forked from ptesarik/makedumpfile
-
Notifications
You must be signed in to change notification settings - Fork 0
/
makedumpfile.conf.5
419 lines (398 loc) · 12.4 KB
/
makedumpfile.conf.5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
.TH MAKEDUMPFILE.CONF 5 "28 Oct 2015" "makedumpfile v1.5.9" "Linux System Administrator's Manual"
.SH NAME
makedumpfile.conf \- The filter configuration file for makedumpfile(8).
.SH DESCRIPTION
.PP
The makedumpfile.conf is a configuration file for makedumpfile tool.
makedumpfile.conf file contains the erase commands to filter out desired kernel
data from the vmcore while creating \fIDUMPFILE\fR using makedumpfile tool.
makedumpfile reads the filter config and builds the list of memory addresses
and its sizes after processing filter commands. The memory locations that
require to be filtered out are then poisoned with character \fIX\fR (58 in Hex).
.SH FILE FORMAT
.PP
The file consists of module sections that contains filter commands. A section
begins with the name of the section in square brackets and continues until the
next section begins.
.br
"["<\fIModuleName\fR>"]"
.br
<\fIFilterCommands\fR>
.br
where
.br
"[" is the character \fB[\fR
.br
"]" is the character \fB]\fR
.TP
<\fIModuleName\fR>
is either 'vmlinux' or name of a Linux kernel module.
.TP
<\fIFilterCommands\fR>
is a list of one or more filter commands as described in the section
\fBFILTER COMMANDS\fR of this manual page.
.PP
The section name indicates a kernel module name (including \fBvmlinux\fR) where
the symbols specified in subsequent erase commands belong to. The unnamed
section defaults to \fB[vmlinux]\fR section. However, a user can also explicitly
define \fB[vmlinux]\fR section. The sections help makedumpfile tool to select
appropriate kernel or module debuginfo file before processing the subsequent
erase commands. Before selecting appropriate debuginfo file, the module name
is validated against the loaded modules from the vmcore. If no match is found,
then the section is ignored and makedumpfile skips to the next module section.
If match is found, then makedumpfile will try to load the corresponding
module debuginfo file. If module debuginfo is not available then, makedumpfile
will skip the section with a warning message.
.SH FILTER COMMANDS
.SS filter command
.PP
A filter command is either an erase command or a loop construct. Each erase
command and loop construct must start with a new line. Each filter command
describes data in the dump to be erased. Syntax:
.br
<\fIEraseCommands\fR>|<\fILoopConstruct\fR>
.br
where
.TP
<\fIEraseCommands\fR>
Described in the subsection \fBerase command\fR of this manual page.
.TP
<\fILoopConstruct\fR>
Described in the subsection \fBLoop construct\fR of this manual page.
.SS erase command
.PP
Erase specified size of a kernel data referred by specified kernel/module
symbol or its member component. The erase command syntax is:
.br
\fBerase\fR <\fISymbol\fR>[.\fImember\fR[...]] [\fBsize\fR
<\fISizeValue\fR>[K|M]]
.br
\fBerase\fR <\fISymbol\fR>[.\fImember\fR[...]] [\fBsize\fR <\fISizeSymbol\fR>]
.br
\fBerase\fR <\fISymbol\fR>[.\fImember\fR[...]] [\fBnullify\fR]
.br
where
.br
.TP
<\fISymbol\fR>
A kernel or module symbol (variable) name that is part of global symbols
\fB/proc/kallsyms\fR.
.TP
<\fISizeValue\fR>
A positive integer value as a size of the data in bytes to be erased. The
suffixes 'K' and 'M' can be used to specify kilobytes and Megabytes
respectively where, K means 1024 bytes and M means 1024 ^ 2 = 1048576 bytes.
The suffixes are not case sensitive.
.TP
<\fISizeSymbol\fR>
A simple expression of the form <\fISymbol\fR>[.\fImember\fR[...]] that denotes
a symbol which contains a positive integer value as a size of the data in bytes
to be erased.
.TP
<\fISymbol\fR>[.\fImember\fR[...]]
A simple expression that results into either a global kernel symbol name or
its member components. The expression always uses '.' operator to specify
the \fImember\fR component of kernel symbol or its member irrespective of
whether it is of pointer type or not.
.TP
\fImember\fR[...]
Member or component of member in <\fISymbol\fR>.
.PP
The \fBerase\fR command takes two arguments 1. kernel symbol name or its
member components and 2. size of the data referred by argument (1) OR
\fBnullify\fR keyword. The second argument \fBsize\fR OR \fBnullify\fR is
optional. The unit for size value is in \fBbytes\fR. If \fBsize\fR option is
not specified then the size of the first argument is determined according to
its data type using dwarf info from debuginfo file. In case of '\fBchar *\fR'
data type, the length of string pointed by '\fBchar *\fR' pointer is determined
with an upper limit of 1024. The \fBsize\fR can be specified in two forms 1.
a integer value as explained above (<\fISizeValue\fR>) and 2. a simple
expression in the form of <\fISymbol\fR>[.\fImember\fR[...]]] that results into
base type (integer) variable.
.PP
If the specified <\fISymbol\fR> is of type '\fBvoid *\fR', then user needs to
provide either \fBsize\fR or \fBnullify\fR option, otherwise the erase command
will not have any effect.
.PP
The \fBnullify\fR option only works if specified <\fISymbol\fR> is a pointer.
Instead of erasing data pointed by the specified pointer \fBnullify\fR erases
the pointer value and set it to '0' (NULL). Please note that by nullifying
the pointer values may affect the debug ability of created \fIDUMPFILE\fR.
Use the \fBnullify\fR option only when the size of data to be erased is not
known. \fBe.g.\fR data pointed by '\fBvoid *\fR'.
.PP
Let us look at the makedumpfile.conf file from the example below which was
configured to erase desired kernel data from the kernel module with name
\fBmymodule\fR. At line 1 and 3, the user has not specified size option while
erasing 'array_var' and 'mystruct1.name' symbols. Instead the user depends on
makedumpfile to automatically determine the sizes to be erased \fBi.e\fR
100 bytes for 'array_var' and 11 bytes for 'mystruct1.name'. At line 2,
while erasing the 'mystruct1.buffer' member the user has specified the size
value 25 against the actual size of 50. In this case the user specified
\fBsize\fR takes the precedence and makedumpfile erases only 25 bytes from
\'mystruct1.buffer'. At line 4, the size of the data pointed by \fBvoid *\fR
pointer 'mystruct1.addr' is unknown. Hence the \fBnullify\fR option has been
specified to reset the pointer value to NULL. At line 5, the
\'mystruct2.addr_size' is specified as \fBsize\fR argument to determine the
size of the data pointed by \fBvoid *\fR pointer 'mystruct2.addr'.
.br
.B Example:
.PP
Assuming the following piece of code is from kernel module 'mymodule':
.br
struct s1 {
.br
char *name;
.br
void *addr1;
.br
void *addr2;
.br
char buffer[50];
.br
};
.br
struct s2 {
.br
void *addr;
.br
long addr_size;
.br
};
.br
/* Global symbols */
.br
char array_var[100];
.br
struct s1 mystruct1;
.br
struct s2 *mystruct2;
.br
int foo()
.br
{
.br
...
.br
s1.name = "Hello World";
.br
...
.br
}
.br
\fBmakedumpfile.conf:\fR
.br
[mymodule]
.br
erase array_var
.br
erase mystruct1.buffer size 25
.br
erase mystruct1.name
.br
erase mystruct1.addr1 nullify
.br
# Assuming addr2 points to 1024 bytes
.br
erase mystruct1.addr2 size 1K
.br
erase mystruct2.addr size mystruct2.addr_size
.br
.B EOF
.SS Loop construct
.PP
A Loop construct allows the user to traverse the linked list or array elements
and erase the data contents referred by each element.
.br
\fBfor\fR <\fIid\fR> \fBin\fR {<\fIArrayVar\fR> |
.br
<\fIStructVar\fR> \fBvia\fR <\fINextMember\fR> |
.br
<\fIListHeadVar\fR> \fBwithin\fR
<\fIStructName\fR>\fB:\fR<\fIListHeadMember\fR>}
.br
\fBerase\fR <\fIid\fR>[.\fIMemberExpression\fR]
[\fBsize\fR <\fISizeExpression\fR>|\fBnullify\fR]
.br
[\fBerase\fR <\fIid\fR>...]
.br
[...]
.br
\fBendfor\fR
.PP
where
.PP
.TP
<\fIid\fR>
Arbitrary name used to temporarily point to elements of the list. This is
also called iteration variable.
.TP
<\fIArrayVar\fR>
A simple expression in the form of <\fISymbol\fR>[.\fImember\fR[...]] that
results into an array variable.
.TP
<\fIStructVar\fR>
A simple expression in the form of <\fISymbol\fR>[.\fImember\fR[...]] that
results into a variable that points to a structure.
.TP
<\fINextMember\fR>
Member within <\fIStructVar\fR> that points to an object of same type that of
<\fIStructVar\fR>.
.TP
<\fIListHeadVar\fR>
A simple expression in the form of <\fISymbol\fR>[.\fImember\fR[...]] that
results into a variable of type struct list_head.
.TP
<\fIStructName\fR>
Name of the structure type that can be traversed using HEAD variable
<\fIListHeadVar\fR> and contains a member named <\fIListHeadMember\fR>.
.TP
<\fIListHeadMember\fR>
Name of a member in <\fIStructName\fR>, of type struct list_head.
.TP
<\fIMemberExpression\fR>
A simple expression in the form of [.\fImember\fR[...]] to specify a member
or component of an element in <\fIArrayVar\fR>, <\fIStructVar\fR>
or <\fIStructName\fR>.
.TP
<\fISizeExpression\fR>
Size value in the form of <\fISizeValue\fR>, <\fIid\fR>[.\fIMemberExpression\fR]
or <\fISymbol\fR>[.\fImember\fR[...]].
.PP
The \fBfor\fR loop construct allows to iterate on list of elements in an array
or linked lists. Each element in the list is assigned to iteration variable
<\fIid\fR>. The type of the iteration variable is determined by that of the
list elements. The entry specified after '\fBin\fR' terminal is called LIST
entry. The LIST entry can be an array variable, structure variable/pointer or a
struct list_head type variable. The set of \fBerase\fR commands specified
between \fBfor\fR and \fBendfor\fR, will be executed for each element in the
LIST entry.
.PP
If the LIST entry specified is an array variable, then the loop will be
executed for each array element. The size of the array will be determined by
using dwarf information.
.PP
If the LIST entry specified is a structure variable/pointer, then a traversal
member (<\fINextMember\fR>) must be specified using '\fBvia\fR' terminal. The
\fBfor\fR loop will continue until the value of traversal member is NULL or
matches with address of the first node <\fIStructVar\fR> if it is a circular
linked list.
.PP
If the LIST entry is specified using a struct list_head type variable, then
\fBwithin\fR terminal must be used to specify the structure name
<\fIStructName\fR> that is surrounding to it along with the struct list_head
type member after '\fB:\fR' which is part of the linked list. In the erase
statement <\fIid\fR> then denotes the structure that the list_head is
contained in (ELEMENT_OF).
.PP
The below example illustrates how to use loop construct for traversing
Array, linked list via next member and list_head.
.B Example:
.PP
Assuming following piece of code is from kernel module 'mymodule':
.br
struct s1 {
.br
struct *next;
.br
struct list_head list;
.br
char private[100];
.br
void *key;
.br
long key_size;
.br
};
.br
/* Global symbols */
.br
struct s1 mystruct1;
.br
static LIST_HEAD(s1_list_head);
.br
struct s1 myarray[100];
.br
void foo()
.br
{
.br
struct s1 *s1_ptr;
.br
...
.br
...
.br
s1_ptr = malloc(...);
.br
...
.br
...
.br
list_add(&s1_ptr->list, &s1_list_head);
.br
...
.br
}
.br
\fBmakedumpfile.conf:\fR
.br
[mymodule]
.br
# erase private fields from list starting with mystruct1 connected via
.br
# 'next' member:
.br
for mys1 in mystruct1 via next
.br
erase mys1.private
.br
erase mys1.key size mys1.key_size
.br
endfor
.br
# erase private fields from list starting with list_head variable
.br
# s1_list_head.
.br
for mys1 in s1_list_head.next within s1:list
.br
erase mys1.private
.br
erase mys1.key size mys1.key_size
.br
endfor
.br
# erase private fields from all elements of the array myarray:
.br
for mys1 in myarray
.br
erase mys1.private
.br
erase mys1.key size mys1.key_size
.br
endfor
.br
.B EOF
.PP
In the above example, the first \fBfor\fR construct traverses the linked list
through a specified structure variable \fBmystruct1\fR of type \fBstruct s1\fR.
The linked list can be traversed using '\fBnext\fR' member of \fBmystruct1\fR.
Hence a \fBvia\fR terminal has been used to specify the traversal member
name '\fBnext\fR'.
.PP
The second \fBfor\fR construct traverses the linked list through a specified
struct list_head variable \fBs1_list_head.next\fR. The global symbol
\fBs1_list_head\fR is a start address of the linked list and its \fBnext\fR
member points to the address of struct list_head type member '\fBlist\fR' from
\fBstruct s1\fR. Hence a \fBwithin\fR terminal is used to specify the structure
name '\fBs1\fR' that can be traversed using \fBs1_list_head.next\fR variable
along with the name of struct list_head type member '\fBlist\fR' which is part
of the linked list that starts from \fBs1_list_head\fR global symbol.
.PP
The third \fBfor\fR construct traverses the array elements specified through
a array variable \fBmyarray\fR.
.br
.SH SEE ALSO
.PP
makedumpfile(8)