/**
 *  sys_kill - send a signal to a process
 *  @pid: the PID of the process
 *  @sig: signal to be sent
 */
SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
{
	struct kernel_siginfo info; // info是signal的结构体

	prepare_kill_siginfo(sig, &info);

	return kill_something_info(sig, &info, pid);
}

typedef struct kernel_siginfo {
	__SIGINFO;
} kernel_siginfo_t;

struct {				\
	int si_signo; /* Signal number */
	int si_errno；/* An errno value */
	int si_code; // 产生信号的原因
	union __sifields _sifields;
}

static inline void prepare_kill_siginfo(int sig, struct kernel_siginfo *info)
{
	clear_siginfo(info);
	info->si_signo = sig; // 传入的信号
	info->si_errno = 0;
	info->si_code = SI_USER; // 产生自用户空间
	info->si_pid = task_tgid_vnr(current); // 主要是从当前namespace 中找到对应的pid号。
	info->si_uid = from_kuid_munged(current_user_ns(), current_uid()); // 返回0，也就是root用户
}

/*
 * si_code values
 * Digital reserves positive values for kernel-generated signals.
 */
#define SI_USER		0		/* sent by kill, sigsend, raise 由kill、raise等发送的*/
#define SI_KERNEL	0x80		/* sent by the kernel from somewhere 从内核某处发送 */
#define SI_QUEUE	-1		/* sent by sigqueue */
#define SI_TIMER	-2		/* sent by timer expiration */
#define SI_MESGQ	-3		/* sent by real time mesq state change */
#define SI_ASYNCIO	-4		/* sent by AIO completion */
#define SI_SIGIO	-5		/* sent by queued SIGIO */
#define SI_TKILL	-6		/* sent by tkill system call */
#define SI_DETHREAD	-7		/* sent by execve() killing subsidiary threads */
#define SI_ASYNCNL	-60		/* sent by glibc async name lookup completion */

#define SI_FROMUSER(siptr)	((siptr)->si_code <= 0)
#define SI_FROMKERNEL(siptr)	((siptr)->si_code > 0)

/*
 * We don't use read_sysreg() as we want the compiler to cache the value where
 * possible.
 */
static __always_inline struct task_struct *get_current(void)
{
	unsigned long sp_el0;

	asm ("mrs %0, sp_el0" : "=r" (sp_el0));

	return (struct task_struct *)sp_el0;
}

#define current get_current() // 获取当前运行的task_struct

pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
			struct pid_namespace *ns)
{
	pid_t nr = 0;  // pid_t 宏定义 int 变量

	rcu_read_lock(); // 申请rcu锁
	if (!ns)
		ns = task_active_pid_ns(current);
	nr = pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
	rcu_read_unlock(); // 释放rcu锁

	return nr;
}

struct pid_namespace *task_active_pid_ns(struct task_struct *tsk)
{
	return ns_of_pid(task_pid(tsk));
}

static inline struct pid_namespace *ns_of_pid(struct pid *pid)
{
	struct pid_namespace *ns = NULL;
	if (pid)
		ns = pid->numbers[pid->level].ns;
	return ns;
}

pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns)
{
	struct upid *upid;
	pid_t nr = 0;

	if (pid && ns->level <= pid->level) {
		upid = &pid->numbers[ns->level];
		if (upid->ns == ns)
			nr = upid->nr;
	}
	return nr;
}

static int kill_something_info(int sig, struct kernel_siginfo *info, pid_t pid)
{
	int ret;

	if (pid > 0)
		return kill_proc_info(sig, info, pid);
	...
}

static int kill_proc_info(int sig, struct kernel_siginfo *info, pid_t pid)
{
	int error;
	rcu_read_lock();
	error = kill_pid_info(sig, info, find_vpid(pid));
	rcu_read_unlock();
	return error;
}

struct pid *find_vpid(int nr)
{
	return find_pid_ns(nr, task_active_pid_ns(current));
}

int kill_pid_info(int sig, struct kernel_siginfo *info, struct pid *pid)
{
	int error = -ESRCH;
	struct task_struct *p;

	for (;;) {
		rcu_read_lock();
		p = pid_task(pid, PIDTYPE_PID);
		if (p)
			error = group_send_sig_info(sig, info, p, PIDTYPE_TGID);
		rcu_read_unlock();
		if (likely(!p || error != -ESRCH))
			return error;

		/*
		 * The task was unhashed in between, try again.  If it
		 * is dead, pid_task() will return NULL, if we race with
		 * de_thread() it will find the new leader.
		 */
	}
}

struct task_struct *pid_task(struct pid *pid, enum pid_type type)
{
	struct task_struct *result = NULL;
	if (pid) {
		struct hlist_node *first;
		first = rcu_dereference_check(hlist_first_rcu(&pid->tasks[type]),
					      lockdep_tasklist_lock_is_held());
		if (first)
			result = hlist_entry(first, struct task_struct, pid_links[(type)]);
	}
	return result;
}

int group_send_sig_info(int sig, struct kernel_siginfo *info,
			struct task_struct *p, enum pid_type type)
{
	int ret;

	rcu_read_lock();
	ret = check_kill_permission(sig, info, p); 
    // 检查是否是有效信号，检测是否来自用户或内核
    // 来自用户需要记录审计日志后返回0，来自内核直接返回0
	rcu_read_unlock();

	if (!ret && sig) // 如果是有效信号，调用do_send_sig_info
		ret = do_send_sig_info(sig, info, p, type);

	return ret;
}

/*
 * Bad permissions for sending the signal
 * - the caller must hold the RCU read lock
 */
static int check_kill_permission(int sig, struct kernel_siginfo *info,
				 struct task_struct *t)
{
	struct pid *sid;
	int error;

	if (!valid_signal(sig))  // return sig <= _NSIG ? 1 : 0; _NSIG == 64 这里检测是否是一个有效的信号
		return -EINVAL; // EINVAL 宏定义 22

	if (!si_fromuser(info)) // si_fromuser判断是否是来自用户，是返回True
		return 0;

	error = audit_signal_info(sig, t); // 记录审计日志，这里始终返回0
	if (error)
		return error;

	if (!same_thread_group(current, t) && // current和当前进程信号是否一致
	    !kill_ok_by_cred(t)) {
		switch (sig) {
		case SIGCONT:
			sid = task_session(t);
			/*
			 * We don't return the error if sid == NULL. The
			 * task was unhashed, the caller must notice this.
			 */
			if (!sid || sid == task_session(current))
				break;
			fallthrough;
		default:
			return -EPERM;
		}
	}

	return security_task_kill(t, info, sig, NULL); // 返回0
}

static inline bool si_fromuser(const struct kernel_siginfo *info)
{
	return info == SEND_SIG_NOINFO || // SEND_SIG_NOINFO为SI_USER，这里info.si_code为SI_USER故为True
		(!is_si_special(info) && SI_FROMUSER(info)); 
    	// is_si_special函数关键处为info <= SEND_SIG_PRIV; SEND_SIG_PRIV即SI_KERNEL表示由内核发送
    	// 故is_si_special(info)为True，即!is_si_special(info)为false
    	// SI_FROMUSER为下列宏定义
    	// #define SI_FROMUSER(siptr)	((siptr)->si_code <= 0)
    	// 故这里SI_FROMUSER(info)为True
    	// 综上所述，si_fromuser判断sig是否来自用户
}

/**
 * audit_signal_info - record signal info for shutting down audit subsystem
 * @sig: signal value
 * @t: task being signaled
 *
 * If the audit subsystem is being terminated, record the task (pid)
 * and uid that is doing that.
 */
int audit_signal_info(int sig, struct task_struct *t)
{
	kuid_t uid = current_uid(), auid;

	if (auditd_test_task(t) && // auditd_test_task判断是否是注册的审计进程，是返回1，否返回0
	    (sig == SIGTERM || sig == SIGHUP ||
	     sig == SIGUSR1 || sig == SIGUSR2)) { // 如果sig是SIGTERM、SIGHUP或用户自定义的SIGUSR1和SIGUSR2
		audit_sig_pid = task_tgid_nr(current);
		auid = audit_get_loginuid(current);
		if (uid_valid(auid))
			audit_sig_uid = auid;
		else
			audit_sig_uid = uid;
		security_task_getsecid(current, &audit_sig_sid);
	}

	return audit_signal_info_syscall(t); // 始终返回0
}

/**
 * auditd_test_task - Check to see if a given task is an audit daemon
 * @task: the task to check
 *
 * Description:
 * Return 1 if the task is a registered audit daemon, 0 otherwise.
 */
int auditd_test_task(struct task_struct *task)
{
	int rc;
	struct auditd_connection *ac;

	rcu_read_lock();
	ac = rcu_dereference(auditd_conn); // 
	rc = (ac && ac->pid == task_tgid(task) ? 1 : 0); 
    // task_tgid通过task_struct获取pid结构体，而ac是Linux audit守护进程，负责将审计记录写入磁盘，使用ausearch或aureport实用程序查看日志。
	rcu_read_unlock();

	return rc;
}

int do_send_sig_info(int sig, struct kernel_siginfo *info, struct task_struct *p,
			enum pid_type type)
{
	unsigned long flags;
	int ret = -ESRCH;

	if (lock_task_sighand(p, &flags)) { // 获取信号处理函数锁
		ret = send_signal(sig, info, p, type);
		unlock_task_sighand(p, &flags);
	}

	return ret;
}

static int send_signal(int sig, struct kernel_siginfo *info, struct task_struct *t,
			enum pid_type type)
{
	/* Should SIGKILL or SIGSTOP be received by a pid namespace init? */
    // pid namespace init是否需要接收SIGKILL or SIGSTOP
	bool force = false;

	if (info == SEND_SIG_NOINFO) {
		/* Force if sent from an ancestor pid namespace */
        // 如果来自祖先用户空间，则强制发送
		force = !task_pid_nr_ns(current, task_active_pid_ns(t));
	} else if (info == SEND_SIG_PRIV) {
		/* Don't ignore kernel generated signals */
        // 来自内核的信号不会被忽略
		force = true;
	} else if (has_si_pid_and_uid(info)) {
		/* SIGKILL and SIGSTOP is special or has ids */
		struct user_namespace *t_user_ns;

		rcu_read_lock();
		t_user_ns = task_cred_xxx(t, user_ns);
		if (current_user_ns() != t_user_ns) {
			kuid_t uid = make_kuid(current_user_ns(), info->si_uid);
			info->si_uid = from_kuid_munged(t_user_ns, uid);
		}
		rcu_read_unlock();

		/* A kernel generated signal? */
		force = (info->si_code == SI_KERNEL);

		/* From an ancestor pid namespace? */
		if (!task_pid_nr_ns(current, task_active_pid_ns(t))) {
			info->si_pid = 0;
			force = true;
		}
	}
	return __send_signal(sig, info, t, type, force);
}

pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
			struct pid_namespace *ns)
{
    //参数中的 ns = task_active_pid_ns(t)是返回目标进程的namespace
    // 这里的task是current，也就是当前进程的task_struct
	pid_t nr = 0;  // pid_t 宏定义 int 变量

	rcu_read_lock(); // 申请rcu锁
	if (!ns)
		ns = task_active_pid_ns(current); // 返回pid也就是调用kill的进程所在的命名空间
	nr = pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); // 从当前namespace 中找到对应的pid号
	rcu_read_unlock(); // 释放rcu锁

	return nr;
}

pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns)
{
	struct upid *upid;
	pid_t nr = 0;

	if (pid && ns->level <= pid->level) {
		upid = &pid->numbers[ns->level]; // 获取和目标进程处于同一level的namespace
		if (upid->ns == ns) // 当前进程和目标进程是不是同一个命名空间
			nr = upid->nr;
	}
	return nr;
}

static int __send_signal(int sig, struct kernel_siginfo *info, struct task_struct *t,
			enum pid_type type, bool force)
{
    struct sigpending *pending; // sig的链表，保存了进程上尚未处理的信号
	struct sigqueue *q; // 实时信号可能会排队，使用队列实现
	int override_rlimit;
	int ret = 0, result;

	assert_spin_locked(&t->sighand->siglock); // 自旋锁

	result = TRACE_SIGNAL_IGNORED;
	// 判断该信号SIGKILL或者SIGSTOP是否是发送给init，如果是则忽略
	if (!prepare_signal(sig, t, force))
		goto ret;
}

static bool sig_task_ignored(struct task_struct *t, int sig, bool force)
{
	void __user *handler;

	handler = sig_handler(t, sig);

	/* SIGKILL and SIGSTOP may not be sent to the global init */
	// SIGKILL and SIGSTOP不会被发送到global init进程
	// 如果是SIGKILL and SIGSTOP目标进程是init进程
	if (unlikely(is_global_init(t) && sig_kernel_only(sig)))
		return true;

    // 这里的flag标志是task_struct的标志，见下面
    // SIGNAL_UNKILLABLE为进程刚被fork，但是还没被执行，所以这里是如果进程刚被创建，但是还没被执行，返回true
	// 如果是默认的handle
    // 不是SIGKILL或者是SIGSTOP并且可以被发送到进程
    // 所以这里标识如果进程刚被fork，发送的信号不是必须被处理的信号，且handle是默认的handle，则不能响应信号
    if (unlikely(t->signal->flags & SIGNAL_UNKILLABLE) &&
	    handler == SIG_DFL && !(force && sig_kernel_only(sig)))
		return true;

	/* Only allow kernel generated signals to this kthread */
    // PF_KTHREAD是内核线程
	if (unlikely((t->flags & PF_KTHREAD) &&
		     (handler == SIG_KTHREAD_KERNEL) && !force))
		return true;

	return sig_handler_ignored(handler, sig);
}

// flag可能取值如下：
PF_FORKNOEXEC 进程刚创建，但还没执行。
PF_SUPERPRIV 超级用户特权。
PF_DUMPCORE dumped core。
PF_SIGNALED 进程被信号(signal)杀出。
PF_EXITING 进程开始关闭

static inline bool sig_handler_ignored(void __user *handler, int sig)
{
	/* Is it explicitly or implicitly ignored? */
	// 属于可以被忽略的信号
	return handler == SIG_IGN ||
	// 默认信号处理程序，也就是说信号是SIGCONT，SIGCHLD，SIGWINCH，SIGURG他们的默认处理信号是忽略
	       (handler == SIG_DFL && sig_kernel_ignore(sig));
}

#define sig_kernel_ignore(sig)		siginmask(sig, SIG_KERNEL_IGNORE_MASK)

#define SIG_KERNEL_IGNORE_MASK (\
        rt_sigmask(SIGCONT)   |  rt_sigmask(SIGCHLD)   | \
	rt_sigmask(SIGWINCH)  |  rt_sigmask(SIGURG)    )

SIGCHLD：
● 子进程终止时；
● 子进程接收到SIGSTOP信号停止时；
● 子进程处在停止态，接收到SIGCONT信号后被唤醒时。
SIGWINCH:
窗口大小改变时
SIGURG：
有"紧急"数据或out-of-band数据到达socket时产生.