Identifying whether a user-process or kernel-thread execution takes place by looking at CPU registers

Dave Hylands dhylands at gmail.com
Thu May 12 21:55:16 EDT 2011


Hi guys,

On Thu, May 12, 2011 at 4:53 AM, Mulyadi Santosa
<mulyadi.santosa at gmail.com> wrote:
> Hi....
>
> On Thu, May 12, 2011 at 17:55, limp <johnkyr83 at hotmail.com> wrote:
>> I was wondering if any other CPU register (apart from CR3) can indicate if a
>> user-process or a kernel thread under it (and which one) is executed. Is it
>> possible to know such a thing *only* by looking at CPU registers?
>
> one thing you can use is by looking at so called CPL (Current
> Privilege level) and check it whether it is 0. According to
> http://en.wikipedia.org/wiki/X86_memory_segmentation, CPL is the lower
> 2 bits in CS.
>
> However, you need to watch it continuously, because user space apps
> could switch to CPL=0 (which denotes kernel mode, where CPL=3 denotes
> user mode) in the case of system call etc.
>
> perhaps better is by looking at the address of mm. However, to do
> this, you need to check starting from its task_struct, which is mapped
> in its kernel stack in x86 AFAIK. In other arch such as ARM, AFAIK
> task_struct could be simply derived from certain register.

On the ARM, you can derive the task_struct from the stack pointer.

From kernel context, you can just use "current" which is a pointer to
the currently running task.

If you want details about how to determine the task_struct from SP, I
can get into that, although it's subject to change. Using "current" is
the normal technique.

-- 
Dave Hylands
Shuswap, BC, Canada
http://www.davehylands.com
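The two mechanisms discussed in this thread, the CPL in the low two bits of CS and the stack-pointer-to-task_struct walk that ARM used at the time, as an added user-space illustration. This is not code from the thread or from the kernel: the struct layouts are simplified stand-ins, THREAD_SIZE is set to the 8 KiB that 2011 ARM kernels used, the "kernel stack" is a heap buffer aligned the way the real one is, and the CS read assumes GCC/Clang inline asm on x86 (other architectures get -1, since they have no CS selector). It also shows the check Mulyadi alludes to with "the address of mm": a kernel thread is one whose task_struct has mm == NULL.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* ---- 1. Privilege level from the CS selector ----
 * Bits 1:0 of a segment selector are the RPL field; for the selector currently
 * loaded in CS that field is the CPL: 0 = kernel mode, 3 = user mode.
 */
static int cpl_from_selector(uint16_t cs)
{
    return cs & 0x3;
}

/* Read CS of the running code and return its CPL. Only x86 has a CS selector,
 * so other architectures return -1. Assumes GCC/Clang inline asm syntax. */
static int read_cpl(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint16_t cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cpl_from_selector(cs);
#else
    return -1;
#endif
}

/* ---- 2. task_struct from the stack pointer (2011-era ARM layout) ----
 * The kernel stack is THREAD_SIZE bytes and THREAD_SIZE-aligned, with a
 * struct thread_info at its lowest address. Masking the low bits off any sp
 * that points inside the stack therefore lands on thread_info, whose ->task
 * field is "current". THREAD_SIZE = 8192 (two pages) is the ARM value of the
 * time; the struct layouts are simplified stand-ins, not the kernel's own.
 */
#define THREAD_SIZE 8192UL

struct mm_struct;                       /* opaque for this illustration */
struct task_struct {
    int pid;
    struct mm_struct *mm;               /* NULL for kernel threads */
};
struct thread_info {
    struct task_struct *task;
    unsigned long flags;
};

static struct thread_info *thread_info_from_sp(unsigned long sp)
{
    return (struct thread_info *)(sp & ~(THREAD_SIZE - 1));
}

static struct task_struct *current_from_sp(unsigned long sp)
{
    return thread_info_from_sp(sp)->task;
}

/* Kernel threads own no user address space: task->mm is NULL (they run on
 * whatever active_mm the previous user task left behind). */
static int is_kernel_thread(const struct task_struct *t)
{
    return t->mm == NULL;
}

/* Constructed sample: build a fake aligned kernel stack for a task, pick an sp
 * part-way up it as a function call would leave it, and recover the pid by
 * masking sp. Returns the pid found, or -1 if the aligned allocation fails. */
static int lookup_pid_via_sp(int pid, struct mm_struct *mm)
{
    struct task_struct task = { .pid = pid, .mm = mm };
    void *stack;
    if (posix_memalign(&stack, THREAD_SIZE, THREAD_SIZE) != 0)
        return -1;
    memset(stack, 0, THREAD_SIZE);
    ((struct thread_info *)stack)->task = &task;

    unsigned long sp = (unsigned long)stack + THREAD_SIZE - 256;
    int found = current_from_sp(sp)->pid;

    free(stack);
    return found;
}

int main(void)
{
    printf("CPL of this process: %d\n", read_cpl());
    printf("task found from fake sp: pid %d\n", lookup_pid_via_sp(4242, NULL));
    return 0;
}
```

Run from user space on x86, read_cpl() returns 3; the same read executed in a kernel module would return 0, which is the "watch it continuously" caveat above: CPL tells you the mode at the instant you sample it, not which task is running. The selectors 0x10 and 0x33 are x86-64 Linux's __KERNEL_CS and __USER_CS, which decode to CPL 0 and 3. The masked-sp walk is exactly what Dave means by "subject to change": later kernels moved thread_info into task_struct and keep current elsewhere (a per-CPU variable on x86, a dedicated register on arm64), so in real code use current and leave the layout to the architecture headers.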


