1.编译附件step1.c和step2.c，创建目录tmp_dir，执行sync
2.挂载step1.img到tmp_dir，执行./step1 tmp_dir，然后umount tmp_dir
3.挂载step2.img到tmp_dir，执行./step2 tmp_dir，然后umount tmp_dir，系统发生crash（如果没有发生，则重新拷贝step1.img和step2.img后执行sync，再重复步奏2和3）

以下是几种调用栈：
1）crash> bt
PID: 2769 TASK: ffff800062da7c00 CPU: 3 COMMAND: "mount"
#0 [ffff0000181cf520] machine_kexec at ffff0000080a2c14
#1 [ffff0000181cf580] __crash_kexec at ffff0000081b0c30
#2 [ffff0000181cf710] crash_kexec at ffff0000081b0d58
#3 [ffff0000181cf740] die at ffff00000808f6fc
#4 [ffff0000181cf780] die_kernel_fault at ffff0000080aa530
#5 [ffff0000181cf7b0] __do_kernel_fault at ffff0000080aa234
#6 [ffff0000181cf7e0] do_translation_fault at ffff000008a03474
#7 [ffff0000181cf810] do_mem_abort at ffff0000080812cc
#8 [ffff0000181cfa10] el1_ia at ffff000008083214
PC: ffff0000083021d8 [__kmalloc+176]
LR: ffff00000830218c [__kmalloc+100]
SP: ffff0000181cfa20 PSTATE: 20000005
X29: ffff0000181cfa20 X28: ffff800065e00800 X27: ffff000003da1000
X26: ffff800069fae750 X25: ffff000003de0000 X24: ffff8000fbedfa00
X23: ffff8000fbedfa00 X22: ffff000003d9f7d8 X21: 0000000000000100
X20: 00000000006086c0 X19: 10ffff800069fecd X18: ffffffffffffffff
X17: 0000000000000000 X16: 0000000000000000 X15: 0000000000000001
X14: ffff000008ade410 X13: 0000000000000000 X12: 0000000000000000
X11: ffff0000181cfa50 X10: ffff000003ddea40 X9: 0000000000000000
X8: ffff80006d5b7a50 X7: 0000000000000000 X6: 000000000000003f
X5: 0000000000001e97 X4: ffff8000ffb30bc0 X3: ffff0000092737c8
X2: ffff7fe0001a7f80 X1: 00008000f6bd0000 X0: 0000000000000000
#9 [ffff0000181cfa20] __kmalloc at ffff0000083021d4
#10 [ffff0000181cfa60] kmem_alloc at ffff000003d9f7d4 [xfs]
#11 [ffff0000181cfaa0] xlog_alloc_log at ffff000003da0a04 [xfs]
#12 [ffff0000181cfb30] xfs_log_mount at ffff000003da1b30 [xfs]
#13 [ffff0000181cfb70] xfs_mountfs at ffff000003d94848 [xfs]
#14 [ffff0000181cfbf0] xfs_fs_fill_super at ffff000003d9b348 [xfs]
#15 [ffff0000181cfc50] mount_bdev at ffff000008337f0c
#16 [ffff0000181cfca0] xfs_fs_mount at ffff000003d99660 [xfs]
#17 [ffff0000181cfcd0] mount_fs at ffff000008338afc
#18 [ffff0000181cfd20] vfs_kern_mount at ffff00000835dce8
#19 [ffff0000181cfd60] do_mount at ffff000008361238
#20 [ffff0000181cfe00] ksys_mount at ffff000008361df8
#21 [ffff0000181cfe40] __arm64_sys_mount at ffff000008361e9c
#22 [ffff0000181cfe60] el0_svc_common at ffff0000080982a4
#23 [ffff0000181cfea0] el0_svc_handler at ffff000008098394
#24 [ffff0000181cfff0] el0_svc at ffff000008084184

2）crash> bt
PID: 3762 TASK: ffff80006ca80000 CPU: 3 COMMAND: "bash"
#0 [ffff00000d0ef880] machine_kexec at ffff0000080a2c14
#1 [ffff00000d0ef8e0] __crash_kexec at ffff0000081b0c30
#2 [ffff00000d0efa70] crash_kexec at ffff0000081b0d58
#3 [ffff00000d0efaa0] die at ffff00000808f6fc
#4 [ffff00000d0efae0] die_kernel_fault at ffff0000080aa530
#5 [ffff00000d0efb10] __do_kernel_fault at ffff0000080aa234
#6 [ffff00000d0efb40] do_alignment_fault at ffff0000080aa274
#7 [ffff00000d0efb70] do_mem_abort at ffff0000080812cc
#8 [ffff00000d0efd70] el1_ia at ffff000008083214
PC: ffff0000089dedc4 [__ll_sc___cmpxchg_case_acq_8+4]
LR: ffff0000089fd43c [mutex_lock+44]
SP: ffff00000d0efd80 PSTATE: 60000005
X29: ffff00000d0efd80 X28: ffff80006ca80000 X27: 0000000000000000
X26: 0000000000000000 X25: 0000000056000000 X24: ffff8000412fac80
X23: ffff8000417491f8 X22: ffff8000fb903da0 X21: ffff8000412fac80
X20: ffff8000638e6500 X19: ffff8000600ac011 X18: 0000000000000000
X17: 0000000000000000 X16: ffff8000638e6500 X15: 0000000000000000
X14: 0000000000000000 X13: 0000000000000000 X12: 0000000000000000
X11: 0000000000000000 X10: 0000000000000000 X9: 0000000000000000
X8: 0000000000000000 X7: 0000000000000000 X6: 0000000000000000
X5: 0000000000000000 X4: 0000000000000000 X3: 0000000000000001
X2: ffff80006ca80000 X1: 0000000000000000 X0: ffff8000600ac011
#9 [ffff00000d0efd80] __ll_sc___cmpxchg_case_acq_8 at ffff0000089dedc0
#10 [ffff00000d0efda0] pipe_release at ffff00000833f8b0
#11 [ffff00000d0efdd0] __fput at ffff0000083359e8
#12 [ffff00000d0efe20] ____fput at ffff000008335b9c
#13 [ffff00000d0efe40] task_work_run at ffff000008110918
#14 [ffff00000d0efe80] do_notify_resume at ffff00000808e940
#15 [ffff00000d0efff0] work_pending at ffff000008084060

3） 此情况下系统会卡在kdump内核中，无法复位。日志详见附件中的serial.log
[ 125.082365] Process NetworkManager (pid: 1444, stack limit = 0x00000000b19c5d2d)
[ 125.084701] CPU: 1 PID: 1444 Comm: NetworkManager Kdump: loaded Not tainted 4.19.95-2002.1.0.0027.aarch64 #1
[ 125.087424] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[ 125.089742] pstate: 00000005 (nzcv daif -PAN -UAO)
[ 125.091717] pc : __mutex_lock.isra.1+0x338/0x548
[ 125.093650] lr : __mutex_lock.isra.1+0x3c/0x548
[ 125.095588] sp : ffff00000dd2f820
[ 125.097330] x29: ffff00000dd2f820 x28: ffff00000dd2f968
[ 125.099342] x27: ffff00000dd2fa94 x26: ffff8000fea0ec01
[ 125.101369] x25: 0000000000000000 x24: 0000000000000020
[ 125.103472] x23: 0000000000000002 x22: ffff8000fea0ec00
[ 125.105649] x21: ffff000009273000 x20: ffff8000615f6600
[ 125.107645] x19: ffff8000615f6600 x18: 0000000000000000
[ 125.109606] x17: 0000000000000011 x16: 0000000000000011
[ 125.111845] x15: 0000000000000000 x14: 0000000000000000
[ 125.113813] x13: ffff000008a6e2e8 x12: 0000000000000003
[ 125.115822] x11: ffff000008a6e2c0 x10: 0000000000000b80
[ 125.117766] x9 : ffff00000dd2f840 x8 : ffff00000b20f940
[ 125.119733] x7 : 0000000000000000 x6 : ffff0000083901c8
[ 125.121633] x5 : ffff8000ff211b80 x4 : ffff8000fea0ec38
[ 125.123522] x3 : ffff800060e66c80 x2 : 0000000000000000
[ 125.125414] x1 : 0000000000000011 x0 : 0000000000000010
[ 125.127295] Call trace:
[ 125.128778] __mutex_lock.isra.1+0x338/0x548
[ 125.130474] __mutex_lock_slowpath+0x24/0x30
[ 125.132162] mutex_lock+0x50/0x60
[ 125.133670] ep_scan_ready_list.isra.3+0x288/0x2b8
[ 125.135388] ep_eventpoll_poll+0x78/0xa0
[ 125.137037] do_sys_poll+0x390/0x560
[ 125.138530] __arm64_sys_ppoll+0x180/0x1f8
[ 125.140411] el0_svc_common+0x78/0x130
[ 125.142051] el0_svc_handler+0x38/0x78
[ 125.143569] el0_svc+0x8/0xc