From: Jan Kiszka
Date: Mon, 27 Dec 2010 15:37:40 +0100
Message-ID: <4D18A4B4.6030006@web.de>
Subject: [Qemu-devel] kvm: grub breakage due to SS.RPL/DPL alignment
To: kvm
Cc: Avi Kivity, qemu-devel

Hi,

when interrupting a guest (grub in graphical mode) in this state

    EAX=00000011 EBX=0004bc88 ECX=0000000d EDX=000db51d
    ESI=000008ff EDI=002462da EBP=00000000 ESP=00001fbc
    EIP=000078b6 EFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
    ES =0000 00000000 0000ffff 00009300 DPL=0 DS16 [-WA]
    CS =2d32 0002d320 0000ffff 00009b00 DPL=0 CS16 [-RA]
    SS =45aa 00045aa0 0000ffff 00009300 DPL=0 DS16 [-WA]
    DS =2d32 0002d320 0000ffff 00009300 DPL=0 DS16 [-WA]
    FS =0000 00000000 0000ffff 00009300 DPL=0 DS16 [-WA]
    GS =0000 00000000 0000ffff 00009300 DPL=0 DS16 [-WA]
    LDT=0000 00000000 ffffffff 00000000
    TR =0048 00266009 00000067 00008b00 DPL=0 TSS32-busy
    GDT=     0002dd48 0000004f
    IDT=     0026607a 000007ff
    CR0=00000011 CR2=00000000 CR3=00000000 CR4=00000000

the SS alignment to CPL corrupts the guest state on write back:

    if (env->cr[0] & CR0_PE_MASK) {
        /* force ss cpl to cs cpl */
        sregs.ss.selector = (sregs.ss.selector & ~3) | (sregs.cs.selector & 3);
        sregs.ss.dpl = sregs.ss.selector & 3;
    }

Aligning SS.RPL to CPL is not problematic here (as it already is), but forcing SS.DPL to CPL is definitely wrong and causes an immediate guest reboot.

Looking at commit 292a55081e5eee62db42209463cf385e7ff1d86d of qemu-kvm, which introduced this workaround, I wonder if it still applies and if it wasn't misplaced from day one anyway. If we really need this (when, BTW?), doesn't it belong in the kernel, particularly in vmx.c, as it addresses an _Intel_ quirk?

Jan

PS: There is another problem, namely in set_seg's DPL transfer, which contributes to the guest crash, but that one is easily fixable. Patch will follow.
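As an added illustration (not part of Jan's mail or of qemu-kvm; the struct and function names are hypothetical stand-ins for the KVM sregs fields), this C model applies the two quoted statements to the CS, SS and CR0 values from the register dump above and checks the resulting SS.DPL against the dumped CPL of 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the KVM sregs fields the workaround touches
   (not the real struct kvm_sregs). */
struct seg { uint16_t selector; uint8_t dpl; };
struct sregs { struct seg cs, ss; uint32_t cr0; };
#define CR0_PE_MASK 0x1u

/* Same two statements as the qemu-kvm snippet quoted in the mail. */
static void align_ss_to_cs(struct sregs *s)
{
    if (s->cr0 & CR0_PE_MASK) {
        /* force ss cpl to cs cpl */
        s->ss.selector = (s->ss.selector & ~3) | (s->cs.selector & 3);
        s->ss.dpl = s->ss.selector & 3;
    }
}

/* x86 rule for a loaded stack segment: descriptor DPL must equal CPL.
   Returns 1 if the state satisfies it, 0 if not. */
static int ss_dpl_matches_cpl(struct sregs s, unsigned cpl)
{
    return s.ss.dpl == cpl;
}

/* Values from the dump: CS=2d32 DPL=0, SS=45aa DPL=0, CR0=00000011, CPL=0. */
static struct sregs grub_state(void)
{
    struct sregs s = { .cs = { 0x2d32, 0 }, .ss = { 0x45aa, 0 }, .cr0 = 0x11 };
    return s;
}

/* The same state after the write-back workaround has run. */
static struct sregs grub_state_after_workaround(void)
{
    struct sregs s = grub_state();
    align_ss_to_cs(&s);
    return s;
}

int main(void)
{
    struct sregs b = grub_state(), a = grub_state_after_workaround();
    /* RPL stays 2 (both selectors already end in 10b), but SS.DPL goes
       0 -> 2 while CPL is still 0: the stack segment is now inconsistent. */
    printf("before: SS=%04x DPL=%u ok=%d\n", b.ss.selector, b.ss.dpl, ss_dpl_matches_cpl(b, 0));
    printf("after:  SS=%04x DPL=%u ok=%d\n", a.ss.selector, a.ss.dpl, ss_dpl_matches_cpl(a, 0));
    return 0;
}
```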