Examine Normal Kernel Dumps
Learn how to navigate a normal kernel dump.
We'll cover the following...
- Loading the core dump
- Identifying the current thread
- Seeking help
- Examining kernel message buffer
- Checking memory, computer, and network info
- Listing all processes
- Listing CPU queues
- Selecting tasks
- Examining the stack trace
- Examining the virtual memory layout
- Listing opened files
- Dumping memory contents as pointers
- Verifying the return address
- Listing backtrace of every PID
- Exploring individual tasks
- Try it out
In this lesson, we will learn how to navigate through a normal kernel dump using crash.
Loading the core dump
We’ve manually crashed a normally running kernel to collect a dump for this exercise (by echoing c to sysrq-trigger, as described in the “Overview and Required Tools” lesson).
crash dump.202112280237 ../KSym/vmlinux-5.10.0-10-amd64
Note: The loading process of the core dump may take some time.
The above command will output the following to the terminal:
Identifying the current thread
We can see the current thread from the process ID that led to the crash with the following command:
bt
The above command will output the following to the terminal:
Note: User space addresses are not available in the kernel dump.
sym 00007f1ddc1f0f33
sym ffffffff9047f24d
The sym command translates between symbols and their virtual addresses.
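The following is an added example, not part of the original lesson and not crash's own code. It is a simplified model of an address-to-symbol lookup of the kind sym performs, and it shows why a lower-half address such as 00007f1ddc1f0f33 has no kernel symbol. It assumes x86-64 with 4-level paging; the symbol table is constructed and its names and addresses are hypothetical.

```python
import bisect

# x86-64 with 4-level paging (assumption): user space is the lower
# canonical half, kernel space the upper canonical half.
USER_MAX = 0x0000_7FFF_FFFF_FFFF
KERNEL_MIN = 0xFFFF_8000_0000_0000

# Constructed System.map-style lines (address, type, name). The names and
# addresses are hypothetical, not taken from the dump in this lesson.
SAMPLE_MAP = """\
ffffffff9047f1c0 T example_func_a
ffffffff9047f230 T example_func_b
ffffffff9047f2a0 t example_func_c
"""

def parse_map(text):
    """Return (sorted addresses, parallel names) from System.map-style text."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        entries.append((int(parts[0], 16), parts[2]))
    entries.sort()
    return [a for a, _ in entries], [n for _, n in entries]

def classify(addr):
    """Say which half of the canonical address space an address falls in."""
    if addr <= USER_MAX:
        return "user"
    if addr >= KERNEL_MIN:
        return "kernel"
    return "non-canonical"

def resolve(addr, addrs, names):
    """Map an address to 'symbol+0xoffset', or None if it cannot be resolved."""
    if classify(addr) != "kernel":
        return None  # user-space text is not described by kernel symbols
    i = bisect.bisect_right(addrs, addr) - 1  # nearest symbol at or below addr
    if i < 0:
        return None  # below the first known symbol
    return f"{names[i]}+0x{addr - addrs[i]:x}"

def lookup(name, addrs, names):
    """Reverse direction: symbol name to virtual address."""
    return addrs[names.index(name)] if name in names else None

if __name__ == "__main__":
    addrs, names = parse_map(SAMPLE_MAP)
    for a in (0x00007F1DDC1F0F33, 0xFFFFFFFF9047F24D):
        print(f"{a:016x} {classify(a):6} {resolve(a, addrs, names)}")
```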
Seeking help
The tool ...