Examine Normal Kernel Dumps
Explore how to navigate and analyze normal Linux kernel core dumps using the crash utility. Understand key commands for inspecting processes, CPU queues, stack traces, memory layout, and task structures to diagnose kernel crashes effectively.
We'll cover the following...
- Loading the core dump
- Identifying the current thread
- Seeking help
- Examining kernel message buffer
- Checking memory, computer, and network info
- Listing all processes
- Listing CPU queues
- Selecting tasks
- Examining the stack trace
- Examining the virtual memory layout
- Listing opened files
- Dumping memory contents as pointers
- Verifying the return address
- Listing backtrace of every PID
- Exploring individual tasks
- Try it out
In this lesson, we will learn how to navigate through a normal kernel dump using crash.
Loading the core dump
We’ve manually crashed a normally running kernel to collect a dump for this exercise (by echoing c to sysrq-trigger, as described in the “Overview and Required Tools” lesson).
crash dump.202112280237 ../KSym/vmlinux-5.10.0-10-amd64
Note: The loading process of the core dump may take some time.
The above command will output the following to the terminal:
Identifying the current thread
The following command shows the current thread, that is, the process that led to the crash:
bt
The above command will output the following to the terminal:
Note: User space addresses are not available in the kernel dump.
sym 00007f1ddc1f0f33
sym ffffffff9047f24d
The sym command interconverts between symbols and their virtual addresses.
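The following Python example is added here and is not part of the original lesson or of crash itself. It models the two directions of the sym lookup as a nearest-preceding-symbol search and shows why the user-space address above cannot be resolved from a kernel dump while the kernel address can. The symbol names and table are constructed, and the user/kernel address split assumes x86-64 with 4-level paging.

```python
import bisect

# Constructed System.map-style lines (address, type, name); not taken from the lesson's dump.
SAMPLE_MAP = """\
ffffffff9047f100 T constructed_func_a
ffffffff9047f200 T constructed_func_b
ffffffff9047f300 t constructed_func_c
ffffffff91a00000 D constructed_data
"""

USER_MAX = 0x00007FFFFFFFFFFF    # top of the user half (assumption: 4-level paging)
KERNEL_MIN = 0xFFFF800000000000  # bottom of the kernel half (same assumption)


def classify(addr):
    """Return 'user', 'kernel' or 'non-canonical' for an x86-64 virtual address."""
    if 0 <= addr <= USER_MAX:
        return "user"
    if KERNEL_MIN <= addr <= 0xFFFFFFFFFFFFFFFF:
        return "kernel"
    return "non-canonical"


def load_symbols(text):
    """Parse 'address type name' lines into (address, name) pairs sorted by address."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            syms.append((int(parts[0], 16), parts[2]))
    return sorted(syms)


def addr_to_sym(syms, addr):
    """Address -> 'name+0xoffset', or None when kernel symbols cannot cover it."""
    if classify(addr) != "kernel":
        return None  # user-space address: nothing in the kernel symbol table matches
    addrs = [a for a, _ in syms]
    i = bisect.bisect_right(addrs, addr) - 1  # last symbol starting at or below addr
    if i < 0:
        return None
    base, name = syms[i]
    return f"{name}+0x{addr - base:x}"


def sym_to_addr(syms, name):
    """Symbol name -> address, or None if the name is not in the table."""
    return next((a for a, n in syms if n == name), None)
```
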
Seeking help
The tool ...