diff --git a/volatility3/framework/plugins/linux/kthreads.py b/volatility3/framework/plugins/linux/kthreads.py index bd0e895a43..674eae1e53 100644 --- a/volatility3/framework/plugins/linux/kthreads.py +++ b/volatility3/framework/plugins/linux/kthreads.py @@ -72,28 +72,35 @@ def _generator(self): if task.has_member("worker_private"): # kernels >= 5.17 e32cf5dfbe227b355776948b2c9b5691b84d1cbd - ktread_base_pointer = task.worker_private + kthread_base_pointer = task.worker_private else: # 5.8 <= kernels < 5.17 in 52782c92ac85c4e393eb4a903a62e6c24afa633f threadfn # was added to struct kthread. task.set_child_tid is safe on those versions. - ktread_base_pointer = task.set_child_tid + kthread_base_pointer = task.set_child_tid - if not ktread_base_pointer.is_readable(): + if not kthread_base_pointer.is_readable(): continue - kthread = ktread_base_pointer.dereference().cast("kthread") + kthread = kthread_base_pointer.dereference().cast("kthread") threadfn = kthread.threadfn if not (threadfn and threadfn.is_readable()): continue task_name = utility.array_to_string(task.comm) + thread_name = task_name + # kernels >= 5.17 in d6986ce24fc00b0638bd29efe8fb7ba7619ed2aa full_name was added to kthread - thread_name = ( - utility.pointer_to_string(kthread.full_name, count=255) - if kthread.has_member("full_name") - else task_name - ) + if kthread.has_member("full_name"): + try: + thread_name = utility.pointer_to_string( + kthread.full_name, count=255 + ) + except exceptions.InvalidAddressException: + vollog.debug( + f"full_name pointer for thread at {kthread.vol.offset:#x} is paged out." + ) + module_name, symbol_name = ( linux_utilities_modules.Modules.lookup_module_address( self.context, vmlinux.name, handlers, threadfn