From f316e90a827b82a33d7f125e100dd05c5a4caf96 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Mon, 13 Oct 2025 18:08:12 +0200
Subject: [PATCH] target/i386: fix access to the T bit of the TSS

The T bit is bit 0 of the 16-bit word at offset 100 of the TSS. However, accessing it with a 32-bit word is not really correct, because bytes 102-103 contain the I/O map base address (relative to the base of the TSS) and bits 1-15 are reserved. In particular, any task switch to a TSS that has a nonzero I/O map base address is broken. This fixes the eventinj and taskswitch tests in kvm-unit-tests.
Cc: qemu-stable@nongnu.org
Fixes: ad441b8b791 ("target/i386: implement TSS trap bit", 2025-05-12)
Reported-by: Thomas Huth
Closes: https://gitlab.com/qemu-project/qemu/-/issues/3101
Tested-by: Thomas Huth
Signed-off-by: Paolo Bonzini
(cherry picked from commit 0d22b621b7969eefde3535a0805977a334936fd7)
Signed-off-by: Michael Tokarev
---
 target/i386/tcg/seg_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 071f3fbd83..f49fe851cd 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -456,7 +456,7 @@ static void switch_tss_ra(CPUX86State *env, int tss_selector,
 new_segs[i] = access_ldw(&new, tss_base + (0x48 + i * 4));
 }
 new_ldt = access_ldw(&new, tss_base + 0x60);
- new_trap = access_ldl(&new, tss_base + 0x64);
+ new_trap = access_ldw(&new, tss_base + 0x64) & 1;
 } else {
 /* 16 bit */
 new_cr3 = 0;
-- 
2.47.3
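Review bot: The `& 1` on the added `new_trap = access_ldw(&new, tss_base + 0x64) & 1;` line is correct but carries no in-code explanation, and sitting next to the bare offset 0x64 it is the kind of line a later reader may "simplify" back to a wider unmasked load; a comment on the new line would protect it, e.g. `/* T bit is bit 0 of the word at TSS offset 100; bits 1-15 are reserved and bytes 102-103 hold the I/O map base, so do not read a 32-bit word here */`. The enclosing function switch_tss_ra starts before and ends after this hunk, so the 16-bit branch that begins at `} else {` is only partially visible; it presumably assigns new_trap as well, which is worth confirming since an unassigned new_trap would feed whatever trap decision the function makes from it later. The other TSS field loads visible in the hunk (0x48 + i * 4 and 0x60) are plain word reads with no reserved bits to mask, so only the trap word needs this treatment.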