Linux kernel_thread 的一些注意事项

 

在x86_64平台上,很多内核函数的入口定义都在entry_64.S中。

kernel_thread定义如下：

 

/* * Create a kernel thread. * * C extern interface: *extern long kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) * * asm input arguments: *rdi: fn, rsi: arg, rdx: flags */ENTRY(kernel_thread)CFI_STARTPROCFAKE_STACK_FRAME $child_ripSAVE_ALL# rdi: flags, rsi: usp, rdx: will be &pt_regsmovq %rdx,%rdiorq kernel_thread_flags(%rip),%rdimovq $-1, %rsimovq %rsp, %rdxxorl %r8d,%r8dxorl %r9d,%r9d# clone nowcall do_forkmovq %rax,RAX(%rsp)xorl %edi,%edi/* * It isn't worth to check for reschedule here, * so internally to the x86_64 port you can rely on kernel_thread() * not to reschedule the child before returning, this avoids the need * of hacks for example to fork off the per-CPU idle tasks. * [Hopefully no generic code relies on the reschedule -AK] */RESTORE_ALLUNFAKE_STACK_FRAMEretCFI_ENDPROCEND(kernel_thread)

 

其中的FAKE_STACK_FRAME宏，虚构了一个中断堆栈信息，意思就是：中断返回后的执行第一条指令就是child_rip。

然后就是准备参数寄存器，调用do_fork这跟传统的穿件进程与线程一样的。主线程返回时，把创建的伪中断堆栈恢复，然后继续正常执行。

 

而子进程则返回到child_rip处，跟父进程的执行路径不一样，并不恢复伪堆栈的信息。执行路径的不同主要由以下几段代码来控制：

copy_thread中的一段：

p->thread.sp = (unsigned long) childregs;p->thread.sp0 = (unsigned long) (childregs+1);p->thread.usersp = me->thread.usersp;set_tsk_thread_flag(p, TIF_FORK);p->thread.fs = me->thread.fs;p->thread.gs = me->thread.gs;savesegment(gs, p->thread.gsindex);savesegment(fs, p->thread.fsindex);savesegment(es, p->thread.es);savesegment(ds, p->thread.ds); 

以及switch_to宏：

#define switch_to(prev, next, last) /asm volatile(SAVE_CONTEXT / "movq %%rsp,%P[threadrsp](%[prev])/n/t" /* save RSP */ / "movq %P[threadrsp](%[next]),%%rsp/n/t" /* restore RSP */ / "call __switch_to/n/t" / ".globl thread_return/n" / "thread_return:/n/t" / "movq "__percpu_arg([current_task])",%%rsi/n/t" / __switch_canary / "movq %P[thread_info](%%rsi),%%r8/n/t" / "movq %%rax,%%rdi/n/t" / "testl %[_tif_fork],%P[ti_flags](%%r8)/n/t" / "jnz ret_from_fork/n/t" / RESTORE_CONTEXT / : "=a" (last) / __switch_canary_oparam / : [next] "S" (next), [prev] "D" (prev), / [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), / [ti_flags] "i" (offsetof(struct thread_info, flags)), / [_tif_fork] "i" (_TIF_FORK), / [thread_info] "i" (offsetof(struct task_struct, stack)), / [current_task] "m" (per_cpu_var(current_task)) / __switch_canary_iparam / : "memory", "cc" __EXTRA_CLOBBER) 

在创建子进程时，将thread_info中的flag TIF_FORK标志位置为1。子进程创建后，并不会立即调度执行，而是通过父进程让其调度执行后才被调度。这时在switch_to宏中就会对TIF_FORK标志位判断，是否为新创建的进程，如果是，就跳到ret_from_fork进行执行。

代码如下

/* * A newly forked process directly context switches into this address. * * rdi: prev task we switched from */ENTRY(ret_from_fork)DEFAULT_FRAMELOCK ; btr $TIF_FORK,TI_flags(%r8)push kernel_eflags(%rip)CFI_ADJUST_CFA_OFFSET 8popf# reset kernel eflagsCFI_ADJUST_CFA_OFFSET -8call schedule_tail# rdi: 'prev' task parameterGET_THREAD_INFO(%rcx)RESTORE_RESTtestl $3, CS-ARGOFFSET(%rsp)# from kernel_thread?je int_ret_from_sys_calltestl $_TIF_IA32, TI_flags(%rcx)# 32-bit compat task needs IRETjnz int_ret_from_sys_callRESTORE_TOP_OF_STACK %rdi, -ARGOFFSETjmp ret_from_sys_call# go to the SYSRET fastpathCFI_ENDPROCEND(ret_from_fork) 

此时跳入int_ret_from_sys_call，因为此时堆栈中CS寄存器特权级为0.

/* * Syscall return path ending with IRET. * Has correct top of stack, but partial stack frame. */GLOBAL(int_ret_from_sys_call)DISABLE_INTERRUPTS(CLBR_NONE)TRACE_IRQS_OFFtestl $3,CS-ARGOFFSET(%rsp)je retint_restore_argsretint_restore_args:/* return to kernel space */DISABLE_INTERRUPTS(CLBR_ANY)/* * The iretq could re-enable interrupts: */TRACE_IRQS_IRETQrestore_args:RESTORE_ARGS 0,8,0irq_return:INTERRUPT_RETURN 

 

这样，子进程就会调用INTERRUPT_RETURN指令（iret）。硬件中断恢复父进程创建的伪中断堆栈，执行child_rip代码段：

ENTRY(child_rip)pushq $0# fake return addressCFI_STARTPROC/* * Here we are in the child and the registers are set as they were * at kernel_thread() invocation in the parent. */movq %rdi, %raxmovq %rsi, %rdicall *%rax# exitmov %eax, %edicall do_exitud2# padding for call traceCFI_ENDPROCEND(child_rip) 

此时rdi寄存器存放的kernel_thread传递的执行函数指针int (*fn)(void *), rsi 存放args，通过call，进入到kernel_thread所需要执行的函数。执行完do_exit。

 

整个过程就是这样子的，关键是整个过程中堆栈情况要搞清楚就行了。其中do_fork的工作，和用户空间系统调用fork陷入do_fork做的事一样的。如果是用户空间过来的，在ret_from_fork中，对比cs寄存器时，特权级为3，就会从ret_from_sys_call返回用户空间。还是很烦的。