From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:36465)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1WlCgX-0008N3-Fo
	for qemu-devel@nongnu.org; Fri, 16 May 2014 03:36:12 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1WlCgQ-0002Us-Lp
	for qemu-devel@nongnu.org; Fri, 16 May 2014 03:36:05 -0400
Received: from mail-ee0-x230.google.com ([2a00:1450:4013:c00::230]:60977)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1WlCgQ-0002UR-EN
	for qemu-devel@nongnu.org; Fri, 16 May 2014 03:35:58 -0400
Received: by mail-ee0-f48.google.com with SMTP id e49so1224248eek.21
	for <qemu-devel@nongnu.org>; Fri, 16 May 2014 00:35:57 -0700 (PDT)
Sender: Paolo Bonzini <paolo.bonzini@gmail.com>
Message-ID: <5375BFDA.10706@redhat.com>
Date: Fri, 16 May 2014 09:35:54 +0200
From: Paolo Bonzini <pbonzini@redhat.com>
MIME-Version: 1.0
References: <1400173016-27214-1-git-send-email-pbonzini@redhat.com>	<1400173016-27214-4-git-send-email-pbonzini@redhat.com>
	<20140515183831.GA22225@morn.localdomain>
In-Reply-To: <20140515183831.GA22225@morn.localdomain>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH 3/3] target-i386: get CPL from SS.DPL
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Kevin O'Connor <kevin@koconnor.net>
Cc: qemu-devel@nongnu.org

Il 15/05/2014 20:38, Kevin O'Connor ha scritto:
> On Thu, May 15, 2014 at 06:56:56PM +0200, Paolo Bonzini wrote:
>> CS.RPL is not equal to the CPL in the few instructions between
>> setting CR0.PE and reloading CS.  We get this right in the common
>> case, because writes to CR0 do not modify the CPL, but it would
>> not be enough if an SMI comes exactly during that brief period.
>> Were this to happen, the RSM instruction would erroneously set
>> CPL to the low two bits of the real-mode selector; and if they are
>> not 00, the next instruction fetch cannot access the code segment
>> and causes a triple fault.
>>
>> However, SS.DPL *is* always equal to the CPL (except during task switches
>> as noted in the previous patch).  In real processors (AMD only) there
>> is a weird case of SYSRET setting SS.DPL=SS.RPL from the STAR register
>> while forcing CPL=3, but we do not emulate that.
>
> It looks to me like there could be a couple of places in the code
> where cpu_x86_load_seg_cache(R_CS) is called, but
> cpu_x86_load_seg_cache(R_SS) may not be.  In particular,
> helper_ret_protected() and cpu_x86_load_seg_cache_sipi().  Are these
> still okay?

Yes, helper_ret_protected() skips the SS load only if rpl == cpl (so if 
CS.RPL == SS.DPL, and the invariant is respected). 
cpu_x86_load_seg_cache_sipi() runs in real mode only.

Paolo