New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support GNU formatted device ids #1

Merged
merged 1 commit into from Apr 9, 2014

Conversation

2 participants
@phillipberndt
Copy link
Contributor

phillipberndt commented Apr 9, 2014

glibc uses a different definition of the major/minor part of device numbers:

unsigned int gnu_dev_major (unsigned long long int __dev) {
    return ((__dev >> 8) & 0xfff) | ((unsigned int) (__dev >> 32) & ~0xfff);
}

unsigned int gnu_dev_minor (unsigned long long int __dev) {
    return (__dev & 0xff) | ((unsigned int) (__dev >> 12) & ~0xff);
}

I have added support for this format by checking both formats against the string from the maps file. I don't believe that name collisions (and device changes) are likely enough to justify a more elaborate approach.

Also, on my system, procfs prepends (deleted) to removed files in the maps file. I've added a line to removed that. It doesn't make much of a difference, because the path does still either not exist or will have a different inode, but it looks better this way IMHO.

@liske

This comment has been minimized.

Copy link
Owner

liske commented Apr 9, 2014

Hi Phillip,

IMHO your patch 11cfb7c should be dropped (see comment) but I'm fine with eea4ce3. Which kernel/system are you running, just wondering of the different maps behavior...

Thanks for contributing.

@liske liske self-assigned this Apr 9, 2014

@liske liske added the bug label Apr 9, 2014

@phillipberndt

This comment has been minimized.

Copy link
Contributor

phillipberndt commented Apr 9, 2014

Alright. I've updated the pull request to only include the other commit.

AFAIK, all Linux systems use the alternative formula. But since major/minor are usually <128 on desktop PCs, both definitions coincide most times. I noticed the difference on a VServer, where the root partition has major 182, minor 631234.

liske added a commit that referenced this pull request Apr 9, 2014

Merge pull request #1 from phillipberndt/master
Support GNU formatted device ids

@liske liske merged commit e317553 into liske:master Apr 9, 2014

@liske

This comment has been minimized.

Copy link
Owner

liske commented Apr 9, 2014

Thanks! I'm still wondering about the "(deleted)" prefix. Is it some older kernel... my systems always use a suffix, not a prefix... is it VServer specific?

What does readlink return if a binary is removed? There is this little check in line 214 to improve detection speed due it does not read the maps file if the binary itself was removed.

@phillipberndt

This comment has been minimized.

Copy link
Contributor

phillipberndt commented Apr 9, 2014

I don't know, but I think so. The VServer runs Debian's 3.2.41-042stab084.17. I just ran a test with a Debian Desktop running 3.2.0-4-amd64 and also saw the suffix notation there. On the VServer, readlink also prefixes the deleted:

$ perl
print readlink("exe");
^D

(deleted)/tmp/a.out
@phillipberndt

This comment has been minimized.

Copy link
Contributor

phillipberndt commented Apr 9, 2014

It definitely has to be a VServer-specific thing, and I really don't know why they are doing that: I looked at a very old 2.6 kernel, and even there (deleted) was already appended rather than prepended.

@liske

This comment has been minimized.

Copy link
Owner

liske commented Apr 9, 2014

Thanks - very interesting especially for virtualization container detection like in imvirt :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment