

## Recall: Second-Chance List Algorithm (Rearrangement)



- Split memory in two: Active list (RW), SC list (Invalid)
- · Access pages in Active list at full speed
- Otherwise, Page Fault
  - Always move overflow page from end of Active list to front of Second-chance list (SC) and mark invalid
  - Desired Page On SC List: move to front of Active list, mark RW



Lec 19.3



#### Recall: Second-Chance List Algorithm (Page in from Disk)



- Split memory in two: Active list (RW), SC list (Invalid)
- · Access pages in Active list at full speed
- Otherwise, Page Fault
  - Always move overflow page from end of Active list to front of Second-chance list (SC) and mark invalid
  - Desired Page On SC List: move to front of Active list, mark RW
  - Not on SC list: page in to front of Active list, mark RW; page out LRU victim at end of SC list Kubiatowicz CS162 © UCB Spring 2024





- Collected together in lower physical memory
- Can be accessed in kernel virtual space
- Linked together in various "LRU" lists
- · For 32-bit virtual memory architectures:
  - When physical memory < 896MB
    - » All physical memory mapped at 0xC0000000
  - When physical memory >= 896MB
    - » Not all physical memory mapped in kernel space all the time
    - » Can be temporarily mapped with addresses > 0xCC000000
- · For 64-bit virtual memory architectures:

4/2/2024

- All physical memory mapped above 0xFFFF80000000000

Lec 19.11

Exploit speculative execution to observe contents of kernel memory
1: // Set up side channel (array flushed from cache)
2: uchar array[256 \* 4096];
3: flush(array); // Make sure array out of cache
4: try { // ... catch and ignore SIGSEGV (illegal access)
5: uchar result = \*(uchar \*)kernel address; // Try access!
6: uchar dummy = array[result \* 4096]; // leak info!
7: } catch(){;} // Could use signal() and setjmp/longjmp
8: // scan through 256 array slots to determine which loaded
Some details:

Reason we skip 4096 for each value: avoid hardware cache prefetch
Note that value detected by fact that one cache line is loaded
Catch and ignore page fault: set signal handler for SIGSEGV, can use setjump/longjmp....

Patch: Need different page tables for user and kernel

Without PCID tag in TLB, flush TLB twice on syscall (800% overhead!)
Need at least Linux v 4.14 which utilizes PCID tag in new hardware to avoid flushing when change address space

Fix: better hardware without timing side-channels

Mostly implemented, but related problem (Spectre) much harder to fix



## **Recall: Range of Timescales**



Example: Device Transfer Rates in Mb/s (Sun Enterprise 6000)



### Recall: Recent Intel Chipset I/O Configuration





- Common set of wires for communication among hardware devices plus protocols for carrying out data transfer transactions
  - Operations: e.g., Read, Write
  - Control lines, Address lines, Data lines
  - Typically multiple devices
- Protocol: initiator requests access, arbitration to grant, identification of recipient, handshake to convey address, length, data
- Very high BW close to processor (wide, fast, and inflexible), low BW with high flexibility out in I/O subsystem

| Kubiatowicz | CS162 | © UCB | Spring | 2024 |
|-------------|-------|-------|--------|------|
|             |       |       |        |      |

Lec 19.22

## Why a Bus?

- Buses let us connect *n* devices over a single set of wires, connections, and protocols
  - $O(n^2)$  relationships with 1 set of wires (!)
- · Downside: Only one transaction at a time
  - The rest must wait
  - "Arbitration" aspect of bus protocol ensures the rest wait



**PCI Bus Evolution** 

- · PCI started life out as a physical (parallel) bus
  - Example: 32-bit system  $\Rightarrow$  32 address wires, 32 data wires, power, control
- · But a parallel bus has many limitations
  - Multiplexing address/data for many requests
  - Slowest devices must be able to tell what's happening (e.g., for arbitration)
  - Capacitance increases with each device you attach  $\Rightarrow$ Slowing down bus accesses!
  - Bus speed is set to that of the slowest device

Lec 19.23

4/2/2024



## How does the Processor Talk to the Device?



# Port-Mapped I/O in Pintos Speaker Driver

|          | Pintos: devices/speaker.c                                                                |    | Pintos: threads/io.h                                                   |
|----------|------------------------------------------------------------------------------------------|----|------------------------------------------------------------------------|
|          | /* Sets the PC speaker to emit a tone at the given FREQUENCY, in                         |    |                                                                        |
| 14       | Hz. */                                                                                   | 7  | /* Reads and returns a byte from PORT. */                              |
|          | void                                                                                     | 8  | static inline uint8_t                                                  |
|          | <pre>speaker_on (int frequency)</pre>                                                    | 9  | inb (uint16 t port)                                                    |
|          | (                                                                                        | 10 |                                                                        |
| 18       | if (frequency >= 20 && frequency <= 20000)                                               | 10 | /* See [IA32-v2a] "IN". */                                             |
|          | {                                                                                        |    | a local element donale analia del                                      |
|          | /" Set the timer channel that's connected to the speaker to                              | 12 | uint8_t data;                                                          |
|          | output a square wave at the given FREQUENCY, then                                        | 13 | <pre>asm volatile ("inb %w1, %b0" : "=a" (data) : "Nd" (port));</pre>  |
|          | connect the timer channel output to the speaker. */                                      | 14 | return data;                                                           |
|          | <pre>enum intr_level old_level = intr_disable ();</pre>                                  | 15 | }                                                                      |
| 24       | <pre>pit_configure_channel (2, 3, frequency);</pre>                                      |    |                                                                        |
|          | <pre>outb (SPEAKER_PORT_GATE, inb (SPEAKER_PORT_GATE)   SPEAKER_GATE_ENABLE);</pre>      |    |                                                                        |
|          | <pre>intr_set_level (old_level);</pre>                                                   |    |                                                                        |
|          | )<br>else                                                                                |    | (* 11.21                                                               |
|          | else                                                                                     | 64 | /* Writes byte DATA to PORT. */                                        |
|          | /* FREQUENCY is outside the range of normal human hearing.                               | 65 | static inline void                                                     |
|          | Just turn off the speaker. */                                                            | 66 | outb (uint16_t port, uint8_t data)                                     |
|          | <pre>speaker_off ();</pre>                                                               | 67 | 1                                                                      |
|          | }                                                                                        |    |                                                                        |
|          | }                                                                                        | 68 | /* See [IA32-v2b] "OUT". */                                            |
|          |                                                                                          | 69 | <pre>asm volatile ("outb %b0, %w1" : : "a" (data), "Nd" (port));</pre> |
| 36       | /* Turn off the PC speaker, by disconnecting the timer channel's                         | 70 | }                                                                      |
|          | output from the speaker. */                                                              |    |                                                                        |
| 38       | void                                                                                     |    |                                                                        |
| 39       | speaker_off (void)                                                                       |    |                                                                        |
| 40       | (                                                                                        |    |                                                                        |
| 41       | <pre>onum_intr_level old_levelintr_disable ();</pre>                                     |    |                                                                        |
| 42       | <pre>outb (SPEAKER_PORT_GATE, inb (SPEAKER_PORT_GATE) &amp; ~SPEAKER_GATE_ENABLE);</pre> |    |                                                                        |
| 43       | <pre>intr_set_level (old_level);</pre>                                                   |    |                                                                        |
| 4/2/2024 | V Kubiatowicz CS162 © UCB Spring 2024                                                    |    |                                                                        |

## Example: Memory-Mapped Display Controller

#### · Memory-Mapped: - Hardware maps control registers and display memory into physical address space » Addresses set by HW jumpers or at boot time - Simply writing to display memory (also called the "frame buffer") changes image on screen

- » Addr: 0x8000F000 0x8000FFFF
- Writing graphics description to cmd queue
  - » Say enter a set of triangles describing some scene
  - » Addr: 0x80010000 0x8001FFFF
- Writing to the command register may cause on-board graphics hardware to do something
  - » Say render the above scene
  - » Addr: 0x0007F004
- Can protect with address translation

4/2/2024



### **Operational Parameters for I/O**

 Data granularity: Byte vs. Block Some devices provide single byte at a time (e.g., keyboard) - Others provide whole blocks (e.g., disks, networks, etc.) Access pattern: Sequential vs. Random - Some devices must be accessed sequentially (e.g., tape) - Others can be accessed "randomly" (e.g., disk, cd, etc.) » Fixed overhead to start transfers - Some devices require continual monitoring - Others generate interrupts when they need service Transfer Mechanism: Programmed IO and DMA Lec 19.29 4/2/2024 Kubiatowicz CS162 © UCB Spring 2024 Lec 19.30

## Transferring Data To/From Controller

Kubiatowicz CS162 © UCB Spring 2024

#### Programmed I/O:

- Each byte transferred via processor in/out or load/store
- Pro: Simple hardware, easy to program
- Con: Consumes processor cycles proportional to data size

#### Direct Memory Access:

- Give controller access to memory bus
- Ask it to transfer data blocks to/from
- memory directly
- · Sample interaction with DMA controller (from OSC book):



# Transferring Data To/From Controller

- Programmed I/O:
  - Each byte transferred via processor in/out or load/store
  - Pro: Simple hardware, easy to program
  - Con: Consumes processor cycles proportional to data size

#### Direct Memory Access:

- Give controller access to memory bus
- Ask it to transfer data blocks to/from memory directly
- Sample interaction with DMA controller (from OSC book):



Lec 19.31

## I/O Device Notifying the OS



## **Recall: Device Drivers**

- Device Driver: Device-specific code in the kernel that interacts directly with the device hardware
  - Supports a standard, internal interface
  - Same kernel I/O system can interact easily with different device drivers
  - Special device-specific configuration supported with the ioctl() system call
- · Device Drivers typically divided into two pieces:
  - Top half: accessed in call path from system calls
    - » implements a set of standard, cross-device calls like open(), close(), read(), write(), ioctl(), strategy()
    - » This is the kernel's interface to the device driver
    - » Top half will start I/O to device, may put thread to sleep until finished
  - Bottom half: run as interrupt routine
    - » Gets input or transfers next block of output
    - » May wake sleeping threads if I/O now complete

## Recall: Life Cycle of An I/O Request

**Kernel Device Structure** 



Lec 19.35

4/2/2024

Lec 19.34

