whatis
如果提前知道某个符号属于哪种数据类型,可以直接用struct、union等命令查看,否则可以先用whatis查询。
crash> whatis -o page struct page { [0] unsigned long flags; union { struct { union { [8] struct list_head lru; struct { [8] void *__filler; [16] unsigned int mlock_count; }; [8] struct list_head buddy_list; [8] struct list_head pcp_list; }; [24] struct address_space *mapping; union { [32] unsigned long index; [32] unsigned long share; }; [40] unsigned long private; }; struct { [8] unsigned long pp_magic; [16] struct page_pool *pp; [24] unsigned long _pp_mapping_pad; [32] unsigned long dma_addr; union { [40] unsigned long dma_addr_upper; [40] atomic_long_t pp_frag_count; }; }; ... [52] atomic_t _refcount; [56] unsigned long memcg_data; } SIZE: 64
struct
上面显示page是struct类型,那么也可以直接用struct命令。struct的输出格式更丰富,这里的struct也可以用*代替。
crash> *page -xo struct page { [0x0] unsigned long flags; union { struct { union { [0x8] struct list_head lru; struct { [0x8] void *__filler; [0x10] unsigned int mlock_count; }; [0x8] struct list_head buddy_list; [0x8] struct list_head pcp_list; }; [0x18] struct address_space *mapping; union { [0x20] unsigned long index; [0x20] unsigned long share; }; [0x28] unsigned long private; }; ... [0x34] atomic_t _refcount; [0x38] unsigned long memcg_data; } SIZE: 0x40
上面显示的是结构体成员的偏移(-x表示以十六进制显示)。如果我们已经知道某个结构体变量的地址,那么可以用下面的方法获取其中每个成员的地址(即该地址加上各成员的偏移):
crash> *page -ox ffffea0000000440 struct page { [ffffea0000000440] unsigned long flags; union { struct { union { [ffffea0000000448] struct list_head lru; struct { [ffffea0000000448] void *__filler; [ffffea0000000450] unsigned int mlock_count; }; [ffffea0000000448] struct list_head buddy_list; [ffffea0000000448] struct list_head pcp_list; }; [ffffea0000000458] struct address_space *mapping; union { [ffffea0000000460] unsigned long index; [ffffea0000000460] unsigned long share; }; [ffffea0000000468] unsigned long private; }; ... [ffffea0000000474] atomic_t _refcount; [ffffea0000000478] unsigned long memcg_data; } SIZE: 0x40
完。