From: Richard Henderson <richard.henderson@linaro.org>
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, f4bug@amsat.org, ehabkost@redhat.com,
	cfontana@suse.de
Subject: [PATCH v2 08/50] target/i386: Assert IOPL is 0 for user-only
Date: Fri, 14 May 2021 10:13:00 -0500	[thread overview]
Message-ID: <20210514151342.384376-9-richard.henderson@linaro.org> (raw)
In-Reply-To: <20210514151342.384376-1-richard.henderson@linaro.org>

On real hardware, the linux kernel has the iopl(2) syscall which
can set IOPL to 3, to allow e.g. the xserver to briefly disable
interrupts while programming the graphics card.

However, QEMU cannot and does not implement this syscall, so the
IOPL is never changed from 0.  This means that all of the checks
of the form CPL <= IOPL are false for user-only.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/tcg/translate.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index 4c9194416d..b8cb7163ee 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -97,6 +97,7 @@ typedef struct DisasContext {
 
 #ifndef CONFIG_USER_ONLY
     uint8_t cpl;   /* code priv level */
+    uint8_t iopl;  /* i/o priv level */
 #endif
 
     int code32; /* 32 bit code segment */
@@ -116,7 +117,6 @@ typedef struct DisasContext {
     int addseg; /* non zero if either DS/ES/SS have a non zero base */
     int f_st;   /* currently unused */
     int vm86;   /* vm86 mode */
-    int iopl;
     int tf;     /* TF cpu flag */
     int jmp_opt; /* use direct block chaining for direct jumps */
     int repz_opt; /* optimize jumps within repz instructions */
@@ -153,9 +153,11 @@ typedef struct DisasContext {
 #ifdef CONFIG_USER_ONLY
 #define PE(S)     true
 #define CPL(S)    3
+#define IOPL(S)   0
 #else
 #define PE(S)     (((S)->flags & HF_PE_MASK) != 0)
 #define CPL(S)    ((S)->cpl)
+#define IOPL(S)   ((S)->iopl)
 #endif
 
 static void gen_eob(DisasContext *s);
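Review bot: The user-only `IOPL(S)` definition hard-codes `0` with no comment saying why, and the reasoning (QEMU does not implement iopl(2), so the guest can never raise IOPL) survives only in the commit message. A one-line comment above the `#ifdef CONFIG_USER_ONLY` block, e.g. `/* User-only: iopl(2) is not emulated, so PE, CPL and IOPL are fixed constants. */`, keeps that invariant beside the constants it justifies. It is also worth stating there that every `CPL(s) <= IOPL(s)` comparison becomes a compile-time false under user-only, so the privileged branches in the callers below are dead code in that configuration, which is the intended effect rather than a lost check.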
@@ -629,7 +631,7 @@ static void gen_check_io(DisasContext *s, MemOp ot, target_ulong cur_eip,
 {
     target_ulong next_eip;
 
-    if (PE(s) && (CPL(s) > s->iopl || s->vm86)) {
+    if (PE(s) && (CPL(s) > IOPL(s) || s->vm86)) {
         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
         switch (ot) {
         case MO_8:
@@ -1307,7 +1309,7 @@ static bool check_cpl0(DisasContext *s)
 /* If vm86, check for iopl == 3; if not, raise #GP and return false. */
 static bool check_vm86_iopl(DisasContext *s)
 {
-    if (!s->vm86 || s->iopl == 3) {
+    if (!s->vm86 || IOPL(s) == 3) {
         return true;
     }
     gen_exception_gpf(s);
@@ -1317,7 +1319,7 @@ static bool check_vm86_iopl(DisasContext *s)
 /* Check for iopl allowing access; if not, raise #GP and return false. */
 static bool check_iopl(DisasContext *s)
 {
-    if (s->vm86 ? s->iopl == 3 : CPL(s) <= s->iopl) {
+    if (s->vm86 ? IOPL(s) == 3 : CPL(s) <= IOPL(s)) {
         return true;
     }
     gen_exception_gpf(s);
@@ -6756,7 +6758,7 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
                                                           & 0xffff));
                 }
             } else {
-                if (CPL(s) <= s->iopl) {
+                if (CPL(s) <= IOPL(s)) {
                     if (dflag != MO_16) {
                         gen_helper_write_eflags(cpu_env, s->T0,
                                                 tcg_const_i32((TF_MASK |
@@ -8474,23 +8476,25 @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
     CPUX86State *env = cpu->env_ptr;
     uint32_t flags = dc->base.tb->flags;
     int cpl = (flags >> HF_CPL_SHIFT) & 3;
+    int iopl = (flags >> IOPL_SHIFT) & 3;
 
     dc->cs_base = dc->base.tb->cs_base;
     dc->flags = flags;
 #ifndef CONFIG_USER_ONLY
     dc->cpl = cpl;
+    dc->iopl = iopl;
 #endif
 
     /* We make some simplifying assumptions; validate they're correct. */
     g_assert(PE(dc) == ((flags & HF_PE_MASK) != 0));
     g_assert(CPL(dc) == cpl);
+    g_assert(IOPL(dc) == iopl);
 
     dc->code32 = (flags >> HF_CS32_SHIFT) & 1;
     dc->ss32 = (flags >> HF_SS32_SHIFT) & 1;
     dc->addseg = (flags >> HF_ADDSEG_SHIFT) & 1;
     dc->f_st = 0;
     dc->vm86 = (flags >> VM_SHIFT) & 1;
-    dc->iopl = (flags >> IOPL_SHIFT) & 3;
     dc->tf = (flags >> TF_SHIFT) & 1;
     dc->cc_op = CC_OP_DYNAMIC;
     dc->cc_op_dirty = false;
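Review bot: `g_assert(IOPL(dc) == iopl)` turns any non-zero IOPL bits in the TB flags into an emulator abort under user-only, so the assert is only as safe as the guarantee that no user-only path ever writes those bits into eflags, and the hunk does not say where that guarantee comes from. I would extend the existing comment above the asserts to name the dependency, e.g. `/* User-only: iopl(2) is not emulated, so the IOPL field of eflags stays 0. */`, so that a later change to the eflags write mask does not silently turn this into a guest-reachable abort. The local `iopl` is computed unconditionally but, like `cpl`, only stored under `#ifndef CONFIG_USER_ONLY`; that keeps the two consistent and is fine as long as g_assert is never compiled out, which I believe QEMU's build already requires.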
-- 
2.25.1


