Provided by: python3-drgn_0.0.29-1_amd64 
NAME
drgn - drgn 0.0.29
drgn (pronounced "dragon") is a debugger with an emphasis on programmability. drgn
exposes the types and variables in a program for easy, expressive scripting in Python. For
example, you can debug the Linux kernel:
>>> from drgn.helpers.linux import list_for_each_entry
>>> for mod in list_for_each_entry('struct module',
... prog['modules'].address_of_(),
... 'list'):
... if mod.refcnt.counter > 10:
... print(mod.name)
...
(char [56])"snd"
(char [56])"evdev"
(char [56])"i915"
Although other debuggers like GDB have scripting support, drgn aims to make scripting as
natural as possible so that debugging feels like coding. This makes it well-suited for
introspecting the complex, inter-connected state in large programs.
Additionally, drgn is designed as a library that can be used to build debugging and
introspection tools; see the official tools.
drgn was developed at Meta for debugging the Linux kernel (as an alternative to the crash
utility), but it can also debug userspace programs written in C. C++ support is in
progress.
In addition to the main Python API, an experimental C library, libdrgn, is also available.
See the Installation instructions. Then, start with the User Guide.
GETTING HELP
• The GitHub issue tracker is the preferred method to report issues.
• There is also a Linux Kernel Debuggers Matrix room.
LICENSE
Copyright (c) Meta Platforms, Inc. and affiliates.
drgn is licensed under the LGPLv2.1 or later.
ACKNOWLEDGEMENTS
drgn is named after this because dragons eat dwarves.
TABLE OF CONTENTS
Installation
There are several options for installing drgn.
Dependencies
drgn depends on:
• Python 3.6 or newer
• elfutils 0.165 or newer
It optionally depends on:
• libkdumpfile for makedumpfile compressed kernel core dump format support
The build requires:
• GCC
• GNU Make
• pkgconf
• setuptools
Running tests requires:
• check 0.10.0 or newer
Building from the Git repository (rather than a release tarball) additionally requires:
• autoconf
• automake
• libtool
Installation
Package Manager
drgn can be installed using the package manager on some Linux distributions.
• Fedora >= 32
$ sudo dnf install drgn
• RHEL/CentOS >= 8
Enable EPEL. Then:
$ sudo dnf install drgn
• Arch Linux
Install the drgn package from the AUR.
• Debian >= 12 (Bookworm)
$ sudo apt install python3-drgn
• Gentoo
$ sudo emerge dev-debug/drgn
• openSUSE
$ sudo zypper install python3-drgn
• Ubuntu
Enable the michel-slm/kernel-utils PPA. Then:
$ sudo apt install python3-drgn
pip
If your Linux distribution doesn't package the latest release of drgn, you can install it
with pip.
First, install pip. Then, run:
$ sudo pip3 install drgn
This will install a binary wheel by default. If you get a build error, then pip wasn't
able to use the binary wheel. Install the dependencies listed below and try again.
Note that RHEL/CentOS 6, Debian Stretch, Ubuntu Trusty, and Ubuntu Xenial (and older) ship
Python versions which are too old. Python 3.6 or newer must be installed.
From Source
To get the development version of drgn, you will need to build it from source. First,
install dependencies:
• Fedora
$ sudo dnf install autoconf automake check-devel elfutils-devel gcc git libkdumpfile-devel libtool make pkgconf python3 python3-devel python3-pip python3-setuptools
• RHEL/CentOS
$ sudo dnf install autoconf automake check-devel elfutils-devel gcc git libtool make pkgconf python3 python3-devel python3-pip python3-setuptools
Optionally, install libkdumpfile-devel from EPEL on RHEL/CentOS >= 8 or install ‐
libkdumpfile from source if you want support for the makedumpfile format.
Replace dnf with yum for RHEL/CentOS < 8.
• Debian/Ubuntu
$ sudo apt install autoconf automake check gcc git liblzma-dev libelf-dev libdw-dev libtool make pkgconf python3 python3-dev python3-pip python3-setuptools zlib1g-dev
Optionally, install libkdumpfile from source if you want support for the makedumpfile
format.
• Arch Linux
$ sudo pacman -S --needed autoconf automake check gcc git libelf libtool make pkgconf python python-pip python-setuptools
Optionally, install libkdumpfile from the AUR or from source if you want support for the
makedumpfile format.
• Gentoo
$ sudo emerge --noreplace --oneshot dev-build/autoconf dev-build/automake dev-libs/check dev-libs/elfutils sys-devel/gcc dev-vcs/git dev-libs/libkdumpfile dev-build/libtool dev-build/make dev-python/pip virtual/pkgconfig dev-lang/python dev-python/setuptools
• openSUSE
$ sudo zypper install autoconf automake check-devel gcc git libdw-devel libelf-devel libkdumpfile-devel libtool make pkgconf python3 python3-devel python3-pip python3-setuptools
Then, run:
$ git clone https://github.com/osandov/drgn.git
$ cd drgn
$ python3 setup.py build
$ sudo python3 setup.py install
Virtual Environment
The above options all install drgn globally. You can also install drgn in a virtual
environment, either with pip:
$ python3 -m venv drgnenv
$ source drgnenv/bin/activate
(drgnenv) $ pip3 install drgn
(drgnenv) $ drgn --help
Or from source:
$ python3 -m venv drgnenv
$ source drgnenv/bin/activate
(drgnenv) $ python3 setup.py install
(drgnenv) $ drgn --help
Running Locally
If you build drgn from source, you can also run it without installing it:
$ python3 setup.py build_ext -i
$ python3 -m drgn --help
User Guide
Quick Start
drgn debugs the running kernel by default; run sudo drgn. To debug a running program, run
sudo drgn -p $PID. To debug a core dump (either a kernel vmcore or a userspace core dump),
run drgn -c $PATH. Make sure to install debugging symbols for whatever you are debugging.
Then, you can access variables in the program with prog['name'] and access structure
members with .:
$ sudo drgn
>>> prog['init_task'].comm
(char [16])"swapper/0"
You can use various predefined helpers:
>>> len(list(bpf_prog_for_each()))
11
>>> task = find_task(115)
>>> cmdline(task)
[b'findmnt', b'-p']
You can get stack traces with stack_trace() and access parameters or local variables with
trace['name']:
>>> trace = stack_trace(task)
>>> trace[5]
#5 at 0xffffffff8a5a32d0 (do_sys_poll+0x400/0x578) in do_poll at ./fs/select.c:961:8 (inlined)
>>> poll_list = trace[5]['list']
>>> file = fget(task, poll_list.entries[0].fd)
>>> d_path(file.f_path.address_of_())
b'/proc/115/mountinfo'
Core Concepts
The most important interfaces in drgn are programs, objects, and helpers.
Programs
A program being debugged is represented by an instance of the drgn.Program class. The drgn
CLI is initialized with a Program named prog; unless you are using the drgn library
directly, this is usually the only Program you will need.
A Program is used to look up type definitions, access variables, and read arbitrary
memory:
>>> prog.type('unsigned long')
prog.int_type(name='unsigned long', size=8, is_signed=False)
>>> prog['jiffies']
Object(prog, 'volatile unsigned long', address=0xffffffffbe405000)
>>> prog.read(0xffffffffbe411e10, 16)
b'swapper/0\x00\x00\x00\x00\x00\x00\x00'
The drgn.Program.type(), drgn.Program.variable(), drgn.Program.constant(), and
drgn.Program.function() methods look up those various things in a program.
drgn.Program.read() reads memory from the program's address space. The [] operator looks
up a variable, constant, or function:
>>> prog['jiffies'] == prog.variable('jiffies')
True
It is usually more convenient to use the [] operator rather than the variable(),
constant(), or function() methods unless the program has multiple objects with the same
name, in which case the methods provide more control.
Objects
Variables, constants, functions, and computed values are all called objects in drgn.
Objects are represented by the drgn.Object class. An object may exist in the memory of the
program (a reference):
>>> Object(prog, 'int', address=0xffffffffc09031a0)
Or, an object may be a constant or temporary computed value (a value):
>>> Object(prog, 'int', value=4)
What makes drgn scripts expressive is that objects can be used almost exactly like they
would be in the program's own source code. For example, structure members can be accessed
with the dot (.) operator, arrays can be subscripted with [], arithmetic can be performed,
and objects can be compared:
>>> print(prog['init_task'].comm[0])
(char)115
>>> print(repr(prog['init_task'].nsproxy.mnt_ns.mounts + 1))
Object(prog, 'unsigned int', value=34)
>>> prog['init_task'].nsproxy.mnt_ns.pending_mounts > 0
False
Python doesn't have all of the operators that C or C++ do, so some substitutions are
necessary:
• Instead of *ptr, dereference a pointer with ptr[0].
• Instead of ptr->member, access a member through a pointer with ptr.member.
• Instead of &var, get the address of a variable with var.address_of_().
A common use case is converting a drgn.Object to a Python value so it can be used by a
standard Python library. There are a few ways to do this:
• The drgn.Object.value_() method gets the value of the object with the directly
corresponding Python type (i.e., integers and pointers become int, floating-point types
become float, booleans become bool, arrays become list, structures and unions become
dict).
• The drgn.Object.string_() method gets a null-terminated string as bytes from an array or
pointer.
• The int(), float(), and bool() functions do an explicit conversion to that Python type.
Objects have several attributes; the most important are drgn.Object.prog_ and
drgn.Object.type_. The former is the drgn.Program that the object is from, and the latter
is the drgn.Type of the object.
Note that all attributes and methods of the Object class end with an underscore (_) in
order to avoid conflicting with structure or union members. The Object attributes and
methods always take precedence; use drgn.Object.member_() if there is a conflict.
References vs. Values
The main difference between reference objects and value objects is how they are evaluated.
References are read from the program's memory every time they are evaluated; values simply
return the stored value (drgn.Object.read_() reads a reference object and returns it as a
value object):
>>> import time
>>> jiffies = prog['jiffies']
>>> jiffies.value_()
4391639989
>>> time.sleep(1)
>>> jiffies.value_()
4391640290
>>> jiffies2 = jiffies.read_()
>>> jiffies2.value_()
4391640291
>>> time.sleep(1)
>>> jiffies2.value_()
4391640291
>>> jiffies.value_()
4391640593
References have a drgn.Object.address_ attribute, which is the object's address as a
Python int. This is slightly different from the drgn.Object.address_of_() method, which
returns the address as a drgn.Object. Of course, both references and values can have a
pointer type; address_ refers to the address of the pointer object itself, and
drgn.Object.value_() refers to the value of the pointer (i.e., the address it points to):
>>> address = prog['jiffies'].address_
>>> type(address)
<class 'int'>
>>> print(hex(address))
0xffffffffbe405000
>>> jiffiesp = prog['jiffies'].address_of_()
>>> jiffiesp
Object(prog, 'volatile unsigned long *', value=0xffffffffbe405000)
>>> print(hex(jiffiesp.value_()))
0xffffffffbe405000
Absent Objects
In addition to reference objects and value objects, objects may also be absent.
>>> Object(prog, "int").value_()
Traceback (most recent call last):
File "<console>", line 1, in <module>
_drgn.ObjectAbsentError: object absent
This represents an object whose value or address is not known. For example, this can
happen if the object was optimized out of the program by the compiler.
Any attempt to operate on an absent object results in a drgn.ObjectAbsentError exception,
although basic information including its type may still be accessed.
Helpers
Some programs have common data structures that you may want to examine. For example,
consider linked lists in the Linux kernel:
struct list_head {
struct list_head *next, *prev;
};
#define list_for_each(pos, head) \
for (pos = (head)->next; pos != (head); pos = pos->next)
When working with these lists, you'd probably want to define a function:
def list_for_each(head):
pos = head.next
while pos != head:
yield pos
pos = pos.next
Then, you could use it like so for any list you need to look at:
>>> for pos in list_for_each(head):
... do_something_with(pos)
Of course, it would be a waste of time and effort for everyone to have to define these
helpers for themselves, so drgn includes a collection of helpers for many use cases. See
Helpers.
Validators
Validators are a special category of helpers that check the consistency of a data
structure. In general, helpers assume that the data structures that they examine are
valid. Validators do not make this assumption and do additional (potentially expensive)
checks to detect broken invariants, corruption, etc.
Validators raise drgn.helpers.ValidationError if the data structure is not valid or
drgn.FaultError if the data structure is invalid in a way that causes a bad memory access.
They have names prefixed with validate_.
For example, drgn.helpers.linux.list.validate_list() checks the consistency of a linked
list in the Linux kernel (in particular, the consistency of the next and prev pointers):
>>> validate_list(prog["my_list"].address_of_())
drgn.helpers.ValidationError: (struct list_head *)0xffffffffc029e460 next 0xffffffffc029e000 has prev 0xffffffffc029e450
drgn.helpers.linux.list.validate_list_for_each_entry() does the same checks while also
returning the entries in the list for further validation:
def validate_my_list(prog):
for entry in validate_list_for_each_entry(
"struct my_entry",
prog["my_list"].address_of_(),
"list",
):
if entry.value < 0:
raise ValidationError("list contains negative entry")
Other Concepts
In addition to the core concepts above, drgn provides a few additional abstractions.
Threads
The drgn.Thread class represents a thread. drgn.Program.threads(), drgn.Program.thread(),
drgn.Program.main_thread(), and drgn.Program.crashed_thread() can be used to find threads:
>>> for thread in prog.threads():
... print(thread.tid)
...
39143
39144
>>> print(prog.main_thread().tid)
39143
>>> print(prog.crashed_thread().tid)
39144
Stack Traces
drgn represents stack traces with the drgn.StackTrace and drgn.StackFrame classes.
drgn.stack_trace(), drgn.Program.stack_trace(), and drgn.Thread.stack_trace() return the
call stack for a thread. The [] operator looks up an object in the scope of a StackFrame:
>>> trace = stack_trace(115)
>>> trace
#0 context_switch (./kernel/sched/core.c:4683:2)
#1 __schedule (./kernel/sched/core.c:5940:8)
#2 schedule (./kernel/sched/core.c:6019:3)
#3 schedule_hrtimeout_range_clock (./kernel/time/hrtimer.c:2148:3)
#4 poll_schedule_timeout (./fs/select.c:243:8)
#5 do_poll (./fs/select.c:961:8)
#6 do_sys_poll (./fs/select.c:1011:12)
#7 __do_sys_poll (./fs/select.c:1076:8)
#8 __se_sys_poll (./fs/select.c:1064:1)
#9 __x64_sys_poll (./fs/select.c:1064:1)
#10 do_syscall_x64 (./arch/x86/entry/common.c:50:14)
#11 do_syscall_64 (./arch/x86/entry/common.c:80:7)
#12 entry_SYSCALL_64+0x7c/0x15b (./arch/x86/entry/entry_64.S:113)
#13 0x7f3344072af7
>>> trace[5]
#5 at 0xffffffff8a5a32d0 (do_sys_poll+0x400/0x578) in do_poll at ./fs/select.c:961:8 (inlined)
>>> prog['do_poll']
(int (struct poll_list *list, struct poll_wqueues *wait, struct timespec64 *end_time))<absent>
>>> trace[5]['list']
*(struct poll_list *)0xffffacca402e3b50 = {
.next = (struct poll_list *)0x0,
.len = (int)1,
.entries = (struct pollfd []){},
}
Symbols
The symbol table of a program is a list of identifiers along with their address and size.
drgn represents symbols with the drgn.Symbol class, which is returned by
drgn.Program.symbol().
Types
drgn automatically obtains type definitions from the program. Types are represented by the
drgn.Type class and created by various factory functions like drgn.Program.int_type():
>>> prog.type('int')
prog.int_type(name='int', size=4, is_signed=True)
You won't usually need to work with types directly, but see Types if you do.
Platforms
Certain operations and objects in a program are platform-dependent; drgn allows accessing
the platform that a program runs with the drgn.Platform class.
Command Line Interface
The drgn CLI is basically a wrapper around the drgn library which automatically creates a
drgn.Program. The CLI can be run in interactive mode or script mode.
Script Mode
Script mode is useful for reusable scripts. Simply pass the path to the script along with
any arguments:
$ cat script.py
import sys
from drgn.helpers.linux import find_task
pid = int(sys.argv[1])
uid = find_task(pid).cred.uid.val.value_()
print(f'PID {pid} is being run by UID {uid}')
$ sudo drgn script.py 601
PID 601 is being run by UID 1000
It's even possible to run drgn scripts directly with the proper shebang:
$ cat script2.py
#!/usr/bin/env drgn
mounts = prog['init_task'].nsproxy.mnt_ns.mounts.value_()
print(f'You have {mounts} filesystems mounted')
$ sudo ./script2.py
You have 36 filesystems mounted
Interactive Mode
Interactive mode uses the Python interpreter's interactive mode and adds a few nice
features, including:
• History
• Tab completion
• Automatic import of relevant helpers
• Pretty printing of objects and types
The default behavior of the Python REPL is to print the output of repr(). For drgn.Object
and drgn.Type, this is a raw representation:
>>> print(repr(prog['jiffies']))
Object(prog, 'volatile unsigned long', address=0xffffffffbe405000)
>>> print(repr(prog.type('atomic_t')))
prog.typedef_type(name='atomic_t', type=prog.struct_type(tag=None, size=4, members=(TypeMember(prog.type('int'), name='counter', bit_offset=0),)))
The standard print() function uses the output of str(). For drgn objects and types, this
is a representation in programming language syntax:
>>> print(prog['jiffies'])
(volatile unsigned long)4395387628
>>> print(prog.type('atomic_t'))
typedef struct {
int counter;
} atomic_t
In interactive mode, the drgn CLI automatically uses str() instead of repr() for objects
and types, so you don't need to call print() explicitly:
$ sudo drgn
>>> prog['jiffies']
(volatile unsigned long)4395387628
>>> prog.type('atomic_t')
typedef struct {
int counter;
} atomic_t
Next Steps
Refer to the API Reference. Look through the Helpers. Read some Case Studies. Browse
through the tools. Check out the community contributions.
Advanced Usage
The User Guide covers basic usage of drgn, but drgn also supports more advanced use cases
which are covered here.
Loading Debugging Symbols
drgn will automatically load debugging information based on the debugged program (e.g.,
from loaded kernel modules or loaded shared libraries). drgn.Program.load_debug_info()
can be used to load additional debugging information:
>>> prog.load_debug_info(['./libfoo.so', '/usr/lib/libbar.so'])
Library
In addition to the CLI, drgn is also available as a library.
drgn.program_from_core_dump(), drgn.program_from_kernel(), and drgn.program_from_pid()
correspond to the -c, -k, and -p command line options, respectively; they return a
drgn.Program that can be used just like the one initialized by the CLI:
>>> import drgn
>>> prog = drgn.program_from_kernel()
C Library
The core functionality of drgn is implemented in C and is available as a C library,
libdrgn. See drgn.h.
Full documentation can be generated by running doxygen in the libdrgn directory of the
source code. Note that the API and ABI are not yet stable.
Custom Programs
The main components of a drgn.Program are the program memory, types, and symbols. The CLI
and equivalent library interfaces automatically determine these. However, it is also
possible to create a "blank" Program and plug in the main components. The
drgn.cli.run_interactive() function allows you to run the same drgn CLI once you've
created a drgn.Program, so it's easy to make a custom program which allows interactive
debugging.
drgn.Program.add_memory_segment() defines a range of memory and how to read that memory.
The following example uses a Btrfs filesystem image as the program "memory":
import drgn
import os
import sys
from drgn.cli import run_interactive
def btrfs_debugger(dev):
file = open(dev, 'rb')
size = file.seek(0, 2)
def read_file(address, count, offset, physical):
file.seek(offset)
return file.read(count)
platform = drgn.Platform(drgn.Architecture.UNKNOWN,
drgn.PlatformFlags.IS_LITTLE_ENDIAN)
prog = drgn.Program(platform)
prog.add_memory_segment(0, size, read_file)
prog.load_debug_info([f'/lib/modules/{os.uname().release}/kernel/fs/btrfs/btrfs.ko'])
return prog
prog = btrfs_debugger(sys.argv[1] if len(sys.argv) >= 2 else '/dev/sda')
print(drgn.Object(prog, 'struct btrfs_super_block', address=65536))
run_interactive(prog, banner_func=lambda _: "BTRFS debugger")
drgn.Program.register_type_finder() and drgn.Program.register_object_finder() are the
equivalent methods for plugging in types and objects.
Environment Variables
Some of drgn's behavior can be modified through environment variables:
DRGN_MAX_DEBUG_INFO_ERRORS
The maximum number of individual errors to report in a drgn.MissingDebugInfoError.
Any additional errors are truncated. The default is 5; -1 is unlimited.
DRGN_PREFER_ORC_UNWINDER
Whether to prefer using ORC over DWARF for stack unwinding (0 or 1). The default is
0. Note that drgn will always fall back to ORC for functions lacking DWARF call
frame information and vice versa. This environment variable is mainly intended for
testing and may be ignored in the future.
DRGN_USE_LIBDWFL_REPORT
Whether drgn should use libdwfl to find debugging information for core dumps
instead of its own implementation (0 or 1). The default is 0. This environment
variable is mainly intended as an escape hatch in case of bugs in drgn's
implementation and will be ignored in the future.
DRGN_USE_LIBKDUMPFILE_FOR_ELF
Whether drgn should use libkdumpfile for ELF vmcores (0 or 1). The default is 0.
This functionality will be removed in the future.
DRGN_USE_SYS_MODULE
Whether drgn should use /sys/module to find information about loaded kernel modules
for the running kernel instead of getting them from the core dump (0 or 1). The
default is 1. This environment variable is mainly intended for testing and may be
ignored in the future.
Linux Kernel Special Objects
When debugging the Linux kernel, there are some special drgn.Objects accessible with
drgn.Program.object() and drgn.Program[]. Some of these are available even without
debugging information, thanks to metadata called "vmcoreinfo" which is present in kernel
core dumps. These special objects include:
UTS_RELEASE
Object type: const char []
This corresponds to the UTS_RELEASE macro in the Linux kernel source code. This is
the exact kernel release (i.e., the output of uname -r).
To use this as a Python string, you must convert it:
>>> release = prog["UTS_RELEASE"].string_().decode("ascii")
This is available without debugging information.
PAGE_SIZE
Object type: unsigned long
PAGE_SHIFT
Object type: unsigned int
PAGE_MASK
Object type: unsigned long
These correspond to the macros of the same name in the Linux kernel source code.
The page size is the smallest contiguous unit of physical memory which can be
allocated or mapped by the kernel.
>>> prog['PAGE_SIZE']
(unsigned long)4096
>>> prog['PAGE_SHIFT']
(int)12
>>> prog['PAGE_MASK']
(unsigned long)18446744073709547520
>>> 1 << prog['PAGE_SHIFT'] == prog['PAGE_SIZE']
True
>>> ~(prog['PAGE_SIZE'] - 1) == prog['PAGE_MASK']
True
These are available without debugging information.
jiffies
Object type: volatile unsigned long
This is a counter of timer ticks. It is actually an alias of jiffies_64 on 64-bit
architectures, or the least significant 32 bits of jiffies_64 on 32-bit
architectures. Since this alias is defined via the linker, drgn handles it
specially.
This is not available without debugging information.
vmemmap
Object type: struct page *
This is a pointer to the "virtual memory map", an array of struct page for each
physical page of memory. While the purpose and implementation details of this array
are beyond the scope of this documentation, it is enough to say that it is
represented in the kernel source in an architecture-dependent way, frequently as a
macro or constant. The definition provided by drgn ensures that users can access it
without resorting to architecture-specific logic.
This is not available without debugging information.
VMCOREINFO
Object type: const char []
This is the data contained in the vmcoreinfo note, which is present either as an
ELF note in /proc/kcore or ELF vmcores, or as a special data section in
kdump-formatted vmcores. The vmcoreinfo note contains critical data necessary for
interpreting the kernel image, such as KASLR offsets and data structure locations.
In the Linux kernel, this data is normally stored in a variable called
vmcoreinfo_data. However, drgn reads this information from ELF note or from the
diskdump header. It is possible (in rare cases, usually with vmcores created by
hypervisors) for a vmcore to contain vmcoreinfo which differs from the data in
vmcoreinfo_data, so it is important to distinguish the contents. For that reason,
we use the name VMCOREINFO to distinguish it from the kernel variable
vmcoreinfo_data.
This is available without debugging information.
API Reference
Programs
class drgn.Program
A Program represents a crashed or running program. It can be used to lookup type
definitions, access variables, and read arbitrary memory.
The main functionality of a Program is looking up objects (i.e., variables,
constants, or functions). This is usually done with the [] operator.
Program(platform: Optional[Platform] = None, *, vmcoreinfo: Union[bytes, str, None]
= None)
Create a Program with no target program. It is usually more convenient to
use one of the Program Constructors.
Parameters
• platform -- The platform of the program, or None if it should be
determined automatically when a core dump or symbol file is added.
• vmcoreinfo -- Optionally provide the VMCOREINFO note data for Linux
kernel core dumps, which will override any detected data. When not
provided or None, automatically detect the info.
flags: ProgramFlags
Flags which apply to this program.
platform: Optional[Platform]
Platform that this program runs on, or None if it has not been determined
yet.
language: Language
Default programming language of the program.
This is used for interpreting the type name given to type() and when
creating an Object without an explicit type.
For the Linux kernel, this defaults to Language.C. For userspace programs,
this defaults to the language of main in the program, falling back to
Language.C. This heuristic may change in the future.
This can be explicitly set to a different language (e.g., if the heuristic
was incorrect).
__getitem__(name: str) -> Object
Implement self[name]. Get the object (variable, constant, or function) with
the given name.
This is equivalent to prog.object(name) except that this raises KeyError
instead of LookupError if no objects with the given name are found.
If there are multiple objects with the same name, one is returned
arbitrarily. In this case, the variable(), constant(), function(), or
object() methods can be used instead.
>>> prog['jiffies']
Object(prog, 'volatile unsigned long', address=0xffffffff94c05000)
Parameters
name -- Object name.
__contains__(name: str) -> bool
Implement name in self. Return whether an object (variable, constant, or
function) with the given name exists in the program.
Parameters
name -- Object name.
variable(name: str, filename: Optional[str] = None) -> Object
Get the variable with the given name.
>>> prog.variable('jiffies')
Object(prog, 'volatile unsigned long', address=0xffffffff94c05000)
This is equivalent to prog.object(name, FindObjectFlags.VARIABLE, filename).
Parameters
• name -- The variable name.
• filename -- The source code file that contains the definition. See
Filenames.
Raises LookupError -- if no variables with the given name are found in the
given file
constant(name: str, filename: Optional[str] = None) -> Object
Get the constant (e.g., enumeration constant) with the given name.
Note that support for macro constants is not yet implemented for DWARF
files, and most compilers don't generate macro debugging information by
default anyways.
>>> prog.constant('PIDTYPE_MAX')
Object(prog, 'enum pid_type', value=4)
This is equivalent to prog.object(name, FindObjectFlags.CONSTANT, filename).
Parameters
• name -- The constant name.
• filename -- The source code file that contains the definition. See
Filenames.
Raises LookupError -- if no constants with the given name are found in the
given file
function(name: str, filename: Optional[str] = None) -> Object
Get the function with the given name.
>>> prog.function('schedule')
Object(prog, 'void (void)', address=0xffffffff94392370)
This is equivalent to prog.object(name, FindObjectFlags.FUNCTION, filename).
Parameters
• name -- The function name.
• filename -- The source code file that contains the definition. See
Filenames.
Raises LookupError -- if no functions with the given name are found in the
given file
object(name: str, flags: FindObjectFlags = FindObjectFlags.ANY, filename:
Optional[str] = None) -> Object
Get the object (variable, constant, or function) with the given name.
When debugging the Linux kernel, this can look up certain special objects
documented in Linux Kernel Special Objects, sometimes without any debugging
information loaded.
Parameters
• name -- The object name.
• flags -- Flags indicating what kind of object to look for.
• filename -- The source code file that contains the definition. See
Filenames.
Raises LookupError -- if no objects with the given name are found in the
given file
symbol(address_or_name: Union[IntegerLike, str], /) -> Symbol
Get a symbol containing the given address, or a symbol with the given name.
Global symbols are preferred over weak symbols, and weak symbols are
preferred over other symbols. In other words: if a matching
SymbolBinding.GLOBAL or SymbolBinding.UNIQUE symbol is found, it is
returned. Otherwise, if a matching SymbolBinding.WEAK symbol is found, it is
returned. Otherwise, any matching symbol (e.g., SymbolBinding.LOCAL) is
returned. If there are multiple matching symbols with the same binding, one
is returned arbitrarily. To retrieve all matching symbols, use symbols().
Parameters
address_or_name -- Address or name to search for.
Raises LookupError -- if no symbol contains the given address or matches the
given name
symbols(address_or_name: Union[None, IntegerLike, str] = None, /) -> List[Symbol]
Get a list of global and local symbols, optionally matching a name or
address.
If a string argument is given, this returns all symbols matching that name.
If an integer-like argument given, this returns a list of all symbols
containing that address. If no argument is given, all symbols in the program
are returned. In all cases, the symbols are returned in an unspecified
order.
Parameters
address_or_name -- Address or name to search for.
stack_trace(thread: Union[Object, IntegerLike]) -> StackTrace
Get the stack trace for the given thread in the program.
thread may be a thread ID (as defined by gettid(2)), in which case this will
unwind the stack for the thread with that ID. The ID may be a Python int or
an integer Object
thread may also be a struct pt_regs or struct pt_regs * object, in which
case the initial register values will be fetched from that object.
Finally, if debugging the Linux kernel, thread may be a struct task_struct *
object, in which case this will unwind the stack for that task. See
drgn.helpers.linux.pid.find_task().
This is implemented for the Linux kernel (both live and core dumps) as well
as userspace core dumps; it is not yet implemented for live userspace
processes.
Parameters
thread -- Thread ID, struct pt_regs object, or struct task_struct *
object.
stack_trace_from_pcs(pcs: Sequence[IntegerLike]) -> StackTrace
Get a stack trace with the supplied list of program counters.
Parameters
pcs -- List of program counters.
type(name: str, filename: Optional[str] = None) -> Type
Get the type with the given name.
>>> prog.type('long')
prog.int_type(name='long', size=8, is_signed=True)
Parameters
• name -- The type name.
• filename -- The source code file that contains the definition. See
Filenames.
Raises LookupError -- if no types with the given name are found in the given
file
type(type: Type, /) -> Type
Return the given type.
This is mainly useful so that helpers can use prog.type() to get a Type
regardless of whether they were given a str or a Type. For example:
def my_helper(obj: Object, type: Union[str, Type]) -> bool:
# type may be str or Type.
type = obj.prog_.type(type)
# type is now always Type.
return sizeof(obj) > sizeof(type)
Parameters
type -- Type.
Returns
The exact same type.
threads() -> Iterator[Thread]
Get an iterator over all of the threads in the program.
thread(tid: IntegerLike) -> Thread
Get the thread with the given thread ID.
Parameters
tid -- Thread ID (as defined by gettid(2)).
Raises LookupError -- if no thread has the given thread ID
main_thread() -> Thread
Get the main thread of the program.
This is only defined for userspace programs.
Raises ValueError -- if the program is the Linux kernel
crashed_thread() -> Thread
Get the thread that caused the program to crash.
For userspace programs, this is the thread that received the fatal signal
(e.g., SIGSEGV or SIGQUIT).
For the kernel, this is the thread that panicked (either directly or as a
result of an oops, BUG_ON(), etc.).
Raises ValueError -- if the program is live (i.e., not a core dump)
read(address: IntegerLike, size: IntegerLike, physical: bool = False) -> bytes
Read size bytes of memory starting at address in the program. The address
may be virtual (the default) or physical if the program supports it.
>>> prog.read(0xffffffffbe012b40, 16)
b'swapper/0'
Parameters
• address -- The starting address.
• size -- The number of bytes to read.
• physical -- Whether address is a physical memory address. If False,
then it is a virtual memory address. Physical memory can usually
only be read when the program is an operating system kernel.
Raises
• FaultError -- if the address range is invalid or the type of
address (physical or virtual) is not supported by the program
• ValueError -- if size is negative
read_u8(address: IntegerLike, physical: bool = False) -> int
read_u16(address: IntegerLike, physical: bool = False) -> int
read_u32(address: IntegerLike, physical: bool = False) -> int
read_u64(address: IntegerLike, physical: bool = False) -> int
read_word(address: IntegerLike, physical: bool = False) -> int
Read an unsigned integer from the program's memory in the program's byte
order.
read_u8(), read_u16(), read_u32(), and read_u64() read an 8-, 16-, 32-, or
64-bit unsigned integer, respectively. read_word() reads a program
word-sized unsigned integer.
For signed integers, alternate byte order, or other formats, you can use
read() and int.from_bytes() or the struct module.
Parameters
• address -- Address of the integer.
• physical -- Whether address is a physical memory address; see
read().
Raises FaultError -- if the address is invalid; see read()
add_memory_segment(address: IntegerLike, size: IntegerLike, read_fn: Callable[[int,
int, int, bool], bytes], physical: bool = False) -> None
Define a region of memory in the program.
If it overlaps a previously registered segment, the new segment takes
precedence.
Parameters
• address -- Address of the segment.
• size -- Size of the segment in bytes.
• physical -- Whether to add a physical memory segment. If False,
then this adds a virtual memory segment.
• read_fn -- Callable to call to read memory from the segment. It is
passed the address being read from, the number of bytes to read,
the offset in bytes from the beginning of the segment, and whether
the address is physical: (address, count, offset, physical). It
should return the requested number of bytes as bytes or another
buffer type.
register_type_finder(name: str, fn: Callable[[Program, TypeKindSet, str,
Optional[str]], Optional[Type]], *, enable_index: Optional[int] = None) -> None
Register a callback for finding types in the program.
This does not enable the finder unless enable_index is given.
Parameters
• name -- Finder name.
• fn -- Callable taking the program, a TypeKindSet, name, and
filename: (prog, kinds, name, filename). The filename should be
matched with filename_matches(). This should return a Type or None
if not found.
• enable_index -- Insert the finder into the list of enabled type
finders at the given index. If -1 or greater than the number of
enabled finders, insert it at the end. If None or not given, don't
enable the finder.
Raises ValueError -- if there is already a finder with the given name
registered_type_finders() -> Set[str]
Return the names of all registered type finders.
set_enabled_type_finders(names: Sequence[str]) -> None
Set the list of enabled type finders.
Finders are called in the same order as the list until a type is found.
Finders that are not in the list are not called.
Parameters
names -- Names of finders to enable, in order.
Raises ValueError -- if no finder has a given name or the same name is given
more than once
enabled_type_finders() -> List[str]
Return the names of enabled type finders, in order.
register_object_finder(name: str, fn: Callable[[Program, str, FindObjectFlags,
Optional[str]], Optional[Object]], *, enable_index: Optional[int] = None) -> None
Register a callback for finding objects in the program.
This does not enable the finder unless enable_index is given.
Parameters
• name -- Finder name.
• fn -- Callable taking the program, name, FindObjectFlags, and
filename: (prog, name, flags, filename). The filename should be
matched with filename_matches(). This should return an Object or
None if not found.
• enable_index -- Insert the finder into the list of enabled object
finders at the given index. If -1 or greater than the number of
enabled finders, insert it at the end. If None or not given, don't
enable the finder.
Raises ValueError -- if there is already a finder with the given name
registered_object_finders() -> Set[str]
Return the names of all registered object finders.
set_enabled_object_finders(names: Sequence[str]) -> None
Set the list of enabled object finders.
Finders are called in the same order as the list until an object is found.
Finders that are not in the list are not called.
Parameters
names -- Names of finders to enable, in order.
Raises ValueError -- if no finder has a given name or the same name is given
more than once
enabled_object_finders() -> List[str]
Return the names of enabled object finders, in order.
register_symbol_finder(name: str, fn: Callable[[Program, Optional[str],
Optional[int], bool], Sequence[Symbol]], *, enable_index: Optional[int] = None) ->
None
Register a callback for finding symbols in the program.
This does not enable the finder unless enable_index is given.
The callback should take four arguments: the program, a name, an address,
and a boolean flag one. It should return a list of symbols or an empty list
if no matches are found.
If name is not None, then only symbols with that name should be returned. If
address is not None, then only symbols containing that address should be
returned. If neither is None, then the returned symbols must match both. If
both are None, then all symbols should be considered matching.
When the one flag is False, the callback should return a list of all
matching symbols. When it is True, it should return a list with at most one
symbol which is the best match.
Parameters
• name -- Finder name.
• fn -- Callable taking (prog, name, address, one) and returning a
sequence of Symbols.
• enable_index -- Insert the finder into the list of enabled finders
at the given index. If -1 or greater than the number of enabled
finders, insert it at the end. If None or not given, don't enable
the finder.
Raises ValueError -- if there is already a finder with the given name
registered_symbol_finders() -> Set[str]
Return the names of all registered symbol finders.
set_enabled_symbol_finders(names: Sequence[str]) -> None
Set the list of enabled symbol finders.
Finders are called in the same order as the list. When the one flag is set,
the search will short-circuit after the first finder which returns a result,
and subsequent finders will not be called. Otherwise, all callbacks will be
called, and all results will be returned.
Finders that are not in the list are not called.
Parameters
names -- Names of finders to enable, in order.
Raises ValueError -- if no finder has a given name or the same name is given
more than once
enabled_symbol_finders() -> List[str]
Return the names of enabled symbol finders, in order.
add_type_finder(fn: Callable[[TypeKind, str, Optional[str]], Optional[Type]]) ->
None
Deprecated method to register and enable a callback for finding types in the
program.
Deprecated since version 0.0.27: Use register_type_finder() instead.
The differences from register_type_finder() are:
1. fn is not passed prog.
2. fn is passed a TypeKind instead of a TypeKindSet. If multiple kinds are
being searched for, fn will be called multiple times.
3. A name for the finder is generated from fn.
4. The finder is always enabled before any existing finders.
add_object_finder(fn: Callable[[Program, str, FindObjectFlags, Optional[str]],
Optional[Object]]) -> None
Deprecated method to register and enable a callback for finding objects in
the program.
Deprecated since version 0.0.27: Use register_object_finder() instead.
The differences from register_object_finder() are:
1. A name for the finder is generated from fn.
2. The finder is always enabled before any existing finders.
set_core_dump(path: Union[Path, int]) -> None
Set the program to a core dump.
This loads the memory segments from the core dump and determines the mapped
executable and libraries. It does not load any debugging symbols; see
load_default_debug_info().
Parameters
path -- Core dump file path or open file descriptor.
set_kernel() -> None
Set the program to the running operating system kernel.
This loads the memory of the running kernel and thus requires root
privileges. It does not load any debugging symbols; see
load_default_debug_info().
set_pid(pid: int) -> None
Set the program to a running process.
This loads the memory of the process and determines the mapped executable
and libraries. It does not load any debugging symbols; see
load_default_debug_info().
Parameters
pid -- Process ID.
load_debug_info(paths: Optional[Iterable[Path]] = None, default: bool = False,
main: bool = False) -> None
Load debugging information for a list of executable or library files.
Note that this is parallelized, so it is usually faster to load multiple
files at once rather than one by one.
Parameters
• paths -- Paths of binary files.
• default --
Also load debugging information which can automatically be
determined from the program.
For the Linux kernel, this tries to load vmlinux and any loaded
kernel modules from a few standard locations.
For userspace programs, this tries to load the executable and any
loaded libraries.
This implies main=True.
• main --
Also load debugging information for the main executable.
For the Linux kernel, this tries to load vmlinux.
This is currently ignored for userspace programs.
Raises MissingDebugInfoError -- if debugging information was not available
for some files; other files with debugging information are still
loaded
load_default_debug_info() -> None
Load debugging information which can automatically be determined from the
program.
This is equivalent to load_debug_info(None, True).
cache: Dict[Any, Any]
Dictionary for caching program metadata.
This isn't used by drgn itself. It is intended to be used by helpers to
cache metadata about the program. For example, if a helper for a program
depends on the program version or an optional feature, the helper can detect
it and cache it for subsequent invocations:
def my_helper(prog):
try:
have_foo = prog.cache['have_foo']
except KeyError:
have_foo = detect_foo_feature(prog)
prog.cache['have_foo'] = have_foo
if have_foo:
return prog['foo']
else:
return prog['bar']
class drgn.ProgramFlags
Bases: enum.Flag
ProgramFlags are flags that can apply to a Program (e.g., about what kind of
program it is).
IS_LINUX_KERNEL
The program is the Linux kernel.
IS_LIVE
The program is currently running (e.g., it is the running operating system
kernel or a running process).
IS_LOCAL
The program is running on the local machine.
class drgn.FindObjectFlags
Bases: enum.Flag
FindObjectFlags are flags for Program.object(). These can be combined to search for
multiple kinds of objects at once.
CONSTANT
FUNCTION
VARIABLE
ANY
class drgn.Thread
A thread in a program.
tid: Final[int]
Thread ID (as defined by gettid(2)).
name: Optional[str]
Thread name, or None if unknown.
See PR_SET_NAME and /proc/pid/comm.
NOTE:
Linux userspace core dumps only save the name of the main thread, so name
will be None for other threads.
object: Final[Object]
If the program is the Linux kernel, the struct task_struct * object for this
thread. Otherwise, not defined.
stack_trace() -> StackTrace
Get the stack trace for this thread.
This is equivalent to prog.stack_trace(thread.tid). See
Program.stack_trace().
Filenames
The Program.type(), Program.object(), Program.variable(), Program.constant(), and
Program.function() methods all take a filename parameter to distinguish between multiple
definitions with the same name. The filename refers to the source code file that contains
the definition. It is matched with filename_matches(). If multiple definitions match, one
is returned arbitrarily.
drgn.filename_matches(haystack: Optional[str], needle: Optional[str]) -> bool
Return whether a filename containing a definition (haystack) matches a filename
being searched for (needle).
The filename is matched from right to left, so 'stdio.h', 'include/stdio.h',
'usr/include/stdio.h', and '/usr/include/stdio.h' would all match a definition in
/usr/include/stdio.h. If needle is None or empty, it matches any definition. If
haystack is None or empty, it only matches if needle is also None or empty.
Parameters
• haystack -- Path of file containing definition.
• needle -- Filename to match.
Program Constructors
The drgn command line interface automatically creates a Program named prog. However, drgn
may also be used as a library without the CLI, in which case a Program must be created
manually.
drgn.program_from_core_dump(path: Union[Path, int]) -> Program
Create a Program from a core dump file. The type of program (e.g., userspace or
kernel) is determined automatically.
Parameters
path -- Core dump file path or open file descriptor.
drgn.program_from_kernel() -> Program
Create a Program from the running operating system kernel. This requires root
privileges.
drgn.program_from_pid(pid: int) -> Program
Create a Program from a running program with the given PID. This requires
appropriate permissions (on Linux, ptrace(2) attach permissions).
Parameters
pid -- Process ID of the program to debug.
Default Program
Most functions that take a Program can be called without the prog argument. In that case,
the default program argument is used, which is determined by the rules below.
NOTE:
In the drgn CLI, you probably don't need to care about these details. Simply omit
prog:
# Equivalent in the CLI.
find_task(pid)
find_task(prog, pid)
find_task(prog["init_pid_ns"].address_of_(), pid)
1. If prog is given explicitly, either as a positional or keyword argument, then it is
used.
2. Otherwise, if the first argument is an Object, then Object.prog_ is used.
3. Otherwise, the default program is used.
The default program is set automatically in the CLI. Library users can get and set it
manually. The default program is a per-thread setting. See Thread Safety.
drgn.get_default_prog() -> Program
Get the default program for the current thread.
Raises NoDefaultProgramError -- if the default program is not set
drgn.set_default_prog(prog: Optional[Program], /) -> None
Set the default program for the current thread.
Parameters
prog -- Program to set as the default, or None to unset it.
class drgn.NoDefaultProgramError
Bases: Exception
Error raised when trying to use the default program when it is not set.
For helpers, it is recommended to use the decorators from the drgn.helpers.common.prog
module instead.
Platforms
class drgn.Platform
A Platform represents the environment (i.e., architecture and ABI) that a program
runs on.
Platform(arch: Architecture, flags: Optional[PlatformFlags] = None)
Create a Platform.
Parameters
• arch -- Platform.arch
• flags -- Platform.flags; if None, default flags for the
architecture are used.
arch: Final[Architecture]
Instruction set architecture of this platform.
flags: Final[PlatformFlags]
Flags which apply to this platform.
registers: Final[Sequence[Register]]
Processor registers on this platform.
class drgn.Architecture
Bases: enum.Enum
An Architecture represents an instruction set architecture.
X86_64 The x86-64 architecture, a.k.a. AMD64 or Intel 64.
I386 The 32-bit x86 architecture, a.k.a. i386 or IA-32.
AARCH64
The AArch64 architecture, a.k.a. ARM64.
ARM The 32-bit Arm architecture.
PPC64 The 64-bit PowerPC architecture.
RISCV64
The 64-bit RISC-V architecture.
RISCV32
The 32-bit RISC-V architecture.
S390X The s390x architecture, a.k.a. IBM Z or z/Architecture.
S390 The 32-bit s390 architecture, a.k.a. System/390.
UNKNOWN
An architecture which is not known to drgn. Certain features are not
available when the architecture is unknown, but most of drgn will still
work.
class drgn.PlatformFlags
Bases: enum.Flag
PlatformFlags are flags describing a Platform.
IS_64_BIT
Platform is 64-bit.
IS_LITTLE_ENDIAN
Platform is little-endian.
class drgn.Register
A Register represents information about a processor register.
names: Final[Sequence[str]]
Names of this register.
drgn.host_platform: Platform
The platform of the host which is running drgn.
Languages
class drgn.Language
A Language represents a programming language supported by drgn.
This class cannot be constructed; there are singletons for the supported languages.
name: Final[str]
Name of the programming language.
C: ClassVar[Language]
The C programming language.
CPP: ClassVar[Language]
The C++ programming language.
Objects
class drgn.Object
An Object represents a symbol or value in a program. An object may exist in the
memory of the program (a reference), it may be a constant or temporary computed
value (a value), or it may be absent entirely (an absent object).
All instances of this class have two attributes: prog_, the program that the object
is from; and type_, the type of the object. Reference objects also have an
address_ and a bit_offset_. Objects may also have a bit_field_size_.
repr() of an object returns a Python representation of the object:
>>> print(repr(prog['jiffies']))
Object(prog, 'volatile unsigned long', address=0xffffffffbf005000)
str() returns a "pretty" representation of the object in programming language
syntax:
>>> print(prog['jiffies'])
(volatile unsigned long)4326237045
The output format of str() can be modified by using the format_() method instead:
>>> sysname = prog['init_uts_ns'].name.sysname
>>> print(sysname)
(char [65])"Linux"
>>> print(sysname.format_(type_name=False))
"Linux"
>>> print(sysname.format_(string=False))
(char [65]){ 76, 105, 110, 117, 120 }
NOTE:
The drgn CLI is set up so that objects are displayed in the "pretty" format
instead of with repr() (the latter is the default behavior of Python's
interactive mode). Therefore, it's usually not necessary to call print() in the
drgn CLI.
Objects support the following operators:
• Arithmetic operators: +, -, *, /, %
• Bitwise operators: <<, >>, &, |, ^, ~
• Relational operators: ==, !=, <, >, <=, >=
• Subscripting: [] (Python does not have a unary * operator, so pointers are
dereferenced with ptr[0])
• Member access: . (Python does not have a -> operator, so . is also used to access
members of pointers to structures)
• The address-of operator: drgn.Object.address_of_() (this is a method because
Python does not have a & operator)
• Array length: len()
These operators all have the semantics of the program's programming language. For
example, adding two objects from a program written in C results in an object with a
type and value according to the rules of C:
>>> Object(prog, 'unsigned long', 2**64 - 1) + Object(prog, 'int', 1)
Object(prog, 'unsigned long', value=0)
If only one operand to a binary operator is an object, the other operand will be
converted to an object according to the language's rules for literals:
>>> Object(prog, 'char', 0) - 1
Object(prog, 'int', value=-1)
The standard int(), float(), and bool() functions convert an object to that Python
type. Conversion to bool uses the programming language's notion of "truthiness".
Additionally, certain Python functions will automatically coerce an object to the
appropriate Python type (e.g., hex(), round(), and list subscripting).
Object attributes and methods are named with a trailing underscore to avoid
conflicting with structure, union, or class members. The attributes and methods
always take precedence; use member_() if there is a conflict.
Objects are usually obtained directly from a Program, but they can be constructed
manually, as well (for example, if you got a variable address from a log file).
Object(prog: Program, type: Union[str, Type], value: Union[IntegerLike, float,
bool, Mapping[str, Any], Sequence[Any]], *, bit_field_size: Optional[IntegerLike] =
None)
Create a value object given its type and value.
Parameters
• prog -- Program to create the object in.
• type -- Type of the object.
• value -- Value of the object. See value_().
• bit_field_size -- Size in bits of the object if it is a bit field.
The default is None, which means the object is not a bit field.
Object(prog: Program, *, value: Union[int, float, bool])
Create a value object from a "literal".
This is used to emulate a literal number in the source code of the program.
The type is deduced from value according to the language's rules for
literals.
Parameters
value -- Value of the literal.
Object(prog: Program, type: Union[str, Type], *, address: IntegerLike, bit_offset:
IntegerLike = 0, bit_field_size: Optional[IntegerLike] = None)
Create a reference object.
Parameters
• address -- Address of the object in the program.
• bit_offset -- Offset in bits from address to the beginning of the
object.
Object(prog: Program, type: Union[str, Type], *, bit_field_size: Optional[‐
IntegerLike] = None)
Create an absent object.
prog_: Final[Program]
Program that this object is from.
type_: Final[Type]
Type of this object.
absent_: Final[bool]
Whether this object is absent.
This is False for all values and references (even if the reference has an
invalid address).
address_: Final[Optional[int]]
Address of this object if it is a reference, None if it is a value or
absent.
bit_offset_: Final[Optional[int]]
Offset in bits from this object's address to the beginning of the object if
it is a reference, None otherwise. This can only be non-zero for scalars.
bit_field_size_: Final[Optional[int]]
Size in bits of this object if it is a bit field, None if it is not.
__getattr__(name: str) -> Object
Implement self.name.
This corresponds to both the member access (.) and member access through
pointer (->) operators in C.
Note that if name is an attribute or method of the Object class, then that
takes precedence. Otherwise, this is equivalent to member_().
>>> print(prog['init_task'].pid)
(pid_t)0
Parameters
name -- Attribute name.
__getitem__(idx: IntegerLike) -> Object
Implement self[idx]. Get the array element at the given index.
>>> print(prog['init_task'].comm[1])
(char)119
[0] is also the equivalent of the pointer dereference (*) operator in C:
>>> ptr_to_ptr
*(void **)0xffff9b86801e2968 = 0xffff9b86801e2460
>>> print(ptr_to_ptr[0])
(void *)0xffff9b86801e2460
This is only valid for pointers and arrays.
NOTE:
Negative indices behave as they would in the object's language (as
opposed to the Python semantics of indexing from the end of the array).
Parameters
idx -- The array index.
Raises TypeError -- if this object is not a pointer or array
__len__() -> int
Implement len(self). Get the number of elements in this object.
>>> len(prog['init_task'].comm)
16
This is only valid for arrays.
Raises TypeError -- if this object is not an array with complete type
value_() -> Any
Get the value of this object as a Python object.
For basic types (integer, floating-point, boolean), this returns an object
of the directly corresponding Python type (int, float, bool). For pointers,
this returns the address value of the pointer. For enums, this returns an
int. For structures and unions, this returns a dict of members. For arrays,
this returns a list of values.
Raises
• FaultError -- if reading the object causes a bad memory access
• TypeError -- if this object has an unreadable type (e.g., void)
string_() -> bytes
Read a null-terminated string pointed to by this object.
This is only valid for pointers and arrays. The element type is ignored;
this operates byte-by-byte.
For pointers and flexible arrays, this stops at the first null byte.
For complete arrays, this stops at the first null byte or at the end of the
array.
Raises
• FaultError -- if reading the string causes a bad memory access
• TypeError -- if this object is not a pointer or array
member_(name: str) -> Object
Get a member of this object.
This is valid for structures, unions, classes, and pointers to any of those.
If the object is a pointer, it is automatically dereferenced first.
Normally the dot operator (.) can be used to accomplish the same thing, but
this method can be used if there is a name conflict with an Object attribute
or method.
Parameters
name -- Name of the member.
Raises
• TypeError -- if this object is not a structure, union, class, or a
pointer to one of those
• LookupError -- if this object does not have a member with the given
name
address_of_() -> Object
Get a pointer to this object.
This corresponds to the address-of (&) operator in C. It is only possible
for reference objects, as value objects don't have an address in the
program.
As opposed to address_, this returns an Object, not an int.
Raises ValueError -- if this object is a value
read_() -> Object
Read this object (which may be a reference or a value) and return it as a
value object.
This is useful if the object can change in the running program (but of
course nothing stops the program from modifying the object while it is being
read).
As opposed to value_(), this returns an Object, not a standard Python type.
Raises
• FaultError -- if reading this object causes a bad memory access
• TypeError -- if this object has an unreadable type (e.g., void)
to_bytes_() -> bytes
Return the binary representation of this object's value.
classmethod from_bytes_(prog: Program, type: Union[str, Type], bytes:
collections.abc.Buffer, *, bit_offset: IntegerLike = 0, bit_field_size: Optional[‐
IntegerLike] = None) -> Object
Return a value object from its binary representation.
>>> print(Object.from_bytes_(prog, "int", b""))
(int)16
Parameters
• prog -- Program to create the object in.
• type -- Type of the object.
• bytes -- Buffer containing value of the object.
• bit_offset -- Offset in bits from the beginning of bytes to the
beginning of the object.
• bit_field_size -- Size in bits of the object if it is a bit field.
The default is None, which means the object is not a bit field.
format_(*, columns: Optional[IntegerLike] = None, dereference: Optional[bool] =
None, symbolize: Optional[bool] = None, string: Optional[bool] = None, char:
Optional[bool] = None, type_name: Optional[bool] = None, member_type_names:
Optional[bool] = None, element_type_names: Optional[bool] = None,
members_same_line: Optional[bool] = None, elements_same_line: Optional[bool] =
None, member_names: Optional[bool] = None, element_indices: Optional[bool] = None,
implicit_members: Optional[bool] = None, implicit_elements: Optional[bool] = None)
-> str
Format this object in programming language syntax.
Various format options can be passed (as keyword arguments) to control the
output. Options that aren't passed or are passed as None fall back to a
default. Specifically, obj.format_() (i.e., with no passed options) is
equivalent to str(obj).
>>> workqueues = prog['workqueues']
>>> print(workqueues)
(struct list_head){
.next = (struct list_head *)0xffff932ecfc0ae10,
.prev = (struct list_head *)0xffff932e3818fc10,
}
>>> print(workqueues.format_(type_name=False,
... member_type_names=False,
... member_names=False,
... members_same_line=True))
{ 0xffff932ecfc0ae10, 0xffff932e3818fc10 }
Parameters
• columns -- Number of columns to limit output to when the expression
can be reasonably wrapped. Defaults to no limit.
• dereference -- If this object is a pointer, include the
dereferenced value. This does not apply to structure, union, or
class members, or array elements, as dereferencing those could lead
to an infinite loop. Defaults to True.
• symbolize -- Include a symbol name and offset for pointer objects.
Defaults to True.
• string -- Format the values of objects with string type as strings.
For C, this applies to pointers to and arrays of char, signed char,
and unsigned char. Defaults to True.
• char -- Format objects with character type as character literals.
For C, this applies to char, signed char, and unsigned char.
Defaults to False.
• type_name -- Include the type name of this object. Defaults to
True.
• member_type_names -- Include the type names of structure, union,
and class members. Defaults to True.
• element_type_names -- Include the type names of array elements.
Defaults to False.
• members_same_line -- Place multiple structure, union, and class
members on the same line if they fit within the specified number of
columns. Defaults to False.
• elements_same_line -- Place multiple array elements on the same
line if they fit within the specified number of columns. Defaults
to True.
• member_names -- Include the names of structure, union, and class
members. Defaults to True.
• element_indices -- Include the indices of array elements. Defaults
to False.
• implicit_members -- Include structure, union, and class members
which have an implicit value (i.e., for C, zero-initialized).
Defaults to True.
• implicit_elements -- Include array elements which have an implicit
value (i.e., for C, zero-initialized). Defaults to False.
drgn.NULL(prog: Program, type: Union[str, Type]) -> Object
Get an object representing NULL casted to the given type.
This is equivalent to Object(prog, type, 0).
Parameters
• prog -- The program.
• type -- The type.
drgn.cast(type: Union[str, Type], obj: Object) -> Object
Get the value of an object explicitly casted to another type.
This uses the programming language's rules for explicit conversions, like the cast
operator.
>>> cast("unsigned int", Object(prog, "float", 2.0))
(unsigned int)2
>>> cast("void *", Object(prog, "int", 0))
(void *)0x0
See also implicit_convert() for implicit conversions (which usually do stricter
type checking) and reinterpret() for reinterpreting the raw memory of an object.
Parameters
• type -- Type to cast to.
• obj -- Object to cast.
Returns
Casted object. This is always a value object.
Raises TypeError -- if casting obj to type is not allowed
drgn.implicit_convert(type: Union[str, Type], obj: Object) -> Object
Get the value of an object implicitly converted to another type.
This uses the programming language's rules for implicit conversions, like when
assigning to a variable or passing arguments to a function call.
>>> implicit_convert("unsigned int", Object(prog, "float", 2.0))
(unsigned int)2
>>> implicit_convert("void *", Object(prog, "int", 0))
Traceback (most recent call last):
...
TypeError: cannot convert 'int' to incompatible type 'void *'
See also cast() for explicit conversions and reinterpret() for reinterpreting the
raw memory of an object.
Parameters
• type -- Type to convert to.
• obj -- Object to convert.
Returns
Converted object. This is always a value object.
Raises TypeError -- if converting obj to type is not allowed
drgn.reinterpret(type: Union[str, Type], obj: Object) -> Object
Get the representation of an object reinterpreted as another type.
This reinterprets the raw memory of the object, so an object can be reinterpreted
as any other type.
>>> reinterpret("unsigned int", Object(prog, "float", 2.0))
(unsigned int)1073741824
NOTE:
You usually want cast() or implicit_convert() instead, which convert the value
of an object instead of its in-memory representation.
Parameters
• type -- Type to reinterpret as.
• obj -- Object to reinterpret.
Returns
Reinterpreted object. If obj is a reference object, then this is a reference
object. If obj is a value object, then this is a value object.
Raises OutOfBoundsError -- if obj is a value object and type is larger than obj
drgn.container_of(ptr: Object, type: Union[str, Type], member: str) -> Object
Get the containing object of a pointer object.
This corresponds to the container_of() macro in C.
Parameters
• ptr -- Pointer to member in containing object.
• type -- Type of containing object.
• member -- Name of member in containing object. May include one or more
member references and zero or more array subscripts.
Returns
Pointer to containing object.
Raises
• TypeError -- if ptr is not a pointer or type is not a structure, union, or
class type
• ValueError -- if the member is not byte-aligned (e.g., because it is a bit
field)
• LookupError -- if type does not have a member with the given name
Symbols
class drgn.Symbol
A Symbol represents an entry in the symbol table of a program, i.e., an identifier
along with its corresponding address range in the program.
Symbol(name: str, address: int, size: int, binding: SymbolBinding, kind:
SymbolKind)
Create a Symbol.
Parameters
• name -- Symbol.name
• address -- Symbol.address
• size -- Symbol.size
• binding -- Symbol.binding
• kind -- Symbol.kind
name: Final[str]
Name of this symbol.
address: Final[int]
Start address of this symbol.
size: Final[int]
Size of this symbol in bytes.
binding: Final[SymbolBinding]
Linkage behavior and visibility of this symbol.
kind: Final[SymbolKind]
Kind of entity represented by this symbol.
class drgn.SymbolBinding
Bases: enum.Enum
A SymbolBinding describes the linkage behavior and visibility of a symbol.
UNKNOWN
Unknown.
LOCAL Not visible outside of the object file containing its definition.
GLOBAL Globally visible.
WEAK Globally visible but may be overridden by a non-weak global symbol.
UNIQUE Globally visible even if dynamic shared object is loaded locally. See GCC's
-fno-gnu-unique option.
class drgn.SymbolKind
Bases: enum.Enum
A SymbolKind describes the kind of entity that a symbol represents.
UNKNOWN
Unknown or not defined.
OBJECT Data object (e.g., variable or array).
FUNC Function or other executable code.
SECTION
Object file section.
FILE Source file.
COMMON Data object in common block.
TLS Thread-local storage entity.
IFUNC Indirect function.
Stack Traces
Stack traces are retrieved with stack_trace(), Program.stack_trace(), or
Thread.stack_trace().
drgn.stack_trace(thread: Union[Object, IntegerLike]) -> StackTrace
Get the stack trace for the given thread using the default program argument.
See Program.stack_trace() for more details.
Parameters
thread -- Thread ID, struct pt_regs object, or struct task_struct * object.
class drgn.StackTrace
A StackTrace is a sequence of StackFrame.
len(trace) is the number of stack frames in the trace. trace[0] is the innermost
stack frame, trace[1] is its caller, and trace[len(trace) - 1] is the outermost
frame. Negative indexing also works: trace[-1] is the outermost frame and
trace[-len(trace)] is the innermost frame. It is also iterable:
for frame in trace:
if frame.name == 'io_schedule':
print('Thread is doing I/O')
str() returns a pretty-printed stack trace:
>>> prog.stack_trace(1)
#0 context_switch (kernel/sched/core.c:4339:2)
#1 __schedule (kernel/sched/core.c:5147:8)
#2 schedule (kernel/sched/core.c:5226:3)
#3 do_wait (kernel/exit.c:1534:4)
#4 kernel_wait4 (kernel/exit.c:1678:8)
#5 __do_sys_wait4 (kernel/exit.c:1706:13)
#6 do_syscall_64 (arch/x86/entry/common.c:47:14)
#7 entry_SYSCALL_64+0x7c/0x15b (arch/x86/entry/entry_64.S:112)
#8 0x4d49dd
The format is subject to change. The drgn CLI is set up so that stack traces are
displayed with str() by default.
prog: Final[Program]
Program that this stack trace is from.
class drgn.StackFrame
A StackFrame represents a single frame in a thread's call stack.
str() returns a pretty-printed stack frame:
>>> prog.stack_trace(1)[0]
#0 at 0xffffffffb64ac287 (__schedule+0x227/0x606) in context_switch at kernel/sched/core.c:4339:2 (inlined)
This includes more information than when printing the full stack trace. The format
is subject to change. The drgn CLI is set up so that stack frames are displayed
with str() by default.
The [] operator can look up function parameters, local variables, and global
variables in the scope of the stack frame:
>>> prog.stack_trace(1)[0]['prev'].pid
(pid_t)1
>>> prog.stack_trace(1)[0]['scheduler_running']
(int)1
name: Final[Optional[str]]
Name of the function at this frame, or None if it could not be determined.
The name cannot be determined if debugging information is not available for
the function, e.g., because it is implemented in assembly. It may be
desirable to use the symbol name or program counter as a fallback:
name = frame.name
if name is None:
try:
name = frame.symbol().name
except LookupError:
name = hex(frame.pc)
is_inline: Final[bool]
Whether this frame is for an inlined call.
An inline frame shares the same stack frame in memory as its caller.
Therefore, it has the same registers (including program counter and thus
symbol).
interrupted: Final[bool]
Whether this stack frame was interrupted (for example, by a hardware
interrupt, signal, trap, etc.).
If this is True, then the register values in this frame are the values at
the time that the frame was interrupted.
This is False if the frame is for a function call, in which case the
register values are the values when control returns to this frame. In
particular, the program counter is the return address, which is typically
the instruction after the call instruction.
pc: Final[int]
Program counter at this stack frame.
sp: Final[int]
Stack pointer at this stack frame.
__getitem__(name: str) -> Object
Implement self[name]. Get the object (variable, function parameter,
constant, or function) with the given name in the scope of this frame.
If the object exists but has been optimized out, this returns an absent
object.
Parameters
name -- Object name.
__contains__(name: str) -> bool
Implement name in self. Return whether an object with the given name exists
in the scope of this frame.
Parameters
name -- Object name.
locals() -> List[str]
Get a list of the names of all local objects (local variables, function
parameters, local constants, and nested functions) in the scope of this
frame.
Not all names may have present values, but they can be used with the []
operator to check.
source() -> Tuple[str, int, int]
Get the source code location of this frame.
Returns
Location as a (filename, line, column) triple.
Raises LookupError -- if the source code location is not available
symbol() -> Symbol
Get the function symbol at this stack frame.
This is equivalent to:
prog.symbol(frame.pc - (0 if frame.interrupted else 1))
register(reg: str) -> int
Get the value of the given register at this stack frame.
Parameters
reg -- Register name.
Raises
• ValueError -- if the register name is not recognized
• LookupError -- if the register value is not known
registers() -> Dict[str, int]
Get the values of all available registers at this stack frame as a
dictionary with the register names as keys.
Types
class drgn.Type
A Type object describes a type in a program. Each kind of type (e.g., integer,
structure) has different attributes (e.g., name, size). Types can also have
qualifiers (e.g., constant, atomic). Accessing an attribute which does not apply to
a type raises an AttributeError.
repr() of a Type returns a Python representation of the type:
>>> print(repr(prog.type('sector_t')))
prog.typedef_type(name='sector_t', type=prog.int_type(name='unsigned long', size=8, is_signed=False))
str() returns a representation of the type in programming language syntax:
>>> print(prog.type('sector_t'))
typedef unsigned long sector_t
The drgn CLI is set up so that types are displayed with str() instead of repr() by
default.
This class cannot be constructed directly. Instead, use one of the Type
Constructors.
prog: Final[Program]
Program that this type is from.
kind: Final[TypeKind]
Kind of this type.
primitive: Final[Optional[PrimitiveType]]
If this is a primitive type (e.g., int or double), the kind of primitive
type. Otherwise, None.
qualifiers: Final[Qualifiers]
Bitmask of this type's qualifier.
language: Final[Language]
Programming language of this type.
name: Final[str]
Name of this type. This is present for integer, boolean, floating-point, and
typedef types.
tag: Final[Optional[str]]
Tag of this type, or None if this is an anonymous type. This is present for
structure, union, class, and enumerated types.
size: Final[Optional[int]]
Size of this type in bytes, or None if this is an incomplete type. This is
present for integer, boolean, floating-point, structure, union, class, and
pointer types.
length: Final[Optional[int]]
Number of elements in this type, or None if this is an incomplete type.
This is only present for array types.
is_signed: Final[bool]
Whether this type is signed. This is only present for integer types.
byteorder: Final[str]
Byte order of this type: 'little' if it is little-endian, or 'big' if it is
big-endian. This is present for integer, boolean, floating-point, and
pointer types.
type: Final[Type]
Type underlying this type, defined as follows:
• For typedef types, the aliased type.
• For enumerated types, the compatible integer type, which is None if this
is an incomplete type.
• For pointer types, the referenced type.
• For array types, the element type.
• For function types, the return type.
For other types, this attribute is not present.
members: Final[Optional[Sequence[TypeMember]]]
List of members of this type, or None if this is an incomplete type. This
is present for structure, union, and class types.
enumerators: Final[Optional[Sequence[TypeEnumerator]]]
List of enumeration constants of this type, or None if this is an incomplete
type. This is only present for enumerated types.
parameters: Final[Sequence[TypeParameter]]
List of parameters of this type. This is only present for function types.
is_variadic: Final[bool]
Whether this type takes a variable number of arguments. This is only present
for function types.
template_parameters: Final[Sequence[TypeTemplateParameter]]
List of template parameters of this type. This is present for structure,
union, class, and function types.
type_name() -> str
Get a descriptive full name of this type.
is_complete() -> bool
Get whether this type is complete (i.e., the type definition is known).
This is always False for void types. It may be False for structure, union,
class, enumerated, and array types, as well as typedef types where the
underlying type is one of those. Otherwise, it is always True.
qualified(qualifiers: Qualifiers) -> Type
Get a copy of this type with different qualifiers.
Note that the original qualifiers are replaced, not added to.
Parameters
qualifiers -- New type qualifiers.
unqualified() -> Type
Get a copy of this type with no qualifiers.
member(name: str) -> TypeMember
Look up a member in this type by name.
If this type has any unnamed members, this also matches members of those
unnamed members, recursively. If the member is found in an unnamed member,
TypeMember.bit_offset and TypeMember.offset are adjusted accordingly.
Parameters
name -- Name of the member.
Raises
• TypeError -- if this type is not a structure, union, or class type
• LookupError -- if this type does not have a member with the given
name
has_member(name: str) -> bool
Return whether this type has a member with the given name.
If this type has any unnamed members, this also matches members of those
unnamed members, recursively.
Parameters
name -- Name of the member.
Raises TypeError -- if this type is not a structure, union, or class type
class drgn.TypeMember
A TypeMember represents a member of a structure, union, or class type.
TypeMember(object_or_type: Union[Object, Type, Callable[[], Union[Object, Type]]],
name: Optional[str] = None, bit_offset: int = 0)
Create a TypeMember.
Parameters
• object_or_type --
One of:
1. TypeMember.object as an Object.
2. TypeMember.type as a Type. In this case, object is set to an
absent object with that type.
3. A callable that takes no arguments and returns one of the above.
It is called when object or type is first accessed, and the
result is cached.
• name -- TypeMember.name
• bit_offset -- TypeMember.bit_offset
object: Final[Object]
Member as an Object.
This is the default initializer for the member, or an absent object if the
member has no default initializer. (However, the DWARF specification as of
version 5 does not actually support default member initializers, so this is
usually absent.)
type: Final[Type]
Member type.
This is a shortcut for TypeMember.object.type.
name: Final[Optional[str]]
Member name, or None if the member is unnamed.
bit_offset: Final[int]
Offset of the member from the beginning of the type in bits.
offset: Final[int]
Offset of the member from the beginning of the type in bytes. If the offset
is not byte-aligned, accessing this attribute raises ValueError.
bit_field_size: Final[Optional[int]]
Size in bits of this member if it is a bit field, None if it is not.
This is a shortcut for TypeMember.object.bit_field_size_.
class drgn.TypeEnumerator
A TypeEnumerator represents a constant in an enumerated type.
Its name and value may be accessed as attributes or unpacked:
>>> prog.type('enum pid_type').enumerators[0].name
'PIDTYPE_PID'
>>> name, value = prog.type('enum pid_type').enumerators[0]
>>> value
0
TypeEnumerator(name: str, value: int)
Create a TypeEnumerator.
Parameters
• name -- TypeEnumerator.name
• value -- TypeEnumerator.value
name: Final[str]
Enumerator name.
value: Final[int]
Enumerator value.
class drgn.TypeParameter
A TypeParameter represents a parameter of a function type.
TypeParameter(default_argument_or_type: Union[Object, Type, Callable[[], Union[‐
Object, Type]]], name: Optional[str] = None)
Create a TypeParameter.
Parameters
• default_argument_or_type --
One of:
1. TypeParameter.default_argument as an Object.
2. TypeParameter.type as a Type. In this case, default_argument is
set to an absent object with that type.
3. A callable that takes no arguments and returns one of the above.
It is called when default_argument or type is first accessed,
and the result is cached.
• name -- TypeParameter.name
default_argument: Final[Object]
Default argument for parameter.
If the parameter does not have a default argument, then this is an absent
object.
NOTE:
Neither GCC nor Clang emits debugging information for default arguments
(as of GCC 10 and Clang 11), and drgn does not yet parse it, so this is
usually absent.
type: Final[Type]
Parameter type.
This is the same as TypeParameter.default_argument.type_.
name: Final[Optional[str]]
Parameter name, or None if the parameter is unnamed.
class drgn.TypeTemplateParameter
A TypeTemplateParameter represents a template parameter of a structure, union,
class, or function type.
TypeTemplateParameter(argument: Union[Type, Object, Callable[[], Union[Type,
Object]]], name: Optional[str] = None, is_default: bool = False)
Create a TypeTemplateParameter.
Parameters
• argument --
One of:
1. TypeTemplateParameter.argument as a Type if the parameter is a
type template parameter.
2. TypeTemplateParameter.argument as a non-absent Object if the
parameter is a non-type template parameter.
3. A callable that takes no arguments and returns one of the above.
It is called when argument is first accessed, and the result is
cached.
• name -- TypeTemplateParameter.name
• is_default -- TypeTemplateParameter.is_default
argument: Final[Union[Type, Object]]
Template argument.
If this is a type template parameter, then this is a Type. If this is a
non-type template parameter, then this is an Object.
name: Final[Optional[str]]
Template parameter name, or None if the parameter is unnamed.
is_default: Final[bool]
Whether argument is the default for the template parameter.
NOTE:
There are two ways to interpret this:
1. The argument was omitted entirely and thus defaulted to the
default argument.
2. The (specified or defaulted) argument is the same as the default
argument.
Compilers are inconsistent about which interpretation they use.
GCC added this information in version 4.9. Clang added it in version 11
(and only when emitting DWARF version 5). If the program was compiled by
an older version, this is always false.
class drgn.TypeKind
Bases: enum.Enum
A TypeKind represents a kind of type.
VOID Void type.
INT Integer type.
BOOL Boolean type.
FLOAT Floating-point type.
STRUCT Structure type.
UNION Union type.
CLASS Class type.
ENUM Enumerated type.
TYPEDEF
Type definition (a.k.a. alias) type.
POINTER
Pointer type.
ARRAY Array type.
FUNCTION
Function type.
class drgn.TypeKindSet
Bases: collections.abc.Set[TypeKind]
Immutable set of TypeKinds.
>>> kinds = TypeKindSet({TypeKind.STRUCT, TypeKind.CLASS})
>>> TypeKind.STRUCT in kinds
True
>>> TypeKind.INT in kinds
False
>>> for kind in kinds:
... print(kind)
...
TypeKind.STRUCT
TypeKind.CLASS
class drgn.PrimitiveType
Bases: enum.Enum
A PrimitiveType represents a primitive type known to drgn.
C_VOID
C_CHAR
C_SIGNED_CHAR
C_UNSIGNED_CHAR
C_SHORT
C_UNSIGNED_SHORT
C_INT
C_UNSIGNED_INT
C_LONG
C_UNSIGNED_LONG
C_LONG_LONG
C_UNSIGNED_LONG_LONG
C_BOOL
C_FLOAT
C_DOUBLE
C_LONG_DOUBLE
C_SIZE_T
C_PTRDIFF_T
class drgn.Qualifiers
Bases: enum.Flag
Qualifiers are modifiers on types.
NONE No qualifiers.
CONST Constant type.
VOLATILE
Volatile type.
RESTRICT
Restrict type.
ATOMIC Atomic type.
drgn.alignof(type: Type, /) -> int
Get the alignment requirement (in bytes) of a Type.
This corresponds to _Alignof() in C.
Raises TypeError -- if type is a function type or an incomplete type
drgn.offsetof(type: Type, member: str) -> int
Get the offset (in bytes) of a member in a Type.
This corresponds to offsetof() in C.
Parameters
• type -- Structure, union, or class type.
• member -- Name of member. May include one or more member references and
zero or more array subscripts.
Raises
• TypeError -- if type is not a structure, union, or class type
• ValueError -- if the member is not byte-aligned (e.g., because it is a bit
field)
• LookupError -- if type does not have a member with the given name
Type Constructors
Custom drgn types can be created with the following factory functions. These can be used
just like types obtained from Program.type().
Program.void_type(*, qualifiers: Qualifiers = Qualifiers.NONE, language: Optional[‐
Language] = None) -> Type
Create a new void type. It has kind TypeKind.VOID.
Parameters
• qualifiers -- Type.qualifiers
• lang -- Type.language
Program.int_type(name: str, size: IntegerLike, is_signed: bool, byteorder: Optional[str] =
None, *, qualifiers: Qualifiers = Qualifiers.NONE, language: Optional[Language] = None) ->
Type
Create a new integer type. It has kind TypeKind.INT.
Parameters
• name -- Type.name
• size -- Type.size
• is_signed -- Type.is_signed
• byteorder -- Type.byteorder, or None to use the program's default byte
order.
• qualifiers -- Type.qualifiers
• lang -- Type.language
Program.bool_type(name: str, size: IntegerLike, byteorder: Optional[str] = None, *,
qualifiers: Qualifiers = Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new boolean type. It has kind TypeKind.BOOL.
Parameters
• name -- Type.name
• size -- Type.size
• byteorder -- Type.byteorder, or None to use the program's default byte
order.
• qualifiers -- Type.qualifiers
• lang -- Type.language
Program.float_type(name: str, size: IntegerLike, byteorder: Optional[str] = None, *,
qualifiers: Qualifiers = Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new floating-point type. It has kind TypeKind.FLOAT.
Parameters
• name -- Type.name
• size -- Type.size
• byteorder -- Type.byteorder, or None to use the program's default byte
order.
• qualifiers -- Type.qualifiers
• lang -- Type.language
Program.struct_type(tag: Optional[str], size: IntegerLike, members: Sequence[TypeMember],
*, template_parameters: Sequence[TypeTemplateParameter] = (), qualifiers: Qualifiers =
Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new structure type. It has kind TypeKind.STRUCT.
Parameters
• tag -- Type.tag
• size -- Type.size
• members -- Type.members
• template_parameters -- Type.template_parameters
• qualifiers -- Type.qualifiers
• lang -- Type.language
Program.struct_type(tag: Optional[str], size: None = None, members: None = None, *,
template_parameters: Sequence[TypeTemplateParameter] = (), qualifiers: Qualifiers =
Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new incomplete structure type.
Program.union_type(tag: Optional[str], size: IntegerLike, members: Sequence[TypeMember],
*, template_parameters: Sequence[TypeTemplateParameter] = (), qualifiers: Qualifiers =
Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new union type. It has kind TypeKind.UNION. Otherwise, this is the same as
as struct_type().
Program.union_type(tag: Optional[str], size: None = None, members: None = None, *,
template_parameters: Sequence[TypeTemplateParameter] = (), qualifiers: Qualifiers =
Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new incomplete union type.
Program.class_type(tag: Optional[str], size: IntegerLike, members: Sequence[TypeMember],
*, template_parameters: Sequence[TypeTemplateParameter] = (), qualifiers: Qualifiers =
Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new class type. It has kind TypeKind.CLASS. Otherwise, this is the same as
as struct_type().
Program.class_type(tag: Optional[str], size: None = None, members: None = None, *,
template_parameters: Sequence[TypeTemplateParameter] = (), qualifiers: Qualifiers =
Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new incomplete class type.
Program.enum_type(tag: Optional[str], type: Type, enumerators: Sequence[TypeEnumerator],
*, qualifiers: Qualifiers = Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new enumerated type. It has kind TypeKind.ENUM.
Parameters
• tag -- Type.tag
• type -- The compatible integer type (Type.type)
• enumerators -- Type.enumerators
• qualifiers -- Type.qualifiers
• lang -- Type.language
Program.enum_type(tag: Optional[str], type: None = None, enumerators: None = None, *,
qualifiers: Qualifiers = Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new incomplete enumerated type.
Program.typedef_type(name: str, type: Type, *, qualifiers: Qualifiers = Qualifiers.NONE,
language: Optional[Language] = None) -> Type
Create a new typedef type. It has kind TypeKind.TYPEDEF.
Parameters
• name -- Type.name
• type -- The aliased type (Type.type)
• qualifiers -- Type.qualifiers
• lang -- Type.language
Program.pointer_type(type: Type, size: Optional[int] = None, byteorder: Optional[str] =
None, *, qualifiers: Qualifiers = Qualifiers.NONE, language: Optional[Language] = None) ->
Type
Create a new pointer type. It has kind TypeKind.POINTER,
Parameters
• type -- The referenced type (Type.type)
• size -- Type.size, or None to use the program's default pointer size.
• byteorder -- Type.byteorder, or None to use the program's default byte
order.
• qualifiers -- Type.qualifiers
• lang -- Type.language
Program.array_type(type: Type, length: Optional[int] = None, *, qualifiers: Qualifiers =
Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new array type. It has kind TypeKind.ARRAY.
Parameters
• type -- The element type (Type.type)
• length -- Type.length
• qualifiers -- Type.qualifiers
• lang -- Type.language
Program.function_type(type: Type, parameters: Sequence[TypeParameter], is_variadic: bool =
False, *, template_parameters: Sequence[TypeTemplateParameter] = (), qualifiers:
Qualifiers = Qualifiers.NONE, language: Optional[Language] = None) -> Type
Create a new function type. It has kind TypeKind.FUNCTION.
Parameters
• type -- The return type (Type.type)
• parameters -- Type.parameters
• is_variadic -- Type.is_variadic
• template_parameters -- Type.template_parameters
• qualifiers -- Type.qualifiers
• lang -- Type.language
Miscellaneous
drgn.sizeof(type_or_obj: Union[Type, Object], /) -> int
Get the size of a Type or Object in bytes.
Parameters
type_or_obj -- Entity to get the size of.
Raises TypeError -- if the type does not have a size (e.g., because it is
incomplete or void)
drgn.execscript(path: str, *args: str) -> None
Execute a script.
The script is executed in the same context as the caller: currently defined globals
are available to the script, and globals defined by the script are added back to
the calling context.
This is most useful for executing scripts from interactive mode. For example, you
could have a script named exe.py:
"""Get all tasks executing a given file."""
import sys
from drgn.helpers.linux.fs import d_path
from drgn.helpers.linux.pid import find_task
def task_exe_path(task):
if task.mm:
return d_path(task.mm.exe_file.f_path).decode()
else:
return None
tasks = [
task for task in for_each_task()
if task_exe_path(task) == sys.argv[1]
]
Then, you could execute it and use the defined variables and functions:
>>> execscript('exe.py', '/usr/bin/bash')
>>> tasks[0].pid
(pid_t)358442
>>> task_exe_path(find_task(357954))
'/usr/bin/vim'
Parameters
• path -- File path of the script.
• args -- Zero or more additional arguments to pass to the script. This is a
variable argument list.
class drgn.IntegerLike
Bases: Protocol
An int or integer-like object.
Parameters annotated with this type expect an integer which may be given as a
Python int or an Object with integer type.
drgn.Path: TypeAlias
Filesystem path.
Parameters annotated with this type accept a filesystem path as str, bytes, or
os.PathLike.
Exceptions
class drgn.FaultError
Bases: Exception
This error is raised when a bad memory access is attempted (i.e., when accessing a
memory address which is not valid in a program).
FaultError(message: str, address: int)
Parameters
• message -- FaultError.message
• address -- FaultError.address
message: str
Error message.
address: int
Address that couldn't be accessed.
class drgn.MissingDebugInfoError
Bases: Exception
This error is raised when one or more files in a program do not have debug
information.
class drgn.ObjectAbsentError
Bases: Exception
This error is raised when attempting to use an absent object.
class drgn.OutOfBoundsError
Bases: Exception
This error is raised when attempting to access beyond the bounds of a value object.
CLI
Functions for embedding the drgn CLI.
drgn.cli.version_header() -> str
Return the version header printed at the beginning of a drgn session.
The run_interactive() function does not include this banner at the beginning of an
interactive session. Use this function to retrieve one line of text to add to the
beginning of the drgn banner, or print it before calling run_interactive().
drgn.cli.run_interactive(prog: drgn.Program, banner_func: Optional[Callable[[str], str]] =
None, globals_func: Optional[Callable[[Dict[str, Any]], Dict[str, Any]]] = None, quiet:
bool = False) -> None
Run drgn's Interactive Mode until the user exits.
This function allows your application to embed the same REPL that drgn provides
when it is run on the command line in interactive mode.
Parameters
• prog -- Pre-configured program to run against. Available as a global named
prog in the CLI.
• banner_func -- Optional function to modify the printed banner. Called with
the default banner, and must return a string to use as the new banner. The
default banner does not include the drgn version, which can be retrieved
via version_header().
• globals_func -- Optional function to modify globals provided to the
session. Called with a dictionary of default globals, and must return a
dictionary to use instead.
• quiet -- Ignored. Will be removed in the future.
NOTE:
This function uses readline and modifies some settings. Unfortunately, it is
not possible for it to restore all settings. In particular, it clears the
readline history and resets the TAB keybinding to the default.
Applications using readline should save their history and clear any custom
settings before calling this function. After calling this function, applications
should restore their history and settings before using readline.
Logging
drgn logs using the standard logging module to a logger named "drgn".
Thread Safety
Only one thread at a time should access the same Program (including Object, Type,
StackTrace, etc. from that program). It is safe to use different Programs from concurrent
threads.
Helpers
The drgn.helpers package contains subpackages which provide helpers for working with
particular types of programs. Currently, there are common helpers and helpers for the
Linux kernel. In the future, there may be helpers for, e.g., glibc and libstdc++.
class drgn.helpers.ValidationError
Bases: Exception
Error raised by a validator when an inconsistent or invalid state is detected.
Common
The drgn.helpers.common package provides helpers that can be used with any program. The
helpers are available from the individual modules in which they are defined and from this
top-level package. E.g., the following are both valid:
>>> from drgn.helpers.common.memory import identify_address
>>> from drgn.helpers.common import identify_address
Some of these helpers may have additional program-specific behavior but are otherwise
generic.
Formatting
The drgn.helpers.common.format module provides generic helpers for formatting different
things as text.
drgn.helpers.common.format.escape_ascii_character(c: int, escape_single_quote: bool =
False, escape_double_quote: bool = False, escape_backslash: bool = False) -> str
Format an ASCII byte value as a character, possibly escaping it. Non-printable
characters are always escaped. Non-printable characters other than \0, \a, \b, \t,
\n, \v, \f, and \r are escaped in hexadecimal format (e.g., \x7f). By default,
printable characters are never escaped.
Parameters
• c -- Character to escape.
• escape_single_quote -- Whether to escape single quotes to \'.
• escape_double_quote -- Whether to escape double quotes to \".
• escape_backslash -- Whether to escape backslashes to \\.
drgn.helpers.common.format.escape_ascii_string(buffer: Iterable[int], escape_single_quote:
bool = False, escape_double_quote: bool = False, escape_backslash: bool = False) -> str
Escape an iterable of ASCII byte values (e.g., bytes or bytearray). See
escape_ascii_character().
Parameters
buffer -- Byte array to escape.
drgn.helpers.common.format.decode_flags(value: drgn.IntegerLike, flags:
Iterable[Tuple[str, int]], bit_numbers: bool = True) -> str
Get a human-readable representation of a bitmask of flags.
By default, flags are specified by their bit number:
>>> decode_flags(2, [("BOLD", 0), ("ITALIC", 1), ("UNDERLINE", 2)])
'ITALIC'
They can also be specified by their value:
>>> decode_flags(2, [("BOLD", 1), ("ITALIC", 2), ("UNDERLINE", 4)],
... bit_numbers=False)
'ITALIC'
Multiple flags are combined with "|":
>>> decode_flags(5, [("BOLD", 0), ("ITALIC", 1), ("UNDERLINE", 2)])
'BOLD|UNDERLINE'
If there are multiple names for the same bit, they are all included:
>>> decode_flags(2, [("SMALL", 0), ("BIG", 1), ("LARGE", 1)])
'BIG|LARGE'
If there are any unknown bits, their raw value is included:
>>> decode_flags(27, [("BOLD", 0), ("ITALIC", 1), ("UNDERLINE", 2)])
'BOLD|ITALIC|0x18'
Zero is returned verbatim:
>>> decode_flags(0, [("BOLD", 0), ("ITALIC", 1), ("UNDERLINE", 2)])
'0'
Parameters
• value -- Bitmask to decode.
• flags -- List of flag names and their bit numbers or values.
• bit_numbers -- Whether flags specifies the bit numbers (where 0 is the
least significant bit) or values of the flags.
drgn.helpers.common.format.decode_enum_type_flags(value: drgn.IntegerLike, type:
drgn.Type, bit_numbers: bool = True) -> str
Get a human-readable representation of a bitmask of flags where the flags are
specified by an enumerated drgn.Type.
This supports enums where the values are bit numbers:
>>> print(bits_enum)
enum style_bits {
BOLD = 0,
ITALIC = 1,
UNDERLINE = 2,
}
>>> decode_enum_type_flags(5, bits_enum)
'BOLD|UNDERLINE'
Or the values of the flags:
>>> print(flags_enum)
enum style_flags {
BOLD = 1,
ITALIC = 2,
UNDERLINE = 4,
}
>>> decode_enum_type_flags(5, flags_enum, bit_numbers=False)
'BOLD|UNDERLINE'
See decode_flags().
Parameters
• value -- Bitmask to decode.
• type -- Enumerated type with bit numbers for enumerators.
• bit_numbers -- Whether the enumerator values specify the bit numbers or
values of the flags.
drgn.helpers.common.format.number_in_binary_units(n: SupportsFloat, precision: int = 1) ->
str
Format a number in binary units (i.e., "K" is 1024, "M" is 10242, etc.).
>>> number_in_binary_units(1280)
'1.2K'
A precision can be specified:
>>> number_in_binary_units(1280, precision=2)
'1.25K'
Exact numbers are printed without a fractional part:
>>> number_in_binary_units(1024 * 1024)
'1M'
Numbers less than 1024 are not scaled:
>>> number_in_binary_units(10)
'10'
Parameters
• n -- Number to format.
• precision -- Number of digits to include in fractional part.
Memory
The drgn.helpers.common.memory module provides helpers for working with memory and
addresses.
drgn.helpers.common.memory.identify_address(prog: drgn.Program, addr: drgn.IntegerLike, *,
cache: Optional[Dict[Any, Any]] = None) -> Optional[str]
Try to identify what an address refers to.
For all programs, this will identify addresses as follows:
• Object symbols (e.g., addresses in global variables): object symbol:
{symbol_name}+{hex_offset} (where hex_offset is the offset from the beginning of
the symbol in hexadecimal).
• Function symbols (i.e., addresses in functions): function symbol:
{symbol_name}+{hex_offset}.
• Other symbols: symbol: {symbol_name}+{hex_offset}.
Additionally, for the Linux kernel, this will identify:
• Allocated slab objects: slab object: {slab_cache_name}+{hex_offset} (where
hex_offset is the offset from the beginning of the object in hexadecimal).
• Free slab objects: free slab object: {slab_cache_name}+{hex_offset}.
• Vmap addresses (e.g., vmalloc, ioremap): vmap:
{hex_start_address}-{hex_end_address}. If the function that allocated the vmap is
known, this also includes caller {function_name}+{hex_offset}.
• Vmap kernel stacks: vmap stack: {pid} ({comm}) +{hex_offset} (where pid and comm
identify the task and hex_offset is the offset from the beginning of the stack in
hexadecimal).
This may recognize other types of addresses in the future.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- void *
• cache -- Opaque cache used to amortize expensive lookups. If you're going
to call this function many times in a short period, create an empty
dictionary and pass the same dictionary as cache to each call. Don't
reuse it indefinitely or you may get stale results.
Returns
Identity as string, or None if the address is unrecognized.
drgn.helpers.common.memory.print_annotated_memory(prog: drgn.Program, address:
drgn.IntegerLike, size: drgn.IntegerLike, physical: bool = False) -> None
Print the contents of a range of memory, annotating values that can be identified.
Currently, this will identify any addresses in the memory range with
identify_address().
See print_annotated_stack() for a similar function that annotates stack traces.
>>> print_annotated_memory(0xffffffff963eb200, 56)
ADDRESS VALUE
ffffffff963eb200: 00000000000000b8
ffffffff963eb208: 000000000000a828
ffffffff963eb210: 0000000000000000
ffffffff963eb218: ffff8881042948e0 [slab object: mnt_cache+0x20]
ffffffff963eb220: ffff88810074a540 [slab object: dentry+0x0]
ffffffff963eb228: ffff8881042948e0 [slab object: mnt_cache+0x20]
ffffffff963eb230: ffff88810074a540 [slab object: dentry+0x0]
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• address -- Starting address.
• size -- Number of bytes to read.
• physical -- Whether address is a physical memory address. If False, then
it is a virtual memory address.
Program Decorators
The drgn.helpers.common.prog module provides decorators to transparently use the default
program argument.
drgn.helpers.common.prog.takes_program_or_default(f: TakesProgram[P, R]) ->
TakesProgramOrDefault[P, R]
Wrap a function taking a Program so that it uses the default program argument if
omitted.
@takes_program_or_default
def my_helper(prog: Program, n: IntegerLike) -> Foo:
...
my_helper(1)
# is equivalent to
my_helper(get_default_prog(), 1)
obj = Object(...)
my_helper(obj)
# is equivalent to
my_helper(obj.prog_, obj)
drgn.helpers.common.prog.takes_object_or_program_or_default(f: Callable[Concatenate[‐
drgn.Program, Optional[drgn.Object], P], R]) -> TakesObjectOrProgramOrDefault[P, R]
Wrap a function taking a Program and an optional Object so that it accepts a
Program or an Object or neither, in which case the default program argument is
used.
@takes_object_or_program_or_default
def my_helper(prog: Program, obj: Optional[Object], n: IntegerLike) -> Foo:
...
my_helper(prog, 1)
# is equivalent to
my_helper.__wrapped__(prog, None, 1)
obj = Object(...)
my_helper(obj, 1)
# is equivalent to
my_helper.__wrapped__(obj.prog_, obj, 1)
my_helper(1)
# is equivalent to
my_helper.__wrapped__(get_default_prog(), None, 1)
one_obj = Object(..., 1)
my_helper(one_obj)
# is equivalent to
my_helper.__wrapped__(one_obj.prog_, None, one_obj)
WARNING:
This cannot be used with positional parameters with a default value, as that
would create ambiguity. Keyword-only parameters with a default value are OK.
# NOT ALLOWED
@takes_object_or_program_or_default
def my_helper(prog: Program, obj: Optional[Object], foo: str = ""): ...
# OK
@takes_object_or_program_or_default
def my_helper(prog: Program, obj: Optional[Object], *, foo: str = ""): ...
NOTE:
The object parameter can be passed as a keyword, but because of limitations of
the Python type system, type checkers do not recognize this.
Stack
The drgn.helpers.common.stack module provides helpers for working with stack traces.
drgn.helpers.common.stack.print_annotated_stack(trace: drgn.StackTrace) -> None
Print the contents of stack memory in a stack trace, annotating values that can be
identified.
Currently, this will identify any addresses on the stack with identify_address().
See print_annotated_memory() for a similar function that annotates arbitrary memory
ranges.
>>> print_annotated_stack(stack_trace(1))
STACK POINTER VALUE
[stack frame #0 at 0xffffffff8dc93c41 (__schedule+0x429/0x488) in context_switch at ./kernel/sched/core.c:5209:2 (inlined)]
[stack frame #1 at 0xffffffff8dc93c41 (__schedule+0x429/0x488) in __schedule at ./kernel/sched/core.c:6521:8]
ffffa903c0013d28: ffffffff8d8497bf [function symbol: __flush_tlb_one_user+0x5]
ffffa903c0013d30: 000000008d849eb5
ffffa903c0013d38: 0000000000000001
ffffa903c0013d40: 0000000000000004
ffffa903c0013d48: efdea37bb7cb1f00
ffffa903c0013d50: ffff926641178000 [slab object: task_struct+0x0]
ffffa903c0013d58: ffff926641178000 [slab object: task_struct+0x0]
ffffa903c0013d60: ffffa903c0013e10
ffffa903c0013d68: ffff926641177ff0 [slab object: mm_struct+0x70]
ffffa903c0013d70: ffff926641178000 [slab object: task_struct+0x0]
ffffa903c0013d78: ffff926641178000 [slab object: task_struct+0x0]
ffffa903c0013d80: ffffffff8dc93d29 [function symbol: schedule+0x89]
...
Parameters
trace -- Stack trace to print.
Types
The drgn.helpers.common.type module provides generic helpers for working with types in
ways that aren't provided by the core drgn library.
drgn.helpers.common.type.enum_type_to_class(type: drgn.Type, name: str, exclude:
Container[str] = (), prefix: str = '') -> Type[enum.IntEnum]
Get an enum.IntEnum class from an enumerated drgn.Type.
Parameters
• type -- Enumerated type to convert.
• name -- Name of the IntEnum type to create.
• exclude -- Container (e.g., list or set) of enumerator names to exclude
from the created IntEnum.
• prefix -- Prefix to strip from the beginning of enumerator names.
drgn.helpers.common.type.member_at_offset(type: drgn.Type, offset: drgn.IntegerLike) ->
str
Return the name of the member at an offset in a type.
This is effectively the opposite of offsetof().
>>> prog.type('struct list_head')
struct list_head {
struct list_head *next;
struct list_head *prev;
}
>>> member_at_offset(prog.type('struct list_head'), 0)
'next'
>>> member_at_offset(prog.type('struct list_head'), 8)
'prev'
This includes nested structures and array elements:
>>> prog.type('struct sigpending')
struct sigpending {
struct list_head list;
sigset_t signal;
}
>>> prog.type('sigset_t')
typedef struct {
unsigned long sig[1];
} sigset_t
>>> member_at_offset(prog.type('struct sigpending'), 0)
'list.next'
>>> member_at_offset(prog.type('struct sigpending'), 8)
'list.prev'
>>> member_at_offset(prog.type('struct sigpending'), 16)
'signal.sig[0]'
This also includes all possible matches for a union:
>>> prog.type('union mc_target')
union mc_target {
struct folio *folio;
swp_entry_t ent;
}
>>> prog.type('swp_entry_t')
typedef struct {
unsigned long val;
} swp_entry_t
>>> member_at_offset(prog.type('union mc_target'), 0)
'folio or ent.val'
Offsets in the middle of a member are represented:
>>> member_at_offset(prog.type('struct list_head'), 4)
'next+0x4'
Offsets in padding or past the end of the type are also represented:
>>> prog.type('struct autogroup')
struct autogroup {
struct kref kref;
struct task_group *tg;
struct rw_semaphore lock;
unsigned long id;
int nice;
}
>>> member_at_offset(prog.type('struct autogroup'), 4)
'<padding between kref and tg>'
>>> member_at_offset(prog.type('struct autogroup'), 70)
'<padding at end>'
>>> member_at_offset(prog.type('struct autogroup'), 72)
'<end>'
>>> member_at_offset(prog.type('struct autogroup'), 80)
'<past end>'
Parameters
• type -- Type to check.
• offset -- Offset in bytes.
Raises TypeError -- if type is not a structure, union, class, or array type (or a
typedef of one of those)
Experimental
The drgn.helpers.experimental package contains experimental helpers with no stability
guarantees. They may change, move to another package, or be removed. They are not
automatically imported by the CLI.
Kmodify
The drgn.helpers.experimental.kmodify module provides experimental helpers for modifying
the state of the running kernel. This works by loading a temporary kernel module, so the
kernel must support loadable kernel modules (CONFIG_MODULES=y) and allow loading unsigned
modules (CONFIG_MODULE_SIG_FORCE=n). It is currently only implemented for x86-64.
WARNING:
These helpers are powerful but extremely dangerous. Use them with care.
drgn.helpers.experimental.kmodify.write_memory(prog: drgn.Program, address:
drgn.IntegerLike, value: bytes) -> None
Write a byte string to kernel memory.
>>> os.uname().sysname
'Linux'
>>> write_memory(prog["init_uts_ns"].name.sysname.address_, b"Lol\0")
>>> os.uname().sysname
'Lol'
WARNING:
This attempts to detect writes to bad addresses and raise a FaultError, but this
is best-effort and may still crash the kernel. Writing bad data can of course
also cause a crash when the data is used. Additionally, this is not atomic, so
the data may be accessed while it is partially written.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• address -- Address to write to.
• value -- Byte string to write.
Raises FaultError -- if the address cannot be written to
drgn.helpers.experimental.kmodify.write_object(object: drgn.Object, value: Any, *,
dereference: Optional[bool] = None) -> None
Write to an object in kernel memory.
>>> os.system("uptime -p")
up 12 minutes
>>> write_object(prog["init_time_ns"].offsets.boottime.tv_sec, 1000000000)
>>> os.system("uptime -p")
up 3 decades, 1 year, 37 weeks, 1 hour, 59 minutes
WARNING:
The warnings about write_memory() also apply to write_object().
Parameters
• object -- Object to write to.
• value -- Value to write. This may be an Object or a Python value. Either
way, it will be converted to the type of object.
• dereference -- If object is a pointer, whether to dereference it. If True,
then write to the object pointed to by object (*ptr = value). If False,
then write to the pointer itself (ptr = value). This is a common source of
confusion, so it is required if object is a pointer.
Raises
• ValueError -- if object is not a reference object (i.e., its address is
not known)
• TypeError -- if object is a pointer and dereference is not given
• TypeError -- if object is not a pointer and dereference is True
drgn.helpers.experimental.kmodify.call_function(prog: drgn.Program, func: Union[str,
drgn.Object], *args: Any) -> drgn.Object
Call a function in the kernel.
Arguments can be either Objects or Python values. The function return value is
returned as an Object:
>>> # GFP_KERNEL isn't in the kernel debug info
>>> # We have to use this trick to get it.
>>> for flag in prog["gfpflag_names"]:
... if flag.name.string_() == b"GFP_KERNEL":
... GFP_KERNEL = flag.mask
... break
...
>>> # kmalloc() is actually a macro.
>>> # We have to call the underlying function.
>>> p = call_function("__kmalloc_noprof", 13, GFP_KERNEL)
>>> p
(void *)0xffff991701ef43c0
>>> identify_address(p)
'slab object: kmalloc-16+0x0'
>>> call_function("kfree", p)
(void)<absent>
>>> identify_address(p)
'free slab object: kmalloc-16+0x0'
Variadic functions are also supported:
>>> call_function("_printk", "Hello, world! %d\n", Object(prog, "int", 1234))
(int)18
>>> os.system("dmesg | tail -1")
[ 1138.223004] Hello, world! 1234
Constructed values can be passed by pointer using pass_pointer():
>>> sb = prog["init_fs"].root.mnt.mnt_sb
>>> sb.s_shrink.scan_objects
(unsigned long (*)(struct shrinker *, struct shrink_control *))super_cache_scan+0x0 = 0xffffffffbda4c487
>>> sc = pass_pointer(Object(prog, "struct shrink_control",
... {"gfp_mask": GFP_KERNEL, "nr_to_scan": 100, "nr_scanned": 100}))
>>> call_function(sb.s_shrink.scan_objects, sb.s_shrink, sc)
(unsigned long)31
If the function modifies the passed value, the pass_pointer object is updated:
>>> sc.object
(struct shrink_control){
.gfp_mask = (gfp_t)3264,
.nid = (int)0,
.nr_to_scan = (unsigned long)1,
.nr_scanned = (unsigned long)100,
.memcg = (struct mem_cgroup *)0x0,
}
NOTE:
It is not possible to call some functions, including inlined functions and
function-like macros. If the unavailable function is a wrapper around another
function, sometimes the wrapped function can be called instead.
WARNING:
Calling a function incorrectly may cause the kernel to crash or misbehave in
various ways.
The function is called from process context. Note that the function may have
context, locking, or reference counting requirements.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• func -- Function to call. May be a function name, function object, or
function pointer object.
• args -- Function arguments. int, float, and bool arguments are converted
as "literals" with Object(prog, value=...). str and bytes arguments are
converted to char array objects. pass_pointer arguments are copied to the
kernel, passed by pointer, and copied back.
Returns
Function return value.
Raises
• TypeError -- if the passed arguments have incorrect types for the function
• ObjectAbsentError -- if the function cannot be called because it is
inlined
• LookupError -- if a function with the given name is not found (possibly
because it is actually a function-like macro)
class drgn.helpers.experimental.kmodify.pass_pointer(object: Any)
Wrapper used to pass values to call_function() by pointer.
Parameters
object -- Object or Python value to wrap.
object: Any
Wrapped object. Updated to an Object containing the final value after the
function call.
Linux Kernel
The drgn.helpers.linux package contains several modules for working with data structures
and subsystems in the Linux kernel. The helpers are available from the individual modules
in which they are defined and from this top-level package. E.g., the following are both
valid:
>>> from drgn.helpers.linux.list import list_for_each_entry
>>> from drgn.helpers.linux import list_for_each_entry
Iterator macros (for_each_foo) are a common idiom in the Linux kernel. The equivalent drgn
helpers are implemented as Python generators. For example, the following code in C:
list_for_each(pos, head)
do_something_with(pos);
Translates to the following code in Python:
for pos in list_for_each(head):
do_something_with(pos)
Bit Operations
The drgn.helpers.linux.bitops module provides helpers for common bit operations in the
Linux kernel.
drgn.helpers.linux.bitops.for_each_set_bit(bitmap: drgn.Object, size: drgn.IntegerLike) ->
Iterator[int]
Iterate over all set (one) bits in a bitmap.
Parameters
• bitmap -- unsigned long *
• size -- Size of bitmap in bits.
drgn.helpers.linux.bitops.for_each_clear_bit(bitmap: drgn.Object, size: drgn.IntegerLike)
-> Iterator[int]
Iterate over all clear (zero) bits in a bitmap.
Parameters
• bitmap -- unsigned long *
• size -- Size of bitmap in bits.
drgn.helpers.linux.bitops.test_bit(nr: drgn.IntegerLike, bitmap: drgn.Object) -> bool
Return whether a bit in a bitmap is set.
Parameters
• nr -- Bit number.
• bitmap -- unsigned long *
Block Layer
The drgn.helpers.linux.block module provides helpers for working with the Linux block
layer, including disks (struct gendisk) and partitions.
Since Linux v5.11, partitions are represented by struct block_device. Before that, they
were represented by struct hd_struct.
drgn.helpers.linux.block.disk_devt(disk: drgn.Object) -> drgn.Object
Get a disk's device number.
Parameters
disk -- struct gendisk *
Returns
dev_t
drgn.helpers.linux.block.disk_name(disk: drgn.Object) -> bytes
Get the name of a disk (e.g., sda).
Parameters
disk -- struct gendisk *
drgn.helpers.linux.block.bdev_partno(bdev: drgn.Object) -> drgn.Object
Get the partition number of a block device.
Parameters
bdev -- struct block_device *
Returns
u8
drgn.helpers.linux.block.for_each_disk(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over all disks in the system.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct gendisk * objects.
drgn.helpers.linux.block.print_disks(prog: drgn.Program) -> None
Print all of the disks in the system.
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.block.part_devt(part: drgn.Object) -> drgn.Object
Get a partition's device number.
Parameters
part -- struct block_device * or struct hd_struct * depending on the kernel
version.
Returns
dev_t
drgn.helpers.linux.block.part_name(part: drgn.Object) -> bytes
Get the name of a partition (e.g., sda1).
Parameters
part -- struct block_device * or struct hd_struct * depending on the kernel
version.
drgn.helpers.linux.block.for_each_partition(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over all partitions in the system.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct block_device * or struct hd_struct * objects depending on
the kernel version.
drgn.helpers.linux.block.print_partitions(prog: drgn.Program) -> None
Print all of the partitions in the system.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Boot
The drgn.helpers.linux.boot module provides helpers for inspecting the Linux kernel boot
configuration.
drgn.helpers.linux.boot.kaslr_offset(prog: drgn.Program) -> int
Get the kernel address space layout randomization offset (zero if it is disabled).
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.boot.pgtable_l5_enabled(prog: drgn.Program) -> bool
Return whether 5-level paging is enabled.
Parameters
prog -- Program, which may be omitted to use the default program argument.
BPF
The drgn.helpers.linux.bpf module provides helpers for working with BPF interface in ‐
include/linux/bpf.h, include/linux/bpf-cgroup.h, etc.
drgn.helpers.linux.bpf.bpf_btf_for_each(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over all BTF objects.
This is only supported since Linux v4.18.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct btf * objects.
drgn.helpers.linux.bpf.bpf_link_for_each(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over all BPF links.
This is only supported since Linux v5.8.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct bpf_link * objects.
drgn.helpers.linux.bpf.bpf_map_for_each(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over all BPF maps.
This is only supported since Linux v4.13.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct bpf_map * objects.
drgn.helpers.linux.bpf.bpf_prog_for_each(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over all BPF programs.
This is only supported since Linux v4.13.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct bpf_prog * objects.
drgn.helpers.linux.bpf.cgroup_bpf_prog_for_each(cgrp: drgn.Object, bpf_attach_type:
drgn.IntegerLike) -> Iterator[drgn.Object]
Iterate over all cgroup BPF programs of the given attach type attached to the given
cgroup.
Parameters
• cgrp -- struct cgroup *
• bpf_attach_type -- enum bpf_attach_type
Returns
Iterator of struct bpf_prog * objects.
drgn.helpers.linux.bpf.cgroup_bpf_prog_for_each_effective(cgrp: drgn.Object,
bpf_attach_type: drgn.IntegerLike) -> Iterator[drgn.Object]
Iterate over all effective cgroup BPF programs of the given attach type for the
given cgroup.
Parameters
• cgrp -- struct cgroup *
• bpf_attach_type -- enum bpf_attach_type
Returns
Iterator of struct bpf_prog * objects.
Cgroup
The drgn.helpers.linux.cgroup module provides helpers for working with the cgroup
interface in include/linux/cgroup.h. Only cgroup v2 is supported.
drgn.helpers.linux.cgroup.sock_cgroup_ptr(skcd: drgn.Object) -> drgn.Object
Get the cgroup for a socket from the given struct sock_cgroup_data * (usually from
struct sock::sk_cgrp_data).
Parameters
skcd -- struct sock_cgroup_data *
Returns
struct cgroup *
drgn.helpers.linux.cgroup.cgroup_parent(cgrp: drgn.Object) -> drgn.Object
Return the parent cgroup of the given cgroup if it exists, NULL otherwise.
Parameters
cgrp -- struct cgroup *
Returns
struct cgroup *
drgn.helpers.linux.cgroup.cgroup_name(cgrp: drgn.Object) -> bytes
Get the name of the given cgroup.
Parameters
cgrp -- struct cgroup *
drgn.helpers.linux.cgroup.cgroup_path(cgrp: drgn.Object) -> bytes
Get the full path of the given cgroup.
Parameters
cgrp -- struct cgroup *
drgn.helpers.linux.cgroup.cgroup_get_from_path(prog: drgn.Program, path: drgn.Path) ->
drgn.Object
Look up a cgroup from its default hierarchy path .
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• path -- Path name.
drgn.helpers.linux.cgroup.css_next_child(pos: drgn.Object, parent: drgn.Object) ->
drgn.Object
Get the next child (or NULL if there is none) of the given parent starting from the
given position (NULL to initiate traversal).
Parameters
• pos -- struct cgroup_subsys_state *
• parent -- struct cgroup_subsys_state *
Returns
struct cgroup_subsys_state *
drgn.helpers.linux.cgroup.css_next_descendant_pre(pos: drgn.Object, root: drgn.Object) ->
drgn.Object
Get the next pre-order descendant (or NULL if there is none) of the given css root
starting from the given position (NULL to initiate traversal).
Parameters
• pos -- struct cgroup_subsys_state *
• root -- struct cgroup_subsys_state *
Returns
struct cgroup_subsys_state *
drgn.helpers.linux.cgroup.css_for_each_child(css: drgn.Object) -> Iterator[drgn.Object]
Iterate through children of the given css.
Parameters
css -- struct cgroup_subsys_state *
Returns
Iterator of struct cgroup_subsys_state * objects.
drgn.helpers.linux.cgroup.css_for_each_descendant_pre(css: drgn.Object) -> Iterator[‐
drgn.Object]
Iterate through the given css's descendants in pre-order.
Parameters
css -- struct cgroup_subsys_state *
Returns
Iterator of struct cgroup_subsys_state * objects.
CPU Masks
The drgn.helpers.linux.cpumask module provides helpers for working with CPU masks from ‐
include/linux/cpumask.h.
drgn.helpers.linux.cpumask.cpu_online_mask(prog: drgn.Program) -> drgn.Object
Return the mask of online CPUs.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
struct cpumask *
drgn.helpers.linux.cpumask.cpu_possible_mask(prog: drgn.Program) -> drgn.Object
Return the mask of possible CPUs.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
struct cpumask *
drgn.helpers.linux.cpumask.cpu_present_mask(prog: drgn.Program) -> drgn.Object
Return the mask of present CPUs.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
struct cpumask *
drgn.helpers.linux.cpumask.for_each_cpu(mask: drgn.Object) -> Iterator[int]
Iterate over all of the CPUs in the given mask.
Parameters
mask -- struct cpumask *
drgn.helpers.linux.cpumask.for_each_online_cpu(prog: drgn.Program) -> Iterator[int]
Iterate over all online CPUs.
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.cpumask.for_each_possible_cpu(prog: drgn.Program) -> Iterator[int]
Iterate over all possible CPUs.
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.cpumask.for_each_present_cpu(prog: drgn.Program) -> Iterator[int]
Iterate over all present CPUs.
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.cpumask.cpumask_to_cpulist(mask: drgn.Object) -> str
Return a CPU mask as a CPU list string.
>>> cpumask_to_cpulist(mask)
0-3,8-11
Parameters
mask -- struct cpumask *
Returns
String in the CPU list format.
Devices
The drgn.helpers.linux.device module provides helpers for working with Linux devices,
including the kernel encoding of dev_t.
drgn.helpers.linux.device.MAJOR(dev: drgn.IntegerLike) -> int
Return the major ID of a kernel dev_t.
Parameters
dev -- dev_t object or int.
drgn.helpers.linux.device.MINOR(dev: drgn.IntegerLike) -> int
Return the minor ID of a kernel dev_t.
Parameters
dev -- dev_t object or int.
drgn.helpers.linux.device.MKDEV(major: drgn.IntegerLike, minor: drgn.IntegerLike) -> int
Return a kernel dev_t from the major and minor IDs.
Parameters
• major -- Device major ID.
• minor -- Device minor ID.
Virtual Filesystem Layer
The drgn.helpers.linux.fs module provides helpers for working with the Linux virtual
filesystem (VFS) layer, including mounts, dentries, and inodes.
drgn.helpers.linux.fs.path_lookup(root: Union[drgn.Object, drgn.Program], path: drgn.Path,
*, allow_negative: bool = False) -> drgn.Object
Look up the given path name.
Parameters
• root -- struct path * to use as the root directory. Defaults to the
initial root filesystem if given a Program or omitted.
• path -- Path to lookup.
• allow_negative -- Whether to allow returning a negative dentry (i.e., a
dentry for a non-existent path).
Returns
struct path
Raises Exception -- if the dentry is negative and allow_negative is False, or if
the path is not present in the dcache. The latter does not necessarily mean
that the path does not exist; it may be uncached. On a live system, you can
make the kernel cache the path by accessing it (e.g., with open() or
os.stat()):
>>> path_lookup('/usr/include/stdlib.h')
...
Exception: could not find '/usr/include/stdlib.h' in dcache
>>> open('/usr/include/stdlib.h').close()
>>> path_lookup('/usr/include/stdlib.h')
(struct path){
.mnt = (struct vfsmount *)0xffff8b70413cdca0,
.dentry = (struct dentry *)0xffff8b702ac2c480,
}
drgn.helpers.linux.fs.d_path(path: drgn.Object) -> bytes
Return the full path of a dentry given a struct path.
Parameters
path -- struct path or struct path *
drgn.helpers.linux.fs.d_path(vfsmnt: drgn.Object, dentry: drgn.Object) -> bytes
Return the full path of a dentry given a mount and dentry.
Parameters
• vfsmnt -- struct vfsmount *
• dentry -- struct dentry *
drgn.helpers.linux.fs.d_path(dentry: drgn.Object) -> bytes
Return the full path of a dentry.
Since a mount is not provided, this arbitrarily selects a mount to determine the
path.
Parameters
dentry -- struct dentry *
drgn.helpers.linux.fs.dentry_path(dentry: drgn.Object) -> bytes
Return the path of a dentry from the root of its filesystem.
Parameters
dentry -- struct dentry *
drgn.helpers.linux.fs.inode_path(inode: drgn.Object) -> Optional[bytes]
Return any path of an inode from the root of its filesystem.
Parameters
inode -- struct inode *
Returns
Path, or None if the inode has no aliases.
drgn.helpers.linux.fs.inode_paths(inode: drgn.Object) -> Iterator[bytes]
Return an iterator over all of the paths of an inode from the root of its
filesystem.
Parameters
inode -- struct inode *
drgn.helpers.linux.fs.mount_src(mnt: drgn.Object) -> bytes
Get the source device name for a mount.
Parameters
mnt -- struct mount *
drgn.helpers.linux.fs.mount_dst(mnt: drgn.Object) -> bytes
Get the path of a mount point.
Parameters
mnt -- struct mount *
drgn.helpers.linux.fs.mount_fstype(mnt: drgn.Object) -> bytes
Get the filesystem type of a mount.
Parameters
mnt -- struct mount *
drgn.helpers.linux.fs.for_each_mount(ns: Union[drgn.Object, drgn.Program], *, src:
Optional[drgn.Path] = None, dst: Optional[drgn.Path] = None, fstype: Optional[Union[str,
bytes]] = None) -> Iterator[drgn.Object]
Iterate over all of the mounts in a given namespace.
Parameters
• ns -- struct mnt_namespace *. Defaults to the initial mount namespace if
given a Program or omitted.
• src -- Only include mounts with this source device name.
• dst -- Only include mounts with this destination path.
• fstype -- Only include mounts with this filesystem type.
Returns
Iterator of struct mount * objects.
drgn.helpers.linux.fs.print_mounts(ns: Union[drgn.Object, drgn.Program], *, src:
Optional[drgn.Path] = None, dst: Optional[drgn.Path] = None, fstype: Optional[Union[str,
bytes]] = None) -> None
Print the mount table of a given namespace. The arguments are the same as
for_each_mount(). The output format is similar to /proc/mounts but prints the value
of each struct mount *.
drgn.helpers.linux.fs.fget(task: drgn.Object, fd: drgn.IntegerLike) -> drgn.Object
Return the kernel file descriptor of the fd of a given task.
Parameters
• task -- struct task_struct *
• fd -- File descriptor.
Returns
struct file *
drgn.helpers.linux.fs.for_each_file(task: drgn.Object) -> Iterator[Tuple[int,
drgn.Object]]
Iterate over all of the files open in a given task.
Parameters
task -- struct task_struct *
Returns
Iterator of (fd, struct file *) tuples.
drgn.helpers.linux.fs.print_files(task: drgn.Object) -> None
Print the open files of a given task.
Parameters
task -- struct task_struct *
IDR
The drgn.helpers.linux.idr module provides helpers for working with the IDR data structure
in include/linux/idr.h. An IDR provides a mapping from an ID to a pointer.
drgn.helpers.linux.idr.idr_find(idr: drgn.Object, id: drgn.IntegerLike) -> drgn.Object
Look up the entry with the given ID in an IDR.
Parameters
• idr -- struct idr *
• id -- Entry ID.
Returns
void * found entry, or NULL if not found.
drgn.helpers.linux.idr.idr_for_each(idr: drgn.Object) -> Iterator[Tuple[int, drgn.Object]]
Iterate over all of the pointers in an IDR.
Parameters
idr -- struct idr *
Returns
Iterator of (index, void *) tuples.
drgn.helpers.linux.idr.idr_for_each_entry(idr: drgn.Object, type: Union[str, drgn.Type])
-> Iterator[Tuple[int, drgn.Object]]
Iterate over all of the entries with the given type in an IDR.
Parameters
• idr -- struct idr *
• type -- Entry type.
Returns
Iterator of (index, type *) tuples.
Kconfig
The drgn.helpers.linux.kconfig module provides helpers for reading the Linux kernel build
configuration.
drgn.helpers.linux.kconfig.get_kconfig(prog: drgn.Program) -> Mapping[str, str]
Get the kernel build configuration as a mapping from the option name to the value.
>>> get_kconfig()['CONFIG_SMP']
'y'
>>> get_kconfig()['CONFIG_HZ']
'300'
This is only supported if the kernel was compiled with CONFIG_IKCONFIG. Note that
most Linux distributions do not enable this option.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Kernfs
The drgn.helpers.linux.kernfs module provides helpers for working with the kernfs pseudo
filesystem interface in include/linux/kernfs.h.
drgn.helpers.linux.kernfs.kernfs_name(kn: drgn.Object) -> bytes
Get the name of the given kernfs node.
Parameters
kn -- struct kernfs_node *
drgn.helpers.linux.kernfs.kernfs_path(kn: drgn.Object) -> bytes
Get full path of the given kernfs node.
Parameters
kn -- struct kernfs_node *
drgn.helpers.linux.kernfs.kernfs_walk(parent: drgn.Object, path: drgn.Path) -> drgn.Object
Find the kernfs node with the given path from the given parent kernfs node.
Parameters
• parent -- struct kernfs_node *
• path -- Path name.
Returns
struct kernfs_node * (NULL if not found)
Linked Lists
The drgn.helpers.linux.list module provides helpers for working with the doubly-linked
list implementations (struct list_head and struct hlist_head) in include/linux/list.h.
drgn.helpers.linux.list.list_empty(head: drgn.Object) -> bool
Return whether a list is empty.
Parameters
head -- struct list_head *
drgn.helpers.linux.list.list_is_singular(head: drgn.Object) -> bool
Return whether a list has only one element.
Parameters
head -- struct list_head *
drgn.helpers.linux.list.list_count_nodes(head: drgn.Object) -> int
Return the number of nodes in a list.
Parameters
head -- struct list_head *
drgn.helpers.linux.list.list_first_entry(head: drgn.Object, type: Union[str, drgn.Type],
member: str) -> drgn.Object
Return the first entry in a list.
The list is assumed to be non-empty.
See also list_first_entry_or_null().
Parameters
• head -- struct list_head *
• type -- Entry type.
• member -- Name of list node member in entry type.
Returns
type *
drgn.helpers.linux.list.list_first_entry_or_null(head: drgn.Object, type: Union[str,
drgn.Type], member: str) -> drgn.Object
Return the first entry in a list or NULL if the list is empty.
See also list_first_entry().
Parameters
• head -- struct list_head *
• type -- Entry type.
• member -- Name of list node member in entry type.
Returns
type *
drgn.helpers.linux.list.list_last_entry(head: drgn.Object, type: Union[str, drgn.Type],
member: str) -> drgn.Object
Return the last entry in a list.
The list is assumed to be non-empty.
Parameters
• head -- struct list_head *
• type -- Entry type.
• member -- Name of list node member in entry type.
Returns
type *
drgn.helpers.linux.list.list_next_entry(pos: drgn.Object, member: str) -> drgn.Object
Return the next entry in a list.
Parameters
• pos -- type*
• member -- Name of list node member in entry type.
Returns
type *
drgn.helpers.linux.list.list_prev_entry(pos: drgn.Object, member: str) -> drgn.Object
Return the previous entry in a list.
Parameters
• pos -- type*
• member -- Name of list node member in entry type.
Returns
type *
drgn.helpers.linux.list.list_for_each(head: drgn.Object) -> Iterator[drgn.Object]
Iterate over all of the nodes in a list.
Parameters
head -- struct list_head *
Returns
Iterator of struct list_head * objects.
drgn.helpers.linux.list.list_for_each_reverse(head: drgn.Object) -> Iterator[drgn.Object]
Iterate over all of the nodes in a list in reverse order.
Parameters
head -- struct list_head *
Returns
Iterator of struct list_head * objects.
drgn.helpers.linux.list.list_for_each_entry(type: Union[str, drgn.Type], head:
drgn.Object, member: str) -> Iterator[drgn.Object]
Iterate over all of the entries in a list.
Parameters
• type -- Entry type.
• head -- struct list_head *
• member -- Name of list node member in entry type.
Returns
Iterator of type * objects.
drgn.helpers.linux.list.list_for_each_entry_reverse(type: Union[str, drgn.Type], head:
drgn.Object, member: str) -> Iterator[drgn.Object]
Iterate over all of the entries in a list in reverse order.
Parameters
• type -- Entry type.
• head -- struct list_head *
• member -- Name of list node member in entry type.
Returns
Iterator of type * objects.
drgn.helpers.linux.list.validate_list(head: drgn.Object) -> None
Validate that the next and prev pointers in a list are consistent.
Parameters
head -- struct list_head *
Raises ValidationError -- if the list is invalid
drgn.helpers.linux.list.validate_list_for_each(head: drgn.Object) -> Iterator[drgn.Object]
Like list_for_each(), but validates the list like validate_list() while iterating.
Parameters
head -- struct list_head *
Raises ValidationError -- if the list is invalid
drgn.helpers.linux.list.validate_list_for_each_entry(type: Union[str, drgn.Type], head:
drgn.Object, member: str) -> Iterator[drgn.Object]
Like list_for_each_entry(), but validates the list like validate_list() while
iterating.
Parameters
• type -- Entry type.
• head -- struct list_head *
• member -- Name of list node member in entry type.
Raises ValidationError -- if the list is invalid
drgn.helpers.linux.list.hlist_empty(head: drgn.Object) -> bool
Return whether a hash list is empty.
Parameters
head -- struct hlist_head *
drgn.helpers.linux.list.hlist_for_each(head: drgn.Object) -> Iterator[drgn.Object]
Iterate over all of the nodes in a hash list.
Parameters
head -- struct hlist_head *
Returns
Iterator of struct hlist_node * objects.
drgn.helpers.linux.list.hlist_for_each_entry(type: Union[str, drgn.Type], head:
drgn.Object, member: str) -> Iterator[drgn.Object]
Iterate over all of the entries in a hash list.
Parameters
• type -- Entry type.
• head -- struct hlist_head *
• member -- Name of list node member in entry type.
Returns
Iterator of type * objects.
Nulls Lists
The drgn.helpers.linux.list_nulls module provides helpers for working with the special
version of lists (struct hlist_nulls_head and struct hlist_nulls_node) in ‐
include/linux/list_nulls.h where the end of list is not a NULL pointer, but a "nulls"
marker.
drgn.helpers.linux.list_nulls.is_a_nulls(pos: drgn.Object) -> bool
Return whether a a pointer is a nulls marker.
Parameters
pos -- struct hlist_nulls_node *
drgn.helpers.linux.list_nulls.hlist_nulls_empty(head: drgn.Object) -> bool
Return whether a nulls hash list is empty.
Parameters
head -- struct hlist_nulls_head *
drgn.helpers.linux.list_nulls.hlist_nulls_for_each_entry(type: Union[str, drgn.Type],
head: drgn.Object, member: str) -> Iterator[drgn.Object]
Iterate over all the entries in a nulls hash list.
Parameters
• type -- Entry type.
• head -- struct hlist_nulls_head *
• member -- Name of list node member in entry type.
Returns
Iterator of type * objects.
Lockless Lists
The drgn.helpers.linux.llist module provides helpers for working with the lockless,
NULL-terminated, singly-linked list implementation in include/linux/llist.h (struct
llist_head and struct llist_node).
drgn.helpers.linux.llist.llist_empty(head: drgn.Object) -> bool
Return whether an llist is empty.
Parameters
head -- struct llist_head *
drgn.helpers.linux.llist.llist_is_singular(head: drgn.Object) -> bool
Return whether an llist has only one element.
Parameters
head -- struct llist_head *
drgn.helpers.linux.llist.llist_first_entry(head: drgn.Object, type: Union[str, drgn.Type],
member: str) -> drgn.Object
Return the first entry in an llist.
The list is assumed to be non-empty.
See also llist_first_entry_or_null().
Parameters
• head -- struct llist_head *
• type -- Entry type.
• member -- Name of struct llist_node member in entry type.
Returns
type *
drgn.helpers.linux.llist.llist_first_entry_or_null(head: drgn.Object, type: Union[str,
drgn.Type], member: str) -> drgn.Object
Return the first entry in an llist or NULL if the llist is empty.
See also llist_first_entry().
Parameters
• head -- struct llist_head *
• type -- Entry type.
• member -- Name of struct llist_node member in entry type.
Returns
type *
drgn.helpers.linux.llist.llist_next_entry(pos: drgn.Object, member: str) -> drgn.Object
Return the next entry in an llist.
Parameters
• pos -- type*
• member -- Name of struct llist_node member in entry type.
Returns
type *
drgn.helpers.linux.llist.llist_for_each(node: drgn.Object) -> Iterator[drgn.Object]
Iterate over all of the nodes in an llist starting from a given node.
Parameters
node -- struct llist_node *
Returns
Iterator of struct llist_node * objects.
drgn.helpers.linux.llist.llist_for_each_entry(type: Union[str, drgn.Type], node:
drgn.Object, member: str) -> Iterator[drgn.Object]
Iterate over all of the entries in an llist starting from a given node.
Parameters
• type -- Entry type.
• node -- struct llist_node *
• member -- Name of struct llist_node member in entry type.
Returns
Iterator of type * objects.
Maple Trees
The drgn.helpers.linux.mapletree module provides helpers for working with maple trees from
include/linux/maple_tree.h.
Maple trees were introduced in Linux 6.1.
drgn.helpers.linux.mapletree.mtree_load(mt: drgn.Object, index: drgn.IntegerLike, *,
advanced: bool = False) -> drgn.Object
Look up the entry at a given index in a maple tree.
>>> entry = mtree_load(task.mm.mm_mt.address_of_(), 0x55d65cfaa000)
>>> cast("struct vm_area_struct *", entry)
*(struct vm_area_struct *)0xffff97ad82bfc930 = {
...
}
Parameters
• mt -- struct maple_tree *
• index -- Entry index.
• advanced -- Whether to return nodes only visible to the maple tree
advanced API. If False, zero entries (see xa_is_zero()) will be returned
as NULL.
Returns
void * found entry, or NULL if not found.
drgn.helpers.linux.mapletree.mt_for_each(mt: drgn.Object, *, advanced: bool = False) ->
Iterator[Tuple[int, int, drgn.Object]]
Iterate over all of the entries and their ranges in a maple tree.
>>> for first_index, last_index, entry in mt_for_each(task.mm.mm_mt.address_of_()):
... print(hex(first_index), hex(last_index), entry)
...
0x55d65cfaa000 0x55d65cfaafff (void *)0xffff97ad82bfc930
0x55d65cfab000 0x55d65cfabfff (void *)0xffff97ad82bfc0a8
0x55d65cfac000 0x55d65cfacfff (void *)0xffff97ad82bfc000
0x55d65cfad000 0x55d65cfadfff (void *)0xffff97ad82bfcb28
...
Parameters
• mt -- struct maple_tree *
• advanced -- Whether to return nodes only visible to the maple tree
advanced API. If False, zero entries (see xa_is_zero()) will be skipped.
Returns
Iterator of (first_index, last_index, void *) tuples. Both indices are
inclusive.
Memory Management
The drgn.helpers.linux.mm module provides helpers for working with the Linux memory
management (MM) subsystem.
Helpers that translate virtual addresses or read virtual memory may fail for multiple
reasons:
1. If the address is invalid.
2. If the address is swapped or paged out.
3. If the address is in high memory. High memory is only used for userspace memory by
32-bit systems with a lot of physical memory, and only if CONFIG_HIGHMEM is enabled.
3a. If the page table is in high memory. This is only possible if CONFIG_HIGHPTE is
enabled.
drgn.helpers.linux.mm.PageActive(page: drgn.Object) -> bool
Return whether the PG_active flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageChecked(page: drgn.Object) -> bool
Return whether the PG_checked flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageDirty(page: drgn.Object) -> bool
Return whether the PG_dirty flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageDoubleMap(page: drgn.Object) -> bool
Return whether the PG_double_map flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageError(page: drgn.Object) -> bool
Return whether the PG_error flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageForeign(page: drgn.Object) -> bool
Return whether the PG_foreign flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageHWPoison(page: drgn.Object) -> bool
Return whether the PG_hwpoison flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageHasHWPoisoned(page: drgn.Object) -> bool
Return whether the PG_has_hwpoisoned flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageIdle(page: drgn.Object) -> bool
Return whether the PG_idle flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageIsolated(page: drgn.Object) -> bool
Return whether the PG_isolated flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageLRU(page: drgn.Object) -> bool
Return whether the PG_lru flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageLocked(page: drgn.Object) -> bool
Return whether the PG_locked flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageMappedToDisk(page: drgn.Object) -> bool
Return whether the PG_mappedtodisk flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageMlocked(page: drgn.Object) -> bool
Return whether the PG_mlocked flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageOwnerPriv1(page: drgn.Object) -> bool
Return whether the PG_owner_priv_1 flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PagePinned(page: drgn.Object) -> bool
Return whether the PG_pinned flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PagePrivate(page: drgn.Object) -> bool
Return whether the PG_private flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PagePrivate2(page: drgn.Object) -> bool
Return whether the PG_private_2 flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageReadahead(page: drgn.Object) -> bool
Return whether the PG_readahead flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageReclaim(page: drgn.Object) -> bool
Return whether the PG_reclaim flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageReferenced(page: drgn.Object) -> bool
Return whether the PG_referenced flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageReported(page: drgn.Object) -> bool
Return whether the PG_reported flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageReserved(page: drgn.Object) -> bool
Return whether the PG_reserved flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageSavePinned(page: drgn.Object) -> bool
Return whether the PG_savepinned flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageSkipKASanPoison(page: drgn.Object) -> bool
Return whether the PG_skip_kasan_poison flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageSlobFree(page: drgn.Object) -> bool
Return whether the PG_slob_free flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageSwapBacked(page: drgn.Object) -> bool
Return whether the PG_swapbacked flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageUncached(page: drgn.Object) -> bool
Return whether the PG_uncached flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageUnevictable(page: drgn.Object) -> bool
Return whether the PG_unevictable flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageUptodate(page: drgn.Object) -> bool
Return whether the PG_uptodate flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageVmemmapSelfHosted(page: drgn.Object) -> bool
Return whether the PG_vmemmap_self_hosted flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageWaiters(page: drgn.Object) -> bool
Return whether the PG_waiters flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageWorkingset(page: drgn.Object) -> bool
Return whether the PG_workingset flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageWriteback(page: drgn.Object) -> bool
Return whether the PG_writeback flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageXenRemapped(page: drgn.Object) -> bool
Return whether the PG_xen_remapped flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageYoung(page: drgn.Object) -> bool
Return whether the PG_young flag is set on a page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageSlab(page: drgn.Object) -> bool
Return whether a page belongs to the slab allocator.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageCompound(page: drgn.Object) -> bool
Return whether a page is part of a compound page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageHead(page: drgn.Object) -> bool
Return whether a page is a head page in a compound page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.PageTail(page: drgn.Object) -> bool
Return whether a page is a tail page in a compound page.
Parameters
page -- struct page *
drgn.helpers.linux.mm.compound_head(page: drgn.Object) -> drgn.Object
Get the head page associated with a page.
If page is a tail page, this returns the head page of the compound page it belongs
to. Otherwise, it returns page.
Parameters
page -- struct page *
Returns
struct page *
drgn.helpers.linux.mm.compound_order(page: drgn.Object) -> drgn.Object
Return the allocation order of a potentially compound page.
Parameters
page -- struct page *
Returns
unsigned int
drgn.helpers.linux.mm.compound_nr(page: drgn.Object) -> drgn.Object
Return the number of pages in a potentially compound page.
Parameters
page -- struct page *
Returns
unsigned long
drgn.helpers.linux.mm.page_size(page: drgn.Object) -> drgn.Object
Return the number of bytes in a potentially compound page.
Parameters
page -- struct page *
Returns
unsigned long
drgn.helpers.linux.mm.decode_page_flags(page: drgn.Object) -> str
Get a human-readable representation of the flags set on a page.
>>> decode_page_flags(page)
'PG_uptodate|PG_dirty|PG_lru|PG_reclaim|PG_swapbacked|PG_readahead|PG_savepinned|PG_isolated|PG_reported'
Parameters
page -- struct page *
drgn.helpers.linux.mm.for_each_page(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over every struct page * from the minimum to the maximum page.
NOTE:
This may include offline pages which don't have a valid struct page. Wrap
accesses in a try ... except drgn.FaultError:
>>> for page in for_each_page():
... try:
... if PageLRU(page):
... print(hex(page))
... except drgn.FaultError:
... continue
0xfffffb4a000c0000
0xfffffb4a000c0040
...
This may be fixed in the future.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct page * objects.
drgn.helpers.linux.mm.PFN_PHYS(prog: drgn.Program, pfn: drgn.IntegerLike) -> drgn.Object
Get the physical address of a page frame number (PFN).
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• pfn -- unsigned long
Returns
phys_addr_t
drgn.helpers.linux.mm.PHYS_PFN(prog: drgn.Program, addr: drgn.IntegerLike) -> drgn.Object
Get the page frame number (PFN) of a physical address.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- phys_addr_t
Returns
unsigned long
drgn.helpers.linux.mm.page_to_pfn(page: drgn.Object) -> drgn.Object
Get the page frame number (PFN) of a page.
Parameters
page -- struct page *
Returns
unsigned long
drgn.helpers.linux.mm.page_to_phys(page: drgn.Object) -> drgn.Object
Get the physical address of a page.
Parameters
page -- struct page *
Returns
phys_addr_t
drgn.helpers.linux.mm.page_to_virt(page: drgn.Object) -> drgn.Object
Get the directly mapped virtual address of a page.
Parameters
page -- struct page *
Returns
void *
drgn.helpers.linux.mm.pfn_to_page(prog: drgn.Program, pfn: drgn.IntegerLike) ->
drgn.Object
Get the page with a page frame number (PFN).
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• pfn -- unsigned long
Returns
struct page *
drgn.helpers.linux.mm.pfn_to_virt(prog: drgn.Program, pfn: drgn.IntegerLike) ->
drgn.Object
Get the directly mapped virtual address of a page frame number (PFN).
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• pfn -- unsigned long
Returns
void *
drgn.helpers.linux.mm.phys_to_page(prog: drgn.Program, addr: drgn.IntegerLike) ->
drgn.Object
Get the page containing a physical address.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- phys_addr_t
Returns
struct page *
drgn.helpers.linux.mm.phys_to_virt(prog: drgn.Program, addr: drgn.IntegerLike) ->
drgn.Object
Get the directly mapped virtual address of a physical address.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- phys_addr_t
Returns
void *
drgn.helpers.linux.mm.virt_to_page(prog: drgn.Program, addr: drgn.IntegerLike) ->
drgn.Object
Get the page containing a directly mapped virtual address.
NOTE:
This only works for virtual addresses from the "direct map". This includes
address from:
• kmalloc
• Slab allocator
• Page allocator
But not:
• vmalloc
• vmap
• ioremap
• Symbols (function pointers, global variables)
For vmalloc or vmap addresses, use vmalloc_to_page(addr). For arbitrary kernel
addresses, use follow_page(prog["init_mm"].address_of_(), addr).
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- void *
Returns
struct page *
drgn.helpers.linux.mm.virt_to_pfn(prog: drgn.Program, addr: drgn.IntegerLike) ->
drgn.Object
Get the page frame number (PFN) of a directly mapped virtual address.
NOTE:
This only works for virtual addresses from the "direct map". For vmalloc or vmap
addresses, use vmalloc_to_pfn(addr). For arbitrary kernel addresses, use
follow_pfn(prog["init_mm"].address_of_(), addr).
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- void *
Returns
unsigned long
drgn.helpers.linux.mm.virt_to_phys(prog: drgn.Program, addr: drgn.IntegerLike) ->
drgn.Object
Get the physical address of a directly mapped virtual address.
NOTE:
This only works for virtual addresses from the "direct map". For arbitrary
kernel addresses, use follow_phys(prog["init_mm"].address_of_(), addr).
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- void *
Returns
phys_addr_t
drgn.helpers.linux.mm.follow_page(mm: drgn.Object, addr: drgn.IntegerLike) -> drgn.Object
Get the page that a virtual address maps to in a virtual address space.
>>> task = find_task(113)
>>> follow_page(task.mm, 0x7fffbbb6d4d0)
*(struct page *)0xffffbe4bc0337b80 = {
...
}
Parameters
• mm -- struct mm_struct *
• addr -- void *
Returns
struct page *
Raises
• FaultError -- if the virtual address cannot be translated
• NotImplementedError -- if virtual address translation is not supported for
this architecture yet
drgn.helpers.linux.mm.follow_pfn(mm: drgn.Object, addr: drgn.IntegerLike) -> drgn.Object
Get the page frame number (PFN) that a virtual address maps to in a virtual address
space.
>>> task = find_task(113)
>>> follow_pfn(task.mm, 0x7fffbbb6d4d0)
(unsigned long)52718
Parameters
• mm -- struct mm_struct *
• addr -- void *
Returns
unsigned long
Raises
• FaultError -- if the virtual address cannot be translated
• NotImplementedError -- if virtual address translation is not supported for
this architecture yet
drgn.helpers.linux.mm.follow_phys(mm: drgn.Object, addr: drgn.IntegerLike) -> drgn.Object
Get the physical address that a virtual address maps to in a virtual address space.
>>> task = find_task(113)
>>> follow_phys(task.mm, 0x7fffbbb6d4d0)
(phys_addr_t)215934160
Parameters
• mm -- struct mm_struct *
• addr -- void *
Returns
phys_addr_t
Raises
• FaultError -- if the virtual address cannot be translated
• NotImplementedError -- if virtual address translation is not supported for
this architecture yet
drgn.helpers.linux.mm.vmalloc_to_page(prog: drgn.Program, addr: drgn.IntegerLike) ->
drgn.Object
Get the page containing a vmalloc or vmap address.
>>> task = find_task(113)
>>> vmalloc_to_page(task.stack)
*(struct page *)0xffffbe4bc00a2200 = {
...
}
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- void *
Returns
struct page *
drgn.helpers.linux.mm.vmalloc_to_pfn(prog: drgn.Program, addr: drgn.IntegerLike) ->
drgn.Object
Get the page frame number (PFN) containing a vmalloc or vmap address.
>>> task = find_task(113)
>>> vmalloc_to_pfn(task.stack)
(unsigned long)10376
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- void *
Returns
unsigned long
drgn.helpers.linux.mm.find_vmap_area(prog: drgn.Program, addr: drgn.IntegerLike) ->
drgn.Object
Return the struct vmap_area * containing an address.
>>> find_vmap_area(0xffffa2b680081000)
*(struct vmap_area *)0xffffa16541046b40 = {
...
}
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- Address to look up.
Returns
struct vmap_area * (NULL if not found)
drgn.helpers.linux.mm.for_each_vmap_area(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over every struct vmap_area * on the system.
>>> for va in for_each_vmap_area():
... caller = ""
... if va.vm:
... sym = prog.symbol(va.vm.caller)
... if sym:
... caller = f" {sym.name}"
... print(f"{hex(va.va_start)}-{hex(va.va_end)}{caller}")
...
0xffffa2b680000000-0xffffa2b680005000 irq_init_percpu_irqstack
0xffffa2b680005000-0xffffa2b680007000 acpi_os_map_iomem
0xffffa2b68000b000-0xffffa2b68000d000 hpet_enable
0xffffa2b680080000-0xffffa2b680085000 kernel_clone
...
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct vmap_area * objects.
drgn.helpers.linux.mm.access_process_vm(task: drgn.Object, address: drgn.IntegerLike,
size: drgn.IntegerLike) -> bytes
Read memory from a task's virtual address space.
>>> task = find_task(1490152)
>>> access_process_vm(task, 0x7f8a62b56da0, 12)
b'hello, world'
Parameters
• task -- struct task_struct *
• address -- Starting address.
• size -- Number of bytes to read.
Raises
• FaultError -- if the virtual address cannot be translated
• NotImplementedError -- if virtual address translation is not supported for
this architecture yet
drgn.helpers.linux.mm.access_remote_vm(mm: drgn.Object, address: drgn.IntegerLike, size:
drgn.IntegerLike) -> bytes
Read memory from a virtual address space. This is similar to access_process_vm(),
but it takes a struct mm_struct * instead of a struct task_struct *.
>>> task = find_task(1490152)
>>> access_remote_vm(task.mm, 0x7f8a62b56da0, 12)
b'hello, world'
Parameters
• mm -- struct mm_struct *
• address -- Starting address.
• size -- Number of bytes to read.
Raises
• FaultError -- if the virtual address cannot be translated
• NotImplementedError -- if virtual address translation is not supported for
this architecture yet
drgn.helpers.linux.mm.cmdline(task: drgn.Object) -> Optional[List[bytes]]
Get the list of command line arguments of a task, or None for kernel tasks.
>>> cmdline(find_task(1495216))
[b'vim', b'drgn/helpers/linux/mm.py']
$ tr '\0' ' ' < /proc/1495216/cmdline
vim drgn/helpers/linux/mm.py
Parameters
task -- struct task_struct *
Raises
• FaultError -- if the virtual address containing the command line cannot be
translated
• NotImplementedError -- if virtual address translation is not supported for
this architecture yet
drgn.helpers.linux.mm.environ(task: drgn.Object) -> Optional[List[bytes]]
Get the list of environment variables of a task, or None for kernel tasks.
>>> environ(find_task(1497797))
[b'HOME=/root', b'PATH=/usr/local/sbin:/usr/local/bin:/usr/bin', b'LOGNAME=root']
$ tr '\0' '\n' < /proc/1497797/environ
HOME=/root
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
LOGNAME=root
Parameters
task -- struct task_struct *
Raises
• FaultError -- if the virtual address containing the environment cannot be
translated
• NotImplementedError -- if virtual address translation is not supported for
this architecture yet
drgn.helpers.linux.mm.vma_find(mm: drgn.Object, addr: drgn.IntegerLike) -> drgn.Object
Return the virtual memory area (VMA) containing an address.
Parameters
• mm -- struct mm_struct *
• addr -- Address to look up.
Returns
struct vm_area_struct * (NULL if not found)
drgn.helpers.linux.mm.for_each_vma(mm: drgn.Object) -> Iterator[drgn.Object]
Iterate over every virtual memory area (VMA) in a virtual address space.
>>> for vma in for_each_vma(task.mm):
... print(vma)
...
*(struct vm_area_struct *)0xffff97ad82bfc930 = {
...
}
*(struct vm_area_struct *)0xffff97ad82bfc0a8 = {
...
}
...
Parameters
mm -- struct mm_struct *
Returns
Iterator of struct vm_area_struct * objects.
drgn.helpers.linux.mm.totalram_pages(prog: drgn.Program) -> int
Return the total number of RAM pages.
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.mm.in_direct_map(prog: drgn.Program, addr: drgn.IntegerLike) -> bool
Return True if an address is within the kernel's direct memory mapping :param prog:
Program, which may be omitted to use the default program argument.:param addr:
address to check
Modules
The drgn.helpers.linux.module module contains helpers for working with loaded kernel
modules.
drgn.helpers.linux.module.for_each_module(prog: drgn.Program) -> Iterable[drgn.Object]
Returns all loaded kernel modules
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterable of struct module * objects
drgn.helpers.linux.module.find_module(prog: drgn.Program, name: Union[str, bytes]) ->
drgn.Object
Lookup a kernel module by name, or return NULL if not found
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• name -- name to search for
Returns
the struct module * by that name, or NULL
drgn.helpers.linux.module.module_percpu_region(mod: drgn.Object) -> Tuple[int, int]
Lookup the percpu memory region of a module.
Given a struct module *, return the address (as a an int) and the length of the
percpu memory region. Modules may have a NULL percpu region, in which case (0, 0)
is returned. Rarely, on kernels without CONFIG_SMP, there is no percpu region at
all, and this function returns (0, 0)
Parameters
mod -- Object of type struct module *
Returns
(base, size) of the module percpu region
drgn.helpers.linux.module.module_address_regions(mod: drgn.Object) -> List[Tuple[int,
int]]
Returns a list of address ranges for a module
Given a struct module *, return every address range associated with the module.
Note that the number of address ranges and their interpretations vary across kernel
versions. Some kernel versions provide additional information about some regions
(e.g. text, data, R/O, init). This API doesn't distinguish. However, this API does
not provide the module's percpu region: use module_percpu_region() for that.
Parameters
mod -- Object of type struct module *
Returns
list of tuples: (starting memory address, length of address range)
drgn.helpers.linux.module.address_to_module(prog: drgn.Program, addr: drgn.IntegerLike) ->
drgn.Object
Return the struct module * associated with a memory address
If the address is a text, data, or read-only data address associated with a kernel
module, then this function returns the module it is associated with. Otherwise,
returns NULL. Note that dynamic memory (e.g. slab objects) generally can't be
associated with the module that allocated it. Further, static & dynamic per-cpu
address cannot be associated with their associated module either.
Normally, this lookup is efficient, thanks to CONFIG_MODULES_TREE_LOOKUP, which
provides a red-black tree of module address ranges, and is very commonly enabled.
However, on some uncommon configurations the rbtree may not be present. In those
cases, we fall back to a linear search of each kernel module's memory regions.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- memory address to lookup
Returns
the struct module * associated with the memory, or NULL
Networking
The drgn.helpers.linux.net module provides helpers for working with the Linux kernel
networking subsystem.
drgn.helpers.linux.net.SOCKET_I(inode: drgn.Object) -> drgn.Object
Get a socket from an inode referring to the socket.
Parameters
inode -- struct inode *
Returns
struct socket *
Raises ValueError -- If inode does not refer to a socket
drgn.helpers.linux.net.SOCK_INODE(sock: drgn.Object) -> drgn.Object
Get the inode of a socket.
Parameters
sock -- struct socket *
Returns
struct inode *
drgn.helpers.linux.net.for_each_net(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over all network namespaces in the system.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct net * objects.
drgn.helpers.linux.net.get_net_ns_by_inode(inode: drgn.Object) -> drgn.Object
Get a network namespace from a network namespace NSFS inode, e.g.
/proc/$PID/ns/net or /var/run/netns/$NAME.
Parameters
inode -- struct inode *
Returns
struct net *
Raises ValueError -- if inode is not a network namespace inode
drgn.helpers.linux.net.get_net_ns_by_fd(task: drgn.Object, fd: drgn.IntegerLike) ->
drgn.Object
Get a network namespace from a task and a file descriptor referring to a network
namespace NSFS inode, e.g. /proc/$PID/ns/net or /var/run/netns/$NAME.
Parameters
• task -- struct task_struct *
• fd -- File descriptor.
Returns
struct net *
Raises ValueError -- If fd does not refer to a network namespace inode
drgn.helpers.linux.net.netdev_for_each_tx_queue(dev: drgn.Object) -> Iterator[drgn.Object]
Iterate over all TX queues for a network device.
Parameters
dev -- struct net_device *
Returns
Iterator of struct netdev_queue * objects.
drgn.helpers.linux.net.netdev_get_by_index(net: Union[drgn.Object, drgn.Program], ifindex:
drgn.IntegerLike) -> drgn.Object
Get the network device with the given interface index number.
Parameters
• net -- struct net *. Defaults to the initial network namespace if given a
Program or omitted.
• ifindex -- Network interface index number.
Returns
struct net_device * (NULL if not found)
drgn.helpers.linux.net.netdev_get_by_name(net: Union[drgn.Object, drgn.Program], name:
Union[str, bytes]) -> drgn.Object
Get the network device with the given interface name.
Parameters
• net -- struct net *. Defaults to the initial network namespace if given a
Program or omitted.
• name -- Network interface name.
Returns
struct net_device * (NULL if not found)
drgn.helpers.linux.net.netdev_priv(dev: drgn.Object, type: Union[str, drgn.Type] = 'void')
-> drgn.Object
Return the private data of a network device.
>>> dev = netdev_get_by_name("wlp0s20f3")
>>> netdev_priv(dev)
(void *)0xffff9419c9dec9c0
>>> netdev_priv(dev, "struct ieee80211_sub_if_data")
*(struct ieee80211_sub_if_data *)0xffff9419c9dec9c0 = {
...
}
Parameters
• dev -- struct net_device *
• type -- Type of private data.
Returns
type *
drgn.helpers.linux.net.sk_fullsock(sk: drgn.Object) -> bool
Check whether a socket is a full socket, i.e., not a time-wait or request socket.
Parameters
sk -- struct sock *
drgn.helpers.linux.net.sk_nulls_for_each(head: drgn.Object) -> Iterator[drgn.Object]
Iterate over all the entries in a nulls hash list of sockets specified by struct
hlist_nulls_head head.
Parameters
head -- struct hlist_nulls_head *
Returns
Iterator of struct sock * objects.
drgn.helpers.linux.net.skb_shinfo(skb: drgn.Object) -> drgn.Object
Get the shared info for a socket buffer.
Parameters
skb -- struct sk_buff *
Returns
struct skb_shared_info *
NUMA Node Masks
The drgn.helpers.linux.nodemask module provides helpers for working with NUMA node masks
from include/linux/nodemask.h.
drgn.helpers.linux.nodemask.for_each_node_mask(mask: drgn.Object) -> Iterator[int]
Iterate over all of the NUMA nodes in the given mask.
Parameters
mask -- nodemask_t
drgn.helpers.linux.nodemask.for_each_node_state(prog: drgn.Program, state:
drgn.IntegerLike) -> Iterator[int]
Iterate over all NUMA nodes in the given state.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• state -- enum node_states (e.g., N_NORMAL_MEMORY)
drgn.helpers.linux.nodemask.for_each_node(prog: drgn.Program) -> Iterator[int]
Iterate over all possible NUMA nodes.
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.nodemask.for_each_online_node(prog: drgn.Program) -> Iterator[int]
Iterate over all online NUMA nodes.
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.nodemask.node_state(node: drgn.IntegerLike, state: drgn.Object) -> bool
Return whether the given NUMA node has the given state.
Parameters
• node -- NUMA node number.
• state -- enum node_states (e.g., N_NORMAL_MEMORY)
Per-CPU
The drgn.helpers.linux.percpu module provides helpers for working with per-CPU allocations
from include/linux/percpu.h and per-CPU counters from include/linux/percpu_counter.h.
drgn.helpers.linux.percpu.per_cpu_ptr(ptr: drgn.Object, cpu: drgn.IntegerLike) ->
drgn.Object
Return the per-CPU pointer for a given CPU.
>>> prog["init_net"].loopback_dev.pcpu_refcnt
(int *)0x2c980
>>> per_cpu_ptr(prog["init_net"].loopback_dev.pcpu_refcnt, 7)
*(int *)0xffff925e3ddec980 = 4
Parameters
• ptr -- Per-CPU pointer, i.e., type __percpu *. For global variables, it's
usually easier to use per_cpu().
• cpu -- CPU number.
Returns
type * object.
drgn.helpers.linux.percpu.per_cpu(var: drgn.Object, cpu: drgn.IntegerLike) -> drgn.Object
Return the per-CPU variable for a given CPU.
>>> print(repr(prog["runqueues"]))
Object(prog, 'struct rq', address=0x278c0)
>>> per_cpu(prog["runqueues"], 6).curr.comm
(char [16])"python3"
Parameters
• var -- Per-CPU variable, i.e., type __percpu (not a pointer; use
per_cpu_ptr() for that).
• cpu -- CPU number.
Returns
type object.
drgn.helpers.linux.percpu.percpu_counter_sum(fbc: drgn.Object) -> int
Return the sum of a per-CPU counter.
Parameters
fbc -- struct percpu_counter *
Process IDS
The drgn.helpers.linux.pid module provides helpers for looking up process IDs and
processes.
drgn.helpers.linux.pid.pid_task(pid: drgn.Object, pid_type: drgn.IntegerLike) ->
drgn.Object
Return the struct task_struct * containing the given struct pid * of the given
type.
Parameters
• pid -- struct pid *
• pid_type -- enum pid_type
Returns
struct task_struct *
drgn.helpers.linux.pid.find_pid(ns: drgn.Object | drgn.Program, pid: drgn.IntegerLike) ->
drgn.Object
Return the struct pid * for the given PID number.
Parameters
ns -- struct pid_namespace *. Defaults to the initial PID namespace if given
a Program or omitted.
Returns
struct pid *
drgn.helpers.linux.pid.for_each_pid(ns: drgn.Object | drgn.Program) -> Iterator[‐
drgn.Object]
Iterate over all PIDs in a namespace.
Parameters
ns -- struct pid_namespace *. Defaults to the initial PID namespace if given
a Program or omitted.
Returns
Iterator of struct pid * objects.
drgn.helpers.linux.pid.find_task(ns: drgn.Object | drgn.Program, pid: drgn.IntegerLike) ->
drgn.Object
Return the task with the given PID.
Parameters
ns -- struct pid_namespace *. Defaults to the initial PID namespace if given
a Program or omitted.
Returns
struct task_struct *
drgn.helpers.linux.pid.for_each_task(ns: drgn.Object | drgn.Program) -> Iterator[‐
drgn.Object]
Iterate over all of the tasks visible in a namespace.
Parameters
ns -- struct pid_namespace *. Defaults to the initial PID namespace if given
a Program or omitted.
Returns
Iterator of struct task_struct * objects.
Priority-Sorted Lists
The drgn.helpers.linux.plist module provides helpers for working with
descending-priority-sorted doubly-linked lists (struct plist_head and struct plist_node)
from include/linux/plist.h.
drgn.helpers.linux.plist.plist_head_empty(head: drgn.Object) -> bool
Return whether a plist is empty.
Parameters
head -- struct plist_head *
drgn.helpers.linux.plist.plist_node_empty(node: drgn.Object) -> bool
Return whether a plist node is empty (i.e., not on a list).
Parameters
node -- struct plist_node *
drgn.helpers.linux.plist.plist_first_entry(head: drgn.Object, type: Union[str, drgn.Type],
member: str) -> drgn.Object
Return the first (highest priority) entry in a plist.
The list is assumed to be non-empty.
Parameters
• head -- struct plist_head *
• type -- Entry type.
• member -- Name of list node member in entry type.
Returns
type *
drgn.helpers.linux.plist.plist_last_entry(head: drgn.Object, type: Union[str, drgn.Type],
member: str) -> drgn.Object
Return the last (lowest priority) entry in a plist.
The list is assumed to be non-empty.
Parameters
• head -- struct plist_head *
• type -- Entry type.
• member -- Name of list node member in entry type.
Returns
type *
drgn.helpers.linux.plist.plist_for_each(head: drgn.Object) -> Iterator[drgn.Object]
Iterate over all of the nodes in a plist.
Parameters
head -- struct plist_head *
Returns
Iterator of struct plist_node * objects.
drgn.helpers.linux.plist.plist_for_each_entry(type: Union[str, drgn.Type], head:
drgn.Object, member: str) -> Iterator[drgn.Object]
Iterate over all of the entries in a plist.
Parameters
• type -- Entry type.
• head -- struct plist_head *
• member -- Name of plist node member in entry type.
Returns
Iterator of type * objects.
Log Buffer
The drgn.helpers.linux.printk module provides helpers for reading the Linux kernel log
buffer.
class drgn.helpers.linux.printk.PrintkRecord
Bases: NamedTuple
Kernel log record.
text: bytes
Message text.
facility: int
syslog(3) facility.
level: int
Log level.
seq: int
Sequence number.
timestamp: int
Timestamp in nanoseconds.
caller_tid: Optional[int]
Thread ID of thread that logged this record, if available.
This is available if the message was logged from task context and if the
kernel saves the printk() caller ID.
As of Linux 5.10, the kernel always saves the caller ID. From Linux 5.1
through 5.9, it is saved only if the kernel was compiled with
CONFIG_PRINTK_CALLER. Before that, it is never saved.
caller_cpu: Optional[int]
Processor ID of CPU that logged this record, if available.
This is available only if the message was logged when not in task context
(e.g., in an interrupt handler) and if the kernel saves the printk() caller
ID.
See caller_tid for when the kernel saves the caller ID.
continuation: bool
Whether this record is a continuation of a previous record.
context: Dict[bytes, bytes]
Additional metadata for the message.
See the /dev/kmsg documentation for an explanation of the keys and values.
drgn.helpers.linux.printk.get_printk_records(prog: drgn.Program) -> List[PrintkRecord]
Get a list of records in the kernel log buffer.
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.printk.get_dmesg(prog: drgn.Program) -> bytes
Get the contents of the kernel log buffer formatted like dmesg(1).
If you just want to print the log buffer, use print_dmesg().
The format of each line is:
[ timestamp] message
If you need to format the log buffer differently, use get_printk_records() and
format it yourself.
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.printk.print_dmesg(prog: drgn.Program, *, file:
Optional[SupportsWrite[str]] = None) -> None
Print the contents of the kernel log buffer.
>>> print_dmesg()
[ 0.000000] Linux version 6.8.0-vmtest28.1default (drgn@drgn) (x86_64-linux-gcc (GCC) 12.2.0, GNU ld (GNU Binutils) 2.39) #1 SMP PREEMPT_DYNAMIC Mon Mar 11 06:38:45 UTC 2024
[ 0.000000] Command line: rootfstype=9p rootflags=trans=virtio,cache=loose,msize=1048576 ro console=ttyS0,115200 panic=-1 crashkernel=256M init=/tmp/drgn-vmtest-rudzppeo/init
[ 0.000000] BIOS-provided physical RAM map:
...
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• file -- File to print to. Defaults to sys.stdout.
Radix Trees
The drgn.helpers.linux.radixtree module provides helpers for working with radix trees from
include/linux/radix-tree.h.
SEE ALSO:
XArrays, which were introduced in Linux 4.20 as a replacement for radix trees.
drgn.helpers.linux.radixtree.radix_tree_lookup(root: drgn.Object, index: drgn.IntegerLike)
-> drgn.Object
Look up the entry at a given index in a radix tree.
Parameters
• root -- struct radix_tree_root *
• index -- Entry index.
Returns
void * found entry, or NULL if not found.
drgn.helpers.linux.radixtree.radix_tree_for_each(root: drgn.Object) -> Iterator[Tuple[int,
drgn.Object]]
Iterate over all of the entries in a radix tree.
Parameters
root -- struct radix_tree_root *
Returns
Iterator of (index, void *) tuples.
Red-Black Trees
The drgn.helpers.linux.rbtree module provides helpers for working with red-black trees
from include/linux/rbtree.h.
drgn.helpers.linux.rbtree.RB_EMPTY_ROOT(root: drgn.Object) -> bool
Return whether a red-black tree is empty.
Parameters
node -- struct rb_root *
drgn.helpers.linux.rbtree.RB_EMPTY_NODE(node: drgn.Object) -> bool
Return whether a red-black tree node is empty, i.e., not inserted in a tree.
Parameters
node -- struct rb_node *
drgn.helpers.linux.rbtree.rb_parent(node: drgn.Object) -> drgn.Object
Return the parent node of a red-black tree node.
Parameters
node -- struct rb_node *
Returns
struct rb_node *
drgn.helpers.linux.rbtree.rb_first(root: drgn.Object) -> drgn.Object
Return the first node (in sort order) in a red-black tree, or NULL if the tree is
empty.
Parameters
root -- struct rb_root *
Returns
struct rb_node *
drgn.helpers.linux.rbtree.rb_last(root: drgn.Object) -> drgn.Object
Return the last node (in sort order) in a red-black tree, or NULL if the tree is
empty.
Parameters
root -- struct rb_root *
Returns
struct rb_node *
drgn.helpers.linux.rbtree.rb_next(node: drgn.Object) -> drgn.Object
Return the next node (in sort order) after a red-black node, or NULL if the node is
the last node in the tree or is empty.
Parameters
node -- struct rb_node *
Returns
struct rb_node *
drgn.helpers.linux.rbtree.rb_prev(node: drgn.Object) -> drgn.Object
Return the previous node (in sort order) before a red-black node, or NULL if the
node is the first node in the tree or is empty.
Parameters
node -- struct rb_node *
Returns
struct rb_node *
drgn.helpers.linux.rbtree.rbtree_inorder_for_each(root: drgn.Object) -> Iterator[‐
drgn.Object]
Iterate over all of the nodes in a red-black tree, in sort order.
Parameters
root -- struct rb_root *
Returns
Iterator of struct rb_node * objects.
drgn.helpers.linux.rbtree.rbtree_inorder_for_each_entry(type: Union[str, drgn.Type], root:
drgn.Object, member: str) -> Iterator[drgn.Object]
Iterate over all of the entries in a red-black tree in sorted order.
Parameters
• type -- Entry type.
• root -- struct rb_root *
• member -- Name of struct rb_node member in entry type.
Returns
Iterator of type * objects.
drgn.helpers.linux.rbtree.rb_find(type: Union[str, drgn.Type], root: drgn.Object, member:
str, key: KeyType, cmp: Callable[[KeyType, drgn.Object], int]) -> drgn.Object
Find an entry in a red-black tree given a key and a comparator function.
Note that this function does not have an analogue in the Linux kernel source code,
as tree searches are all open-coded.
Parameters
• type -- Entry type.
• root -- struct rb_root *
• member -- Name of struct rb_node member in entry type.
• key -- Key to find.
• cmp -- Callback taking key and entry that returns < 0 if the key is less
than the entry, > 0 if the key is greater than the entry, and 0 if the key
matches the entry.
Returns
type * found entry, or NULL if not found.
drgn.helpers.linux.rbtree.validate_rbtree(type: Union[str, drgn.Type], root: drgn.Object,
member: str, cmp: Callable[[drgn.Object, drgn.Object], int], allow_equal: bool) -> None
Validate a red-black tree.
This checks that:
1. The tree is a valid binary search tree ordered according to cmp.
2. If allow_equal is False, there are no nodes that compare equal according to cmp.
3. The rb_parent pointers are consistent.
4. The red-black tree requirements are satisfied: the root node is black, no red
node has a red child, and every path from any node to any of its descendant leaf
nodes goes through the same number of black nodes.
Parameters
• type -- Entry type.
• root -- struct rb_root *
• member -- Name of struct rb_node member in entry type.
• cmp -- Callback taking two type * entry objects that returns < 0 if the
first entry is less than the second entry, > 0 if the first entry is
greater than the second entry, and 0 if they are equal.
• allow_equal -- Whether the tree may contain entries that compare equal to
each other.
Raises ValidationError -- if the tree is invalid
drgn.helpers.linux.rbtree.validate_rbtree_inorder_for_each_entry(type: Union[str,
drgn.Type], root: drgn.Object, member: str, cmp: Callable[[drgn.Object, drgn.Object],
int], allow_equal: bool) -> Iterator[drgn.Object]
Like rbtree_inorder_for_each_entry(), but validates the red-black tree like
validate_rbtree() while iterating.
Parameters
• type -- Entry type.
• root -- struct rb_root *
• member -- Name of struct rb_node member in entry type.
• cmp -- Callback taking two type * entry objects that returns < 0 if the
first entry is less than the second entry, > 0 if the first entry is
greater than the second entry, and 0 if they are equal.
• allow_equal -- Whether the tree may contain entries that compare equal to
each other.
Raises ValidationError -- if the tree is invalid
CPU Scheduler
The drgn.helpers.linux.sched module provides helpers for working with the Linux CPU
scheduler.
drgn.helpers.linux.sched.task_cpu(task: drgn.Object) -> int
Return the CPU number that the given task last ran on.
Parameters
task -- struct task_struct *
drgn.helpers.linux.sched.task_thread_info(task: drgn.Object) -> drgn.Object
Return the thread information structure for a task.
Parameters
task -- struct task_struct *
Returns
struct thread_info *
drgn.helpers.linux.sched.cpu_curr(prog: drgn.Program, cpu: drgn.IntegerLike) ->
drgn.Object
Return the task running on the given CPU.
>>> cpu_curr(7).comm
(char [16])"python3"
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• cpu -- CPU number.
Returns
struct task_struct *
drgn.helpers.linux.sched.idle_task(prog: drgn.Program, cpu: drgn.IntegerLike) ->
drgn.Object
Return the idle thread (PID 0, a.k.a swapper) for the given CPU.
>>> idle_task(1).comm
(char [16])"swapper/1"
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• cpu -- CPU number.
Returns
struct task_struct *
drgn.helpers.linux.sched.task_state_to_char(task: drgn.Object) -> str
Get the state of the task as a character (e.g., 'R' for running). See ps(1) for a
description of the process state codes.
Parameters
task -- struct task_struct *
drgn.helpers.linux.sched.loadavg(prog: drgn.Program) -> Tuple[float, float, float]
Return system load averaged over 1, 5 and 15 minutes as tuple of three float
values.
>>> loadavg()
(2.34, 0.442, 1.33)
Parameters
prog -- Program, which may be omitted to use the default program argument.
Slab Allocator
The drgn.helpers.linux.slab module provides helpers for working with the Linux slab
allocator.
WARNING:
Beware of slab merging when using these helpers. See slab_cache_is_merged().
drgn.helpers.linux.slab.slab_cache_is_merged(slab_cache: drgn.Object) -> bool
Return whether a slab cache has been merged with any other slab caches.
Unless configured otherwise, the kernel may merge slab caches of similar sizes
together. See the SLUB users guide and slab_merge/slab_nomerge in the kernel
parameters documentation.
This can cause confusion, as only the name of the first cache will be found, and
objects of different types will be mixed in the same slab cache.
For example, suppose that we have two types, struct foo and struct bar, which have
the same size but are otherwise unrelated. If the kernel creates a slab cache named
foo for struct foo, then another slab cache named bar for struct bar, then slab
cache foo will be reused instead of creating another cache for bar. So the
following will fail:
find_slab_cache("bar")
And the following will also return struct bar * objects errantly casted to struct
foo *:
slab_cache_for_each_allocated_object(find_slab_cache("foo"), "struct foo")
Unfortunately, these issues are difficult to work around generally, so one must be
prepared to handle them on a case-by-case basis (e.g., by looking up the slab cache
by its variable name and by checking that members of the structure make sense for
the expected type).
Parameters
slab_cache -- struct kmem_cache *
drgn.helpers.linux.slab.get_slab_cache_aliases(prog: drgn.Program) -> Dict[str, str]
Return a dict mapping slab cache name to the cache it was merged with.
The SLAB and SLUB subsystems can merge caches with similar settings and object
sizes, as described in the documentation of slab_cache_is_merged(). In some cases,
the information about which caches were merged is lost, but in other cases, we can
reconstruct the info. This function reconstructs the mapping, but requires that
the kernel is configured with CONFIG_SLUB and CONFIG_SYSFS.
The returned dict maps from original cache name, to merged cache name. You can use
this mapping to discover the correct cache to lookup via find_slab_cache(). The
dict contains an entry only for caches which were merged into a cache of a
different name.
>>> cache_to_merged = get_slab_cache_aliases()
>>> cache_to_merged["dnotify_struct"]
'avc_xperms_data'
>>> "avc_xperms_data" in cache_to_merged
False
>>> find_slab_cache("dnotify_struct") is None
True
>>> find_slab_cache("avc_xperms_data") is None
False
Warning
This function will only work on kernels which are built with CONFIG_SLUB and
CONFIG_SYSFS enabled.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Mapping of slab cache name to final merged name
Raises LookupError -- If the helper fails because the debugged kernel doesn't have
the required configuration
drgn.helpers.linux.slab.for_each_slab_cache(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over all slab caches.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct kmem_cache * objects.
drgn.helpers.linux.slab.find_slab_cache(prog: drgn.Program, name: Union[str, bytes]) ->
Optional[drgn.Object]
Return the slab cache with the given name.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• name -- Slab cache name.
Returns
struct kmem_cache *
drgn.helpers.linux.slab.print_slab_caches(prog: drgn.Program) -> None
Print the name and struct kmem_cache * value of all slab caches.
Parameters
prog -- Program, which may be omitted to use the default program argument.
drgn.helpers.linux.slab.slab_cache_for_each_allocated_object(slab_cache: drgn.Object,
type: Union[str, drgn.Type]) -> Iterator[drgn.Object]
Iterate over all allocated objects in a given slab cache.
Only the SLUB and SLAB allocators are supported; SLOB does not store enough
information to identify objects in a slab cache.
>>> dentry_cache = find_slab_cache("dentry")
>>> next(slab_cache_for_each_allocated_object(dentry_cache, "struct dentry"))
*(struct dentry *)0xffff905e41404000 = {
...
}
Parameters
• slab_cache -- struct kmem_cache *
• type -- Type of object in the slab cache.
Returns
Iterator of type * objects.
drgn.helpers.linux.slab.slab_object_info(prog: drgn.Program, addr: drgn.IntegerLike) ->
Optional[SlabObjectInfo]
Get information about an address if it is in a slab object.
>>> ptr = find_task(1).comm.address_of_()
>>> info = slab_object_info(ptr)
>>> info
SlabObjectInfo(slab_cache=Object(prog, 'struct kmem_cache *', address=0xffffdb93c0045e18), slab=Object(prog, 'struct slab *', value=0xffffdb93c0045e00), address=0xffffa2bf81178000, allocated=True)
Note that SlabObjectInfo.address is the start address of the object, which may be
less than addr if addr points to a member inside of the object:
>>> ptr.value_() - info.address
1496
>>> offsetof(prog.type("struct task_struct"), "comm")
1496
Note that SLOB does not store enough information to identify slab objects, so if
the kernel is configured to use SLOB, this will always return None.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- void *
Returns
SlabObjectInfo if addr is in a slab object, or None if not.
class drgn.helpers.linux.slab.SlabObjectInfo
Information about an object in the slab allocator.
slab_cache: drgn.Object
struct kmem_cache * that the slab object is from.
slab: drgn.Object
Slab containing the slab object.
Since Linux v5.17, this is a struct slab *. Before that, it is a struct page
*.
address: int
Address of the slab object.
allocated: bool
True if the object is allocated, False if it is free.
drgn.helpers.linux.slab.find_containing_slab_cache(prog: drgn.Program, addr:
drgn.IntegerLike) -> drgn.Object
Get the slab cache that an address was allocated from, if any.
Note that SLOB does not store enough information to identify objects in a slab
cache, so if the kernel is configured to use SLOB, this will always return NULL.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• addr -- void *
Returns
struct kmem_cache * containing addr, or NULL if addr is not from a slab
cache.
Stack Depot
The drgn.helpers.linux.stackdepot module provides helpers for working with the stack trace
storage from include/linux/stackdepot.h used by KASAN and other kernel debugging tools.
drgn.helpers.linux.stackdepot.stack_depot_fetch(handle: drgn.Object) -> Optional[‐
drgn.StackTrace]
Returns a stack trace for the given stack handle.
Parameters
handle -- depot_stack_handle_t
Returns
The stack trace, or None if not available.
Traffic Control (TC)
The drgn.helpers.linux.tc module provides helpers for working with the Linux kernel
Traffic Control (TC) subsystem.
drgn.helpers.linux.tc.qdisc_lookup(dev: drgn.Object, major: drgn.IntegerLike) ->
drgn.Object
Get a Qdisc from a device and a major handle number. It is worth noting that
conventionally handles are hexadecimal, e.g. 10: in a tc command means major handle
0x10.
Parameters
• dev -- struct net_device *
• major -- Qdisc major handle number.
Returns
struct Qdisc * (NULL if not found)
TCP
The drgn.helpers.linux.tcp module provides helpers for working with the TCP protocol in
the Linux kernel.
drgn.helpers.linux.tcp.sk_tcpstate(sk: drgn.Object) -> drgn.Object
Return the TCP protocol state of a socket.
Parameters
sk -- struct sock *
Returns
TCP state enum value.
Users
The drgn.helpers.linux.user module provides helpers for working with users in the Linux
kernel.
drgn.helpers.linux.user.find_user(prog: drgn.Program, uid: Union[drgn.Object,
drgn.IntegerLike]) -> drgn.Object
Return the user structure with the given UID.
Parameters
• prog -- Program, which may be omitted to use the default program argument.
• uid -- kuid_t object or integer.
Returns
struct user_struct * (NULL if not found)
drgn.helpers.linux.user.for_each_user(prog: drgn.Program) -> Iterator[drgn.Object]
Iterate over all users in the system.
Parameters
prog -- Program, which may be omitted to use the default program argument.
Returns
Iterator of struct user_struct * objects.
Wait Queues
The drgn.helpers.linux.wait module provides helpers for working with wait queues
(wait_queue_head_t and wait_queue_entry_t) from include/linux/wait.h.
NOTE:
Since Linux 4.13, entries in a wait queue have type wait_queue_entry_t. Before that,
the type was named wait_queue_t.
drgn.helpers.linux.wait.waitqueue_active(wq: drgn.Object) -> bool
Return whether a wait queue has any waiters.
Parameters
wq -- wait_queue_head_t *
drgn.helpers.linux.wait.waitqueue_for_each_entry(wq: drgn.Object) -> Iterator[drgn.Object]
Iterate over all entries in a wait queue.
Parameters
wq -- wait_queue_head_t *
Returns
Iterator of wait_queue_entry_t * or wait_queue_t * objects depending on the
kernel version.
drgn.helpers.linux.wait.waitqueue_for_each_task(wq: drgn.Object) -> Iterator[drgn.Object]
Iterate over all tasks waiting on a wait queue.
WARNING:
This comes from wait_queue_entry_t::private, which usually stores a task.
However, some wait queue entries store a different pointer type, in which case
this will return garbage.
Parameters
wq -- wait_queue_head_t *
Returns
Iterator of struct task_struct * objects.
XArrays
The drgn.helpers.linux.xarray module provides helpers for working with the XArray data
structure from include/linux/xarray.h.
NOTE:
XArrays were introduced in Linux 4.20 as a replacement for radix trees. To make it
easier to work with data structures that were changed from a radix tree to an XArray
(like struct address_space::i_pages), drgn treats XArrays and radix trees
interchangeably in some cases.
Specifically, xa_load() is equivalent to radix_tree_lookup(), and xa_for_each() is
equivalent to radix_tree_for_each(), except that the radix tree helpers assume
advanced=False. (Therefore, xa_load() and xa_for_each() also accept a struct
radix_tree_root *, and radix_tree_lookup() and radix_tree_for_each() also accept a
struct xarray *.)
drgn.helpers.linux.xarray.xa_load(xa: drgn.Object, index: drgn.IntegerLike, *, advanced:
bool = False) -> drgn.Object
Look up the entry at a given index in an XArray.
>>> entry = xa_load(inode.i_mapping.i_pages.address_of_(), 2)
>>> cast("struct page *", entry)
*(struct page *)0xffffed6980306f40 = {
...
}
Parameters
• xa -- struct xarray *
• index -- Entry index.
• advanced -- Whether to return nodes only visible to the XArray advanced
API. If False, zero entries (see xa_is_zero()) will be returned as NULL.
Returns
void * found entry, or NULL if not found.
drgn.helpers.linux.xarray.xa_for_each(xa: drgn.Object, *, advanced: bool = False) ->
Iterator[Tuple[int, drgn.Object]]
Iterate over all of the entries in an XArray.
>>> for index, entry in xa_for_each(inode.i_mapping.i_pages.address_of_()):
... print(index, entry)
...
0 (void *)0xffffed6980356140
1 (void *)0xffffed6980306f80
2 (void *)0xffffed6980306f40
3 (void *)0xffffed6980355b40
Parameters
• xa -- struct xarray *
• advanced -- Whether to return nodes only visible to the XArray advanced
API. If False, zero entries (see xa_is_zero()) will be skipped.
Returns
Iterator of (index, void *) tuples.
drgn.helpers.linux.xarray.xa_is_value(entry: drgn.Object) -> bool
Return whether an XArray entry is a value.
See xa_to_value().
Parameters
entry -- void *
drgn.helpers.linux.xarray.xa_to_value(entry: drgn.Object) -> drgn.Object
Return the value in an XArray entry.
In addition to pointers, XArrays can store integers between 0 and LONG_MAX. If
xa_is_value() returns True, use this to get the stored integer.
>>> entry = xa_load(xa, 9)
>>> entry
(void *)0xc9
>>> xa_is_value(entry)
True
>>> xa_to_value(entry)
(unsigned long)100
Parameters
entry -- void *
Returns
unsigned long
drgn.helpers.linux.xarray.xa_is_zero(entry: drgn.Object) -> bool
Return whether an XArray entry is a "zero" entry.
A zero entry is an entry that was reserved but is not present. These are only
visible to the XArray advanced API, so they are only returned by xa_load() and
xa_for_each() when advanced = True.
>>> entry = xa_load(xa, 10, advanced=True)
>>> entry
(void *)0x406
>>> xa_is_zero(entry)
True
>>> xa_load(xa, 10)
(void *)0
Parameters
entry -- void *
Support Matrix
Architectures
Some features in drgn require architecture-specific support. The current status of this
support is:
┌─────────────┬─────────────────────┬──────────────────┬─────────────────────┐
│Architecture │ Linux Kernel │ Stack Traces [2] │ Virtual Address │
│ │ Modules [1] │ │ Translation [3] │
├─────────────┼─────────────────────┼──────────────────┼─────────────────────┤
│x86-64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────────┼─────────────────────┤
│AArch64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────────┼─────────────────────┤
│s390x │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────────┼─────────────────────┤
│ppc64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────────┼─────────────────────┤
│i386 │ ✓ │ │ │
├─────────────┼─────────────────────┼──────────────────┼─────────────────────┤
│Arm │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────────┼─────────────────────┤
│RISC-V │ ✓ │ │ │
└─────────────┴─────────────────────┴──────────────────┴─────────────────────┘
Key
[1] Support for loading debugging symbols for Linux kernel modules.
[2] Support for capturing stack traces (drgn.Program.stack_trace(),
drgn.Thread.stack_trace()).
[3] Support for translating virtual addresses, which is required for reading from
vmalloc/vmap and module memory in Linux kernel vmcores and for various helpers in
drgn.helpers.linux.mm.
The listed architectures are recognized in drgn.Architecture. Other architectures are
represented by drgn.Architecture.UNKNOWN. Features not mentioned above should work on
any architecture, listed or not.
Cross-Debugging
drgn can debug architectures different from the host. For example, you can debug an
AArch64 (kernel or userspace) core dump from an x86-64 machine.
Linux Kernel Versions
drgn officially supports the current mainline, stable, and longterm kernel releases from ‐
kernel.org. (There may be some delay before a new mainline version is fully supported.)
End-of-life versions are supported until it becomes too difficult to do so. The kernel
versions currently fully supported are:
• 6.0-6.12
• 5.10-5.19
• 5.4
• 4.19
• 4.14
• 4.9
Other versions are not tested. They'll probably mostly work, but support is best-effort.
Kernel Configuration
drgn supports debugging kernels with various configurations:
• SMP and !SMP.
• Preemptible and non-preemptible.
• SLUB, SLAB, and SLOB allocators.
drgn requires a kernel configured with CONFIG_PROC_KCORE=y for live kernel debugging.
Case Studies
These are writeups of real-world problems solved with drgn.
Recovering a dm-crypt Encryption Key
Author: Omar Sandoval
Date: January 11th, 2024
dm-crypt is the Linux kernel's transparent disk encryption subsystem. I recently had to
recover the master key for an encrypted disk where the passphrase was no longer known, but
the dm-crypt device was still open. Normally, the key is stored in kernel space and cannot
be accessed by user space. However, with drgn, we can traverse kernel data structures to
recover the key. This is a great example of how to jump between kernel code and drgn to
navigate a subsystem.
WARNING:
The dm-crypt master key is obviously very sensitive information that shouldn't be
exposed carelessly.
As a disclaimer for anyone concerned about the security implications: everything is
working as intended here. Debugging the live kernel with drgn requires root, and root
has many other ways to access sensitive information (loading kernel modules, triggering
a kernel core dump, etc.). Solutions like inline encryption and kernel_lockdown(7) can
be used for defense in depth if necessary.
Setup
For this writeup, I'm going to set up dm-crypt in a virtual machine running Linux 6.7.
# uname -r
6.7.0
# cryptsetup luksFormat /dev/vdb
WARNING!
========
This will overwrite data on /dev/vdb irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/vdb: hello
Verify passphrase: hello
# cryptsetup open /dev/vdb mycrypt
Enter passphrase for /dev/vdb: hello
The default configuration is AES in XTS mode with a 512-bit key:
# cryptsetup status mycrypt
/dev/mapper/mycrypt is active.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: keyring
device: /dev/vdb
sector size: 512
offset: 32768 sectors
size: 33521664 sectors
mode: read/write
The new device is dm-0:
# realpath /dev/mapper/mycrypt
/dev/dm-0
Getting from Device Mapper to the Crypto API
The dm-crypt documentation tells us that "Device-mapper is infrastructure in the Linux
kernel that provides a generic way to create virtual layers of block devices.
Device-mapper crypt target provides transparent encryption of block devices using the
kernel crypto API."
Our first goal is therefore to get to whatever context is used by the crypto API, which
likely includes the encryption key. To do that, we're going to have to navigate through
the device mapper code.
To start, let's find the virtual disk for our dm-crypt target in drgn using the
for_each_disk() and disk_name() helpers:
>>> for disk in for_each_disk():
... if disk_name(disk) == b"dm-0":
... print(disk)
... break
...
*(struct gendisk *)0xffffa3b9421b2c00 = {
...
}
struct gendisk has a function table, fops, with callbacks to the disk driver.
Specifically, the submit_bio callback intercepts disk reads and writes:
>>> disk.fops.submit_bio
(void (*)(struct bio *))dm_submit_bio+0x0 = 0xffffffffc05761e0
Let's take a look at dm_submit_bio():
static void dm_submit_bio(struct bio *bio)
{
struct mapped_device *md = bio->bi_bdev->bd_disk->private_data;
int srcu_idx;
struct dm_table *map;
map = dm_get_live_table(md, &srcu_idx);
...
dm_split_and_process_bio(md, map, bio);
...
}
So the disk's private data is a struct mapped_device. Let's get it in drgn:
>>> md = cast("struct mapped_device *", disk.private_data)
dm_get_live_table() gets the device mapper table:
struct dm_table *dm_get_live_table(struct mapped_device *md,
int *srcu_idx) __acquires(md->io_barrier)
{
*srcu_idx = srcu_read_lock(&md->io_barrier);
return srcu_dereference(md->map, &md->io_barrier);
}
SRCU is a synchronization mechanism which we can blithely ignore:
>>> map = cast("struct dm_table *", md.map)
dm_submit_bio() then calls dm_split_and_process_bio(), which calls ‐
__split_and_process_bio():
static blk_status_t __split_and_process_bio(struct clone_info *ci)
{
struct bio *clone;
struct dm_target *ti;
unsigned int len;
ti = dm_table_find_target(ci->map, ci->sector);
...
__map_bio(clone);
}
dm_table_find_target() finds the appropriate device mapper target in a table:
struct dm_target *dm_table_find_target(struct dm_table *t, sector_t sector)
{
...
return &t->targets[(KEYS_PER_NODE * n) + k];
}
Our simple case only has one target:
>>> map.num_targets
(unsigned int)1
>>> ti = map.targets
__split_and_process_bio() then calls __map_bio():
static void __map_bio(struct bio *clone)
{
struct dm_target_io *tio = clone_to_tio(clone);
struct dm_target *ti = tio->ti;
struct dm_io *io = tio->io;
struct mapped_device *md = io->md;
int r;
...
if (likely(ti->type->map == linear_map))
r = linear_map(ti, clone);
else if (ti->type->map == stripe_map)
r = stripe_map(ti, clone);
else
r = ti->type->map(ti, clone);
...
}
So we need to look at another callback:
>>> ti.type.map
(dm_map_fn)crypt_map+0x0 = 0xffffffffc08a03f0
crypt_map() is part of dm-crypt, so we've finally made it out of generic device mapper:
static int crypt_map(struct dm_target *ti, struct bio *bio)
{
struct dm_crypt_io *io;
struct crypt_config *cc = ti->private;
...
And we have the dm-crypt configuration:
>>> cc = cast("struct crypt_config *", ti.private)
Dumping it out reveals some crypto API context!
>>> cc
*(struct crypt_config *)0xffffa3b9421b2400 = {
...
.cipher_tfm = (union <anonymous>){
.tfms = (struct crypto_skcipher **)0xffffa3b9438667c0,
...
},
.tfms_count = (unsigned int)1,
...
}
>>> tfm = cc.cipher_tfm.tfms[0]
Descending Down the Crypto API
The Linux kernel crypto API is very generic and is implemented with a lot of runtime
polymorphism. Our next goal is to traverse through the crypto API data structures to find
the key.
The crypto API refers to cryptographic ciphers as "transformations". Transformations can
be combined and nested in various ways. The tfm variable we found is a "transformation
object", which is an instance of a transformation:
>>> tfm
*(struct crypto_skcipher *)0xffffa3b948218c00 = {
.reqsize = (unsigned int)160,
.base = (struct crypto_tfm){
.refcnt = (refcount_t){
.refs = (atomic_t){
.counter = (int)1,
},
},
.crt_flags = (u32)0,
.node = (int)-1,
.exit = (void (*)(struct crypto_tfm *))crypto_skcipher_exit_tfm+0x0 = 0xffffffffb77d2600,
.__crt_alg = (struct crypto_alg *)0xffffa3b943dab448,
.__crt_ctx = (void *[]){},
},
}
>>> tfm.base.__crt_alg
*(struct crypto_alg *)0xffffa3b943dab448 = {
...
.cra_name = (char [128])"xts(aes)",
...
}
This is an skcipher, or a symmetric key cipher. It is using the xts(aes) algorithm as
expected. __crt_ctx is an opaque context, which is promising if we can figure out how to
interpret it. The exit callback looks like a cleanup function. That seems like a good way
for us to figure out how __crt_ctx is used. Here are crypto_skcipher_exit_tfm() and the ‐
crypto_skcipher_alg() and crypto_skcipher_tfm() getters it uses:
static void crypto_skcipher_exit_tfm(struct crypto_tfm *tfm)
{
struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm);
struct skcipher_alg *alg = crypto_skcipher_alg(skcipher);
alg->exit(skcipher);
}
static inline struct skcipher_alg *crypto_skcipher_alg(
struct crypto_skcipher *tfm)
{
return container_of(crypto_skcipher_tfm(tfm)->__crt_alg,
struct skcipher_alg, base);
}
static inline struct crypto_tfm *crypto_skcipher_tfm(
struct crypto_skcipher *tfm)
{
return &tfm->base;
}
We can emulate the getters in drgn to find the underlying implementation:
>>> def crypto_skcipher_alg(tfm):
... return container_of(tfm.base.__crt_alg, "struct skcipher_alg", "base")
...
>>> crypto_skcipher_alg(tfm).exit
(void (*)(struct crypto_skcipher *))simd_skcipher_exit+0x0 = 0xffffffffc058b1f0
My machine supports the AES-NI x86 extension. The kernel cannot use SIMD instructions like
AES-NI in some contexts, so it has an extra layer of indirection to go through an
asynchronous daemon when necessary. This involves a couple of wrapper transformation
objects. simd_skcipher_exit() shows us how to unwrap the first one:
static void simd_skcipher_exit(struct crypto_skcipher *tfm)
{
struct simd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
cryptd_free_skcipher(ctx->cryptd_tfm);
}
We just need one more getter in drgn, crypto_skcipher_ctx():
>>> def crypto_skcipher_ctx(tfm):
... return cast("void *", tfm.base.__crt_ctx)
...
>>> simd_ctx = cast("struct simd_skcipher_ctx *", crypto_skcipher_ctx(tfm))
>>> cryptd_tfm = simd_ctx.cryptd_tfm
>>> cryptd_tfm
*(struct cryptd_skcipher *)0xffffa3b94b5e4cc0 = {
.base = (struct crypto_skcipher){
.reqsize = (unsigned int)80,
.base = (struct crypto_tfm){
.refcnt = (refcount_t){
.refs = (atomic_t){
.counter = (int)1,
},
},
.crt_flags = (u32)0,
.node = (int)-1,
.exit = (void (*)(struct crypto_tfm *))crypto_skcipher_exit_tfm+0x0 = 0xffffffffb77d2600,
.__crt_alg = (struct crypto_alg *)0xffffa3b9421b2848,
.__crt_ctx = (void *[]){},
},
},
}
We saw crypto_skcipher_exit_tfm() earlier, so we know where to look next:
>>> crypto_skcipher_alg(cryptd_tfm.base).exit
(void (*)(struct crypto_skcipher *))cryptd_skcipher_exit_tfm+0x0 = 0xffffffffc04d6210
cryptd_skcipher_exit_tfm() shows us how to unwrap this transformation object:
static void cryptd_skcipher_exit_tfm(struct crypto_skcipher *tfm)
{
struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
crypto_free_skcipher(ctx->child);
}
Now we can get the actual cipher transformation object:
>>> cryptd_ctx = cast("struct cryptd_skcipher_ctx *", crypto_skcipher_ctx(cryptd_tfm.base))
>>> child_tfm = cryptd_ctx.child
>>> child_tfm
*(struct crypto_skcipher *)0xffffa3b945dc4000 = {
.reqsize = (unsigned int)0,
.base = (struct crypto_tfm){
.refcnt = (refcount_t){
.refs = (atomic_t){
.counter = (int)1,
},
},
.crt_flags = (u32)0,
.node = (int)-1,
.exit = (void (*)(struct crypto_tfm *))0x0,
.__crt_alg = (struct crypto_alg *)0xffffffffc05e7d80,
.__crt_ctx = (void *[]){},
},
}
This one doesn't have an exit callback, so let's look at the algorithm:
>>> crypto_skcipher_alg(child_tfm)
*(struct skcipher_alg *)0xffffffffc05e7d40 = {
.setkey = (int (*)(struct crypto_skcipher *, const u8 *, unsigned int))xts_aesni_setkey+0x0 = 0xffffffffc059efb0,
...
}
xts_aesni_setkey() is very enlightening:
static int xts_aesni_setkey(struct crypto_skcipher *tfm, const u8 *key,
unsigned int keylen)
{
struct aesni_xts_ctx *ctx = aes_xts_ctx(tfm);
int err;
err = xts_verify_key(tfm, key, keylen);
if (err)
return err;
keylen /= 2;
/* first half of xts-key is for crypt */
err = aes_set_key_common(&ctx->crypt_ctx, key, keylen);
if (err)
return err;
/* second half of xts-key is for tweak */
return aes_set_key_common(&ctx->tweak_ctx, key + keylen, keylen);
}
XTS splits the provided key into two keys: one for data and one for a "tweak". They are
stored in ctx->crypt_ctx and ctx->tweak_ctx, respectively.
To reach ctx, we need one more getter, aes_xts_ctx():
static inline struct aesni_xts_ctx *aes_xts_ctx(struct crypto_skcipher *tfm)
{
return aes_align_addr(crypto_skcipher_ctx(tfm));
}
Which uses aes_align_addr():
#define AESNI_ALIGN 16
static inline void *aes_align_addr(void *addr)
{
if (crypto_tfm_ctx_alignment() >= AESNI_ALIGN)
return addr;
return PTR_ALIGN(addr, AESNI_ALIGN);
}
Implementing that in drgn gets us the key material!
>>> def aes_xts_ctx(tfm):
... AESNI_ALIGN = 16
... mask = AESNI_ALIGN - 1
... ctx = cast("unsigned long", crypto_skcipher_ctx(tfm))
... return cast("struct aesni_xts_ctx *", (ctx + mask) & ~mask)
...
>>> xts_ctx = aes_xts_ctx(cryptd_ctx.child)
>>> xts_ctx
*(struct aesni_xts_ctx *)0xffffa3b945dc4030 = {
.tweak_ctx = (struct crypto_aes_ctx){
.key_enc = (u32 [60]){
4053857025, 2535432618, 3497512106, 429624542,
190965574, 620881567, 2728140233, 1574816406,
1642869364, 4143158238, 646209396, 1059050410,
2124513770, 1537238901, 4181490364, 2766254122,
2225457809, 1918261583, 1423050299, 1808651665,
18645611, 1522328862, 2743115682, 123809672, 1080042880,
842431695, 1726249716, 220835685, 3602512678,
2349145656, 797278618, 686075410, 2304003180,
3143774371, 3716565591, 3501188402, 2797609477,
717569085, 88128935, 765727669, 1552680193, 3891148194,
979927029, 3938949831, 554080963, 197371646, 243473241,
589760748, 2460666129, 1967455411, 1328317254,
2783648129, 669994703, 741140529, 581956456, 25754500,
3453357406, 3096637933, 4156453547, 1381329706,
},
.key_dec = (u32 [60]){
3453357406, 3096637933, 4156453547, 1381329706,
1691590497, 1611861415, 2033812690, 3535200077,
1503779265, 1400120959, 2713205381, 402136101,
2278736107, 79729350, 422218101, 2878299039, 3072023845,
181796798, 4073463034, 3057657504, 2722800653,
2199015981, 501881779, 2997211882, 893456792,
3184435867, 4162446148, 1150040666, 3430456984,
559478304, 2667071902, 2941241689, 2504843709,
2291118851, 1171735007, 3163937054, 4210330224,
3978324152, 3214983102, 834109639, 179351664, 499339966,
3445158620, 4181891265, 4283462504, 399827656,
1384175366, 2383888249, 3581021031, 393470670,
3499860066, 874146333, 3319833674, 3901002144,
1163146702, 3700942975, 4053857025, 2535432618,
3497512106, 429624542,
},
.key_length = (u32)32,
},
.crypt_ctx = (struct crypto_aes_ctx){
.key_enc = (u32 [60]){
91118336, 1683438947, 280915620, 1674463119, 3416529787,
95371281, 156839573, 539041733, 2748950209, 3348011938,
3610309894, 3036590729, 1176448220, 1135635661,
1256800856, 1791516061, 4259008143, 978703661,
3982827563, 1503367842, 2366333926, 3468365611,
2219986291, 4003074286, 3589535297, 4020642668,
46334791, 1532531173, 3026313791, 2061167892,
4270366823, 269660297, 1916354478, 2644450498,
2673614725, 3288632928, 2828270575, 3528005371,
750892700, 1020462613, 735205841, 3058517267, 689003158,
3977630966, 4257919917, 797156694, 54662090, 1066472927,
3047676072, 65707451, 721143597, 3354268635, 1004719636,
341928770, 388200584, 682782039, 4002672596, 3984159343,
3347232066, 7120537,
},
.key_dec = (u32 [60]){
4002672596, 3984159343, 3347232066, 7120537, 2275767381,
3582792214, 728749911, 250810445, 2145441323,
3415330885, 1171250799, 717236012, 72947820, 1378379331,
4276274497, 631031578, 3286455042, 3027306094,
2388528682, 1863317827, 1027747936, 1450278447,
2898961154, 3682468443, 2929020077, 2006078828,
976160836, 3780245353, 3002856629, 1798524495,
4206615853, 2008326489, 523503039, 3641121217,
1304255784, 3682533165, 3583917429, 3653810938,
2441646946, 2366602356, 2101484483, 3325238398,
2495235305, 2529403397, 1276800912, 206997391,
1212164504, 478670614, 2260253082, 3144746941,
1384732823, 41543404, 2858181789, 1078781983,
1142337047, 1422378638, 91118336, 1683438947, 280915620,
1674463119,
},
.key_length = (u32)32,
},
}
Extracting the AES Key
Since we have a 512-bit key, XTS uses two 256-bit AES keys. You'll notice that the key_enc
fields above are much larger than that. This is because AES expands the key into a number
of "round keys" using a "key schedule". Luckily, the first few round keys are copied
directly from the original key.
With that information, we can finally recover the original key:
>>> def aes_key_from_ctx(ctx):
... words = ctx.key_enc.value_()[:ctx.key_length / 4]
... return b"".join(word.to_bytes(4, "little") for word in words)
...
>>> aes_key_from_ctx(xts_ctx.crypt_ctx).hex()
'005b6e05633d5764a46ebe108f47ce637b1ba4cb1140af05952e5909c51f2120'
>>> aes_key_from_ctx(xts_ctx.tweak_ctx).hex()
'01f3a0f1aaa11f97aacc77d0de8c9b1946e7610b9fe60125c91d9ca296cadd5d'
Which we can double check with cryptsetup:
# cryptsetup luksDump --dump-master-key /dev/vdb
WARNING!
========
The header dump with volume key is sensitive information
that allows access to encrypted partition without a passphrase.
This dump should be stored encrypted in a safe place.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/vdb: hello
LUKS header information for /dev/vdb
Cipher name: aes
Cipher mode: xts-plain64
Payload offset: 32768
UUID: b43cba2c-532b-4491-bbb9-763b55bd7f03
MK bits: 512
MK dump: 00 5b 6e 05 63 3d 57 64 a4 6e be 10 8f 47 ce 63
7b 1b a4 cb 11 40 af 05 95 2e 59 09 c5 1f 21 20
01 f3 a0 f1 aa a1 1f 97 aa cc 77 d0 de 8c 9b 19
46 e7 61 0b 9f e6 01 25 c9 1d 9c a2 96 ca dd 5d
Conclusion
Before this, I had almost no knowledge of device mapper or crypto API internals. drgn
makes it easy to explore the kernel and learn how it works.
Note that different system configurations will have different representations in the
crypto API. For example, different ciphers modes will obviously have different
transformations. Even the lack of AES-NI with the same cipher mode results in different
transformation objects.
I converted this case study to the dm_crypt_key.py script in drgn's contrib directory. It
could be extended to cover other ciphers in the future.
Using Stack Trace Variables to Find a Kyber Bug
Author: Omar Sandoval
Date: June 9th, 2021
Jakub Kicinski reported a crash in the Kyber I/O scheduler when he was testing Linux 5.12.
He captured a core dump and asked me to debug it. This is a quick writeup of that
investigation.
First, we can get the task that crashed:
>>> task = per_cpu(prog["runqueues"], prog["crashing_cpu"]).curr
Then, we can get its stack trace:
>>> trace = prog.stack_trace(task)
>>> trace
#0 queued_spin_lock_slowpath (../kernel/locking/qspinlock.c:471:3)
#1 queued_spin_lock (../include/asm-generic/qspinlock.h:85:2)
#2 do_raw_spin_lock (../kernel/locking/spinlock_debug.c:113:2)
#3 spin_lock (../include/linux/spinlock.h:354:2)
#4 kyber_bio_merge (../block/kyber-iosched.c:573:2)
#5 blk_mq_sched_bio_merge (../block/blk-mq-sched.h:37:9)
#6 blk_mq_submit_bio (../block/blk-mq.c:2182:6)
#7 __submit_bio_noacct_mq (../block/blk-core.c:1015:9)
#8 submit_bio_noacct (../block/blk-core.c:1048:10)
#9 submit_bio (../block/blk-core.c:1125:9)
#10 submit_stripe_bio (../fs/btrfs/volumes.c:6553:2)
#11 btrfs_map_bio (../fs/btrfs/volumes.c:6642:3)
#12 btrfs_submit_data_bio (../fs/btrfs/inode.c:2440:8)
#13 submit_one_bio (../fs/btrfs/extent_io.c:175:9)
#14 submit_extent_page (../fs/btrfs/extent_io.c:3229:10)
#15 __extent_writepage_io (../fs/btrfs/extent_io.c:3793:9)
#16 __extent_writepage (../fs/btrfs/extent_io.c:3872:8)
#17 extent_write_cache_pages (../fs/btrfs/extent_io.c:4514:10)
#18 extent_writepages (../fs/btrfs/extent_io.c:4635:8)
#19 do_writepages (../mm/page-writeback.c:2352:10)
#20 __writeback_single_inode (../fs/fs-writeback.c:1467:8)
#21 writeback_sb_inodes (../fs/fs-writeback.c:1732:3)
#22 __writeback_inodes_wb (../fs/fs-writeback.c:1801:12)
#23 wb_writeback (../fs/fs-writeback.c:1907:15)
#24 wb_check_background_flush (../fs/fs-writeback.c:1975:10)
#25 wb_do_writeback (../fs/fs-writeback.c:2063:11)
#26 wb_workfn (../fs/fs-writeback.c:2091:20)
#27 process_one_work (../kernel/workqueue.c:2275:2)
#28 worker_thread (../kernel/workqueue.c:2421:4)
#29 kthread (../kernel/kthread.c:292:9)
#30 ret_from_fork+0x1f/0x2a (../arch/x86/entry/entry_64.S:294)
It looks like kyber_bio_merge() tried to lock an invalid spinlock. For reference, this is
the source code of kyber_bio_merge():
static bool kyber_bio_merge(struct blk_mq_hw_ctx *hctx, struct bio *bio,
unsigned int nr_segs)
{
struct kyber_hctx_data *khd = hctx->sched_data;
struct blk_mq_ctx *ctx = blk_mq_get_ctx(hctx->queue);
struct kyber_ctx_queue *kcq = &khd->kcqs[ctx->index_hw[hctx->type]];
unsigned int sched_domain = kyber_sched_domain(bio->bi_opf);
struct list_head *rq_list = &kcq->rq_list[sched_domain];
bool merged;
spin_lock(&kcq->lock);
merged = blk_bio_list_merge(hctx->queue, rq_list, bio, nr_segs);
spin_unlock(&kcq->lock);
return merged;
}
When printed, the kcq structure containing the spinlock indeed looks like garbage (omitted
for brevity).
A crash course on the Linux kernel block layer: for each block device, there is a
"software queue" (struct blk_mq_ctx *ctx) for each CPU and a "hardware queue" (struct
blk_mq_hw_ctx *hctx) for each I/O queue provided by the device. Each hardware queue has
one or more software queues assigned to it. Kyber keeps additional data per hardware
queue (struct kyber_hctx_data *khd) and per software queue (struct kyber_ctx_queue *kcq).
Let's try to figure out where the bad kcq came from. It should be an element of the
khd->kcqs array (khd is optimized out, but we can recover it from hctx->sched_data):
>>> trace[4]["khd"]
(struct kyber_hctx_data *)<absent>
>>> hctx = trace[4]["hctx"]
>>> khd = cast("struct kyber_hctx_data *", hctx.sched_data)
>>> trace[4]["kcq"] - khd.kcqs
(ptrdiff_t)1
>>> hctx.nr_ctx
(unsigned short)1
So the kcq is for the second software queue, but the hardware queue is only supposed to
have one software queue. Let's see which CPU was assigned to the hardware queue:
>>> hctx.ctxs[0].cpu
(unsigned int)6
Here's the problem: we're not running on CPU 6, we're running on CPU 19:
>>> prog["crashing_cpu"]
(int)19
And CPU 19 is assigned to a different hardware queue that actually does have two software
queues:
>>> ctx = per_cpu_ptr(hctx.queue.queue_ctx, 19)
>>> other_hctx = ctx.hctxs[hctx.type]
>>> other_hctx == hctx
False
>>> other_hctx.nr_ctx
(unsigned short)2
The bug is that the caller gets the hctx for the current CPU, then kyber_bio_merge() gets
the ctx for the current CPU, and if the thread is migrated to another CPU in between, they
won't match. The fix is to get a consistent view of the hctx and ctx. The commit that
fixes this is here.
Getting Debugging Symbols
Most Linux distributions don't install debugging symbols for installed packages by
default. This page documents how to install debugging symbols on common distributions. If
drgn prints an error like:
$ sudo drgn
could not get debugging information for:
kernel (could not find vmlinux for 5.14.14-200.fc34.x86_64)
...
Then you need to install debugging symbols.
Fedora
Fedora makes it very easy to install debugging symbols with the DNF debuginfo-install
plugin, which is installed by default. Simply run sudo dnf debuginfo-install $package:
$ sudo dnf debuginfo-install python3
To find out what package owns a binary, use rpm -qf:
$ rpm -qf $(which python3)
python3-3.9.7-1.fc34.x86_64
To install symbols for the running kernel:
$ sudo dnf debuginfo-install kernel-$(uname -r)
Also see the Fedora documentation.
Debian
Debian requires you to manually add the debugging symbol repositories:
$ sudo tee /etc/apt/sources.list.d/debug.list << EOF
deb http://deb.debian.org/debian-debug/ $(lsb_release -cs)-debug main
deb http://deb.debian.org/debian-debug/ $(lsb_release -cs)-proposed-updates-debug main
EOF
$ sudo apt update
Then, debugging symbol packages can be installed with sudo apt install. Some debugging
symbol packages are named with a -dbg suffix:
$ sudo apt install python3-dbg
And some are named with a -dbgsym suffix:
$ sudo apt install coreutils-dbgsym
You can use the find-dbgsym-packages command from the debian-goodies package to find the
correct name:
$ sudo apt install debian-goodies
$ find-dbgsym-packages $(which python3)
libc6-dbg libexpat1-dbgsym python3.9-dbg zlib1g-dbgsym
$ find-dbgsym-packages $(which cat)
coreutils-dbgsym libc6-dbg
To install symbols for the running kernel:
$ sudo apt install linux-image-$(uname -r)-dbg
Also see the Debian documentation.
Ubuntu
On Ubuntu, you must install the debugging symbol archive signing key and manually add the
debugging symbol repositories:
$ sudo apt update
$ sudo apt install ubuntu-dbgsym-keyring
$ sudo tee /etc/apt/sources.list.d/debug.list << EOF
deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse
EOF
$ sudo apt update
Like Debian, some debugging symbol packages are named with a -dbg suffix and some are
named with a -dbgsym suffix:
$ sudo apt install python3-dbg
$ sudo apt install coreutils-dbgsym
You can use the find-dbgsym-packages command from the debian-goodies package to find the
correct name:
$ sudo apt install debian-goodies
$ find-dbgsym-packages $(which python3)
libc6-dbg libexpat1-dbgsym python3.9-dbg zlib1g-dbgsym
$ find-dbgsym-packages $(which cat)
coreutils-dbgsym libc6-dbg
To install symbols for the running kernel:
$ sudo apt install linux-image-$(uname -r)-dbgsym
Also see the Ubuntu documentation.
Arch Linux
Arch Linux unfortunately does not make debugging symbols available. Packages must be
manually rebuilt with debugging symbols enabled. See the ArchWiki and the feature request.
Release Highlights
These are highlights of each release of drgn focusing on a few exciting items from the
full release notes.
0.0.28 & 0.0.29 (Released October 7th & 8th, 2024)
These are some of the highlights of drgn 0.0.28. See the GitHub release for the full
release notes, including more improvements and bug fixes.
drgn 0.0.29 was released shortly after 0.0.28 with a single bug fix for the
drgn.helpers.experimental.kmodify module. See the release notes.
Calling Arbitrary Functions in the Running Kernel
This release added call_function(), which calls a function in the running kernel. This is
the first ever feature in drgn that allows modifying the state of the kernel. Its primary
use cases are experimentation in development environments and mitigating kernel bugs in
production. For example, this recent lost wake-up bug could be mitigated with something
like:
from drgn.helpers.experimental.kmodify import call_function
for task in for_each_task():
for frame in stack_trace(task):
if frame.name == "perf_event_free_task":
call_function("wake_up_process", task)
break
Note that this feature is currently experimental, only supported on x86-64, and may have a
different API in the future.
There is a blog post about how this feature works.
Writing to Kernel Memory
In a similar vein, drgn can now write to kernel memory, either via an address (with
write_memory()):
>>> import os
>>> from drgn.helpers.experimental.kmodify import write_memory
>>> os.uname().sysname
'Linux'
>>> write_memory(prog["init_uts_ns"].name.sysname.address_, b"Lol\\0")
>>> os.uname().sysname
'Lol'
or an object (with write_object()):
>>> from drgn.helpers.experimental.kmodify import write_object
>>> os.system("uptime -p")
up 12 minutes
>>> write_object(prog["init_time_ns"].offsets.boottime.tv_sec, 1000000000)
>>> os.system("uptime -p")
up 3 decades, 1 year, 37 weeks, 1 hour, 59 minutes
This feature is also experimental. It uses the same underlying mechanism as
call_function().
More C Operators
This release added a couple of new functions corresponding to operators in C. The
alignof() function is analogous to the _Alignof() operator in C:
>>> alignof(prog.type("long long"))
8
The implicit_convert() function implements implicit conversions in C, like when assigning
a variable, passing an argument to a function call, or returning a value:
>>> implicit_convert("unsigned int", Object(prog, "float", 2.0))
(unsigned int)2
>>> implicit_convert("void *", Object(prog, "int", 0))
Traceback (most recent call last):
...
TypeError: cannot convert 'int' to incompatible type 'void *'
Kernel Module Helpers
Stephen Brennan contributed several helpers for working with Linux kernel modules.
for_each_module() iterates over loaded modules:
>>> for module in for_each_module():
... print(module.name.string_().decode())
...
overlay
vhost_net
vhost
...
find_module() finds the module with a given name:
>>> module = find_module("overlay")
>>> module
*(struct module *)0xffffffffc23dae00 = {
...
}
module_address_regions() and module_percpu_region() return all of the memory regions
associated with a module, and address_to_module() finds the module containing an address:
>>> for start, size in module_address_regions(module):
... print(hex(start), size)
...
0xffffffffc23be000 102400
0xffffffffc23d8000 65536
0xffffffffc23e9000 73728
0xffffffffc2385000 4096
0x0 0
0x0 0
0x0 0
>>> address_to_module(0xffffffffc23bf000) == module
True
Thread Names
Ryan Wilson added the name attribute to drgn.Thread. This provides a consistent interface
for getting the name of a thread regardless of whether you're debugging the kernel or a
userspace program. (Unfortunately, userspace core dumps on Linux don't save the name of
any threads other than the main thread.)
Full 32-Bit Arm Support
This release added support for virtual address translation and stack traces on 32-bit Arm.
This is the state of architecture support in this release:
┌─────────────┬─────────────────────┬──────────────┬─────────────────────┐
│Architecture │ Linux Kernel │ Stack Traces │ Virtual Address │
│ │ Modules │ │ Translation │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│x86-64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│AArch64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│s390x │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│ppc64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│i386 │ ✓ │ │ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│Arm │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│RISC-V │ ✓ │ │ │
└─────────────┴─────────────────────┴──────────────┴─────────────────────┘
Note that there are known Linux kernel issues with debugging 32-bit Arm, both live and in
kdump. Please reach out to the linux-debuggers@vger.kernel.org mailing list if these
affect you.
AArch64 and s390x Virtual Address Translation Fixes
As of Linux 6.9, the default AArch64 kernel configuration enables 52-bit virtual addresses
and falls back to a smaller virtual address size if the hardware does not support 52 bits.
This required updates to drgn that were missed in v0.0.27.
As of Linux 6.10, on s390x, virtual addresses in the direct mapping are no longer equal to
physical addresses. This also required updates to drgn that were missed in v0.0.27.
Linux 6.11 and 6.12 Support
A change in Linux 6.12 broke tools/fsrefs.py. This error from visit_uprobes() is fixed in
this release:
TypeError: cannot convert 'struct list_head' to bool
No other changes were required to support Linux 6.11 and 6.12.
0.0.27 (Released July 1st, 2024)
These are some of the highlights of drgn 0.0.27. See the GitHub release for the full
release notes, including more improvements and bug fixes.
Finding the Type Member at an Offset
This release added member_at_offset(), which returns the name of the member at an offset
in a type:
>>> prog.type('struct list_head')
struct list_head {
struct list_head *next;
struct list_head *prev;
}
>>> member_at_offset(prog.type('struct list_head'), 0)
'next'
>>> member_at_offset(prog.type('struct list_head'), 8)
'prev'
It also handles more complicated cases, like nested structures, arrays, unions, and
padding.
It is particularly useful in combination with identify_address() or slab_object_info():
>>> identify_address(0xffff984fc7cc6708)
'slab object: fuse_inode+0x188'
>>> member_at_offset(prog.type("struct fuse_inode"), 0x188)
'inode.i_data.i_pages.xa_head'
(Note that in some cases, the slab cache name isn't identical to the type name. Slab
merging also complicates this; see slab_cache_is_merged(). In those cases, this trick
requires some extra effort.)
Identifying Memory
This release added print_annotated_memory(), which dumps a range of memory, annotating
values that can be identified:
>>> print_annotated_memory(0xffff985163300698, 64)
ADDRESS VALUE
ffff985163300698: ffff984f415456a0 [slab object: mnt_cache+0x20]
ffff9851633006a0: ffff984f587b7840 [slab object: dentry+0x0]
ffff9851633006a8: ffff984f404bfa38 [slab object: inode_cache+0x0]
ffff9851633006b0: ffffffff8b4890c0 [object symbol: signalfd_fops+0x0]
ffff9851633006b8: 0000000000000000
ffff9851633006c0: ffff984f9307c078 [slab object: lsm_file_cache+0x0]
ffff9851633006c8: ffff984f8afe3980 [slab object: kmalloc-8+0x0]
ffff9851633006d0: ffff984f414730f0 [slab object: ep_head+0x0]
(This is similar to print_annotated_stack() but for arbitrary memory ranges.)
identify_address() (used by print_annotated_memory() and print_annotated_stack()) can now
also identify vmap addresses and vmap kernel stacks:
>>> print(identify_address(0xffffffffc0536540))
vmap: 0xffffffffc0536000-0xffffffffc0545000 caller load_module+0x811
>>> print(identify_address(0xffffbb88e2283f58))
vmap stack: 2220305 (python3) +0x3f58
Configurable Type and Object Finders
drgn already supported registering custom callbacks that could satisfy type and object
lookups: Program.add_type_finder() and Program.add_object_finder(). However, there was no
way to disable previously added callbacks or control the order in which they are called.
This release adds an interface for doing so.
Program.registered_object_finders() returns the set of registered object finders:
>>> prog.registered_object_finders()
{'dwarf', 'linux'}
Program.enabled_object_finders() returns the list of enabled object finders in the order
that they are called:
>>> prog.enabled_object_finders()
['linux', 'dwarf']
Program.register_object_finder() registers and optionally enables a finder:
>>> def my_object_finder(prog, name, flags, filename):
... ...
...
>>> prog.register_object_finder("foo", my_object_finder)
>>> prog.registered_object_finders()
{'foo', 'dwarf', 'linux'}
>>> prog.enabled_object_finders()
['linux', 'dwarf']
>>> def my_object_finder2(prog, name, flags, filename):
... ...
...
>>> prog.register_object_finder("bar", my_object_finder2, enable_index=0)
>>> prog.registered_object_finders()
{'foo', 'dwarf', 'bar', 'linux'}
>>> prog.enabled_object_finders()
['bar', 'linux', 'dwarf']
Program.set_enabled_object_finders() sets the list of enabled finders. This can enable,
disable, and reorder finders.
>>> prog.set_enabled_object_finders(['dwarf', 'foo'])
>>> prog.enabled_object_finders()
['dwarf', 'foo']
Type finders have equivalent methods: Program.registered_type_finders(),
Program.enabled_type_finders(), Program.register_type_finder(), and
Program.set_enabled_type_finders().
The old interface is now deprecated.
Symbol Finders
Previously, symbols could only be looked up using the ELF symbol table. In this release,
Stephen Brennan added support for custom symbol finders:
Program.registered_symbol_finders(), Program.enabled_symbol_finders(),
Program.register_symbol_finder(), and Program.set_enabled_symbol_finders().
contrib Directory
A few new scripts were added to the contrib directory, and others were updated.
contrib/search_kernel_memory.py
This script does a brute force search through kernel RAM for a given byte string and
prints all of the addresses where it is found. It's useful as a last resort for finding
what is referencing an object, for example.
>>> folio = stack_trace(task)[5]["folio"]
>>> search_memory(prog, folio.value_().to_bytes(8, "little"))
0xffff8882f67539e8 vmap stack: 2232297 (io_thread) +0x39e8
0xffff8882f6753a18 vmap stack: 2232297 (io_thread) +0x3a18
0xffff8882f6753a60 vmap stack: 2232297 (io_thread) +0x3a60
0xffff8882f6753ac8 vmap stack: 2232297 (io_thread) +0x3ac8
0xffff888300405530 slab object: kmalloc-16+0x0
0xffff8883b8c6ca38
contrib/gcore.py
This script creates a core dump of a live process. This works even if the process is stuck
in D state (Uninterruptible Sleep), which normally causes debuggers attempting to attach
to the process to hang, too. The generated core dump can be debugged with GDB, LLDB, or
even drgn.
By default, gcore.py reads the task's memory through /proc/$pid/mem. However, if
mmap_lock/mmap_sem is stuck, then this will also hang. If the --no-procfs flag is used,
drgn bypasses this, too, by reading the process's page tables and reading the memory
directly. This has a couple of big downsides: paged out memory will be skipped, and it's a
lot slower. But if the task is badly stuck in memory management, --no-procfs is a great
escape hatch.
gcore.py can also extract userspace core dumps out of a kernel core dump, but note that ‐
makedumpfile(8) is normally configured to filter out userspace memory.
contrib/negdentdelete.py
Negative dentries are a cache of failed filename lookups. They can take up a lot of
memory, and it's difficult to get rid of them by normal means. Stephen Brennan contributed
a script that can be used to get rid of negative dentries in a directory.
contrib/btrfs_tree.py
This script contains work-in-progress helpers for reading Btrfs metadata. It was added in
drgn 0.0.23, but this release expanded and improved it. It will likely be adapted into
proper helpers in a future release.
This script was used to investigate a bug, culminating in Linux kernel commit 9d274c19a71b
("btrfs: fix crash on racing fsync and size-extending write into prealloc").
contrib/bpf_inspect.py
Leon Hwang made many improvements to this script, including adding more detailed
information, new commands, and updating it for recent kernels.
Linux 6.9 and 6.10 Support
Changes in Linux 6.9 and 6.10 broke a few drgn helpers. Here are some errors you might see
with older versions of drgn that are fixed in this release.
From stack_depot_fetch():
AttributeError: 'union handle_parts' has no member 'pool_index'
From for_each_disk():
AttributeError: 'struct block_device' has no member 'bd_partno'
Additionally, slab_cache_for_each_allocated_object(), slab_object_info(), and
find_containing_slab_cache() may fail to find anything.
0.0.26 (Released March 11th, 2024)
These are some of the highlights of drgn 0.0.26. See the GitHub release for the full
release notes, including more improvements and bug fixes.
Miscellaneous Helpers
This release added several new Linux kernel helpers with no particular theme:
• print_dmesg(), a shortcut for printing the kernel log buffer.
• idr_for_each_entry(), a shortcut for iterating over an IDR and casting its entries to a
specific type.
• stack_depot_fetch() for getting stack traces from the storage used by KASAN and other
kernel debugging tools. This was contributed by Peter Collingbourne.
• plist_head_empty(), plist_node_empty(), plist_first_entry(), plist_last_entry(),
plist_for_each(), and plist_for_each_entry(), helpers for working with the kernel's
priority-sorted lists.
fsrefs.py Tool
The fsrefs.py tool was added to the tools directory. It prints information about
everything that is referencing a file or filesystem. This is similar to fuser(1) and ‐
lsof(8), but it can find more since it has access to kernel internals.
$ ./tools/fsrefs.py --inode /dev/urandom
pid 1349 (bluetoothd) fd 16 (struct file *)0xffff8881458cf000
pid 1368 (udisksd) fd 15 (struct file *)0xffff888145c13100
...
$ ./tools/fsrefs.py --super-block /run
mount /run (struct mount *)0xffff8881015cc140
pid 1 (systemd) fd 256 (struct file *)0xffff8881012f3d00 /run/initctl
pid 1 (systemd) fd 380 (struct file *)0xffff88810bf88800 /run/dmeventd-server
pid 1 (systemd) fd 385 (struct file *)0xffff88810bf88f00 /run/dmeventd-client
mount /run (mount namespace 4026532545) (struct mount *)0xffff8881474028c0
pid 2135770 (systemd-journal) vma 0x7f7d94f2a000-0x7f7d94f2b000 (struct file *)0xffff88813925bf00 /run/systemd/journal/kernel-seqnum
pid 2135770 (systemd-journal) vma 0x7f7d94f2b000-0x7f7d94f2c000 (struct file *)0xffff88813925a100 /run/systemd/journal/seqnum
...
fsrefs.py currently checks:
• File descriptors
• Task working directories
• Task root directories
• Memory mappings
• Filesystem mounts
• binfmt_misc
• loop(4) devices
• Swap files
• uprobes
It will be extended to check more as the need arises, so feel free to report anything it
missed.
(Note that as opposed to the contrib directory, scripts in the tools directory are
regularly maintained and tested.)
DWARF Package Files
drgn now supports split DWARF package (.dwp) files. These are generated by the dwp and
llvm-dwp tools.
Linux 6.8 Support
Linux 6.8 changed some filesystem internals in a way that broke a couple of drgn helpers.
Here are some errors you might see with older versions of drgn that are fixed in this
release.
From path_lookup() or for_each_mount() (fixed by Johannes Thumshirn):
AttributeError: 'struct mnt_namespace' has no member 'list'
From path_lookup():
AttributeError: 'struct dentry' has no member 'd_subdirs'
Python 3.13 Support
Python 3.13, currently in alpha, removed or changed some private APIs
(_PyDict_GetItemIdWithError(), _PyDict_SetItemId(), and _PyLong_AsByteArray()) that drgn
depended on, which caused build failures. This was fixed by using public APIs instead.
0.0.25 (Released December 1st, 2023)
These are some of the highlights of drgn 0.0.25. See the GitHub release for the full
release notes, including more improvements and bug fixes.
Omitting the prog Argument
As a usability improvement, prog can now be omitted from most function calls. For example,
instead of find_task(prog, 1234), you can now simply write find_task(1234). Additionally,
instead of prog.stack_trace(1234), you can now write stack_trace(1234). (The old way will
continue to be supported.)
Most CLI users don't need to worry about how this works, but library users may want to
understand the Default Program.
It's tricky balancing interactive convenience and sensible APIs for scripting, but we
think this is a nice improvement overall!
Running Without root
drgn debugs the live Linux kernel via /proc/kcore, which can only be accessed by the root
user (or a user with the CAP_SYS_RAWIO capability, to be precise). However, it's not
necessary (or ideal) for the rest of drgn to run as root.
Now when drgn is run against the live kernel as an unprivileged user, it will attempt to
open /proc/kcore via sudo(8). The rest of drgn will then run without extra privileges.
In other words, in order to debug the live kernel, all you need to do is install debugging
symbols and run:
$ drgn
This feature was contributed by Stephen Brennan.
Maple Tree Helpers
Maple trees were introduced in Linux 6.1, initially to store virtual memory areas (VMAs).
This release adds a couple of helpers for working with them.
mtree_load() looks up an entry in a maple tree:
>>> mtree_load(task.mm.mm_mt.address_of_(), 0x55d65cfaa000)
(void *)0xffff97ad82bfc930
mt_for_each() iterates over a maple tree:
>>> for first_index, last_index, entry in mt_for_each(task.mm.mm_mt.address_of_()):
... print(hex(first_index), hex(last_index), entry)
...
0x55d65cfaa000 0x55d65cfaafff (void *)0xffff97ad82bfc930
0x55d65cfab000 0x55d65cfabfff (void *)0xffff97ad82bfc0a8
0x55d65cfac000 0x55d65cfacfff (void *)0xffff97ad82bfc000
0x55d65cfad000 0x55d65cfadfff (void *)0xffff97ad82bfcb28
...
VMA Helpers
This release also adds higher-level helpers specifically for VMAs.
vma_find() looks up a VMA by address:
>>> vma_find(task.mm, 0x55d65cfaa000)
*(struct vm_area_struct *)0xffff97ad82bfc930 = {
...
}
>>> vma_find(task.mm, 0x55d65cfa9fff)
(struct vm_area_struct *)0
for_each_vma() iterates over every VMA in an address space:
>>> for vma in for_each_vma(task.mm):
... print(vma)
...
*(struct vm_area_struct *)0xffff97ad82bfc930 = {
...
}
*(struct vm_area_struct *)0xffff97ad82bfc0a8 = {
...
}
...
These helpers also handle older kernels without maple trees.
Wait Queue Helpers
Wait queues are a fundamental data structure and synchronization mechanism in the Linux
kernel. Imran Khan contributed a few helpers for working with them.
waitqueue_active() returns whether a wait queue has any waiters:
>>> wq
*(wait_queue_head_t *)0xffff8da80d618e18 = {
.lock = (spinlock_t){
.rlock = (struct raw_spinlock){
.raw_lock = (arch_spinlock_t){
.val = (atomic_t){
.counter = (int)0,
},
.locked = (u8)0,
.pending = (u8)0,
.locked_pending = (u16)0,
.tail = (u16)0,
},
},
},
.head = (struct list_head){
.next = (struct list_head *)0xffffae44e3007ce8,
.prev = (struct list_head *)0xffffae44e3007ce8,
},
}
>>> waitqueue_active(wq)
True
waitqueue_for_each_entry() iterates over each entry in a wait queue:
>>> for entry in waitqueue_for_each_entry(wq):
... print(entry)
...
*(wait_queue_entry_t *)0xffffae44e3007cd0 = {
.flags = (unsigned int)0,
.private = (void *)0xffff8da7863ec000,
.func = (wait_queue_func_t)woken_wake_function+0x0 = 0xffffffffa8181010,
.entry = (struct list_head){
.next = (struct list_head *)0xffff8da80d618e20,
.prev = (struct list_head *)0xffff8da80d618e20,
},
}
waitqueue_for_each_task() iterates over each task waiting on a wait queue (although note
that this does not work for some special wait queues that don't store tasks):
>>> for task in waitqueue_for_each_task(wq):
... print(task.pid, task.comm)
...
(pid_t)294708 (char [16])"zsh"
ppc64 Radix MMU Support
Sourabh Jain contributed ppc64 radix MMU virtual address translation support. This is the
state of architecture support in this release:
drgn 0.0.25 Architecture Support
┌─────────────┬─────────────────────┬──────────────┬─────────────────────┐
│Architecture │ Linux Kernel │ Stack Traces │ Virtual Address │
│ │ Modules │ │ Translation │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│x86-64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│AArch64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│s390x │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│ppc64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│i386 │ ✓ │ │ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│Arm │ ✓ │ │ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│RISC-V │ ✓ │ │ │
└─────────────┴─────────────────────┴──────────────┴─────────────────────┘
0.0.24 (Released September 8th, 2023)
These are some of the highlights of drgn 0.0.24. See the GitHub release for the full
release notes, including more improvements and bug fixes.
Linked List Length Helper
This release added list_count_nodes(), which returns the length of a Linux kernel linked
list:
>>> list_count_nodes(prog["workqueues"].address_of_())
29
Networking Helpers
This release added a couple of Linux kernel networking helpers requested by Jakub
Kicinski.
netdev_priv() returns the private data of a network device:
>>> dev = netdev_get_by_name(prog, "wlp0s20f3")
>>> netdev_priv(dev)
(void *)0xffff9419c9dec9c0
>>> netdev_priv(dev, "struct ieee80211_sub_if_data")
*(struct ieee80211_sub_if_data *)0xffff9419c9dec9c0 = {
...
}
skb_shinfo() returns the shared info for a socket buffer.
C++ Lookups
This release added support for a few C++ features.
Simple Type Specifiers
Unlike C, C++ allows referring to class, struct, union, and enum types without their
respective keywords. For example:
class Foo { ... };
Foo foo; // Equivalent to class Foo foo;
Previously, drgn always required the keyword, so prog.type("class Foo") would succeed but
prog.type("Foo") would fail with a LookupError. This requirement was surprising to C++
developers, so it was removed. For C++ programs, prog.type("Foo") will now find a class,
struct, union, or enum type named Foo (for C programs, the keyword is still required).
Nested Classes
Again unlike C, C++ allows class, struct, and union types to be defined inside of other
class, struct, and union types. For example:
class Foo {
public:
class Bar { ... };
...
};
Foo::Bar bar;
drgn can now find such types with prog.type("Foo::Bar").
Member Functions
C++ supports member functions (a.k.a. methods). For example:
class Foo {
int method() { ... }
};
drgn can now find member functions with drgn.Program.function(), drgn.Program.object(), or
drgn.Program[] (e.g., prog.function("Foo::method") or prog["Foo::method"]).
Split DWARF
drgn now supports split DWARF object (.dwo) files. This is enabled by the -gsplit-dwarf
option in GCC and Clang or for the Linux kernel with CONFIG_DEBUG_INFO_SPLIT=y.
Split DWARF package (.dwp) file support is still in progress.
Performance Improvements
Thierry Treyer found a bug that made us search through much more debugging information
than necessary when getting a stack trace. Fixing this made stack traces almost twice as
fast.
The C++ lookup and split DWARF support mentioned above require processing more information
in drgn's debugging information indexing step, which it does on startup and whenever
debugging information is manually loaded. This could've been a performance regression, but
instead, indexing was reworked from the ground up in a way that's usually faster despite
the added features.
0.0.23 (Released June 28th, 2023)
These are some of the highlights of drgn 0.0.23. See the GitHub release for the full
release notes, including more improvements and bug fixes.
Virtual Address Translation Helpers
This release added several Linux kernel helpers for translating virtual addresses.
follow_phys() translates a virtual address to a physical address in a given address space.
For example, to get the physical address that virtual address 0x7f7fe46a4270 maps to in
process 115:
>>> task = find_task(prog, 115)
>>> address = 0x7f7fe46a4270
>>> print(hex(follow_phys(task.mm, address)))
0x4090270
follow_page() translates a virtual address to the struct page * that it maps to:
>>> follow_page(task.mm, address)
*(struct page *)0xffffd20ac0102400 = {
...
}
follow_pfn() translates a virtual address to the page frame number (PFN) of the page that
it maps to:
>>> follow_pfn(task.mm, address)
(unsigned long)16528
These can be used to translate arbitrary kernel virtual addresses by passing
prog["init_mm"].address_of_():
>>> print(hex(follow_phys(prog["init_mm"].address_of_(), 0xffffffffc0483000)))
0x2e4b000
Vmalloc/Vmap Address Translation Helpers
vmalloc_to_page() is a special case of follow_page() for vmalloc and vmap addresses:
>>> vmalloc_to_page(prog, 0xffffffffc0477000)
*(struct page *)0xffffc902400b8980 = {
...
}
Likewise, vmalloc_to_pfn() is a special case of follow_pfn() for vmalloc and vmap
addresses:
>>> vmalloc_to_pfn(prog, 0xffffffffc0477000)
(unsigned long)11814
contrib Directory
Martin Liška, Boris Burkov, and Johannes Thumshirn added lots of new scripts to the
contrib directory:
• btrfs_tree.py: work-in-progress helpers for Btrfs B-trees
• btrfs_tree_mod_log.py: simulator for the Btrfs tree modification log
• dump_btrfs_bgs.py: print block groups in a Btrfs filesystem
• kcore_list.py: print memory regions from /proc/kcore
• kernel_sys.py: print system information (similar to crash's sys command)
• mount.py: print a filesystem mount table
• platform_drivers.py: print registered platform drivers
• vmmap.py: print memory mappings in a process (similar to /proc/$pid/maps)
• vmstat.py: print information about kernel memory usage
Embedding Interactive Mode
drgn.cli.run_interactive() runs drgn's interactive mode. It can be used to embed drgn in
another application. For example, you could use it for a custom drgn.Program that the
standard drgn CLI can't set up:
import drgn
import drgn.cli
prog = drgn.Program()
prog.add_type_finder(...)
prog.add_object_finder(...)
prog.add_memory_segment(...)
drgn.cli.run_interactive(prog)
Full s390x Support
Sven Schnelle contributed s390x virtual address translation support. This is the state of
architecture support in this release:
drgn 0.0.23 Architecture Support
┌─────────────┬─────────────────────┬──────────────┬─────────────────────┐
│Architecture │ Linux Kernel │ Stack Traces │ Virtual Address │
│ │ Modules │ │ Translation │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│x86-64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│AArch64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│ppc64 │ ✓ │ ✓ │ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│s390x │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│i386 │ ✓ │ │ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│Arm │ ✓ │ │ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│RISC-V │ ✓ │ │ │
└─────────────┴─────────────────────┴──────────────┴─────────────────────┘
Linux 6.3 & 6.4 Support
Linux 6.3 and 6.4 had an unusual number of breaking changes for drgn. Here are some errors
you might see with older versions of drgn that are fixed in this release.
On startup (fixed by Ido Schimmel):
warning: could not get debugging information for:
kernel modules (could not find loaded kernel modules: 'struct module' has no member 'core_size')
From drgn.Program.stack_trace() and drgn.Thread.stack_trace():
Exception: unknown ORC entry type 3
From compound_order() and compound_nr():
AttributeError: 'struct page' has no member 'compound_order'
From for_each_disk() and for_each_partition():
AttributeError: 'struct class' has no member 'p'
Python 3.12 Support
Python 3.12, currently in beta, changed an implementation detail that drgn depended on,
which caused crashes like:
Py_SIZE: Assertion `ob->ob_type != &PyLong_Type' failed.
Stephen Brennan fixed this.
0.0.22 (Released January 5th, 2023)
These are some of the highlights of drgn 0.0.22. See the GitHub release for the full
release notes, including more improvements and bug fixes.
Listing Stack Frame Locals
drgn.StackFrame.locals() returns the names of all arguments and local variables in the
scope of a stack frame. This allows you to get a quick idea of what's going on in a
function without needing to read the source code right away.
Let's use the __schedule stack frame from the following trace as an example:
>>> trace = prog.stack_trace(1)
>>> trace
#0 context_switch (./kernel/sched/core.c:5209:2)
#1 __schedule (./kernel/sched/core.c:6521:8)
#2 schedule (./kernel/sched/core.c:6597:3)
#3 do_wait (./kernel/exit.c:1562:4)
#4 kernel_wait4 (./kernel/exit.c:1706:8)
#5 __do_sys_wait4 (./kernel/exit.c:1734:13)
#6 do_syscall_x64 (./arch/x86/entry/common.c:50:14)
#7 do_syscall_64 (./arch/x86/entry/common.c:80:7)
#8 entry_SYSCALL_64+0x9b/0x197 (./arch/x86/entry/entry_64.S:120)
#9 0x7f6a34a00057
>>> trace[1].locals()
['sched_mode', 'prev', 'next', 'switch_count', 'prev_state', 'rf', 'rq', 'cpu']
>>> for name in trace[1].locals():
... print(name, trace[1][name].format_(dereference=False))
...
sched_mode (unsigned int)0
prev (struct task_struct *)0xffffa3b601178000
next (struct task_struct *)0xffffa3b6026db800
switch_count (unsigned long *)0xffffa3b601178528
prev_state (unsigned long)<absent>
rf (struct rq_flags){
.flags = (unsigned long)1,
.cookie = (struct pin_cookie){},
.clock_update_flags = (unsigned int)4,
}
rq (struct rq *)0xffffa3b67fda9640
cpu (int)<absent>
Compare this to the kernel source code. Note that some of the variables have been
optimized out by the compiler.
This feature was contributed by Stephen Brennan.
Merged Slab Caches
The Linux kernel slab allocator merges "similar" slab caches as an optimization, which
often causes confusion. slab_cache_is_merged() (added back in 0.0.20) returns whether or
not a slab cache has been merged, but not what it was merged with. In this release,
Stephen Brennan added get_slab_cache_aliases(), which provides a mapping from a slab cache
name to the name of the cache it was merged into:
>>> get_slab_cache_aliases(prog)
{'io_kiocb': 'maple_node', 'ip_dst_cache': 'uid_cache', 'aio_kiocb': 'uid_cache', 'ip_fib_alias': 'Acpi-Parse', 'pid_namespace': 'pid', 'iommu_iova': 'vmap_area', 'fasync_cache': 'ftrace_event_field', 'dnotify_mark': 'Acpi-State', 'tcp_bind2_bucket': 'vmap_area', 'nsproxy': 'Acpi-Operand', 'shared_policy_node': 'ftrace_event_field', 'eventpoll_epi': 'pid', 'fib6_nodes': 'vmap_area', 'Acpi-Namespace': 'ftrace_event_field', 'posix_timers_cache': 'maple_node', 'inotify_inode_mark': 'Acpi-State', 'kernfs_iattrs_cache': 'trace_event_file', 'fs_cache': 'vmap_area', 'UDP-Lite': 'UDP', 'anon_vma_chain': 'vmap_area', 'ip6_dst_cache': 'maple_node', 'eventpoll_pwq': 'vmap_area', 'inet_peer_cache': 'uid_cache', 'fsnotify_mark_connector': 'numa_policy', 'ip_fib_trie': 'ftrace_event_field', 'filp': 'maple_node', 'dnotify_struct': 'numa_policy', 'UDPLITEv6': 'UDPv6', 'biovec-16': 'maple_node', 'PING': 'signal_cache', 'ep_head': 'blkdev_ioc', 'tcp_bind_bucket': 'pid', 'Acpi-ParseExt': 'Acpi-State', 'cred_jar': 'pid', 'ovl_aio_req': 'pid', 'pool_workqueue': 'maple_node', 'sigqueue': 'Acpi-State', 'file_lock_ctx': 'Acpi-Parse', 'kernfs_node_cache': 'pid'}
This means that if you're looking for io_kiocb allocations, you actually need to look at
the maple_node slab cache. Conversely, if you're looking at the maple_node slab cache, you
need to be aware that it also contains allocations from all of the following slab caches:
>>> [merged for merged, canonical in get_slab_cache_aliases(prog).items() if canonical == "maple_node"]
['io_kiocb', 'posix_timers_cache', 'ip6_dst_cache', 'filp', 'biovec-16', 'pool_workqueue']
Slab Address Information
This release extended identify_address() to show additional information about slab
allocations:
>>> ptr1 = 0xffffa3b601178438
>>> ptr2 = 0xffffa3b601176cc0
>>> identify_address(prog, ptr1)
'slab object: task_struct+0x438'
>>> identify_address(prog, ptr2)
'free slab object: mm_struct+0x0'
This means that ptr1 is an address 0x438 bytes into an allocated object from the
task_struct slab cache, and ptr2 is a free object from the mm_struct slab cache.
slab_object_info() provides the same information programmatically:
>>> slab_object_info(prog, ptr1)
SlabObjectInfo(slab_cache=Object(prog, 'struct kmem_cache *', value=0xffffa3b601045500), slab=Object(prog, 'struct slab *', value=0xffffe80840045e00), address=0xffffa3b601178000, allocated=True)
>>> slab_object_info(prog, ptr2)
SlabObjectInfo(slab_cache=Object(prog, 'struct kmem_cache *', value=0xffffa3b601045900), slab=Object(prog, 'struct slab *', value=0xffffe80840045c00), address=0xffffa3b601176cc0, allocated=False)
Annotated Stack Memory
print_annotated_stack() prints a stack trace and all of its memory, identifying anything
that it can:
>>> print_annotated_stack(prog.stack_trace(1))
STACK POINTER VALUE
[stack frame #0 at 0xffffffffaf8a68e9 (__schedule+0x429/0x488) in context_switch at ./kernel/sched/core.c:5209:2 (inlined)]
[stack frame #1 at 0xffffffffaf8a68e9 (__schedule+0x429/0x488) in __schedule at ./kernel/sched/core.c:6521:8]
ffffbb1ac0013d28: ffffffffaf4498f5 [function symbol: __flush_tlb_one_user+0x5]
ffffbb1ac0013d30: 00000000af449feb
ffffbb1ac0013d38: 0000000000000001
ffffbb1ac0013d40: 0000000000000004
ffffbb1ac0013d48: 25c5ff9539edc200
ffffbb1ac0013d50: ffffa3b601178000 [slab object: task_struct+0x0]
ffffbb1ac0013d58: ffffa3b601178000 [slab object: task_struct+0x0]
ffffbb1ac0013d60: ffffbb1ac0013e10
ffffbb1ac0013d68: ffffa3b601177ff0 [slab object: mm_struct+0x70]
ffffbb1ac0013d70: ffffa3b601178000 [slab object: task_struct+0x0]
ffffbb1ac0013d78: ffffa3b601178000 [slab object: task_struct+0x0]
ffffbb1ac0013d80: ffffffffaf8a69d1 [function symbol: schedule+0x89]
[stack frame #2 at 0xffffffffaf8a69d1 (schedule+0x89/0xc7) in schedule at ./kernel/sched/core.c:6597:3]
ffffbb1ac0013d88: ffffbb1ac0013de8
ffffbb1ac0013d90: 0000000000000000
ffffbb1ac0013d98: ffffffffaf4595ee [function symbol: do_wait+0x231]
[stack frame #3 at 0xffffffffaf4595ee (do_wait+0x231/0x2e3) in do_wait at ./kernel/exit.c:1562:4]
ffffbb1ac0013da0: ffffa3b601178450 [slab object: task_struct+0x450]
ffffbb1ac0013da8: ffffa3b601178000 [slab object: task_struct+0x0]
ffffbb1ac0013db0: 0000000000000004
ffffbb1ac0013db8: 0000000000000000
ffffbb1ac0013dc0: 00007ffe0984a170
ffffbb1ac0013dc8: 0000000000000000
ffffbb1ac0013dd0: fffffffffffffffd
ffffbb1ac0013dd8: 0000000000000004
ffffbb1ac0013de0: ffffffffaf45a42f [function symbol: kernel_wait4+0xc2]
[stack frame #4 at 0xffffffffaf45a42f (kernel_wait4+0xc2/0x11b) in kernel_wait4 at ./kernel/exit.c:1706:8]
ffffbb1ac0013de8: 0000000400000004
ffffbb1ac0013df0: 0000000000000000
ffffbb1ac0013df8: 0000000000000000
ffffbb1ac0013e00: 0000000000000000
ffffbb1ac0013e08: 0000000000000000
ffffbb1ac0013e10: ffffffff00000000
ffffbb1ac0013e18: ffffa3b601178000 [slab object: task_struct+0x0]
ffffbb1ac0013e20: ffffffffaf45890c [function symbol: child_wait_callback+0x0]
ffffbb1ac0013e28: ffffa3b601188028 [slab object: signal_cache+0x28]
ffffbb1ac0013e30: ffffa3b601188028 [slab object: signal_cache+0x28]
ffffbb1ac0013e38: 000055d500000000
ffffbb1ac0013e40: 25c5ff9539edc200
ffffbb1ac0013e48: 0000000000000000
ffffbb1ac0013e50: ffffbb1ac0013f30
ffffbb1ac0013e58: ffffbb1ac0013f58
ffffbb1ac0013e60: 0000000000000000
ffffbb1ac0013e68: 0000000000000000
ffffbb1ac0013e70: 0000000000000000
ffffbb1ac0013e78: ffffffffaf45a4c0 [function symbol: __do_sys_wait4+0x38]
[stack frame #5 at 0xffffffffaf45a4c0 (__do_sys_wait4+0x38/0x8c) in __do_sys_wait4 at ./kernel/exit.c:1734:13]
ffffbb1ac0013e80: ffffffffaf8aaa21 [function symbol: _raw_spin_unlock_irq+0x10]
ffffbb1ac0013e88: ffffffffaf46460c [function symbol: do_sigaction+0xf8]
ffffbb1ac0013e90: ffffa3b601180020 [slab object: sighand_cache+0x20]
ffffbb1ac0013e98: ffffa3b6028d02d0 [slab object: vm_area_struct+0x0]
ffffbb1ac0013ea0: 25c5ff9539edc200
ffffbb1ac0013ea8: 0000000000000002
ffffbb1ac0013eb0: 00007ffe09849fb0
ffffbb1ac0013eb8: ffffbb1ac0013f58
ffffbb1ac0013ec0: 0000000000000000
ffffbb1ac0013ec8: 0000000000000000
ffffbb1ac0013ed0: 0000000000000046
ffffbb1ac0013ed8: ffffa3b601178000 [slab object: task_struct+0x0]
ffffbb1ac0013ee0: ffffa3b601178000 [slab object: task_struct+0x0]
ffffbb1ac0013ee8: ffffbb1ac0013f58
ffffbb1ac0013ef0: 0000000000000000
ffffbb1ac0013ef8: ffffffffaf426def [function symbol: fpregs_assert_state_consistent+0x1b]
ffffbb1ac0013f00: 0000000000000000
ffffbb1ac0013f08: ffffffffaf4b2f53 [function symbol: exit_to_user_mode_prepare+0xa6]
ffffbb1ac0013f10: 0000000000000000
ffffbb1ac0013f18: 25c5ff9539edc200
ffffbb1ac0013f20: ffffbb1ac0013f58
ffffbb1ac0013f28: 0000000000000000
ffffbb1ac0013f30: ffffbb1ac0013f48
ffffbb1ac0013f38: ffffffffaf8a1573 [function symbol: do_syscall_64+0x70]
[stack frame #6 at 0xffffffffaf8a1573 (do_syscall_64+0x70/0x8a) in do_syscall_x64 at ./arch/x86/entry/common.c:50:14 (inlined)]
[stack frame #7 at 0xffffffffaf8a1573 (do_syscall_64+0x70/0x8a) in do_syscall_64 at ./arch/x86/entry/common.c:80:7]
ffffbb1ac0013f40: 0000000000000000
ffffbb1ac0013f48: 0000000000000000
ffffbb1ac0013f50: ffffffffafa0009b [symbol: entry_SYSCALL_64+0x9b]
[stack frame #8 at 0xffffffffafa0009b (entry_SYSCALL_64+0x9b/0x197) at ./arch/x86/entry/entry_64.S:120]
ffffbb1ac0013f58: 0000000000000000
[stack frame #9 at 0x7f6a34a00057]
Like drgn.StackFrame.locals(), this provides a nice overview of everything happening in a
function, which might include useful hints. Keep in mind that it may identify "stale"
addresses for anything that a function hasn't reinitialized yet, and as always, be careful
of slab cache merging.
This was inspired by the crash bt -FF command. It was contributed by Nhat Pham.
XArray Helpers
XArrays were introduced in Linux 4.20 as a replacement for radix trees. drgn's radix tree
helpers also support XArrays in some cases, but this is awkward, not obvious, and doesn't
work for new, XArray-only functionality.
This release added dedicated XArray helpers like xa_load() and xa_for_each().
s390x Support
Sven Schnelle contributed s390x support for Linux kernel modules and stack traces. This is
the state of architecture support in this release:
drgn 0.0.22 Architecture Support
┌─────────────┬─────────────────────┬──────────────┬─────────────────────┐
│Architecture │ Linux Kernel │ Stack Traces │ Virtual Address │
│ │ Modules │ │ Translation │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│x86-64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│AArch64 │ ✓ │ ✓ │ ✓ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│ppc64 │ ✓ │ ✓ │ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│s390x │ ✓ │ ✓ │ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│i386 │ ✓ │ │ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│Arm │ ✓ │ │ │
├─────────────┼─────────────────────┼──────────────┼─────────────────────┤
│RISC-V │ ✓ │ │ │
└─────────────┴─────────────────────┴──────────────┴─────────────────────┘
Relicensing to LGPL
drgn was originally licensed as GPLv3+. In this release, it was changed to LGPLv2.1+. The
motivation for this change was to enable the long term vision for drgn that more projects
can use it as a library providing programmatic interfaces for debugger functionality. For
example, Object Introspection, a userspace memory profiler recently open sourced by Meta,
uses drgn to parse debugging information.
AUTHOR
Omar Sandoval
COPYRIGHT
Omar Sandoval