1. Patchew
  2. QEMU
  3. [PULL 000/113] First batch of misc (i386, kernel-doc, memory, vl.c) changes for QEMU 6.0
  4. View patch

[PULL 003/113] target/i386: seg_helper: Correct segement selector nullification in the RET/IRET helper

Paolo Bonzini posted 113 patches 5 years, 2 months ago
Maintainers: Radoslaw Biernacki <rad@semihalf.com>, Igor Mammedov <imammedo@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, Michael Rolnik <mrolnik@gmail.com>, Tyrone Ting <kfting@nuvoton.com>, "Daniel P. Berrangé" <berrange@redhat.com>, "Cédric Le Goater" <clg@kaod.org>, Sunil Muthuswamy <sunilmut@microsoft.com>, Aurelien Jarno <aurelien@aurel32.net>, Halil Pasic <pasic@linux.ibm.com>, Rob Herring <robh@kernel.org>, Alexander Bulekov <alxndr@bu.edu>, Sarah Harris <S.E.Harris@kent.ac.uk>, Sagar Karandikar <sagark@eecs.berkeley.edu>, Alistair Francis <alistair@alistair23.me>, David Hildenbrand <david@redhat.com>, BALATON Zoltan <balaton@eik.bme.hu>, Andrew Jeffery <andrew@aj.id.au>, "Michael S. Tsirkin" <mst@redhat.com>, Antony Pavlov <antonynpavlov@gmail.com>, Stefano Stabellini <sstabellini@kernel.org>, Laszlo Ersek <lersek@redhat.com>, Leif Lindholm <leif@nuviainc.com>, Juan Quintela <quintela@redhat.com>, Cornelia Huck <cohuck@redhat.com>, David Gibson <david@gibson.dropbear.id.au>, "Edgar E. Iglesias" <edgar.iglesias@gmail.com>, Stefan Hajnoczi <stefanha@redhat.com>, Laurent Vivier <laurent@vivier.eu>, Jiaxun Yang <jiaxun.yang@flygoat.com>, Bandan Das <bsd@redhat.com>, "Dr. David Alan Gilbert" <dgilbert@redhat.com>, Michael Walle <michael@walle.cc>, Artyom Tarasenko <atar4qemu@gmail.com>, Markus Armbruster <armbru@redhat.com>, Havard Skinnemoen <hskinnemoen@google.com>, Gerd Hoffmann <kraxel@redhat.com>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>, Peter Maydell <peter.maydell@linaro.org>, Cleber Rosa <crosa@redhat.com>, "Philippe Mathieu-Daudé" <f4bug@amsat.org>, Palmer Dabbelt <palmer@dabbelt.com>, Anthony Perard <anthony.perard@citrix.com>, "Hervé Poussineau" <hpoussin@reactos.org>, Fabien Chouteau <chouteau@adacore.com>, Paul Durrant <paul@xen.org>, Joel Stanley <joel@jms.id.au>, Bastian Koppelmann <kbastian@mail.uni-paderborn.de>, Helge Deller <deller@gmx.de>, Paolo Bonzini <pbonzini@redhat.com>, Thomas Huth <thuth@redhat.com>, Marcelo Tosatti <mtosatti@redhat.com>, Chris Wulff <crwulff@gmail.com>, Thomas Huth <huth@tuxfamily.org>, Marek Vasut <marex@denx.de>, Huacai Chen <chenhc@lemote.com>, Alistair Francis <Alistair.Francis@wdc.com>, John Snow <jsnow@redhat.com>, Eduardo Habkost <ehabkost@redhat.com>, Laurent Vivier <lvivier@redhat.com>, Andrzej Zaborowski <balrogg@gmail.com>, Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>, Christian Borntraeger <borntraeger@de.ibm.com>, KONRAD Frederic <frederic.konrad@adacore.com>
There is a newer version of this series
[PULL 003/113] target/i386: seg_helper: Correct segement selector nullification in the RET/IRET helper
Posted by Paolo Bonzini 5 years, 2 months ago 
From: Bin Meng <bin.meng@windriver.com>

Per the SDM, when returning to outer privilege level, for segment
registers (ES, FS, GS, and DS) if the check fails, the segment
selector becomes null, but QEMU clears the base/limit/flags as well
as nullifying the segment selector, which should be a spec violation.

Real hardware seems to be compliant with the spec, at least on one
Coffee Lake board I tested.

Signed-off-by: Bin Meng <bin.meng@windriver.com>

Message-Id: <1605261378-77971-1-git-send-email-bmeng.cn@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target/i386/seg_helper.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/target/i386/seg_helper.c b/target/i386/seg_helper.c
index 09b6554660..e6ffa1f018 100644
--- a/target/i386/seg_helper.c
+++ b/target/i386/seg_helper.c
@@ -2108,7 +2108,10 @@ static inline void validate_seg(CPUX86State *env, int seg_reg, int cpl)
     if (!(e2 & DESC_CS_MASK) || !(e2 & DESC_C_MASK)) {
         /* data or non conforming code segment */
         if (dpl < cpl) {
-            cpu_x86_load_seg_cache(env, seg_reg, 0, 0, 0, 0);
+            cpu_x86_load_seg_cache(env, seg_reg, 0,
+                                   env->segs[seg_reg].base,
+                                   env->segs[seg_reg].limit,
+                                   env->segs[seg_reg].flags & ~DESC_P_MASK);
         }
     }
 }
-- 
2.26.2

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.