-----Original Message-----
> From: crash-utility-bounces@xxxxxxxxxx <crash-utility-bounces@xxxxxxxxxx> On Behalf Of Andrej Ras
> Sent: Friday, July 31, 2020 2:48 AM
> To: crash-utility@xxxxxxxxxx
> Subject: using crash without vmlinux OR dump memory at specific vaddr
>
> Hi Folks,
>
> I have a simple question --
>
> How can I use the crash utility to examine a live system without
> having vmlinux ?

If you cannot get the vmlinux compiled with -g option, you cannot use
the crash utility.

(but if you can build a vmlinux from the same source and config as the
running kernel, you might be able to use crash with it and System.map
or /proc/kallsyms?  I've not tried this though..)

>
> If not is there a way to dump memory for a virtual memory address?

If you want only to dump a kernel virtual address, you might be able to
use /proc/kcore.

For example, to dump ffffffffad200100, which is linux_banner on a machine btw,

determine which segment the address is in,

  # readelf -l /proc/kcore

  Program Headers:
    Type           Offset             VirtAddr           PhysAddr
                   FileSiz            MemSiz              Flags  Align
  ...
    LOAD           0x00007fffaca02000 0xffffffffaca00000 0x0000000c7a000000
                   0x000000000169b000 0x000000000169b000  RWE    1000
  ...

calculate the offset from its start address,

  # echo $((0xffffffffad200100 - 0xffffffffaca00000))
  8388864

and dump the file offset in /proc/kcore.

  # dd if=/proc/kcore bs=1 skip=$((0x00007fffaca02000 + 8388864)) count=16 2>/dev/null
  Linux version 3.

Thanks,
Kazu
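
Added example, not part of the original message and not code from the crash project: the three manual steps above (find the LOAD segment, compute the offset, read the bytes) done by parsing the ELF64 program headers directly. The function names are hypothetical, and the sample header is constructed from the readelf values quoted in the message (the PT_NOTE entry in it is made up); reading a live /proc/kcore needs root.

```python
import io
import struct

PT_LOAD = 1

def load_segments(f):
    """Return (vaddr, file_offset, filesz) for every PT_LOAD of an ELF64 LE file."""
    f.seek(0)
    ehdr = f.read(64)
    if len(ehdr) < 64 or ehdr[:4] != b"\x7fELF" or ehdr[4] != 2 or ehdr[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    (e_phoff,) = struct.unpack_from("<Q", ehdr, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", ehdr, 0x36)
    segs = []
    for i in range(e_phnum):
        f.seek(e_phoff + i * e_phentsize)
        # First 40 bytes of Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack("<IIQQQQ", f.read(40))
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_offset, p_filesz))
    return segs

def vaddr_to_offset(segs, vaddr, length=1):
    """Map a kernel virtual address to a file offset; the range must fit one segment."""
    for seg_vaddr, seg_off, seg_size in segs:
        if seg_vaddr <= vaddr and vaddr + length <= seg_vaddr + seg_size:
            return seg_off + (vaddr - seg_vaddr)
    raise LookupError(f"{vaddr:#x}+{length} is not inside any PT_LOAD segment")

def read_vaddr(path, vaddr, length):
    """Read length bytes at vaddr from a kcore-style file such as /proc/kcore."""
    with open(path, "rb", buffering=0) as f:
        f.seek(vaddr_to_offset(load_segments(f), vaddr, length))
        return f.read(length)

def constructed_kcore_header():
    """Constructed sample: ELF header, a made-up PT_NOTE, and the LOAD entry quoted above."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       4, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    note = struct.pack("<IIQQQQQQ", 4, 0, 0x1000, 0, 0, 0x100, 0x100, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 7, 0x00007FFFACA02000,
                       0xFFFFFFFFACA00000, 0xC7A000000, 0x169B000, 0x169B000, 0x1000)
    return io.BytesIO(ehdr + note + load)

if __name__ == "__main__":
    segs = load_segments(constructed_kcore_header())
    print(hex(vaddr_to_offset(segs, 0xFFFFFFFFAD200100, 16)))
```

On a live system, `read_vaddr("/proc/kcore", 0xffffffffad200100, 16)` performs the same read as the dd command, with the address taken from that machine's own symbol table.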