* [Qemu-devel] [PATCH 4/5] kqemu: Implement verr/verw in the monitor code interpreter
2009-05-29 17:18 [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements Jan Kiszka
@ 2009-05-29 17:18 ` Jan Kiszka
2009-05-29 17:18 ` [Qemu-devel] [PATCH 3/5] kqemu: Fix forbidden selector range change Jan Kiszka
` (4 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Jan Kiszka @ 2009-05-29 17:18 UTC (permalink / raw)
To: qemu-devel
This avoids user space for handling verr/verw via TCG.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
common/interp.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 70 insertions(+), 1 deletions(-)
diff --git a/common/interp.c b/common/interp.c
index 4c042e9..4f93bc3 100644
--- a/common/interp.c
+++ b/common/interp.c
@@ -1720,6 +1720,65 @@ void helper_lldt(struct kqemu_state *s, int selector)
env->ldt.selector = selector;
}
+static void helper_verr(struct kqemu_state *s, int selector)
+{
+ uint32_t e1, e2;
+ int rpl, dpl, cpl;
+
+ if ((selector & 0xfffc) == 0)
+ goto fail;
+ if (load_segment(s, &e1, &e2, selector) != 0)
+ goto fail;
+ if (!(e2 & DESC_S_MASK))
+ goto fail;
+ rpl = selector & 3;
+ dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+ cpl = s->cpu_state.cpl;
+ if (e2 & DESC_CS_MASK) {
+ if (!(e2 & DESC_R_MASK))
+ goto fail;
+ if (!(e2 & DESC_C_MASK)) {
+ if (dpl < cpl || dpl < rpl)
+ goto fail;
+ }
+ } else {
+ if (dpl < cpl || dpl < rpl) {
+ fail:
+ set_reset_eflags(s, 0, CC_Z);
+ return;
+ }
+ }
+ set_reset_eflags(s, CC_Z, 0);
+}
+
+static void helper_verw(struct kqemu_state *s, int selector)
+{
+ uint32_t e1, e2;
+ int rpl, dpl, cpl;
+
+ if ((selector & 0xfffc) == 0)
+ goto fail;
+ if (load_segment(s, &e1, &e2, selector) != 0)
+ goto fail;
+ if (!(e2 & DESC_S_MASK))
+ goto fail;
+ rpl = selector & 3;
+ dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+ cpl = s->cpu_state.cpl;
+ if (e2 & DESC_CS_MASK) {
+ goto fail;
+ } else {
+ if (dpl < cpl || dpl < rpl)
+ goto fail;
+ if (!(e2 & DESC_W_MASK)) {
+ fail:
+ set_reset_eflags(s, 0, CC_Z);
+ return;
+ }
+ }
+ set_reset_eflags(s, CC_Z, 0);
+}
+
static void helper_wrmsr(struct kqemu_state *s)
{
#ifdef __x86_64__
@@ -4479,7 +4538,17 @@ QO( case OT_LONG | 8:\
case 5: /* verw */
if (!(s->cpu_state.cr0 & CR0_PE_MASK) || get_eflags_vm(s))
goto illegal_op;
- raise_exception(s, KQEMU_RET_SOFTMMU);
+ if (mod == 3) {
+ rm = (modrm & 7) | REX_B(s);
+ val = get_regS(s, OT_WORD, rm) & 0xffff;
+ } else {
+ addr = get_modrm(s, modrm);
+ val = ldS(s, OT_WORD, addr);
+ }
+ if (op == 4)
+ helper_verr(s, val);
+ else
+ helper_verw(s, val);
break;
default:
goto illegal_op;
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 3/5] kqemu: Fix forbidden selector range change
2009-05-29 17:18 [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements Jan Kiszka
2009-05-29 17:18 ` [Qemu-devel] [PATCH 4/5] kqemu: Implement verr/verw in the monitor code interpreter Jan Kiszka
@ 2009-05-29 17:18 ` Jan Kiszka
2009-05-29 17:18 ` [Qemu-devel] [PATCH 1/5] kqemu: x86-64: Run 16-bit-stack-return in ring 0 Jan Kiszka
` (3 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Jan Kiszka @ 2009-05-29 17:18 UTC (permalink / raw)
To: qemu-devel
Do not bail out on LDT selectors that match the reserved monitor GDT
selector range. At this chance, improve the related panic message.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
common/interp.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/common/interp.c b/common/interp.c
index 088d2b2..4c042e9 100644
--- a/common/interp.c
+++ b/common/interp.c
@@ -775,9 +775,12 @@ static void load_seg_desc(struct kqemu_state *s,
#ifdef DEBUG_SEG
monitor_log(s, "load_seg_desc: reg=%d sel=0x%04x\n", seg_reg, selector);
#endif
- if (selector >= s->monitor_selector_base &&
+ if (!(selector & 0x4) && selector >= s->monitor_selector_base &&
selector <= (s->monitor_selector_base + MONITOR_SEL_RANGE)) {
- monitor_panic(s, "Trying to load a reserved selector\n");
+ monitor_panic(s, "Trying to load a reserved selector "
+ "(reg=%d sel=0x%04x cs:ip=%04x:" FMT_lx ")\n",
+ seg_reg, selector, env->segs[R_CS].selector,
+ (unsigned long)env->eip);
}
if ((selector & 0xfffc) == 0) {
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 1/5] kqemu: x86-64: Run 16-bit-stack-return in ring 0
2009-05-29 17:18 [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements Jan Kiszka
2009-05-29 17:18 ` [Qemu-devel] [PATCH 4/5] kqemu: Implement verr/verw in the monitor code interpreter Jan Kiszka
2009-05-29 17:18 ` [Qemu-devel] [PATCH 3/5] kqemu: Fix forbidden selector range change Jan Kiszka
@ 2009-05-29 17:18 ` Jan Kiszka
2009-05-29 17:18 ` [Qemu-devel] [PATCH 5/5] kqemu: Implement lar/lsl in the monitor code interpreter Jan Kiszka
` (2 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Jan Kiszka @ 2009-05-29 17:18 UTC (permalink / raw)
To: qemu-devel
The fix-up code for returning to 16 bit stack segments is currently
executed in ring 1. This has the side effect that the interrupt flag
remains cleared on return from ring 1 to the guest's ring 3 as its
IOPL is 0 (ie. iret can only modify IF when run in ring 0).
Fix this by moving the 32 bit return trampoline into ring 0.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
common/kernel.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/common/kernel.c b/common/kernel.c
index 6a88452..1d7a69e 100644
--- a/common/kernel.c
+++ b/common/kernel.c
@@ -422,8 +422,8 @@ struct kqemu_state *kqemu_init(struct kqemu_init *d,
#ifdef __x86_64__
s->monitor_ds_sel = 0; /* no need for a specific data segment */
/* used for 16 bit esp fix */
- s->monitor_cs32_sel = (s->monitor_selector_base + (7 << 3)) | 1;
- s->monitor_ss16_sel = (s->monitor_selector_base + (6 << 3)) | 1;
+ s->monitor_cs32_sel = s->monitor_selector_base + (7 << 3);
+ s->monitor_ss16_sel = s->monitor_selector_base + (6 << 3);
s->monitor_ss_null_sel = (s->monitor_selector_base + (1 << 3)) | 3;
#else
s->monitor_ds_sel = s->monitor_selector_base + (1 << 3);
@@ -495,9 +495,9 @@ struct kqemu_state *kqemu_init(struct kqemu_init *d,
0, 0xfffff, 0xa09a); /* long mode segment */
set_seg((uint32_t *)(dt_table + (s->monitor_ss16_sel >> 3)),
(s->monitor_data_vaddr + offsetof(struct kqemu_state, stack)) & ~0xffff,
- 0xffff, 0x00b2); /* SS16 segment for 16 bit ESP fix */
+ 0xffff, 0x0092); /* SS16 segment for 16 bit ESP fix */
set_seg((uint32_t *)(dt_table + (s->monitor_cs32_sel >> 3)),
- 0, 0xfffff, 0xc0ba); /* CS32 segment for 16 bit ESP fix */
+ 0, 0xfffff, 0xc09a); /* CS32 segment for 16 bit ESP fix */
set_seg((uint32_t *)(dt_table + (s->monitor_ss_null_sel >> 3)),
0, 0, 0x40f2); /* substitute for null SS segment */
#else
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 5/5] kqemu: Implement lar/lsl in the monitor code interpreter
2009-05-29 17:18 [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements Jan Kiszka
` (2 preceding siblings ...)
2009-05-29 17:18 ` [Qemu-devel] [PATCH 1/5] kqemu: x86-64: Run 16-bit-stack-return in ring 0 Jan Kiszka
@ 2009-05-29 17:18 ` Jan Kiszka
2009-05-29 17:18 ` [Qemu-devel] [PATCH 2/5] kqemu: i386: Reorder DS and ES on exception stack Jan Kiszka
2009-05-29 19:19 ` [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements Andreas Färber
5 siblings, 0 replies; 9+ messages in thread
From: Jan Kiszka @ 2009-05-29 17:18 UTC (permalink / raw)
To: qemu-devel
This avoids user space for handling lar/lsl via TCG.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
common/interp.c | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 109 insertions(+), 2 deletions(-)
diff --git a/common/interp.c b/common/interp.c
index 4f93bc3..577d666 100644
--- a/common/interp.c
+++ b/common/interp.c
@@ -1720,6 +1720,93 @@ void helper_lldt(struct kqemu_state *s, int selector)
env->ldt.selector = selector;
}
+static int helper_lar(struct kqemu_state *s, int selector)
+{
+ uint32_t e1, e2;
+ int rpl, dpl, cpl, type;
+
+ if ((selector & 0xfffc) == 0)
+ goto fail;
+ if (load_segment(s, &e1, &e2, selector) != 0)
+ goto fail;
+ rpl = selector & 3;
+ dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+ cpl = s->cpu_state.cpl;
+ if (e2 & DESC_S_MASK) {
+ if ((e2 & DESC_CS_MASK) && (e2 & DESC_C_MASK)) {
+ /* conforming */
+ } else {
+ if (dpl < cpl || dpl < rpl)
+ goto fail;
+ }
+ } else {
+ type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
+ switch(type) {
+ case 1:
+ case 2:
+ case 3:
+ case 4:
+ case 5:
+ case 9:
+ case 11:
+ case 12:
+ break;
+ default:
+ goto fail;
+ }
+ if (dpl < cpl || dpl < rpl) {
+ fail:
+ set_reset_eflags(s, 0, CC_Z);
+ return 0;
+ }
+ }
+ set_reset_eflags(s, CC_Z, 0);
+ return e2 & 0x00f0ff00;
+}
+
+static int helper_lsl(struct kqemu_state *s, int selector)
+{
+ unsigned int limit;
+ uint32_t e1, e2;
+ int rpl, dpl, cpl, type;
+
+ if ((selector & 0xfffc) == 0)
+ goto fail;
+ if (load_segment(s, &e1, &e2, selector) != 0)
+ goto fail;
+ rpl = selector & 3;
+ dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+ cpl = s->cpu_state.cpl;
+ if (e2 & DESC_S_MASK) {
+ if ((e2 & DESC_CS_MASK) && (e2 & DESC_C_MASK)) {
+ /* conforming */
+ } else {
+ if (dpl < cpl || dpl < rpl)
+ goto fail;
+ }
+ } else {
+ type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
+ switch(type) {
+ case 1:
+ case 2:
+ case 3:
+ case 9:
+ case 11:
+ break;
+ default:
+ goto fail;
+ }
+ if (dpl < cpl || dpl < rpl) {
+ fail:
+ set_reset_eflags(s, 0, CC_Z);
+ return 0;
+ }
+ }
+ limit = get_seg_limit(e1, e2);
+ set_reset_eflags(s, CC_Z, 0);
+ return limit;
+}
+
static void helper_verr(struct kqemu_state *s, int selector)
{
uint32_t e1, e2;
@@ -4616,6 +4703,28 @@ QO( case OT_LONG | 8:\
goto illegal_op;
}
goto insn_next;
+ LABEL(102) /* lar */
+ LABEL(103) /* lsl */
+ if (!(s->cpu_state.cr0 & CR0_PE_MASK) || get_eflags_vm(s))
+ goto illegal_op;
+ ot = s->dflag + OT_WORD;
+ modrm = ldub_code(s);
+ mod = (modrm >> 6);
+ if (mod == 3) {
+ rm = (modrm & 7) | REX_B(s);
+ val = get_regS(s, OT_WORD, rm) & 0xffff;
+ } else {
+ addr = get_modrm(s, modrm);
+ val = ldS(s, OT_WORD, addr);
+ }
+ rm = ((modrm >> 3) & 7) | REX_R(s);
+ if (b == 0x102)
+ val = helper_lar(s, val);
+ else
+ val = helper_lsl(s, val);
+ if (s->regs1.eflags & CC_Z)
+ set_regS(s, ot, rm, val);
+ goto insn_next;
LABEL(108) /* invd */
LABEL(109) /* wbinvd */
if (s->cpu_state.cpl != 0)
@@ -5214,8 +5323,6 @@ QO( case OT_LONG | 8:\
LABEL(10b)
LABEL(10a)
LABEL(104)
- LABEL(103)
- LABEL(102)
LABEL(f1)
LABEL(e2)
LABEL(e1)
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 2/5] kqemu: i386: Reorder DS and ES on exception stack
2009-05-29 17:18 [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements Jan Kiszka
` (3 preceding siblings ...)
2009-05-29 17:18 ` [Qemu-devel] [PATCH 5/5] kqemu: Implement lar/lsl in the monitor code interpreter Jan Kiszka
@ 2009-05-29 17:18 ` Jan Kiszka
2009-05-29 19:19 ` [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements Andreas Färber
5 siblings, 0 replies; 9+ messages in thread
From: Jan Kiszka @ 2009-05-29 17:18 UTC (permalink / raw)
To: qemu-devel
This is a KQEMU upstream bug: In case the non-trivial paths of
LOAD_SEG_CACHE in exception_return are taken for both DS and ES, the
current code will break as it assumes to read from the monitor's DS in
the restore code for ES. Fix this by swapping both segments on the stack
so that ES is always restored before DS.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
common/i386/monitor_asm.S | 16 ++++++++--------
common/kqemu_int.h | 6 +++---
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/common/i386/monitor_asm.S b/common/i386/monitor_asm.S
index 04f4258..e996553 100644
--- a/common/i386/monitor_asm.S
+++ b/common/i386/monitor_asm.S
@@ -214,8 +214,8 @@ __monitor_exception:
pushl %edx
pushl %ecx
pushl %eax
- pushl %es
pushl %ds
+ pushl %es
/* compute the address of the monitor context */
call 1f
@@ -260,17 +260,17 @@ exception_return:
cmpb $3, KQEMU_STATE_cpu_state_cpl(%ebx)
je normal_seg_load
popl %eax
- LOAD_SEG_CACHE(%ds, R_DS, (11 * 4))
+ LOAD_SEG_CACHE(%es, R_ES, (11 * 4))
popl %eax
- LOAD_SEG_CACHE(%es, R_ES, (10 * 4))
+ LOAD_SEG_CACHE(%ds, R_DS, (10 * 4))
jmp 2f
normal_seg_load:
#endif
1:
- popl %ds
+ popl %es
SEG_EXCEPTION(1b)
1:
- popl %es
+ popl %ds
SEG_EXCEPTION(1b)
2:
@@ -295,10 +295,10 @@ SEG_EXCEPTION(1b)
exception_return_to_monitor:
1:
- popl %ds
+ popl %es
SEG_EXCEPTION(1b)
1:
- popl %es
+ popl %ds
SEG_EXCEPTION(1b)
popl %eax
popl %ecx
@@ -363,8 +363,8 @@ __monitor_interrupt:
pushl %edx
pushl %ecx
pushl %eax
- pushl %es
pushl %ds
+ pushl %es
/* compute the address of the monitor context */
call 1f
diff --git a/common/kqemu_int.h b/common/kqemu_int.h
index f19f7ca..4b59cb3 100644
--- a/common/kqemu_int.h
+++ b/common/kqemu_int.h
@@ -367,10 +367,10 @@ struct kqemu_exception_regs {
};
#else
struct kqemu_exception_regs {
- uint16_t ds_sel; /* 0 */
- uint16_t ds_sel_h;
- uint16_t es_sel; /* 1 */
+ uint16_t es_sel; /* 0 */
uint16_t es_sel_h;
+ uint16_t ds_sel; /* 1 */
+ uint16_t ds_sel_h;
uint32_t eax; /* 2 */
uint32_t ecx;
uint32_t edx;
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements
2009-05-29 17:18 [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements Jan Kiszka
` (4 preceding siblings ...)
2009-05-29 17:18 ` [Qemu-devel] [PATCH 2/5] kqemu: i386: Reorder DS and ES on exception stack Jan Kiszka
@ 2009-05-29 19:19 ` Andreas Färber
2009-05-30 8:01 ` [Qemu-devel] " Jan Kiszka
5 siblings, 1 reply; 9+ messages in thread
From: Andreas Färber @ 2009-05-29 19:19 UTC (permalink / raw)
To: Jan Kiszka; +Cc: qemu-devel
Hi,
Am 29.05.2009 um 19:18 schrieb Jan Kiszka:
> This is the series of patches we generated while developing a
> kqemu-1.4.0pre1-based prototype for guests that make real use of x86
> segments. If anyone is interested and maintaining some kqemu repos,
> pick
> them up as you like, they are for free (GPLv2).
I'd like to push them to http://repo.or.cz/w/kqemu.git
Do you have them on a Git branch I can pull from?
Andreas
> There is one more change set: An optimization of the segment cache
> emulation, but that one never truely stabilized (and I do not want to
> make anyone go through the same debugging pain we went, so I'm not
> posting that bits ;) ).
>
>
> Jan Kiszka (5):
> kqemu: x86-64: Run 16-bit-stack-return in ring 0
> kqemu: i386: Reorder DS and ES on exception stack
> kqemu: Fix forbidden selector range change
> kqemu: Implement verr/verw in the monitor code interpreter
> kqemu: Implement lar/lsl in the monitor code interpreter
>
> common/i386/monitor_asm.S | 16 ++--
> common/interp.c | 189 ++++++++++++++++++++++++++++++++++++
> +++++++-
> common/kernel.c | 8 +-
> common/kqemu_int.h | 6 +-
> 4 files changed, 199 insertions(+), 20 deletions(-)
>
> --
> Siemens AG, Corporate Technology, CT SE 2
> Corporate Competence Center Embedded Linux
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Qemu-devel] Re: [PATCH 0/5] Some small kqemu fixes and enhancements
2009-05-29 19:19 ` [Qemu-devel] [PATCH 0/5] Some small kqemu fixes and enhancements Andreas Färber
@ 2009-05-30 8:01 ` Jan Kiszka
2009-05-30 9:25 ` Andreas Färber
0 siblings, 1 reply; 9+ messages in thread
From: Jan Kiszka @ 2009-05-30 8:01 UTC (permalink / raw)
To: Andreas Färber; +Cc: qemu-devel
[-- Attachment #1: Type: text/plain, Size: 514 bytes --]
Andreas Färber wrote:
> Hi,
>
> Am 29.05.2009 um 19:18 schrieb Jan Kiszka:
>
>> This is the series of patches we generated while developing a
>> kqemu-1.4.0pre1-based prototype for guests that make real use of x86
>> segments. If anyone is interested and maintaining some kqemu repos, pick
>> them up as you like, they are for free (GPLv2).
>
> I'd like to push them to http://repo.or.cz/w/kqemu.git
> Do you have them on a Git branch I can pull from?
Sorry, not in a public repository.
Jan
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 257 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] Re: [PATCH 0/5] Some small kqemu fixes and enhancements
2009-05-30 8:01 ` [Qemu-devel] " Jan Kiszka
@ 2009-05-30 9:25 ` Andreas Färber
0 siblings, 0 replies; 9+ messages in thread
From: Andreas Färber @ 2009-05-30 9:25 UTC (permalink / raw)
To: Jan Kiszka; +Cc: qemu-devel
Am 30.05.2009 um 10:01 schrieb Jan Kiszka:
> Andreas Färber wrote:
>> Am 29.05.2009 um 19:18 schrieb Jan Kiszka:
>>
>>> This is the series of patches we generated while developing a
>>> kqemu-1.4.0pre1-based prototype for guests that make real use of x86
>>> segments. If anyone is interested and maintaining some kqemu
>>> repos, pick
>>> them up as you like, they are for free (GPLv2).
>>
>> I'd like to push them to http://repo.or.cz/w/kqemu.git
>> Do you have them on a Git branch I can pull from?
>
> Sorry, not in a public repository.
`git am` kept saying the patches didn't apply, but it turns out `patch
-p1` worked okay.
Thanks,
Andreas
^ permalink raw reply [flat|nested] 9+ messages in thread