* [PATCH 1/3] target/i386: tcg: fix segment register offsets for 16-bit TSS
2021-06-03 14:27 [PATCH 0/3] target/i386: tcg: fixes for 16-bit protected mode tasks Paolo Bonzini
@ 2021-06-03 14:27 ` Paolo Bonzini
2021-06-03 14:41 ` Peter Maydell
2021-06-03 14:27 ` [PATCH 2/3] target/i386: tcg: fix loading of registers from " Paolo Bonzini
2021-06-03 14:27 ` [PATCH 3/3] target/i386: tcg: fix switching from 16-bit to 32-bit tasks or vice versa Paolo Bonzini
2 siblings, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2021-06-03 14:27 UTC (permalink / raw)
To: qemu-devel; +Cc: Peter Maydell
The TSS offsets in the manuals have only 2-byte slots for the
segment registers. QEMU incorrectly uses 4-byte slots, so
that SS overlaps the LDT selector.
Resolves: #382
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/tcg/seg_helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 2f6cdc8239..547b959689 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -281,7 +281,7 @@ static void switch_tss_ra(CPUX86State *env, int tss_selector,
retaddr) | 0xffff0000;
}
for (i = 0; i < 4; i++) {
- new_segs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x22 + i * 4),
+ new_segs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x22 + i * 2),
retaddr);
}
new_ldt = cpu_lduw_kernel_ra(env, tss_base + 0x2a, retaddr);
@@ -349,7 +349,7 @@ static void switch_tss_ra(CPUX86State *env, int tss_selector,
cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 6 * 2), env->regs[R_ESI], retaddr);
cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 7 * 2), env->regs[R_EDI], retaddr);
for (i = 0; i < 4; i++) {
- cpu_stw_kernel_ra(env, env->tr.base + (0x22 + i * 4),
+ cpu_stw_kernel_ra(env, env->tr.base + (0x22 + i * 2),
env->segs[i].selector, retaddr);
}
}
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/3] target/i386: tcg: fix loading of registers from 16-bit TSS
2021-06-03 14:27 [PATCH 0/3] target/i386: tcg: fixes for 16-bit protected mode tasks Paolo Bonzini
2021-06-03 14:27 ` [PATCH 1/3] target/i386: tcg: fix segment register offsets for 16-bit TSS Paolo Bonzini
@ 2021-06-03 14:27 ` Paolo Bonzini
2021-06-03 14:27 ` [PATCH 3/3] target/i386: tcg: fix switching from 16-bit to 32-bit tasks or vice versa Paolo Bonzini
2 siblings, 0 replies; 5+ messages in thread
From: Paolo Bonzini @ 2021-06-03 14:27 UTC (permalink / raw)
To: qemu-devel
According to the manual, the high 16-bit of the registers are preserved
when switching to a 16-bit task. Implement this in switch_tss_ra.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/tcg/seg_helper.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 547b959689..2112c5fc51 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -277,8 +277,7 @@ static void switch_tss_ra(CPUX86State *env, int tss_selector,
new_eip = cpu_lduw_kernel_ra(env, tss_base + 0x0e, retaddr);
new_eflags = cpu_lduw_kernel_ra(env, tss_base + 0x10, retaddr);
for (i = 0; i < 8; i++) {
- new_regs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x12 + i * 2),
- retaddr) | 0xffff0000;
+ new_regs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x12 + i * 2), retaddr);
}
for (i = 0; i < 4; i++) {
new_segs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x22 + i * 2),
@@ -391,19 +390,17 @@ static void switch_tss_ra(CPUX86State *env, int tss_selector,
env->eip = new_eip;
eflags_mask = TF_MASK | AC_MASK | ID_MASK |
IF_MASK | IOPL_MASK | VM_MASK | RF_MASK | NT_MASK;
- if (!(type & 8)) {
- eflags_mask &= 0xffff;
+ if (type & 8) {
+ cpu_load_eflags(env, new_eflags, eflags_mask);
+ for (i = 0; i < 8; i++) {
+ env->regs[i] = new_regs[i];
+ }
+ } else {
+ cpu_load_eflags(env, new_eflags, eflags_mask & 0xffff);
+ for (i = 0; i < 8; i++) {
+ env->regs[i] = (env->regs[i] & 0xffff0000) | new_regs[i];
+ }
}
- cpu_load_eflags(env, new_eflags, eflags_mask);
- /* XXX: what to do in 16 bit case? */
- env->regs[R_EAX] = new_regs[0];
- env->regs[R_ECX] = new_regs[1];
- env->regs[R_EDX] = new_regs[2];
- env->regs[R_EBX] = new_regs[3];
- env->regs[R_ESP] = new_regs[4];
- env->regs[R_EBP] = new_regs[5];
- env->regs[R_ESI] = new_regs[6];
- env->regs[R_EDI] = new_regs[7];
if (new_eflags & VM_MASK) {
for (i = 0; i < 6; i++) {
load_seg_vm(env, i, new_segs[i]);
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 3/3] target/i386: tcg: fix switching from 16-bit to 32-bit tasks or vice versa
2021-06-03 14:27 [PATCH 0/3] target/i386: tcg: fixes for 16-bit protected mode tasks Paolo Bonzini
2021-06-03 14:27 ` [PATCH 1/3] target/i386: tcg: fix segment register offsets for 16-bit TSS Paolo Bonzini
2021-06-03 14:27 ` [PATCH 2/3] target/i386: tcg: fix loading of registers from " Paolo Bonzini
@ 2021-06-03 14:27 ` Paolo Bonzini
2 siblings, 0 replies; 5+ messages in thread
From: Paolo Bonzini @ 2021-06-03 14:27 UTC (permalink / raw)
To: qemu-devel
The format of the task state segment is governed by bit 3 in the
descriptor type field. On a task switch, the format for saving
is given by the current value of TR's type field, while the
format for loading is given by the new descriptor.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/tcg/seg_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 2112c5fc51..3ed20ca31d 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -319,7 +319,7 @@ static void switch_tss_ra(CPUX86State *env, int tss_selector,
}
/* save the current state in the old TSS */
- if (type & 8) {
+ if (old_type & 8) {
/* 32 bit */
cpu_stl_kernel_ra(env, env->tr.base + 0x20, next_eip, retaddr);
cpu_stl_kernel_ra(env, env->tr.base + 0x24, old_eflags, retaddr);
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread