From nobody Sun Sep 28 14:52:13 2025
Date: Thu, 25 Sep 2025 10:30:56 +0000
Subject: [PATCH 1/2] i386/cpu: Prevent delivering SIPI during SMM in TCG mode
From: YiFei Zhu
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini, Zhao Liu, Richard Henderson, Eduardo Habkost, qemu-stable@nongnu.org, unvariant.winter@gmail.com, YiFei Zhu, YiFei Zhu

A malicious kernel may control the instruction pointer in SMM in a
multi-processor VM by sending a sequence of IPIs via APIC:

CPU0                              CPU1
IPI(CPU1, MODE_INIT)
                                  x86_cpu_exec_reset()
                                    apic_init_reset()
                                      s->wait_for_sipi = true
IPI(CPU1, MODE_SMI)
                                  do_smm_enter()
                                    env->hflags |= HF_SMM_MASK;
IPI(CPU1, MODE_STARTUP, vector)
                                  do_cpu_sipi()
                                    apic_sipi()
                                      /* s->wait_for_sipi check passes */
                                      cpu_x86_load_seg_cache_sipi(vector)

A different sequence, SMI INIT SIPI, is also buggy in TCG because INIT
is not blocked or latched during SMM.
However, it is not vulnerable to an instruction pointer control in the
same way because x86_cpu_exec_reset clears env->hflags, exiting SMM.

Fixes: a9bad65d2c1f ("target-i386: wake up processors that receive an SMI")
Signed-off-by: YiFei Zhu
---
 target/i386/cpu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 6d85149e6e..697cc4e63b 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -9762,7 +9762,8 @@ int x86_cpu_pending_interrupt(CPUState *cs, int inter= rupt_request) if (interrupt_request & CPU_INTERRUPT_POLL) { return CPU_INTERRUPT_POLL; } - if (interrupt_request & CPU_INTERRUPT_SIPI) { + if ((interrupt_request & CPU_INTERRUPT_SIPI) && + !(env->hflags & HF_SMM_MASK)) { return CPU_INTERRUPT_SIPI; } =20 --=20 2.51.0.536.g15c5d4f767-goog
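Review bot: the new condition only stops x86_cpu_pending_interrupt from selecting CPU_INTERRUPT_SIPI while HF_SMM_MASK is set; the request bit itself is left in interrupt_request, so a SIPI that arrives in SMM is effectively latched and will be picked up by this same check once HF_SMM_MASK is cleared on RSM. If latching (rather than discarding) is the intended behaviour, please say so in a short comment above the if, for instance "SIPI is blocked, not lost, while in SMM; it is delivered after RSM", so the next reader does not mistake the check for a drop. The commit message also states that the SMI INIT SIPI ordering remains wrong because INIT is neither blocked nor latched during SMM; it would help to note there that this hunk deliberately leaves INIT untouched and whether a follow-up is planned. Finally, env is used in the new condition but the visible context only shows cs in the function signature; confirm env is derived earlier in the function.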
Date: Thu, 25 Sep 2025 10:30:57 +0000
Message-ID: <2bacb9b24e9d337dbe48791aa25d349eb9c52c3a.1758794468.git.zhuyifei@google.com>
Subject: [PATCH 2/2] i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit
From: YiFei Zhu
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini, Zhao Liu, Richard Henderson, Eduardo Habkost, qemu-stable@nongnu.org, unvariant.winter@gmail.com, YiFei Zhu, YiFei Zhu

do_smm_enter and helper_rsm set env->dr but do not sync the values with
cpu_x86_update_dr7. A malicious kernel may control the instruction
pointer in SMM by setting a breakpoint on the SMI entry point: after
do_smm_enter, cpu->breakpoints still contains the stale breakpoint, and
because the IDT is not reloaded upon SMI entry, the debug exception
handler controlled by the malicious kernel is invoked.

Fixes: 01df040b5247 ("x86: Debug register emulation (Jan Kiszka)")
Reported-by: unvariant.winter@gmail.com
Signed-off-by: YiFei Zhu --- target/i386/tcg/system/smm_helper.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/target/i386/tcg/system/smm_helper.c b/target/i386/tcg/system/s= mm_helper.c index 251eb7856c..fb028a8272 100644 --- a/target/i386/tcg/system/smm_helper.c +++ b/target/i386/tcg/system/smm_helper.c @@ -168,7 +168,7 @@ void do_smm_enter(X86CPU *cpu) env->cr[0] & ~(CR0_PE_MASK | CR0_EM_MASK | CR0_TS_M= ASK | CR0_PG_MASK)); cpu_x86_update_cr4(env, 0); - env->dr[7] =3D 0x00000400; + helper_set_dr(env, 7, 0x00000400); =20 cpu_x86_load_seg_cache(env, R_CS, (env->smbase >> 4) & 0xffff, env->sm= base, 0xffffffff, @@ -233,8 +233,8 @@ void helper_rsm(CPUX86State *env) env->eip =3D x86_ldq_phys(cs, sm_state + 0x7f78); cpu_load_eflags(env, x86_ldl_phys(cs, sm_state + 0x7f70), ~(CC_O | CC_S | CC_Z | CC_A | CC_P | CC_C | DF_MASK)); - env->dr[6] =3D x86_ldl_phys(cs, sm_state + 0x7f68); - env->dr[7] =3D x86_ldl_phys(cs, sm_state + 0x7f60); + helper_set_dr(env, 6, x86_ldl_phys(cs, sm_state + 0x7f68)); + helper_set_dr(env, 7, x86_ldl_phys(cs, sm_state + 0x7f60)); =20 cpu_x86_update_cr4(env, x86_ldl_phys(cs, sm_state + 0x7f48)); cpu_x86_update_cr3(env, x86_ldq_phys(cs, sm_state + 0x7f50)); @@ -268,8 +268,8 @@ void helper_rsm(CPUX86State *env) env->regs[R_EDX] =3D x86_ldl_phys(cs, sm_state + 0x7fd8); env->regs[R_ECX] =3D x86_ldl_phys(cs, sm_state + 0x7fd4); env->regs[R_EAX] =3D x86_ldl_phys(cs, sm_state + 0x7fd0); - env->dr[6] =3D x86_ldl_phys(cs, sm_state + 0x7fcc); - env->dr[7] =3D x86_ldl_phys(cs, sm_state + 0x7fc8); + helper_set_dr(env, 6, x86_ldl_phys(cs, sm_state + 0x7fcc)); + helper_set_dr(env, 7, x86_ldl_phys(cs, sm_state + 0x7fc8)); =20 env->tr.selector =3D x86_ldl_phys(cs, sm_state + 0x7fc4) & 0xffff; env->tr.base =3D x86_ldl_phys(cs, sm_state + 0x7f64); --=20 2.51.0.536.g15c5d4f767-goog
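Review bot: in the do_smm_enter hunk, the commit message identifies cpu_x86_update_dr7 as the missing synchronisation, yet the fix routes through helper_set_dr(env, 7, 0x00000400). That is fine if helper_set_dr's register-7 path is nothing more than cpu_x86_update_dr7, but helper_set_dr is a TCG helper normally invoked from translated code, whereas do_smm_enter runs from the interrupt-delivery path with no translated-block return address; please confirm that the register 6 and 7 cases cannot raise an exception through the helper's fault path, or call cpu_x86_update_dr7(env, 0x00000400) directly here, which states the intent and sidesteps the question. A one-line comment that a plain env->dr[7] store leaves cpu->breakpoints stale (the bug the message describes) would also guard against someone restoring the direct assignment later.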
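Review bot: the two helper_rsm hunks (the 64-bit save-state fields at 0x7f68/0x7f60 and the 32-bit ones at 0x7fcc/0x7fc8) are the same in shape, and both load DR6 and DR7 from guest-writable SMRAM, so the values handed to helper_set_dr are fully under the guest's control; the same "must go through helper_set_dr so that cpu->breakpoints is resynced" comment belongs at both sites. Since the commit message spells out the exact failure scenario, this is also a good candidate for a regression test that arms a DR7 breakpoint on the SMI entry point, raises an SMI, checks that no #DB is taken inside SMM, and checks that the breakpoint is honoured again after RSM; without such a test nothing prevents a later refactor from reintroducing the raw env->dr[] stores.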