Review of Linux Kernel Sources and Functions
This article describes where in the Linux kernel sources you should start looking for particular kernel functions.
This article does not depend on knowledge of the 'C' programming language or require that you have the Linux kernel sources available in order to understand how the Linux kernel works. That said, it is a useful exercise to look at the kernel sources to get an in-depth understanding of the Linux operating system. This article gives an overview of the kernel sources; how they are arranged and where you might start to look for particular code.
Where to Get the Linux Kernel Sources
All of the major Linux distributions ( Ubuntu, Debian, Slackware, Red Hat etc) include the kernel sources in them. Usually the Linux kernel that got installed on your Linux system was built from those sources.
The Linux kernel sources have a very simple numbering system. Any even number kernel (for example 2.0.30) is a stable, released, kernel and any odd numbered kernel (for example 2.1.42 is a development kernel. This article is based on the stable 2.0.30 source tree. Development kernels have all of the latest features and support all of the latest devices. Although they can be unstable, which may not be exactly what you want it, is important that the Linux community tries the latest kernels. That way they are tested for the whole community. Remember that it is always worth backing up your system thoroughly if you do try out non-production kernels.
Changes to the kernel sources are distributed as patch files. The patch utility is used to apply a series of edits to a set of source files. So, for example, if you have the 2.0.29 kernel source tree and you wanted to move to the 2.0.30 source tree, you would obtain the 2.0.30 patch file and apply the patches (edits) to that source tree:
$ cd /usr/src/linux
$ patch -p1 < patch-2.0.30
This saves copying whole source trees, perhaps over slow serial connections.
How The Kernel Sources Are Arranged
At the very top level of the source tree /usr/src/linux you will see a number of directories:
- The arch subdirectory contains all of the architecture specific kernel code. It has further subdirectories, one per supported architecture, for example i386 and alpha.
- The include subdirectory contains most of the include files needed to build the kernel code. It too has further subdirectories including one for every architecture supported. The include/asm subdirectory is a soft link to the real include directory needed for this architecture, for example include/asm-i386. To change architectures you need to edit the kernel makefile and rerun the Linux kernel configuration program.
- This directory contains the initialization code for the kernel and it is a very good place to start looking at how the kernel works.
- This directory contains all of the memory management code. The architecture specific memory management code lives down in arch/*/mm/, for example arch/i386/mm/fault.c.
- All of the system's device drivers live in this directory. They are further sub-divided into classes of device driver, for example block.
- This directory contains the kernels inter-process communications code.
- This is simply a directory used to hold built modules.
- All of the file system code. This is further sub-divided into directories, one per supported file system, for example vfat and ext2.
- The main kernel code. Again, the architecture specific kernel code is in arch/*/kernel.
- The kernel's networking code.
- This directory contains the kernel's library code. The architecture specific library code can be found in arch/*/lib/.
- This directory contains the scripts (for example awk and tk scripts) that are used when the kernel is configured.
Where to Start Looking
A large complex program like the Linux kernel can be rather daunting to look at. It is rather like a large ball of string with no end showing. Looking at one part of the kernel often leads to looking at several other related files and before long you have forgotten what you were looking for. The next subsections give you a hint as to where in the source tree the best place to look is for a given subject.
System Startup and Initialization
On an Intel based system, the kernel starts when either loadlin.exe or LILO has loaded the kernel into memory and passed control to it. Look in arch/i386/kernel/head.S for this part. Head.S does some architecture specific setup and then jumps to the main() routine in init/main.c.
This code is mostly in mm but the architecture specific code is in arch/*/mm. The page fault handling code is in mm/memory.c and the memory mapping and page cache code is in mm/filemap.c. The buffer cache is implemented in mm/buffer.c and the swap cache in mm/swap_state.c and mm/swapfile.c.
Most of the relevant generic code is in kernel with the architecture specific code in arch/*/kernel. The scheduler is in kernel/sched.c and the fork code is in kernel/fork.c. The bottom half handling code is in include/linux/interrupt.h. The task_struct data structure can be found in include/linux/sched.h.
The PCI pseudo driver is in drivers/pci/pci.c with the system wide definitions in include/linux/pci.h. Each architecture has some specific PCI BIOS code, Alpha AXP's is in arch/alpha/kernel/bios32.c.
This is all in ipc. All System V IPC objects include an ipc_perm data structure and this can be found in include/linux/ipc.h. System V messages are implemented in ipc/msg.c, shared memory in ipc/shm.c and semaphores in ipc/sem.c. Pipes are implemented in ipc/pipe.c.
The kernel's interrupt handling code is almost all microprocessor (and often platform) specific. The Intel interrupt handling code is in arch/i386/kernel/irq.c and its definitions in include/asm-i386/irq.h.
Most of the lines of the Linux kernel's source code are in its device drivers. All of Linux's device driver sources are held in drivers but these are further broken out by type:
- block device drivers such as ide (in ide.c). If you want to look at how all of the devices that could possibly contain file systems are initialized then you should look at device_setup() in drivers/block/genhd.c. It not only initializes the hard disks but also the network as you need a network to mount nfs file systems. Block devices include both IDE and SCSI based devices.
- This the place to look for character based devices such as ttys, serial ports and mice.
- All of the CDROM code for Linux. It is here that the special CDROM devices (such as Soundblaster CDROM) can be found. Note that the ide CD driver is ide-cd.c in drivers/block and that the SCSI CD driver is in scsi.c in drivers/scsi.
- This are the sources for the PCI pseudo-driver. A good place to look at how the PCI subsystem is mapped and initialized. The Alpha AXP PCI fixup code is also worth looking at in arch/alpha/kernel/bios32.c.
- This is where to find all of the SCSI code as well as all of the drivers for the scsi devices supported by Linux.
- This is where to look to find the network device drivers such as the DECChip 21040 PCI ethernet driver which is in tulip.c.
- This is where all of the sound card drivers are.
The sources for the EXT2 file system are all in the fs/ext2/ directory with data structure definitions in include/linux/ext2_fs.h, ext2_fs_i.h and ext2_fs_sb.h. The Virtual File System data structures are described in include/linux/fs.h and the code is in fs/*. The buffer cache is implemented in fs/buffer.c along with the update kernel daemon.
The networking code is kept in net with most of the include files in include/net. The BSD socket code is in net/socket.c and the IP version 4 INET socket code is in net/ipv4/af_inet.c. The generic protocol support code (including the sk_buff handling routines) is in net/core with the TCP/IP networking code in net/ipv4. The network device drivers are in drivers/net.
The kernel module code is partially in the kernel and partially in the modules package. The kernel code is all in kernel/modules.c with the data structures and kernel demon kerneld messages in include/linux/module.h and include/linux/kerneld.h respectively. You may want to look at the structure of an ELF object file in include/linux/elf.h.
Additional Linux Resources
Here is a list of resources for learning Linux:
Resources for System Administrators
- Linux System Admin Guide- What is Linux Operating System and how it works
- Linux System Admin Guide- What are Directory Tree and Filesystem Hierarchy in Linux
- Linux System Admin Guide- Introduction to Linux File Systems for System Admins
- Linux System Admin Guide- Overview of Linux Virtual Memory and Disk Buffer Cache
- Linux System Admin Guide- Best Practices for Monitoring Linux Systems
- Linux System Admin Guide- Best Practices for Performing Linux Boots and Shutdowns
- Linux System Admin Guide- Best Practices for Making and Managing Backup Operations
Resources for Linux Kernel Programmers
- How Linux Operating System Memory Management works
- Comprehensive Review of Linux Kernel Operating System Processes
- Comprehensive Review of Linux File System Architecture and Management
- What are mechanisms behind Linux Kernel task management
- How Linux Kernel Sources and Functions work
- Comprehensive look at how Linux Data Structures work
Linux File System Dictionary
Comprehensive Review of How Linux File and Directory System Works
Hands-on Linux classes
- Introduction to Linux and Shell programming
- Linux System Administration
- Korn Shell and Bash Shell Coding
Linux Operating System Distributions
- Comprehensive list of all Linux OS distributions
- Comprehensive list of all special purpose Linux distributions
- Comprehensive list of all secure Linux distributions for cybersecurity professionals