{"id":4068,"date":"2014-12-10T00:48:51","date_gmt":"2014-12-09T16:48:51","guid":{"rendered":"http:\/\/rmohan.com\/?p=4068"},"modified":"2014-12-10T00:49:40","modified_gmt":"2014-12-09T16:49:40","slug":"kernel-crash-reportcrash-dump-analysis","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=4068","title":{"rendered":"Kernel Crash Report\/Crash Dump Analysis"},"content":{"rendered":"<h3 class=\"post-title entry-title\">Kernel Crash Report\/Crash Dump Analysis<\/h3>\n<div class=\"post-header\"><\/div>\n<div id=\"post-body-3983330995329165814\" class=\"post-body entry-content\">\n<div dir=\"ltr\">\n<div class=\"gmail_default\">In my previous post, we configured how to capture a kernel dump; for reference, click on the link\u00a0<a href=\"http:\/\/sunlnx.blogspot.in\/2013\/05\/crash-dump-kernel-kdump.html\" target=\"_blank\">kernel crash dump<\/a>.<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">In this article, we master the basic usage of the crash utility: opening the dumped memory core, processing the information\u00a0contained therein, and interpreting the output.<\/div>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/12\/Fundamentals-Complete-Memory-Dump-Analysis-Logo.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4069\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/12\/Fundamentals-Complete-Memory-Dump-Analysis-Logo.png\" alt=\"Fundamentals-Complete-Memory-Dump-Analysis-Logo\" width=\"341\" height=\"341\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2014\/12\/Fundamentals-Complete-Memory-Dump-Analysis-Logo.png 341w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/12\/Fundamentals-Complete-Memory-Dump-Analysis-Logo-150x150.png 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/12\/Fundamentals-Complete-Memory-Dump-Analysis-Logo-300x300.png 300w, 
https:\/\/mohan.sg\/wp-content\/uploads\/2014\/12\/Fundamentals-Complete-Memory-Dump-Analysis-Logo-144x144.png 144w\" sizes=\"(max-width: 341px) 100vw, 341px\" \/><\/a><\/p>\n<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">find out the dumped kernel location and start analyzing the code.<\/div>\n<div class=\"gmail_default\">#crash \/usr\/lib\/debug\/lib\/modules\/2.6.32-279.el6.i686\/vmlinux \/var\/crash\/127.0.0.1-2013-07-18-09\\:40\\:28\/vmcore<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">KERNEL: \/usr\/lib\/debug\/lib\/modules\/2.6.32-279.el6.i686\/vmlinux<\/div>\n<div class=\"gmail_default\">DUMPFILE: \/var\/crash\/127.0.0.1-2013-07-18-09:40:28\/vmcore \u00a0[PARTIAL DUMP]<\/div>\n<div class=\"gmail_default\">CPUS: 1<\/div>\n<div class=\"gmail_default\">DATE: Thu Jul 18 09:40:21 2013<\/div>\n<div class=\"gmail_default\">UPTIME: 00:37:21<\/div>\n<div class=\"gmail_default\">LOAD AVERAGE: 934.79, 206.96, 67.74<\/div>\n<div class=\"gmail_default\">TASKS: 5494<\/div>\n<div class=\"gmail_default\">NODENAME: &lt;hostname&gt;<\/div>\n<div class=\"gmail_default\">RELEASE: 2.6.32-279.el6.i686<\/div>\n<div class=\"gmail_default\">VERSION: #1 SMP Fri Jun 22 10:59:55 UTC 2012<\/div>\n<div class=\"gmail_default\">MACHINE: i686 \u00a0(2933 Mhz)<\/div>\n<div class=\"gmail_default\">MEMORY: 895.6 MB<\/div>\n<div class=\"gmail_default\">PANIC: &#8220;Oops: 0002 [#1] SMP &#8221; (check log for details)<\/div>\n<div class=\"gmail_default\">PID: 6847<\/div>\n<div class=\"gmail_default\">COMMAND: &#8220;bash&#8221;<\/div>\n<div class=\"gmail_default\">TASK: ea142aa0 \u00a0[THREAD_INFO: db8ae000]<\/div>\n<div class=\"gmail_default\">CPU: 0<\/div>\n<div class=\"gmail_default\">STATE: TASK_RUNNING (PANIC)<\/div>\n<\/div>\n<div class=\"gmail_default\"><\/div>\n<div 
class=\"gmail_default\">The fields in this output are explained below:<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\"><b>KERNEL:<\/b> specifies the kernel running at the time of the crash.<\/div>\n<div class=\"gmail_default\"><b>DUMPFILE:<\/b> is the name of the dumped memory core.<\/div>\n<div class=\"gmail_default\"><b>CPUS:<\/b> is the number of CPUs on your machine.<\/div>\n<div class=\"gmail_default\"><b>DATE:<\/b> specifies the time of the crash.<\/div>\n<div class=\"gmail_default\"><b>TASKS:<\/b> indicates the number of tasks in memory at the time of the crash. A task is a set of program instructions loaded into memory.<\/div>\n<div class=\"gmail_default\"><b>NODENAME:<\/b> is the name of the crashed host.<\/div>\n<div class=\"gmail_default\"><b>RELEASE:<\/b> and <b>VERSION:<\/b> specify the kernel release and version.<\/div>\n<div class=\"gmail_default\"><b>MACHINE:<\/b> specifies the architecture of the CPU.<\/div>\n<div class=\"gmail_default\"><b>MEMORY:<\/b> is the size of the physical memory on the crashed machine.<\/div>\n<div class=\"gmail_default\"><b>PANIC:<\/b> specifies what kind of crash occurred on the machine.<\/div>\n<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">The panic here refers to the use of the magic keys (SysRq), with which we\u00a0deliberately triggered a crash.<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\"><b>SysRq (System Request)<\/b> refers to the <b>Magic Keys<\/b>, which allow you to send instructions directly to the kernel. They can be invoked using a keyboard sequence or by echoing letter commands to <b>\/proc\/sysrq-trigger<\/b>, provided the functionality is enabled. 
We have discussed this in the Kdump part.<\/div>\n<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">I attacked the system with a denial of service (DoS), making the system consume all its resources by forking.\u00a0<a href=\"http:\/\/www.cyberciti.biz\/faq\/understanding-bash-fork-bomb\/\" target=\"_blank\">forkbomb<\/a><\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">If you look at the load average of the crashed kernel, it is too high (<b>934.79, 206.96, 67.74<\/b>), and the process responsible was <b>PID:<\/b> <b>6847<\/b>.<\/div>\n<div class=\"gmail_default\"><b>\u00a0<\/b><\/div>\n<div class=\"gmail_default\">The error code in PANIC: &#8220;Oops: 0002 [#1] SMP&#8221; is decoded bit by bit with the values below.<b><br \/>\n<\/b><\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\n<table>\n<tr><th>Bit<\/th><th>Value 0<\/th><th>Value 1<\/th><\/tr>\n<tr><td><b>0<\/b><\/td><td>No page found<\/td><td>Invalid access<\/td><\/tr>\n<tr><td><b>1<\/b><\/td><td>Read or Execute<\/td><td>Write<\/td><\/tr>\n<tr><td><b>2<\/b><\/td><td>Kernel mode<\/td><td>User mode<\/td><\/tr>\n<tr><td><b>3<\/b><\/td><td>Not instruction fetch<\/td><td>Instruction fetch<\/td><\/tr>\n<\/table>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">From our PANIC analysis it is clear that <b>&#8220;we have a page not found during a write operation in Kernel mode; the fault was not an Instruction 
Fetch.<\/b>&#8221;<\/div>\n<\/div>\n<div class=\"gmail_default\"><b>\u00a0<\/b><\/div>\n<div class=\"gmail_default\">In the previous post we used &#8220;\/proc\/sysrq-trigger&#8221; from the command line to dump our kernel, but if your system is unresponsive you will be unable to trigger it that way. In such cases we enable the <b>SysRq feature<\/b> so that we can use the magic keys to collect the dump of the crashed kernel.<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\"># echo \"1\" &gt; \/proc\/sys\/kernel\/sysrq<\/div>\n<div class=\"gmail_default\">or add an entry to <b>\/etc\/sysctl.conf \u00a0<\/b><\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\"># vim\u00a0<b>\/etc\/sysctl.conf \u00a0<\/b><\/div>\n<div class=\"gmail_default\">kernel.sysrq = 1<\/div>\n<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">Once configured, you will be able to use the magic keys [ Alt + PrintScreen\/SysRq + &lt;option&gt; ]<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">The <b>options<\/b> are as below.<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">&#8216;b&#8217; \u00a0&#8211; Will immediately reboot the system without syncing or unmounting your disks.<\/div>\n<div class=\"gmail_default\">&#8216;c&#8217; \u00a0&#8211; Will perform a system crash by a NULL pointer\u00a0dereference. A crash dump will be taken if configured.<\/div>\n<div class=\"gmail_default\">&#8216;d&#8217; \u00a0&#8211; Shows all locks that are held.<\/div>\n<div class=\"gmail_default\">&#8216;e&#8217; \u00a0&#8211; Send a SIGTERM to all processes, except for init.<\/div>\n<div class=\"gmail_default\">&#8216;f&#8217;\u00a0 &#8211; Will call oom_kill to kill a memory hog process.<\/div>\n<div class=\"gmail_default\">&#8216;g&#8217;\u00a0 &#8211; Used by kgdb (kernel debugger)<\/div>\n<div class=\"gmail_default\">&#8216;h&#8217; 
\u00a0&#8211; Will display help<\/div>\n<div class=\"gmail_default\">&#8216;i&#8217; \u00a0&#8211; Send a SIGKILL to all processes, except for init.<\/div>\n<div class=\"gmail_default\">&#8216;j&#8217; \u00a0&#8211; Forcibly &#8220;Just thaw it&#8221; &#8211; filesystems frozen by the FIFREEZE ioctl.<\/div>\n<div class=\"gmail_default\">&#8216;k&#8217; \u00a0&#8211; Secure Access Key (SAK) Kills all programs on the current virtual console.<\/div>\n<div class=\"gmail_default\">&#8216;l&#8217; \u00a0 &#8211; Shows a stack backtrace for all active CPUs.<\/div>\n<div class=\"gmail_default\">&#8216;m&#8217; &#8211; Will dump current memory info to your console.<\/div>\n<div class=\"gmail_default\">&#8216;n&#8217; \u00a0&#8211; Used to make RT tasks nice-able<\/div>\n<div class=\"gmail_default\">&#8216;o&#8217; \u00a0&#8211; Will shut your system off (if configured and supported).<\/div>\n<div class=\"gmail_default\">&#8216;p&#8217; \u00a0&#8211; Will dump the current registers and flags to your console.<\/div>\n<div class=\"gmail_default\">&#8216;q&#8217; \u00a0&#8211; Will dump per CPU lists of all armed hrtimers (but NOT regular timer_list timers) and detailed information about all clockevent devices.<\/div>\n<div class=\"gmail_default\">&#8216;r&#8217; \u00a0&#8211; Turns off keyboard raw mode and sets it to XLATE.<\/div>\n<div class=\"gmail_default\">&#8216;s&#8217; \u00a0&#8211; Will attempt to sync all mounted filesystems.<\/div>\n<div class=\"gmail_default\">&#8216;t&#8217; \u00a0&#8211; Will dump a list of current tasks and their information to your console.<\/div>\n<div class=\"gmail_default\">&#8216;u&#8217; &#8211; Will attempt to remount all mounted filesystems read-only.<\/div>\n<div class=\"gmail_default\">&#8216;v&#8217;\u00a0&#8211; Forcefully restores framebuffer console<\/div>\n<div class=\"gmail_default\">&#8216;v&#8217;\u00a0&#8211; Causes ETM buffer dump [ARM-specific]<\/div>\n<div class=\"gmail_default\">&#8216;w&#8217;\u00a0&#8211; Dumps tasks 
that are in uninterruptible (blocked) state.<\/div>\n<div class=\"gmail_default\">&#8216;x&#8217;\u00a0&#8211; Used by xmon interface on ppc\/powerpc platforms. Show global PMU Registers on sparc64.<\/div>\n<div class=\"gmail_default\">&#8216;y&#8217;\u00a0&#8211; Show global CPU Registers [SPARC-64 specific]<\/div>\n<div class=\"gmail_default\">&#8216;z&#8217;\u00a0&#8211; Dump the ftrace buffer<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">[ Alt + SysRq + c ] &#8211; The crash is collected as the system reboots.<\/div>\n<div class=\"gmail_default\"><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/12\/kernel-crash.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4071\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/12\/kernel-crash.jpg\" alt=\"kernel-crash\" width=\"550\" height=\"294\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2014\/12\/kernel-crash.jpg 550w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/12\/kernel-crash-300x160.jpg 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/12\/kernel-crash-150x80.jpg 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/12\/kernel-crash-400x213.jpg 400w\" sizes=\"(max-width: 550px) 100vw, 550px\" \/><\/a><\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">We have analyzed the crash\u00a0to a certain extent; however, there are a few more commands which can help us understand more.<\/div>\n<div class=\"gmail_default\">Let us look at a few more basic commands which can be helpful.<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">crash&gt; help<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">* \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0files \u00a0 \u00a0 \u00a0 \u00a0 \u00a0mach \u00a0 \u00a0 \u00a0 repeat \u00a0 \u00a0 \u00a0timer<\/div>\n<div class=\"gmail_default\">alias \u00a0 \u00a0 
\u00a0 \u00a0 foreach \u00a0 \u00a0 mod \u00a0 \u00a0 \u00a0 \u00a0runq \u00a0 \u00a0 \u00a0 \u00a0 \u00a0tree<\/div>\n<div class=\"gmail_default\">ascii \u00a0 \u00a0 \u00a0 \u00a0 fuser \u00a0 \u00a0 \u00a0 \u00a0 mount \u00a0 \u00a0 search \u00a0 \u00a0 \u00a0 union<\/div>\n<div class=\"gmail_default\">bt \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 gdb \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 net \u00a0 \u00a0 \u00a0 \u00a0 set \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 vm<\/div>\n<div class=\"gmail_default\">btop \u00a0 \u00a0 \u00a0 \u00a0 \u00a0help \u00a0 \u00a0 \u00a0 \u00a0 \u00a0p \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0sig \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 vtop<\/div>\n<div class=\"gmail_default\">dev \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ipcs \u00a0 \u00a0 \u00a0 \u00a0 \u00a0ps \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 struct \u00a0 \u00a0 \u00a0 \u00a0 waitq<\/div>\n<div class=\"gmail_default\">dis \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0irq \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0pte \u00a0 \u00a0 \u00a0 \u00a0 swap \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 whatis<\/div>\n<div class=\"gmail_default\">eval \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 kmem \u00a0 \u00a0 \u00a0ptob \u00a0 \u00a0 \u00a0 \u00a0sym \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0wr<\/div>\n<div class=\"gmail_default\">exit \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 list \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ptov \u00a0 \u00a0 \u00a0 \u00a0sys \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0q<\/div>\n<div class=\"gmail_default\">extend \u00a0 \u00a0 \u00a0 log \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 rd \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 task<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\"><b>bt &#8211; backtrace &#8211;\u00a0Display a kernel stack backtrace :=<\/b><\/div>\n<div class=\"gmail_default\">The sequence of numbered lines, starting with the hash sign (#) is the call trace. It&#8217;s a list of kernel functions executed just prior to the crash. 
This gives us a good indication<\/p>\n<div class=\"gmail_default\">of what happened before the system went down.<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\"><b>\u00a0<\/b><\/div>\n<div class=\"gmail_default\"><b>crash&gt; bt<\/b><\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">PID: 6847 \u00a0 TASK: ea142aa0 \u00a0CPU: 0 \u00a0 COMMAND: &#8220;bash&#8221;<\/div>\n<div class=\"gmail_default\">\u00a0#0 [db8af618] crash_kexec at c049b75c<\/div>\n<div class=\"gmail_default\">\u00a0#1 [db8af66c] oops_end at c083fe92<\/div>\n<div class=\"gmail_default\">.<\/div>\n<div class=\"gmail_default\">.<\/div>\n<div class=\"gmail_default\">(output omitted &#8230;)<\/div>\n<div class=\"gmail_default\"><\/div>\n<\/div>\n<div class=\"gmail_default\"><b>foreach &#8211; display command data for multiple tasks in the system :=<\/b><\/div>\n<div class=\"gmail_default\">This command allows for an examination of various kernel data associated\u00a0with any, or all, tasks in the system, without having to set the context<\/p>\n<div class=\"gmail_default\">\u00a0to each targeted task.<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\"><b>crash&gt; foreach bt<\/b><\/div>\n<div class=\"gmail_default\"><b>.<\/b><\/div>\n<div class=\"gmail_default\"><b>.<\/b><\/div>\n<div class=\"gmail_default\">(output omitted..)<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\"><b>log &#8211; dump system message buffer :=<\/b><\/div>\n<div class=\"gmail_default\"><b>\u00a0<\/b><\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">The log command dumps the kernel log buffer contents in chronological order. This is similar to what you would see when you type <b>dmesg<\/b> on a running machine. This is useful when you want to look at the panic or oops message. An oops is triggered by some exception. 
It is a dump of the CPU registers&#8217; state and the kernel stack at that instant. From the panic message, we can find hints as to how the panic was triggered (e.g. the function, process, PID, command or address that triggered the panic), the register information, the kernel module list, whether the kernel is<\/p>\n<div class=\"gmail_default\">tainted with proprietary kernel modules loaded, and so on.<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\"><\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\"><b>crash&gt; log<\/b><\/div>\n<\/div>\n<div class=\"gmail_default\">(output omitted..)<\/div>\n<div class=\"gmail_default\">.<\/div>\n<div class=\"gmail_default\">.<\/div>\n<div class=\"gmail_default\">SysRq : Trigger a crash<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">BUG: unable to handle kernel NULL pointer dereference at (null)<\/div>\n<div class=\"gmail_default\">IP: [&lt;c06a0d8f&gt;] sysrq_handle_crash+0xf\/0x20<\/div>\n<div class=\"gmail_default\">*pdpt = 00000000116c3001 *pde = 0000000000000000<\/div>\n<div class=\"gmail_default\">Oops: 0002 [#1] SMP<\/div>\n<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">.<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">.<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">Pid: 6847, <b>comm: bash Not tainted<\/b> <b>2.6.32-279.el6.i686 #1 innotek GmbH\u00a0<\/b><\/div>\n<div class=\"gmail_default\">EIP: 0060:[&lt;c06a0d8f&gt;] EFLAGS: 00010096 CPU: 0<\/div>\n<div class=\"gmail_default\">EIP is at sysrq_handle_crash+0xf\/0x20<\/div>\n<div>.<\/div>\n<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">.<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">(output omitted..)<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div 
class=\"gmail_default\"><\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">We don&#8217;t observe any taint flags on the kernel (the log says &#8220;Not tainted&#8221;); each flag has its own meaning:<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\"><\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">P \u2014 Proprietary module has been loaded.<\/div>\n<div class=\"gmail_default\">F \u2014 Module has been forcibly loaded.<\/div>\n<div class=\"gmail_default\">S \u2014 SMP with a CPU not designed for SMP.<\/div>\n<div class=\"gmail_default\">R \u2014 User forced a module unload.<\/div>\n<div class=\"gmail_default\">M \u2014 System experienced a machine check exception.<\/div>\n<div class=\"gmail_default\">B \u2014 System has hit bad_page.<\/div>\n<div class=\"gmail_default\">U \u2014 Userspace-defined naughtiness.<\/div>\n<div class=\"gmail_default\">A \u2014 ACPI table overridden.<\/div>\n<div class=\"gmail_default\">W \u2014 Taint on warning.<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\"><b>ps &#8211; Display process status :=<\/b><\/div>\n<div class=\"gmail_default\">This command displays process status for selected, or all, processes in the system. 
If no arguments are entered, the process data is displayed for all processes.\u00a0The active task is marked with &#8220;&gt;&#8221;.<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">crash&gt; ps<\/div>\n<\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\u00a0 \u00a06846 \u00a0 5711 \u00a0 0 \u00a0d169d550 \u00a0UN \u00a0 0.1 \u00a0 \u00a05992 \u00a0 1112 \u00a0bash<\/div>\n<div class=\"gmail_default\">&gt; \u00a06847 \u00a0 \u00a0 \u00a01 \u00a0 0 \u00a0ea142aa0 \u00a0RU \u00a0 0.1 \u00a0 \u00a05992 \u00a0 1320 \u00a0bash<\/div>\n<div class=\"gmail_default\">\u00a0 \u00a06848 \u00a0 \u00a0 \u00a01 \u00a0 0 \u00a0d169d000 \u00a0UN \u00a0 0.1 \u00a0 \u00a05992 \u00a0 1368 \u00a0bash<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">As the output shows, there are a number of bash instances. The total number of bash instances is as below:<\/div>\n<div class=\"gmail_default\"><\/div>\n<div class=\"gmail_default\">\n<div class=\"gmail_default\">crash&gt; ps | fgrep bash | wc -l<\/div>\n<div class=\"gmail_default\">5363<\/div>\n<div class=\"gmail_default\">crash&gt;<\/div>\n<div><\/div>\n<div><b>\u00a0vm &#8211; virtual memory :=<\/b><\/div>\n<div>This command displays basic virtual memory information of a context, consisting of a pointer to its mm_struct and page directory, its RSS and total virtual memory size; and a list of pointers to each <b>vm_area_struct<\/b>, its starting and ending address, <b>vm_flags value<\/b>, and file path name.<\/div>\n<div><b>\u00a0<\/b><\/div>\n<div>\n<div>crash&gt; vm<\/div>\n<div>PID: 6847 \u00a0 TASK: ea142aa0 \u00a0CPU: 0 \u00a0 COMMAND: &#8220;bash&#8221;<\/div>\n<div>\u00a0 \u00a0MM \u00a0 \u00a0 \u00a0 PGD \u00a0 \u00a0 \u00a0RSS \u00a0 \u00a0TOTAL_VM<\/div>\n<div>e247f740 \u00a0d16c2000 \u00a01320k \u00a0 \u00a05992k<\/div>\n<div>\u00a0 VMA \u00a0 \u00a0 \u00a0 START \u00a0 \u00a0 
\u00a0END \u00a0 \u00a0FLAGS \u00a0FILE<\/div>\n<div>d16b66f8 \u00a0 \u00a070d000 \u00a0 \u00a070e000 4040075<\/div>\n<div>d16b6694 \u00a0 \u00a0760000 \u00a0 \u00a077e000 8000875 \u00a0\/lib\/ld-2.12.so<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"gmail_default\"><b>.<\/b><\/div>\n<div class=\"gmail_default\"><b>.<\/b><\/div>\n<div class=\"gmail_default\">(output omitted..)<b><br \/>\n<\/b><\/div>\n<div class=\"gmail_default\"><b>\u00a0<\/b><\/div>\n<div><b>files &#8211; open files :=<\/b><\/div>\n<div>This command displays information about open files of a context. It prints the context&#8217;s current root directory and current working directory, and then for each open file descriptor it prints a pointer to its file struct, a pointer to its dentry struct, a pointer to the inode, the file type, and the pathname.<\/div>\n<div><\/div>\n<div>\n<div>crash&gt; files 6427<\/div>\n<div>PID: 6427 \u00a0 TASK: d4150aa0 \u00a0CPU: 0 \u00a0 COMMAND: &#8220;bash&#8221;<\/div>\n<div>ROOT: \/ \u00a0 \u00a0CWD: \/var\/crash<\/div>\n<div>\u00a0FD \u00a0 \u00a0FILE \u00a0 \u00a0 DENTRY \u00a0 \u00a0INODE \u00a0 \u00a0TYPE \u00a0PATH<\/div>\n<div>\u00a0 0 \u00a0f6698240 \u00a0f3609df8 \u00a0f3610e48 \u00a0FIFO<\/div>\n<div>\u00a0 1 \u00a0d40791c0 \u00a0f377c8d0 \u00a0f377d1a8 \u00a0FIFO<\/div>\n<\/div>\n<div>.<\/div>\n<div>.<\/div>\n<div>(output omitted..)<\/div>\n<div><\/div>\n<div><b>runq &#8211; run queue :=<\/b><\/div>\n<div>\n<div>This command displays the tasks on the run queues<\/p>\n<div>of each cpu.<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<div>\n<div>\n<div>crash&gt; runq<\/div>\n<div>CPU 0 RUNQUEUE: c6408680<\/div>\n<div>\u00a0 CURRENT: PID: 6847 \u00a0 TASK: ea142aa0 \u00a0COMMAND: &#8220;bash&#8221;<\/div>\n<div>\u00a0 RT PRIO_ARRAY: c6408778<\/div>\n<div>\u00a0 \u00a0 \u00a0[no tasks queued]<\/div>\n<div>\u00a0 CFS RB_ROOT: c64086dc<\/div>\n<div>\u00a0 \u00a0 \u00a0[120] PID: 7990 \u00a0 TASK: 
c9bb1000 \u00a0COMMAND: &#8220;bash&#8221;<\/div>\n<div>\u00a0 \u00a0 \u00a0[120] PID: 8616 \u00a0 TASK: c13f8aa0 \u00a0COMMAND: &#8220;bash&#8221;<\/div>\n<div>\u00a0 \u00a0 \u00a0[120] PID: 7714 \u00a0 TASK: f2485550 \u00a0COMMAND: &#8220;bash&#8221;<\/div>\n<\/div>\n<\/div>\n<div>\n<div>.<\/div>\n<div>.<\/div>\n<div>(output omitted..)<\/div>\n<\/div>\n<div><\/div>\n<div>\n<div><b>timer &#8211; timer queue data :=<\/b><\/div>\n<\/div>\n<div>Displays the timer queue entries in chronological order, listing the target function names, the current value of jiffies, and the expiration time of each entry.<\/div>\n<div><\/div>\n<div>TVEC_BASES[0]: c0be66a0<\/div>\n<div>\n<div>\u00a0JIFFIES<\/div>\n<div>\u00a01941918<\/div>\n<div>\u00a0EXPIRES \u00a0TIMER_LIST \u00a0FUNCTION<\/div>\n<div>\u00a01941920 \u00a0 d4aa1b74 \u00a0 c0466210 \u00a0&lt;process_timeout&gt;<\/div>\n<div>\u00a01941920 \u00a0 d847fb74 \u00a0 c0466210 \u00a0&lt;process_timeout&gt;<\/div>\n<\/div>\n<div>\n<div>.<\/div>\n<div>.<\/div>\n<div>(output omitted..)<\/div>\n<\/div>\n<div><\/div>\n<div>\n<div><b>net &#8211; network command :=<\/b><\/div>\n<\/div>\n<div>Displays various network-related data.<\/div>\n<div><\/div>\n<div>\n<div>crash&gt; net<\/div>\n<div>NET_DEVICE \u00a0NAME \u00a0 IP ADDRESS(ES)<\/div>\n<div>\u00a0f70e6820 \u00a0 lo \u00a0 \u00a0 127.0.0.1<\/div>\n<div>\u00a0f4f32020 \u00a0 eth0 \u00a0 &lt;ipaddress-2&gt;<\/div>\n<div>\u00a0c171e020 \u00a0 eth1 \u00a0 &lt;ipaddress-1&gt;<\/div>\n<div>crash&gt;<\/div>\n<\/div>\n<div><\/div>\n<div>We have covered some of the basics of kernel dump analysis, which help in understanding what went on inside the kernel to crash the system. 
As a best practice we need to analyze the dump and take necessary actions to avoid the re-occurrences.<\/div>\n<div><\/div>\n<div>&#8220;there are lot of administrators who don&#8217;t care rebooting server, but need server online&#8221;.<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Kernel Crash Report\/Crash Dump Analysis In my previous post, we have configured how to capture kernel dump for reference click on the link kernel crash dump Here in this article,we master the basic usage of crash utility to open the dumped memory core and process the information contained therein and to intercept the output. <\/p>\n<p> [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,4,50],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4068"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4068"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4068\/revisions"}],"predecessor-version":[{"id":4072,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4068\/revisions\/4072"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4068"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4068"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4068"}],"curies":[{"name":"wp",
"href":"https:\/\/api.w.org\/{rel}","templated":true}]}}