For each entry in a tree, format and print it as this type of data
structure; use the "struct.member" format in order to display a
particular member of the structure. To display multiple members
of a structure, use a comma-separated list of members. If any
structure member contains an embedded structure or is an array, the
the output may be restricted to the embedded structure or an array
element by expressing the member argument as "struct.member.member"
or "struct.member[index]"; embedded member specifications may
extend beyond one level deep by expressing the struct argument as
"struct.member.member.member...".
-S struct Similar to -s, but instead of parsing gdb output, member values
are read directly from memory, so the command works much faster
for 1-, 2-, 4-, and 8-byte members.
-l For red-black trees, dump the tree sorted in linear order starting
with the leftmost node and progressing to the right. This option
does not apply to radix trees.
-p Display the node's position information, showing the relationship
between it and the root. For red-black trees, a position that
indicates "root/l/r" means that the node is the right child
of the left child of the root node. For radix trees and xarrays,
the index, the height, and the slot index values are shown with
respect to the root.
-x Override default output format with hexadecimal format.
-d Override default output format with decimal format.
The meaning of the "start" argument, which can be expressed either in
hexadecimal format or symbolically, depends upon whether the -N option
is prepended:
start The address of a radix_tree_root, xarray or rb_root structure, or
the address of a structure containing the radix_tree_root, xarray
or rb_root structure; if the latter, then the "-r offset" option
must be used if the member offset of the root structure is
non-zero.
-N start The address of a radix_tree_node, xa_node or rb_node structure,
bypassing the radix_tree_root, xarray, or rb_root that points
to it.
45.3. EXAMPLES
The vmap_area_root is a standalone rb_root structure. Display the
virtual addresses of each vmap_area in its red-black tree:
crash> whatis vmap_area_root
struct rb_root vmap_area_root;
crash> tree -t rbtree -o vmap_area.rb_node vmap_area_root
ffff880128c508c0
ffff88012cb68140
ffff88012c9afec0
ffff88012d65c440
...
Display the vmap_area's va_start and va_end members of each of
the entries above expressing the vmap_area.rb_node offset as a
number of bytes:
crash> tree -t rbtree -o 24 vmap_area_root -s vmap_area.va_start,va_end
ffff880128c508c0
va_start = 0xffffc90014900000
va_end = 0xffffc90014921000
ffff88012cb68140
va_start = 0xffffc900110c0000
va_end = 0xffffc900110d1000
ffff88012c9afec0
va_start = 0xffffc90000640000
va_end = 0xffffc90000642000
ffff88012d65c440
va_start = 0xffffc90000620000
va_end = 0xffffc90000622000
...
Alternatively, use the -N option with the rb_node address contained
in the vmap_area_root structure:
crash> p vmap_area_root
vmap_area_root = $8 = {
rb_node = 0xffff880128c508d8
}
crash> tree -t rbtree -o vmap_area.rb_node -N 0xffff880128c508d8
ffff880128c508c0
ffff88012cb68140
ffff88012c9afec0
ffff88012d65c440
Display the virtual address of each vm_area_struct in the red-black
tree that has its root inside an mm_struct located at ffff880128b5a300.
The vm_area_struct.vm_rb rb_node member has an offset of 0x38 bytes:
crash> tree -t rbtree -r mm_struct.mm_rb ffff880128b5a300 -o 0x38
ffff88012a0de080
ffff880123e3ac78
ffff880123e3a700
ffff88012b2837c8
...
ffff880128c02ed0
ffff8801292e7958
ffff880123e3a318
ffff880123e3ad40
Add the -p option to the command above to show position information:
crash> tree -t rbtree -r mm_struct.mm_rb ffff880128b5a300 -o 0x38 -p
ffff88012a0de080
position: root
ffff880123e3ac78
position: root/l
ffff880123e3a700
position: root/l/l
ffff88012b2837c8
position: root/l/l/l
...
ffff880128c02ed0
position: root/r/r/l/r
ffff8801292e7958
position: root/r/r/l/r/r
ffff880123e3a318
position: root/r/r/r
ffff880123e3ad40
position: root/r/r/r/r
Given an mm_struct address of 0xffff880074b5be80, list the VMA tree in linear
order from the leftmost node progressing to the right using the -l option:
crash> tree -ls vm_area_struct.vm_start -o vm_area_struct.vm_rb \
-r mm_struct.mm_rb 0xffff880074b5be80 | paste - -
ffff88001f2c50e0 vm_start = 0x400000
ffff88001f2c5290 vm_start = 0xceb000
ffff880074bfc6c0 vm_start = 0xcec000
ffff88001f2c4bd0 vm_start = 0xd10000
ffff880074bfc948 vm_start = 0x1fe9000
ffff880036e54510 vm_start = 0x7ff6aa296000
ffff88001f2c5bd8 vm_start = 0x7ff6aa298000
ffff880036e54af8 vm_start = 0x7ff6aa497000
ffff880036e54f30 vm_start = 0x7ff6aa498000
ffff88000e06aa20 vm_start = 0x7ff6aa499000
ffff88000e06b368 vm_start = 0x7ff6ab95f000
...
ffff88001f2c5e60 vm_start = 0x7ff6bc1af000
ffff88001f2c4ca8 vm_start = 0x7ff6bc1b6000
ffff88001f2c5008 vm_start = 0x7ff6bc200000
ffff88001f2c5d88 vm_start = 0x7ff6bc205000
ffff880074bfd6c8 vm_start = 0x7ff6bc206000
ffff88001f2c4288 vm_start = 0x7ff6bc207000
ffff88001f2c4510 vm_start = 0x7ffc7a5fc000
ffff88001f2c5b00 vm_start = 0x7ffc7a6d1000
Compared to the top/down root/leaves order:
crash> tree -s vm_area_struct.vm_start -o vm_area_struct.vm_rb \
-r mm_struct.mm_rb 0xffff880074b5be80 | paste - -
ffff88001f2c5a28 vm_start = 0x7ff6bbbb9000
ffff88001f2c55f0 vm_start = 0x7ff6bb252000
ffff88000e06a360 vm_start = 0x7ff6ac6c3000
ffff88001f2c4bd0 vm_start = 0xd10000
ffff88001f2c5290 vm_start = 0xceb000
ffff88001f2c50e0 vm_start = 0x400000
ffff880074bfc6c0 vm_start = 0xcec000
ffff88000e06b368 vm_start = 0x7ff6ab95f000
ffff88001f2c5bd8 vm_start = 0x7ff6aa298000
ffff880074bfc948 vm_start = 0x1fe9000
ffff880036e54510 vm_start = 0x7ff6aa296000
ffff880036e54f30 vm_start = 0x7ff6aa498000
ffff880036e54af8 vm_start = 0x7ff6aa497000
ffff88000e06aa20 vm_start = 0x7ff6aa499000
ffff88000e06ae58 vm_start = 0x7ff6ac1df000
ffff88000e06ba28 vm_start = 0x7ff6abefc000
ffff88000e06a6c0 vm_start = 0x7ff6ac41b000
ffff88001f2c4000 vm_start = 0x7ff6bac75000
ffff88000e06bd88 vm_start = 0x7ff6b2d00000
ffff88000e06b440 vm_start = 0x7ff6b28de000
...
ffff880074bfd6c8 vm_start = 0x7ff6bc206000
ffff88001f2c4510 vm_start = 0x7ffc7a5fc000
ffff88001f2c5b00 vm_start = 0x7ffc7a6d1000
Display a list of the page structs in the radix tree of an address_space
structure located at ffff88012d364de0:
crash> tree -t radix -r address_space.page_tree ffff88012d364de0
ffffea00040d12c0
ffffea00040d9a60
ffffea00040d9b08
ffffea000407eda8
ffffea0004084288
...
ffffea000407bc70
ffffea00040baf48
ffffea0004043f48
ffffea000407de58
Add the -p option to the command above to show position information:
crash> tree -t radix -r address_space.page_tree ffff88012d364de0 -p
ffffea00040d12c0
index: 0 position: root/0/0
ffffea00040d9a60
index: 1 position: root/0/1
ffffea00040d9b08
index: 2 position: root/0/2
ffffea000407eda8
index: 3 position: root/0/3
ffffea0004084288
index: 4 position: root/0/4
...
ffffea000407bc70
index: 217 position: root/3/25
ffffea00040baf48
index: 218 position: root/3/26
ffffea0004043f48
index: 219 position: root/3/27
ffffea000407de58
index: 220 position: root/3/28
Alternatively, take the address of the radix_tree_node from the
radix_tree_root structure in the address_space structure above,
and display the tree with the -N option:
crash> struct address_space.page_tree ffff88012d364de0
page_tree = {
height = 0x2,
gfp_mask = 0x20,
rnode = 0xffff8801238add71
}
crash> tree -t radix -N 0xffff8801238add71
ffffea00040d12c0
ffffea00040d9a60
ffffea00040d9b08
ffffea000407eda8
ffffea0004084288
ffffea00040843a0
...
Using the same radix tree as above, display the flags and _count
members of each page struct in the list, and force the output format
to be hexadecimal:
crash> tree -t radix -N 0xffff8801238add71 -s page.flags,_count -x
ffffea00040d12c0
flags = 0x4000000002006c
_count = {
counter = 0x7
}
ffffea00040d9a60
flags = 0x4000000002006c
_count = {
counter = 0x7
}
ffffea00040d9b08
flags = 0x4000000002006c
_count = {
counter = 0x7
}
ffffea000407eda8
flags = 0x4000000002006c
_count = {
counter = 0x7
}
...
In more recent kernels, the XArray facility has replaced radix trees.
Display a list of the page structs in the XArray of an address_space
structure located at 0xffff94c235e76828, where the i_pages field is
an embedded xarray structure:
crash> tree -t xarray -r address_space.i_pages 0xffff94c235e76828
fffffcc005aa8380
fffffcc005cafa80
fffffcc005a79c80
fffffcc005ccad80
fffffcc005a72ec0
fffffcc005e27c00
fffffcc005ce3100
fffffcc005ff8dc0
fffffcc005c9a100
fffffcc005a49e40
fffffcc005c95a80
Add the -p option to the command above to show position information:
crash> tree -t xarray -r address_space.i_pages 0xffff94c235e76828 -p
fffffcc005aa8380
index: 90 position: root/1/26
fffffcc005cafa80
index: 91 position: root/1/27
fffffcc005a79c80
index: 92 position: root/1/28
fffffcc005ccad80
index: 93 position: root/1/29
fffffcc005a72ec0
index: 94 position: root/1/30
fffffcc005e27c00
index: 95 position: root/1/31
fffffcc005ce3100
index: 96 position: root/1/32
fffffcc005ff8dc0
index: 97 position: root/1/33
fffffcc005c9a100
index: 98 position: root/1/34
fffffcc005a49e40
index: 99 position: root/1/35
fffffcc005c95a80
index: 100 position: root/1/36
Alternatively, take the value found in the xa_head field from
the xarray structure, and display the tree with the -N option:
crash> address_space.i_pages 0xffff94c235e76828
i_pages = {
... [ xa_lock field not shown ] ...
xa_flags = 1,
xa_head = 0xffff94c23c1566ca
}
crash> tree -t x -N 0xffff94c23c1566ca
fffffcc005aa8380
fffffcc005cafa80
fffffcc005a79c80
fffffcc005ccad80
fffffcc005a72ec0
fffffcc005e27c00
fffffcc005ce3100
fffffcc005ff8dc0
fffffcc005c9a100
fffffcc005a49e40
fffffcc005c95a80
Using the same xarray command as above, display the flags and _refcount
members of each page struct in the list, and force the output format
to be hexadecimal:
crash> tree -t x -N 0xffff94c23c1566ca -s page.flags,_refcount -x
fffffcc005aa8380
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
fffffcc005cafa80
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
fffffcc005a79c80
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
fffffcc005ccad80
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
fffffcc005a72ec0
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
fffffcc005e27c00
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
fffffcc005ce3100
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
fffffcc005ff8dc0
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
fffffcc005c9a100
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
fffffcc005a49e40
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
fffffcc005c95a80
flags = 0x57ffffc0000014
_refcount = {
counter = 0x1
}
46. union - union contents
46.1. SYNOPSIS
union union_name[.member[,member]] [-o][-l offset][-rfuxdp]
[address | symbol][:cpuspec] [count | -c count]
46.2. DESCRIPTION
This command displays either a union definition, or a formatted display
of the contents of a union at a specified address. When no address is
specified, the union definition is shown along with the union size.
A union member may be appended to the structure name in order to limit
the scope of the data displayed to that particular member; when no address
is specified, the member's offset (always 0) and definition are shown.
union_name name of a C-code union used by the kernel.
.member name of a union member; to display multiple members of a
union, use a comma-separated list of members. If any member
contains an embedded structure, or the member is an array, the
output may be restricted to just the embedded structure or an
array element by expressing the argument as "member.member"
or "member[index]"; embedded member specifications may extend
beyond one level deep, by expressing the member argument as
"member.member.member...".
-o show member offsets when displaying union definitions; the
offset is always 0 unless used with an address or symbol
argument, in which case each member will be preceded by its
virtual address.
-l offset if the address argument is a pointer to a list_head structure
that is embedded in the target union structure, the offset
to the list_head member may be entered in either of the
following manners:
1. in "structure.member" format.
2. a number of bytes.
-r raw dump of union data.
-f address argument is a dumpfile offset.
-x override default output format with hexadecimal format.
-d override default output format with decimal format.
-p if a union member is a pointer value, show the member's
data type on the output line; and on the subsequent line(s),
dereference the pointer, display the pointer target's symbol
value in brackets if appropriate, and if possible, display the
target data; requires an address argument.
-u address argument is a user virtual address in the current
context.
address hexadecimal address of a union; if the address points
to an embedded list_head structure contained within the
target union structure, then the "-l" option must be used.
symbol symbolic reference to the address of a union.
:cpuspec CPU specification for a per-cpu address or symbol:
: CPU of the currently selected task.
:a[ll] all CPUs.
:#[-#][,...] CPU list(s), e.g. "1,3,5", "1-3",
or "1,3,5-7,10".
count count of unions to dump from an array of unions; if used,
this must be the last argument entered.
-c count "-c" is only required if "count" is not the last argument
entered or if a negative number is entered; if a negative
value is entered, the (positive) "count" structures that
lead up to and include the target structure will be displayed.
Union data, sizes, and member offsets are shown in the current output radix
unless the -x or -d option is specified.
Please note that in the vast majority of cases, the "union" command
name may be dropped; if the union name does not conflict with any crash
or gdb command name, then the "union_name[.member]" argument will be
recognized as a union name, and this command automatically executed.
See the NOTE below.
46.3. EXAMPLES
Display the bdflush_param union definition, and then an instance of it:
crash> union bdflush_param
union bdflush_param {
struct {
int nfract;
int ndirty;
int nrefill;
int nref_dirt;
int dummy1;
int age_buffer;
int age_super;
int dummy2;
int dummy3;
} b_un;
unsigned int data[9];
}
SIZE: 36 (0x24)
crash> union bdflush_param bdf_prm
union bdflush_param {
b_un = {
nfract = 40,
ndirty = 500,
nrefill = 64,
nref_dirt = 256,
dummy1 = 15,
age_buffer = 3000,
age_super = 500,
dummy2 = 1884,
dummy3 = 2
},
data = {40, 500, 64, 256, 15, 3000, 500, 1884, 2}
}
46.4. NOTE
If the union name does not conflict with any crash command name, the
"union" command may be dropped. Accordingly, the examples above could
also have been accomplished like so:
crash> bdflush_param
crash> bdflush_param bdf_prm
Lastly, the short-cut "*" (pointer-to) command may also be used to negate
the need to enter the "union" command name (enter "help *" for details).
47. vm - virtual memory
47.1. SYNOPSIS
vm [-p | -P vma | -M mm | -v | -m | -x | -d | [-R reference] [pid | task]]
[-f vm_flags]
47.2. DESCRIPTION
This command displays basic virtual memory information of a context,
consisting of a pointer to its mm_struct and page directory, its RSS and
total virtual memory size; and a list of pointers to each vm_area_struct,
its starting and ending address, vm_flags value, and file pathname. If no
arguments are entered, the current context is used. Additionally, the -p
option translates each virtual page of each VM area to its physical address.
The -R option, typically invoked from "foreach vm", searches for references
to a supplied number, address, or filename argument, and prints only the
essential information leading up to and including the reference.
Alternatively, the -m or -v options may be used to dump the task's mm_struct
or all of its vm_area_structs respectively. The -p, -v, -m, -R and -f
options are all mutually exclusive.
-p translate each virtual page to its physical address, or if
the page is not mapped, its swap device and offset, or
filename and offset.
-P vma similar to -p, but only translate the pages belonging to the
specified VM area of a context.
-M mm if the mm_struct address has been removed from the task_struct
of an exiting task, the virtual memory data cannot be displayed.
However, if the address can be determined from the kernel stack,
it can be entered manually in order to try to resurrect the
virtual memory data of the task.
-R reference search for references to this number or filename.
-m dump the mm_struct associated with the task.
-v dump all of the vm_area_structs associated with the task.
-x override the default output format for the -m or -v options
with hexadecimal format.
-d override the default output format for the -m or -v options
with decimal format.
-f vm_flags translate the bits of a FLAGS (vm_flags) value.
pid a process PID.
task a hexadecimal task_struct pointer.
47.3. EXAMPLES
Display the virtual memory data of the current context:
crash> vm
PID: 30986 TASK: c0440000 CPU: 0 COMMAND: "bash"
MM PGD RSS TOTAL_VM
c303fe20 c4789000 88k 1728k
VMA START END FLAGS FILE
c0d1f540 8048000 80ad000 1875 /bin/bash
c0d1f400 80ad000 80b3000 1873 /bin/bash
c0d1f880 80b3000 80ec000 77
c0d1f0c0 40000000 40012000 875 /lib/ld-2.1.1.so
c0d1f700 40012000 40013000 873 /lib/ld-2.1.1.so
c0d1fe00 40013000 40014000 77
c0d1f580 40014000 40016000 73
c0d1f280 4001a000 4004b000 75 /usr/lib/libncurses.so.4.2
c0d1f100 4004b000 40054000 73 /usr/lib/libncurses.so.4.2
c0d1f600 40054000 40057000 73
c0d1f9c0 40057000 40059000 75 /lib/libdl-2.1.1.so
c0d1f800 40059000 4005a000 73 /lib/libdl-2.1.1.so
c0d1fd00 4005a000 40140000 75 /lib/libc-2.1.1.so
c0d1fe40 40140000 40145000 73 /lib/libc-2.1.1.so
c0d1f780 40145000 40148000 73
c0d1f140 40148000 40150000 75 /lib/libnss_files-2.1.1.so
c0d1fa80 40150000 40151000 73 /lib/libnss_files-2.1.1.so
c0d1fb00 40151000 4015a000 75 /lib/libnss_nisplus-2.1.1.so
c5f754e0 4015a000 4015b000 73 /lib/libnss_nisplus-2.1.1.so
c0d1fec0 4015b000 4016d000 75 /lib/libnsl-2.1.1.so
c5f75460 4016d000 4016e000 73 /lib/libnsl-2.1.1.so
c5f75420 4016e000 40170000 73
c5f753e0 40170000 40178000 75 /lib/libnss_nis-2.1.1.so
c5f753a0 40178000 40179000 73 /lib/libnss_nis-2.1.1.so
c0d1f240 bfffc000 c0000000 177
Display the virtual memory data along with page translations for PID 386:
crash> vm -p 386
PID: 386 TASK: c11cc000 CPU: 0 COMMAND: "atd"
MM PGD RSS TOTAL_VM
c7e30560 c10e5000 104k 1112k
VMA START END FLAGS FILE
c0fbe6a0 8048000 804b000 1875 /usr/sbin/atd
VIRTUAL PHYSICAL
8048000 20e1000
8049000 17c6000
804a000 1f6f000
VMA START END FLAGS FILE
c61e0ba0 804b000 804d000 1873 /usr/sbin/atd
VIRTUAL PHYSICAL
804b000 254d000
804c000 6a9c000
VMA START END FLAGS FILE
c61e04e0 804d000 8050000 77
VIRTUAL PHYSICAL
804d000 219d000
804e000 2617000
804f000 SWAP: /dev/sda8 OFFSET: 24225
VMA START END FLAGS FILE
c61e0720 40000000 40012000 875 /lib/ld-2.1.1.so
VIRTUAL PHYSICAL
40000000 FILE: /lib/ld-2.1.1.so OFFSET: 0
40001000 FILE: /lib/ld-2.1.1.so OFFSET: 1000
40002000 FILE: /lib/ld-2.1.1.so OFFSET: 2000
40003000 FILE: /lib/ld-2.1.1.so OFFSET: 3000
40004000 FILE: /lib/ld-2.1.1.so OFFSET: 4000
40005000 FILE: /lib/ld-2.1.1.so OFFSET: 5000
...
Although the -R option is typically invoked from "foreach vm", it can be
executed directly. This example displays all VM areas with vm_flags of 75:
crash> vm -R 75
PID: 694 TASK: c0c76000 CPU: 1 COMMAND: "crash"
MM PGD RSS TOTAL_VM
c6c43110 c0fe9000 8932k 10720k
VMA START END FLAGS FILE
c322c0d0 40019000 4004a000 75 /usr/lib/libncurses.so.4.2
c67537c0 40056000 40071000 75 /lib/libm-2.1.1.so
c6753d00 40072000 40074000 75 /lib/libdl-2.1.1.so
c6753540 40075000 40081000 75 /usr/lib/libz.so.1.1.3
c6753740 40085000 4016b000 75 /lib/libc-2.1.1.so
One reason to use -R directly is to pare down the output associated with
the -p option on a task with a huge address space. This example displays
the page data associated with virtual address 40121000:
crash> vm -R 40121000
PID: 694 TASK: c0c76000 CPU: 0 COMMAND: "crash"
MM PGD RSS TOTAL_VM
c6c43110 c0fe9000 8928k 10720k
VMA START END FLAGS FILE
c6753740 40085000 4016b000 75 /lib/libc-2.1.1.so
VIRTUAL PHYSICAL
40121000 FILE: /lib/libc-2.1.1.so OFFSET: 9c000
Display the mm_struct for PID 4777:
crash> vm -m 4777
PID: 4777 TASK: c0896000 CPU: 0 COMMAND: "bash"
struct mm_struct {
mmap = 0xc6caa1c0,
mmap_avl = 0x0,
mmap_cache = 0xc6caabc0,
pgd = 0xc100a000,
count = {
counter = 0x1
},
map_count = 0x14,
mmap_sem = {
count = {
counter = 0x1
},
waking = 0x0,
wait = 0x0
},
context = 0x0,
start_code = 0x8048000,
end_code = 0x809c6f7,
start_data = 0x0,
end_data = 0x80a2090,
start_brk = 0x80a5420,
brk = 0x80b9000,
start_stack = 0xbffff9d0,
arg_start = 0xbffffad1,
arg_end = 0xbffffad7,
env_start = 0xbffffad7,
env_end = 0xbffffff2,
rss = 0xf6,
total_vm = 0x1a3,
locked_vm = 0x0,
def_flags = 0x0,
cpu_vm_mask = 0x0,
swap_cnt = 0x23d,
swap_address = 0x0,
segments = 0x0
}
Display all of the vm_area_structs for task c47d4000:
crash> vm -v c47d4000
PID: 4971 TASK: c47d4000 CPU: 1 COMMAND: "login"
struct vm_area_struct {
vm_mm = 0xc4b0d200,
vm_start = 0x8048000,
vm_end = 0x804d000,
vm_next = 0xc3e3abd0,
vm_page_prot = {
pgprot = 0x25
},
vm_flags = 0x1875,
vm_avl_height = 0x1,
vm_avl_left = 0x0,
vm_avl_right = 0x0,
vm_next_share = 0x0,
vm_pprev_share = 0xc3e3abf0,
vm_ops = 0xc02392a0,
vm_offset = 0x0,
vm_file = 0xc1e23660,
vm_pte = 0x0
}
struct vm_area_struct {
vm_mm = 0xc4b0d200,
vm_start = 0x804d000,
vm_end = 0x804e000,
vm_next = 0xc3e3a010,
vm_page_prot = {
pgprot = 0x25
},
vm_flags = 0x1873,
vm_avl_height = 0x2,
vm_avl_left = 0xc3e3a810,
vm_avl_right = 0xc3e3a010,
vm_next_share = 0xc3e3a810,
vm_pprev_share = 0xc3699c14
...
Translate a FLAGS value:
crash> vm -f 3875
3875: (READ|EXEC|MAYREAD|MAYWRITE|MAYEXEC|DENYWRITE|EXECUTABLE|LOCKED)
Display the page translations of the VM area at address f5604f2c:
crash> vm -P f5604f2c
PID: 5508 TASK: f56a9570 CPU: 0 COMMAND: "crond"
VMA START END FLAGS FILE
f5604f2c f5b000 f67000 8000075 /lib/libnss_files-2.12.so
VIRTUAL PHYSICAL
f5b000 3fec1000
f5c000 3d3a4000
f5d000 FILE: /lib/libnss_files-2.12.so OFFSET: 2000
f5e000 FILE: /lib/libnss_files-2.12.so OFFSET: 3000
f5f000 FILE: /lib/libnss_files-2.12.so OFFSET: 4000
f60000 3fd31000
f61000 3fd32000
f62000 FILE: /lib/libnss_files-2.12.so OFFSET: 7000
f63000 FILE: /lib/libnss_files-2.12.so OFFSET: 8000
f64000 3ff35000
f65000 FILE: /lib/libnss_files-2.12.so OFFSET: a000
f66000 FILE: /lib/libnss_files-2.12.so OFFSET: b000
48. vtop - virtual to physical
48.1. SYNOPSIS
vtop [-c [pid | taskp]] [-u|-k] address ...
48.2. DESCRIPTION
This command translates a user or kernel virtual address to its physical
address. Also displayed is the PTE translation, the vm_area_struct data
for user virtual addresses, the mem_map page data associated with the
physical page, and the swap location or file location if the page is
not mapped. The -u and -k options specify that the address is a user
or kernel virtual address; -u and -k are not necessary on processors whose
virtual addresses self-define themselves as user or kernel. User addresses
are translated with respect to the current context unless the -c option
is used. Kernel virtual addresses are translated using the swapper_pg_dir
as the base page directory unless the -c option is used.
-u The address is a user virtual address; only required
on processors with overlapping user and kernel virtual
address spaces.
-k The address is a kernel virtual address; only required
on processors with overlapping user and kernel virtual
address spaces.
-c [pid | taskp] Translate the virtual address from the page directory
of the specified PID or hexadecimal task_struct pointer.
However, if this command is invoked from "foreach vtop",
the pid or taskp argument should NOT be entered; the
address will be translated using the page directory of
each task specified by "foreach".
address A hexadecimal user or kernel virtual address.
48.3. EXAMPLES
Translate user virtual address 80b4000:
crash> vtop 80b4000
VIRTUAL PHYSICAL
80b4000 660f000
PAGE DIRECTORY: c37f0000
PGD: c37f0080 => e0d067
PMD: c37f0080 => e0d067
PTE: c0e0d2d0 => 660f067
PAGE: 660f000
PTE PHYSICAL FLAGS
660f067 660f000 (PRESENT|RW|USER|ACCESSED|DIRTY)
VMA START END FLAGS FILE
c773daa0 80b4000 810c000 77
PAGE PHYSICAL INODE OFFSET CNT FLAGS
c0393258 660f000 0 17000 1 uptodate
Translate kernel virtual address c806e000, first using swapper_pg_dir
as the page directory base, and secondly, using the page table base
of PID 1359:
crash> vtop c806e000
VIRTUAL PHYSICAL
c806e000 2216000
PAGE DIRECTORY: c0101000
PGD: c0101c80 => 94063
PMD: c0101c80 => 94063
PTE: c00941b8 => 2216063
PAGE: 2216000
PTE PHYSICAL FLAGS
2216063 2216000 (PRESENT|RW|ACCESSED|DIRTY)
PAGE PHYSICAL INODE OFFSET CNT FLAGS
c02e9370 2216000 0 0 1
crash> vtop -c 1359 c806e000
VIRTUAL PHYSICAL
c806e000 2216000
PAGE DIRECTORY: c5caf000
PGD: c5cafc80 => 94063
PMD: c5cafc80 => 94063
PTE: c00941b8 => 2216063
PAGE: 2216000
PTE PHYSICAL FLAGS
2216063 2216000 (PRESENT|RW|ACCESSED|DIRTY)
PAGE PHYSICAL INODE OFFSET CNT FLAGS
c02e9370 2216000 0 0 1
Determine swap location of user virtual address 40104000:
crash> vtop 40104000
VIRTUAL PHYSICAL
40104000 (not mapped)
PAGE DIRECTORY: c40d8000
PGD: c40d8400 => 6bbe067
PMD: c40d8400 => 6bbe067
PTE: c6bbe410 => 58bc00
PTE SWAP OFFSET
58bc00 /dev/sda8 22716
VMA START END FLAGS FILE
c7200ae0 40104000 40b08000 73
SWAP: /dev/sda8 OFFSET: 22716
49. waitq - list tasks queued on a wait queue
49.1. SYNOPSIS
waitq [ symbol ] | [ struct.member struct_addr ] | [ address ]
49.2. DESCRIPTION
This command walks the wait queue list displaying the tasks which
are blocked on the specified wait queue. The command differentiates
between the old- and new-style wait queue structures used by the kernel.
It can be invoked with the following argument types:
symbol a global symbol of a wait queue.
struct.member struct_addr a structure name and wait queue member combination
followed by the structure's hexadecimal address.
address a hexadecimal wait queue pointer.
49.3. EXAMPLES
Find out if any tasks are blocked on the "buffer_wait" wait queue:
crash> waitq buffer_wait
wait queue "buffer_wait" (c02927f0) is empty
See who is blocked on the "wait_chldexit" queue of task c5496000:
crash> waitq task_struct.wait_chldexit c5496000
PID: 30879 TASK: c5496000 CPU: 0 COMMAND: "bash"
Display the task list waiting on a known task queue:
crash> waitq c3534098
PID: 13691 TASK: c3534000 CPU: 1 COMMAND: "bash"
50. whatis - search symbol table for data or type information
50.1. SYNOPSIS
whatis [[-o] [struct | union | typedef | symbol]] |
[[-r [size|range]] [-m member]]
50.2. DESCRIPTION
This command displays the definition of structures, unions, typedefs or
text/data symbols:
struct a structure name. The output is the same as if the "struct"
command was used.
union a union name. The output is the same as if the "union" command
was used.
-o display the offsets of structure/union members.
typedef a typedef name. If the typedef translates to a structure or union
the output is the same as if the "struct" or "union" command
was used. If the typedef is a primitive datatype, the one-line
declaration is displayed.
symbol a kernel symbol.
Alternatively, a search can be made for data structures of a given size or
size range, that contain a member of a given type, or contain a pointer to
given type. The -r and -m options may be used alone or in conjunction with
one another:
-r size search for structures of this exact size.
-r range search for structures of a range of sizes, expressed as "low-high".
-m member search for structures that contain a member of this data type, or
that contain a pointer to this data type; if a structure contains
another structure, the members of the embedded structure will also
be subject to the search. The member argument may also be expressed
as a substring of a member's data type.
50.3. EXAMPLES
Display the definition of a linux_binfmt structure:
crash> whatis linux_binfmt
struct linux_binfmt {
struct list_head lh;
struct module *module;
int (*load_binary)(struct linux_binprm *);
int (*load_shlib)(struct file *);
int (*core_dump)(struct coredump_params *);
unsigned long min_coredump;
}
SIZE: 56
Display the same structure with member offsets:
crash> whatis -o linux_binfmt
struct linux_binfmt {
[0] struct list_head lh;
[16] struct module *module;
[24] int (*load_binary)(struct linux_binprm *);
[32] int (*load_shlib)(struct file *);
[40] int (*core_dump)(struct coredump_params *);
[48] unsigned long min_coredump;
}
SIZE: 56
Since a kmem_bufctl_t is typedef'd to be a kmem_bufctl_s structure, the
output of the following two commands is identical:
crash> whatis kmem_bufctl_s
struct kmem_bufctl_s {
union {
struct kmem_bufctl_s *buf_nextp;
kmem_slab_t *buf_slabp;
void *buf_objp;
} u;
};
crash> whatis kmem_bufctl_t
struct kmem_bufctl_s {
union {
struct kmem_bufctl_s *buf_nextp;
kmem_slab_t *buf_slabp;
void *buf_objp;
} u;
};
SIZE: 4 (0x4)
Display the type data of sys_read() and jiffies text and data symbols:
crash> whatis sys_read
ssize_t sys_read(unsigned int, char *, size_t);
crash> whatis jiffies
long unsigned int jiffies;
Display definition of a kdev_t typedef:
crash> whatis kdev_t
typedef short unsigned int kdev_t;
SIZE: 2 (0x2)
Display all structures which have a size of 192 bytes:
crash> whatis -r 192
SIZE TYPE
192 _intel_private
192 blkcg_gq
192 clock_event_device
192 cper_sec_proc_generic
192 dentry
192 dst_ops
192 ehci_itd
192 ethtool_rxnfc
192 fb_ops
192 file_lock
192 inode_operations
192 input_device_id
192 ip_vs_stats
192 numa_group
192 parallel_data
192 pcie_port_service_driver
192 pebs_record_hsw
192 pnp_driver
192 regmap_config
192 sched_entity
192 tcp_timewait_sock
192 timerfd_ctx
192 tpm_vendor_specific
192 urb
Display all structures that contain members that point to
an mm_struct:
crash> whatis -m mm_struct
SIZE TYPE
16 tlb_state
24 flush_tlb_info
24 ftrace_raw_xen_mmu_pgd
24 futex_key
24 map_info
32 ftrace_raw_xen_mmu_alloc_ptpage
32 ftrace_raw_xen_mmu_pte_clear
40 ftrace_raw_xen_mmu_flush_tlb_others
40 ftrace_raw_xen_mmu_ptep_modify_prot
40 ftrace_raw_xen_mmu_set_pte_at
40 mm_slot
64 mm_walk
64 rmap_item
104 userfaultfd_ctx
128 mmu_gather
216 vm_area_struct
256 linux_binprm
2616 rq
2936 task_struct
Display all structures sized from 256 to 512 bytes that
contain members that point to a task_struct:
crash> whatis -r 256-512 -m task_struct
SIZE TYPE
256 file
256 od_cpu_dbs_info_s
264 srcu_notifier_head
272 protection_domain
288 clk_notifier
288 fsnotify_group
296 quota_info
312 tty_port
320 workqueue_struct
344 trace_array
344 uart_state
352 cpufreq_policy
352 elf_thread_core_info
376 perf_event_context
384 rcu_data
400 cgroup
408 subsys_private
424 hvc_struct
496 psmouse
51. wr - write memory
51.1. SYNOPSIS
wr [-u|-k|-p] [-8|-16|-32|-64] [address|symbol] value
51.2. DESCRIPTION
This command modifies the contents of memory. The starting address may be
entered either symbolically or by address. The default modification size
is the size of a long data type. Write permission must exist on the
/dev/mem. When writing to memory on a live system, this command should
obviously be used with great care.
-u address argument is a user virtual address.
-k address argument is a kernel virtual address.
-p address argument is a physical address.
-8 write data in an 8-bit value.
-16 write data in a 16-bit value.
-32 write data in a 32-bit values (default on 32-bit machines).
-64 write data in a 64-bit values (default on 64-bit machines).
address address to write. The address is considered virtual unless the
-p option is used. If a virtual address is specified, the
-u or -k options are necessary only if the address space cannot
be determined from the address value itself. If a user virtual
address is specified, the address space of the current context
implied. The address must be expressed in hexadecimal format.
symbol symbol of starting address to write.
value the value of the data to write.
51.3. EXAMPLES
Turn on a debug flag:
crash> wr my_debug_flag 1
52. q - exit this session
52.1. SYNOPSIS
q
52.2. DESCRIPTION
Bail out of the current crash session.
52.3. NOTE
This command is equivalent to the "exit" command.