From mboxrd@z Thu Jan 1 00:00:00 1970
From: Nadav Amit
Subject: Re: [PATCH 20/21] KVM: x86: MOVNTI emulation min opsize is not respected
Date: Wed, 5 Nov 2014 21:58:37 +0200
Message-ID: <0C6FC6CA-5323-4CDB-9CDD-80040C26DFA0@gmail.com>
References: <1414922101-17626-1-git-send-email-namit@cs.technion.ac.il> <1414922101-17626-21-git-send-email-namit@cs.technion.ac.il> <545A15B3.9020608@redhat.com>
In-Reply-To: <545A15B3.9020608@redhat.com>
To: Paolo Bonzini
Cc: Nadav Amit , kvm@vger.kernel.org
List-ID: 

> On Nov 5, 2014, at 14:18, Paolo Bonzini wrote:
>
> On 02/11/2014 10:55, Nadav Amit wrote:
>> Commit 3b32004a66e9 ("KVM: x86: movnti minimum op size of 32-bit is not kept")
>> did not fully fix the minimum operand size of MOVNTI emulation. Still, MOVNTI
>> may be mistakenly performed using 16-bit opsize.
>>
>> This patch adds a No16 flag to mark that an instruction does not support 16-bit
>> operand size.
>
> So a
>
> .byte 0x66
> movntiw (%esi), %eax
>
> will zero the higher two bytes of %eax before this patch, and load 4
> bytes from (%esi) after?
>

Well, actually the 0x66 prefix is an illegal prefix for this instruction, so it will cause #UD.

But if the default operand size is 16 (e.g., CS.D = 0), then yes - after this patch it will load 4 bytes from (%esi), and this is the expected behaviour.

Here is a small test to show the behaviour (build with -m32).
We set CS to a 16-bit segment, so the default operand size is 16-bit, but 32 bits are assigned. If you replace movntil with movl, you'll see only 16 bits are stored, as you would expect from mov.

---
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/ldt.h>

int main()
{
	unsigned int a = 0;
	unsigned int b = 0x87654321u;
	/* LDT entry 0: 16-bit (seg_32bit = 0) code segment (contents = 2), base 0, 4GB limit */
	struct user_desc d = {
		.entry_number = 0,
		.base_addr = 0,
		.limit = 0xfffffu,
		.seg_32bit = 0,
		.contents = 2,
		.read_exec_only = 1,
		.limit_in_pages = 1,
		.seg_not_present = 0,
		.useable = 1,
	};

	/* glibc declares no modify_ldt() wrapper, so invoke the syscall directly */
	syscall(SYS_modify_ldt, 1, &d, sizeof(d));

	asm volatile (
		"lcall $0x7, $1f\n\t"		/* far call into LDT selector 7 (entry 0, RPL 3) */
		"jmp 2f\n\t"
		"1: .byte 0x67\n\t"		/* address-size override: 32-bit address in %eax */
		"movntil %%ebx, (%%eax)\n\t"	/* no 0x66 prefix: default (16-bit) operand size */
		".byte 0x66\n\t"		/* operand-size override: 32-bit far return */
		"lret\n\t"
		"2:\n\t"
		: : "a"(&a), "b"(b) : "memory");

	printf("result %x\n", a);
	return 0;
}
---

Nadav
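The operand-size decision discussed in this thread, as a constructed model added here (not KVM's emulator code): it walks the prefix bytes of a MOVNTI encoding and applies the No16 rule, with the 0x66 case treated as #UD as stated in the reply above; the before/after switch and the REX.W handling for 64-bit mode are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>

#define OPSIZE_UD (-1)   /* the instruction raises #UD */

/* Constructed model (not KVM's code) of how MOVNTI's operand size is chosen.
 * insn: raw bytes, prefixes first; cs_d: CS.D (0 = 16-bit default segment);
 * long_mode: 64-bit code segment; no16_fixed: apply the No16 rule from this patch. */
int movnti_opsize(const uint8_t *insn, size_t len, int cs_d, int long_mode,
                  int no16_fixed)
{
    size_t i = 0;
    int opsize_prefix = 0, rex_w = 0;

    /* Skip legacy prefixes, remembering whether 0x66 (operand size) was seen.
     * 0x67 (address size, as in the test above) does not affect operand size. */
    while (i < len) {
        uint8_t b = insn[i];
        if (b == 0x66)
            opsize_prefix = 1;
        else if (b != 0x67 && b != 0xf0 && b != 0xf2 && b != 0xf3 &&
                 b != 0x26 && b != 0x2e && b != 0x36 && b != 0x3e &&
                 b != 0x64 && b != 0x65)
            break;
        i++;
    }
    /* A REX prefix (0x40-0x4f) is only meaningful in 64-bit mode. */
    if (long_mode && i < len && (insn[i] & 0xf0) == 0x40) {
        rex_w = (insn[i] & 0x08) != 0;
        i++;
    }
    if (i + 1 >= len || insn[i] != 0x0f || insn[i + 1] != 0xc3)
        return OPSIZE_UD;                 /* not MOVNTI (0F C3 /r) */
    if (opsize_prefix)
        return OPSIZE_UD;                 /* 0x66 is illegal for MOVNTI, per the reply above */
    if (long_mode)
        return rex_w ? 64 : 32;
    int opsize = cs_d ? 32 : 16;          /* segment default size */
    if (!no16_fixed)
        return opsize;                    /* before the patch: 16-bit store in a 16-bit segment */
    return opsize < 32 ? 32 : opsize;     /* No16: 16-bit opsize is promoted to 32 */
}
```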