KernelAnalysis-HOWTO

KernelAnalysis-HOWTORoberto Arcomano v0.63 - July 31, 2002This document tries to explain some things about the Linux Kernel, such as the most important components, how they work, and so on. This HOWTO should help prevent the reader from needing to browse all the kernel source files searching for the"right function," declaration, and definition, and then linking each to the other. You can find the latest version of this document at If you have suggestions to help make this document better, please submit your ideas to me at the following address: IntroductionIntroduction

This HOWTO tries to define how parts of the Linux Kernel work, what are the main functions and data structures used, and how the "wheel spins". You can find the latest version of this document at If you have suggestions to help make this document better, please submit your ideas to me at the following address: Code used within this document refers to the Linux Kernel version 2.4.x, which is the last stable kernel version at time of writing this HOWTO.

Copyright (C) 2000,2001,2002 Roberto Arcomano. This document is free; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You can get a copy of the GNU GPL

Translations

If you want to translate this document you are free to do so. However, you will need to do the following:

Check that another version of the document doesn't already exist at your local LDPMaintain all 'Introduction' sections (including 'Introduction', 'Copyright', 'Translations' , 'Credits').

Warning! You don't have to translate TXT or HTML file, you have to modify LYX file, so that it is possible to convert it all other formats (TXT, HTML, RIFF, etc.): to do that you can use "LyX" application you download from .

No need to ask me to translate! You just have to let me know (if you want) about your translation.

Thank you for your translation!

Credits

Thanks to for publishing and uploading my document quickly.

Syntax usedFunction Syntax

When speaking about a function, we write:

entfunction_name ent file location . extension entent

For example:

entschedule entkernel/sched.centent

tells us that we talk about

entscheduleent

function retrievable from file

ent kernel/sched.c ent

Note: We also assume /usr/src/linux as the starting directory.

Indentation

Indentation in source code is 3 blank characters.

InterCallings AnalysisOverview

We use the"InterCallings Analysis "(ICA) to see (in an indented fashion) how kernel functions call each other.

For example, the sleepenton command is described in ICA below:

The indented ICA is followed by functions' locations:

sleepenton entkernel/sched.centinitentwaitqueueententry entinclude/linux/wait.hentententaddentwaitentqueuelistentadd entinclude/linux/list.hentententlistentaddschedule entkernel/sched.centententremoveentwaitentqueue entinclude/linux/wait.hentlistentdel entinclude/linux/list.hentententlistentdel

Note: We don't specify anymore file location, if specified just before.

Details

In an ICA a line like looks like the following

function1 -ent function2

means that ent function1 ent is a generic pointer to another function. In this case ent function1 ent points to ent function2 ent.

When we write:

function:

it means that ent function ent is not a real function. It is a label (typically assembler label).

In many sections we may report a ''C'' code or a ''pseudo-code''. In real source files, you could use ''assembler'' or ''not structured'' code. This difference is for learning purposes.

PROs of using ICA

The advantages of using ICA (InterCallings Analysis) are many:

You get an overview of what happens when you call a kernel function Function locations are indicated after the function, so ICA could also be considered as a little ''function reference''InterCallings Analysis (ICA) is useful in sleep/awake mechanisms, where we can view what we do before sleeping, the proper sleeping action, and what we'll do after waking up (after schedule).

CONTROs of using ICA

Some of the disadvantages of using ICA are listed below:

As all theoretical models, we simplify reality avoiding many details, such as real source code and special conditions.

Additional diagrams should be added to better represent stack conditions, data values, and so on.

FundamentalsWhat is the kernel?

The kernel is the "core" of any computer system: it is the "software" which allows users to share computer resources.

The kernel can be thought ofas the main software of the OS (Operating System), which may also include graphics management.

For example, under Linux (like other Unix-like OSs), the XWindow environment doesn't belong to the Linux Kernel, because it manages only graphical operations (it uses user mode I/O to access video card devices).

By contrast, Windows environments (Win9x, WinME, WinNT, Win2K, WinXP, and so on) are a mix between a graphical environment and kernel.

What is the difference between User Mode and Kernel Mode?Overview

Many years ago, when computers were as big as a room, users ran their applications with much difficulty and, sometimes, their applications crashed the computer.

Operative modes

To avoid having applications that constantly crashed, newer OSs were designed with 2 different operative modes:

Kernel Mode: the machine operates with critical data structure, direct hardware (IN/OUT or memory mapped), direct memory, IRQ, DMA, and so on.User Mode: users can run applications.

| Applications /|ent | ______________ | | | User Mode | | | ______________ | | | | Implementation | _______ _______ | Abstraction Detail | | Kernel Mode | | | _______________ | | | | | | | | | | ent|/ Hardware |

Kernel Mode "prevents" User Mode applications from damaging the system or its features.

Modern microprocessors implement in hardware at least 2 different states. For example under Intel, 4 states determine the PL (Privilege Level). It is possible to use 0,1,2,3 states, with 0 used in Kernel Mode.

Unix OS requires only 2 privilege levels, and we will use such a paradigm as point of reference.

Switching from User Mode to Kernel ModeWhen do we switch?

Once we understand that there are 2 different modes, we have to know when we switch from one to the other.

Typically, there are 2 points of switching:

When calling a System Call: after calling a System Call, the task voluntary calls pieces of code living in Kernel ModeWhen an IRQ (or exception) comes: after the IRQ an IRQ handler (or exception handler) is called, then control returns back to the task that was interrupted like nothing was happened.

System Calls

System calls are like special functions that manage OS routines which live in Kernel Mode.

A system call can be called when we:

access an I/O device or a file (like read or write)need to access privileged information (like pid, changing scheduling policy or other information)need to change execution context (like forking or executing some other application) need to execute a particular command (like ''chdir'', ''kill", ''brk'', or ''signal'')

| | -------ent| System Call i | (Accessing Devices) | | | | entsys_read()ent | | ... | | | | | system_call(i) |-------- | | | entread()ent | | | | ... | | | | system_call(j) |-------- | | | entget_pid()ent | | | | | ... | -------ent| System Call j | (Accessing kernel data structures) | | | entsys_getpid()ent| | | USER MODE KERNEL MODE Unix System Calls Working

System calls are almost the only interface used by User Mode to talk with low level resources (hardware). The only exception to this statement is when a process uses ''ioperm'' system call. In this case a device can be accessed directly by User Mode process (IRQs cannot be used).

NOTE: Not every ''C'' function is a system call, only some of them.

Below is a list of System Calls under Linux Kernel 2.4.17, from ent arch/i386/kernel/entry.S ent

.long SYMBOL_NAME(sys_ni_syscall) /* 0 - old entsetup()ent system call*/ .long SYMBOL_NAME(sys_exit) .long SYMBOL_NAME(sys_fork) .long SYMBOL_NAME(sys_read) .long SYMBOL_NAME(sys_write) .long SYMBOL_NAME(sys_open) /* 5 */ .long SYMBOL_NAME(sys_close) .long SYMBOL_NAME(sys_waitpid) .long SYMBOL_NAME(sys_creat) .long SYMBOL_NAME(sys_link) .long SYMBOL_NAME(sys_unlink) /* 10 */ .long SYMBOL_NAME(sys_execve) .long SYMBOL_NAME(sys_chdir) .long SYMBOL_NAME(sys_time) .long SYMBOL_NAME(sys_mknod) .long SYMBOL_NAME(sys_chmod) /* 15 */ .long SYMBOL_NAME(sys_lchown16) .long SYMBOL_NAME(sys_ni_syscall) /* old break syscall holder */ .long SYMBOL_NAME(sys_stat) .long SYMBOL_NAME(sys_lseek) .long SYMBOL_NAME(sys_getpid) /* 20 */ .long SYMBOL_NAME(sys_mount) .long SYMBOL_NAME(sys_oldumount) .long SYMBOL_NAME(sys_setuid16) .long SYMBOL_NAME(sys_getuid16) .long SYMBOL_NAME(sys_stime) /* 25 */ .long SYMBOL_NAME(sys_ptrace) .long SYMBOL_NAME(sys_alarm) .long SYMBOL_NAME(sys_fstat) .long SYMBOL_NAME(sys_pause) .long SYMBOL_NAME(sys_utime) /* 30 */ .long SYMBOL_NAME(sys_ni_syscall) /* old stty syscall holder */ .long SYMBOL_NAME(sys_ni_syscall) /* old gtty syscall holder */ .long SYMBOL_NAME(sys_access) .long SYMBOL_NAME(sys_nice) .long SYMBOL_NAME(sys_ni_syscall) /* 35 */ /* old ftime syscall holder */ .long SYMBOL_NAME(sys_sync) .long SYMBOL_NAME(sys_kill) .long SYMBOL_NAME(sys_rename) .long SYMBOL_NAME(sys_mkdir) .long SYMBOL_NAME(sys_rmdir) /* 40 */ .long SYMBOL_NAME(sys_dup) .long SYMBOL_NAME(sys_pipe) .long SYMBOL_NAME(sys_times) .long SYMBOL_NAME(sys_ni_syscall) /* old prof syscall holder */ .long SYMBOL_NAME(sys_brk) /* 45 */ .long SYMBOL_NAME(sys_setgid16) .long SYMBOL_NAME(sys_getgid16) .long SYMBOL_NAME(sys_signal) .long SYMBOL_NAME(sys_geteuid16) .long SYMBOL_NAME(sys_getegid16) /* 50 */ .long SYMBOL_NAME(sys_acct) .long SYMBOL_NAME(sys_umount) /* recycled never used phys() */ .long SYMBOL_NAME(sys_ni_syscall) /* old lock syscall holder */ .long SYMBOL_NAME(sys_ioctl) .long SYMBOL_NAME(sys_fcntl) /* 55 */ .long SYMBOL_NAME(sys_ni_syscall) /* old mpx syscall holder */ .long SYMBOL_NAME(sys_setpgid) .long SYMBOL_NAME(sys_ni_syscall) /* old ulimit syscall holder */ .long SYMBOL_NAME(sys_olduname) .long SYMBOL_NAME(sys_umask) /* 60 */ .long SYMBOL_NAME(sys_chroot) .long SYMBOL_NAME(sys_ustat) .long SYMBOL_NAME(sys_dup2) .long SYMBOL_NAME(sys_getppid) .long SYMBOL_NAME(sys_getpgrp) /* 65 */ .long SYMBOL_NAME(sys_setsid) .long SYMBOL_NAME(sys_sigaction) .long SYMBOL_NAME(sys_sgetmask) .long SYMBOL_NAME(sys_ssetmask) .long SYMBOL_NAME(sys_setreuid16) /* 70 */ .long SYMBOL_NAME(sys_setregid16) .long SYMBOL_NAME(sys_sigsuspend) .long SYMBOL_NAME(sys_sigpending) .long SYMBOL_NAME(sys_sethostname) .long SYMBOL_NAME(sys_setrlimit) /* 75 */ .long SYMBOL_NAME(sys_old_getrlimit) .long SYMBOL_NAME(sys_getrusage) .long SYMBOL_NAME(sys_gettimeofday) .long SYMBOL_NAME(sys_settimeofday) .long SYMBOL_NAME(sys_getgroups16) /* 80 */ .long SYMBOL_NAME(sys_setgroups16) .long SYMBOL_NAME(old_select) .long SYMBOL_NAME(sys_symlink) .long SYMBOL_NAME(sys_lstat) .long SYMBOL_NAME(sys_readlink) /* 85 */ .long SYMBOL_NAME(sys_uselib) .long SYMBOL_NAME(sys_swapon) .long SYMBOL_NAME(sys_reboot) .long SYMBOL_NAME(old_readdir) .long SYMBOL_NAME(old_mmap) /* 90 */ .long SYMBOL_NAME(sys_munmap) .long SYMBOL_NAME(sys_truncate) .long SYMBOL_NAME(sys_ftruncate) .long SYMBOL_NAME(sys_fchmod) .long SYMBOL_NAME(sys_fchown16) /* 95 */ .long SYMBOL_NAME(sys_getpriority) .long SYMBOL_NAME(sys_setpriority) .long SYMBOL_NAME(sys_ni_syscall) /* old profil syscall holder */ .long SYMBOL_NAME(sys_statfs) .long SYMBOL_NAME(sys_fstatfs) /* 100 */ .long SYMBOL_NAME(sys_ioperm) .long SYMBOL_NAME(sys_socketcall) .long SYMBOL_NAME(sys_syslog) .long SYMBOL_NAME(sys_setitimer) .long SYMBOL_NAME(sys_getitimer) /* 105 */ .long SYMBOL_NAME(sys_newstat) .long SYMBOL_NAME(sys_newlstat) .long SYMBOL_NAME(sys_newfstat) .long SYMBOL_NAME(sys_uname) .long SYMBOL_NAME(sys_iopl) /* 110 */ .long SYMBOL_NAME(sys_vhangup) .long SYMBOL_NAME(sys_ni_syscall) /* old entidleent system call */ .long SYMBOL_NAME(sys_vm86old) .long SYMBOL_NAME(sys_wait4) .long SYMBOL_NAME(sys_swapoff) /* 115 */ .long SYMBOL_NAME(sys_sysinfo) .long SYMBOL_NAME(sys_ipc) .long SYMBOL_NAME(sys_fsync) .long SYMBOL_NAME(sys_sigreturn) .long SYMBOL_NAME(sys_clone) /* 120 */ .long SYMBOL_NAME(sys_setdomainname) .long SYMBOL_NAME(sys_newuname) .long SYMBOL_NAME(sys_modify_ldt) .long SYMBOL_NAME(sys_adjtimex) .long SYMBOL_NAME(sys_mprotect) /* 125 */ .long SYMBOL_NAME(sys_sigprocmask) .long SYMBOL_NAME(sys_create_module) .long SYMBOL_NAME(sys_init_module) .long SYMBOL_NAME(sys_delete_module) .long SYMBOL_NAME(sys_get_kernel_syms) /* 130 */ .long SYMBOL_NAME(sys_quotactl) .long SYMBOL_NAME(sys_getpgid) .long SYMBOL_NAME(sys_fchdir) .long SYMBOL_NAME(sys_bdflush) .long SYMBOL_NAME(sys_sysfs) /* 135 */ .long SYMBOL_NAME(sys_personality) .long SYMBOL_NAME(sys_ni_syscall) /* for afs_syscall */ .long SYMBOL_NAME(sys_setfsuid16) .long SYMBOL_NAME(sys_setfsgid16) .long SYMBOL_NAME(sys_llseek) /* 140 */ .long SYMBOL_NAME(sys_getdents) .long SYMBOL_NAME(sys_select) .long SYMBOL_NAME(sys_flock) .long SYMBOL_NAME(sys_msync) .long SYMBOL_NAME(sys_readv) /* 145 */ .long SYMBOL_NAME(sys_writev) .long SYMBOL_NAME(sys_getsid) .long SYMBOL_NAME(sys_fdatasync) .long SYMBOL_NAME(sys_sysctl) .long SYMBOL_NAME(sys_mlock) /* 150 */ .long SYMBOL_NAME(sys_munlock) .long SYMBOL_NAME(sys_mlockall) .long SYMBOL_NAME(sys_munlockall) .long SYMBOL_NAME(sys_sched_setparam) .long SYMBOL_NAME(sys_sched_getparam) /* 155 */ .long SYMBOL_NAME(sys_sched_setscheduler) .long SYMBOL_NAME(sys_sched_getscheduler) .long SYMBOL_NAME(sys_sched_yield) .long SYMBOL_NAME(sys_sched_get_priority_max) .long SYMBOL_NAME(sys_sched_get_priority_min) /* 160 */ .long SYMBOL_NAME(sys_sched_rr_get_interval) .long SYMBOL_NAME(sys_nanosleep) .long SYMBOL_NAME(sys_mremap) .long SYMBOL_NAME(sys_setresuid16) .long SYMBOL_NAME(sys_getresuid16) /* 165 */ .long SYMBOL_NAME(sys_vm86) .long SYMBOL_NAME(sys_query_module) .long SYMBOL_NAME(sys_poll) .long SYMBOL_NAME(sys_nfsservctl) .long SYMBOL_NAME(sys_setresgid16) /* 170 */ .long SYMBOL_NAME(sys_getresgid16) .long SYMBOL_NAME(sys_prctl) .long SYMBOL_NAME(sys_rt_sigreturn) .long SYMBOL_NAME(sys_rt_sigaction) .long SYMBOL_NAME(sys_rt_sigprocmask) /* 175 */ .long SYMBOL_NAME(sys_rt_sigpending) .long SYMBOL_NAME(sys_rt_sigtimedwait) .long SYMBOL_NAME(sys_rt_sigqueueinfo) .long SYMBOL_NAME(sys_rt_sigsuspend) .long SYMBOL_NAME(sys_pread) /* 180 */ .long SYMBOL_NAME(sys_pwrite) .long SYMBOL_NAME(sys_chown16) .long SYMBOL_NAME(sys_getcwd) .long SYMBOL_NAME(sys_capget) .long SYMBOL_NAME(sys_capset) /* 185 */ .long SYMBOL_NAME(sys_sigaltstack) .long SYMBOL_NAME(sys_sendfile) .long SYMBOL_NAME(sys_ni_syscall) /* streams1 */ .long SYMBOL_NAME(sys_ni_syscall) /* streams2 */ .long SYMBOL_NAME(sys_vfork) /* 190 */ .long SYMBOL_NAME(sys_getrlimit) .long SYMBOL_NAME(sys_mmap2) .long SYMBOL_NAME(sys_truncate64) .long SYMBOL_NAME(sys_ftruncate64) .long SYMBOL_NAME(sys_stat64) /* 195 */ .long SYMBOL_NAME(sys_lstat64) .long SYMBOL_NAME(sys_fstat64) .long SYMBOL_NAME(sys_lchown) .long SYMBOL_NAME(sys_getuid) .long SYMBOL_NAME(sys_getgid) /* 200 */ .long SYMBOL_NAME(sys_geteuid) .long SYMBOL_NAME(sys_getegid) .long SYMBOL_NAME(sys_setreuid) .long SYMBOL_NAME(sys_setregid) .long SYMBOL_NAME(sys_getgroups) /* 205 */ .long SYMBOL_NAME(sys_setgroups) .long SYMBOL_NAME(sys_fchown) .long SYMBOL_NAME(sys_setresuid) .long SYMBOL_NAME(sys_getresuid) .long SYMBOL_NAME(sys_setresgid) /* 210 */ .long SYMBOL_NAME(sys_getresgid) .long SYMBOL_NAME(sys_chown) .long SYMBOL_NAME(sys_setuid) .long SYMBOL_NAME(sys_setgid) .long SYMBOL_NAME(sys_setfsuid) /* 215 */ .long SYMBOL_NAME(sys_setfsgid) .long SYMBOL_NAME(sys_pivot_root) .long SYMBOL_NAME(sys_mincore) .long SYMBOL_NAME(sys_madvise) .long SYMBOL_NAME(sys_getdents64) /* 220 */ .long SYMBOL_NAME(sys_fcntl64) .long SYMBOL_NAME(sys_ni_syscall) /* reserved for TUX */ .long SYMBOL_NAME(sys_ni_syscall) /* Reserved for Security */ .long SYMBOL_NAME(sys_gettid) .long SYMBOL_NAME(sys_readahead) /* 225 */

IRQ Event

When an IRQ comes, the task that is running is interrupted in order to service the IRQ Handler.

After the IRQ is handled, control returns backs exactly to point of interrupt, like nothing happened.

Running Task |-----------| (3) NORMAL | | | entbreak executionent IRQ Handler EXECUTION (1)| | | -------------ent|---------| | ent|/ | | | does | IRQ (2)----ent| .. |-----ent | some | | | |ent----- | work | BACK TO | | | | | ..(4). | NORMAL (6)| ent|/ | ent-------------|_________| EXECUTION |___________| entreturn to codeent (5) USER MODE KERNEL MODE User-entKernel Mode Transition caused by IRQ event

The numbered steps below refer to the sequence of events in the diagram above:

Process is executingIRQ comes while the task is running.Task is interrupted to call an "Interrupt handler".The "Interrupt handler" code is executed.Control returns back to task user mode (as if nothing happened)Process returns back to normal execution

Special interest has the Timer IRQ, coming every TIMER ms to manage:

AlarmsSystem and task counters (used by schedule to decide when stop a process or for accounting)Multitasking based on wake up mechanism after TIMESLICE time.

MultitaskingMechanism

The key point of modern OSs is the "Task". The Task is an application running in memory sharing all resources (included CPU and Memory) with other Tasks.

This "resource sharing" is managed by the "Multitasking Mechanism". The Multitasking Mechanism switches from one task to another after a "timeslice" time. Users have the "illusion" that they own all resources. We can also imagine a single user scenario, where a user can have the "illusion" of running many tasks at the same time.

To implement this multitasking, the task uses "the state" variable, which can be:

READY, ready for executionBLOCKED, waiting for a resource

The task state is managed by its presence in a relative list: READY list and BLOCKED list.

Task Switching

The movement from one task to another is called ''Task Switching''. many computers have a hardware instruction which automatically performs this operation. Task Switching occurs in the following cases:

After Timeslice ends: we need to schedule a "Ready for execution" task and give it access.When a Task has to wait for a device: we need to schedule a new task and switch to it *

* We schedule another task to prevent "Busy Form Waiting", which occurs when we are waiting for a device instead performing other work.

Task Switching is managed by the "Schedule" entity.

Timer | | IRQ | | Schedule | | | ________________________ |-----ent| Task 1 |ent------------------ent|(1)Chooses a Ready Task | | | | |(2)Task Switching | | |___________| |________________________| | | | /|ent | | | | | | | | | | | | | | | | |-----ent| Task 2 |ent-------------------------------| | | | | | |___________| | . . . . . . . . . . . . . . . | | | | | | | | ------ent| Task N |ent-------------------------------- | | |___________| Task Switching based on TimeSlice

A typical Timeslice for Linux is about 10 ms.

Microkernel vs Monolithic OSOverview

Until now we viewed so called Monolithic OS, but there is also another kind of OS: ''Microkernel''.

A Microkernel OS uses Tasks, not only for user mode processes, but also as a real kernel manager, like Floppy-Task, HDD-Task, Net-Task and so on. Some examples are Amoeba, and Mach.

PROs and CONTROs of Microkernel OS

PROS:

OS is simpler to maintain because each Task manages a single kind of operation. So if you want to modify networking, you modify Net-Task (ideally, if it is not needed a structural update).

CONS:

Performances are worse than Monolithic OS, because you have to add 2*TASKentSWITCH times (the first to enter the specific Task, the second to go out from it).

My personal opinion is that, Microkernels are a good didactic example (like Minix) but they are not ''optimal'', so not really suitable. Linux uses a few Tasks, called "Kernel Threads" to implement a little microkernel structure (like kswapd, which is used to retrieve memory pages from mass storage). In this case there are no problems with perfomance because swapping is a very slow job.

NetworkingISO OSI levels

Standard ISO-OSI describes a network architecture with the following levels:

Physical level (examples: PPP and Ethernet)Data-link level (examples: PPP and Ethernet)Network level (examples: IP, and X.25)Transport level (examples: TCP, UDP)Session level (SSL)Presentation level (FTP binary-ascii coding)Application level (applications like Netscape)

The first 2 levels listed above are often implemented in hardware. Next levels are in software (or firmware for routers).

Many protocols are used by an OS: one of these is TCP/IP (the most important living on 3-4 levels).

What does the kernel?

The kernel doesn't know anything (only addresses) about first 2 levels of ISO-OSI.

In RX it:

Manages handshake with low levels devices (like ethernet card or modem) receiving "frames" from them.Builds TCP/IP "packets" from "frames" (like Ethernet or PPP ones), Convers ''packets'' in ''sockets'' passing them to the right application (using port number) orForwards packets to the right queue

frames packets sockets NIC ---------ent Kernel ----------ent Application | packets --------------ent Forward - RX -

In TX stage it:

Converts sockets or Queues datas into TCP/IP ''packets''Splits ''packets" into "frames" (like Ethernet or PPP ones)Sends ''frames'' using HW drivers

sockets packets frames Application ---------ent Kernel ----------ent NIC packets /|ent Forward ------------------- - TX -

Virtual MemorySegmentation

Segmentation is the first method to solve memory allocation problems: it allows you to compile source code without caring where the application will be placed in memory. As a matter of fact, this feature helps applications developers to develop in a independent fashion from the OS e also from the hardware.

We can say that a segment is the logical entity of an application, or the image of the application in memory.

When programming, we don't care where our data is put in memory, we only care about the offset inside our segment (our application).

We use to assign a Segment to each Process and vice versa. In Linux this is not true. Linux uses only 4 segments for either Kernel and all Processes.

Problems of Segmentation

____________________ -----ent| |-----ent | IN | Segment A | OUT ____________________ | |____________________| | |____| | | | Segment B | | Segment B | | |____ | | |____________________| | |____________________| | | Segment C | | |____________________| -----ent| Segment D |-----ent IN |____________________| OUT Segmentation problem

In the diagram above, we want to get exit processes A, and D and enter process B. As we can see there is enough space for B, but we cannot split it in 2 pieces, so we CANNOT load it (memory out).

The reason this problem occurs is because pure segments are continuous areas (because they are logical areas) and cannot be split.

Pagination

____________________ | Page 1 | |____________________| | Page 2 | |____________________| | .. | Segment ent---ent Process |____________________| | Page n | |____________________| | | |____________________| | | |____________________| Segment

Pagination splits memory in entnent pieces, each one with a fixed length.

A process may be loaded in one or more Pages. When memory is freed, all pages are freed (see Segmentation Problem, before).

Pagination is also used for another important purpose, "Swapping". If a page is not present in physical memory then it generates an EXCEPTION, that will make the Kernel search for a new page in storage memory. This mechanism allow OS to load more applications than the ones allowed by physical memory only.

Pagination Problem

In the diagram above, we can see what is wrong with the pagination policy: when a Process Y loads into Page X, ALL memory space of the Page is allocated, so the remaining space at the end of Page is wasted.

Segmentation and Pagination

How can we solve segmentation and pagination problems? Using either 2 policies.

| .. | |____________________| -----ent| Page 1 | | |____________________| | | .. | ____________________ | |____________________| | | |----ent| Page 2 | | Segment X | ----| |____________________| | | | | .. | |____________________| | |____________________| | | .. | | |____________________| |----ent| Page 3 | |____________________| | .. |

Process X, identified by Segment X, is split in 3 pieces and each of one is loaded in a page.

We do not have:

Segmentation problem: we allocate per Pages, so we also free Pages and we manage free space in an optimized way.Pagination problem: only last page wastes space, but we can decide to use very small pages, for example 4096 bytes length (losing at maximum 4096*NentTasks bytes) and manage hierarchical paging (using 2 or 3 levels of paging)

| | | | | | Offset2 | Value | | | /|ent| | Offset1 | |----- | | | /|ent | | | | | | | | | | ent|/| | | | | ------ent| | ent|/ | | | | Base Paging Address ----ent| | | | | ....... | | ....... | | | | | Hierarchical Paging

Linux Startup

We start the Linux kernel first from C code executed from ''startupent32:'' asm label:

startupent32 entarch/i386/kernel/head.Sentstartentkernel entinit/main.centlockentkernel entinclude/asm/smplock.henttrapentinit entarch/i386/kernel/traps.centinitentIRQ entarch/i386/kernel/i8259.centschedentinit entkernel/sched.centsoftirqentinit entkernel/softirq.centtimeentinit entarch/i386/kernel/time.centconsoleentinit entdrivers/char/ttyentio.centinitentmodules entkernel/module.centkmementcacheentinit entmm/slab.centsti entinclude/asm/system.hentcalibrateentdelay entinit/main.centmementinit entarch/i386/mm/init.centkmementcacheentsizesentinit entmm/slab.centpgtableentcacheentinit entarch/i386/mm/init.centforkentinit entkernel/fork.centprocentcachesentinit vfsentcachesentinit entfs/dcache.centbufferentinit entfs/buffer.centpageentcacheentinit entmm/filemap.centsignalsentinit entkernel/signal.centprocentrootentinit entfs/proc/root.centipcentinit entipc/util.centcheckentbugs entinclude/asm/bugs.hentsmpentinit entinit/main.centrestentinitkernelentthread entarch/i386/kernel/process.centunlockentkernel entinclude/asm/smplock.hentcpuentidle entarch/i386/kernel/process.cent

The last function ''restentinit'' does the following:

launches the kernel thread ''init''calls unlockentkernelmakes the kernel run cpuentidle routine, that will be the idle loop executing when nothing is scheduled

In fact the startentkernel procedure never ends. It will execute cpuentidle routine endlessly.

Follows ''init'' description, which is the first Kernel Thread:

Linux PeculiaritiesOverview

Linux has some peculiarities that distinguish it from other OSs. These peculiarities include:

Pagination onlySoftirqKernel threadsKernel modules''Proc'' directory

Flexibility Elements

Points 4 and 5 give system administrators an enormous flexibility on system configuration from user mode allowing them to solve also critical kernel bugs or specific problems without have to reboot the machine. For example, if you needed to change something on a big server and you didn't want to make a reboot, you could prepare the kernel to talk with a module, that you'll write.

Pagination only

Linux doesn't use segmentation to distinguish Tasks from each other; it uses pagination. (Only 2 segments are used for all Tasks, CODE and DATA/STACK)

We can also say that an interTask page fault never occurs, because each Task uses a set of Page Tables that are different for each Task. These tables cannot point to the same physical addresses.

Linux segments

Under the Linux kernel only 4 segments exist:

Kernel Code ent0x10entKernel Data / Stack ent0x18entUser Code ent0x23entUser Data / Stack ent0x2bent

entsyntax is ''Purpose entSegmentent''ent

Under Intel architecture, the segment registers used are:

CS for Code SegmentDS for Data SegmentSS for Stack SegmentES for Alternative Segment (for example used to make a memory copy between 2 different segments)

So, every Task uses 0x23 for code and 0x2b for data/stack.

Linux pagination

Under Linux 3 levels of pages are used, depending on the architecture. Under Intel only 2 levels are supported. Linux also supports Copy on Write mechanisms (please see Cap.10 for more information).

Why don't interTasks address conflicts exist?

The answer is very very simple: interTask address conflicts cannot exist because they are impossible. Linear -ent physical mapping is done by "Pagination", so it just needs to assign physical pages in an univocal fashion.

Do we need to defragment memory?

No. Page assigning is a dynamic process. We need a page only when a Task asks for it, so we choose it from free memory paging in an ordered fashion. When we want to release the page, we only have to add it to the free pages list.

What about Kernel Pages?

Kernel pages have a problem: they can be allocated in a dynamic fashion but we cannot have a guarantee that they are in contiguous area allocation, because linear kernel space is equivalent to physical kernel space.

For Code Segment there is no problem. Boot code is allocated at boot time (so we have a fixed amount of memory to allocate), and on modules we only have to allocate a memory area which could contain module code.

The real problem is the stack segment because each Task uses some kernel stack pages. Stack segments must be contiguous (according to stack definition), so we have to establish a maximum limit for each Task's stack dimension. If we exceed this limit bad things happen. We overwrite kernel mode process data structures.

The structure of the Kernel helps us, because kernel functions are never:

recursiveintercalling more than N times.

Once we know N, and we know the average of static variables for all kernel functions, we can estimate a stack limit.

If you want to try the problem out, you can create a module with a function inside calling itself many times. After a fixed number of times, the kernel module will hang because of a page fault exception handler (typically write to a read-only page).

Softirq

When an IRQ comes, task switching is deferred until later to get better performance. Some Task jobs (that could have to be done just after the IRQ and that could take much CPU in interrupt time, like building up a TCP/IP packet) are queued and will be done at scheduling time (once a time-slice will end).

In recent kernels (2.4.x) the softirq mechanisms are given to a kernelentthread: ''ksoftirqdentCPUn''. n stands for the number of CPU executing kernelentthread (in a monoprocessor system ''ksoftirqdentCPU0'' uses PID 3).

Preparing SoftirqEnabling Softirq

''cpuentraiseentsoftirq'' is a routine that will wakeentup ''ksoftirqdentCPU0'' kernel thread, to let it manage the enqueued job.

|cpu_raise_softirq |__cpu_raise_softirq |wakeup_softirqd |wake_up_process

cpuentraiseentsoftirq entkernel/softirq.centententcpuentraiseentsoftirq entinclude/linux/interrupt.hentwakeupentsoftirq entkernel/softirq.centwakeentupentprocess entkernel/sched.cent

''ententcpuentraiseentsoftirq'' routine will set right bit in the vector describing softirq pending.

''wakeupentsoftirq'' uses ''wakeupentprocess'' to wake up ''ksoftirqdentCPU0'' kernel thread.

Executing Softirq

TODO: describing data structures involved in softirq mechanism.

When kernel thread ''ksoftirqdentCPU0'' has been woken up, it will execute queued jobs

The code of ''ksoftirqdentCPU0'' is (main endless loop):

for (;;) ent if (!softirq_pending(cpu)) schedule(); __set_current_state(TASK_RUNNING); while (softirq_pending(cpu)) ent do_softirq(); if (current-entneed_resched) schedule ent __set_current_state(TASK_INTERRUPTIBLE) ent

ksoftirqd entkernel/softirq.cent

Kernel Threads

Even though Linux is a monolithic OS, a few ''kernel threads'' exist to do housekeeping work.

These Tasks don't utilize USER memory; they share KERNEL memory. They also operate at the highest privilege (RING 0 on a i386 architecture) like any other kernel mode piece of code.

Kernel threads are created by ''kernelentthread entarch/i386/kernel/processent'' function, which calls ''clone'' entarch/i386/kernel/process.cent system call from assembler (which is a ''fork'' like system call):

int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) ent long retval, d0; __asm__ __volatile__( entmovl ententesp,ententesientnenttent entint ent0x80entnenttent /* Linux/i386 system call */ entcmpl ententesp,ententesientnenttent /* child or parent? */ entje 1fentnenttent /* parent - jump */ /* Load the argument into eax, and push it. That way, it does * not matter whether the called function is compiled with * -mregparm or not. */ entmovl ent4,ententeaxentnenttent entpushl ententeaxentnenttent entcall *ent5entnenttent /* call fn */ entmovl ent3,ent0entnenttent /* exit */ entint ent0x80entnent ent1:enttent :ent=entaent (retval), ent=entSent (d0) :ent0ent (__NR_clone), entient (__NR_exit), entrent (arg), entrent (fn), entbent (flags | CLONE_VM) : entmemoryent); return retval; ent

Once called, we have a new Task (usually with very low PID number, like 2,3, etc.) waiting for a very slow resource, like swap or usb event. A very slow resource is used because we would have a task switching overhead otherwise.

Below is a list of most common kernel threads (from ''ps x'' command):

PID COMMAND 1 init 2 keventd 3 kswapd 4 kreclaimd 5 bdflush 6 kupdated 7 kacpid 67 khubd

'init' kernel thread is the first process created, at boot time. It will call all other User Mode Tasks (from file /etc/inittab) like console daemons, tty daemons and network daemons (''rc'' scripts).

Example of Kernel Threads: kswapd entmm/vmscan.cent.

''kswapd'' is created by ''clone() entarch/i386/kernel/process.cent''

Initialisation routines:

|do_initcalls |kswapd_init |kernel_thread |syscall fork (in assembler)

doentinitcalls entinit/main.cent

kswapdentinit entmm/vmscan.cent

kernelentthread entarch/i386/kernel/process.cent

Kernel ModulesOverview

Linux Kernel modules are pieces of code (examples: fs, net, and hw driver) running in kernel mode that you can add at runtime.

The Linux core cannot be modularized: scheduling and interrupt management or core network, and so on.

Under "/lib/modules/KERNELentVERSION/" you can find all the modules installed on your system.

Module loading and unloading

To load a module, type the following:

insmod MODULE_NAME parameters example: insmod ne io=0x300 irq=9

NOTE: You can use modprobe in place of insmod if you want the kernel automatically search some parameter (for example when using PCI driver, or if you have specified parameter under /etc/conf.modules file).

To unload a module, type the following:

rmmod MODULE_NAME

Module definition

A module always contains:

"initentmodule" function, executed at insmod (or modprobe) command "cleanupentmodule" function, executed at rmmod command

If these functions are not in the module, you need to add 2 macros to specify what functions will act as init and exit module:

moduleentinit(FUNCTIONentNAME)moduleentexit(FUNCTIONentNAME)

NOTE: a module can "see" a kernel variable only if it has been exported (with macro EXPORTentSYMBOL).

A useful trick for adding flexibility to your kernel

// kernel sources side void (*foo_function_pointer)(void *); if (foo_function_pointer) (foo_function_pointer)(parameter); // module side extern void (*foo_function_pointer)(void *); void my_function(void *parameter) ent //My code ent int init_module() ent foo_function_pointer = entmy_function; ent int cleanup_module() ent foo_function_pointer = NULL; ent

This simple trick allows you to have very high flexibility in your Kernel, because only when you load the module you'll make "myentfunction" routine execute. This routine will do everything you want to do: for example ''rshaper'' module, which controls bandwidth input traffic from the network, works in this kind of matter.

Notice that the whole module mechanism is possible thanks to some global variables exported to modules, such as head list (allowing you to extend the list as much as you want). Typical examples are fs, generic devices (char, block, net, telephony). You have to prepare the kernel to accept your new module; in some cases you have to create an infrastructure (like telephony one, that was recently created) to be as standard as possible.

Proc directory

Proc fs is located in the /proc directory, which is a special directory allowing you to talk directly with kernel.

Linux uses ''proc'' directory to support direct kernel communications: this is necessary in many cases, for example when you want see main processes data structures or enable ''proxy-arp'' feature on one interface and not in others, you want to change max number of threads, or if you want to debug some bus state, like ISA or PCI, to know what cards are installed and what I/O addresses and IRQs are assigned to them.

In the directory there are also all the tasks using PID as file names (you have access to all Task information, like path of binary file, memory used, and so on).

The interesting point is that you cannot only see kernel values (for example, see info about any task or about network options enabled of your TCP/IP stack) but you are also able to modify some of it, typically that ones under /proc/sys directory:

/proc/sys/ acpi dev debug fs proc net vm kernel

/proc/sys/kernel

Below are very important and well-know kernel values, ready to be modified:

overflowgid overflowuid random threads-max // Max number of threads, typically 16384 sysrq // kernel hack: you can view istant register values and more sem msgmnb msgmni msgmax shmmni shmall shmmax rtsig-max rtsig-nr modprobe // modprobe file location printk ctrl-alt-del cap-bound panic domainname // domain name of your Linux box hostname // host name of your Linux box version // date info about kernel compilation osrelease // kernel version (i.e. 2.4.5) ostype // Linux!

/proc/sys/net

This can be considered the most useful proc subdirectory. It allows you to change very important settings for your network kernel configuration.

core ipv4 ipv6 unix ethernet 802

/proc/sys/net/core

Listed below are general net settings, like "netdeventmaxentbacklog" (typically 300), the length of all your network packets. This value can limit your network bandwidth when receiving packets, Linux has to wait up to scheduling time to flush buffers (due to bottom half mechanism), about 1000/HZ ms

300 * 100 = 30 000 packets HZ(Timeslice freq) packets/s 30 000 * 1000 = 30 M packets average (Bytes/packet) throughput Bytes/s

If you want to get higher throughput, you need to increase netdeventmaxentbacklog, by typing:

echo 4000 ent /proc/sys/net/core/netdev_max_backlog

Note: Warning for some HZ values: under some architecture (like alpha or arm-tbox) it is 1000, so you can have 300 MBytes/s of average throughput.

/proc/sys/net/ipv4

"ipentforward", enables or disables ip forwarding in your Linux box. This is a generic setting for all devices, you can specify each device you choose.

/proc/sys/net/ipv4/conf/interface

I think this is the most useful /proc entry, because it allows you to change some net settings to support wireless networks (see for more information).

Here are some examples of when you could use this setting:

"forwarding", to enable ip forwarding for your interface"proxyentarp", to enable proxy arp feature. For more see Proxy arp HOWTO under and for proxy arp use in Wireless networks."sendentredirects" to avoid interface to send ICMPentREDIRECT (as before, see for more).

Linux MultitaskingOverview

This section will analyze data structures--the mechanism used to manage multitasking environment under Linux.

Task States

A Linux Task can be one of the following states (according to entinclude/linux.hent):

TASKentRUNNING, it means that it is in the "Ready List"TASKentINTERRUPTIBLE, task waiting for a signal or a resource (sleeping)TASKentUNINTERRUPTIBLE, task waiting for a resource (sleeping), it is in same "Wait Queue"TASKentZOMBIE, task child without fatherTASKentSTOPPED, task being debugged

Graphical Interaction

______________ CPU Available ______________ | | ----------------ent | | | TASK_RUNNING | | Real Running | |______________| ent---------------- |______________| CPU Busy | /|ent Waiting for | | Resource Resource | | Available ent|/ | ______________________ | | | TASK_INTERRUPTIBLE / | | TASK-UNINTERRUPTIBLE | |______________________| Main Multitasking Flow

TimeslicePIT 8253 Programming

Each 10 ms (depending on HZ value) an IRQ0 comes, which helps us in a multitasking environment. This signal comes from PIC 8259 (in arch 386+) which is connected to PIT 8253 with a clock of 1.19318 MHz.

_____ ______ ______ | CPU |ent------| 8259 |------| 8253 | |_____| IRQ0 |______| |___/|ent| |_____ CLK 1.193.180 MHz // From include/asm/param.h entifndef HZ entdefine HZ 100 entendif // From include/asm/timex.h entdefine CLOCK_TICK_RATE 1193180 /* Underlying HZ */ // From include/linux/timex.h entdefine LATCH ((CLOCK_TICK_RATE + HZ/2) / HZ) /* For divider */ // From arch/i386/kernel/i8259.c outb_p(0x34,0x43); /* binary, mode 2, LSB/MSB, ch 0 */ outb_p(LATCH ent 0xff , 0x40); /* LSB */ outb(LATCH entent 8 , 0x40); /* MSB */

So we program 8253 (PIT, Programmable Interval Timer) with LATCH = (1193180/HZ) = 11931.8 when HZ=100 (default). LATCH indicates the frequency divisor factor.

LATCH = 11931.8 gives to 8253 (in output) a frequency of 1193180 / 11931.8 = 100 Hz, so period = 10ms

So Timeslice = 1/HZ.

With each Timeslice we temporarily interrupt current process execution (without task switching), and we do some housekeeping work, after which we'll return back to our previous process.

Linux Timer IRQ ICA

Functions can be found under:

IRQ0x00entinterrupt, SAVEentALL entinclude/asm/hwentirq.hentdoentIRQ, handleentIRQentevent entarch/i386/kernel/irq.centtimerentinterrupt, doenttimerentinterrupt entarch/i386/kernel/time.centdoenttimer, updateentprocessenttimes entkernel/timer.centdoentsoftirq entkernel/softentirq.centRESTOREentALL, while loop entarch/i386/kernel/entry.Sent

Notes:

Function "IRQ0x00entinterrupt" (like others IRQ0xXYentinterrupt) is directly pointed by IDT (Interrupt Descriptor Table, similar to Real Mode Interrupt Vector Table, see Cap 11 for more), so EVERY interrupt coming to the processor is managed by "IRQ0xentNRentinterrupt" routine, where entNR is the interrupt number. We refer to it as "wrapper irq handler".wrapper routines are executed, like "doentIRQ","handleentIRQentevent" entarch/i386/kernel/irq.cent.After this, control is passed to official IRQ routine (pointed by "handler()"), previously registered with "requestentirq" entarch/i386/kernel/irq.cent, in this case "timerentinterrupt" entarch/i386/kernel/time.cent."timerentinterrupt" entarch/i386/kernel/time.cent routine is executed and, when it ends,control backs to some assembler routines entarch/i386/kernel/entry.Sent.

Description:

To manage Multitasking, Linux (like every other Unix) uses a ''counter'' variable to keep track of how much CPU was used by the task. So, on each IRQ 0, the counter is decremented (point 4) and, when it reaches 0, we need to switch task to manage timesharing (point 4 "needentresched" variable is set to 1, then, in point 5 assembler routines control "needentresched" and call, if needed, "schedule" entkernel/sched.cent).

Scheduler

The scheduler is the piece of code that chooses what Task has to be executed at a given time.

Any time you need to change running task, select a candidate. Below is the ''schedule entkernel/sched.cent'' function.

Bottom Half, Task Queues. and TaskletsOverview

In classic Unix, when an IRQ comes (from a device), Unix makes "task switching" to interrogate the task that requested the device.

To improve performance, Linux can postpone the non-urgent work until later, to better manage high speed event.

This feature is managed since kernel 1.x by the "bottom half" (BH). The irq handler "marks" a bottom half, to be executed later, in scheduling time.

In the latest kernels there is a "task queue"that is more dynamic than BH and there is also a "tasklet" to manage multiprocessor environments.

BH schema is:

DeclarationMarkExecution

Declaration

entdefine DECLARE_TASK_QUEUE(q) LIST_HEAD(q) entdefine LIST_HEAD(name) ent struct list_head name = LIST_HEAD_INIT(name) struct list_head ent struct list_head *next, *prev; ent; entdefine LIST_HEAD_INIT(name) ent ent(name), ent(name) ent ''DECLARE_TASK_QUEUE'' entinclude/linux/tqueue.h, include/linux/list.hent

"DECLAREentTASKentQUEUE(q)" macro is used to declare a structure named "q" managing task queue.

Mark

Here is the ICA schema for "markentbh" entinclude/linux/interrupt.hent function:

For example, when an IRQ handler wants to "postpone" some work, it would "markentbh(NUMBER)", where NUMBER is a BH declarated (see section before).

Execution

We can see this calling from "doentIRQ" entarch/i386/kernel/irq.cent function:

|do_softirq |h-entaction(h)-ent softirq_vecentTASKLET_SOFTIRQent-entaction -ent tasklet_action |tasklet_vecent0ent.list-entfunc

"h-entaction(h);" is the function has been previously queued.

Very low level routines

setentintrentgate

setenttrapentgate

setenttaskentgate (not used).

(*interrupt)entNRentIRQSent(void) = ent IRQ0x00entinterrupt, IRQ0x01entinterrupt, ..ent

NRentIRQS = 224 entkernel 2.4.2ent

Task SwitchingWhen does Task switching occur?

Now we'll see how the Linux Kernel switchs from one task to another.

Task Switching is needed in many cases, such as the following:

when TimeSlice ends, we need to give access to some other taskwhen a task decide to access a resource, it sleeps for it, so we have to choose another taskwhen a task waits for a pipe, we have to give access to other task, which would write to pipe

Task Switching

TASK SWITCHING TRICK entdefine switch_to(prev,next,last) do ent ent asm volatile(entpushl ententesientnenttent ent entpushl ententedientnenttent ent entpushl ententebpentnenttent ent entmovl ententesp,ent0entnenttent /* save ESP */ ent entmovl ent3,ententespentnenttent /* restore ESP */ ent entmovl ent1f,ent1entnenttent /* save EIP */ ent entpushl ent4entnenttent /* restore EIP */ ent entjmp __switch_toentnent ent ent1:enttent ent entpopl ententebpentnenttent ent entpopl ententedientnenttent ent entpopl ententesientnenttent ent :ent=ment (prev-entthread.esp),ent=ment (prev-entthread.eip), ent ent=bent (last) ent :entment (next-entthread.esp),entment (next-entthread.eip), ent entaent (prev), entdent (next), ent entbent (prev)); ent ent while (0)

Trick is here:

''pushl ent4'' which puts futureentEIP into the stack''jmp ententswitchentto'' which execute ''ententswitchentto'' function, but in opposite of ''call'' we will return to valued pushed in point 1 (so new Task!)

U S E R M O D E K E R N E L M O D E | | | | | | | | | | | | Timer | | | | | | | Normal | IRQ | | | | | | | Exec |------ent|Timer_Int.| | | | | | | | | .. | | | | | | ent|/ | |schedule()| | Task1 Ret| | | | | |_switch_to|ent-- | Address | |__________| |__________| | | | | | | | |S | | Task1 Data/Stack Task1 Code | | |w | | | | T|i | | | | a|t | | | | | | | | s|c | | | | | | Timer | | k|h | | | | | Normal | IRQ | | |i | | | | | Exec |------ent|Timer_Int.| |n | | | | | | | | .. | |g | | | | | ent|/ | |schedule()| | | Task2 Ret| | | | | |_switch_to|ent-- | Address | |__________| |__________| |__________| |__________| Task2 Data/Stack Task2 Code Kernel Code Kernel Data/Stack

ForkOverview

Fork is used to create another task. We start from a Task Parent, and we copy many data structures to Task Child.

| | | .. | Task Parent | | | | | | | fork |----------ent| CREATE | | | /| NEW | |_________| / | TASK | / | | --- / | | --- / | .. | / | | Task Child / | | / | fork |ent-/ | | |_________| Fork SysCall

What is not copied

New Task just created (''Task Child'') is almost equal to Parent (''Task Parent''), there are only few differences:

obviously PIDchild ''fork()'' will return 0, while parent ''fork()'' will return PID of Task Child, to distinguish them each other in User ModeAll child data pages are marked ''READ + EXECUTE'', no "WRITE'' (while parent has WRITE right for its own pages) so, when a write request comes, a ''Page Fault'' exception is generated which will create a new independent page: this mechanism is called ''Copy on Write'' (see Cap.10 for more).

Fork ICA

sysentfork entarch/i386/kernel/process.centdoentfork entkernel/fork.centallocenttaskentstruct entinclude/asm/processor.centententgetentfreeentpages entmm/pageentalloc.centgetentpid entkernel/fork.centcopyentfiles copyentfscopyentsighandcopyentmmallocateentmmmmentinitpgdentalloc -ent getentpgdentfast entinclude/asm/pgalloc.hentgetentpgdentslowdupentmmap entkernel/fork.centcopyentpageentrange entmm/memory.centptepentsetentwrprotect entinclude/asm/pgtable.hentclearentbit entinclude/asm/bitops.hentcopyentsegments entarch/i386/kernel/process.centcopyentthreadSETentLINKS entinclude/linux/sched.hentwakeentupentprocess entkernel/sched.cent

Copy on Write

To implement Copy on Write for Linux:

Mark all copied pages as read-only, causing a Page Fault when a child tries to write to them.Page Fault handler creates a new page for the Task caused exception.

| Page | Fault | Exception | | -----------ent |do_page_fault |handle_mm_fault |handle_pte_fault |do_wp_page |alloc_page // Allocate a new page |break_cow |copy_cow_page // Copy old page to new one |establish_pte // reconfig Page Table pointers |set_pte Page Fault ICA

doentpageentfault entarch/i386/mm/fault.cent handleentmmentfault entmm/memory.centhandleentpteentfault doentwpentpageallocentpage entinclude/linux/mm.hentbreakentcow entmm/memory.centcopyentcowentpageestablishentptesetentpte entinclude/asm/pgtable-3level.hent

Linux Memory ManagementOverview

Linux uses segmentation + pagination, which simplifies notation.

Segments

Linux uses only 4 segments:

2 segments (code and data/stack) for KERNEL SPACE from ent0xC000 0000ent (3 GB) to ent0xFFFF FFFFent (4 GB)2 segments (code and data/stack) for USER SPACE from ent0ent (0 GB) to ent0xBFFF FFFFent (3 GB)

__ 4 GB---ent| | | | Kernel | | Kernel Space (Code + Data/Stack) | | __| 3 GB---ent|----------------| __ | | | | | | 2 GB---ent| | | | Tasks | | User Space (Code + Data/Stack) | | | 1 GB---ent| | | | | | |________________| __| 0x00000000 Kernel/User Linear addresses

Specific i386 implementation

Again, Linux implements Pagination using 3 Levels of Paging, but in i386 architecture only 2 of them are really used:

------------------------------------------------------------------ L I N E A R A D D R E S S ------------------------------------------------------------------ ent___/ ent___/ ent_____/ PD offset PF offset Frame offset ent10 bitsent ent10 bitsent ent12 bitsent | | | | | ----------- | | | | Value |----------|--------- | | | | |---------| /|ent | | | | | | | | | | | | | | | | | | Frame offset | | | | | | | ent|/ | | | | | |---------|ent------ | | | | | | | | | | | | | | | | x 4096 | | | | PF offset|_________|------- | | | | /|ent | | | PD offset |_________|----- | | | _________| /|ent | | | | | | | | | | | ent|/ | | ent|/ _____ | | | ------ent|_________| PHYSICAL ADDRESS | | ent|/ | | x 4096 | | | CR3 |--------ent| | | | |_____| | ....... | | ....... | | | | | Page Directory Page File Linux i386 Paging

Memory Mapping

Linux manages Access Control with Pagination only, so different Tasks will have the same segment addresses, but different CR3 (register used to store Directory Page Address), pointing to different Page Entries.

In User mode a task cannot overcome 3 GB limit (0 x C0 00 00 00), so only the first 768 page directory entries are meaningful (768*4MB = 3GB).

When a Task goes in Kernel Mode (by System call or by IRQ) the other 256 pages directory entries become important, and they point to the same page files as all other Tasks (which are the same as the Kernel).

Note that Kernel (and only kernel) Linear Space is equal to Kernel Physical Space, so:

________________ _____ |Other KernelData|___ | | | |----------------| | |__| | | Kernel |ent |____| Real Other | 3 GB ---ent|----------------| ent | Kernel Data | | |ent ent | | | __|_ent_ent____|__ Real | | Tasks | ent ent | Tasks | | __|___ent_ent__|__ Space | | | ent ent | | | | ent ent|----------------| | | ent |Real KernelSpace| |________________| ent|________________| Logical Addresses Physical Addresses

Linear Kernel Space corresponds to Physical Kernel Space translated 3 GB down (in fact page tables are something like ent "00000000", "00000001" ent, so they operate no virtualization, they only report physical addresses they take from linear ones).

Notice that you'll not have an "addresses conflict" between Kernel and User spaces because we can manage physical addresses with Page Tables.

Low level memory allocationBoot Initialization

We start from kmementcacheentinit (launched by startentkernel entinit/main.cent at boot up).

|kmem_cache_init |kmem_cache_estimate

kmementcacheentinit entmm/slab.cent

kmementcacheentestimate

Now we continue with mementinit (also launched by startentkernelentinit/main.cent)

|mem_init |free_all_bootmem |free_all_bootmem_core

mementinit entarch/i386/mm/init.cent

freeentallentbootmem entmm/bootmem.cent

freeentallentbootmementcore

Run-time allocation

Under Linux, when we want to allocate memory, for example during "copyentonentwrite" mechanism (see Cap.10), we call:

Functions can be found under:

copyentmm entkernel/fork.centallocateentmm entkernel/fork.centkmementcacheentalloc entmm/slab.centententkmementcacheentalloc kmementcacheentallocentoneallocentnewentslabkmementcacheentgrowkmementgetpagesententgetentfreeentpages entmm/pageentalloc.centallocentpages entmm/numa.centallocentpagesentpgdatententallocentpages entmm/pageentalloc.centrmentqueuereclaimentpages entmm/vmscan.cent

TODO: Understand Zones

SwapOverview

Swap is managed by the kswapd daemon (kernel thread).

kswapd

As other kernel threads, kswapd has a main loop that wait to wake up.

kswapd entmm/vmscan.centdoenttryenttoentfreeentpagesrecalculateentvmentstats entmm/swap.centrefillentinactiveentscan entmm/vmswap.centrunenttaskentqueue entkernel/softirq.centinterruptibleentsleepentonenttimeout entkernel/sched.cent

When do we need swapping?

Swapping is needed when we have to access a page that is not in physical memory.

Linux uses ''kswapd'' kernel thread to carry out this purpose. When the Task receives a page fault exception we do the following:

| Page Fault Exception | cause by all these conditions: | a-) User page | b-) Read or write access | c-) Page not present | | -----------ent |do_page_fault |handle_mm_fault |pte_alloc |pte_alloc_one |__get_free_page = __get_free_pages |alloc_pages |alloc_pages_pgdat |__alloc_pages |wakeup_kswapd // We wake up kernel thread kswapd Page Fault ICA

doentpageentfault entarch/i386/mm/fault.cent handleentmmentfault entmm/memory.centpteentallocpteentallocentone entinclude/asm/pgalloc.hentententgetentfreeentpage entinclude/linux/mm.hentententgetentfreeentpages entmm/pageentalloc.centallocentpages entmm/numa.centallocentpagesentpgdatententallocentpageswakeupentkswapd entmm/vmscan.cent

Linux NetworkingHow Linux networking is managed?

There exists a device driver for each kind of NIC. Inside it, Linux will ALWAYS call a standard high level routing: "netifentrx entnet/core/dev.cent", which will controls what 3 level protocol the frame belong to, and it will call the right 3 level function (so we'll use a pointer to the function to determine which is right).

TCP example

We'll see now an example of what happens when we send a TCP packet to Linux, starting from ''netifentrx entnet/core/dev.cent'' call.

Interrupt management: "netifentrx"

Functions:

ententskbentqueueenttail entinclude/linux/skbuff.hentcpuentraiseentsoftirq entkernel/softirq.cent

Post Interrupt management: "netentrxentaction"

Once IRQ interaction is ended, we need to follow the next part of the frame life and examine what NETentRXentSOFTIRQ does.

We will next call ''netentrxentaction entnet/core/dev.cent'' according to "netentdeventinit entnet/core/dev.cent".

Functions can be found under:

netentrxentaction entnet/core/dev.centententskbentdequeue entinclude/linux/skbuff.hentipentrcv entnet/ipv4/ipentinput.centNFentHOOK -ent nfenthookentslow entnet/core/netfilter.centipentrcventfinish entnet/ipv4/ipentinput.centipentrouteentinput entnet/ipv4/route.centipentlocalentdeliver entnet/ipv4/ipentinput.centipentdefrag entnet/ipv4/ipentfragment.centipentlocalentdeliverentfinish entnet/ipv4/ipentinput.centtcpentv4entrcv entnet/ipv4/tcpentipv4.centententtcpentv4entlookuptcpentv4entdoentrcvtcpentrcventestablished entnet/ipv4/tcpentinput.centententskbentqueueenttail entinclude/linux/skbuff.hentsockentdefentreadable entnet/core/sock.centwakeentupentinterruptible entinclude/linux/sched.henttcpentv4enthndentreq entnet/ipv4/tcpentipv4.centtcpentv4entsearchentreqtcpentcheckentreqtcpentv4entsynentrecventsockententtcpentv4entlookupentestablishedtcpentrcventstateentprocess entnet/ipv4/tcpentinput.centtcpentv4entconnentrequest entnet/ipv4/tcpentipv4.centtcpentv4entsendentsynacktcpentv4entsynqentaddtcpentrcventsynsententstateentprocess entnet/ipv4/tcpentinput.centtcpentsetentstate entinclude/net/tcp.henttcpentsendentack entnet/ipv4/tcpentoutput.cent

Description:

First we determine protocol type (IP, then TCP)NFentHOOK (function) is a wrapper routine that first manages the network filter (for example firewall), then it calls ''function''.After we manage 3-way TCP Handshake which consists of:

SERVER (LISTENING) CLIENT (CONNECTING) SYN ent------------------- SYN + ACK -------------------ent ACK ent------------------- 3-Way TCP handshake

In the end we only have to launch "tcpentrcventestablished entnet/ipv4/tcpentinput.cent" which gives the packet to the user socket and wakes it up.

Linux File System

TODO

Useful TipsStack and HeapOverview

Here we view how "stack" and "heap" are allocated in memory

Memory allocation

FF.. | | ent-- bottom of the stack /|ent | | | higher | | | | stack values | | | ent|/ growing | | XX.. | | ent-- top of the stack entStack Pointerent | | | | | | 00.. |_________________| ent-- end of stack entStack Segmentent Stack

Memory address values start from 00.. (which is also where Stack Segment begins) and they grow going toward FF.. value.

XX.. is the actual value of the Stack Pointer.

Stack is used by functions for:

global variables local variablesreturn address

For example, for a classical function:

Application vs ProcessBase definition

We have to distinguish 2 concepts:

Application: that is the useful code we want to executeProcess: that is the IMAGE on memory of the application (it depends on memory strategy used, segmentation and/or Pagination).

Often Process is also called Task or Thread.

LocksOverview

2 kind of locks:

intraCPUinterCPU

Copyentonentwrite

Copyentonentwrite is a mechanism used to reduce memory usage. It postpones memory allocation until the memory is really needed.

For example, when a task executes the "fork()" system call (to create another task), we still use the same memory pages as the parent, in read only mode. When the new task WRITES into the old page, it causes an exception and the page is copied and marked "rw" (read, write).

1-) Page X is shared between Task Parent and Task Child Task Parent | | RW Access ______ | |----------ent|Page X| |_________| |______| /|ent | Task Child | | | R Access | | |---------------- |_________| 2-) Write request from Task Child Task Parent | | RW Access ______ | |----------ent|Page X| |_________| |______| /|ent | Task Child | | | W Access | | |---------------- |_________| 3-) Final Configuration: Task Parent and Task Child have an independent copy of the Page, X and Y Task Parent | | RW Access ______ | |----------ent|Page X| |_________| |______| Task Child | | RW Access ______ | |----------ent|Page Y| |_________| |______|

80386 specific detailsBoot procedure

bbootsect.s entarch/i386/bootent setup.S (+video.S) head.S (+misc.c) entarch/i386/boot/compressedent start_kernel entinit/main.cent

80386 (and more) DescriptorsOverview

Descriptors are data structure used by Intel microprocessor i386+ to virtualize memory.

Kind of descriptors

GDT (Global Descriptor Table)LDT (Local Descriptor Table)IDT (Interrupt Descriptor Table)

IRQ Overview

IRQ is an asyncronous signal sent to microprocessor to advertise a requested work is completed

Interaction schema

|ent--ent IRQ(0) entTimerent |ent--ent IRQ(1) entDevice 1ent | .. |ent--ent IRQ(n) entDevice nent _____________________________| /|ent /|ent /|ent | | | ent|/ ent|/ ent|/ Task(1) Task(2) .. Task(N) IRQ - Tasks Interaction Schema

What happens?

A typical O.S. uses many IRQ signals to interrupt normal process execution and does some housekeeping work. So:

IRQ (i) occurs and Task(j) is interruptedIRQ(i)enthandler is executedcontrol backs to Task(j) interrupted

Under Linux, when an IRQ comes, first the IRQ wrapper routine (named "interrupt0x??") is called, then the "official" IRQ(i)enthandler will be executed. This allows some duties like timeslice preemption.

Utility functionslistententry entinclude/linux/list.hent

Definition:

entdefine list_entry(ptr, type, member) ent ((type *)((char *)(ptr)-(unsigned long)(ent((type *)0)-entmember)))

Meaning:

"listententry" macro is used to retrieve a parent struct pointer, by using only one of internal struct pointer.

Example:

struct __wait_queue ent unsigned int flags; struct task_struct * task; struct list_head task_list; ent; struct list_head ent struct list_head *next, *prev; ent; // and with type definition: typedef struct __wait_queue wait_queue_t; // we'll have wait_queue_t *out list_entry(tmp, wait_queue_t, task_list); // where tmp point to list_head

So, in this case, by means of *tmp pointer entlistentheadent we retrieve an *out pointer entwaitentqueueenttent.

____________ ent---- *out entwe calculate thatent |flags | /|ent |task *--ent | | |task_list |ent---- list_entry | prev * --ent| | | | next * --ent| | | |____________| ----- *tmp entwe have thisent

Sleep Sleep code

Files:

kernel/sched.cinclude/linux/sched.hinclude/linux/wait.hinclude/linux/list.h

Functions:

interruptibleentsleepentoninterruptibleentsleepentonenttimeoutsleepentonsleepentonenttimeout

Called functions:

initentwaitqueueententryententaddentwaitentqueuelistentaddententlistentaddententremoveentwaitentqueue

InterCallings Analysis:

Description:

Under Linux each resource (ideally an object shared between many users and many processes), , has a queue to manage ALL tasks requesting it.

This queue is called "wait queue" and it consists of many items we'll call the"wait queue element":

*** wait queue structure entinclude/linux/wait.hent *** struct __wait_queue ent unsigned int flags; struct task_struct * task; struct list_head task_list; ent struct list_head ent struct list_head *next, *prev; ent;

Graphic working:

*** wait queue element *** /|ent | ent--entprev *, flags, task *, next *ent--ent *** wait queue list *** /|ent /|ent /|ent /|ent | | | | --ent ent--enttask1ent--ent ent--enttask2ent--ent ent--enttask3ent--ent .... ent--enttaskNent--ent ent-- | | |__________________________________________________________________| *** wait queue head *** task1 ent--entprev *, lock, next *ent--ent taskN

"wait queue head" point to first (with next *) and last (with prev *) elements of the "wait queue list".

When a new element has to be added, "ententaddentwaitentqueue" entinclude/linux/wait.hent is called, after which the generic routine "listentadd" entinclude/linux/wait.hent, will be executed:

*** function list_add entinclude/linux/list.hent *** // classic double link list insert static __inline__ void __list_add (struct list_head * new, ent struct list_head * prev, ent struct list_head * next) ent next-entprev = new; new-entnext = next; new-entprev = prev; prev-entnext = new; ent

To complete the description, we see also "ententlistentdel" entinclude/linux/list.hent function called by "listentdel" entinclude/linux/list.hent inside "removeentwaitentqueue" entinclude/linux/wait.hent:

*** function list_del entinclude/linux/list.hent *** // classic double link list delete static __inline__ void __list_del (struct list_head * prev, struct list_head * next) ent next-entprev = prev; prev-entnext = next; ent

Stack consideration

A typical list (or queue) is usually managed allocating it into the Heap (see Cap.10 for Heap and Stack definition and about where variables are allocated). Otherwise here, we statically allocate Wait Queue data in a local variable (Stack), then function is interrupted by scheduling, in the end, (returning from scheduling) we'll erase local variable.

new task ent----| task1 ent------| task2 ent------| | | | | | | |..........| | |..........| | |..........| | |wait.flags| | |wait.flags| | |wait.flags| | |wait.task_|____| |wait.task_|____| |wait.task_|____| |wait.prev |--ent |wait.prev |--ent |wait.prev |--ent |wait.next |--ent |wait.next |--ent |wait.next |--ent |.. | |.. | |.. | |schedule()| |schedule()| |schedule()| |..........| |..........| |..........| |__________| |__________| |__________| Stack Stack Stack

Static variablesOverview

Linux is written in ''C'' language, and as every application has:

Local variablesModule variables (inside the source file and relative only to that module)Global/Static variables present in only 1 copy (the same for all modules)

When a Static variable is modified by a module, all other modules will see the new value.

Static variables under Linux are very important, cause they are the only kind to add new support to kernel: they typically are pointers to the head of a list of registered elements, which can be:

addeddeletedmaybe modified

_______ _______ _______ Global variable -------ent |Item(1)| -ent |Item(2)| -ent |Item(3)| .. |_______| |_______| |_______|

Main variablesCurrent

________________ Current ----------------ent | Actual process | |________________|

Current points to ''taskentstruct'' structure, which contains all data about a process like:

pid, name, state, counter, policy of schedulingpointers to many data structures like: files, vfs, other processes, signals...

Current is not a real variable, it is

static inline struct task_struct * get_current(void) ent struct task_struct *current; __asm__(entandl ententesp,ent0; ent:ent=rent (current) : ent0ent (ent8191UL)); return current; ent entdefine current get_current()

Above lines just takes value of ''esp'' register (stack pointer) and get it available like a variable, from which we can point to our taskentstruct structure.

From ''current'' element we can access directly to any other process (ready, stopped or in any other state) kernel data structure, for example changing STATE (like a I/O driver does), PID, presence in ready list or blocked list, etc.

Registered filesystems

______ _______ ______ file_systems ------ent | ext2 | -ent | msdos | -ent | ntfs | entfs/super.cent |______| |_______| |______|

When you use command like ''modprobe someentfs'' you will add a new entry to file systems list, while removing it (by using ''rmmod'') will delete it.

Mounted filesystems

______ _______ ______ mount_hash_table ----ent| / | -ent | /usr | -ent | /var | entfs/namespace.cent |______| |_______| |______|

When you use ''mount'' command to add a fs, the new entry will be inserted in the list, while an ''umount'' command will delete the entry.

Registered Network Packet Type

______ _______ ______ ptype_all ------ent| ip | -ent | x25 | -ent | ipv6 | entnet/core/dev.cent |______| |_______| |______|

For example, if you add support for IPv6 (loading relative module) a new entry will be added in the list.

Registered Network Internet Protocol

______ _______ _______ inet_protocol_base -----ent| icmp | -ent | tcp | -ent | udp | entnet/ipv4/protocol.cent |______| |_______| |_______|

Also others packet type have many internal protocols in each list (like IPv6).

______ _______ _______ inet6_protos -----------ent|icmpv6| -ent | tcpv6 | -ent | udpv6 | entnet/ipv6/protocol.cent |______| |_______| |_______|

Registered Network Device

______ _______ _______ dev_base ---------------ent| lo | -ent | eth0 | -ent | ppp0 | entdrivers/core/Space.cent |______| |_______| |_______|

Registered Char Device

______ _______ ________ chrdevs ----------------ent| lp | -ent | keyb | -ent | serial | entfs/devices.cent |______| |_______| |________|

''chrdevs'' is not a pointer to a real list, but it is a standard vector.

Registered Block Device

______ ______ ________ bdev_hashtable ---------ent| fd | -ent | hd | -ent | scsi | entfs/block_dev.cent |______| |______| |________|

''bdeventhashtable'' is an hash vector.

GlossaryLinks