iret from PL#0 to PL#3 without tss

[Adek336]

I have the segments:
selector 0x8 - code for kernel, AR byte = 0x9a
0x10 - kernel data, 0x92
0x18 - user code, 0xFA
0x20 - user data, 0xF2

I have:

PUSHL $0x20 // SS
PUSHL $0x80000100 // ESP
PUSHL $0x212 // FLAGS
PUSHL $0x18 // CS
PUSHL $0x80000000 //EIP
IRET

0x80000000 is mapped into a hang function which works under PL#3.

Bochs returns a GPF, and CS, SS, ESP, EIP remain the same. It works if I change the PUSHL $0x18 to PUSHL $0x8 so to kernel code.

I do not use TSSs.

Any ideas?

Thanx in advance,
Adrian.

[Chris Giese]

>I do not use TSSs.

You must. The TSS stores the ring 0 SS and ESP while the ring 3 code runs. You need not, however, use the weird TSS-based task-switch system.

1. Make a TSS. Disable the I/O permission bitmap by setting its offset in the TSS to 104.
2. In the GDT, put a type 0x89 descriptor containing the linear address of the TSS
3. Use the LTR instruction to load a selector for this descriptor into the TR register. Note that LTR is illegal in real mode.

Also, IRET doesn't automatically store the ring 0 ESP in the TSS, which is...surprising. You must do that yourself, before IRET.

[distantvoices]

@ Chris Giese: surprising ... nay, it's logic from the view of the processor: esp0 is stored in a tss, and it can only update this value whilst loading a new tss and restoring cpu hardware state. When you do software stack based task switching, you have to do this update yourself, because the tss isn't replaced.

esp0 isn't updated upon iret even when you do hardware task switching. it is updated upon jmp [tss-sel]:0.

@adrian: regarding task switching: look at www.distantvoices.org. there is a link called "multitasking howto". Read throu' it, maybe it is of help

[Adek336]

no success :-\

I have a segment for the kernel tss, but ltr 0x18 (the selector) dooms the kernel to GPF.

Could send me the specs on what limit, flags and attribs a tss segment must have?

Cheers.
Adrian.

[Pype.Clicker]

they should all be documented in the Intel Manuals. Afaik, the limit must be at least of 0x68 bytes, and you cannot jump to an active TSS. Of course, your TSS must be present, etc.

Also make sure your user code's segment is large enough and that pages on which your "hang" function and user stack are user-accessible as read-write (well, the code should be read only if it's the only stuff present on the page) if you have paging enabled... (the page table entry should be accessible for the user too, iirc)

[bla]

You need to have one TSS structure even if you are not using hardware switching.

I found that on iret, if you do not have a valid SS0 and SP0 in the TSS struct, bochs throws an error(something like NULL segment descriptor). This seems weird since the manual does not say anything about TSS on iret.
Try using a valid SS0 and SP0 in a TSS struct.
(not sure yet why this is but it seems to work).

Also, remember that you are in ring 3 and if at this stage, you are running with paging enable, you will get a page fault exception if all the kernel pages are at user level.

[Adek336]

it works!
i had a walking stack eating and destroying every dynamic data I allocated, but now it not anymore a problem.

One thing is unclear for me: I alloc the piece of memory, where a PL3 task goes after the timer IRQ, there I dump the registers, load another one, load regs, and the stacks change. But with a PL0 task the task would run on the register stack! In this case I should not alloc another stack but just make the regdump one bigger. Do you have such an issue in your scheduler designs?

Cheers,
Adrian.

[Pype.Clicker]

sorry, i cannot get what you mean ... could you be clearer ?

[Adek336]

pl3 tasks change the stack because iret changes ... but for pl0 tasks iret doesn't change stack, so the regs and the task pushes are in one stack-space

[Pype.Clicker]

what do you call a "task push" ?
And why bothering where registers are saved before you switch to another stack (did i understand correctly that you were now trying to do some software task switching by stack-switching ?) : when restoring the new stack pointer and then returning from the stack-switch function, you'll just have everything restored fine. The only register you have to care manually is ESP (and ESP0 content )

[Adek336]

task push -> an element on the stack pushed by a task

btw what does "afaik" and "iirc" mean?

[Pype.Clicker]

"afaik" stands for "As Far As I Know"
"iirc" stands for "If I Remember Correctly"
"imho" stands for "In My Humble Opinion"
"RTFM" stands for "Read The F**ing Manual", which usually means people don't feel like answering a dull (in their opinion) question because you could have the answer by just looking at a tool's manual). "STFW" ("Search The F**ing Web") is close but less used.

can't remember of other wellknown Internexpressions for now.

[distantvoices]

*lol* = laughing out loudly

*rofl* = rolling on the floor laughing

*rotfl* = rotating on the floor laughing

<pype> one should not forget the ancient "sarfl" = Shift Arithmetic Right on the Floor Laughing, that was used in combination with CopyCarryFlag in order to implement *rotfl* on old 8 bits machines that had no ROT operand </pype>

*dg* aka ];-> = daemon grin *hehehe*

aka = also known as


tack sa mycket

[Candy]

>I do not use TSSs.

You must. The TSS stores the ring 0 SS and ESP while the ring 3 code runs. You need not, however, use the weird TSS-based task-switch system.

AFAIK, you don't have to use TSS'es if you don't switch between CPL0 and CPL3 using a TSS-ish mechanism. If so, not using TSS'es combined with flat mode would completely overrule all segmentation overhead, so some companies decided to add instructions (yet some more) to be used for fast (and resp. faster) entry & exit from cpl0 mode.

That said, they are:

SYSENTER & SYSEXIT (indicated by bit 11 in cpuid #1)
SYSCALL & SYSRET (indicated by bit 11 in cpuid #80000001)

and I think the second one is AMD-only.

HTH, Candy