{"id":2221985,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2221985/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260410142652.367541-1-magnuskulke@linux.microsoft.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.1/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260410142652.367541-1-magnuskulke@linux.microsoft.com>","date":"2026-04-10T14:26:52","name":"target/i386/mshv: Fix segment regression in MMIO emu","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"eb38c31b17cffb2d106dc9d1ae5bede03d313be7","submitter":{"id":90753,"url":"http://patchwork.ozlabs.org/api/1.1/people/90753/?format=json","name":"Magnus Kulke","email":"magnuskulke@linux.microsoft.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260410142652.367541-1-magnuskulke@linux.microsoft.com/mbox/","series":[{"id":499472,"url":"http://patchwork.ozlabs.org/api/1.1/series/499472/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=499472","date":"2026-04-10T14:26:52","name":"target/i386/mshv: Fix segment regression in MMIO emu","version":1,"mbox":"http://patchwork.ozlabs.org/series/499472/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2221985/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2221985/checks/","tags":{},"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com\n header.a=rsa-sha256 header.s=default header.b=aUvZb/Mp;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender 
SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fsfKJ74Qhz1yGS\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 11 Apr 2026 00:27:47 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wBCpB-0001lj-JF; Fri, 10 Apr 2026 10:27:09 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <magnuskulke@linux.microsoft.com>)\n id 1wBCp6-0001lE-So\n for qemu-devel@nongnu.org; Fri, 10 Apr 2026 10:27:05 -0400","from linux.microsoft.com ([13.77.154.182])\n by eggs.gnu.org with esmtp (Exim 4.90_1)\n (envelope-from <magnuskulke@linux.microsoft.com>) id 1wBCp5-0007dw-2w\n for qemu-devel@nongnu.org; Fri, 10 Apr 2026 10:27:04 -0400","from DESKTOP-TUU1E5L.localdomain (unknown [167.220.208.74])\n by linux.microsoft.com (Postfix) with ESMTPSA id 9124520B710C;\n Fri, 10 Apr 2026 07:26:55 -0700 (PDT)"],"DKIM-Filter":"OpenDKIM Filter v2.11.0 linux.microsoft.com 9124520B710C","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;\n s=default; t=1775831217;\n bh=w4Et5vnM6DYRBOzmkM5lcO13jgnVys5sI6NHnXTE+6U=;\n h=From:To:Cc:Subject:Date:From;\n b=aUvZb/MpvM/jE4uiFb3/pZb3gmfBF2d39nV8nwtxa9XHFXw6sgxbLD1yO1jNZQW/4\n rYSlcSpCEcgaTQh270NTy6VeQ96PQ9yaou1olFILg6prmnjofMSalx6h5GE9oTmgXR\n 0zyWglquXuV9JGdDhV687I93AkzfiaYGaawL5eLo=","From":"Magnus Kulke <magnuskulke@linux.microsoft.com>","To":"qemu-devel@nongnu.org","Cc":"Magnus Kulke <magnuskulke@microsoft.com>,\n =?utf-8?q?Doru_Bl=C3=A2nzeanu?= 
<dblanzeanu@linux.microsoft.com>,\n Magnus Kulke <magnuskulke@linux.microsoft.com>,\n Mohamed Mediouni <mohamed@unpredictable.fr>, Wei Liu <wei.liu@kernel.org>,\n Wei Liu <liuwe@microsoft.com>","Subject":"[PATCH] target/i386/mshv: Fix segment regression in MMIO emu","Date":"Fri, 10 Apr 2026 16:26:52 +0200","Message-Id":"<20260410142652.367541-1-magnuskulke@linux.microsoft.com>","X-Mailer":"git-send-email 2.34.1","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=13.77.154.182;\n envelope-from=magnuskulke@linux.microsoft.com; helo=linux.microsoft.com","X-Spam_score_int":"-42","X-Spam_score":"-4.3","X-Spam_bar":"----","X-Spam_report":"(-4.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"When the segmentation code has been reworked, there is now an\nunconditional call to emul_ops->read_segment_descriptor(). The MSHV impl\nwas delegating this to x86_read_segement_descriptor(), which read from\nthe GDT in guest memory. 
This fails for selector.idx == 0 and when no\nGDT is set up (which is the case in real mode).\n\nIn the fix we change the MSHV impl to fill segment descriptor from\nSegmentCache, that was populated from the hypervisor by mshv_load_regs()\nbefore instruction emulation.\n\nFixes: 09442d98ab (target/i386: emulate: segmentation rework)\n\nSigned-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>\n---\n target/i386/mshv/mshv-cpu.c | 39 ++++++++++++++++++++++++++++++-------\n 1 file changed, 32 insertions(+), 7 deletions(-)","diff":"diff --git a/target/i386/mshv/mshv-cpu.c b/target/i386/mshv/mshv-cpu.c\nindex 2bc978deb2..4ed6e7548f 100644\n--- a/target/i386/mshv/mshv-cpu.c\n+++ b/target/i386/mshv/mshv-cpu.c\n@@ -1552,17 +1552,42 @@ static void read_segment_descriptor(CPUState *cpu,\n                                     struct x86_segment_descriptor *desc,\n                                     enum X86Seg seg_idx)\n {\n-    bool ret;\n     X86CPU *x86_cpu = X86_CPU(cpu);\n     CPUX86State *env = &x86_cpu->env;\n     SegmentCache *seg = &env->segs[seg_idx];\n-    x86_segment_selector sel = { .sel = seg->selector & 0xFFFF };\n-\n-    ret = x86_read_segment_descriptor(cpu, desc, sel);\n-    if (ret == false) {\n-        error_report(\"failed to read segment descriptor\");\n-        abort();\n+    uint32_t limit;\n+\n+    memset(desc, 0, sizeof(struct x86_segment_descriptor));\n+\n+    desc->type = (seg->flags & DESC_TYPE_MASK) >> DESC_TYPE_SHIFT;\n+    desc->s    = (seg->flags & DESC_S_MASK)    >> DESC_S_SHIFT;\n+    desc->dpl  = (seg->flags & DESC_DPL_MASK)  >> DESC_DPL_SHIFT;\n+    desc->p    = (seg->flags & DESC_P_MASK)    >> DESC_P_SHIFT;\n+    desc->avl  = (seg->flags & DESC_AVL_MASK)  >> DESC_AVL_SHIFT;\n+    desc->l    = (seg->flags & DESC_L_MASK)    >> DESC_L_SHIFT;\n+    desc->db   = (seg->flags & DESC_B_MASK)    >> DESC_B_SHIFT;\n+    desc->g    = (seg->flags & DESC_G_MASK)    >> DESC_G_SHIFT;\n+\n+    /*\n+     * SegmentCache stores the hypervisor-provided 
value verbatim (populated by\n+     * mshv_load_regs). We need to convert it to format expected by the\n+     * instruction emulator. We can have a limit value > 0xfffff with\n+     * granularity of 0 (byte granularity), which is not representable\n+     * in real x86_segment_descriptor. In this case we set granularity to 1\n+     * (4k granularity) and shift the limit accordingly.\n+     *\n+     * This quirk has been adopted from \"whpx_segment_to_x86_description()\"\n+     */\n+\n+    if (!desc->g && seg->limit <= 0xfffff) {\n+        limit = seg->limit;\n+    } else {\n+        limit = seg->limit >> 12;\n+        desc->g = 1;\n     }\n+\n+    x86_set_segment_limit(desc, limit);\n+    x86_set_segment_base(desc, seg->base);\n }\n \n static const struct x86_emul_ops mshv_x86_emul_ops = {\n","prefixes":[]}
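Review bot: the else branch of the granularity fix-up (`limit = seg->limit >> 12; desc->g = 1;`) silently rounds the limit when it is taken for a byte-granular segment (`desc->g == 0`) whose `seg->limit` exceeds 0xfffff but whose low 12 bits are not all ones: with G=1 the hardware treats those bits as 0xfff, so the emulator checks accesses against a limit rounded up to the next 4 KiB boundary, i.e. up to 4095 bytes more permissive than the guest's actual segment. The comment only says the quirk is adopted from whpx; it should state the rounding explicitly, and it is worth considering a `warn_report_once()`-style message in that branch (with the segment index and limit) so an unrepresentable descriptor is visible in the logs rather than quietly relaxed. A second point in the same hunk: the removed `error_report()`/`abort()` path was the only failure signal this function had, and the new code has none; since `memset()` plus the flag extraction cannot fail that is acceptable, but the `Fixes:` trailer should then also mention that real-mode / selector 0 guests no longer abort, which is the user-visible effect of the change.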