The lke and stbl subcommands may be used to display the current state of loaded kernel extensions. During the boot phase, KDB is called to try to load each extension's symbol table, and a message is printed to say what happened. In the following example, unix and one driver have a symbol table. If a kernel extension is stripped, its symbol table is not loaded in memory, but a new symbol table can be built from the traceback table; the lke subcommand can be used for this purpose. KDB manages a symbol name cache, which is filled with function names by the lke entry subcommand. This cache is a circular buffer: when it is full, new entries replace the oldest ones.

... during boot phase
no symbol [/etc/drivers/mddtu_load]
no symbol [/etc/drivers/fd]
Preserving 14280 bytes of symbol table [/etc/drivers/rsdd]
no symbol [/etc/drivers/posixdd]
no symbol [/etc/drivers/dtropendd]
...
KDB(4)> stbl                      list symbol table entries
  LDRENTRY TEXT     DATA     TOC      MODULE NAME
1 00000000 00000000 00000000 00207EF0 /unix
2 0B04C400 0156F0F0 015784F0 01578840 /etc/drivers/rsdd
KDB(4)> rmst 2                    ignore second entry
KDB(4)> stbl                      list symbol table entries
  LDRENTRY TEXT     DATA     TOC      MODULE NAME
1 00000000 00000000 00000000 00207EF0 /unix
KDB(4)> stbl 1                    list a symbol table entry
  LDRENTRY TEXT     DATA     TOC      MODULE NAME
1 00000000 00000000 00000000 00207EF0 /unix
st_desc addr.... 00153920
symoff.......... 002A9EB8
nb_sym.......... 0000551E
...
(0)> lke ?                        help
A KERNEXT FUNCTION NAME CACHE exists with 1024 entries max (circular buffer)
Usage: lke <entry> to populate the cache
Usage: lke -a <address> to populate the cache
Usage: lke -l to list the cache
(0)> lke                          list loaded kernel extensions
   ADDRESS  FILE     FILESIZE FLAGS    MODULE NAME
 1 055ADD00 014620C0 000076CC 00000262 /usr/lib/drivers/pse/psekdb
 2 055AD780 05704000 000702D0 00000272 /usr/lib/drivers/nfs.ext
 3 055AD880 05781000 00000D74 00000248 /unix
 4 055AD380 01461D58 00000348 00000272 /usr/lib/drivers/nfs_kdes.ext
 5 055AD800 056F7000 00000D20 00000248 /unix
 6 055AD600 01455140 0000CC0C 00000262 /etc/drivers/ptydd
 7 055AD500 01451400 00003D2C 00000272 /usr/lib/drivers/if_en
 8 055AD580 05656000 00000D20 00000248 /unix
 9 055AD400 055FB000 0004E038 00000272 /usr/lib/drivers/netinet
...
39 05518200 0135FA60 00006EFC 00000262 /etc/drivers/bscsidd
40 05518300 0135F5B8 0000049C 00000272 /etc/drivers/lsadd
41 05518180 04F7D000 00000CCC 00000248 /unix
42 05518280 0135E020 00001590 00000262 /etc/drivers/mca_ppc_busdd
43 04F61100 00326BF8 00000000 00000256 /unix
44 04F61158 04F62000 00000CCC 00000248 /unix
(0)> lke 40                       print slot 40 and process traceback table
   ADDRESS  FILE     FILESIZE FLAGS    MODULE NAME
40 05518300 0135F5B8 0000049C 00000272 /etc/drivers/lsadd
le_flags....... TEXT KERNELEX DATAINTEXT DATA DATAEXISTS
le_next........ 05518180 le_fp.......... 00000000
le_filename.... 05518358 le_file........ 0135F5B8
le_filesize.... 0000049C le_data........ 0135F988
le_tid......... 00000000 le_datasize.... 000000CC
le_usecount.... 00000008 le_loadcount... 00000001
le_ndepend..... 00000001 le_maxdepend... 00000001
le_ule......... 04F86000 le_deferred.... 00000000
le_exports..... 04F86000 le_de.......... 632E6100
le_searchlist.. C0000420 le_dlusecount.. 00000000
le_dlindex..... 0000622F le_lex......... 00000000
TOC@........... 0135FA10
<PROCESS TRACE BACKS>
.lsa_pos_unlock 0135F6B4
.lsa_pos_lock 0135F6E4
.lsa_config 0135F738
.lockl.glink 0135F86C
.pincode.glink 0135F894
.lock_alloc.glink 0135F8BC
.simple_lock_init.glink 0135F8E4
.unpincode.glink 0135F90C
.lock_free.glink 0135F934
.unlockl.glink 0135F95C
(0)> lke -a 0135E51C              using a kernext address as argument
   ADDRESS  FILE     FILESIZE FLAGS    MODULE NAME
 1 05518280 0135E020 00001590 00000262 /etc/drivers/mca_ppc_busdd
le_flags....... TEXT DATAINTEXT DATA DATAEXISTS
le_next........ 04F61100 le_fp.......... 00000000
le_filename.... 055182D8 le_file........ 0135E020
le_filesize.... 00001590 le_data........ 0135F380
le_tid......... 00000000 le_datasize.... 00000230
le_usecount.... 00000001 le_loadcount... 00000001
le_ndepend..... 00000001 le_maxdepend... 00000001
le_ule......... 00000000 le_deferred.... 00000000
le_exports..... 00000000 le_de.......... 6366672E
le_searchlist.. C0000420 le_dlusecount.. 00000000
le_dlindex..... 00006C69 le_lex......... 00000000
TOC@........... 0135F4F8
<PROCESS TRACE BACKS>
.mca_ppc_businit 0135E120
.complete_error 0135E38C
.d_protect_ppc 0135E51C
.d_move_ppc 0135E608
.d_bflush_ppc 0135E630
.d_cflush_ppc 0135E65C
.d_complete_ppc 0135E688
.d_master_ppc 0135E7B4
.d_slave_ppc 0135E974
.d_unmask_ppc 0135EBA4
.d_mask_ppc 0135EC40
.d_clear_ppc 0135ECD8
.d_init_ppc 0135ED8C
.vm_att.glink 0135EF88
.lock_alloc.glink 0135EFB0
.simple_lock_init.glink 0135EFD8
.vm_det.glink 0135F000
.pincode.glink 0135F028
.bcopy 0135F060
.copystr 0135F238
.errsave.glink 0135F2E0
.xmemdma_ppc.glink 0135F308
.xmemqra.glink 0135F330
.xmemacc.glink 0135F358
(0)> lke -l                       list current name cache
KERNEXT FUNCTION NAME CACHE
.lsa_pos_unlock 0135F6B4
.lsa_pos_lock 0135F6E4
.lsa_config 0135F738
.lockl.glink 0135F86C
.pincode.glink 0135F894
.lock_alloc.glink 0135F8BC
.simple_lock_init.glink 0135F8E4
.unpincode.glink 0135F90C
.lock_free.glink 0135F934
.unlockl.glink 0135F95C
.mca_ppc_businit 0135E120
.complete_error 0135E38C
.d_protect_ppc 0135E51C
.d_move_ppc 0135E608
.d_bflush_ppc 0135E630
.d_cflush_ppc 0135E65C
.d_complete_ppc 0135E688
.d_master_ppc 0135E7B4
.d_slave_ppc 0135E974
.d_unmask_ppc 0135EBA4
.d_mask_ppc 0135EC40
.d_clear_ppc 0135ECD8
.d_init_ppc 0135ED8C
.vm_att.glink 0135EF88
.lock_alloc.glink 0135EFB0
.simple_lock_init.glink 0135EFD8
.vm_det.glink 0135F000
.pincode.glink 0135F028
.bcopy 0135F060
.copystr 0135F238
.errsave.glink 0135F2E0
.xmemdma_ppc.glink 0135F308
.xmemqra.glink 0135F330
.xmemacc.glink 0135F358
00 KERNEXT FUNCTION range [0135F6B4 0135F974] 10 entries
01 KERNEXT FUNCTION range [0135E120 0135F370] 24 entries
(0)> dc .lsa_                     if name is not unique
Ambiguous: [kernext function name cache]
0135F6B4 .lsa_pos_unlock
0135F6E4 .lsa_pos_lock
0135F738 .lsa_config
(0)> expected symbol or address
(0)> dc .lsa_config 11            display code
.lsa_config+000000 stmw r29,FFFFFFF4(stkp)
.lsa_config+000004 mflr r0
.lsa_config+000008 ori r31,r3,0
.lsa_config+00000C stw r0,8(stkp)
.lsa_config+000010 stwu stkp,FFFFFFB0(stkp)
.lsa_config+000014 li r30,0
.lsa_config+000018 lwz r3,C(toc)
.lsa_config+00001C li r4,0
.lsa_config+000020 bl <.lockl.glink>
.lsa_config+000024 lwz toc,14(stkp)
.lsa_config+000028 lwz r29,14(toc)
(0)> dc .lockl.glink 6            display glink code
.lockl.glink+000000 lwz r12,10(toc)
.lockl.glink+000004 stw toc,14(stkp)
.lockl.glink+000008 lwz r0,0(r12)
.lockl.glink+00000C lwz toc,4(r12)
.lockl.glink+000010 mtctr r0
.lockl.glink+000014 bcctr

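
The address-to-name lookup that lke -a and dc perform against traceback-derived names can be repeated offline on a saved KDB session, for example to attribute a suspicious kernel address to the extension and function that own it. The Python code below is an added example, not part of KDB or of the original page; it assumes that the FILE and FILESIZE columns delimit each loaded image (consistent with lke -a 0135E51C selecting mca_ppc_busdd above), and the names parse_modules, parse_symbols, resolve and by_prefix are hypothetical.

```python
import bisect
import re

# Rows copied from the lke output shown above (a subset: slots 40 and 42).
LKE_LIST = """\
40 05518300 0135F5B8 0000049C 00000272 /etc/drivers/lsadd
42 05518280 0135E020 00001590 00000262 /etc/drivers/mca_ppc_busdd
"""
TRACEBACKS = """\
.lsa_pos_unlock 0135F6B4
.lsa_pos_lock 0135F6E4
.lsa_config 0135F738
.lockl.glink 0135F86C
.mca_ppc_businit 0135E120
.complete_error 0135E38C
.d_protect_ppc 0135E51C
.d_move_ppc 0135E608
"""
HEX = r"([0-9A-F]{8})"
ROW = re.compile(rf"^\s*\d+\s+{HEX}\s+{HEX}\s+{HEX}\s+{HEX}\s+(\S+)\s*$")
SYM = re.compile(rf"^\s*(\.\S+)\s+{HEX}\s*$")

def parse_modules(text):
    """(start, end, name) per extension. Assumption: FILE..FILE+FILESIZE is the image."""
    mods = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        start = int(m.group(2), 16)
        mods.append((start, start + int(m.group(3), 16), m.group(5)))
    return mods

def parse_symbols(text):
    """(address, name) pairs from traceback lines, sorted by address."""
    return sorted((int(m.group(2), 16), m.group(1))
                  for m in filter(None, map(SYM.match, text.splitlines())))

def resolve(addr, mods, syms):
    """(module, function, offset) for addr, or None if no listed image contains it."""
    for start, end, name in mods:
        if start <= addr < end:
            i = bisect.bisect_right(syms, (addr, "\uffff")) - 1
            if i >= 0 and syms[i][0] >= start:
                return name, syms[i][1], addr - syms[i][0]
            return name, None, addr - start  # before the first known function
    return None

def by_prefix(prefix, syms):
    """Names matching a prefix; more than one is what dc reports as Ambiguous."""
    return [name for _, name in syms if name.startswith(prefix)]
```

An address that falls inside an image but before its first known function is returned with a function of None and an offset from the image start, which is the case to expect for stripped extensions whose traceback table has not yet been processed with lke.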
The exp subcommand may be used to look up the address of an exported symbol or to display the export list. By default the whole export list is printed, but a string may be specified as a prefix. Note that export tables can be paged out.

KDB(0)> exp                       list export table
000814D4 pio_assist
019A7708 puthere
0007BE90 vmminfo
00081FD4 socket
01A28A50 tcp_input
01A28BFC in_pcb_hash_del
019A78E8 adjmsg
0000BAB8 execexit
00325138 loif
01980874 lvm_kp_tid
000816E4 ns_detach
019A7930 mps_wakeup
01A28C50 ip_forward
00081E60 ksettickd
000810AC uiomove
000811EC blkflush
0018D97C setpriv
01A5CD38 clntkudp_init
000820D0 soqremque
00178824 devtosth
00081984 rtinithead
01A5CD8C xdr_rmtcall_args
(0)> more (^C to quit) ? ^C       interrupt
KDB(0)> exp send                  search in export table
00081F5C sendmsg
00081F80 sendto
00081F74 send
KDB(0)>