[PATCH] target/i386: fix access to the T bit of the TSS

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] target/i386: fix access to the T bit of the TSS
@ 2025-10-13 16:11 Paolo Bonzini
  2025-10-13 16:15 ` Thomas Huth
  0 siblings, 1 reply; 2+ messages in thread
From: Paolo Bonzini @ 2025-10-13 16:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Thomas Huth

The T bit is bit 0 of the 16-bit word at offset 100 of the TSS.  However,
accessing it with a 32-bit word is not really correct, because bytes
102-103 contain the I/O map base address (relative to the base of the
TSS) and bits 1-15 are reserved.  In particular, any task switch to a TSS that
has a nonzero I/O map base address is broken.

This fixes the eventinj and taskswitch tests in kvm-unit-tests.

Cc: qemu-stable@nongnu.org
Fixes: ad441b8b791 ("target/i386: implement TSS trap bit", 2025-05-12)
Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target/i386/tcg/seg_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 071f3fbd83d..f49fe851cdf 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -456,7 +456,7 @@ static void switch_tss_ra(CPUX86State *env, int tss_selector,
             new_segs[i] = access_ldw(&new, tss_base + (0x48 + i * 4));
         }
         new_ldt = access_ldw(&new, tss_base + 0x60);
-        new_trap = access_ldl(&new, tss_base + 0x64);
+        new_trap = access_ldw(&new, tss_base + 0x64) & 1;
     } else {
         /* 16 bit */
         new_cr3 = 0;
-- 
2.51.0



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] target/i386: fix access to the T bit of the TSS
  2025-10-13 16:11 [PATCH] target/i386: fix access to the T bit of the TSS Paolo Bonzini
@ 2025-10-13 16:15 ` Thomas Huth
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Huth @ 2025-10-13 16:15 UTC (permalink / raw)
  To: Paolo Bonzini, qemu-devel; +Cc: qemu-stable

On 13/10/2025 18.11, Paolo Bonzini wrote:
> The T bit is bit 0 of the 16-bit word at offset 100 of the TSS.  However,
> accessing it with a 32-bit word is not really correct, because bytes
> 102-103 contain the I/O map base address (relative to the base of the
> TSS) and bits 1-15 are reserved.  In particular, any task switch to a TSS that
> has a nonzero I/O map base address is broken.
> 
> This fixes the eventinj and taskswitch tests in kvm-unit-tests.
> 
> Cc: qemu-stable@nongnu.org
> Fixes: ad441b8b791 ("target/i386: implement TSS trap bit", 2025-05-12)
> Reported-by: Thomas Huth <thuth@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Closes: https://gitlab.com/qemu-project/qemu/-/issues/3101
Tested-by: Thomas Huth <thuth@redhat.com>



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-10-13 16:15 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-13 16:11 [PATCH] target/i386: fix access to the T bit of the TSS Paolo Bonzini
2025-10-13 16:15 ` Thomas Huth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).