[Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements

[Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements

[Jan Kiszka]

This is the series of patches we generated while developing a
kqemu-1.4.0pre1-based prototype for guests that make real use of x86
segments. If anyone is interested and maintaining some kqemu repos, pick
them up as you like, they are for free (GPLv2).

There is one more change set: An optimization of the segment cache
emulation, but that one never truely stabilized (and I do not want to
make anyone go through the same debugging pain we went, so I'm not
posting that bits ;) ).


Jan Kiszka (5):
      kqemu: x86-64: Run 16-bit-stack-return in ring 0
      kqemu: i386: Reorder DS and ES on exception stack
      kqemu: Fix forbidden selector range change
      kqemu: Implement verr/verw in the monitor code interpreter
      kqemu: Implement lar/lsl in the monitor code interpreter

 common/i386/monitor_asm.S |   16 ++--
 common/interp.c           |  189 +++++++++++++++++++++++++++++++++++++++++++-
 common/kernel.c           |    8 +-
 common/kqemu_int.h        |    6 +-
 4 files changed, 199 insertions(+), 20 deletions(-)

--
Siemens AG, Corporate Technology, CT SE 2
Corporate Competence Center Embedded Linux

[Qemu-devel] [PATCH 4/5] kqemu: Implement verr/verw in the monitor code interpreter

[Jan Kiszka]

This avoids user space for handling verr/verw via TCG.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

 common/interp.c |   71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 70 insertions(+), 1 deletions(-)

diff --git a/common/interp.c b/common/interp.c
index 4c042e9..4f93bc3 100644
--- a/common/interp.c
+++ b/common/interp.c
@@ -1720,6 +1720,65 @@ void helper_lldt(struct kqemu_state *s, int selector)
     env->ldt.selector = selector;
 }
 
+static void helper_verr(struct kqemu_state *s, int selector)
+{
+    uint32_t e1, e2;
+    int rpl, dpl, cpl;
+
+    if ((selector & 0xfffc) == 0)
+        goto fail;
+    if (load_segment(s, &e1, &e2, selector) != 0)
+        goto fail;
+    if (!(e2 & DESC_S_MASK))
+        goto fail;
+    rpl = selector & 3;
+    dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+    cpl = s->cpu_state.cpl;
+    if (e2 & DESC_CS_MASK) {
+        if (!(e2 & DESC_R_MASK))
+            goto fail;
+        if (!(e2 & DESC_C_MASK)) {
+            if (dpl < cpl || dpl < rpl)
+                goto fail;
+        }
+    } else {
+        if (dpl < cpl || dpl < rpl) {
+        fail:
+            set_reset_eflags(s, 0, CC_Z);
+            return;
+        }
+    }
+    set_reset_eflags(s, CC_Z, 0);
+}
+
+static void helper_verw(struct kqemu_state *s, int selector)
+{
+    uint32_t e1, e2;
+    int rpl, dpl, cpl;
+
+    if ((selector & 0xfffc) == 0)
+        goto fail;
+    if (load_segment(s, &e1, &e2, selector) != 0)
+        goto fail;
+    if (!(e2 & DESC_S_MASK))
+        goto fail;
+    rpl = selector & 3;
+    dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+    cpl = s->cpu_state.cpl;
+    if (e2 & DESC_CS_MASK) {
+        goto fail;
+    } else {
+        if (dpl < cpl || dpl < rpl)
+            goto fail;
+        if (!(e2 & DESC_W_MASK)) {
+        fail:
+            set_reset_eflags(s, 0, CC_Z);
+            return;
+        }
+    }
+    set_reset_eflags(s, CC_Z, 0);
+}
+
 static void helper_wrmsr(struct kqemu_state *s)
 {
 #ifdef __x86_64__
@@ -4479,7 +4538,17 @@ QO(                 case OT_LONG | 8:\
             case 5: /* verw */
                 if (!(s->cpu_state.cr0 & CR0_PE_MASK) || get_eflags_vm(s))
                     goto illegal_op;
-                raise_exception(s, KQEMU_RET_SOFTMMU);
+                if (mod == 3) {
+                    rm = (modrm & 7) | REX_B(s);
+                    val = get_regS(s, OT_WORD, rm) & 0xffff;
+                } else {
+                    addr = get_modrm(s, modrm);
+                    val = ldS(s, OT_WORD, addr);
+                }
+                if (op == 4)
+                    helper_verr(s, val);
+                else
+                    helper_verw(s, val);
                 break;
             default:
                 goto illegal_op;

[Qemu-devel] [PATCH 5/5] kqemu: Implement lar/lsl in the monitor code interpreter

[Jan Kiszka]

This avoids user space for handling lar/lsl via TCG.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

 common/interp.c |  111 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 109 insertions(+), 2 deletions(-)

diff --git a/common/interp.c b/common/interp.c
index 4f93bc3..577d666 100644
--- a/common/interp.c
+++ b/common/interp.c
@@ -1720,6 +1720,93 @@ void helper_lldt(struct kqemu_state *s, int selector)
     env->ldt.selector = selector;
 }
 
+static int helper_lar(struct kqemu_state *s, int selector)
+{
+    uint32_t e1, e2;
+    int rpl, dpl, cpl, type;
+
+    if ((selector & 0xfffc) == 0)
+        goto fail;
+    if (load_segment(s, &e1, &e2, selector) != 0)
+        goto fail;
+    rpl = selector & 3;
+    dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+    cpl = s->cpu_state.cpl;
+    if (e2 & DESC_S_MASK) {
+        if ((e2 & DESC_CS_MASK) && (e2 & DESC_C_MASK)) {
+            /* conforming */
+        } else {
+            if (dpl < cpl || dpl < rpl)
+                goto fail;
+        }
+    } else {
+        type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
+        switch(type) {
+        case 1:
+        case 2:
+        case 3:
+        case 4:
+        case 5:
+        case 9:
+        case 11:
+        case 12:
+            break;
+        default:
+            goto fail;
+        }
+        if (dpl < cpl || dpl < rpl) {
+        fail:
+            set_reset_eflags(s, 0, CC_Z);
+            return 0;
+        }
+    }
+    set_reset_eflags(s, CC_Z, 0);
+    return e2 & 0x00f0ff00;
+}
+
+static int helper_lsl(struct kqemu_state *s, int selector)
+{
+    unsigned int limit;
+    uint32_t e1, e2;
+    int rpl, dpl, cpl, type;
+
+    if ((selector & 0xfffc) == 0)
+        goto fail;
+    if (load_segment(s, &e1, &e2, selector) != 0)
+        goto fail;
+    rpl = selector & 3;
+    dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+    cpl = s->cpu_state.cpl;
+    if (e2 & DESC_S_MASK) {
+        if ((e2 & DESC_CS_MASK) && (e2 & DESC_C_MASK)) {
+            /* conforming */
+        } else {
+            if (dpl < cpl || dpl < rpl)
+                goto fail;
+        }
+    } else {
+        type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
+        switch(type) {
+        case 1:
+        case 2:
+        case 3:
+        case 9:
+        case 11:
+            break;
+        default:
+            goto fail;
+        }
+        if (dpl < cpl || dpl < rpl) {
+        fail:
+            set_reset_eflags(s, 0, CC_Z);
+            return 0;
+        }
+    }
+    limit = get_seg_limit(e1, e2);
+    set_reset_eflags(s, CC_Z, 0);
+    return limit;
+}
+
 static void helper_verr(struct kqemu_state *s, int selector)
 {
     uint32_t e1, e2;
@@ -4616,6 +4703,28 @@ QO(                 case OT_LONG | 8:\
                 goto illegal_op;
             }
             goto insn_next;
+        LABEL(102) /* lar */
+        LABEL(103) /* lsl */
+            if (!(s->cpu_state.cr0 & CR0_PE_MASK) || get_eflags_vm(s))
+                goto illegal_op;
+            ot = s->dflag + OT_WORD;
+            modrm = ldub_code(s);
+            mod = (modrm >> 6);
+            if (mod == 3) {
+                rm = (modrm & 7) | REX_B(s);
+                val = get_regS(s, OT_WORD, rm) & 0xffff;
+            } else {
+                addr = get_modrm(s, modrm);
+                val = ldS(s, OT_WORD, addr);
+            }
+            rm = ((modrm >> 3) & 7) | REX_R(s);
+            if (b == 0x102)
+                val = helper_lar(s, val);
+            else
+                val = helper_lsl(s, val);
+            if (s->regs1.eflags & CC_Z)
+                set_regS(s, ot, rm, val);
+            goto insn_next;
         LABEL(108) /* invd */
         LABEL(109) /* wbinvd */
             if (s->cpu_state.cpl != 0) 
@@ -5214,8 +5323,6 @@ QO(                 case OT_LONG | 8:\
     LABEL(10b)
     LABEL(10a)
     LABEL(104)
-    LABEL(103)
-    LABEL(102)
     LABEL(f1)
     LABEL(e2)
     LABEL(e1)

[Qemu-devel] [PATCH 1/5] kqemu: x86-64: Run 16-bit-stack-return in ring 0

[Jan Kiszka]

The fix-up code for returning to 16 bit stack segments is currently
executed in ring 1. This has the side effect that the interrupt flag
remains cleared on return from ring 1 to the guest's ring 3 as its
IOPL is 0 (ie. iret can only modify IF when run in ring 0).

Fix this by moving the 32 bit return trampoline into ring 0.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

 common/kernel.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/common/kernel.c b/common/kernel.c
index 6a88452..1d7a69e 100644
--- a/common/kernel.c
+++ b/common/kernel.c
@@ -422,8 +422,8 @@ struct kqemu_state *kqemu_init(struct kqemu_init *d,
 #ifdef __x86_64__
     s->monitor_ds_sel = 0; /* no need for a specific data segment */
     /* used for 16 bit esp fix */
-    s->monitor_cs32_sel = (s->monitor_selector_base + (7 << 3)) | 1;
-    s->monitor_ss16_sel = (s->monitor_selector_base + (6 << 3)) | 1;
+    s->monitor_cs32_sel = s->monitor_selector_base + (7 << 3);
+    s->monitor_ss16_sel = s->monitor_selector_base + (6 << 3);
     s->monitor_ss_null_sel = (s->monitor_selector_base + (1 << 3)) | 3;
 #else
     s->monitor_ds_sel = s->monitor_selector_base + (1 << 3);
@@ -495,9 +495,9 @@ struct kqemu_state *kqemu_init(struct kqemu_init *d,
                 0, 0xfffff, 0xa09a); /* long mode segment */
         set_seg((uint32_t *)(dt_table + (s->monitor_ss16_sel >> 3)),
                 (s->monitor_data_vaddr + offsetof(struct kqemu_state, stack)) & ~0xffff, 
-                0xffff, 0x00b2); /* SS16 segment for 16 bit ESP fix */
+                0xffff, 0x0092); /* SS16 segment for 16 bit ESP fix */
         set_seg((uint32_t *)(dt_table + (s->monitor_cs32_sel >> 3)),
-                0, 0xfffff, 0xc0ba); /* CS32 segment for 16 bit ESP fix */
+                0, 0xfffff, 0xc09a); /* CS32 segment for 16 bit ESP fix */
         set_seg((uint32_t *)(dt_table + (s->monitor_ss_null_sel >> 3)),
                 0, 0, 0x40f2); /* substitute for null SS segment */
 #else

[Qemu-devel] [PATCH 2/5] kqemu: i386: Reorder DS and ES on exception stack

[Jan Kiszka]

This is a KQEMU upstream bug: In case the non-trivial paths of
LOAD_SEG_CACHE in exception_return are taken for both DS and ES, the
current code will break as it assumes to read from the monitor's DS in
the restore code for ES. Fix this by swapping both segments on the stack
so that ES is always restored before DS.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

 common/i386/monitor_asm.S |   16 ++++++++--------
 common/kqemu_int.h        |    6 +++---
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/common/i386/monitor_asm.S b/common/i386/monitor_asm.S
index 04f4258..e996553 100644
--- a/common/i386/monitor_asm.S
+++ b/common/i386/monitor_asm.S
@@ -214,8 +214,8 @@ __monitor_exception:
         pushl %edx
         pushl %ecx
         pushl %eax
-        pushl %es
         pushl %ds
+        pushl %es
 
 /* compute the address of the monitor context */
         call 1f
@@ -260,17 +260,17 @@ exception_return:
         cmpb $3, KQEMU_STATE_cpu_state_cpl(%ebx)
         je normal_seg_load
         popl %eax
-        LOAD_SEG_CACHE(%ds, R_DS, (11 * 4))
+        LOAD_SEG_CACHE(%es, R_ES, (11 * 4))
         popl %eax
-        LOAD_SEG_CACHE(%es, R_ES, (10 * 4))
+        LOAD_SEG_CACHE(%ds, R_DS, (10 * 4))
         jmp 2f
 normal_seg_load:        
 #endif        
 1:
-        popl %ds
+        popl %es
         SEG_EXCEPTION(1b)
 1:
-        popl %es
+        popl %ds
         SEG_EXCEPTION(1b)
 2:      
                 
@@ -295,10 +295,10 @@ SEG_EXCEPTION(1b)
 
 exception_return_to_monitor:
 1:
-        popl %ds
+        popl %es
         SEG_EXCEPTION(1b)
 1:
-        popl %es
+        popl %ds
         SEG_EXCEPTION(1b)
         popl %eax
         popl %ecx
@@ -363,8 +363,8 @@ __monitor_interrupt:
         pushl %edx
         pushl %ecx
         pushl %eax
-        pushl %es
         pushl %ds
+        pushl %es
         
 /* compute the address of the monitor context */
         call 1f
diff --git a/common/kqemu_int.h b/common/kqemu_int.h
index f19f7ca..4b59cb3 100644
--- a/common/kqemu_int.h
+++ b/common/kqemu_int.h
@@ -367,10 +367,10 @@ struct kqemu_exception_regs {
 };
 #else
 struct kqemu_exception_regs {
-    uint16_t ds_sel; /* 0 */
-    uint16_t ds_sel_h;
-    uint16_t es_sel; /* 1 */
+    uint16_t es_sel; /* 0 */
     uint16_t es_sel_h;
+    uint16_t ds_sel; /* 1 */
+    uint16_t ds_sel_h;
     uint32_t eax;    /* 2 */
     uint32_t ecx;
     uint32_t edx;

[Qemu-devel] [PATCH 3/5] kqemu: Fix forbidden selector range change

[Jan Kiszka]

Do not bail out on LDT selectors that match the reserved monitor GDT
selector range. At this chance, improve the related panic message.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

 common/interp.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/common/interp.c b/common/interp.c
index 088d2b2..4c042e9 100644
--- a/common/interp.c
+++ b/common/interp.c
@@ -775,9 +775,12 @@ static void load_seg_desc(struct kqemu_state *s,
 #ifdef DEBUG_SEG
     monitor_log(s, "load_seg_desc: reg=%d sel=0x%04x\n", seg_reg, selector);
 #endif
-    if (selector >= s->monitor_selector_base &&
+    if (!(selector & 0x4) && selector >= s->monitor_selector_base &&
         selector <= (s->monitor_selector_base + MONITOR_SEL_RANGE)) {
-        monitor_panic(s, "Trying to load a reserved selector\n");
+        monitor_panic(s, "Trying to load a reserved selector "
+                         "(reg=%d sel=0x%04x cs:ip=%04x:" FMT_lx ")\n",
+                      seg_reg, selector, env->segs[R_CS].selector,
+                      (unsigned long)env->eip);
     }
 
     if ((selector & 0xfffc) == 0) {

Re: [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements

[Andreas Färber]

Hi,

Am 29.05.2009 um 19:18 schrieb Jan Kiszka:

> This is the series of patches we generated while developing a
> kqemu-1.4.0pre1-based prototype for guests that make real use of x86
> segments. If anyone is interested and maintaining some kqemu repos,  
> pick
> them up as you like, they are for free (GPLv2).

I'd like to push them to http://repo.or.cz/w/kqemu.git
Do you have them on a Git branch I can pull from?

Andreas

> There is one more change set: An optimization of the segment cache
> emulation, but that one never truely stabilized (and I do not want to
> make anyone go through the same debugging pain we went, so I'm not
> posting that bits ;) ).
>
>
> Jan Kiszka (5):
>      kqemu: x86-64: Run 16-bit-stack-return in ring 0
>      kqemu: i386: Reorder DS and ES on exception stack
>      kqemu: Fix forbidden selector range change
>      kqemu: Implement verr/verw in the monitor code interpreter
>      kqemu: Implement lar/lsl in the monitor code interpreter
>
> common/i386/monitor_asm.S |   16 ++--
> common/interp.c           |  189 ++++++++++++++++++++++++++++++++++++ 
> +++++++-
> common/kernel.c           |    8 +-
> common/kqemu_int.h        |    6 +-
> 4 files changed, 199 insertions(+), 20 deletions(-)
>
> --
> Siemens AG, Corporate Technology, CT SE 2
> Corporate Competence Center Embedded Linux
>
>

[Qemu-devel] Re: [PATCH 0/5] Some small kqemu fixes and enhancements

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 514 bytes --]

Andreas Färber wrote:
> Hi,
> 
> Am 29.05.2009 um 19:18 schrieb Jan Kiszka:
> 
>> This is the series of patches we generated while developing a
>> kqemu-1.4.0pre1-based prototype for guests that make real use of x86
>> segments. If anyone is interested and maintaining some kqemu repos, pick
>> them up as you like, they are for free (GPLv2).
> 
> I'd like to push them to http://repo.or.cz/w/kqemu.git
> Do you have them on a Git branch I can pull from?

Sorry, not in a public repository.

Jan


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 257 bytes --]

Re: [Qemu-devel] Re: [PATCH 0/5] Some small kqemu fixes and enhancements

[Andreas Färber]

Am 30.05.2009 um 10:01 schrieb Jan Kiszka:

> Andreas Färber wrote:
>> Am 29.05.2009 um 19:18 schrieb Jan Kiszka:
>>
>>> This is the series of patches we generated while developing a
>>> kqemu-1.4.0pre1-based prototype for guests that make real use of x86
>>> segments. If anyone is interested and maintaining some kqemu  
>>> repos, pick
>>> them up as you like, they are for free (GPLv2).
>>
>> I'd like to push them to http://repo.or.cz/w/kqemu.git
>> Do you have them on a Git branch I can pull from?
>
> Sorry, not in a public repository.

`git am` kept saying the patches didn't apply, but it turns out `patch  
-p1` worked okay.

Thanks,
Andreas