Arm Linux Kernel Hacks

rousalome.egloos.com


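[Linux Kernel] ARMv8: Debugging the track structure of a slub object with TRACE32

In this post we look at the debugging information of slub objects on the 64-bit ARMv8 architecture (kernel version 4.19). I hope it is useful for learning to recognize the patterns of a slub object quickly.

Checking the slab page (kmalloc-256) with the crash utility

To check the attributes of the slub objects in the slab at ffffffbf50925d00, enter the 'kmem ffffffbf50925d00' command. The address to the right of kmem is the slab page descriptor.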

crash64> kmem ffffffbf50925d00
1 CACHE             OBJSIZE  ALLOCATED     TOTAL  SLABS  SSIZE  NAME
2 ffffffd3c08e7780      256      36025     36046   1718    16k  kmalloc-256
3   SLAB              MEMORY            NODE  TOTAL  ALLOCATED  FREE
4   ffffffbf50925d00  ffffffd424974000     0     21         21     0
5   FREE / [ALLOCATED]
6   [ffffffd424974000]
7   [ffffffd424974300]
8   [ffffffd424974600]
9   [ffffffd424974900]
10  [ffffffd424974c00]
11  [ffffffd424974f00]
12  [ffffffd424975200]
13  [ffffffd424975500]
14  [ffffffd424975800]
15  [ffffffd424975b00]
16  [ffffffd424975e00]
17  [ffffffd424976100]
18  [ffffffd424976400]
19  [ffffffd424976700]
20  [ffffffd424976a00]
21  [ffffffd424976d00]
22  [ffffffd424977000]
23  [ffffffd424977300]
24  [ffffffd424977600]
25  [ffffffd424977900]
26  [ffffffd424977c00]
27
28      PAGE               PHYSICAL      MAPPING       INDEX CNT FLAGS
29 ffffffbf50925d00         e4974000 ffffffd3c08e7780        0  1 10200 slab,head

Lines 6 to 26 show that a little over 20 slub objects are in the allocated state.
Let's examine the slub object at address FFFFFFD424975200, shown on line 12 above.

The following is the output of the 'd.v %y.ll 0xFFFFFFD424975200' command in TRACE32.

$ d.v %y.ll 0xFFFFFFD424975200
1 ________________address|_data____________________|value_____________|symbol
2    NSD:FFFFFFD424975200| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
3    NSD:FFFFFFD424975208| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
4    NSD:FFFFFFD424975210| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
5    NSD:FFFFFFD424975218| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
6    NSD:FFFFFFD424975220| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
7    NSD:FFFFFFD424975228| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
8    NSD:FFFFFFD424975230| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
9    NSD:FFFFFFD424975238| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
10   NSD:FFFFFFD424975240| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
11   NSD:FFFFFFD424975248| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
12   NSD:FFFFFFD424975250| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
13   NSD:FFFFFFD424975258| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
14   NSD:FFFFFFD424975260| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
15   NSD:FFFFFFD424975268| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
16   NSD:FFFFFFD424975270| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
17   NSD:FFFFFFD424975278| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
18   NSD:FFFFFFD424975280| 00 F8 24 01 00 00 00 00  0x124F800
19   NSD:FFFFFFD424975288| 00 01 00 00 00 00 00 00  0x100
20   NSD:FFFFFFD424975290| 00 00 00 00 00 00 00 00  0x0
21   NSD:FFFFFFD424975298| 00 48 E8 01 00 00 00 00  0x1E84800
22   NSD:FFFFFFD4249752A0| 02 01 08 00 4B 00 00 00  0x4B00080102
23   NSD:FFFFFFD4249752A8| 00 00 00 00 00 00 00 00  0x0
24   NSD:FFFFFFD4249752B0| 00 6C DC 02 00 00 00 00  0x2DC6C00
25   NSD:FFFFFFD4249752B8| 02 01 04 00 19 00 00 00  0x1900040102
26   NSD:FFFFFFD4249752C0| 00 00 00 00 00 00 00 00  0x0
27   NSD:FFFFFFD4249752C8| 00 90 D0 03 00 00 00 00  0x3D09000
28   NSD:FFFFFFD4249752D0| 02 01 10 00 4B 00 00 00  0x4B00100102
29   NSD:FFFFFFD4249752D8| 00 00 00 00 00 00 00 00  0x0
30   NSD:FFFFFFD4249752E0| 00 D8 B8 05 00 00 00 00  0x5B8D800
31   NSD:FFFFFFD4249752E8| 02 01 08 00 19 00 00 00  0x1900080102
32   NSD:FFFFFFD4249752F0| 00 00 00 00 00 00 00 00  0x0
33   NSD:FFFFFFD4249752F8| 00 E1 F5 05 00 00 00 00  0x5F5E100
34   NSD:FFFFFFD424975300| 02 05 00 00 00 00 00 00  0x502
35   NSD:FFFFFFD424975308| 00 00 00 00 00 00 00 00  0x0
36   NSD:FFFFFFD424975310| 00 0E 27 07 00 00 00 00  0x7270E00
37   NSD:FFFFFFD424975318| 02 04 00 00 00 00 00 00  0x402
38   NSD:FFFFFFD424975320| 00 00 00 00 00 00 00 00  0x0
39   NSD:FFFFFFD424975328| 00 F8 24 01 00 00 00 00  0x124F800
40   NSD:FFFFFFD424975330| 00 01 00 00 00 00 00 00  0x100
41   NSD:FFFFFFD424975338| 00 00 00 00 00 00 00 00  0x0
42   NSD:FFFFFFD424975340| 00 00 00 00 00 00 00 00  0x0
43   NSD:FFFFFFD424975348| 00 00 00 00 00 00 00 00  0x0
44   NSD:FFFFFFD424975350| 00 00 00 00 00 00 00 00  0x0
45   NSD:FFFFFFD424975358| 00 00 00 00 00 00 00 00  0x0
46   NSD:FFFFFFD424975360| 00 00 00 00 00 00 00 00  0x0
47   NSD:FFFFFFD424975368| 00 00 00 00 00 00 00 00  0x0
48   NSD:FFFFFFD424975370| 00 00 00 00 00 00 00 00  0x0
49   NSD:FFFFFFD424975378| 00 00 00 00 00 00 00 00  0x0
50   NSD:FFFFFFD424975380| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
51   NSD:FFFFFFD424975388| 31 BC 8E 72 65 1F 5E 13  0x135E1F65728EBC31
52   NSD:FFFFFFD424975390| D0 E3 9C 2E 90 FF FF FF  0xFFFFFF902E9CE3D0 \\vmlinux\clk-rcg2\clk_rcg2_dfs_determine_rate+0x110
53   NSD:FFFFFFD424975398| A8 1B 03 2E 90 FF FF FF  0xFFFFFF902E031BA8 \\vmlinux\slub\kmem_cache_alloc_trace+0x358
54   NSD:FFFFFFD4249753A0| D0 E3 9C 2E 90 FF FF FF  0xFFFFFF902E9CE3D0 \\vmlinux\clk-rcg2\clk_rcg2_dfs_determine_rate+0x110
55   NSD:FFFFFFD4249753A8| C4 CD 98 2E 90 FF FF FF  0xFFFFFF902E98CDC4 \\vmlinux\clk\clk_core_round_rate_nolock+0x2CC
56   NSD:FFFFFFD4249753B0| F0 D0 98 2E 90 FF FF FF  0xFFFFFF902E98D0F0 \\vmlinux\clk\clk_hw_round_rate+0x278
57   NSD:FFFFFFD4249753B8| 0C F1 9C 2E 90 FF FF FF  0xFFFFFF902E9CF10C \\vmlinux\clk-branch\clk_branch2_round_rate+0x3C
58   NSD:FFFFFFD4249753C0| 44 CE 98 2E 90 FF FF FF  0xFFFFFF902E98CE44 \\vmlinux\clk\clk_core_round_rate_nolock+0x34C
59   NSD:FFFFFFD4249753C8| C0 D4 98 2E 90 FF FF FF  0xFFFFFF902E98D4C0 \\vmlinux\clk\clk_round_rate+0x358
60   NSD:FFFFFFD4249753D0| 8C 80 9B 30 90 FF FF FF  0xFFFFFF90309B808C \\vmlinux\qcom-geni-se\geni_se_clk_tbl_get+0x19C
61   NSD:FFFFFFD4249753D8| B4 82 9B 30 90 FF FF FF  0xFFFFFF90309B82B4 \\vmlinux\qcom-geni-se\geni_se_clk_freq_match+0xA4
62   NSD:FFFFFFD4249753E0| 5C D4 10 2F 90 FF FF FF  0xFFFFFF902F10D45C \\vmlinux\spi-geni-qcom\get_spi_clk_cfg+0xBC
63   NSD:FFFFFFD4249753E8| DC 95 10 2F 90 FF FF FF  0xFFFFFF902F1095DC \\vmlinux\spi-geni-qcom\spi_geni_transfer_one+0x574
64   NSD:FFFFFFD4249753F0| B8 15 10 2F 90 FF FF FF  0xFFFFFF902F1015B8 \\vmlinux\spi\spi_transfer_one_message+0x458
65   NSD:FFFFFFD4249753F8| 24 92 0F 2F 90 FF FF FF  0xFFFFFF902F0F9224 \\vmlinux\spi\__spi_pump_messages+0x1034
66   NSD:FFFFFFD424975400| 58 E1 0F 2F 90 FF FF FF  0xFFFFFF902F0FE158 \\vmlinux\spi\__spi_sync+0x358
67   NSD:FFFFFFD424975408| D4 EA 0F 2F 90 FF FF FF  0xFFFFFF902F0FEAD4 \\vmlinux\spi\spi_write_then_read+0x3DC
68   NSD:FFFFFFD424975410| 48 2D AB 30 90 FF FF FF  0xFFFFFF9030AB2D48 \\vmlinux\ice40-spi\ice40_fpga_ops_write+0x1B8
69   NSD:FFFFFFD424975418| 00 00 00 00 07 00 00 00  0x700000000
70   NSD:FFFFFFD424975420| DC E9 FF FF 00 00 00 00  0xFFFFE9DC
71   NSD:FFFFFFD424975428| F0 E9 03 2E 90 FF FF FF  0xFFFFFF902E03E9F0 \\vmlinux\quarantine\qlink_free+0x18
72   NSD:FFFFFFD424975430| 08 EA 03 2E 90 FF FF FF  0xFFFFFF902E03EA08 \\vmlinux\quarantine\qlink_free+0x30
73   NSD:FFFFFFD424975438| 68 E6 03 2E 90 FF FF FF  0xFFFFFF902E03E668 \\vmlinux\quarantine\quarantine_reduce+0x158
74   NSD:FFFFFFD424975440| 94 BD 03 2E 90 FF FF FF  0xFFFFFF902E03BD94 \\vmlinux\kasan\kasan_kmalloc+0x44
75   NSD:FFFFFFD424975448| 44 BD 03 2E 90 FF FF FF  0xFFFFFF902E03BD44 \\vmlinux\kasan\kasan_slab_alloc+0x14
76   NSD:FFFFFFD424975450| BC 17 03 2E 90 FF FF FF  0xFFFFFF902E0317BC \\vmlinux\slub\kmem_cache_alloc+0x2EC
77   NSD:FFFFFFD424975458| F4 B7 08 2E 90 FF FF FF  0xFFFFFF902E08B7F4 \\vmlinux\file_table\__alloc_file+0x3C
78   NSD:FFFFFFD424975460| E4 B6 08 2E 90 FF FF FF  0xFFFFFF902E08B6E4 \\vmlinux\file_table\alloc_empty_file+0x94
79   NSD:FFFFFFD424975468| E0 B2 0A 2E 90 FF FF FF  0xFFFFFF902E0AB2E0 \\vmlinux\fs/namei\path_openat+0x100
80   NSD:FFFFFFD424975470| D4 AF 0A 2E 90 FF FF FF  0xFFFFFF902E0AAFD4 \\vmlinux\fs/namei\do_filp_open+0x1B4
81   NSD:FFFFFFD424975478| C8 E9 07 2E 90 FF FF FF  0xFFFFFF902E07E9C8 \\vmlinux\open\do_sys_open+0x250
82   NSD:FFFFFFD424975480| 2C EE 07 2E 90 FF FF FF  0xFFFFFF902E07EE2C \\vmlinux\open\__arm64_sys_openat+0x9C
83   NSD:FFFFFFD424975488| 00 05 AB 2D 90 FF FF FF  0xFFFFFF902DAB0500 \\vmlinux\kernel/syscall\el0_svc_common+0x158
84   NSD:FFFFFFD424975490| 40 03 AB 2D 90 FF FF FF  0xFFFFFF902DAB0340 \\vmlinux\kernel/syscall\el0_svc_handler+0x108
85   NSD:FFFFFFD424975498| 88 57 A8 2D 90 FF FF FF  0xFFFFFF902DA85788 \\vmlinux\Global\el0_svc+0x8
86   NSD:FFFFFFD4249754A0| 00 00 00 00 00 00 00 00  0x0
87   NSD:FFFFFFD4249754A8| 00 00 00 00 00 00 00 00  0x0
88   NSD:FFFFFFD4249754B0| 07 00 00 00 CD 05 00 00  0x5CD00000007
89   NSD:FFFFFFD4249754B8| DA E9 FF FF 00 00 00 00  0xFFFFE9DA
90   NSD:FFFFFFD4249754C0| 07 00 00 00 31 04 80 BB  0xBB80043100000007
91   NSD:FFFFFFD4249754C8| FB 16 00 00 BA 02 80 96  0x968002BA000016FB
92   NSD:FFFFFFD4249754D0| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
93   NSD:FFFFFFD4249754D8| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
94   NSD:FFFFFFD4249754E0| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
95   NSD:FFFFFFD4249754E8| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
96   NSD:FFFFFFD4249754F0| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
97   NSD:FFFFFFD4249754F8| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
98   NSD:FFFFFFD424975500| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC

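The memory dump above can be read as follows.

   * Lines 1-17: filled with the value 0xCC, which is the SLUB_RED_ACTIVE macro.

        https://elixir.bootlin.com/linux/v4.19.30/source/include/linux/poison.h
        #define SLUB_RED_ACTIVE 0xcc

   * Lines 18-49: the memory space that belongs to the slub object.

        The size of the slub object is 0x100.
         - FFFFFFD424975380 - FFFFFFD424975280 = 0x100

   * Lines 52-70: the call stack and process information recorded when the slub object was allocated, represented by a track structure.
   * Lines 71-89: the call stack and process information recorded when the slub object was freed, represented by a track structure.

Checking the track information of the slub object

Next, let's look at the track information of this slub object.

First, we examine the track structure recorded when the slub object was allocated.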

 1  (struct track *) (struct track*)0xFFFFFFD424975390 = 0xFFFFFFD424975390 = end+0x43F00B7390 -> (
 2    (long unsigned int) addr = 18446743593455248336 = 0xFFFFFF902E9CE3D0,
 3    (long unsigned int [16]) addrs = (
 4      [0] = 18446743593445170088 = 0xFFFFFF902E031BA8,
 5      [1] = 18446743593455248336 = 0xFFFFFF902E9CE3D0,
 6      [2] = 18446743593454980548 = 0xFFFFFF902E98CDC4,
 7      [3] = 18446743593454981360 = 0xFFFFFF902E98D0F0,
 8      [4] = 18446743593455251724 = 0xFFFFFF902E9CF10C,
 9      [5] = 18446743593454980676 = 0xFFFFFF902E98CE44,
 10     [6] = 18446743593454982336 = 0xFFFFFF902E98D4C0,
 11     [7] = 18446743593488711820 = 0xFFFFFF90309B808C,
 12     [8] = 18446743593488712372 = 0xFFFFFF90309B82B4,
 13     [9] = 18446743593462846556 = 0xFFFFFF902F10D45C,
 14     [10] = 18446743593462830556 = 0xFFFFFF902F1095DC,
 15     [11] = 18446743593462797752 = 0xFFFFFF902F1015B8,
 16     [12] = 18446743593462764068 = 0xFFFFFF902F0F9224,
 17     [13] = 18446743593462784344 = 0xFFFFFF902F0FE158,
 18     [14] = 18446743593462786772 = 0xFFFFFF902F0FEAD4,
 19     [15] = 18446743593489739080 = 0xFFFFFF9030AB2D48),
 20   (int) cpu = 0 = 0x0,
 21   (int) pid = 7 = 0x7,
 22   (long unsigned int) when = 4294961628 = 0xFFFFE9DC)

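The debugging information shown above can be summarized as follows.

   * Lines 2-19: the addresses of the function call stack.
   * Line 20: the CPU number.
   * Line 21: the PID.
   * Line 22: the jiffies value at the time the slub object was allocated.

Now let's examine the track structure recorded when the slub object was freed.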

1   (struct track *) (struct track*)0xFFFFFFD424975428 = 0xFFFFFFD424975428 = end+0x43F00B7428 -> (
2     (long unsigned int) addr = 18446743593445222896 = 0xFFFFFF902E03E9F0,
3     (long unsigned int [16]) addrs = (
4       [0] = 18446743593445222920 = 0xFFFFFF902E03EA08,
5       [1] = 18446743593445221992 = 0xFFFFFF902E03E668,
6       [2] = 18446743593445211540 = 0xFFFFFF902E03BD94,
7       [3] = 18446743593445211460 = 0xFFFFFF902E03BD44,
8       [4] = 18446743593445169084 = 0xFFFFFF902E0317BC,
9       [5] = 18446743593445537780 = 0xFFFFFF902E08B7F4,
10      [6] = 18446743593445537508 = 0xFFFFFF902E08B6E4,
11      [7] = 18446743593445667552 = 0xFFFFFF902E0AB2E0,
12      [8] = 18446743593445666772 = 0xFFFFFF902E0AAFD4,
13      [9] = 18446743593445485000 = 0xFFFFFF902E07E9C8,
14      [10] = 18446743593445486124 = 0xFFFFFF902E07EE2C,
15      [11] = 18446743593439397120 = 0xFFFFFF902DAB0500,
16      [12] = 18446743593439396672 = 0xFFFFFF902DAB0340,
17      [13] = 18446743593439221640 = 0xFFFFFF902DA85788,
18      [14] = 0 = 0x0,
19      [15] = 0 = 0x0),
20    (int) cpu = 7 = 0x7,
21    (int) pid = 1485 = 0x05CD,
22    (long unsigned int) when = 4294961626 = 0xFFFFE9DA)

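The debugging information shown above reads as follows.

   * Lines 2-19: the addresses of the function call stack.
   * Line 20: the CPU number.
   * Line 21: the PID.
   * Line 22: the jiffies value at the time the slub object was freed.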

In this way, we can check the call stack and process information recorded when a slub object is allocated and when it is freed.
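
The layout walked through above, as an added example that is not part of the original post: a C program that rebuilds the object at 0xFFFFFFD424975200 from values in the dump (a constructed sample; only the first call-stack entries of each track are copied), checks both red zones and decodes the two track records. The offsets, the function names and the little-endian 64-bit host are assumptions taken from this one dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLUB_RED_ACTIVE   0xcc  /* include/linux/poison.h, quoted above */
#define TRACK_ADDRS_COUNT 16    /* addrs[16] in the TRACE32 cast above */

/* Offsets inside one kmalloc-256 debug object, read off the dump of
 * 0xFFFFFFD424975200 (assumption: valid only for this cache and config). */
#define OBJ_STRIDE      0x300   /* 0x...5500 - 0x...5200 */
#define LEFT_RZ_OFF     0x000   /* dump lines 2-17 */
#define PAYLOAD_OFF     0x080   /* dump lines 18-49 */
#define PAYLOAD_SIZE    0x100
#define RIGHT_RZ_OFF    0x180   /* dump line 50 */
#define RIGHT_RZ_SIZE   0x008
#define TRACK_ALLOC_OFF 0x190   /* dump lines 52-70 */
#define TRACK_FREE_OFF  0x228   /* dump lines 71-89 */

/* Same field order as the struct track cast above; 0x98 bytes on arm64. */
struct track {
    uint64_t addr;
    uint64_t addrs[TRACK_ADDRS_COUNT];
    int32_t  cpu;
    int32_t  pid;
    uint64_t when;
};

/* Offset of the first byte in [off, off+len) that is not 0xcc, or -1. */
long first_bad_redzone(const uint8_t *obj, size_t off, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (obj[off + i] != SLUB_RED_ACTIVE)
            return (long)(off + i);
    return -1;
}

/* Check the left red zone, then the right one; -1 means both are intact. */
long check_redzones(const uint8_t *obj)
{
    long bad = first_bad_redzone(obj, LEFT_RZ_OFF, PAYLOAD_OFF);
    return bad >= 0 ? bad : first_bad_redzone(obj, RIGHT_RZ_OFF, RIGHT_RZ_SIZE);
}

/* Copy one track record out of the raw object bytes. */
struct track read_track(const uint8_t *obj, size_t off)
{
    struct track t;
    memcpy(&t, obj + off, sizeof(t));
    return t;
}

/* Number of recorded call-stack entries; unused addrs[] slots are zero. */
int track_depth(const struct track *t)
{
    int n = 0;
    while (n < TRACK_ADDRS_COUNT && t->addrs[n])
        n++;
    return n;
}

/* Constructed sample built from values shown on the page. */
void build_sample(uint8_t *obj)
{
    struct track a = { .addr = 0xFFFFFF902E9CE3D0ULL,
        .addrs = { 0xFFFFFF902E031BA8ULL, 0xFFFFFF902E9CE3D0ULL,
                   0xFFFFFF902E98CDC4ULL, 0xFFFFFF902E98D0F0ULL },
        .cpu = 0, .pid = 7, .when = 0xFFFFE9DCULL };
    struct track f = { .addr = 0xFFFFFF902E03E9F0ULL,
        .addrs = { 0xFFFFFF902E03EA08ULL, 0xFFFFFF902E03E668ULL,
                   0xFFFFFF902E03BD94ULL },
        .cpu = 7, .pid = 1485, .when = 0xFFFFE9DAULL };
    uint64_t freq = 19200000;   /* first payload word, 0x124F800 */

    memset(obj, 0, OBJ_STRIDE);
    memset(obj + LEFT_RZ_OFF, SLUB_RED_ACTIVE, PAYLOAD_OFF);
    memcpy(obj + PAYLOAD_OFF, &freq, sizeof(freq));
    memset(obj + RIGHT_RZ_OFF, SLUB_RED_ACTIVE, RIGHT_RZ_SIZE);
    memcpy(obj + TRACK_ALLOC_OFF, &a, sizeof(a));
    memcpy(obj + TRACK_FREE_OFF, &f, sizeof(f));
}

int main(void)
{
    uint8_t obj[OBJ_STRIDE];

    build_sample(obj);
    struct track a = read_track(obj, TRACK_ALLOC_OFF);
    struct track f = read_track(obj, TRACK_FREE_OFF);
    printf("red zones: %ld (-1 means intact)\n", check_redzones(obj));
    printf("alloc: pid=%d cpu=%d caller=%#llx depth=%d\n", a.pid, a.cpu,
           (unsigned long long)a.addr, track_depth(&a));
    printf("free : pid=%d cpu=%d caller=%#llx depth=%d\n", f.pid, f.cpu,
           (unsigned long long)f.addr, track_depth(&f));
    /* One byte written past the 0x100-byte payload hits the right red zone. */
    obj[PAYLOAD_OFF + PAYLOAD_SIZE] = 0x41;
    printf("after overrun: first bad offset %#lx\n",
           (unsigned long)check_redzones(obj));
    return 0;
}
```
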
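
Finding the code that allocated the slub object

Making good use of the information in the track structure lets us identify the code that allocated the slub object and the structure that uses the allocated object.

To do this, first look at the debugging information recorded when the slub object was allocated.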

52   NSD:FFFFFFD424975390| D0 E3 9C 2E 90 FF FF FF  0xFFFFFF902E9CE3D0 \\vmlinux\clk-rcg2\clk_rcg2_dfs_determine_rate+0x110
53   NSD:FFFFFFD424975398| A8 1B 03 2E 90 FF FF FF  0xFFFFFF902E031BA8 \\vmlinux\slub\kmem_cache_alloc_trace+0x358
54   NSD:FFFFFFD4249753A0| D0 E3 9C 2E 90 FF FF FF  0xFFFFFF902E9CE3D0 \\vmlinux\clk-rcg2\clk_rcg2_dfs_determine_rate+0x110
55   NSD:FFFFFFD4249753A8| C4 CD 98 2E 90 FF FF FF  0xFFFFFF902E98CDC4 \\vmlinux\clk\clk_core_round_rate_nolock+0x2CC

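This debugging information shows that the slub object was allocated at address '0xFFFFFF902E031BA8', which is the symbol kmem_cache_alloc_trace+0x358, called from 0xFFFFFF902E9CE3D0 (clk_rcg2_dfs_determine_rate+0x110).
Looking up the caller address with the crash utility gives the following source information.

crash64> sym 0xFFFFFF902E9CE3D0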
ffffff902e9ce3d0 (t) clk_rcg2_dfs_determine_rate+272 /home/baldcandy/drivers/clk/qcom/clk-rcg2.c: 1471

Opening that code shows that the slub object is allocated in the clk_rcg2_dfs_populate_freq_table() function.

The following is the implementation of clk_rcg2_dfs_populate_freq_table().

1 static int clk_rcg2_dfs_populate_freq_table(struct clk_rcg2 *rcg)
2 {
3     struct freq_tbl *freq_tbl;
4     int i, ret;
5
6     freq_tbl = kcalloc(MAX_PERF_LEVEL + 1, sizeof(*freq_tbl), GFP_KERNEL);
7     if (!freq_tbl)
8         return -ENOMEM;
9     rcg->freq_tbl = freq_tbl;

Lines 3 to 6 show that this slub object is used as a struct freq_tbl.

As the dump of the slub object below shows, the payload, excluding the red zone, starts at 0xFFFFFFD424975280.

1 ________________address|_data____________________|value_____________|symbol
2    NSD:FFFFFFD424975200| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
3    NSD:FFFFFFD424975208| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
4    NSD:FFFFFFD424975210| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
5    NSD:FFFFFFD424975218| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
6    NSD:FFFFFFD424975220| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
7    NSD:FFFFFFD424975228| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
8    NSD:FFFFFFD424975230| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
9    NSD:FFFFFFD424975238| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
10   NSD:FFFFFFD424975240| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
11   NSD:FFFFFFD424975248| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
12   NSD:FFFFFFD424975250| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
13   NSD:FFFFFFD424975258| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
14   NSD:FFFFFFD424975260| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
15   NSD:FFFFFFD424975268| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
16   NSD:FFFFFFD424975270| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
17   NSD:FFFFFFD424975278| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
18   NSD:FFFFFFD424975280| 00 F8 24 01 00 00 00 00  0x124F800
19   NSD:FFFFFFD424975288| 00 01 00 00 00 00 00 00  0x100
20   NSD:FFFFFFD424975290| 00 00 00 00 00 00 00 00  0x0
21   NSD:FFFFFFD424975298| 00 48 E8 01 00 00 00 00  0x1E84800
22   NSD:FFFFFFD4249752A0| 02 01 08 00 4B 00 00 00  0x4B00080102

Based on this, casting the address 0xFFFFFFD424975280 to struct freq_tbl shows the values of its fields.

$ v.v %t %d %i %y  (struct freq_tbl*)0xFFFFFFD424975280
  (struct freq_tbl *) (struct freq_tbl*)0xFFFFFFD424975280 = 0xFFFFFFD424975280 
    (long unsigned int) freq = 19200000,
    (u8) src = 0,
    (u8) pre_div = 1,
    (u16) m = 0,
    (u16) n = 0,
    (long unsigned int) src_freq = 0)


Checking the slab page (kmalloc-256) with the crash utility

This time, let's look at the debugging information of another slub object (kmalloc-256).

crash64> kmem ffffffbf50925d00
1 CACHE             OBJSIZE  ALLOCATED     TOTAL  SLABS  SSIZE  NAME
2 ffffffd3c08e7780      256      36025     36046   1718    16k  kmalloc-256
3   SLAB              MEMORY            NODE  TOTAL  ALLOCATED  FREE
4   ffffffbf50925d00  ffffffd424974000     0     21         21     0
5   FREE / [ALLOCATED]
6   [ffffffd424974000]
7   [ffffffd424974300]
8   [ffffffd424974600]
9   [ffffffd424974900]
10  [ffffffd424974c00]
11  [ffffffd424974f00]
12  [ffffffd424975200]
13  [ffffffd424975500]
14  [ffffffd424975800]
15  [ffffffd424975b00]
16  [ffffffd424975e00]
17  [ffffffd424976100]
18  [ffffffd424976400]
19  [ffffffd424976700]
20  [ffffffd424976a00]
21  [ffffffd424976d00]
22  [ffffffd424977000]
23  [ffffffd424977300]
24  [ffffffd424977600]
25  [ffffffd424977900]
26  [ffffffd424977c00]
27
28      PAGE               PHYSICAL      MAPPING       INDEX CNT FLAGS
29 ffffffbf50925d00         e4974000 ffffffd3c08e7780        0  1 10200 slab,head

Let's examine the slub object at address FFFFFFD424977000, shown on line 22 above.

1 ________________address|_data____________________|value_____________|symbol
2    NSD:FFFFFFD424977000| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
3    NSD:FFFFFFD424977008| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
4    NSD:FFFFFFD424977010| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
5    NSD:FFFFFFD424977018| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
6    NSD:FFFFFFD424977020| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
7    NSD:FFFFFFD424977028| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
8    NSD:FFFFFFD424977030| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
9    NSD:FFFFFFD424977038| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
10   NSD:FFFFFFD424977040| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
11   NSD:FFFFFFD424977048| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
12   NSD:FFFFFFD424977050| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
13   NSD:FFFFFFD424977058| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
14   NSD:FFFFFFD424977060| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
15   NSD:FFFFFFD424977068| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
16   NSD:FFFFFFD424977070| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
17   NSD:FFFFFFD424977078| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
18   NSD:FFFFFFD424977080| 80 55 9B AF D4 FF FF FF  0xFFFFFFD4AF9B5580
19   NSD:FFFFFFD424977088| 80 4C 97 24 D4 FF FF FF  0xFFFFFFD424974C80
20   NSD:FFFFFFD424977090| 01 00 00 00 00 77 6C 61  0x616C770000000001
21   NSD:FFFFFFD424977098| 6E 5F 69 70 61 5F 63 6F  0x6F635F6170695F6E
22   NSD:FFFFFFD4249770A0| 72 65 2E 63 00 00 00 00  0x632E6572
23   NSD:FFFFFFD4249770A8| 00 00 00 00 00 00 00 00  0x0
24   NSD:FFFFFFD4249770B0| 00 00 00 00 00 00 00 00  0x0
25   NSD:FFFFFFD4249770B8| 00 00 00 00 00 00 00 00  0x0
26   NSD:FFFFFFD4249770C0| 00 00 00 00 00 00 00 00  0x0
27   NSD:FFFFFFD4249770C8| 45 08 00 00 28 00 00 00  0x2800000845
28   NSD:FFFFFFD4249770D0| A0 40 58 30 90 FF FF FF  0xFFFFFF90305840A0 \\vmlinux\wlan_ipa_core\wlan_ipa_setup+0xDC0
29   NSD:FFFFFFD4249770D8| 68 67 66 65 64 63 62 61  0x6162636465666768
30   NSD:FFFFFFD4249770E0| 14 39 97 B8 00 00 00 00  0xB8973914
31   NSD:FFFFFFD4249770E8| E8 4C 97 24 D4 FF FF FF  0xFFFFFFD424974CE8
32   NSD:FFFFFFD4249770F0| E8 55 9B AF D4 FF FF FF  0xFFFFFFD4AF9B55E8
33   NSD:FFFFFFD4249770F8| 00 00 00 00 00 00 00 00  0x0
34   NSD:FFFFFFD424977100| 0A 00 00 00 00 00 00 00  0x0A
35   NSD:FFFFFFD424977108| 00 00 00 00 00 00 00 00  0x0
36   NSD:FFFFFFD424977110| 87 86 85 84 83 82 81 80  0x8081828384858687
37   NSD:FFFFFFD424977118| 00 00 00 00 00 00 00 00  0x0
38   NSD:FFFFFFD424977120| 00 00 00 00 00 00 00 00  0x0
39   NSD:FFFFFFD424977128| 00 00 00 00 00 00 00 00  0x0
40   NSD:FFFFFFD424977130| 00 00 00 00 00 00 00 00  0x0
41   NSD:FFFFFFD424977138| 00 00 00 00 00 00 00 00  0x0
42   NSD:FFFFFFD424977140| 00 00 00 00 00 00 00 00  0x0
43   NSD:FFFFFFD424977148| 00 00 00 00 00 00 00 00  0x0
44   NSD:FFFFFFD424977150| 00 00 00 00 00 00 00 00  0x0
45   NSD:FFFFFFD424977158| 00 00 00 00 00 00 00 00  0x0
46   NSD:FFFFFFD424977160| 00 00 00 00 00 00 00 00  0x0
47   NSD:FFFFFFD424977168| 00 00 00 00 00 00 00 00  0x0
48   NSD:FFFFFFD424977170| 00 00 00 00 00 00 00 00  0x0
49   NSD:FFFFFFD424977178| 00 00 00 00 00 00 00 00  0x0
50   NSD:FFFFFFD424977180| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
51   NSD:FFFFFFD424977188| 31 8C 8E 72 65 1F 5E 13  0x135E1F65728E8C31
52   NSD:FFFFFFD424977190| 44 B8 1A 30 90 FF FF FF  0xFFFFFF90301AB844 \\vmlinux\qdf_mem\qdf_mem_malloc_debug+0x13C
53   NSD:FFFFFFD424977198| 3C 43 03 2E 90 FF FF FF  0xFFFFFF902E03433C \\vmlinux\slub\__kmalloc+0x3AC
54   NSD:FFFFFFD4249771A0| 44 B8 1A 30 90 FF FF FF  0xFFFFFF90301AB844 \\vmlinux\qdf_mem\qdf_mem_malloc_debug+0x13C
55   NSD:FFFFFFD4249771A8| B8 4A 58 30 90 FF FF FF  0xFFFFFF9030584AB8 \\vmlinux\wlan_ipa_core\wlan_ipa_setup_sys_pipe+0x3A8
56   NSD:FFFFFFD4249771B0| A0 40 58 30 90 FF FF FF  0xFFFFFF90305840A0 \\vmlinux\wlan_ipa_core\wlan_ipa_setup+0xDC0
57   NSD:FFFFFFD4249771B8| 78 E3 57 30 90 FF FF FF  0xFFFFFF903057E378 \\vmlinux\wlan_ipa_main\ipa_obj_setup+0x28
58   NSD:FFFFFFD4249771C0| 00 DD 57 30 90 FF FF FF  0xFFFFFF903057DD00 \\vmlinux\wlan_ipa_obj_mgmt_api\ipa_pdev_obj_create_notification+0x138
59   NSD:FFFFFFD4249771C8| B0 C0 48 30 90 FF FF FF  0xFFFFFF903048C0B0 \\vmlinux\wlan_objmgr_pdev_obj\wlan_objmgr_pdev_obj_create+0x338
60   NSD:FFFFFFD4249771D0| C8 FF DF 2F 90 FF FF FF  0xFFFFFF902FDFFFC8 \\vmlinux\wlan_hdd_object_manager\hdd_objmgr_create_and_store_pdev+0xF8
61   NSD:FFFFFFD4249771D8| 80 61 DC 2F 90 FF FF FF  0xFFFFFF902FDC6180 \\vmlinux\wlan_hdd_main\hdd_update_tgt_cfg+0xC0
62   NSD:FFFFFFD4249771E0| 20 9D 1F 30 90 FF FF FF  0xFFFFFF90301F9D20 \\vmlinux\wma_main\wma_rx_ready_event+0x2910
63   NSD:FFFFFFD4249771E8| F8 C9 1E 30 90 FF FF FF  0xFFFFFF90301EC9F8 \\vmlinux\wma_main\wma_legacy_service_ready_event_handler+0x70
64   NSD:FFFFFFD4249771F0| 60 D2 42 30 90 FF FF FF  0xFFFFFF903042D260 \\vmlinux\init_event_handler\init_deinit_ready_event_handler+0x490
65   NSD:FFFFFFD4249771F8| E8 FB 2D 30 90 FF FF FF  0xFFFFFF90302DFBE8 \\vmlinux\wmi_unified\__wmi_control_rx+0xA78
66   NSD:FFFFFFD424977200| B8 11 2E 30 90 FF FF FF  0xFFFFFF90302E11B8 \\vmlinux\wmi_unified\wmi_rx_event_work+0x4E0
67   NSD:FFFFFFD424977208| 50 5E 1A 30 90 FF FF FF  0xFFFFFF90301A5E50 \\vmlinux\qdf_defer\__qdf_defer_func+0x68
68   NSD:FFFFFFD424977210| B8 3F B5 2D 90 FF FF FF  0xFFFFFF902DB53FB8 \\vmlinux\workqueue\process_one_work+0x900
69   NSD:FFFFFFD424977218| 06 00 00 00 37 09 00 00  0x93700000006
70   NSD:FFFFFFD424977220| 1A C4 FF FF 00 00 00 00  0xFFFFC41A
71   NSD:FFFFFFD424977228| F0 E9 03 2E 90 FF FF FF  0xFFFFFF902E03E9F0 \\vmlinux\quarantine\qlink_free+0x18
72   NSD:FFFFFFD424977230| 08 EA 03 2E 90 FF FF FF  0xFFFFFF902E03EA08 \\vmlinux\quarantine\qlink_free+0x30
73   NSD:FFFFFFD424977238| 68 E6 03 2E 90 FF FF FF  0xFFFFFF902E03E668 \\vmlinux\quarantine\quarantine_reduce+0x158
74   NSD:FFFFFFD424977240| 94 BD 03 2E 90 FF FF FF  0xFFFFFF902E03BD94 \\vmlinux\kasan\kasan_kmalloc+0x44
75   NSD:FFFFFFD424977248| 44 BD 03 2E 90 FF FF FF  0xFFFFFF902E03BD44 \\vmlinux\kasan\kasan_slab_alloc+0x14
76   NSD:FFFFFFD424977250| BC 17 03 2E 90 FF FF FF  0xFFFFFF902E0317BC \\vmlinux\slub\kmem_cache_alloc+0x2EC
77   NSD:FFFFFFD424977258| 50 52 0A 2E 90 FF FF FF  0xFFFFFF902E0A5250 \\vmlinux\fs/namei\getname_flags+0xC8
78   NSD:FFFFFFD424977260| 58 9A 0A 2E 90 FF FF FF  0xFFFFFF902E0A9A58 \\vmlinux\fs/namei\user_path_at_empty+0x40
79   NSD:FFFFFFD424977268| 18 50 09 2E 90 FF FF FF  0xFFFFFF902E095018 \\vmlinux\fs/stat\vfs_statx+0xF8
80   NSD:FFFFFFD424977270| CC 54 09 2E 90 FF FF FF  0xFFFFFF902E0954CC \\vmlinux\fs/stat\__arm64_sys_newfstatat+0x11C
81   NSD:FFFFFFD424977278| 00 05 AB 2D 90 FF FF FF  0xFFFFFF902DAB0500 \\vmlinux\kernel/syscall\el0_svc_common+0x158
82   NSD:FFFFFFD424977280| 40 03 AB 2D 90 FF FF FF  0xFFFFFF902DAB0340 \\vmlinux\kernel/syscall\el0_svc_handler+0x108
83   NSD:FFFFFFD424977288| 88 57 A8 2D 90 FF FF FF  0xFFFFFF902DA85788 \\vmlinux\Global\el0_svc+0x8
84   NSD:FFFFFFD424977290| 00 00 00 00 00 00 00 00  0x0
85   NSD:FFFFFFD424977298| 00 00 00 00 00 00 00 00  0x0
86   NSD:FFFFFFD4249772A0| 00 00 00 00 00 00 00 00  0x0
87   NSD:FFFFFFD4249772A8| 00 00 00 00 00 00 00 00  0x0
88   NSD:FFFFFFD4249772B0| 06 00 00 00 CA 07 00 00  0x7CA00000006
89   NSD:FFFFFFD4249772B8| 16 C4 FF FF 00 00 00 00  0xFFFFC416
90   NSD:FFFFFFD4249772C0| 37 09 00 00 AC 03 E0 BB  0xBBE003AC00000937
91   NSD:FFFFFFD4249772C8| 7C 04 00 00 CA 02 60 F7  0xF76002CA0000047C
92   NSD:FFFFFFD4249772D0| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
93   NSD:FFFFFFD4249772D8| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
94   NSD:FFFFFFD4249772E0| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
95   NSD:FFFFFFD4249772E8| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
96   NSD:FFFFFFD4249772F0| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A
97   NSD:FFFFFFD4249772F8| 5A 5A 5A 5A 5A 5A 5A 5A  0x5A5A5A5A5A5A5A5A 


Checking the track information of the slub object

This time, let's look at the track structure recorded when this slub object was allocated.

  (struct track *) (struct track*)0xFFFFFFD424977190 = 0xFFFFFFD424977190 = end+0x43F00B9190 -> (
    (long unsigned int) addr = 18446743593480271940 = 0xFFFFFF90301AB844, // qdf_mem\qdf_mem_malloc_debug+0x13C
    (long unsigned int [16]) addrs = (
      [0] = 18446743593445180220 = 0xFFFFFF902E03433C,  // __kmalloc+0x3AC
      [1] = 18446743593480271940 = 0xFFFFFF90301AB844, // qdf_mem\qdf_mem_malloc_debug+0x13C
      [2] = 18446743593484307128 = 0xFFFFFF9030584AB8, // wlan_ipa_core\wlan_ipa_setup_sys_pipe+0x3A8
      [3] = 18446743593484304544 = 0xFFFFFF90305840A0, // wlan_ipa_core\wlan_ipa_setup+0xDC0
      [4] = 18446743593484280696 = 0xFFFFFF903057E378, // wlan_ipa_main\ipa_obj_setup+0x28
      [5] = 18446743593484279040 = 0xFFFFFF903057DD00, // ipa_pdev_obj_create_notification+0x138
      [6] = 18446743593483288752 = 0xFFFFFF903048C0B0, // wlan_objmgr_pdev_obj_create+0x338
      [7] = 18446743593476423624 = 0xFFFFFF902FDFFFC8, // hdd_objmgr_create_and_store_pdev+0xF8
      [8] = 18446743593476186496 = 0xFFFFFF902FDC6180, // hdd_update_tgt_cfg+0xC0
      [9] = 18446743593480592672 = 0xFFFFFF90301F9D20, // wma_rx_ready_event+0x2910
      [10] = 18446743593480538616 = 0xFFFFFF90301EC9F8, // wma_legacy_service_ready_event_handler+0x70
      [11] = 18446743593482900064 = 0xFFFFFF903042D260, // init_deinit_ready_event_handler+0x490
      [12] = 18446743593481534440 = 0xFFFFFF90302DFBE8, // __wmi_control_rx+0xA78
      [13] = 18446743593481540024 = 0xFFFFFF90302E11B8, // wmi_rx_event_work+0x4E0
      [14] = 18446743593480248912 = 0xFFFFFF90301A5E50, // __qdf_defer_func+0x68
      [15] = 18446743593440067512 = 0xFFFFFF902DB53FB8),  // process_one_work+0x900
    (int) cpu = 6 = 0x6,
    (int) pid = 2359 = 0x0937,
    (long unsigned int) when = 4294951962 = 0xFFFFC41A)

The symbol at address 0xFFFFFF90301AB844 is qdf_mem_malloc_debug+0x13C, and the implementation of that function is as follows.

1 void *qdf_mem_malloc_debug(size_t size, const char *file, uint32_t line,
2                            void *caller, uint32_t flag)
3 {
4     QDF_STATUS status;
5     enum qdf_debug_domain current_domain = qdf_debug_domain_get();
6     qdf_list_t *mem_list = qdf_mem_list_get(current_domain);
7     struct qdf_mem_header *header;
8     void *ptr;
9     unsigned long start, duration;
10    ...
11    start = qdf_mc_timer_get_system_time();
12    header = kzalloc(size + QDF_MEM_DEBUG_SIZE, flag);
13    duration = qdf_mc_timer_get_system_time() - start;

Lines 7 and 12 show that this slub object was used as a qdf_mem_header structure.

Casting the address 0xFFFFFFD424977080 to the qdf_mem_header structure gives the following output.

  (struct qdf_mem_header *) (struct qdf_mem_header*)0xFFFFFFD424977080 
    (qdf_list_node_t) node = (
      (struct list_head *) next = 0xFFFFFFD4AF9B5580,
      (struct list_head *) prev = 0xFFFFFFD424974C80),
    (enum qdf_debug_domain) domain = QDF_DEBUG_DOMAIN_ACTIVE = 1,
    (uint8_t) freed = 0,
    (char [48]) file = "wlan_ipa_core.c",
    (uint32_t) line = 2117,
    (uint32_t) size = 40,
    (void *) caller = 0xFFFFFF90305840A0 = wlan_ipa_setup+0xDC0,
    (uint64_t) header = 7017280452245743464,
    (uint64_t) time = 3096918292)

Checking the slab page (kmalloc-512) with the crash utility

This time, let's look at a kmalloc-512 slub object.

1 crash64> kmem 0xFFFFFFBF4F6EA200
2 CACHE             OBJSIZE  ALLOCATED     TOTAL  SLABS  SSIZE  NAME
3 ffffffd3c08e0780      512      16918     18276    572    32k  kmalloc-512
4   SLAB              MEMORY            NODE  TOTAL  ALLOCATED  FREE
5   ffffffbf4f6ea200  ffffffd3dba88000     0     32         28     4
6   FREE / [ALLOCATED]
7   [ffffffd3dba88000]
8   [ffffffd3dba88400]
9   [ffffffd3dba88800]
10  [ffffffd3dba88c00]
11   ffffffd3dba89000
12  [ffffffd3dba89400]
13  [ffffffd3dba89800]
14  [ffffffd3dba89c00]
15  [ffffffd3dba8a000]
16  [ffffffd3dba8a400]
17  [ffffffd3dba8a800]
18  [ffffffd3dba8ac00]
19  [ffffffd3dba8b000]
20  [ffffffd3dba8b400]
21  [ffffffd3dba8b800]
22   ffffffd3dba8bc00
23  [ffffffd3dba8c000]
24  [ffffffd3dba8c400]
25  [ffffffd3dba8c800]
26  [ffffffd3dba8cc00]
27  [ffffffd3dba8d000]
28   ffffffd3dba8d400
29  [ffffffd3dba8d800]
30   ffffffd3dba8dc00
31  [ffffffd3dba8e000]
32  [ffffffd3dba8e400]
33  [ffffffd3dba8e800]
34  [ffffffd3dba8ec00]
35  [ffffffd3dba8f000]
36  [ffffffd3dba8f400]
37  [ffffffd3dba8f800]
38  [ffffffd3dba8fc00]
39
40      PAGE               PHYSICAL      MAPPING       INDEX CNT FLAGS
41 ffffffbf4f6ea200         9ba88000 ffffffd3c08e0780 ffffffd3dba8bc80  1 10200 slab,head
42

Let's examine the slub object at address ffffffd3dba88000 in the output above.

1 ________________address|_data____________________|value_____________|symbol
2    NSD:FFFFFFD3DBA88000| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
3    NSD:FFFFFFD3DBA88008| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
4    NSD:FFFFFFD3DBA88010| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
5    NSD:FFFFFFD3DBA88018| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
6    NSD:FFFFFFD3DBA88020| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
7    NSD:FFFFFFD3DBA88028| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
8    NSD:FFFFFFD3DBA88030| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
9    NSD:FFFFFFD3DBA88038| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
10   NSD:FFFFFFD3DBA88040| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
11   NSD:FFFFFFD3DBA88048| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
12   NSD:FFFFFFD3DBA88050| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
13   NSD:FFFFFFD3DBA88058| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
14   NSD:FFFFFFD3DBA88060| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
15   NSD:FFFFFFD3DBA88068| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
16   NSD:FFFFFFD3DBA88070| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
17   NSD:FFFFFFD3DBA88078| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
18   NSD:FFFFFFD3DBA88080| 80 D4 47 6E D4 FF FF FF  0xFFFFFFD46E47D480
19   NSD:FFFFFFD3DBA88088| 88 D0 4B 75 D4 FF FF FF  0xFFFFFFD4754BD088
20   NSD:FFFFFFD3DBA88090| 00 00 00 00 00 00 00 00  0x0
21   NSD:FFFFFFD3DBA88098| 00 00 00 00 00 00 00 00  0x0
22   NSD:FFFFFFD3DBA880A0| A0 80 A8 DB D3 FF FF FF  0xFFFFFFD3DBA880A0
23   NSD:FFFFFFD3DBA880A8| A0 80 A8 DB D3 FF FF FF  0xFFFFFFD3DBA880A0
24   NSD:FFFFFFD3DBA880B0| B0 05 00 00 00 00 00 00  0x5B0
25   NSD:FFFFFFD3DBA880B8| 00 00 00 00 00 00 00 00  0x0
26   NSD:FFFFFFD3DBA880C0| 00 00 00 00 00 00 00 00  0x0
27   NSD:FFFFFFD3DBA880C8| C8 80 A8 DB D3 FF FF FF  0xFFFFFFD3DBA880C8
28   NSD:FFFFFFD3DBA880D0| C8 80 A8 DB D3 FF FF FF  0xFFFFFFD3DBA880C8
29   NSD:FFFFFFD3DBA880D8| 00 00 00 00 00 00 00 00  0x0
30   NSD:FFFFFFD3DBA880E0| 00 00 00 00 00 00 00 00  0x0
31   NSD:FFFFFFD3DBA880E8| 00 00 00 00 00 00 00 00  0x0
32   NSD:FFFFFFD3DBA880F0| 03 00 00 00 00 00 00 00  0x3
33   NSD:FFFFFFD3DBA880F8| 01 72 00 00 00 00 00 00  0x7201
34   NSD:FFFFFFD3DBA88100| 00 00 00 00 00 00 00 00  0x0
35   NSD:FFFFFFD3DBA88108| 00 00 00 00 00 00 00 00  0x0
36   NSD:FFFFFFD3DBA88110| 03 00 00 00 00 00 00 00  0x3
37   NSD:FFFFFFD3DBA88118| 01 72 00 00 00 00 00 00  0x7201
38   NSD:FFFFFFD3DBA88120| 00 00 00 00 00 00 00 00  0x0
39   NSD:FFFFFFD3DBA88128| 28 81 A8 DB D3 FF FF FF  0xFFFFFFD3DBA88128
40   NSD:FFFFFFD3DBA88130| 28 81 A8 DB D3 FF FF FF  0xFFFFFFD3DBA88128
41   NSD:FFFFFFD3DBA88138| 00 00 00 00 00 00 00 00  0x0
42   NSD:FFFFFFD3DBA88140| 00 00 00 00 3C 00 00 00  0x3C00000000
43 ...
44   NSD:FFFFFFD3DBA88270| 00 00 00 00 00 00 00 00  0x0
45   NSD:FFFFFFD3DBA88278| 00 00 00 00 00 00 00 00  0x0
46   NSD:FFFFFFD3DBA88280| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
47   NSD:FFFFFFD3DBA88288| 1E AF 63 1C B1 1B 93 8D  0x8D931BB11C63AF1E
48   NSD:FFFFFFD3DBA88290| CC A8 A8 30 90 FF FF FF  0xFFFFFF9030A8A8CC \\vmlinux\binder\binder_get_thread+0x1EC
49   NSD:FFFFFFD3DBA88298| A8 1B 03 2E 90 FF FF FF  0xFFFFFF902E031BA8 \\vmlinux\slub\kmem_cache_alloc_trace+0x358
50   NSD:FFFFFFD3DBA882A0| CC A8 A8 30 90 FF FF FF  0xFFFFFF9030A8A8CC \\vmlinux\binder\binder_get_thread+0x1EC
51   NSD:FFFFFFD3DBA882A8| F0 36 A8 30 90 FF FF FF  0xFFFFFF9030A836F0 \\vmlinux\binder\binder_ioctl+0x368
52   NSD:FFFFFFD3DBA882B0| 74 64 0C 2E 90 FF FF FF  0xFFFFFF902E0C6474 \\vmlinux\fs/ioctl\do_vfs_ioctl+0xA14
53   NSD:FFFFFFD3DBA882B8| 28 71 0C 2E 90 FF FF FF  0xFFFFFF902E0C7128 \\vmlinux\fs/ioctl\__arm64_sys_ioctl+0xB8
54   NSD:FFFFFFD3DBA882C0| 00 05 AB 2D 90 FF FF FF  0xFFFFFF902DAB0500 \\vmlinux\kernel/syscall\el0_svc_common+0x158
55   NSD:FFFFFFD3DBA882C8| 40 03 AB 2D 90 FF FF FF  0xFFFFFF902DAB0340 \\vmlinux\kernel/syscall\el0_svc_handler+0x108
56   NSD:FFFFFFD3DBA882D0| 88 57 A8 2D 90 FF FF FF  0xFFFFFF902DA85788 \\vmlinux\Global\el0_svc+0x8
57   NSD:FFFFFFD3DBA882D8| 00 00 00 00 00 00 00 00  0x0
58   NSD:FFFFFFD3DBA882E0| 00 00 00 00 00 00 00 00  0x0
59   NSD:FFFFFFD3DBA882E8| 00 00 00 00 00 00 00 00  0x0
60   NSD:FFFFFFD3DBA882F0| 00 00 00 00 00 00 00 00  0x0
61   NSD:FFFFFFD3DBA882F8| 00 00 00 00 00 00 00 00  0x0
62   NSD:FFFFFFD3DBA88300| 00 00 00 00 00 00 00 00  0x0
63   NSD:FFFFFFD3DBA88308| 00 00 00 00 00 00 00 00  0x0
64   NSD:FFFFFFD3DBA88310| 00 00 00 00 00 00 00 00  0x0
65   NSD:FFFFFFD3DBA88318| 06 00 00 00 B0 05 00 00  0x5B000000006
66   NSD:FFFFFFD3DBA88320| 96 C3 FF FF 00 00 00 00  0xFFFFC396
67   NSD:FFFFFFD3DBA88328| F0 E9 03 2E 90 FF FF FF  0xFFFFFF902E03E9F0 \\vmlinux\quarantine\qlink_free+0x18
68   NSD:FFFFFFD3DBA88330| 08 EA 03 2E 90 FF FF FF  0xFFFFFF902E03EA08 \\vmlinux\quarantine\qlink_free+0x30
69   NSD:FFFFFFD3DBA88338| 68 E6 03 2E 90 FF FF FF  0xFFFFFF902E03E668 \\vmlinux\quarantine\quarantine_reduce+0x158
70   NSD:FFFFFFD3DBA88340| 94 BD 03 2E 90 FF FF FF  0xFFFFFF902E03BD94 \\vmlinux\kasan\kasan_kmalloc+0x44
71   NSD:FFFFFFD3DBA88348| 44 BD 03 2E 90 FF FF FF  0xFFFFFF902E03BD44 \\vmlinux\kasan\kasan_slab_alloc+0x14
72   NSD:FFFFFFD3DBA88350| BC 17 03 2E 90 FF FF FF  0xFFFFFF902E0317BC \\vmlinux\slub\kmem_cache_alloc+0x2EC
73   NSD:FFFFFFD3DBA88358| 00 AF AE 2D 90 FF FF FF  0xFFFFFF902DAEAF00 \\vmlinux\fork\vm_area_dup+0x30
74   NSD:FFFFFFD3DBA88360| D8 63 FF 2D 90 FF FF FF  0xFFFFFF902DFF63D8 \\vmlinux\mm/mmap\__split_vma+0xA8
75   NSD:FFFFFFD3DBA88368| B4 31 FF 2D 90 FF FF FF  0xFFFFFF902DFF31B4 \\vmlinux\mm/mmap\do_munmap+0x24C
76   NSD:FFFFFFD3DBA88370| 18 1F FF 2D 90 FF FF FF  0xFFFFFF902DFF1F18 \\vmlinux\mm/mmap\mmap_region+0x4E0
77   NSD:FFFFFFD3DBA88378| E0 13 FF 2D 90 FF FF FF  0xFFFFFF902DFF13E0 \\vmlinux\mm/mmap\do_mmap+0x8E8
78   NSD:FFFFFFD3DBA88380| A8 BC F9 2D 90 FF FF FF  0xFFFFFF902DF9BCA8 \\vmlinux\mm/util\vm_mmap_pgoff+0x160
79   NSD:FFFFFFD3DBA88388| FC 2B FF 2D 90 FF FF FF  0xFFFFFF902DFF2BFC \\vmlinux\mm/mmap\ksys_mmap_pgoff+0x10C
80   NSD:FFFFFFD3DBA88390| C0 E1 A9 2D 90 FF FF FF  0xFFFFFF902DA9E1C0 \\vmlinux\arch/arm64/kernel/sys\__arm64_sys_mmap+0xE8
81   NSD:FFFFFFD3DBA88398| 00 05 AB 2D 90 FF FF FF  0xFFFFFF902DAB0500 \\vmlinux\kernel/syscall\el0_svc_common+0x158
82   NSD:FFFFFFD3DBA883A0| 40 03 AB 2D 90 FF FF FF  0xFFFFFF902DAB0340 \\vmlinux\kernel/syscall\el0_svc_handler+0x108
83   NSD:FFFFFFD3DBA883A8| 88 57 A8 2D 90 FF FF FF  0xFFFFFF902DA85788 \\vmlinux\Global\el0_svc+0x8
84   NSD:FFFFFFD3DBA883B0| 07 00 00 00 89 02 00 00  0x28900000007

Checking the slab object's track information

The track structure shows that the kmalloc-512 slab object was allocated at binder_get_thread+0x1EC.
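The allocation track that starts at FFFFFFD3DBA88290 in the dump can also be decoded offline from the dump rows themselves. The Python below is an added example, not code from the original post; it assumes the `struct track` layout of mm/slub.c in 4.19 with CONFIG_STACKTRACE enabled (addr, addrs[16], cpu, pid, when), and the names `ROW`, `load` and `decode_track` are hypothetical.

```python
import re
import struct

# Assumed layout: struct track in mm/slub.c (4.19, CONFIG_STACKTRACE=y) on
# little-endian arm64: addr, addrs[16], int cpu, int pid, unsigned long when.
TRACK = struct.Struct("<Q16QiiQ")
ROW = re.compile(r"NSD:([0-9A-F]{16})\|((?: [0-9A-F]{2}){8})\s+0x[0-9A-F]+(?:\s+(\S+))?")

# Rows 48-66 of the dump above, copied as they appear: the allocation track.
DUMP = r"""
48   NSD:FFFFFFD3DBA88290| CC A8 A8 30 90 FF FF FF  0xFFFFFF9030A8A8CC \\vmlinux\binder\binder_get_thread+0x1EC
49   NSD:FFFFFFD3DBA88298| A8 1B 03 2E 90 FF FF FF  0xFFFFFF902E031BA8 \\vmlinux\slub\kmem_cache_alloc_trace+0x358
50   NSD:FFFFFFD3DBA882A0| CC A8 A8 30 90 FF FF FF  0xFFFFFF9030A8A8CC \\vmlinux\binder\binder_get_thread+0x1EC
51   NSD:FFFFFFD3DBA882A8| F0 36 A8 30 90 FF FF FF  0xFFFFFF9030A836F0 \\vmlinux\binder\binder_ioctl+0x368
52   NSD:FFFFFFD3DBA882B0| 74 64 0C 2E 90 FF FF FF  0xFFFFFF902E0C6474 \\vmlinux\fs/ioctl\do_vfs_ioctl+0xA14
53   NSD:FFFFFFD3DBA882B8| 28 71 0C 2E 90 FF FF FF  0xFFFFFF902E0C7128 \\vmlinux\fs/ioctl\__arm64_sys_ioctl+0xB8
54   NSD:FFFFFFD3DBA882C0| 00 05 AB 2D 90 FF FF FF  0xFFFFFF902DAB0500 \\vmlinux\kernel/syscall\el0_svc_common+0x158
55   NSD:FFFFFFD3DBA882C8| 40 03 AB 2D 90 FF FF FF  0xFFFFFF902DAB0340 \\vmlinux\kernel/syscall\el0_svc_handler+0x108
56   NSD:FFFFFFD3DBA882D0| 88 57 A8 2D 90 FF FF FF  0xFFFFFF902DA85788 \\vmlinux\Global\el0_svc+0x8
57   NSD:FFFFFFD3DBA882D8| 00 00 00 00 00 00 00 00  0x0
58   NSD:FFFFFFD3DBA882E0| 00 00 00 00 00 00 00 00  0x0
59   NSD:FFFFFFD3DBA882E8| 00 00 00 00 00 00 00 00  0x0
60   NSD:FFFFFFD3DBA882F0| 00 00 00 00 00 00 00 00  0x0
61   NSD:FFFFFFD3DBA882F8| 00 00 00 00 00 00 00 00  0x0
62   NSD:FFFFFFD3DBA88300| 00 00 00 00 00 00 00 00  0x0
63   NSD:FFFFFFD3DBA88308| 00 00 00 00 00 00 00 00  0x0
64   NSD:FFFFFFD3DBA88310| 00 00 00 00 00 00 00 00  0x0
65   NSD:FFFFFFD3DBA88318| 06 00 00 00 B0 05 00 00  0x5B000000006
66   NSD:FFFFFFD3DBA88320| 96 C3 FF FF 00 00 00 00  0xFFFFC396
"""

def load(dump):
    """Return ({address: 8 raw bytes}, {code address: symbol}) parsed from the rows."""
    mem, syms = {}, {}
    for m in filter(None, map(ROW.search, dump.splitlines())):
        raw = bytes.fromhex(m.group(2))
        mem[int(m.group(1), 16)] = raw
        if m.group(3):  # keep only "function+offset" from the \\vmlinux\module\ path
            syms[int.from_bytes(raw, "little")] = m.group(3).rsplit("\\", 1)[-1]
    return mem, syms

def decode_track(dump, base):
    """Decode the struct track starting at `base`; KeyError means a row is missing."""
    mem, syms = load(dump)
    blob = b"".join(mem[base + off] for off in range(0, TRACK.size, 8))
    addr, *addrs, cpu, pid, when = TRACK.unpack(blob)
    name = lambda a: syms.get(a, hex(a))
    return {"addr": name(addr), "stack": [name(a) for a in addrs if a],
            "cpu": cpu, "pid": pid, "when": when}
```

Calling `decode_track(DUMP, 0xFFFFFFD3DBA88290)` yields cpu 6 and pid 1456, the same pid that appears in the binder_thread cast further down the page.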

Let's look at the binder_get_thread() function.

1  static struct binder_thread *binder_get_thread(struct binder_proc *proc)
2  {
3      struct binder_thread *thread;
4      struct binder_thread *new_thread;
5
6      binder_inner_proc_lock(proc);
7      thread = binder_get_thread_ilocked(proc, NULL);
8      binder_inner_proc_unlock(proc);
9      if (!thread) {
10         new_thread = kzalloc(sizeof(*thread), GFP_KERNEL);
11         if (new_thread == NULL)

Lines 4 and 10 show that the kmalloc-512 slab object is used as a binder_thread structure.
The payload of the slab object starts at FFFFFFD3DBA88080, as shown below:

17   NSD:FFFFFFD3DBA88078| CC CC CC CC CC CC CC CC  0xCCCCCCCCCCCCCCCC
18   NSD:FFFFFFD3DBA88080| 80 D4 47 6E D4 FF FF FF  0xFFFFFFD46E47D480
19   NSD:FFFFFFD3DBA88088| 88 D0 4B 75 D4 FF FF FF  0xFFFFFFD4754BD088
20   NSD:FFFFFFD3DBA88090| 00 00 00 00 00 00 00 00  0x0

Let's cast the address FFFFFFD3DBA88080 to a binder_thread structure.

$ v.v %t %h %i %y %s %d (struct binder_thread*)0xFFFFFFD3DBA88080
  (struct binder_thread *) (struct binder_thread*)0xFFFFFFD3DBA88080 = 0xFFFFFFD3DBA88080 = end+0x43
    (struct binder_proc *) proc = 0xFFFFFFD46E47D480 = end+0x4439BBF480,
    (struct rb_node) rb_node = ((long unsigned int) __rb_parent_color = 18446743886698893448 = 0xFFF
    (struct list_head) waiting_thread_node = ((struct list_head *) next = 0xFFFFFFD3DBA880A0 = end+0
    (int) pid = 1456 = 0x05B0,
    (int) looper = 0 = 0x0,
    (bool) looper_need_return = FALSE,
    (struct binder_transaction *) transaction_stack = 0x0 = ,
    (struct list_head) todo = (
      (struct list_head *) next = 0xFFFFFFD3DBA880C8 = end+0x43A71CA0C8,
      (struct list_head *) prev = 0xFFFFFFD3DBA880C8 = end+0x43A71CA0C8),
    (bool) process_todo = FALSE,
    (struct binder_error) return_error = ((struct binder_work) work = ((struct list_head) entry = ((
    (struct binder_error) reply_error = ((struct binder_work) work = ((struct list_head) entry = ((s
    (wait_queue_head_t) wait = ((spinlock_t) lock = ((struct raw_spinlock) rlock = ((arch_spinlock_t
    (struct binder_stats) stats = ((atomic_t [18]) br = ([0] = ((int) counter = 0 = 0x0), [1] = ((in
    (atomic_t) tmp_ref = ((int) counter = 0 = 0x0),
    (bool) is_dead = FALSE,
    (struct task_struct *) task = 0xFFFFFFD4DD85B340 = end+0x44A8F9D340 -> (
      (struct thread_info) thread_info = ((long unsigned int) flags = 2048 = 0x0800, (long unsigned
      (long int) state = 1 = 0x1,
      (void *) stack = 0xFFFFFFD4652D0000 = end+0x4430A12000,
      (atomic_t) usage = ((int) counter = 5 = 0x5),
      (unsigned int) flags = 1077952576 = 0x40404040,
      (unsigned int) ptrace = 0 = 0x0,

This gives us the information shown above.

 

Comments

  • ym0914 2021/03/26 20:33 #

    It is fantastic and amazing that so much information can be extracted with the crash tool and TRACE32 from just a single slub object address.
    Thank you for showing this.
  • AustinKim 2021/03/27 00:47 #

    I'm glad to hear it helped.
    Have a pleasant weekend.