Print kernel's page table entries

Question

Virtual memory map with 4 level page tables:

0000000000000000 - 00007fffffffffff (=47 bits) user space, different per mm
ffff800000000000 - ffff80ffffffffff          


        

Answer 1

Each process has its own page global directory (PGD), the pointer to which is stored in the CR3 register, which is loaded when the process is scheduled to run by the kernel. Kernel also keeps its own PGD for the process swapper (if I remember right), which is stored in the init_mm.pgd struct member. You should be able to find the pages you are looking for in this PGD.

Unfortunately, unless you are running in a VM, I know of no easy way of getting to CR3. You can get at init_mm struct using GDB like this:

• Get a kernel with debug symbols matching your current kernel. The match must be exact so it is best to use the corresponding distribution package. See How to get Ubuntu debug kernel for Ubuntu directions.

• Assuming you are running a distribution that has a functioning /proc/kcore (e.g. Ubuntu), you can do gdb /proc/kcore

• Now do p init_mm.pgd To get the address of the kernel's PGD.

• Which you can now dump using dump mem (That's if the PGD fits in a 4K page)

To get all of the lower level tables corresponding to the memory range you are interested in, you will have to walk them starting with PGD, either manually or with python scripting in GDB.