问题描述:系统出现panic,dmesg有如下打印:
[122061.197311] task:irq/181-ice-enp state:D stack:0 pid:3134 ppid:2 flags:0x00004000
[122061.197315] Call Trace:
[122061.197317] <TASK>
[122061.197318] __schedule+0x34e/0xb00
[122061.197325] schedule_rtlock+0x1f/0x40
[122061.197328] rtlock_slowlock_locked+0x232/0xd40
[122061.197332] rt_read_lock+0x54/0x130
[122061.197333] ep_poll_callback+0x35/0x2a0
[122061.197337] ? ktime_get+0x39/0xa0
[122061.197340] __wake_up_common+0x7d/0x190
[122061.197343] __wake_up_common_lock+0x7c/0xc0
[122061.197345] sock_def_readable+0x42/0xc0
[122061.197349] tcp_child_process+0x199/0x1f0
[122061.197354] tcp_v4_rcv+0xaf5/0xe80
[122061.197356] ? raw_local_deliver+0xc7/0x230
[122061.197359] ip_protocol_deliver_rcu+0x32/0x160
[122061.197361] ip_local_deliver_finish+0x77/0xa0
[122061.197363] ip_sublist_rcv_finish+0x80/0x90
[122061.197364] ip_sublist_rcv+0x1a4/0x240
[122061.197365] ? __pfx_ip_rcv_finish+0x10/0x10
[122061.197367] ip_list_rcv+0x136/0x160
[122061.197368] __netif_receive_skb_list_core+0x2b1/0x2e0
[122061.197371] netif_receive_skb_list_internal+0x1d5/0x310
[122061.197373] napi_complete_done+0x73/0x1b0
[122061.197377] ice_napi_poll+0xa1f/0xd80 [ice]
[122061.197444] __napi_poll+0x29/0x1b0
[122061.197446] net_rx_action+0x29f/0x370
[122061.197447] ? plist_del+0x63/0xc0
[122061.197450] handle_softirqs.constprop.0+0xb0/0x250
[122061.197453] ? __pfx_irq_forced_thread_fn+0x10/0x10
[122061.197456] __local_bh_enable_ip+0x6f/0xa0
[122061.197457] irq_forced_thread_fn+0x77/0x90
[122061.197460] irq_thread+0xed/0x1a0
[122061.197463] ? __pfx_irq_thread_dtor+0x10/0x10
[122061.197466] ? __pfx_irq_thread+0x10/0x10
[122061.197468] kthread+0xdd/0x110
[122061.197470] ? __pfx_kthread+0x10/0x10
[122061.197471] ret_from_fork+0x31/0x50
[122061.197474] ? __pfx_kthread+0x10/0x10
[122061.197476] ret_from_fork_asm+0x1b/0x30
[122061.197479] </TASK>
进程3134在尝试获取lock,而且处于state:D,中断无法执行,导致系统出现异常。
内核代码在rtlock_slowlock_locked中尝试获取lock,代码如下:
1802 /**
1803 * rtlock_slowlock_locked - Slow path lock acquisition for RT locks
1804 * @lock: The underlying RT mutex
1805 */
1806 static void __sched rtlock_slowlock_locked(struct rt_mutex_base *lock)
1807 {
1808 struct rt_mutex_waiter waiter;
1809 struct task_struct *owner;
1810
1811 lockdep_assert_held(&lock->wait_lock);
1812
1813 if (try_to_take_rt_mutex(lock, current, NULL))
1814 return;
1815
1816 rt_mutex_init_rtlock_waiter(&waiter);
1817
1818 /* Save current state and set state to TASK_RTLOCK_WAIT */
1819 current_save_and_set_rtlock_wait_state();
1820
1821 trace_contention_begin(lock, LCB_F_RT);
1822
1823 task_blocks_on_rt_mutex(lock, &waiter, current, NULL, RT_MUTEX_MIN_CHAINWALK);
1824
1825 for (;;) {
1826 /* Try to acquire the lock again */
1827 if (try_to_take_rt_mutex(lock, current, &waiter))
1828 break;
1829
1830 if (&waiter == rt_mutex_top_waiter(lock))
1831 owner = rt_mutex_owner(lock);
1832 else
1833 owner = NULL;
1834 raw_spin_unlock_irq(&lock->wait_lock);
1835
1836 if (!owner || !rtmutex_spin_on_owner(lock, &waiter, owner))
1837 schedule_rtlock();
1838
1839 raw_spin_lock_irq(&lock->wait_lock);
1840 set_current_state(TASK_RTLOCK_WAIT);
1841 }
1842
1843 /* Restore the task state */
1844 current_restore_rtlock_saved_state();
1845
1846 /*
1847 * try_to_take_rt_mutex() sets the waiter bit unconditionally.
1848 * We might have to fix that up:
1849 */
1850 fixup_rt_mutex_waiters(lock, true);
1851 debug_rt_mutex_free_waiter(&waiter);
1852
1853 trace_contention_end(lock, 0);
1854 }
lock结构体如下:
struct rt_mutex_base {
raw_spinlock_t wait_lock;
struct rb_root_cached waiters;
struct task_struct *owner;
};
解决思路:只要找到lock,就可以通过lock找到owner
使用crash打开vmcore分析:
crash> bt -f 3134
PID: 3134 TASK: ff27411db0af97c0 CPU: 0 COMMAND: "irq/181-ice-enp"
#0 [ff468632c619f748] __schedule at ffffffff99f3c3ce
ff468632c619f750: 0000100000000000 ff27415b3e5f23c0
ff468632c619f760: ffffffff00000004 ffffffff9a2100a0
ff468632c619f770: 0000000000000000 0000000000000002
ff468632c619f780: da58a4eb0f1c7100 ff27411db0af97c0
ff468632c619f790: ff27411db0af97c0 ff27411f3bd0df00
ff468632c619f7a0: ff27411db0afa098 ff27411db0af97c0
ff468632c619f7b0: ff27411f89f8da98 ffffffff99f3d04f
#1 [ff468632c619f7b8] schedule_rtlock at ffffffff99f3d04f
ff468632c619f7c0: ff468632c619f800 ffffffff99f43042
#2 [ff468632c619f7c8] rtlock_slowlock_locked at ffffffff99f43042
ff468632c619f7d0: 0000000000000000 ff27411f3bd0e7d8
ff468632c619f7e0: ff27411f3bd0e7d8 0000000000000000
ff468632c619f7f0: ff27411db0af9ba8 0000000000000000
ff468632c619f800: ff468632cc40f3f0 0000000000000000
ff468632c619f810: 0000000000000000 ffffffff0000001d
ff468632c619f820: 0000000000000000 0000000000000001
ff468632c619f830: 0000000000000000 0000000000000000
ff468632c619f840: ff27411d0000001d 0000000000000000
ff468632c619f850: ff27411db0af97c0 ff27411f89f8da98
ff468632c619f860: 27183d1600001000 0000000000000000
ff468632c619f870: da58a4eb0f1c7100 00000000000000c3
ff468632c619f880: ff27411f89f8da90 ff27411f89f8da98
ff468632c619f890: ff27411fbcd3d8d0 ff27411f89f8da90
ff468632c619f8a0: 00000000000000c3 ffffffff99f43c74
…………
需要找到lock的寄存器,进而找到在何时被压栈到何处
rt_mutex_base中wait_lock是第一个成员,也就是说函数当中许多对 lock->wait_lock 的调用可以直接用lock的值,对函数rtlock_slowlock_locked进行反汇编:
crash> dis -lr ffffffff99f43042
kernel/locking/rtmutex.c: 1807
0xffffffff99f42e10 <rtlock_slowlock_locked>: nopl 0x0(%rax,%rax,1) [FTRACE NOP]
0xffffffff99f42e15 <rtlock_slowlock_locked+5>: push %r15
kernel/locking/rtmutex.c: 1813
0xffffffff99f42e17 <rtlock_slowlock_locked+7>: xor %edx,%edx
kernel/locking/rtmutex.c: 1807
0xffffffff99f42e19 <rtlock_slowlock_locked+9>: push %r14
0xffffffff99f42e1b <rtlock_slowlock_locked+11>: push %r13
0xffffffff99f42e1d <rtlock_slowlock_locked+13>: push %r12
0xffffffff99f42e1f <rtlock_slowlock_locked+15>: push %rbp
0xffffffff99f42e20 <rtlock_slowlock_locked+16>: mov %rdi,%rbp
0xffffffff99f42e23 <rtlock_slowlock_locked+19>: push %rbx
arch/x86/include/asm/current.h: 41
0xffffffff99f42e24 <rtlock_slowlock_locked+20>: mov %gs:0x31b40,%r12
kernel/locking/rtmutex.c: 1813
0xffffffff99f42e2d <rtlock_slowlock_locked+29>: mov %r12,%rsi
kernel/locking/rtmutex.c: 1807
0xffffffff99f42e30 <rtlock_slowlock_locked+32>: sub $0xa8,%rsp
0xffffffff99f42e37 <rtlock_slowlock_locked+39>: mov %gs:0x28,%rax
0xffffffff99f42e40 <rtlock_slowlock_locked+48>: mov %rax,0xa0(%rsp)
0xffffffff99f42e48 <rtlock_slowlock_locked+56>: xor %eax,%eax
arch/x86/include/asm/current.h: 41
0xffffffff99f42e4a <rtlock_slowlock_locked+58>: call 0xffffffff99f42430 <try_to_take_rt_mutex>
kernel/locking/rtmutex.c: 1813
0xffffffff99f42e4f <rtlock_slowlock_locked+63>: mov %eax,0x4(%rsp)
0xffffffff99f42e53 <rtlock_slowlock_locked+67>: test %eax,%eax
0xffffffff99f42e55 <rtlock_slowlock_locked+69>: je 0xffffffff99f42e84 <rtlock_slowlock_locked+116>
kernel/locking/rtmutex.c: 1854
0xffffffff99f42e57 <rtlock_slowlock_locked+71>: mov 0xa0(%rsp),%rax
0xffffffff99f42e5f <rtlock_slowlock_locked+79>: sub %gs:0x28,%rax
0xffffffff99f42e68 <rtlock_slowlock_locked+88>: jne 0xffffffff99f43b44 <rtlock_slowlock_locked+3380>
0xffffffff99f42e6e <rtlock_slowlock_locked+94>: add $0xa8,%rsp
0xffffffff99f42e75 <rtlock_slowlock_locked+101>: pop %rbx
0xffffffff99f42e76 <rtlock_slowlock_locked+102>: pop %rbp
0xffffffff99f42e77 <rtlock_slowlock_locked+103>: pop %r12
0xffffffff99f42e79 <rtlock_slowlock_locked+105>: pop %r13
0xffffffff99f42e7b <rtlock_slowlock_locked+107>: pop %r14
0xffffffff99f42e7d <rtlock_slowlock_locked+109>: pop %r15
0xffffffff99f42e7f <rtlock_slowlock_locked+111>: ret
0xffffffff99f42e80 <rtlock_slowlock_locked+112>: int3
0xffffffff99f42e81 <rtlock_slowlock_locked+113>: int3
0xffffffff99f42e82 <rtlock_slowlock_locked+114>: int3
0xffffffff99f42e83 <rtlock_slowlock_locked+115>: int3
kernel/locking/rtmutex_common.h: 214
0xffffffff99f42e84 <rtlock_slowlock_locked+116>: lea 0x8d8(%r12),%r13
0xffffffff99f42e8c <rtlock_slowlock_locked+124>: lea 0x30(%rsp),%rbx
kernel/locking/rtmutex_common.h: 217
0xffffffff99f42e91 <rtlock_slowlock_locked+129>: movq $0x0,0x80(%rsp)
kernel/locking/rtmutex_common.h: 214
0xffffffff99f42e9d <rtlock_slowlock_locked+141>: lea 0x58(%rsp),%rax
kernel/locking/rtmutex.c: 1819
0xffffffff99f42ea2 <rtlock_slowlock_locked+146>: mov %r13,%rdi
kernel/locking/rtmutex_common.h: 215
0xffffffff99f42ea5 <rtlock_slowlock_locked+149>: mov %rbx,0x30(%rsp)
kernel/locking/rtmutex_common.h: 214
0xffffffff99f42eaa <rtlock_slowlock_locked+154>: mov %rax,0x58(%rsp)
kernel/locking/rtmutex_common.h: 223
0xffffffff99f42eaf <rtlock_slowlock_locked+159>: movl $0x1000,0x90(%rsp)
arch/x86/include/asm/current.h: 41
0xffffffff99f42eba <rtlock_slowlock_locked+170>: call 0xffffffff99f45c60 <_raw_spin_lock>
0xffffffff99f42ebf <rtlock_slowlock_locked+175>: mov 0x18(%r12),%eax
0xffffffff99f42ec4 <rtlock_slowlock_locked+180>: mov %r13,%rdi
0xffffffff99f42ec7 <rtlock_slowlock_locked+183>: movl $0x1000,0x18(%r12)
0xffffffff99f42ed0 <rtlock_slowlock_locked+192>: mov %eax,0x1c(%r12)
0xffffffff99f42ed5 <rtlock_slowlock_locked+197>: call 0xffffffff99f45d60 <_raw_spin_unlock>
arch/x86/include/asm/jump_label.h: 27
0xffffffff99f42eda <rtlock_slowlock_locked+202>: nopl 0x0(%rax,%rax,1)
arch/x86/include/asm/current.h: 41
0xffffffff99f42edf <rtlock_slowlock_locked+207>: mov 0x18(%rbp),%r13
0xffffffff99f42ee3 <rtlock_slowlock_locked+211>: mov %gs:0x31b40,%r15
kernel/locking/rtmutex_common.h: 161
0xffffffff99f42eec <rtlock_slowlock_locked+220>: and $0xfffffffffffffffe,%r13
0xffffffff99f42ef0 <rtlock_slowlock_locked+224>: mov %r13,%r12
kernel/locking/rtmutex.c: 1224
0xffffffff99f42ef3 <rtlock_slowlock_locked+227>: cmp %r13,%r15
0xffffffff99f42ef6 <rtlock_slowlock_locked+230>: je 0xffffffff99f4302a <rtlock_slowlock_locked+538>
kernel/locking/rtmutex.c: 1227
0xffffffff99f42efc <rtlock_slowlock_locked+236>: lea 0x8d8(%r15),%r14
0xffffffff99f42f03 <rtlock_slowlock_locked+243>: mov %r14,%rdi
0xffffffff99f42f06 <rtlock_slowlock_locked+246>: call 0xffffffff99f45c60 <_raw_spin_lock>
kernel/locking/rtmutex.c: 1228
0xffffffff99f42f0b <rtlock_slowlock_locked+251>: mov 0x6c(%r15),%ecx
kernel/locking/rtmutex.c: 350
0xffffffff99f42f0f <rtlock_slowlock_locked+255>: mov $0x78,%eax
kernel/locking/rtmutex.c: 365
0xffffffff99f42f14 <rtlock_slowlock_locked+260>: mov 0x1f8(%r15),%r9
kernel/locking/rtmutex.c: 1228
0xffffffff99f42f1b <rtlock_slowlock_locked+267>: mov %r15,0x80(%rsp)
kernel/locking/rtmutex.c: 1229
0xffffffff99f42f23 <rtlock_slowlock_locked+275>: cmp $0x64,%ecx
0xffffffff99f42f26 <rtlock_slowlock_locked+278>: mov %rbp,0x88(%rsp)
include/linux/sched/rt.h: 11
0xffffffff99f42f2e <rtlock_slowlock_locked+286>: cmovge %eax,%ecx
kernel/locking/rtmutex_common.h: 112
0xffffffff99f42f31 <rtlock_slowlock_locked+289>: mov 0x8(%rbp),%rax
kernel/locking/rtmutex.c: 365
0xffffffff99f42f35 <rtlock_slowlock_locked+293>: mov %r9,0x50(%rsp)
kernel/locking/rtmutex.c: 379
0xffffffff99f42f3a <rtlock_slowlock_locked+298>: mov %r9,0x78(%rsp)
kernel/locking/rtmutex.c: 364
0xffffffff99f42f3f <rtlock_slowlock_locked+303>: mov %ecx,0x48(%rsp)
kernel/locking/rtmutex.c: 378
0xffffffff99f42f43 <rtlock_slowlock_locked+307>: mov %ecx,0x70(%rsp)
kernel/locking/rtmutex_common.h: 112
0xffffffff99f42f47 <rtlock_slowlock_locked+311>: test %rax,%rax
0xffffffff99f42f4a <rtlock_slowlock_locked+314>: je 0xffffffff99f4321e <rtlock_slowlock_locked+1038>
kernel/locking/rtmutex_common.h: 130
0xffffffff99f42f50 <rtlock_slowlock_locked+320>: mov 0x10(%rbp),%rax
0xffffffff99f42f54 <rtlock_slowlock_locked+324>: mov %rax,0x8(%rsp)
kernel/locking/rtmutex_common.h: 135
0xffffffff99f42f59 <rtlock_slowlock_locked+329>: test %rax,%rax
0xffffffff99f42f5c <rtlock_slowlock_locked+332>: je 0xffffffff99f42f68 <rtlock_slowlock_locked+344>
kernel/locking/rtmutex_common.h: 137
0xffffffff99f42f5e <rtlock_slowlock_locked+334>: cmp 0x58(%rax),%rbp
0xffffffff99f42f62 <rtlock_slowlock_locked+338>: jne 0xffffffff99f43527 <rtlock_slowlock_locked+1815>
include/linux/rbtree.h: 168
0xffffffff99f42f68 <rtlock_slowlock_locked+344>: mov 0x8(%rbp),%rax
0xffffffff99f42f6c <rtlock_slowlock_locked+348>: lea 0x8(%rbp),%r10
include/linux/rbtree.h: 172
0xffffffff99f42f70 <rtlock_slowlock_locked+352>: test %rax,%rax
0xffffffff99f42f73 <rtlock_slowlock_locked+355>: je 0xffffffff99f4315c <rtlock_slowlock_locked+844>
include/linux/rbtree.h: 170
0xffffffff99f42f79 <rtlock_slowlock_locked+361>: mov $0x1,%edi
0xffffffff99f42f7e <rtlock_slowlock_locked+366>: jmp 0xffffffff99f42f9a <rtlock_slowlock_locked+394>
include/linux/sched/deadline.h: 15
0xffffffff99f42f80 <rtlock_slowlock_locked+368>: test %ecx,%ecx
0xffffffff99f42f82 <rtlock_slowlock_locked+370>: js 0xffffffff99f430b8 <rtlock_slowlock_locked+680>
include/linux/rbtree.h: 177
0xffffffff99f42f88 <rtlock_slowlock_locked+376>: mov 0x8(%rax),%rdx
0xffffffff99f42f8c <rtlock_slowlock_locked+380>: lea 0x8(%rax),%rsi
include/linux/rbtree.h: 178
0xffffffff99f42f90 <rtlock_slowlock_locked+384>: xor %edi,%edi
include/linux/rbtree.h: 172
0xffffffff99f42f92 <rtlock_slowlock_locked+386>: test %rdx,%rdx
0xffffffff99f42f95 <rtlock_slowlock_locked+389>: je 0xffffffff99f42fab <rtlock_slowlock_locked+411>
0xffffffff99f42f97 <rtlock_slowlock_locked+391>: mov %rdx,%rax
kernel/locking/rtmutex.c: 393
0xffffffff99f42f9a <rtlock_slowlock_locked+394>: cmp 0x18(%rax),%ecx
0xffffffff99f42f9d <rtlock_slowlock_locked+397>: jge 0xffffffff99f42f80 <rtlock_slowlock_locked+368>
include/linux/rbtree.h: 175
0xffffffff99f42f9f <rtlock_slowlock_locked+399>: lea 0x10(%rax),%rsi
include/linux/rbtree.h: 172
0xffffffff99f42fa3 <rtlock_slowlock_locked+403>: mov (%rsi),%rdx
0xffffffff99f42fa6 <rtlock_slowlock_locked+406>: test %rdx,%rdx
0xffffffff99f42fa9 <rtlock_slowlock_locked+409>: jne 0xffffffff99f42f97 <rtlock_slowlock_locked+391>
include/linux/rbtree.h: 62
0xffffffff99f42fab <rtlock_slowlock_locked+411>: mov %rax,0x30(%rsp)
include/linux/rbtree.h: 63
0xffffffff99f42fb0 <rtlock_slowlock_locked+416>: movq $0x0,0x38(%rsp)
0xffffffff99f42fb9 <rtlock_slowlock_locked+425>: movq $0x0,0x40(%rsp)
include/linux/rbtree.h: 65
0xffffffff99f42fc2 <rtlock_slowlock_locked+434>: mov %rbx,(%rsi)
include/linux/rbtree.h: 112
0xffffffff99f42fc5 <rtlock_slowlock_locked+437>: test %dil,%dil
0xffffffff99f42fc8 <rtlock_slowlock_locked+440>: jne 0xffffffff99f4317b <rtlock_slowlock_locked+875>
include/linux/rbtree.h: 114
0xffffffff99f42fce <rtlock_slowlock_locked+446>: mov %rbx,%rdi
0xffffffff99f42fd1 <rtlock_slowlock_locked+449>: mov %r10,%rsi
0xffffffff99f42fd4 <rtlock_slowlock_locked+452>: call 0xffffffff99f20d40 <rb_insert_color>
kernel/locking/rtmutex.c: 1238
0xffffffff99f42fd9 <rtlock_slowlock_locked+457>: mov %rbx,0x900(%r15)
kernel/locking/rtmutex.c: 1240
0xffffffff99f42fe0 <rtlock_slowlock_locked+464>: mov %r14,%rdi
0xffffffff99f42fe3 <rtlock_slowlock_locked+467>: call 0xffffffff99f45d60 <_raw_spin_unlock>
kernel/locking/rtmutex.c: 1257
0xffffffff99f42fe8 <rtlock_slowlock_locked+472>: test %r13,%r13
0xffffffff99f42feb <rtlock_slowlock_locked+475>: je 0xffffffff99f4302a <rtlock_slowlock_locked+538>
kernel/locking/rtmutex.c: 1260
0xffffffff99f42fed <rtlock_slowlock_locked+477>: lea 0x8d8(%r13),%r8
0xffffffff99f42ff4 <rtlock_slowlock_locked+484>: mov %r8,%rdi
0xffffffff99f42ff7 <rtlock_slowlock_locked+487>: mov %r8,0x10(%rsp)
0xffffffff99f42ffc <rtlock_slowlock_locked+492>: call 0xffffffff99f45c60 <_raw_spin_lock>
kernel/locking/rtmutex_common.h: 130
0xffffffff99f43001 <rtlock_slowlock_locked+497>: mov 0x10(%rbp),%rax
kernel/locking/rtmutex_common.h: 135
0xffffffff99f43005 <rtlock_slowlock_locked+501>: mov 0x10(%rsp),%r8
0xffffffff99f4300a <rtlock_slowlock_locked+506>: test %rax,%rax
0xffffffff99f4300d <rtlock_slowlock_locked+509>: je 0xffffffff99f43022 <rtlock_slowlock_locked+530>
kernel/locking/rtmutex_common.h: 137
0xffffffff99f4300f <rtlock_slowlock_locked+511>: cmp 0x58(%rax),%rbp
0xffffffff99f43013 <rtlock_slowlock_locked+515>: jne 0xffffffff99f435fe <rtlock_slowlock_locked+2030>
kernel/locking/rtmutex_common.h: 139
0xffffffff99f43019 <rtlock_slowlock_locked+521>: cmp %rbx,%rax
0xffffffff99f4301c <rtlock_slowlock_locked+524>: je 0xffffffff99f43228 <rtlock_slowlock_locked+1048>
kernel/locking/rtmutex.c: 1275
0xffffffff99f43022 <rtlock_slowlock_locked+530>: mov %r8,%rdi
0xffffffff99f43025 <rtlock_slowlock_locked+533>: call 0xffffffff99f45d60 <_raw_spin_unlock>
kernel/locking/rtmutex.c: 1281
0xffffffff99f4302a <rtlock_slowlock_locked+538>: mov %gs:0x31b40,%r12
arch/x86/include/asm/current.h: 41
0xffffffff99f43033 <rtlock_slowlock_locked+547>: jmp 0xffffffff99f43054 <rtlock_slowlock_locked+580>
kernel/locking/rtmutex.c: 1834
0xffffffff99f43035 <rtlock_slowlock_locked+549>: mov %rbp,%rdi
0xffffffff99f43038 <rtlock_slowlock_locked+552>: call 0xffffffff99f45da0 <_raw_spin_unlock_irq>
kernel/locking/rtmutex.c: 1837
0xffffffff99f4303d <rtlock_slowlock_locked+557>: call 0xffffffff99f3d030 <schedule_rtlock>
kernel/locking/rtmutex.c: 1839
0xffffffff99f43042 <rtlock_slowlock_locked+562>: mov %rbp,%rdi
在x86上面,当参数少于7时, 参数会依次放入寄存器: rdi, rsi, rdx, rcx, r8, r9,
mov %rdi,%rbp
这一行代码已经把参数的值放到rbp寄存器当中了,而且后续可以看到一些类似“mov %r13,%rdi”的操作,说明虽然schedule_rtlock没有参数,但是rdi寄存器已经不再存放lock的值了。
从以下反汇编的内容可以得知,lock值应该就存在rbq当中
0xffffffff99f43035 <rtlock_slowlock_locked+549>: mov %rbp,%rdi
0xffffffff99f43038 <rtlock_slowlock_locked+552>: call 0xffffffff99f45da0 <_raw_spin_unlock_irq>
因为原函数当中是这样进行调用的:
1839 raw_spin_lock_irq(&lock->wait_lock);
lock->wait_lock就是lock的值,在调用_raw_spin_unlock_irq的时候把rbp传给参数寄存器,也就是说rbq当中存的就是lock的值。
接下来对schedule_rtlock进行反汇编:
crash> dis -lr ffffffff99f3d04f
kernel/sched/core.c: 6874
0xffffffff99f3d030 <schedule_rtlock>: nopw (%rax)
kernel/sched/core.c: 6792
0xffffffff99f3d034 <schedule_rtlock+4>: push %rbx
arch/x86/include/asm/current.h: 41
0xffffffff99f3d035 <schedule_rtlock+5>: mov %gs:0x31b40,%rbx
arch/x86/include/asm/preempt.h: 80
0xffffffff99f3d03e <schedule_rtlock+14>: incl %gs:0x660f4b03(%rip) # 0x31b48
kernel/sched/core.c: 6796
0xffffffff99f3d045 <schedule_rtlock+21>: mov $0x2,%edi
0xffffffff99f3d04a <schedule_rtlock+26>: call 0xffffffff99f3c080 <__schedule>
arch/x86/include/asm/preempt.h: 85
0xffffffff99f3d04f <schedule_rtlock+31>: decl %gs:0x660f4af2(%rip) # 0x31b48
并未发现对%rbp的操作,可能是编译器进行了优化,因为schedule_rtlock并未改变寄存器%rbq的值,所以并未进行压栈。
继续对上一层函数__schedule进行反汇编
crash> dis -lr ffffffff99f3c3ce
kernel/sched/core.c: 6598
0xffffffff99f3c080 <__schedule>: push %rbp
0xffffffff99f3c081 <__schedule+1>: mov %rsp,%rbp
0xffffffff99f3c084 <__schedule+4>: push %r15
0xffffffff99f3c086 <__schedule+6>: push %r14
0xffffffff99f3c088 <__schedule+8>: mov %edi,%r14d
0xffffffff99f3c08b <__schedule+11>: push %r13
……
可以看到在最开始的时候就对寄存器%rbp进行压栈,对应的栈地址为ff468632c619f7b0,内容为ff27411f89f8da98
在crash里面查看这个地址的内容:
crash> rt_mutex_base ff27411f89f8da98
struct rt_mutex_base {
wait_lock = {
raw_lock = {
{
val = {
counter = 0
},
{
locked = 0 '\000',
pending = 0 '\000'
},
{
locked_pending = 0,
tail = 0
}
}
}
},
waiters = {
rb_root = {
rb_node = 0xff468632cc40f3f0
},
rb_leftmost = 0xff468632c619f800
},
owner = crash> rt_mutex_base ff27411f89f8da98
}
可以看到owner为0xff27411f3bd0df01,最后的1不是task_struct的地址,是在获得锁的时候或的(#define RT_MUTEX_HAS_WAITERS 1UL),实际的task_struct地址是0xff27411f3bd0df00
crash> task_struct.pid 0xff27411f3bd0df00
pid = 23645,
得到锁是由23645进程执有的
