^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) .. SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) Using FS and GS segments in user space applications
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) ===================================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) The x86 architecture supports segmentation. Instructions which access
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) memory can use segment register based addressing mode. The following
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) notation is used to address a byte within a segment:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10)   Segment-register:Byte-address
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) The segment base address is added to the Byte-address to compute the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) resulting virtual address which is accessed. This allows access to multiple
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) instances of data with the identical Byte-address, i.e. the same code. The
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) selection of a particular instance is purely based on the base-address in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) the segment register.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) In 32-bit mode the CPU provides 6 segments, which also support segment
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) limits. The limits can be used to enforce address space protections.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) In 64-bit mode the CS/SS/DS/ES segments are ignored and the base address is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) always 0 to provide a full 64-bit address space. The FS and GS segments are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) still functional in 64-bit mode.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) Common FS and GS usage
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) ------------------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) The FS segment is commonly used to address Thread Local Storage (TLS). FS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) is usually managed by runtime code or a threading library. Variables
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) declared with the '__thread' storage class specifier are instantiated per
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) thread and the compiler emits the FS: address prefix for accesses to these
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) variables. Each thread has its own FS base address so common code can be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) used without complex address offset calculations to access the per thread
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) instances. Applications should not use FS for other purposes when they use
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) runtimes or threading libraries which manage the per thread FS.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) The GS segment has no common use and can be used freely by
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) applications. GCC and Clang support GS based addressing via address space
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) identifiers.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) Reading and writing the FS/GS base address
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) ------------------------------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) There exist two mechanisms to read and write the FS/GS base address:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) - the arch_prctl() system call
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) - the FSGSBASE instruction family
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) Accessing FS/GS base with arch_prctl()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) --------------------------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) The arch_prctl(2) based mechanism is available on all 64-bit CPUs and all
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) kernel versions.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) Reading the base:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58)    arch_prctl(ARCH_GET_FS, &fsbase);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59)    arch_prctl(ARCH_GET_GS, &gsbase);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) Writing the base:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63)    arch_prctl(ARCH_SET_FS, fsbase);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64)    arch_prctl(ARCH_SET_GS, gsbase);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) The ARCH_SET_GS prctl may be disabled depending on kernel configuration
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) and security settings.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) Accessing FS/GS base with the FSGSBASE instructions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) ---------------------------------------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) With the Ivy Bridge CPU generation Intel introduced a new set of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) instructions to access the FS and GS base registers directly from user
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) space. These instructions are also supported on AMD Family 17H CPUs. The
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) following instructions are available:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) =============== ===========================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) RDFSBASE %reg   Read the FS base register
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) RDGSBASE %reg   Read the GS base register
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) WRFSBASE %reg   Write the FS base register
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) WRGSBASE %reg   Write the GS base register
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) =============== ===========================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) The instructions avoid the overhead of the arch_prctl() syscall and allow
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) more flexible usage of the FS/GS addressing modes in user space
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) applications. This does not prevent conflicts between threading libraries
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) and runtimes which utilize FS and applications which want to use it for
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) their own purpose.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) FSGSBASE instructions enablement
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) The instructions are enumerated in CPUID leaf 7, bit 0 of EBX. If
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) available, /proc/cpuinfo shows 'fsgsbase' in the flags entry of the CPUs.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) The availability of the instructions does not enable them
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) automatically. The kernel has to enable them explicitly in CR4. The
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) reason for this is that older kernels make assumptions about the values in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) the GS register and enforce them when GS base is set via
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) arch_prctl(). Allowing user space to write arbitrary values to GS base
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) would violate these assumptions and cause malfunction.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) On kernels which do not enable FSGSBASE the execution of the FSGSBASE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) instructions will fault with a #UD exception.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) The kernel provides reliable information about the enabled state in the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) ELF AUX vector. If the HWCAP2_FSGSBASE bit is set in the AUX vector, the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) kernel has FSGSBASE instructions enabled and applications can use them.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) The following code example shows how this detection works::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110)    #include <sys/auxv.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111)    #include <elf.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113)    /* Will be eventually in asm/hwcap.h */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114)    #ifndef HWCAP2_FSGSBASE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115)    #define HWCAP2_FSGSBASE (1 << 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116)    #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118)    ....
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120)    unsigned val = getauxval(AT_HWCAP2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122)    if (val & HWCAP2_FSGSBASE)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123)        printf("FSGSBASE enabled\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124)
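The following is an added example, not part of the kernel documentation: it reads the FS base with RDFSBASE only when the AUX vector reports HWCAP2_FSGSBASE, falls back to arch_prctl() otherwise, and cross-checks the result against the word at ``%fs:0``. It assumes x86-64 Linux with glibc or musl; the function names are hypothetical, and inline assembly is used instead of the intrinsics so that no -mfsgsbase option is needed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/syscall.h>
#include <asm/prctl.h>

#ifndef HWCAP2_FSGSBASE
#define HWCAP2_FSGSBASE (1 << 1)
#endif

/* Nonzero only if the kernel enabled FSGSBASE in CR4; the CPUID bit alone is not enough. */
static int fsgsbase_enabled(void)
{
	return (getauxval(AT_HWCAP2) & HWCAP2_FSGSBASE) != 0;
}

/* Always-available path: arch_prctl(ARCH_GET_FS) issued through syscall(2). */
static unsigned long fs_base_syscall(void)
{
	unsigned long base = 0;
	if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
		return 0;
	return base;
}

/* RDFSBASE when enabled, otherwise the syscall, so the instruction never raises #UD. */
static unsigned long fs_base(void)
{
	unsigned long base;
	if (!fsgsbase_enabled())
		return fs_base_syscall();
	__asm__ volatile("rdfsbase %0" : "=r"(base));
	return base;
}

/* Load the word at FS offset 0; the x86-64 TLS ABI stores the thread pointer there. */
static unsigned long fs_word0(void)
{
	unsigned long v;
	__asm__ volatile("mov %%fs:0, %0" : "=r"(v));
	return v;
}

int main(void)
{
	printf("FSGSBASE %s, FS base %#lx, %%fs:0 %#lx\n", fsgsbase_enabled() ? "enabled" : "not enabled", fs_base(), fs_word0());
	return 0;
}
```
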
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) FSGSBASE instructions compiler support
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) GCC version 4.6.4 and newer provide intrinsics for the FSGSBASE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) instructions. Clang 5 supports them as well.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) =================== ===========================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) _readfsbase_u64()   Read the FS base register
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) _readgsbase_u64()   Read the GS base register
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) _writefsbase_u64()  Write the FS base register
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) _writegsbase_u64()  Write the GS base register
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) =================== ===========================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) To utilize these intrinsics <immintrin.h> must be included in the source
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) code and the compiler option -mfsgsbase has to be added.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) Compiler support for FS/GS based addressing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) -------------------------------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) GCC version 6 and newer provide support for FS/GS based addressing via
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) Named Address Spaces. GCC implements the following address space
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) identifiers for x86:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) ========= ====================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) __seg_fs  Variable is addressed relative to FS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) __seg_gs  Variable is addressed relative to GS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) ========= ====================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) The preprocessor symbols __SEG_FS and __SEG_GS are defined when these
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) address spaces are supported. Code which implements fallback modes should
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) check whether these symbols are defined. Usage example::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157)    #ifdef __SEG_GS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159)    long data0 = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160)    long data1 = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162)    long __seg_gs *ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164)    /* Check whether FSGSBASE is enabled by the kernel (HWCAP2_FSGSBASE) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165)    ....
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167)    /* Set GS base to point to data0; the intrinsic takes an integer, not a pointer */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168)    _writegsbase_u64((unsigned long long)&data0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170)    /* Access offset 0 of GS */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171)    ptr = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172)    printf("data0 = %ld\n", *ptr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174)    /* Set GS base to point to data1 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175)    _writegsbase_u64((unsigned long long)&data1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176)    /* ptr still addresses offset 0! */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177)    printf("data1 = %ld\n", *ptr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178)    #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) Clang does not provide the GCC address space identifiers, but it provides
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) address spaces via an attribute based mechanism in Clang 2.6 and newer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) versions:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) ==================================== =====================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) __attribute__((address_space(256)))  Variable is addressed relative to GS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) __attribute__((address_space(257)))  Variable is addressed relative to FS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) ==================================== =====================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) FS/GS based addressing with inline assembly
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) -------------------------------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) In case the compiler does not support address spaces, inline assembly can
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) be used for FS/GS based addressing mode::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195)    mov %fs:offset, %reg
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196)    mov %gs:offset, %reg
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198)    mov %reg, %fs:offset
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199)    mov %reg, %gs:offset