SEP bit disabled in FC

Arjan van de Ven arjanv at redhat.com
Fri Jun 10 07:32:55 UTC 2005


On Thu, 2005-06-09 at 21:25 -0400, Dave Jones wrote:
> On Thu, Jun 09, 2005 at 06:22:05PM -0700, Jeffrey Buell wrote:
>  > In arch/i386/kernel/cpu/common.c:
>  > 
>  >         /* hack: disable SEP for non-NX cpus; SEP breaks Execshield. */
>  >         #ifdef CONFIG_HIGHMEM64G
>  >         if (!test_bit(X86_FEATURE_NX, c->x86_capability))
>  >         #endif
>  >                 clear_bit(X86_FEATURE_SEP, c->x86_capability);
>  > 
>  > So, in order to enable Execshield, the SEP cpu bit (sysenter/sysexit) has to
>  > be turned off.  But this costs a lot of performance: as much as 2.5X in
>  > syscall-heavy benchmarks (e.g., process tests in lmbench).
>  > 
>  > How permanent is this hack?  Will Execshield be fixed (or removed) by FC5?
> 
> It was going to be reeanbled for FC4, but due to a last minute glitch,
> (which we think we fixed), we disabled for it for the release with
> the intention of reenabling it in the first kernel update that goes
> out for FC4.

You're confusing VDSO page with SEP. You can't have both SEP and the
segment limit part of execshield at the same time.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20050610/ba89cb58/attachment.sig>


More information about the fedora-devel-list mailing list