target/i386/tcg/seg_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
The stack can be 32-bit even in real mode, and in this case
the stack pointer must be updated in its entirety rather than
just the bottom 16 bits. The same is true of real mode IRET,
for which there was even a comment suggesting the right thing
to do.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1506
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/tcg/seg_helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 667b1c38696..227336c4ef2 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -1161,7 +1161,7 @@ static void do_interrupt_real(CPUX86State *env, int intno, int is_int,
sa.env = env;
sa.ra = 0;
sa.sp = env->regs[R_ESP];
- sa.sp_mask = 0xffff;
+ sa.sp_mask = get_sp_mask(env->segs[R_SS].flags);
sa.ss_base = env->segs[R_SS].base;
sa.mmu_index = x86_mmu_index_pl(env, 0);
@@ -1964,7 +1964,7 @@ void helper_iret_real(CPUX86State *env, int shift)
sa.env = env;
sa.ra = GETPC();
sa.mmu_index = x86_mmu_index_pl(env, 0);
- sa.sp_mask = 0xffff; /* XXXX: use SS segment size? */
+ sa.sp_mask = get_sp_mask(env->segs[R_SS].flags);
sa.sp = env->regs[R_ESP];
sa.ss_base = env->segs[R_SS].base;
--
2.51.1On 11/15/25 02:54, Paolo Bonzini wrote: > The stack can be 32-bit even in real mode, and in this case > the stack pointer must be updated in its entirety rather than > just the bottom 16 bits. The same is true of real mode IRET, > for which there was even a comment suggesting the right thing > to do. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1506 > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > --- > target/i386/tcg/seg_helper.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) Applied, thanks. Please update https://wiki.qemu.org/ChangeLog/10.2 as appropriate. r~ > > diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c > index 667b1c38696..227336c4ef2 100644 > --- a/target/i386/tcg/seg_helper.c > +++ b/target/i386/tcg/seg_helper.c > @@ -1161,7 +1161,7 @@ static void do_interrupt_real(CPUX86State *env, int intno, int is_int, > sa.env = env; > sa.ra = 0; > sa.sp = env->regs[R_ESP]; > - sa.sp_mask = 0xffff; > + sa.sp_mask = get_sp_mask(env->segs[R_SS].flags); > sa.ss_base = env->segs[R_SS].base; > sa.mmu_index = x86_mmu_index_pl(env, 0); > > @@ -1964,7 +1964,7 @@ void helper_iret_real(CPUX86State *env, int shift) > sa.env = env; > sa.ra = GETPC(); > sa.mmu_index = x86_mmu_index_pl(env, 0); > - sa.sp_mask = 0xffff; /* XXXX: use SS segment size? */ > + sa.sp_mask = get_sp_mask(env->segs[R_SS].flags); > sa.sp = env->regs[R_ESP]; > sa.ss_base = env->segs[R_SS].base; >
On Sat, Nov 15, 2025 at 1:25 PM Richard Henderson <richard.henderson@linaro.org> wrote: > > On 11/15/25 02:54, Paolo Bonzini wrote: > > The stack can be 32-bit even in real mode, and in this case > > the stack pointer must be updated in its entirety rather than > > just the bottom 16 bits. The same is true of real mode IRET, > > for which there was even a comment suggesting the right thing > > to do. > > > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1506 > > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > > --- > > target/i386/tcg/seg_helper.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > Applied, thanks. Please update https://wiki.qemu.org/ChangeLog/10.2 as appropriate. Cc: qemu-stable@nongnu.org
© 2016 - 2025 Red Hat, Inc.