搭配kallsyms_lookup,我們除了可以抓出function name之外,還可以抓出module name,所以我把kallsyms_lookup埋在kmalloc呼叫中,但是,kmalloc被定義為inline function,所以不可能從__builtin_return_address拉出caller address,必需把kmalloc改為非inline function,所以我把kmalloc拉到slab.c,並加入以下幾行
/*inline*/ void *kmalloc(size_t size, gfp_t flags)
{
/*
 * Excerpt only: these are the hook lines inserted at the top of the
 * non-inline kmalloc() moved into slab.c. The real allocation path
 * and the function's closing brace are not part of this listing.
 */
char *modname=NULL;                 /* set by kallsyms_lookup() when the caller is in a module */
const char *name=NULL;              /* symbol name returned by kallsyms_lookup(); the hook never reads it */
unsigned long kaoffset, kasize;     /* offset into / size of the resolved symbol (unused here) */
char namebuf[KSYM_NAME_LEN];        /* scratch space kallsyms_lookup() may fill */
/*
 * Only meaningful because kmalloc() is no longer inline: for an inline
 * function __builtin_return_address(0) would not identify the caller.
 */
unsigned long caller = (unsigned long) __builtin_return_address(0);
name = kallsyms_lookup(caller, &kasize, &kaoffset, &modname, namebuf);
/* Attribute the allocation to a module only when a module name was resolved. */
if (modname)
{
printk("modname %s\n",modname);
addElement(modname,size,0);        /* project hook: record `size` bytes allocated, 0 freed */
}
addElement是我們自己寫的函式,主要是在收集由kmalloc攔截到的資訊,有興趣的朋友可以自己寫自己的hook function
在kfree function內也擺上hook function,大概如下,記得要把obj_size-20,因為kmalloc會多佔20bytes空間於memory heap
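/*
 * kfree() with a tracking hook: before the object is returned to its
 * cache, the caller is resolved through kallsyms and the freed size is
 * reported to addElement() when the caller belongs to a module.
 *
 * @objp: object previously returned by kmalloc(); NULL / ZERO_SIZE_PTR
 *        are ignored, as in the stock implementation.
 */
void kfree(const void *objp)
{
struct kmem_cache *c;
unsigned long flags;
//hack
/*
 * Per-object overhead kmalloc() adds on the heap. The accompanying
 * text states 20 bytes; this has not been verified against every
 * cache size, so treat it as an observed value rather than a constant
 * of the allocator.
 */
enum { KMALLOC_HEAP_OVERHEAD = 20 };
char *modname=NULL;
unsigned long kaoffset, kasize;     /* filled by kallsyms_lookup(), not used by the hook */
char namebuf[KSYM_NAME_LEN];
unsigned long caller;               /* declared up front: kernel builds warn on declarations after statements */
int objsz;                          /* obj_size(c), evaluated once */
if (unlikely(ZERO_OR_NULL_PTR(objp)))
return;
local_irq_save(flags);
kfree_debugcheck(objp);
c = virt_to_cache(objp);
objsz = obj_size(c);
//hack
/* Valid only because kfree() is not inlined into its caller. */
caller = (unsigned long) __builtin_return_address(0);
/* The symbol name is not needed; only modname is consumed. */
(void) kallsyms_lookup(caller, &kasize, &kaoffset, &modname, namebuf);
if (modname)
{
/*
 * NOTE(review): this printk runs with interrupts disabled on every
 * free from a module; fine for a debugging build, noisy otherwise.
 */
printk("modname %s\n",modname);
/* Clamp so an object smaller than the overhead never reports a negative size. */
addElement(modname,0, objsz > KMALLOC_HEAP_OVERHEAD ? objsz - KMALLOC_HEAP_OVERHEAD : 0);
}
//hack end
debug_check_no_locks_freed(objp, objsz);
debug_check_no_obj_freed(objp, objsz);
__cache_free(c, (void *)objp);
local_irq_restore(flags);
}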
轉貼
http://daydreamer.idv.tw/rewrite.php/read-55.html