Debugging Linux Kernel with QEMU

Question

I was trying to study the debugging of kernel using QEMU. I tried initially and failed due to the fact that there was no virtual file system. The answers to this post suggests that there should be a virtual file system. But it doesn't talk about how to create virtual FS for kernel debugging and how to pass it over to the qemu. Can you help me out?

This blog post describes the use of QEMU to debug the OpenBSD kernel but could still be helpful, just replace the OpenBSD-specific parts with the Linux ones. (The author uses a complete system image to debug the kernel; he doesn't just use a kernel only.) What exactly is the step you're stuck with? — sr_, Jan 13 '13 at 09:49
@sr_ Kernel Panic happens. And the warning says:- Unable to mount root fs on unknown-block(0,0). — PaulDaviesC, Jan 13 '13 at 10:05
Try using a minimal filesystem (i.e. try debugging the kernel in its normal environment). What bug is it you're trying to get rid of? (A panic caused by no root file system doesn't quite qualify as a bug (unless what you're trying to do revolves around initrd)) — sr_, Jan 13 '13 at 10:09
I know that does not relate to bug. I am experimenting and not trying to get rid of any bugs as of now :) — PaulDaviesC, Jan 13 '13 at 10:23
Here is a way mentioned to debug the Linux kernel using qemu. — user31986, Jan 08 '16 at 10:20

score 3 · Answer 1 · edited Apr 16 '18 at 13:41

QEMU + GDB step-by-step procedure tested on Ubuntu 16.10 host

To get started from scratch quickly I've made a minimal fully automated QEMU + Buildroot example at: https://github.com/cirosantilli/linux-kernel-module-cheat Major steps are covered below.

First get a root filesystem rootfs.cpio.gz. If you need one, consider:

a minimal init-only executable image: Custom Linux Distro that runs just one program, nothing else | Unix & Linux Stack Exchange
a Busybox interactive system: What is the smallest possible Linux implementation? | Unix & Linux Stack Exchange

Then on the Linux kernel:

git checkout v4.9
make mrproper
make x86_64_defconfig
cat <<EOF >.config-fragment
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_KERNEL=y
CONFIG_GDB_SCRIPTS=y
EOF
./scripts/kconfig/merge_config.sh .config .config-fragment
make -j"$(nproc)"
qemu-system-x86_64 -kernel arch/x86/boot/bzImage \
                   -initrd rootfs.cpio.gz -S -s

On another terminal, supposing you want to start debugging from start_kernel:

gdb \
    -ex "add-auto-load-safe-path $(pwd)" \
    -ex "file vmlinux" \
    -ex 'set arch i386:x86-64:intel' \
    -ex 'target remote localhost:1234' \
    -ex 'break start_kernel' \
    -ex 'continue' \
    -ex 'disconnect' \
    -ex 'set arch i386:x86-64' \
    -ex 'target remote localhost:1234'

and we are done!!

For kernel modules see: How to debug Linux kernel modules with QEMU? | Stack Overflow

For Ubuntu 14.04, GDB 7.7.1, hbreak was needed, break software breakpoints were ignored. Not the case anymore in 16.10. See also: https://bugs.launchpad.net/ubuntu/+source/qemu-kvm/+bug/901944

The messy disconnect and what come after it are to work around the error:

Remote 'g' packet reply is too long: 000000000000000017d11000008ef4810120008000000000fdfb8b07000000000d352828000000004040010000000000903fe081ffffffff883fe081ffffffff00000000000e0000ffffffffffe0ffffffffffff07ffffffffffffffff9fffff17d11000008ef4810000000000800000fffffffff8ffffffffff0000ffffffff2ddbf481ffffffff4600000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007f0300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000801f0000

Related threads:

https://sourceware.org/bugzilla/show_bug.cgi?id=13984 might be a GDB bug
gdb - Remote 'g' packet reply is too long | Stack Overflow
http://wiki.osdev.org/QEMU_and_GDB_in_long_mode osdev.org is as usual an awesome source for these problems
https://lists.nongnu.org/archive/html/qemu-discuss/2014-10/msg00069.html

See also:

https://github.com/torvalds/linux/blob/v4.9/Documentation/dev-tools/gdb-kernel-debugging.rst official Linux kernel "documentation"
How to debug the Linux kernel with GDB and QEMU? | Stack Overflow

Known limitations:

the Linux kernel does not support (and does not even compile without patches) with -O0: How to de-optimize the Linux kernel to and compile it with -O0? | Stack Overflow
GDB 7.11 will blow your memory on some types of tab completion, even after the max-completions fix: Tab completion interrupt for large binaries | Stack Overflow Likely some corner case which was not covered in that patch. So an ulimit -Sv 500000 is a wise action before debugging. Blew up specifically when I tab completed file<tab> for the filename argument of sys_execve as in: Can the sys_execve() system call in the Linux kernel receive both absolute or relative paths? | Stack Overflow

Wow....so detailed. I admired you, and really appreciated it....should go into a blog sir. — Peter Teoh, Aug 12 '17 at 11:43

score 3 · Accepted Answer · edited Apr 13 '17 at 12:36

3

Depending on the distribution you'd like to use, there are various ways to create a file system image, e.g. this article walks you through the laborious way to a "Linux from Scratch" system.

In general, you'd either create a QEMU image using qemu-img, fetch some distribution's installation media and use QEMU with the installation medium to prepare the image (this page explains the process for Debian GNU/Linux) or use an image prepared by someone else.

This section of the QEMU Wikibook contains all the information you need.

Edit: As Gilles' answer to the linked question suggests, you don't need a full-blown root file system for testing, you could just use an initrd image (say, Arch Linux's initrd like here)

edited Apr 13 '17 at 12:36

Community

1

answered Jan 13 '13 at 10:18

sr_

15,384

I have made a debian image. Now how will I choose initrd image for that? In other words, which file will I choose as initrd? – PaulDaviesC Jan 14 '13 at 17:26
@sr_ I am using ubuntu 12.04.1 how could I get qemu-img? – Coder404 Jan 20 '13 at 21:31
packages.ubuntu.com lets you search for package contents ⇒ qemu-utils – sr_ Jan 21 '13 at 07:49
@sr_ is qemu-utils the modern day version of qemu-img? – Coder404 Feb 02 '13 at 00:05
qemu-img is one of the tools in qemu-utils – sr_ Feb 02 '13 at 09:31

Debugging Linux Kernel with QEMU

2 Answers2