1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 *
25 * Copyright 2018 Joyent, Inc.
26 */
27
28/*
29 * Kernel Process View Target
30 *
31 * The kproc target is activated when the user is debugging a kernel using the
32 * kvm target and executes a ::context dcmd to change the debugger view to one
33 * of the running processes.  The kvm target's t_setcontext operation will
34 * create and activate a kproc target in response to this call.  The kproc
35 * target itself is built upon the kvm target's libkvm cookie and the ability
36 * to read information from the kernel itself and the ability to read the
37 * address space of a particular user process with kvm_aread().  It also relies
38 * on a special set of functions provided by the kvm target's mdb_ks support
39 * module in order to bootstrap: specifically, given the initial proc pointer,
40 * mdb_ks provides functions to return the set of address space mappings, the
41 * address space pointer itself, the aux vector vector saved in the u-area,
42 * and the process data model.  The kproc target maintains a list of address
43 * space mappings (kp_map_t) and load objects (kp_file_t), and for each load
44 * object will attempt to read the corresponding dynamic symbol table.  In
45 * order to bootstrap, the target uses the AT_BASE and AT_ENTRY aux vector
46 * elements to locate the dynamic linker and executable mappings.  With these
47 * mappings in place, we initialize a librtld_db agent on the target (see
48 * mdb_pservice.c for how this is done), and then process each load object
49 * found in the link-map chain.  In order to simplify the construction of
50 * symbol tables for each load object, we would like make use of our existing
51 * library of GElf processing code.  Since the MDB GElf code uses mdb_io
52 * objects to read in an ELF file, we simply define a new type of mdb_io object
53 * where each read operation is translated into a call to kproc's t_vread
54 * function to read from the range of the address space defined by the mapping
55 * as if it were a file.
56 */
57
58#include <sys/types.h>
59#include <sys/proc.h>
60#include <sys/auxv.h>
61
62#include <strings.h>
63#include <limits.h>
64#include <rtld_db.h>
65#include <procfs.h>
66#include <dlfcn.h>
67#include <kvm.h>
68
69#include <mdb/mdb_target_impl.h>
70#include <mdb/mdb_debug.h>
71#include <mdb/mdb_string.h>
72#include <mdb/mdb_err.h>
73#include <mdb/mdb_ks.h>
74#include <mdb/mdb_gelf.h>
75#include <mdb/mdb_io_impl.h>
76#include <mdb/mdb.h>
77
78typedef struct kp_symarg {
79	mdb_tgt_sym_f *sym_cb;		/* Caller's callback function */
80	void *sym_data;			/* Callback function argument */
81	uint_t sym_type;		/* Symbol type/binding filter */
82	uintptr_t sym_adjust;		/* Symbol value adjustment */
83	mdb_syminfo_t sym_info;		/* Symbol id and table id */
84	const char *sym_obj;		/* Containing object */
85} kp_symarg_t;
86
87typedef struct kp_file {
88	mdb_gelf_file_t *kpf_file;	/* ELF file object */
89	mdb_io_t *kpf_fio;		/* ELF file back-end */
90	mdb_gelf_symtab_t *kpf_dynsym;	/* Dynamic symbol table */
91	struct kp_map *kpf_map;		/* Primary (text) mapping */
92	const char *kpf_basename;	/* Mapping basename */
93	uintptr_t kpf_dyn_base;		/* Load address for ET_DYN files */
94	uintptr_t kpf_text_base;	/* Base address of text mapping */
95	uintptr_t kpf_data_base;	/* Base address of data mapping */
96	struct kp_file *kpf_next;	/* Pointer to next file */
97} kp_file_t;
98
99typedef struct kp_map {
100	mdb_map_t kpm_map;		/* Mapping information */
101	kp_file_t *kpm_file;		/* Pointer to load object */
102	struct kp_map *kpm_next;	/* Pointer to next mapping */
103} kp_map_t;
104
105typedef struct kp_io {
106	mdb_tgt_t *kpi_tgt;		/* Backpointer to kproc target */
107	kp_map_t *kpi_map;		/* Mapping for this i/o */
108	uintptr_t kpi_ptr;		/* Virtual address pointer */
109	uintptr_t kpi_lim;		/* Virtual address limit */
110} kp_io_t;
111
112typedef struct kp_data {
113	mdb_tgt_t *kp_parent;		/* Parent kvm target */
114	kvm_t *kp_cookie;		/* Cookie for libkvm routines */
115	rd_agent_t *kp_rap;		/* Cookie for librtld_db routines */
116	proc_t *kp_proc;		/* Proc address in dump */
117	struct as *kp_as;		/* Proc as address in dump */
118	pid_t kp_pid;			/* Process ID */
119	auxv_t *kp_auxv;		/* Auxv array from u-area */
120	int kp_nauxv;			/* Length of kp_auxv */
121	const char *kp_platform;	/* Platform string from kvm target */
122	uint_t kp_model;		/* Process data model */
123	kp_file_t *kp_file_head;	/* Head of load object list */
124	kp_file_t *kp_file_tail;	/* Tail of load object list */
125	kp_map_t *kp_map_head;		/* Head of mapping list */
126	kp_map_t *kp_map_tail;		/* Tail of mapping list */
127	int kp_num_files;		/* Length of load object list */
128	int kp_num_maps;		/* Length of mapping list */
129	kp_map_t *kp_map_exec;		/* Executable mapping */
130	kp_map_t *kp_map_ldso;		/* Interpreter mapping */
131	kp_file_t kp_prfile;		/* Fake file for mdb.m_prsym */
132} kp_data_t;
133
134static mdb_io_t *kp_io_create(mdb_tgt_t *, kp_map_t *);
135
136static kp_map_t *
137kp_addr_to_kpmap(kp_data_t *kp, uintptr_t addr)
138{
139	kp_map_t *kpm;
140
141	for (kpm = kp->kp_map_head; kpm != NULL; kpm = kpm->kpm_next) {
142		if (addr >= kpm->kpm_map.map_base &&
143		    addr < kpm->kpm_map.map_base + kpm->kpm_map.map_size)
144			return (kpm);
145	}
146
147	return (NULL);
148}
149
150static long
151kp_getauxval(kp_data_t *kp, int type)
152{
153	auxv_t *auxp;
154
155	for (auxp = kp->kp_auxv; auxp->a_type != AT_NULL; auxp++) {
156		if (auxp->a_type == type)
157			return (auxp->a_un.a_val);
158	}
159
160	return (-1L);
161}
162
163static void
164kp_add_mapping(const mdb_map_t *pmp, void *data)
165{
166	kp_map_t *kpm = mdb_zalloc(sizeof (kp_map_t), UM_SLEEP);
167	kp_data_t *kp = data;
168
169	bcopy(pmp, &kpm->kpm_map, sizeof (mdb_map_t));
170
171	if (kp->kp_map_tail != NULL)
172		kp->kp_map_tail->kpm_next = kpm;
173	else
174		kp->kp_map_head = kpm;
175
176	kp->kp_map_tail = kpm;
177	kp->kp_num_maps++;
178}
179
180static kp_file_t *
181kp_file_create(mdb_tgt_t *t, kp_map_t *kpm, GElf_Half etype)
182{
183	kp_file_t *kpf = mdb_zalloc(sizeof (kp_file_t), UM_SLEEP);
184	kp_data_t *kp = t->t_data;
185	size_t dyns_sz;
186	void *dyns;
187
188	kpf->kpf_fio = kp_io_create(t, kpm);
189	kpf->kpf_map = kpm;
190	kpf->kpf_basename = strbasename(kpm->kpm_map.map_name);
191	kpf->kpf_file = mdb_gelf_create(kpf->kpf_fio, etype, GF_PROGRAM);
192	kpf->kpf_text_base = kpm->kpm_map.map_base;
193
194	if (kpm != kp->kp_map_exec)
195		kpf->kpf_dyn_base = kpf->kpf_text_base;
196
197	if (kpf->kpf_file == NULL)
198		goto err; /* Failed to create ELF file */
199
200	mdb_dprintf(MDB_DBG_TGT, "loading symbols for %s\n",
201	    kpm->kpm_map.map_name);
202
203	if ((kp->kp_rap != NULL) && (rd_get_dyns(kp->kp_rap,
204	    kpf->kpf_text_base, &dyns, &dyns_sz) == RD_OK))
205		mdb_gelf_dyns_set(kpf->kpf_file, dyns, dyns_sz);
206
207	kpf->kpf_dynsym = mdb_gelf_symtab_create_dynamic(kpf->kpf_file,
208	    MDB_TGT_DYNSYM);
209
210	if (kpf->kpf_dynsym == NULL)
211		goto err; /* Failed to create symbol table */
212
213	kpm->kpm_file = kpf;
214
215	if (kp->kp_file_tail != NULL)
216		kp->kp_file_tail->kpf_next = kpf;
217	else
218		kp->kp_file_head = kpf;
219
220	kp->kp_file_tail = kpf;
221	kp->kp_num_files++;
222
223	return (kpf);
224
225err:
226	if (kpf->kpf_file != NULL)
227		mdb_gelf_destroy(kpf->kpf_file);
228	else
229		mdb_io_destroy(kpf->kpf_fio);
230	mdb_free(kpf, sizeof (kp_file_t));
231	return (NULL);
232}
233
234static void
235kp_file_destroy(kp_file_t *kpf)
236{
237	if (kpf->kpf_dynsym != NULL)
238		mdb_gelf_symtab_destroy(kpf->kpf_dynsym);
239
240	mdb_gelf_destroy(kpf->kpf_file);
241	mdb_free(kpf, sizeof (kp_file_t));
242}
243
244static int
245kp_setcontext(mdb_tgt_t *t, void *context)
246{
247	kp_data_t *kp = t->t_data;
248
249	if (kp->kp_proc != context) {
250		mdb_tgt_destroy(t);
251		return (mdb_tgt_setcontext(mdb.m_target, context));
252	}
253
254	mdb_warn("debugger context is already set to proc %p\n", context);
255	return (0);
256}
257
258static kp_map_t *
259kp_find_data(kp_data_t *kp, kp_file_t *kpf, const rd_loadobj_t *rlp)
260{
261	GElf_Phdr *gpp = kpf->kpf_file->gf_phdrs;
262	size_t i, n = kpf->kpf_file->gf_npload;
263
264	/*
265	 * Find the first loadable, writeable Phdr and compute kpf_data_base
266	 * as the virtual address at which is was loaded.
267	 */
268	for (i = 0; i < n; i++, gpp++) {
269		if (gpp->p_type == PT_LOAD && (gpp->p_flags & PF_W)) {
270			kpf->kpf_data_base = gpp->p_vaddr;
271			if (kpf->kpf_map != kp->kp_map_exec)
272				kpf->kpf_data_base += rlp->rl_base;
273			break;
274		}
275	}
276
277	/*
278	 * If we found a suitable Phdr and set kpf_data_base, return
279	 * the mapping information for this address; otherwise fail.
280	 */
281	if (kpf->kpf_data_base != 0)
282		return (kp_addr_to_kpmap(kp, kpf->kpf_data_base));
283
284	return (NULL);
285}
286
287static int
288kp_iter_mapping(const rd_loadobj_t *rlp, mdb_tgt_t *t)
289{
290	kp_data_t *kp = t->t_data;
291	kp_file_t *kpf;
292	kp_map_t *kpm;
293
294	char name[MDB_TGT_MAPSZ];
295
296	if (mdb_tgt_readstr(t, MDB_TGT_AS_VIRT, name,
297	    sizeof (name), (mdb_tgt_addr_t)rlp->rl_nameaddr) <= 0) {
298		mdb_dprintf(MDB_DBG_TGT, "failed to read name %p",
299		    (void *)rlp->rl_nameaddr);
300		return (1); /* Keep going; forget this if we can't read name */
301	}
302
303	mdb_dprintf(MDB_DBG_TGT, "rd_loadobj name = \"%s\" rl_base = %p\n",
304	    name, (void *)rlp->rl_base);
305
306	if ((kpm = kp_addr_to_kpmap(kp, rlp->rl_base)) == NULL)
307		return (1); /* Keep going; no mapping at this address */
308
309	(void) strncpy(kpm->kpm_map.map_name, name, MDB_TGT_MAPSZ);
310	kpm->kpm_map.map_name[MDB_TGT_MAPSZ - 1] = '\0';
311
312	if ((kpf = kpm->kpm_file) == NULL) {
313		if (kpm == kp->kp_map_exec)
314			kpf = kp_file_create(t, kpm, ET_EXEC);
315		else
316			kpf = kp_file_create(t, kpm, ET_DYN);
317
318		if (kpf == NULL)
319			return (1); /* Keep going; failed to build ELF file */
320	} else
321		kpf->kpf_basename = strbasename(kpm->kpm_map.map_name);
322
323	if ((kpm = kp_find_data(kp, kpf, rlp)) != NULL) {
324		mdb_dprintf(MDB_DBG_TGT, "found data for %s at %p\n",
325		    kpf->kpf_basename, (void *)kpm->kpm_map.map_base);
326		kpm->kpm_file = kpf;
327	}
328
329	return (1);
330}
331
332/*ARGSUSED*/
333static int
334kp_status_dcmd(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
335{
336	kp_data_t *kp = mdb.m_target->t_data;
337
338	mdb_printf("debugging PID %d (%d-bit) in kernel crash dump\n",
339	    kp->kp_pid, kp->kp_model == PR_MODEL_ILP32 ? 32 : 64);
340
341	if (kp->kp_map_exec != NULL) {
342		mdb_printf("executable file: %s\n",
343		    kp->kp_map_exec->kpm_map.map_name);
344	}
345
346	return (DCMD_OK);
347}
348
349static const mdb_dcmd_t kp_dcmds[] = {
350	{ "status", NULL, "print summary of current target", kp_status_dcmd },
351	{ NULL }
352};
353
354static void
355kp_activate(mdb_tgt_t *t)
356{
357	kp_data_t *kp = t->t_data;
358
359	mdb_prop_postmortem = TRUE;
360	mdb_prop_kernel = FALSE;
361
362	if (kp->kp_model == PR_MODEL_ILP32)
363		mdb_prop_datamodel = MDB_TGT_MODEL_ILP32;
364	else
365		mdb_prop_datamodel = MDB_TGT_MODEL_LP64;
366
367	/*
368	 * Initialize our rtld_db agent and then iterate over the link map,
369	 * instantiating kp_file objects as we go.
370	 */
371	if ((kp->kp_rap = rd_new((struct ps_prochandle *)t)) != NULL) {
372		(void) rd_loadobj_iter(kp->kp_rap, (rl_iter_f *)
373		    kp_iter_mapping, t);
374	} else {
375		mdb_warn("unable to initialize rtld_db agent for proc %p\n",
376		    (void *)kp->kp_proc);
377	}
378
379	(void) mdb_tgt_register_dcmds(t, &kp_dcmds[0], MDB_MOD_FORCE);
380
381	if (kp->kp_map_exec != NULL && kp->kp_map_exec->kpm_file != NULL)
382		mdb_tgt_elf_export(kp->kp_map_exec->kpm_file->kpf_file);
383	else
384		mdb_tgt_elf_export(NULL);
385}
386
387static void
388kp_deactivate(mdb_tgt_t *t)
389{
390	const mdb_dcmd_t *dcp;
391
392	for (dcp = &kp_dcmds[0]; dcp->dc_name != NULL; dcp++) {
393		if (mdb_module_remove_dcmd(t->t_module, dcp->dc_name) == -1)
394			warn("failed to remove dcmd %s", dcp->dc_name);
395	}
396
397	mdb_prop_postmortem = FALSE;
398	mdb_prop_kernel = FALSE;
399	mdb_prop_datamodel = MDB_TGT_MODEL_UNKNOWN;
400}
401
402static void
403kp_destroy(mdb_tgt_t *t)
404{
405	kp_data_t *kp = t->t_data;
406	kp_map_t *kpm, *nkpm;
407	kp_file_t *kpf, *nkpf;
408
409	if (kp->kp_rap != NULL)
410		rd_delete(kp->kp_rap);
411
412	for (kpm = kp->kp_map_head; kpm != NULL; kpm = nkpm) {
413		nkpm = kpm->kpm_next;
414		mdb_free(kpm, sizeof (kp_map_t));
415	}
416
417	for (kpf = kp->kp_file_head; kpf != NULL; kpf = nkpf) {
418		nkpf = kpf->kpf_next;
419		kp_file_destroy(kpf);
420	}
421
422	mdb_free(kp->kp_auxv, kp->kp_nauxv * sizeof (auxv_t));
423	mdb_free(kp, sizeof (kp_data_t));
424}
425
426/*ARGSUSED*/
427static const char *
428kp_name(mdb_tgt_t *t)
429{
430	return ("kproc");
431}
432
433static const char *
434kp_isa(mdb_tgt_t *t)
435{
436	kp_data_t *kp = t->t_data;
437#ifdef __sparc
438	return (kp->kp_model == PR_MODEL_ILP32 ? "sparc" : "sparcv9");
439#else
440	return (kp->kp_model == PR_MODEL_ILP32 ? "i386" : "amd64");
441#endif
442}
443
444static const char *
445kp_platform(mdb_tgt_t *t)
446{
447	return (((kp_data_t *)t->t_data)->kp_platform);
448}
449
450static int
451kp_uname(mdb_tgt_t *t, struct utsname *utsp)
452{
453	kp_data_t *kp = t->t_data;
454	return (mdb_tgt_uname(kp->kp_parent, utsp));
455}
456
457static int
458kp_dmodel(mdb_tgt_t *t)
459{
460	kp_data_t *kp = t->t_data;
461
462	switch (kp->kp_model) {
463	case PR_MODEL_ILP32:
464		return (MDB_TGT_MODEL_ILP32);
465	case PR_MODEL_LP64:
466		return (MDB_TGT_MODEL_LP64);
467	}
468
469	return (MDB_TGT_MODEL_UNKNOWN);
470}
471
472static kp_map_t *
473kp_name_to_kpmap(kp_data_t *kp, const char *name)
474{
475	size_t namelen;
476	kp_file_t *kpf;
477	kp_map_t *kpm;
478
479	/*
480	 * Handle special reserved names (except for MDB_TGT_OBJ_EVERY):
481	 */
482	if (name == MDB_TGT_OBJ_EXEC)
483		return (kp->kp_map_exec);
484
485	if (name == MDB_TGT_OBJ_RTLD)
486		return (kp->kp_map_ldso);
487
488	/*
489	 * First pass: look for exact matches on the entire pathname
490	 * associated with the mapping or its basename.
491	 */
492	for (kpm = kp->kp_map_head; kpm != NULL; kpm = kpm->kpm_next) {
493		if ((kpf = kpm->kpm_file) != NULL) {
494			if (strcmp(kpm->kpm_map.map_name, name) == 0 ||
495			    strcmp(kpf->kpf_basename, name) == 0)
496				return (kpf->kpf_map);
497		}
498	}
499
500	namelen = strlen(name);
501
502	/*
503	 * Second pass: look for partial matches (initial basename match
504	 * up to a '.' suffix); allows "libc.so" or "libc" to match "libc.so.1"
505	 */
506	for (kpm = kp->kp_map_head; kpm != NULL; kpm = kpm->kpm_next) {
507		if ((kpf = kpm->kpm_file) != NULL) {
508			if (strncmp(kpf->kpf_basename, name, namelen) == 0 &&
509			    kpf->kpf_basename[namelen] == '.')
510				return (kpf->kpf_map);
511		}
512	}
513
514	/*
515	 * One last check: we allow "a.out" to always alias the executable,
516	 * assuming this name was not in use for something else.
517	 */
518	if (strcmp(name, "a.out") == 0)
519		return (kp->kp_map_exec);
520
521	return (NULL);
522}
523
524
525static ssize_t
526kp_vread(mdb_tgt_t *t, void *buf, size_t nbytes, uintptr_t addr)
527{
528	kp_data_t *kp = t->t_data;
529	ssize_t n = kvm_aread(kp->kp_cookie, addr, buf, nbytes, kp->kp_as);
530
531	if (n == -1)
532		return (set_errno(EMDB_NOMAP));
533
534	return (n);
535}
536
537static ssize_t
538kp_vwrite(mdb_tgt_t *t, const void *buf, size_t nbytes, uintptr_t addr)
539{
540	kp_data_t *kp = t->t_data;
541	ssize_t n = kvm_awrite(kp->kp_cookie, addr, buf, nbytes, kp->kp_as);
542
543	if (n == -1)
544		return (set_errno(EMDB_NOMAP));
545
546	return (n);
547}
548
549
550int
551kp_vtop(mdb_tgt_t *t, mdb_tgt_as_t as, uintptr_t va, physaddr_t *pap)
552{
553	kp_data_t *kp = t->t_data;
554	physaddr_t pa;
555
556	if (as != MDB_TGT_AS_VIRT && as != MDB_TGT_AS_VIRT_I &&
557	    as != MDB_TGT_AS_VIRT_S)
558		return (set_errno(EINVAL));
559
560	if ((pa = kvm_physaddr(kp->kp_cookie, kp->kp_as, va)) != -1ULL) {
561		*pap = pa;
562		return (0);
563	}
564
565	return (set_errno(EMDB_NOMAP));
566}
567
568static int
569kp_lookup_by_name(mdb_tgt_t *t, const char *object,
570    const char *name, GElf_Sym *symp, mdb_syminfo_t *sip)
571{
572	kp_data_t *kp = t->t_data;
573	kp_file_t *kpf;
574	int n;
575
576	GElf_Sym sym;
577	uint_t symid;
578	int rv = -1;
579
580	/*
581	 * Simplify our task: if object is EVERY, then we need to search
582	 * kp_num_files files beginning at kp_file_head; otherwise we are
583	 * searching 1 file whose file pointer is obtained via object_to_map.
584	 */
585	if (object != MDB_TGT_OBJ_EVERY) {
586		kp_map_t *kpm = kp_name_to_kpmap(kp, object);
587		if (kpm == NULL || kpm->kpm_file == NULL)
588			return (set_errno(EMDB_NOOBJ));
589		kpf = kpm->kpm_file;
590		n = 1;
591	} else {
592		kpf = kp->kp_file_head;
593		n = kp->kp_num_files;
594	}
595
596	/*
597	 * Iterate through the load object files and look for the symbol name
598	 * in the .dynsym of each.  If we encounter a match with SHN_UNDEF,
599	 * keep looking in hopes of finding a better match.  This means that
600	 * a name such as "puts" will match the puts function in libc instead
601	 * of matching the puts PLT entry in the a.out file.
602	 */
603	for (; n > 0; n--, kpf = kpf->kpf_next) {
604		if (kpf->kpf_dynsym == NULL)
605			continue; /* No symbols for this file */
606
607		if (mdb_gelf_symtab_lookup_by_name(kpf->kpf_dynsym,
608		    name, symp, &sip->sym_id) != 0)
609			continue; /* Symbol name not found */
610
611		symp->st_value += kpf->kpf_dyn_base;
612
613		if (symp->st_shndx != SHN_UNDEF) {
614			sip->sym_table = MDB_TGT_DYNSYM;
615			return (0);
616		}
617
618		if (rv != 0) {
619			sym = *symp;
620			symid = sip->sym_id;
621			rv = 0;
622		}
623	}
624
625	if (rv != 0)
626		return (set_errno(EMDB_NOSYM));
627
628	sip->sym_table = MDB_TGT_DYNSYM;
629	sip->sym_id = symid;
630	*symp = sym;
631
632	return (0);
633}
634
635static int
636kp_lookup_by_addr(mdb_tgt_t *t, uintptr_t addr, uint_t flags,
637    char *buf, size_t nbytes, GElf_Sym *symp, mdb_syminfo_t *sip)
638{
639	kp_data_t *kp = t->t_data;
640	kp_map_t *kpm = kp_addr_to_kpmap(kp, addr);
641
642	kp_file_t *sym_kpf = NULL;
643	GElf_Sym sym;
644	uint_t symid;
645
646	const char *name;
647	kp_file_t *kpf;
648	int n;
649
650	/*
651	 * Check the user's private symbol table first; if a match is
652	 * found there, we're done or we have a first guess.
653	 */
654	if (mdb_gelf_symtab_lookup_by_addr(mdb.m_prsym,
655	    addr, flags, buf, nbytes, symp, &sip->sym_id) == 0) {
656		sym_kpf = &kp->kp_prfile;
657		if (flags & MDB_TGT_SYM_EXACT)
658			goto found;
659		sym = *symp;
660		symid = sip->sym_id;
661	}
662
663	/*
664	 * If no mapping contains the address and EXACT mode is set, we're done.
665	 * Otherwise we need to search all the symbol tables in fuzzy mode.
666	 * If we find a mapping, then we only need to search that symtab.
667	 */
668	if (kpm == NULL || kpm->kpm_file == NULL) {
669		if (flags & MDB_TGT_SYM_EXACT)
670			return (set_errno(EMDB_NOSYMADDR));
671		kpf = kp->kp_file_head;
672		n = kp->kp_num_files;
673	} else {
674		kpf = kpm->kpm_file;
675		n = 1;
676	}
677
678	/*
679	 * Iterate through our list of load objects, scanning each one which
680	 * has a symbol table.  In fuzzy mode, we continue looking and
681	 * improve our choice if we find a closer symbol.
682	 */
683	for (; n > 0; n--, kpf = kpf->kpf_next) {
684		if (kpf->kpf_dynsym == NULL)
685			continue; /* No symbols for this file */
686
687		if (mdb_gelf_symtab_lookup_by_addr(kpf->kpf_dynsym,
688		    addr - kpf->kpf_dyn_base, flags, buf, nbytes,
689		    symp, &sip->sym_id) != 0)
690			continue; /* No symbol for this address */
691
692		symp->st_value += kpf->kpf_dyn_base;
693
694		if (flags & MDB_TGT_SYM_EXACT) {
695			sym_kpf = kpf;
696			goto found;
697		}
698
699		if (sym_kpf == NULL || mdb_gelf_sym_closer(symp, &sym, addr)) {
700			sym_kpf = kpf;
701			sym = *symp;
702			symid = sip->sym_id;
703		}
704	}
705
706	if (sym_kpf == NULL)
707		return (set_errno(EMDB_NOSYMADDR));
708
709	*symp = sym;	/* Copy our best symbol into the caller's symbol */
710	sip->sym_id = symid;
711found:
712	/*
713	 * Once we've found something, copy the final name into the caller's
714	 * buffer and prefix it with the load object name if appropriate.
715	 */
716	name = mdb_gelf_sym_name(sym_kpf->kpf_dynsym, symp);
717
718	if (sym_kpf != kp->kp_map_exec->kpm_file && sym_kpf != &kp->kp_prfile) {
719		(void) mdb_snprintf(buf, nbytes, "%s`%s",
720		    sym_kpf->kpf_basename, name);
721	} else if (nbytes > 0) {
722		(void) strncpy(buf, name, nbytes);
723		buf[nbytes - 1] = '\0';
724	}
725
726	if (sym_kpf == &kp->kp_prfile)
727		sip->sym_table = MDB_TGT_PRVSYM;
728	else
729		sip->sym_table = MDB_TGT_DYNSYM;
730
731	return (0);
732}
733
734static int
735kp_symtab_func(void *data, const GElf_Sym *symp, const char *name, uint_t id)
736{
737	kp_symarg_t *argp = data;
738	if (mdb_tgt_sym_match(symp, argp->sym_type)) {
739		GElf_Sym sym = *symp;
740
741		sym.st_value += argp->sym_adjust;
742
743		argp->sym_info.sym_id = id;
744
745		return (argp->sym_cb(argp->sym_data, &sym, name,
746		    &argp->sym_info, argp->sym_obj));
747	}
748
749	return (0);
750}
751
752static void
753kp_symtab_iter(kp_file_t *kpf, uint_t type, const char *obj,
754    mdb_tgt_sym_f *cb, void *data)
755{
756	if (kpf->kpf_dynsym != NULL) {
757		kp_symarg_t arg;
758
759		arg.sym_cb = cb;
760		arg.sym_data = data;
761		arg.sym_type = type;
762		arg.sym_adjust = kpf->kpf_dyn_base;
763		arg.sym_info.sym_table = kpf->kpf_dynsym->gst_tabid;
764		arg.sym_obj = obj;
765
766		mdb_gelf_symtab_iter(kpf->kpf_dynsym, kp_symtab_func, &arg);
767	}
768}
769
770/*ARGSUSED*/
771static int
772kp_symbol_iter(mdb_tgt_t *t, const char *object, uint_t which,
773    uint_t type, mdb_tgt_sym_f *func, void *private)
774{
775	kp_data_t *kp = t->t_data;
776	kp_file_t *kpf = NULL;
777	kp_map_t *kpm;
778
779	switch ((uintptr_t)object) {
780	case (uintptr_t)MDB_TGT_OBJ_EVERY:
781		if (kp->kp_map_exec && kp->kp_map_exec->kpm_file) {
782			kpf = kp->kp_map_exec->kpm_file;
783			kp_symtab_iter(kpf, type, MDB_TGT_OBJ_EXEC, func,
784			    private);
785		}
786		if (kp->kp_map_ldso && kp->kp_map_ldso->kpm_file) {
787			kpf = kp->kp_map_ldso->kpm_file;
788			kp_symtab_iter(kpf, type, MDB_TGT_OBJ_RTLD, func,
789			    private);
790		}
791		return (0);
792
793	case (uintptr_t)MDB_TGT_OBJ_EXEC:
794		if (kp->kp_map_exec && kp->kp_map_exec->kpm_file)
795			kpf = kp->kp_map_exec->kpm_file;
796		break;
797
798	case (uintptr_t)MDB_TGT_OBJ_RTLD:
799		if (kp->kp_map_ldso && kp->kp_map_ldso->kpm_file)
800			kpf = kp->kp_map_ldso->kpm_file;
801		break;
802
803	default:
804		if ((kpm = kp_name_to_kpmap(kp, object)) != NULL) {
805			kpf = kpm->kpm_file;
806			break;
807		} else
808			return (set_errno(EMDB_NOOBJ));
809	}
810
811	if (kpf != NULL)
812		kp_symtab_iter(kpf, type, object, func, private);
813
814	return (0);
815}
816
817static int
818kp_mapping_iter(mdb_tgt_t *t, mdb_tgt_map_f *func, void *private)
819{
820	kp_data_t *kp = t->t_data;
821	kp_map_t *kpm;
822
823	for (kpm = kp->kp_map_head; kpm != NULL; kpm = kpm->kpm_next) {
824		if (func(private, &kpm->kpm_map, kpm->kpm_map.map_name) != 0)
825			break;
826	}
827
828	return (0);
829}
830
831static int
832kp_object_iter(mdb_tgt_t *t, mdb_tgt_map_f *func, void *private)
833{
834	kp_data_t *kp = t->t_data;
835	kp_file_t *kpf;
836
837	for (kpf = kp->kp_file_head; kpf != NULL; kpf = kpf->kpf_next) {
838		if (func(private, &kpf->kpf_map->kpm_map,
839		    kpf->kpf_map->kpm_map.map_name) != 0)
840			break;
841	}
842
843	return (0);
844}
845
846static const mdb_map_t *
847kp_addr_to_map(mdb_tgt_t *t, uintptr_t addr)
848{
849	kp_map_t *kpm = kp_addr_to_kpmap(t->t_data, addr);
850
851	if (kpm != NULL)
852		return (&kpm->kpm_map);
853
854	(void) set_errno(EMDB_NOMAP);
855	return (NULL);
856}
857
858static const mdb_map_t *
859kp_name_to_map(mdb_tgt_t *t, const char *name)
860{
861	kp_map_t *kpm = kp_name_to_kpmap(t->t_data, name);
862
863	if (kpm != NULL)
864		return (&kpm->kpm_map);
865
866	(void) set_errno(EMDB_NOOBJ);
867	return (NULL);
868}
869
870/*ARGSUSED*/
871static int
872kp_status(mdb_tgt_t *t, mdb_tgt_status_t *tsp)
873{
874	bzero(tsp, sizeof (mdb_tgt_status_t));
875	tsp->st_state = MDB_TGT_DEAD;
876	return (0);
877}
878
879static int
880kp_auxv(mdb_tgt_t *t, const auxv_t **auxvp)
881{
882	kp_data_t *kp = t->t_data;
883	*auxvp = kp->kp_auxv;
884	return (0);
885}
886
887static const mdb_tgt_ops_t kproc_ops = {
888	(int (*)())(uintptr_t) mdb_tgt_notsup,	/* t_setflags */
889	kp_setcontext,				/* t_setcontext */
890	kp_activate,				/* t_activate */
891	kp_deactivate,				/* t_deactivate */
892	(void (*)())(uintptr_t) mdb_tgt_nop,	/* t_periodic */
893	kp_destroy,				/* t_destroy */
894	kp_name,				/* t_name */
895	kp_isa,					/* t_isa */
896	kp_platform,				/* t_platform */
897	kp_uname,				/* t_uname */
898	kp_dmodel,				/* t_dmodel */
899	(ssize_t (*)()) mdb_tgt_notsup,		/* t_aread */
900	(ssize_t (*)()) mdb_tgt_notsup,		/* t_awrite */
901	kp_vread,				/* t_vread */
902	kp_vwrite,				/* t_vwrite */
903	(ssize_t (*)()) mdb_tgt_notsup,		/* t_pread */
904	(ssize_t (*)()) mdb_tgt_notsup,		/* t_pwrite */
905	(ssize_t (*)()) mdb_tgt_notsup,		/* t_fread */
906	(ssize_t (*)()) mdb_tgt_notsup,		/* t_fwrite */
907	(ssize_t (*)()) mdb_tgt_notsup,		/* t_ioread */
908	(ssize_t (*)()) mdb_tgt_notsup,		/* t_iowrite */
909	kp_vtop,				/* t_vtop */
910	kp_lookup_by_name,			/* t_lookup_by_name */
911	kp_lookup_by_addr,			/* t_lookup_by_addr */
912	kp_symbol_iter,				/* t_symbol_iter */
913	kp_mapping_iter,			/* t_mapping_iter */
914	kp_object_iter,				/* t_object_iter */
915	kp_addr_to_map,				/* t_addr_to_map */
916	kp_name_to_map,				/* t_name_to_map */
917	(struct ctf_file *(*)()) mdb_tgt_null,	/* t_addr_to_ctf */
918	(struct ctf_file *(*)()) mdb_tgt_null,	/* t_name_to_ctf */
919	kp_status,				/* t_status */
920	(int (*)())(uintptr_t) mdb_tgt_notsup,	/* t_run */
921	(int (*)())(uintptr_t) mdb_tgt_notsup,	/* t_step */
922	(int (*)())(uintptr_t) mdb_tgt_notsup,	/* t_step_out */
923	(int (*)())(uintptr_t) mdb_tgt_notsup,	/* t_next */
924	(int (*)())(uintptr_t) mdb_tgt_notsup,	/* t_cont */
925	(int (*)())(uintptr_t) mdb_tgt_notsup,	/* t_signal */
926	(int (*)())(uintptr_t) mdb_tgt_null,	/* t_add_sbrkpt */
927	(int (*)())(uintptr_t) mdb_tgt_null,	/* t_add_vbrkpt */
928	(int (*)())(uintptr_t) mdb_tgt_null,	/* t_add_pwapt */
929	(int (*)())(uintptr_t) mdb_tgt_null,	/* t_add_vwapt */
930	(int (*)())(uintptr_t) mdb_tgt_null,	/* t_add_iowapt */
931	(int (*)())(uintptr_t) mdb_tgt_null,	/* t_add_sysenter */
932	(int (*)())(uintptr_t) mdb_tgt_null,	/* t_add_sysexit */
933	(int (*)())(uintptr_t) mdb_tgt_null,	/* t_add_signal */
934	(int (*)())(uintptr_t) mdb_tgt_null,	/* t_add_fault */
935	(int (*)())(uintptr_t) mdb_tgt_notsup,	/* t_getareg XXX */
936	(int (*)())(uintptr_t) mdb_tgt_notsup,	/* t_putareg XXX */
937	(int (*)())(uintptr_t) mdb_tgt_notsup,	/* t_stack_iter XXX */
938	kp_auxv					/* t_auxv */
939};
940
941int
942mdb_kproc_tgt_create(mdb_tgt_t *t, int argc, const char *argv[])
943{
944	kp_data_t *kp = mdb_zalloc(sizeof (kp_data_t), UM_SLEEP);
945	void *proc = (void *)argv[0];
946	long at_entry, at_base;
947	GElf_Sym sym;
948
949	int (*f_asiter)(uintptr_t, void (*)(const mdb_map_t *, void *), void *);
950	int (*f_auxv)(uintptr_t, auxv_t *);
951	uintptr_t (*f_as)(uintptr_t);
952	uint_t (*f_model)(uintptr_t);
953	pid_t (*f_pid)(uintptr_t);
954
955	if (argc != 1)
956		return (set_errno(EINVAL));
957
958	t->t_flags &= ~MDB_TGT_F_RDWR;
959	t->t_data = kp;
960	t->t_ops = &kproc_ops;
961
962	f_asiter = (int (*)()) dlsym(RTLD_NEXT, "mdb_kproc_asiter");
963	f_auxv = (int (*)()) dlsym(RTLD_NEXT, "mdb_kproc_auxv");
964	f_as = (uintptr_t (*)()) dlsym(RTLD_NEXT, "mdb_kproc_as");
965	f_model = (model_t (*)()) dlsym(RTLD_NEXT, "mdb_kproc_model");
966	f_pid = (pid_t (*)()) dlsym(RTLD_NEXT, "mdb_kproc_pid");
967
968	if (f_asiter == NULL || f_auxv == NULL ||
969	    f_as == NULL || f_model == NULL || f_pid == NULL) {
970		warn("required kernel support module is not loaded\n");
971		goto err;
972	}
973
974	/*
975	 * Here the kproc target relies on the fact that at the time of its
976	 * instantiation, mdb.m_target is pointing at a kvm target, and
977	 * that the kvm target has stored its libkvm handle in t_pshandle.
978	 */
979	kp->kp_parent = mdb.m_target;
980	kp->kp_cookie = mdb.m_target->t_pshandle;
981	kp->kp_platform = mdb_tgt_platform(mdb.m_target);
982	kp->kp_proc = proc;
983	kp->kp_as = (struct as *)f_as((uintptr_t)proc);
984	kp->kp_pid = f_pid((uintptr_t)proc);
985
986	if (kp->kp_as == NULL) {
987		warn("failed to obtain address space for proc %p\n", proc);
988		goto err;
989	}
990
991	if (kp->kp_pid == -1) {
992		warn("failed to obtain PID for proc %p\n", proc);
993		goto err;
994	}
995
996	if (mdb_tgt_lookup_by_name(kp->kp_parent, MDB_TGT_OBJ_EXEC, "kas",
997	    &sym, NULL) == 0 && kp->kp_as ==
998	    (struct as *)(uintptr_t)sym.st_value) {
999		warn("specified process is a system process (no context)\n");
1000		goto err;
1001	}
1002
1003	if ((kp->kp_model = f_model((uintptr_t)proc)) == PR_MODEL_UNKNOWN) {
1004		warn("failed to obtain data model for proc %p\n", proc);
1005		goto err;
1006	}
1007
1008	if (f_asiter((uintptr_t)kp->kp_as, kp_add_mapping, kp) == -1) {
1009		warn("failed to load mappings for proc %p", proc);
1010		goto err;
1011	}
1012
1013	kp->kp_nauxv = f_auxv((uintptr_t)proc, NULL) + 1;
1014	kp->kp_auxv = mdb_alloc(sizeof (auxv_t) * kp->kp_nauxv, UM_SLEEP);
1015
1016	if (f_auxv((uintptr_t)proc, kp->kp_auxv) == -1) {
1017		warn("failed to load auxv for proc %p", proc);
1018		goto err;
1019	}
1020
1021	kp->kp_auxv[kp->kp_nauxv - 1].a_type = AT_NULL;
1022	kp->kp_auxv[kp->kp_nauxv - 1].a_un.a_val = 0;
1023
1024	if ((at_entry = kp_getauxval(kp, AT_ENTRY)) == -1L) {
1025		warn("auxv for proc %p is missing AT_ENTRY\n", proc);
1026		goto err;
1027	}
1028
1029	if ((at_base = kp_getauxval(kp, AT_BASE)) == -1L) {
1030		warn("auxv for proc %p is missing AT_BASE\n", proc);
1031		goto err;
1032	}
1033
1034	/*
1035	 * If we're applying kproc to a live kernel, we need to force libkvm
1036	 * to set the current process to the process in question so we can
1037	 * read from its address space.  If kvm_getproc returns NULL, the
1038	 * process may have gone away since our previous calls to mdb_ks.
1039	 */
1040	if (mdb_prop_postmortem == FALSE &&
1041	    kvm_getproc(kp->kp_cookie, kp->kp_pid) == NULL)
1042		warn("failed to attach to PID %d\n", (int)kp->kp_pid);
1043
1044	kp->kp_map_exec = kp_addr_to_kpmap(kp, at_entry);
1045	kp->kp_map_ldso = kp_addr_to_kpmap(kp, at_base);
1046
1047	(void) kp_file_create(t, kp->kp_map_exec, ET_EXEC);
1048	(void) kp_file_create(t, kp->kp_map_ldso, ET_DYN);
1049
1050	kp->kp_prfile.kpf_dynsym = mdb.m_prsym;
1051
1052	return (0);
1053
1054err:
1055	kp_destroy(t);
1056	return (-1);
1057}
1058
1059static ssize_t
1060kp_io_read(mdb_io_t *io, void *buf, size_t nbytes)
1061{
1062	kp_io_t *kpi = io->io_data;
1063	kp_data_t *kp = kpi->kpi_tgt->t_data;
1064
1065	kp_map_t *kpm = kp_addr_to_kpmap(kp, kpi->kpi_ptr);
1066	size_t left;
1067
1068	if (kpm != NULL) {
1069		const mdb_map_t *mp = &kpm->kpm_map;
1070		left = mp->map_base + mp->map_size - kpi->kpi_ptr;
1071	} else
1072		left = 0;
1073
1074	if (left != 0) {
1075		ssize_t rbytes = kp_vread(kpi->kpi_tgt,
1076		    buf, MIN(nbytes, left), kpi->kpi_ptr);
1077
1078		if (rbytes >= 0)
1079			kpi->kpi_ptr += rbytes;
1080
1081		return (rbytes);
1082	}
1083
1084	return (0); /* At end of segment or in hole; return EOF */
1085}
1086
1087static off64_t
1088kp_io_seek(mdb_io_t *io, off64_t offset, int whence)
1089{
1090	kp_io_t *kpi = io->io_data;
1091	const mdb_map_t *mp = &kpi->kpi_map->kpm_map;
1092	uintptr_t nptr;
1093
1094	if (io->io_next != NULL)
1095		return (IOP_SEEK(io->io_next, offset, whence));
1096
1097	switch (whence) {
1098	case SEEK_SET:
1099		nptr = mp->map_base + offset;
1100		break;
1101	case SEEK_CUR:
1102		nptr = kpi->kpi_ptr + offset;
1103		break;
1104	case SEEK_END:
1105		nptr = kpi->kpi_lim + offset;
1106		break;
1107	default:
1108		return (set_errno(EINVAL));
1109	}
1110
1111	if (nptr < mp->map_base || nptr >= kpi->kpi_lim)
1112		return (set_errno(EINVAL));
1113
1114	kpi->kpi_ptr = nptr;
1115	return ((off64_t)(nptr - mp->map_base));
1116}
1117
1118static void
1119kp_io_close(mdb_io_t *io)
1120{
1121	mdb_free(io->io_data, sizeof (kp_io_t));
1122}
1123
1124static const char *
1125kp_io_name(mdb_io_t *io)
1126{
1127	kp_io_t *kpi = io->io_data;
1128
1129	if (io->io_next != NULL)
1130		return (IOP_NAME(io->io_next));
1131
1132	return (kpi->kpi_map->kpm_map.map_name);
1133}
1134
1135static const mdb_io_ops_t kp_io_ops = {
1136	kp_io_read,
1137	no_io_write,
1138	kp_io_seek,
1139	no_io_ctl,
1140	kp_io_close,
1141	kp_io_name,
1142	no_io_link,
1143	no_io_unlink,
1144	no_io_setattr,
1145	no_io_suspend,
1146	no_io_resume
1147};
1148
1149static mdb_io_t *
1150kp_io_create(mdb_tgt_t *t, kp_map_t *kpm)
1151{
1152	kp_data_t *kp = t->t_data;
1153	mdb_map_t *mp = &kp->kp_map_tail->kpm_map;
1154
1155	mdb_io_t *io = mdb_alloc(sizeof (mdb_io_t), UM_SLEEP);
1156	kp_io_t *kpi = mdb_alloc(sizeof (kp_io_t), UM_SLEEP);
1157
1158	kpi->kpi_tgt = t;
1159	kpi->kpi_map = kpm;
1160	kpi->kpi_ptr = kpm->kpm_map.map_base;
1161	kpi->kpi_lim = mp->map_base + mp->map_size;
1162
1163	io->io_ops = &kp_io_ops;
1164	io->io_data = kpi;
1165	io->io_next = NULL;
1166	io->io_refcnt = 0;
1167
1168	return (io);
1169}
1170