System.map文件和/proc/kallsyms
System.map
该文件是是一份内核符号表kernel symbol table,包含了内核中的变量名和函数名地址,在每次编译内核时,自动生成。
相关资料:
GNU Binutils wiki
GNU Binutils
What Are Symbols?
System.map文件格式:地址 类型 符号
类型是小写表示local symbol,大写表示global(external)
重点了解几个类型:
T The symbol is in the text(code) section
D The symbol is in the initialized data section
R The sysbol is in a read only data section
t static
d static
R const
r static const
使用nm命令可以查看更多信息:
nm - list symbols from object files
| 类型 | 说明 |
|---|---|
| A | The symbol’s value is absolute, and will not be changed by further linking |
| B b | The symbol is in the uninitialized data section(known as BS |
| C | The symbol is common. Common symbols are uninitialized data. When linking, multiple common symbols may appear with the same name. If the symbol is defined anywhere, the common symbols are treated as undefined references. |
| D d | The symbol is in the initialized data section. |
| G g | The symbol is in an initialized data section for small objects. Some object file formats permit more efficient access to small data objects, such as a global int variable as opposed to a large global array. |
| i | For PE format files this indicates that the symbol is in a section specific to the implementation of DLLs. For ELF format files this indicates that the symbol is an indirect function. This is a GNU extension to the standard set of ELF symbol types. It indicates a symbol which if referenced by a relocation does not evaluate to its address, but instead must be invoked at runtime. The runtime execution will then return the value to be used in the relocation. |
| N | The symbol is a debugging symbol. |
| p | The symbols is in a stack unwind section. |
| R r | The symbol is in a read only data section. |
| S s | The symbol is in an uninitialized data section for small objects. |
| T t | The symbol is in the text (code) section. |
| U | The symbol is undefined. |
| u | The symbol is a unique global symbol. This is a GNU extension to the standard set of ELF symbol bindings. For such a symbol the dynamic linker will make sure that in the entire process there is just one symbol with this name and type in use. |
| V v | The symbol is a weak object. When a weak defined symbol is linked with a normal defined symbol, the normal defined symbol is used with no error. When a weak undefined symbol is linked and the symbol is not defined, the value of the weak symbol becomes zero with no error. On some systems, uppercase indicates that a default value has been specified. |
| W w | The symbol is a weak symbol that has not been specifically tagged as a weak object symbol. When a weak defined symbol is linked with a normal defined symbol, the normal defined symbol is used with no error. When a weak undefined symbol is linked and the symbol is not defined, the value of the symbol is determined in a system-specific manner without error. On some systems, uppercase indicates that a default value has been specified. |
| - | The symbol is a stabs symbol in an a.out object file. In this case, the next values printed are the stabs other field, the stabs desc field, and the stab type. Stabs symbols are used to hold debugging information. |
| ? | The symbol type is unknown, or object file format specific. |
/proc/kallsysms
/proc/kallsysms have symbols of dynamically loaded modules as well static code and system.map is symbol tables of only static code. kallsyms包含了
kernel image和动态加载模块的符号表,函数如果被编译器内联(inline)或优化掉,则它在/proc/kallsyms有可能找不到。
正在运行的内核可能和System.map不匹配,出现System.map does not match actual kernel,所以/proc/kallsyms才是参考的主要来源,我们应该通过/proc/kallsyms获得符号的地址。
/proc/kallsyms的形成过程为:
- /scripts/kallsyms.c 生成System.map
- /kernel/kallsyms.c 生成/proc/kallsyms
/scripts/kallsyms.c 解析vmlinux(.tmp_vmlinux)生成kallsyms.S(.tmp_kallsyms.S),然后内核编译过程中将kallsyms.S(内核符号表)编入内核镜像uImage
内核启动后./kernel/kallsyms.c解析uImage形成/proc/kallsyms
/proc/kallsyms包含了内核中的函数符号(包括没有EXPORT_SYMBOL)、全局变量(用EXPORT_SYMBOL导出的全局变量)
参考资料
/proc/kallsys
linux内核kallsyms机制分析
kptr_restrict for hiding kernel pointers
documentation for the sysctl files
获取Linux内核未导出符号的几种方式
kernel symbol marked with “T” in /proc/kallsyms is not exported