How to get the address of a kernel module that was inserted using insmod?

Asked 17/6, 2011 at 10:46 Answered 14/4, 2018 at 21:19

Solved linux linux-kernel linux-device-driver embedded-linux

I would like to know the address of a kernel module. Actually, from stack trace it looks that the crash has been triggered from a kernel module (which have been insmoded after system boots up). There are several modules I insmod manually. So I need to detect which module among these is triggering the crash. Please let me know how to get the address of each modules loaded using insmod.

Siphonostele answered 17/6, 2011 at 10:46 Comment(1)

I am using linux kernel 2.6.34.7. – Siphonostele 17/6, 2011 at 10:47

cat /proc/modules should give you a rough guide to where things are loaded. You might get more of a clue about exactly where the kernel crash is by looking at /proc/kallsyms.

Beardless answered 17/6, 2011 at 12:37 Comment(0)

/sys/module/<MODULE_NAME>/sections/ contains addresses of all sections of your module. Since most section begin with a dot (.), don't forget to pass -a to ls when listing this directory content:

$ ls -a /sys/module/usbcore/sections/
.                      __ex_table                 __param
..                     .fixup                     .rodata
.altinstr_replacement  .gnu.linkonce.this_module  .rodata.str1.1
.altinstructions       .init.text                 .rodata.str1.8
.bss                   __kcrctab_gpl              .smp_locks
__bug_table            __ksymtab_gpl              .strtab
.data                  __ksymtab_strings          .symtab
.data..read_mostly     __mcount_loc               .text
.data.unlikely         .note.gnu.build-id         .text.unlikely
.exit.text             .parainstructions          __verbose

Pungent answered 22/5, 2016 at 21:26 Comment(5)

Do you understand why the value of .text is something much smaller than the values shown by /proc/modules and pr_debug https://mcmap.net/q/429957/-how-to-get-the-address-of-a-kernel-module-that-was-inserted-using-insmod (both the same, and correct according to QEMU + GDB)? – Crossland 14/4, 2018 at 21:31

@CiroSantilli包子露宪六四事件法轮功 Here, I find same values in /proc/modules and in /sys/module/<MODULE_NAME>/sections/.text – Quincy 16/4, 2018 at 7:14

Thanks for confirming. Here is a minimal reproducible example where I see the difference: github.com/cirosantilli/linux-kernel-module-cheat/tree/… – Crossland 16/4, 2018 at 9:5

@CiroSantilli I won't qualify your example "minimal". Are you sure you are not confused between output of readelf and files from /sys? .text address provided by readelf is much smaller since it is not yet relocated. – Quincy 16/4, 2018 at 13:43

OK, minimal within bisecting 50 kernel configs :-) I am certain, give it a try. – Crossland 16/4, 2018 at 13:46

pr_debug on dmesg

If we enable pr_debug, then it shows the base address the module was loaded at.

This can be useful for example if the module panics at init_module and you can't read /proc/modules interactively.

The best way to enable pr_debug is to compile the kernel with CONFIG_DYNAMIC_DEBUG=y as explained at: Why is pr_debug of the Linux kernel not giving any output?

Then when you do:

echo 8 > /proc/sys/kernel/printk
echo 'file kernel/module.c +p' > /sys/kernel/debug/dynamic_debug/control
insmod mymodule.ko

we see a line of form:

0xffffffffc0005000 .text

which contains the base address.

Crossland answered 14/4, 2018 at 21:19 Comment(2)

This is amazingly useful and might have helped me get to the bottom of a months-long bug-hunt. But how on earth do you derive these incantations? – Mincemeat 27/6, 2020 at 20:26

@Mincemeat thanks! It's like any open source problem: a mixture of read the source/Google into it/notice by chance when you don't need it :-) – Crossland 27/6, 2020 at 20:47

Recommended topics

Hot tags