说明:文章基于arm64分析,使用的工具是crash_arm64.
mod 命令介绍
进入crash调试窗口后,输入 help mod
即可查看mod工具的使用帮助信息。
crash_arm64> help mod
NAME
mod - module information and loading of symbols and debugging data
SYNOPSIS
mod -s module [objfile] | -d module | -S [directory] [-D|-t|-r|-R|-o|-g]
DESCRIPTION
With no arguments, this command displays basic information of the currently
installed modules, consisting of the module address, name, size, the
object file name (if known), and whether the module was compiled with
CONFIG_KALLSYMS.
The arguments are concerned with with the loading or deleting of symbolic
and debugging data from a module's object file. A modules's object file
always contains symbolic data (symbol names and addresses), but contains
debugging data only if the module was compiled with the -g CFLAG. In
addition, the module may have compiled with CONFIG_KALLSYMS, which means
that the module's symbolic data will have been loaded into the kernel's
address space when it was installed. If the module was not compiled with
CONFIG_KALLSYMS, then only the module's exported symbols will be loaded
into the kernel's address space. Therefore, for the purpose of this
command, it should noted that a kernel module may have been compiled in
one of following manners:
1. If the module was built without CONFIG_KALLSYMS and without the -g CFLAG,
then the loading of the module's additional non-exported symbols can
be accomplished with this command.
2. If the module was built with CONFIG_KALLSYMS, but without the -g CFLAG,
then there is no benefit in loading the symbols from the module object
file, because all of the module's symbols will have been loaded into the
kernel's address space when it was installed.
3. If the module was built with CONFIG_KALLSYMS and with the the -g CFLAG,
then the loading of the module's debugging data can be accomplished
with this command.
4. If the module was built without CONFIG_KALLSYMS but with the -g CFLAG,
then the loading of the both module's symbolic and debugging data can
be accomplished with this command.
-s module [objfile] Loads symbolic and debugging data from the object file
for the module specified. If no objfile argument is
appended, a search will be made for an object file
consisting of the module name with a .o or .ko suffix,
starting at the `/lib/modules/<release>`directory on
the host system, or if not found there, starting at the
directory containing the kernel namelist file. If an
objfile argument is appended, then that file will be
used.
-d module Deletes the symbolic and debugging data of the module
specified.
-S [directory] Load symbolic and debugging data from the object file
for all loaded modules. For each module, a search
will be made for an object file consisting of the
module name with a .o or .ko suffix, starting at the
/lib/modules/<release> directory of the host system,
or if not found there, starting at the directory
containing the kernel namelist file. If a directory
argument is appended, then the search will be restricted
to that directory.
-D Deletes the symbolic and debugging data of all modules.
-t Display the contents of the module's "taints" bitmask
if it is non-zero. When possible, the "taints" bits
are translated to symbolic letters of the taint type;
otherwise the hexadecimal value is shown. In older
kernels, the contents of the "license_gplok" field is
displayed in hexadecimal; the field may be either a
bitmask or a boolean, depending upon the kernel version.
The relevant kernel sources should be consulted for the
meaning of the letter(s) or hexadecimal bit value(s).
For modules that have a "gpgsig_ok" field that is zero
(unsigned), the notation "(U)" is shown.
-r Passes the -readnow flag to the embedded gdb module,
which will override the two-stage strategy that it uses
for reading symbol tables from module object files.
-R Reinitialize module data. All currently-loaded symbolic
and debugging data will be deleted, and the installed
module list will be updated (live system only).
-g When used with -s or -S, add a module object's section
start and end addresses to its symbol list.
-o Load module symbols with old mechanism.
If the crash_arm64 session was invoked with the "--mod <directory>" option, or
a CRASH_MODULE_PATH environment variable exists, then /lib/modules/<release>
will be overridden as the default directory tree that is searched for module
object files.
After symbolic and debugging data have been loaded, backtraces and text
disassembly will be displayed appropriately. Depending upon the processor
architecture, data may also printed symbolically with the "p" command;
at a minimum, the "rd" command may be used with module data symbols.
If crash_arm64 can recognize that the set of modules has changed while running a
session on a live kernel, the module data will be reinitialized the next
time this command is run; the -r option forces the reinitialization.
EXAMPLES
Display the currently-installed modules:
crash_arm64> mod
MODULE NAME SIZE OBJECT FILE
c8019000 soundcore 2788 (not loaded)
c801b000 soundlow 336 (not loaded)
c801d000 sound 59864 (not loaded)
c802d000 ad1848 15728 (not loaded)
c8032000 uart401 6000 (not loaded)
c8035000 cs4232 2472 (not loaded)
c8043000 opl3 11048 (not loaded)
c8047000 3c59x 18152 (not loaded)
c804d000 sunrpc 53796 (not loaded)
c805c000 lockd 31528 (not loaded)
c8065000 nfsd 151896 (not loaded)
c8092000 nfs 29752 (not loaded)
Display the currently-installed modules on a system where all modules were
compiled with CONFIG_KALLSYMS:
crash_arm64> mod
MODULE NAME SIZE OBJECT FILE
e080d000 jbd 57016 (not loaded) [CONFIG_KALLSYMS]
e081e000 ext3 92360 (not loaded) [CONFIG_KALLSYMS]
e0838000 usbcore 83168 (not loaded) [CONFIG_KALLSYMS]
e0850000 usb-uhci 27532 (not loaded) [CONFIG_KALLSYMS]
e085a000 ehci-hcd 20904 (not loaded) [CONFIG_KALLSYMS]
e0865000 input 6208 (not loaded) [CONFIG_KALLSYMS]
e086a000 hid 22404 (not loaded) [CONFIG_KALLSYMS]
e0873000 mousedev 5688 (not loaded) [CONFIG_KALLSYMS]
e0878000 keybdev 2976 (not loaded) [CONFIG_KALLSYMS]
e08fd000 cdrom 34144 (not loaded) [CONFIG_KALLSYMS]
e0909000 ide-cd 35776 (not loaded) [CONFIG_KALLSYMS]
e0915000 scsi_mod 117928 (not loaded) [CONFIG_KALLSYMS]
e0935000 ide-scsi 12752 (not loaded) [CONFIG_KALLSYMS]
e093c000 microcode 5248 (not loaded) [CONFIG_KALLSYMS]
e0943000 sr_mod 18136 (not loaded) [CONFIG_KALLSYMS]
e0956000 floppy 59056 (not loaded) [CONFIG_KALLSYMS]
e0966000 sg 38060 (not loaded) [CONFIG_KALLSYMS]
e0971000 ip_tables 16544 (not loaded) [CONFIG_KALLSYMS]
e097d000 iptable_filter 2412 (not loaded) [CONFIG_KALLSYMS]
e097f000 e1000 76096 (not loaded) [CONFIG_KALLSYMS]
e09ba000 autofs 13780 (not loaded) [CONFIG_KALLSYMS]
e09c1000 parport 39072 (not loaded) [CONFIG_KALLSYMS]
e09ce000 lp 9220 (not loaded) [CONFIG_KALLSYMS]
e09d4000 parport_pc 19204 (not loaded) [CONFIG_KALLSYMS]
e09e2000 agpgart 59128 (not loaded) [CONFIG_KALLSYMS]
e0a1a000 radeon 117156 (not loaded) [CONFIG_KALLSYMS]
e2dc7000 sunrpc 91996 (not loaded) [CONFIG_KALLSYMS]
e2de1000 lockd 60624 (not loaded) [CONFIG_KALLSYMS]
e2df3000 nfs 96880 (not loaded) [CONFIG_KALLSYMS]
Load the symbolic and debugging data of all modules:
crash_arm64> mod -S
MODULE NAME SIZE OBJECT FILE
c8019000 soundcore 2788 /lib/modules/2.2.5-15/misc/soundcore.o
c801b000 soundlow 336 /lib/modules/2.2.5-15/misc/soundlow.o
c801d000 sound 59864 /lib/modules/2.2.5-15/misc/sound.o
c802d000 ad1848 15728 /lib/modules/2.2.5-15/misc/ad1848.o
c8032000 uart401 6000 /lib/modules/2.2.5-15/misc/uart401.o
c8035000 cs4232 2472 /lib/modules/2.2.5-15/misc/cs4232.o
c8043000 opl3 11048 /lib/modules/2.2.5-15/misc/opl3.o
c8047000 3c59x 18152 /lib/modules/2.2.5-15/net/3c59x.o
c804d000 sunrpc 53796 /lib/modules/2.2.5-15/misc/sunrpc.o
c805c000 lockd 31528 /lib/modules/2.2.5-15/fs/lockd.o
c8065000 nfsd 151896 /lib/modules/2.2.5-15/fs/nfsd.o
c8092000 nfs 29752 /lib/modules/2.2.5-15/fs/nfs.o
Load the symbolic and debugging data of the soundcore module from its
known location:
crash_arm64> mod -s soundcore
MODULE NAME SIZE OBJECT FILE
c8019000 soundcore 2788 /lib/modules/2.2.5-15/misc/soundcore.o
Delete the current symbolic and debugging data of the soundcore module,
and then re-load it from a specified object file:
crash_arm64> mod -d soundcore
crash_arm64> mod -s soundcore /tmp/soundcore.o
MODULE NAME SIZE OBJECT FILE
c8019000 soundcore 2788 /tmp/soundcore.o
After installing a new kernel module on a live system, reinitialize the
installed module list:
crash_arm64> !insmod mdacon
crash_arm64> mod
mod: NOTE: modules have changed on this system -- reinitializing
MODULE NAME SIZE OBJECT FILE
c8019000 soundcore 2788 (not loaded)
c801b000 soundlow 336 (not loaded)
c801d000 sound 59864 (not loaded)
c802d000 ad1848 15728 (not loaded)
c8032000 uart401 6000 (not loaded)
c8035000 cs4232 2472 (not loaded)
c8043000 opl3 11048 (not loaded)
c8047000 3c59x 18152 (not loaded)
c804d000 sunrpc 53796 (not loaded)
c805c000 lockd 31528 (not loaded)
c8065000 nfs 29752 (not loaded)
c806e000 autofs 9316 (not loaded)
c8072000 nfsd 151896 (not loaded)
c80a1000 mdacon 3556 (not loaded)
Display modules that are "tainted", where in this case
where they are proprietary and unsigned:
crash_arm64> mod -t
NAME TAINT
vxspec P(U)
vxportal P(U)
fdd P(U)
vxfs P(U)
vxdmp P(U)
vxio P(U)
vxglm P(U)
vxgms P(U)
vxodm P(U)
部分翻译:
NAME
mod - 模块信息以及符号和调试数据的加载
SYNOPSIS
mod -s module [objfile] | -d module | -S [directory] [-D|-t|-r|-R|-o|-g]
DESCRIPTION
该命令不带任何参数,显示当前已安装模块的基本信息,包括模块地址,名称,大小,目标文件名(如果知道)以及模块是否使用CONFIG_KALLSYMS编译。
这些参数与从模块的目标文件中加载或删除符号和调试数据有关。模块的目标文件始终包含符号数据(符号名称和地址),但是仅当使用-g CFLAG编译模块时,才包含调试数据。另外,该模块可能已使用CONFIG_KALLSYMS进行编译,这意味着该模块的符号数据在安装时将被加载到内核的地址空间中。如果模块不是使用CONFIG_KALLSYMS编译的,则仅模块的导出符号将被加载到内核的地址空间中。因此,出于此命令的目的,应注意,内核模块可能已通过以下方式之一进行了编译:
1.如果模块是在没有CONFIG_KALLSYMS且没有-g CFLAG的情况下构建的,则可以使用此命令来完成模块其他非导出符号的加载。
2.如果模块是使用CONFIG_KALLSYMS构建的,但没有-g CFLAG,则从模块目标文件中加载符号没有任何好处,因为当模块被加载时,所有模块的符号都会被加载到内核的地址空间中。已安装。
3.如果模块是使用CONFIG_KALLSYMS和-g CFLAG构建的,则可以使用此命令完成模块调试数据的加载。
4.如果模块是在没有CONFIG_KALLSYMS的情况下构建的,但带有-g CFLAG的模块,则可以使用此命令来完成两个模块的符号数据和调试数据的加载。
-s module [objfile] | 从目标文件中加载指定模块的符号和调试数据。 如果未附加objfile参数,则将从主机系统上的/ lib / modules / 目录开始搜索由后缀为.o或.ko的模块名称组成的目标文件。 在包含内核名称列表文件的目录中找到。 如果附加了参数,则将使用该文件。 |
-d module | 删除指定模块的符号和调试数据。 |
-S [directory] | 从目标文件中为所有已加载的模块加载符号和调试数据。 对于每个模块,将从主机系统的/ lib / modules / 目录开始搜索一个目标文件,该目标文件由带有.o或.ko后缀的模块名称组成,或者如果找不到该文件, 从包含内核名称列表文件的目录开始。 如果附加了目录参数,则搜索将限于该目录。 |
-D | 删除所有模块的符号和调试数据。 |
-t | 如果模块的“污点”位掩码非零,则显示其内容。 如果可能,将“污点”位转换为污点类型的符号字母。 否则,将显示十六进制值。 在老内核中,“ license_gplok”字段的内容以十六进制显示; 该字段可以是位掩码,也可以是布尔值,具体取决于内核版本。有关字母或十六进制位值的含义,请查阅相关的内核源。 对于“ gpgsig_ok”字段为零(无符号)的模块,将显示符号“(U)”。 |
-r | 将-readnow标志传递给嵌入式gdb模块,该模块将覆盖用于从模块目标文件读取符号表的两阶段策略。 |
-R | 重新初始化模块数据。 所有当前加载的符号和调试数据将被删除,并且已安装的模块列表将被更新(仅适用于实时系统)。 |
-g | 与-s或-S一起使用时,将模块对象的节开始和结束地址添加到其符号列表中。 |
-o | 使用旧机制加载模块符号。 |
如果使用“ --mod ”选项调用了crash_arm64会话,或者存在CRASH_MODULE_PATH环境变量,则/ lib / modules / 将被覆盖,作为搜索模块对象文件的默认目录树。
加载符号和调试数据后,将适当显示回溯和文本反汇编。 根据处理器架构的不同,数据也可以使用“ p”命令进行象征性打印。 至少,“ rd”命令可与模块数据符号一起使用。
如果crash_arm64在实时内核上运行会话时识别出模块组已更改,则下次运行该命令时将重新初始化模块数据;否则,将重新初始化模块数据。 -r选项强制重新初始化。