Changeset 45276 in vbox for trunk/src/VBox/VMM/VMMR3

Timestamp:

Apr 2, 2013 8:17:11 AM (12 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

84670

Message:

Ring-1 compression patches, courtesy of trivirt AG:

• main: diff to remove the hwvirt requirement for QNX
• rem: diff for dealing with raw ring 0/1 selectors and general changes to allowed guest execution states
• vmm: changes for using the guest's TSS selector index as our hypervisor TSS selector (makes str safe) (VBOX_WITH_SAFE_STR )
• vmm: changes for dealing with guest ring 1 code (VBOX_WITH_RAW_RING1)
• vmm: change to emulate smsw in RC/R0 (QNX uses this old style instruction a lot so going to qemu for emulation is very expensive)
• vmm: change (hack) to kick out patm virtual handlers in case they conflict with guest GDT/TSS write monitors; we should allow multiple handlers per page, but that change would be rather invasive

Location:

trunk/src/VBox/VMM/VMMR3

Files:

• CPUM.cpp (modified) (6 diffs)
• CSAM.cpp (modified) (4 diffs)
• DBGFDisas.cpp (modified) (2 diffs)
• EM.cpp (modified) (11 diffs)
• EMHM.cpp (modified) (1 diff)
• EMRaw.cpp (modified) (8 diffs)
• PATM.cpp (modified) (7 diffs)
• PATMA.asm (modified) (2 diffs)
• PATMPatch.cpp (modified) (4 diffs)
• PATMSSM.cpp (modified) (1 diff)
• PGMHandler.cpp (modified) (1 diff)
• SELM.cpp (modified) (24 diffs)
• TRPM.cpp (modified) (1 diff)
• VMM.cpp (modified) (1 diff)

trunk/src/VBox/VMM/VMMR3/CPUM.cpp

@@ -42 +42 @@
 #include <VBox/vmm/pdmapi.h>
 #include <VBox/vmm/mm.h>
+#include <VBox/vmm/em.h>
 #include <VBox/vmm/selm.h>
 #include <VBox/vmm/dbgf.h>
@@ -4192 +4193 @@
      * Are we in Ring-0?
      */
-    if (    pCtxCore->ss.Sel && (pCtxCore->ss.Sel & X86_SEL_RPL) == 0
+    if (    pCtxCore->ss.Sel 
+        &&  (pCtxCore->ss.Sel & X86_SEL_RPL) == 0
         &&  !pCtxCore->eflags.Bits.u1VM)
     {
@@ -4204 +4206 @@
          */
         pCtxCore->ss.Sel |= 1;
-        if (pCtxCore->cs.Sel && (pCtxCore->cs.Sel & X86_SEL_RPL) == 0)
+        if (    pCtxCore->cs.Sel 
+            &&  (pCtxCore->cs.Sel & X86_SEL_RPL) == 0)
             pCtxCore->cs.Sel |= 1;
     }
     else
     {
+#ifdef VBOX_WITH_RAW_RING1
+        if (    EMIsRawRing1Enabled(pVM)
+            &&  !pCtxCore->eflags.Bits.u1VM
+            &&  (pCtxCore->ss.Sel & X86_SEL_RPL) == 1)
+        {
+            /* Set CPL to Ring-2. */
+            pCtxCore->ss.Sel = (pCtxCore->ss.Sel & ~X86_SEL_RPL) | 2;
+            if (pCtxCore->cs.Sel && (pCtxCore->cs.Sel & X86_SEL_RPL) == 1)
+                pCtxCore->cs.Sel = (pCtxCore->cs.Sel & ~X86_SEL_RPL) | 2;
+        }
+#else
         AssertMsg((pCtxCore->ss.Sel & X86_SEL_RPL) >= 2 || pCtxCore->eflags.Bits.u1VM,
                   ("ring-1 code not supported\n"));
+#endif
         /*
          * PATM takes care of IOPL and IF flags for Ring-3 and Ring-2 code as well.
@@ -4221 +4236 @@
      */
     AssertMsg((pCtxCore->eflags.u32 & X86_EFL_IF), ("X86_EFL_IF is clear\n"));
-    AssertReleaseMsg(   pCtxCore->eflags.Bits.u2IOPL < (unsigned)(pCtxCore->ss.Sel & X86_SEL_RPL)
-                     || pCtxCore->eflags.Bits.u1VM,
+    AssertReleaseMsg(pCtxCore->eflags.Bits.u2IOPL == 0, 
                      ("X86_EFL_IOPL=%d CPL=%d\n", pCtxCore->eflags.Bits.u2IOPL, pCtxCore->ss.Sel & X86_SEL_RPL));
     Assert((pVCpu->cpum.s.Guest.cr0 & (X86_CR0_PG | X86_CR0_WP | X86_CR0_PE)) == (X86_CR0_PG | X86_CR0_PE | X86_CR0_WP));
@@ -4231 +4245 @@
     return VINF_SUCCESS;
 }
+
 
 
@@ -4300 +4315 @@
         if (!pCtxCore->eflags.Bits.u1VM)
         {
-            /** @todo See what happens if we remove this. */
-            if ((pCtxCore->ds.Sel & X86_SEL_RPL) == 1)
-                pCtxCore->ds.Sel &= ~X86_SEL_RPL;
-            if ((pCtxCore->es.Sel & X86_SEL_RPL) == 1)
-                pCtxCore->es.Sel &= ~X86_SEL_RPL;
-            if ((pCtxCore->fs.Sel & X86_SEL_RPL) == 1)
-                pCtxCore->fs.Sel &= ~X86_SEL_RPL;
-            if ((pCtxCore->gs.Sel & X86_SEL_RPL) == 1)
-                pCtxCore->gs.Sel &= ~X86_SEL_RPL;
+#ifdef VBOX_WITH_RAW_RING1
+            if (    EMIsRawRing1Enabled(pVM)
+                &&  (pCtxCore->ss.Sel & X86_SEL_RPL) == 2)
+            {
+                /* Not quite sure if this is really required, but shouldn't harm (too much anyways). */
+                /** @todo See what happens if we remove this. */
+                if ((pCtxCore->ds.Sel & X86_SEL_RPL) == 2)
+                    pCtxCore->ds.Sel = (pCtxCore->ds.Sel & ~X86_SEL_RPL) | 1;
+                if ((pCtxCore->es.Sel & X86_SEL_RPL) == 2)
+                    pCtxCore->es.Sel = (pCtxCore->es.Sel & ~X86_SEL_RPL) | 1;
+                if ((pCtxCore->fs.Sel & X86_SEL_RPL) == 2)
+                    pCtxCore->fs.Sel = (pCtxCore->fs.Sel & ~X86_SEL_RPL) | 1;
+                if ((pCtxCore->gs.Sel & X86_SEL_RPL) == 2)
+                    pCtxCore->gs.Sel = (pCtxCore->gs.Sel & ~X86_SEL_RPL) | 1;
+
+                /*
+                 * Ring-2 selector => Ring-1.
+                 */
+                pCtxCore->ss.Sel = (pCtxCore->ss.Sel & ~X86_SEL_RPL) | 1;
+                if ((pCtxCore->cs.Sel & X86_SEL_RPL) == 2)
+                    pCtxCore->cs.Sel = (pCtxCore->cs.Sel & ~X86_SEL_RPL) | 1;
+            }
+            else
+            {
+#endif
+                /** @todo See what happens if we remove this. */
+                if ((pCtxCore->ds.Sel & X86_SEL_RPL) == 1)
+                    pCtxCore->ds.Sel &= ~X86_SEL_RPL;
+                if ((pCtxCore->es.Sel & X86_SEL_RPL) == 1)
+                    pCtxCore->es.Sel &= ~X86_SEL_RPL;
+                if ((pCtxCore->fs.Sel & X86_SEL_RPL) == 1)
+                    pCtxCore->fs.Sel &= ~X86_SEL_RPL;
+                if ((pCtxCore->gs.Sel & X86_SEL_RPL) == 1)
+                    pCtxCore->gs.Sel &= ~X86_SEL_RPL;
+#ifdef VBOX_WITH_RAW_RING1
+            }
+#endif
         }
     }

trunk/src/VBox/VMM/VMMR3/CSAM.cpp

@@ -847 +847 @@
         break;
 
+    /* removing breaks win2k guests? */
+    case OP_IRET:
+#ifdef VBOX_WITH_RAW_RING1
+        if (EMIsRawRing1Enabled(pVM))
+            break;
+#endif
+        /* no break */
+
     case OP_ILLUD2:
         /* This appears to be some kind of kernel panic in Linux 2.4; no point to continue. */
@@ -852 +860 @@
     case OP_INT3:
     case OP_INVALID:
-#if 1
-    /* removing breaks win2k guests? */
-    case OP_IRET:
-#endif
         return VINF_SUCCESS;
     }
@@ -919 +923 @@
     }
 
+#ifdef VBOX_WITH_RAW_RING1
+    case OP_MOV:
+        /* mov xx, CS is a dangerous instruction as our raw ring usage leaks through. */
+        if (    EMIsRawRing1Enabled(pVM)
+            &&  (pCpu->Param2.fUse & DISUSE_REG_SEG) 
+            &&  (pCpu->Param2.Base.idxSegReg == DISSELREG_CS))
+        {
+            Log(("CSAM: Patching dangerous 'mov xx, cs' instruction at %RGv with an int3\n", pCurInstrGC));
+            if (PATMR3HasBeenPatched(pVM, pCurInstrGC) == false)
+            {
+                rc = PATMR3InstallPatch(pVM, pCurInstrGC, (pPage->fCode32) ? PATMFL_CODE32 : 0);
+                if (RT_FAILURE(rc))
+                {
+                    Log(("PATMR3InstallPatch failed with %d\n", rc));
+                    return VWRN_CONTINUE_ANALYSIS;
+                }
+            }
+            return VWRN_CONTINUE_ANALYSIS;
+        }
+        break;
+#endif
+
     case OP_PUSH:
+        /** @todo broken comparison!! should be if ((pCpu->Param1.fUse & DISUSE_REG_SEG) &&  (pCpu->Param1.Base.idxSegReg == DISSELREG_SS)) */
         if (pCpu->pCurInstr->fParam1 != OP_PARM_REG_CS)
             break;
 
         /* no break */
+#ifndef VBOX_WITH_SAFE_STR
     case OP_STR:
+#endif
     case OP_LSL:
     case OP_LAR:
@@ -2642 +2671 @@
 
             rc = PATMR3InstallPatch(pVM, pHandler, fPatchFlags);
-            if (RT_SUCCESS(rc) || rc == VERR_PATM_ALREADY_PATCHED)
+            if (    RT_SUCCESS(rc) 
+                ||  rc == VERR_PATM_ALREADY_PATCHED)
             {
                 Log(("Gate handler 0x%X is SAFE!\n", iGate));

trunk/src/VBox/VMM/VMMR3/DBGFDisas.cpp

@@ -661 +661 @@
         RTStrPrintf(szBuf, sizeof(szBuf), "DBGFR3DisasInstrCurrentLog failed with rc=%Rrc\n", rc);
     if (pszPrefix && *pszPrefix)
-        RTLogPrintf("%s-CPU%u: %s\n", pszPrefix, pVCpu->idCpu, szBuf);
+    {
+        if (pVCpu->CTX_SUFF(pVM)->cCpus > 1)
+            RTLogPrintf("%s-CPU%u: %s\n", pszPrefix, pVCpu->idCpu, szBuf);
+        else
+            RTLogPrintf("%s: %s\n", pszPrefix, szBuf);
+    }
     else
         RTLogPrintf("%s\n", szBuf);
@@ -692 +697 @@
         RTStrPrintf(szBuf, sizeof(szBuf), "DBGFR3DisasInstrLog(, %RTsel, %RGv) failed with rc=%Rrc\n", Sel, GCPtr, rc);
     if (pszPrefix && *pszPrefix)
-        RTLogPrintf("%s-CPU%u: %s\n", pszPrefix, pVCpu->idCpu, szBuf);
+    {
+        if (pVCpu->CTX_SUFF(pVM)->cCpus > 1)
+            RTLogPrintf("%s-CPU%u: %s\n", pszPrefix, pVCpu->idCpu, szBuf);
+        else
+            RTLogPrintf("%s: %s\n", pszPrefix, szBuf);
+    }
     else
         RTLogPrintf("%s\n", szBuf);

trunk/src/VBox/VMM/VMMR3/EM.cpp

@@ -124 +124 @@
     pVM->fRecompileSupervisor = RT_SUCCESS(rc) ? !fEnabled : false;
     Log(("EMR3Init: fRecompileUser=%RTbool fRecompileSupervisor=%RTbool\n", pVM->fRecompileUser, pVM->fRecompileSupervisor));
+
+#ifdef VBOX_WITH_RAW_RING1
+    rc = CFGMR3QueryBool(CFGMR3GetRoot(pVM), "RawR1Enabled", &fEnabled);
+    pVM->fRawRing1Enabled = RT_SUCCESS(rc) ? fEnabled : false;
+    Log(("EMR3Init: fRawRing1Enabled=%RTbool\n", pVM->fRawRing1Enabled));
+#else
+    pVM->fRawRing1Enabled = false;      /* disabled by default. */
+#endif
 
 #ifdef VBOX_WITH_REM
@@ -268 +276 @@
         EM_REG_COUNTER_USED(&pStats->StatRZLmsw,                 "/EM/CPU%d/RZ/Interpret/Success/Lmsw",       "The number of times LMSW was successfully interpreted.");
         EM_REG_COUNTER_USED(&pStats->StatR3Lmsw,                 "/EM/CPU%d/R3/Interpret/Success/Lmsw",       "The number of times LMSW was successfully interpreted.");
+        EM_REG_COUNTER_USED(&pStats->StatRZSmsw,                 "/EM/CPU%d/RZ/Interpret/Success/Smsw",       "The number of times SMSW was successfully interpreted.");
+        EM_REG_COUNTER_USED(&pStats->StatR3Smsw,                 "/EM/CPU%d/R3/Interpret/Success/Smsw",       "The number of times SMSW was successfully interpreted.");
 
         EM_REG_COUNTER(&pStats->StatRZInterpretFailed,           "/EM/CPU%d/RZ/Interpret/Failed",            "The number of times an instruction was not interpreted.");
@@ -322 +332 @@
         EM_REG_COUNTER_USED(&pStats->StatRZFailedLmsw,           "/EM/CPU%d/RZ/Interpret/Failed/Lmsw",       "The number of times LMSW was not interpreted.");
         EM_REG_COUNTER_USED(&pStats->StatR3FailedLmsw,           "/EM/CPU%d/R3/Interpret/Failed/Lmsw",       "The number of times LMSW was not interpreted.");
+        EM_REG_COUNTER_USED(&pStats->StatRZFailedSmsw,           "/EM/CPU%d/RZ/Interpret/Failed/Smsw",       "The number of times SMSW was not interpreted.");
+        EM_REG_COUNTER_USED(&pStats->StatR3FailedSmsw,           "/EM/CPU%d/R3/Interpret/Failed/Smsw",       "The number of times SMSW was not interpreted.");
 
         EM_REG_COUNTER_USED(&pStats->StatRZFailedMisc,           "/EM/CPU%d/RZ/Interpret/Failed/Misc",       "The number of times some misc instruction was encountered.");
@@ -938 +950 @@
 static int emR3RemStep(PVM pVM, PVMCPU pVCpu)
 {
-    LogFlow(("emR3RemStep: cs:eip=%04x:%08x\n", CPUMGetGuestCS(pVCpu),  CPUMGetGuestEIP(pVCpu)));
+    Log3(("emR3RemStep: cs:eip=%04x:%08x\n", CPUMGetGuestCS(pVCpu),  CPUMGetGuestEIP(pVCpu)));
 
 #ifdef VBOX_WITH_REM
@@ -958 +970 @@
 #endif
 
-    LogFlow(("emR3RemStep: returns %Rrc cs:eip=%04x:%08x\n", rc, CPUMGetGuestCS(pVCpu),  CPUMGetGuestEIP(pVCpu)));
+    Log3(("emR3RemStep: returns %Rrc cs:eip=%04x:%08x\n", rc, CPUMGetGuestCS(pVCpu),  CPUMGetGuestEIP(pVCpu)));
     return rc;
 }
@@ -1182 +1194 @@
     {
         DBGFR3PrgStep(pVCpu);
-        DBGFR3_DISAS_INSTR_CUR_LOG(pVCpu, "RSS: ");
+        DBGFR3_DISAS_INSTR_CUR_LOG(pVCpu, "RSS");
         emR3RemStep(pVM, pVCpu);
         if (emR3Reschedule(pVM, pVCpu, pVCpu->em.s.pCtx) != EMSTATE_REM)
@@ -1308 +1320 @@
             return EMSTATE_REM;
 
+# ifdef VBOX_WITH_RAW_RING1
+        /* Only ring 0 and 1 supervisor code. */
+        if (EMIsRawRing1Enabled(pVM))
+        {
+            if ((uSS & X86_SEL_RPL) == 2)   /* ring 1 code is moved into ring 2, so we can't support ring-2 in that case. */
+            {
+                Log2(("raw r0 mode refused: CPL %d\n", uSS & X86_SEL_RPL));
+                return EMSTATE_REM;
+            }
+        }
+        else
+# endif
         /* Only ring 0 supervisor code. */
         if ((uSS & X86_SEL_RPL) != 0)
@@ -1334 +1358 @@
         {
             Log2(("raw r0 mode forced: patch code\n"));
+# ifdef VBOX_WITH_SAFE_STR
+            Assert(pCtx->tr.Sel);
+# endif
             return EMSTATE_RAW;
         }
@@ -1346 +1373 @@
 # endif
 
+# ifndef VBOX_WITH_RAW_RING1
         /** @todo still necessary??? */
         if (EFlags.Bits.u2IOPL != 0)
@@ -1352 +1380 @@
             return EMSTATE_REM;
         }
+# endif
     }
 
@@ -1387 +1416 @@
         return EMSTATE_REM;
     }
+
+# ifdef VBOX_WITH_SAFE_STR
+    if (pCtx->tr.Sel == 0)
+    {
+        Log(("Raw mode refused -> TR=0\n"));
+        return EMSTATE_REM;
+    }
+# endif
 
     /*Assert(PGMPhysIsA20Enabled(pVCpu));*/

trunk/src/VBox/VMM/VMMR3/EMHM.cpp

@@ -137 +137 @@
     {
         DBGFR3PrgStep(pVCpu);
-        DBGFR3_DISAS_INSTR_CUR_LOG(pVCpu, "RSS: ");
+        DBGFR3_DISAS_INSTR_CUR_LOG(pVCpu, "RSS");
         rc = emR3HmStep(pVM, pVCpu);
         if (    rc != VINF_SUCCESS

trunk/src/VBox/VMM/VMMR3/EMRaw.cpp

@@ -159 +159 @@
     PCPUMCTX    pCtx   = pVCpu->em.s.pCtx;
     bool        fGuest = pVCpu->em.s.enmState != EMSTATE_DEBUG_HYPER;
-#ifndef DEBUG_sandervl
+#ifndef DEBUG_sander
     Log(("emR3RawStep: cs:eip=%RTsel:%RGr efl=%RGr\n", fGuest ? CPUMGetGuestCS(pVCpu) : CPUMGetHyperCS(pVCpu),
          fGuest ? CPUMGetGuestEIP(pVCpu) : CPUMGetHyperEIP(pVCpu), fGuest ? CPUMGetGuestEFlags(pVCpu) : CPUMGetHyperEFlags(pVCpu)));
@@ -196 +196 @@
         else
             rc = VMMR3RawRunGC(pVM, pVCpu);
-#ifndef DEBUG_sandervl
+#ifndef DEBUG_sander
         Log(("emR3RawStep: cs:eip=%RTsel:%RGr efl=%RGr - GC rc %Rrc\n", fGuest ? CPUMGetGuestCS(pVCpu) : CPUMGetHyperCS(pVCpu),
              fGuest ? CPUMGetGuestEIP(pVCpu) : CPUMGetHyperEIP(pVCpu), fGuest ? CPUMGetGuestEFlags(pVCpu) : CPUMGetHyperEFlags(pVCpu), rc));
@@ -237 +237 @@
     {
         DBGFR3PrgStep(pVCpu);
-        DBGFR3_DISAS_INSTR_CUR_LOG(pVCpu, "RSS: ");
+        DBGFR3_DISAS_INSTR_CUR_LOG(pVCpu, "RSS");
         rc = emR3RawStep(pVM, pVCpu);
-        if (rc != VINF_SUCCESS)
+        if (   rc != VINF_SUCCESS
+            && rc != VINF_EM_DBG_STEPPED)
             break;
     }
@@ -950 +951 @@
     {
         DBGFR3_INFO_LOG(pVM, "cpumguest", "PRIV");
-        DBGFR3_DISAS_INSTR_CUR_LOG(pVCpu, "Privileged instr: ");
+        DBGFR3_DISAS_INSTR_CUR_LOG(pVCpu, "Privileged instr");
     }
 #endif
@@ -1090 +1091 @@
                     {
                         DBGFR3_INFO_LOG(pVM, "cpumguest", "PRIV");
-                        DBGFR3_DISAS_INSTR_CUR_LOG(pVCpu, "Privileged instr: ");
+                        DBGFR3_DISAS_INSTR_CUR_LOG(pVCpu, "Privileged instr");
                     }
 #endif
@@ -1361 +1362 @@
         Assert(REMR3QueryPendingInterrupt(pVM, pVCpu) == REM_NO_PENDING_IRQ);
 # endif
+# ifdef VBOX_WITH_RAW_RING1
+        Assert(pCtx->eflags.Bits.u1VM || (pCtx->ss.Sel & X86_SEL_RPL) == 3 || (pCtx->ss.Sel & X86_SEL_RPL) == 0 || (EMIsRawRing1Enabled(pVM) && (pCtx->ss.Sel & X86_SEL_RPL) == 1));
+# else
         Assert(pCtx->eflags.Bits.u1VM || (pCtx->ss.Sel & X86_SEL_RPL) == 3 || (pCtx->ss.Sel & X86_SEL_RPL) == 0);
+# endif
         AssertMsg(   (pCtx->eflags.u32 & X86_EFL_IF)
                   || PATMShouldUseRawMode(pVM, (RTGCPTR)pCtx->eip),
@@ -1429 +1434 @@
             Log(("RV86: %04x:%08x IF=%d VMFlags=%x\n", pCtx->cs.Sel, pCtx->eip, pCtx->eflags.Bits.u1IF, pGCState->uVMFlags));
         else if ((pCtx->ss.Sel & X86_SEL_RPL) == 1)
-            Log(("RR0: %08x ESP=%08x EFL=%x IF=%d/%d VMFlags=%x PIF=%d CPL=%d (Scanned=%d)\n",
-                 pCtx->eip, pCtx->esp, CPUMRawGetEFlags(pVCpu), !!(pGCState->uVMFlags & X86_EFL_IF), pCtx->eflags.Bits.u1IF,
+            Log(("RR0: %x:%08x ESP=%x:%08x EFL=%x IF=%d/%d VMFlags=%x PIF=%d CPL=%d (Scanned=%d)\n",
+                 pCtx->cs.Sel, pCtx->eip, pCtx->ss.Sel, pCtx->esp, CPUMRawGetEFlags(pVCpu), !!(pGCState->uVMFlags & X86_EFL_IF), pCtx->eflags.Bits.u1IF,
                  pGCState->uVMFlags, pGCState->fPIF, (pCtx->ss.Sel & X86_SEL_RPL), CSAMIsPageScanned(pVM, (RTGCPTR)pCtx->eip)));
+# ifdef VBOX_WITH_RAW_RING1
+        else if ((pCtx->ss.Sel & X86_SEL_RPL) == 2)
+            Log(("RR1: %x:%08x ESP=%x:%08x IF=%d VMFlags=%x CPL=%x\n", pCtx->cs.Sel, pCtx->eip, pCtx->ss.Sel, pCtx->esp, pCtx->eflags.Bits.u1IF, pGCState->uVMFlags, (pCtx->ss.Sel & X86_SEL_RPL)));
+# endif
         else if ((pCtx->ss.Sel & X86_SEL_RPL) == 3)
-            Log(("RR3: %08x ESP=%08x IF=%d VMFlags=%x\n", pCtx->eip, pCtx->esp, pCtx->eflags.Bits.u1IF, pGCState->uVMFlags));
+            Log(("RR3: %x:%08x ESP=%x:%08x IF=%d VMFlags=%x\n", pCtx->cs.Sel, pCtx->eip, pCtx->ss.Sel, pCtx->esp, pCtx->eflags.Bits.u1IF, pGCState->uVMFlags));
 #endif /* LOG_ENABLED */
-
 
 
@@ -1543 +1551 @@
             ||  VMCPU_FF_ISPENDING(pVCpu, ~VMCPU_FF_HIGH_PRIORITY_PRE_RAW_MASK))
         {
-            Assert(pCtx->eflags.Bits.u1VM || (pCtx->ss.Sel & X86_SEL_RPL) != 1);
+            Assert(pCtx->eflags.Bits.u1VM || (EMIsRawRing1Enabled(pVM) ? ((pCtx->ss.Sel & X86_SEL_RPL) != 2) : ((pCtx->ss.Sel & X86_SEL_RPL) != 1)));
 
             STAM_REL_PROFILE_ADV_SUSPEND(&pVCpu->em.s.StatRAWTotal, a);

trunk/src/VBox/VMM/VMMR3/PATM.cpp

@@ -1535 +1535 @@
         break;
 
+#ifdef VBOX_WITH_SAFE_STR   /* @todo remove DISOPTYPE_PRIVILEGED_NOTRAP from disasm table */
+    case OP_STR:
+        break;
+#endif
+
     default:
         if (pCpu->pCurInstr->fOpType & (DISOPTYPE_PRIVILEGED_NOTRAP))
@@ -1645 +1650 @@
     case OP_RETN:
         return VINF_SUCCESS;
+
+#ifdef VBOX_WITH_SAFE_STR   /* @todo remove DISOPTYPE_PRIVILEGED_NOTRAP from disasm table */
+    case OP_STR:
+        break;
+#endif
 
     case OP_POPF:
@@ -1806 +1816 @@
 
     case OP_POP:
+        /** @todo broken comparison!! should be if ((pCpu->Param1.fUse & DISUSE_REG_SEG) &&  (pCpu->Param1.Base.idxSegReg == DISSELREG_SS)) */
         if (pCpu->pCurInstr->fParam1 == OP_PARM_REG_SS)
         {
@@ -1913 +1924 @@
 
     case OP_PUSH:
+        /** @todo broken comparison!! should be if ((pCpu->Param1.fUse & DISUSE_REG_SEG) &&  (pCpu->Param1.Base.idxSegReg == DISSELREG_SS)) */
         if (pCpu->pCurInstr->fParam1 == OP_PARM_REG_CS)
         {
@@ -1947 +1959 @@
 
     case OP_STR:
+#ifdef VBOX_WITH_SAFE_STR   /* @todo remove DISOPTYPE_PRIVILEGED_NOTRAP from disasm table and move OP_STR into #ifndef */
+        /* Now safe because our shadow TR entry is identical to the guest's. */
+        goto duplicate_instr;
+#endif
     case OP_SLDT:
         rc = patmPatchGenSldtStr(pVM, pPatch, pCpu, pCurInstrGC);
@@ -4442 +4458 @@
             break;
 
+#ifndef VBOX_WITH_SAFE_STR
         case OP_STR:
+#endif
         case OP_SGDT:
         case OP_SLDT:
@@ -4453 +4471 @@
         case OP_VERR:
         case OP_IRET:
+#ifdef VBOX_WITH_RAW_RING1
+        case OP_MOV:
+#endif
             rc = patmR3PatchInstrInt3(pVM, pInstrGC, pInstrHC, &cpu, &pPatchRec->patch);
             break;

trunk/src/VBox/VMM/VMMR3/PATMA.asm

@@ -1262 +1262 @@
 
     ; force ring 1 CS RPL
-    or      dword [esp+8], 1
+    or      dword [esp+8], 1        ;-> @todo we leave traces or raw mode if we jump back to the host context to handle pending interrupts! (below)
 iret_notring0:
 
@@ -1443 +1443 @@
     DD      PATM_FIXUP
     DD      PATMIretTable - PATMIretStart
+    DD      PATM_IRET_FUNCTION
+    DD      0
+    DD      PATM_VMFLAGS
+    DD      0
+    DD      PATM_VMFLAGS
+    DD      0
+    DD      PATM_VMFLAGS
+    DD      0
+    DD      PATM_TEMP_EAX
+    DD      0
+    DD      PATM_TEMP_ECX
+    DD      0
+    DD      PATM_TEMP_RESTORE_FLAGS
+    DD      0
+    DD      PATM_PENDINGACTION
+    DD      0
+    DD      0ffffffffh
+SECTION .text
+
+;;****************************************************
+;; Abstract:
+;;
+;; if eflags.NT==0 && iretstack.eflags.VM==0 && iretstack.eflags.IOPL==0
+;; then
+;;     if return to ring 0 (iretstack.new_cs & 3 == 0)
+;;     then
+;;          if iretstack.new_eflags.IF == 1 && iretstack.new_eflags.IOPL == 0
+;;          then
+;;              iretstack.new_cs |= 1
+;;          else
+;;              int 3
+;;     endif
+;;     uVMFlags &= ~X86_EFL_IF
+;;     iret
+;; else
+;;     int 3
+;;****************************************************
+;;
+; Stack:
+;
+; esp + 32 - GS         (V86 only)
+; esp + 28 - FS         (V86 only)
+; esp + 24 - DS         (V86 only)
+; esp + 20 - ES         (V86 only)
+; esp + 16 - SS         (if transfer to outer ring)
+; esp + 12 - ESP        (if transfer to outer ring)
+; esp + 8  - EFLAGS
+; esp + 4  - CS
+; esp      - EIP
+;;
+BEGINPROC   PATMIretRing1Replacement
+PATMIretRing1Start:
+    mov     dword [ss:PATM_INTERRUPTFLAG], 0
+    pushfd
+
+%ifdef PATM_LOG_PATCHIRET
+    push    eax
+    push    ecx
+    push    edx
+    lea     edx, dword [ss:esp+12+4]        ;3 dwords + pushed flags -> iret eip
+    mov     eax, PATM_ACTION_LOG_IRET
+    lock    or dword [ss:PATM_PENDINGACTION], eax
+    mov     ecx, PATM_ACTION_MAGIC
+    db      0fh, 0bh        ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
+    pop     edx
+    pop     ecx
+    pop     eax
+%endif
+
+    test    dword [esp], X86_EFL_NT
+    jnz     near iretring1_fault1
+
+    ; we can't do an iret to v86 code, as we run with CPL=1. The iret would attempt a protected mode iret and (most likely) fault.
+    test    dword [esp+12], X86_EFL_VM
+    jnz     near iretring1_return_to_v86
+
+    ;;!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+    ;;@todo: not correct for iret back to ring 2!!!!!
+    ;;!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+    test    dword [esp+8], 2
+    jnz     iretring1_checkpendingirq
+
+    test    dword [esp+12], X86_EFL_IF
+    jz      near iretring1_clearIF
+
+iretring1_checkpendingirq:
+
+; if interrupts are pending, then we must go back to the host context to handle them!
+; Note: This is very important as pending pic interrupts can be overridden by apic interrupts if we don't check early enough (Fedora 5 boot)
+; @@todo fix this properly, so we can dispatch pending interrupts in GC
+    test    dword [ss:PATM_VM_FORCEDACTIONS], VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC
+    jz      iretring1_continue
+
+; Go to our hypervisor trap handler to dispatch the pending irq
+    mov     dword [ss:PATM_TEMP_EAX], eax
+    mov     dword [ss:PATM_TEMP_ECX], ecx
+    mov     dword [ss:PATM_TEMP_EDI], edi
+    mov     dword [ss:PATM_TEMP_RESTORE_FLAGS], PATM_RESTORE_EAX | PATM_RESTORE_ECX | PATM_RESTORE_EDI
+    mov     eax, PATM_ACTION_PENDING_IRQ_AFTER_IRET
+    lock    or dword [ss:PATM_PENDINGACTION], eax
+    mov     ecx, PATM_ACTION_MAGIC
+    mov     edi, PATM_CURINSTRADDR
+
+    popfd
+    db      0fh, 0bh        ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
+    ; does not return
+
+iretring1_continue:
+
+    test    dword [esp+8], 2
+    jnz     iretring1_notring01
+
+    test    dword [esp+8], 1
+    jz      iretring1_ring0
+
+    ; ring 1 return change CS & SS RPL to 2 from 1
+    and     dword [esp+8], ~1       ; CS
+    or      dword [esp+8], 2
+
+    and     dword [esp+20], ~1      ; SS
+    or      dword [esp+20], 2
+
+    jmp     short iretring1_notring01
+iretring1_ring0:
+    ; force ring 1 CS RPL
+    or      dword [esp+8], 1
+
+iretring1_notring01:
+    ; This section must *always* be executed (!!)
+    ; Extract the IOPL from the return flags, save them to our virtual flags and
+    ; put them back to zero
+    ; @note we assume iretd doesn't fault!!!
+    push    eax
+    mov     eax, dword [esp+16]
+    and     eax, X86_EFL_IOPL
+    and     dword [ss:PATM_VMFLAGS], ~X86_EFL_IOPL
+    or      dword [ss:PATM_VMFLAGS], eax
+    pop     eax
+    and     dword [esp+12], ~X86_EFL_IOPL
+
+    ; Set IF again; below we make sure this won't cause problems.
+    or      dword [ss:PATM_VMFLAGS], X86_EFL_IF
+
+    ; make sure iret is executed fully (including the iret below; cli ... iret can otherwise be interrupted)
+    mov     dword [ss:PATM_INHIBITIRQADDR], PATM_CURINSTRADDR
+
+    popfd
+    mov     dword [ss:PATM_INTERRUPTFLAG], 1
+    iretd
+    PATM_INT3
+
+iretring1_fault:
+    popfd
+    mov     dword [ss:PATM_INTERRUPTFLAG], 1
+    PATM_INT3
+
+iretring1_fault1:
+    nop
+    popfd
+    mov     dword [ss:PATM_INTERRUPTFLAG], 1
+    PATM_INT3
+
+iretring1_clearIF:
+    push    dword [esp+4]           ; eip to return to
+    pushfd
+    push    eax
+    push    PATM_FIXUP
+    DB      0E8h                    ; call
+    DD      PATM_IRET_FUNCTION
+    add     esp, 4                  ; pushed address of jump table
+
+    cmp     eax, 0
+    je      near iretring1_fault3
+
+    mov     dword [esp+12+4], eax   ; stored eip in iret frame
+    pop     eax
+    popfd
+    add     esp, 4                  ; pushed eip
+
+    ; This section must *always* be executed (!!)
+    ; Extract the IOPL from the return flags, save them to our virtual flags and
+    ; put them back to zero
+    push    eax
+    mov     eax, dword [esp+16]
+    and     eax, X86_EFL_IOPL
+    and     dword [ss:PATM_VMFLAGS], ~X86_EFL_IOPL
+    or      dword [ss:PATM_VMFLAGS], eax
+    pop     eax
+    and     dword [esp+12], ~X86_EFL_IOPL
+
+    ; Clear IF
+    and     dword [ss:PATM_VMFLAGS], ~X86_EFL_IF
+    popfd
+
+    test    dword [esp+8], 1
+    jz      iretring1_clearIF_ring0
+
+    ; ring 1 return change CS & SS RPL to 2 from 1
+    and     dword [esp+8], ~1       ; CS
+    or      dword [esp+8], 2
+
+    and     dword [esp+20], ~1      ; SS
+    or      dword [esp+20], 2
+                                                ; the patched destination code will set PATM_INTERRUPTFLAG after the return!
+    iretd
+
+iretring1_clearIF_ring0:
+    ; force ring 1 CS RPL
+    or      dword [esp+8], 1
+                                                ; the patched destination code will set PATM_INTERRUPTFLAG after the return!
+    iretd
+
+iretring1_return_to_v86:
+    test    dword [esp+12], X86_EFL_IF
+    jz      iretring1_fault
+
+    ; Go to our hypervisor trap handler to perform the iret to v86 code
+    mov     dword [ss:PATM_TEMP_EAX], eax
+    mov     dword [ss:PATM_TEMP_ECX], ecx
+    mov     dword [ss:PATM_TEMP_RESTORE_FLAGS], PATM_RESTORE_EAX | PATM_RESTORE_ECX
+    mov     eax, PATM_ACTION_DO_V86_IRET
+    lock    or dword [ss:PATM_PENDINGACTION], eax
+    mov     ecx, PATM_ACTION_MAGIC
+
+    popfd
+
+    db      0fh, 0bh        ; illegal instr (hardcoded assumption in PATMHandleIllegalInstrTrap)
+    ; does not return
+
+
+iretring1_fault3:
+    pop     eax
+    popfd
+    add     esp, 4                  ; pushed eip
+    jmp     iretring1_fault
+
+align   4
+PATMIretRing1Table:
+    DW      PATM_MAX_JUMPTABLE_ENTRIES          ; nrSlots
+    DW      0                                   ; ulInsertPos
+    DD      0                                   ; cAddresses
+    TIMES PATCHJUMPTABLE_SIZE DB 0              ; lookup slots
+
+PATMIretRing1End:
+ENDPROC     PATMIretRing1Replacement
+
+SECTION .data
+; Patch record for 'iretd'
+GLOBALNAME PATMIretRing1Record
+    RTCCPTR_DEF PATMIretRing1Start
+    DD      0
+    DD      0
+    DD      0
+    DD      PATMIretRing1End- PATMIretRing1Start
+%ifdef PATM_LOG_PATCHIRET
+    DD      26
+%else
+    DD      25
+%endif
+    DD      PATM_INTERRUPTFLAG
+    DD      0
+%ifdef PATM_LOG_PATCHIRET
+    DD      PATM_PENDINGACTION
+    DD      0
+%endif
+    DD      PATM_VM_FORCEDACTIONS
+    DD      0
+    DD      PATM_TEMP_EAX
+    DD      0
+    DD      PATM_TEMP_ECX
+    DD      0
+    DD      PATM_TEMP_EDI
+    DD      0
+    DD      PATM_TEMP_RESTORE_FLAGS
+    DD      0
+    DD      PATM_PENDINGACTION
+    DD      0
+    DD      PATM_CURINSTRADDR
+    DD      0
+    DD      PATM_VMFLAGS
+    DD      0
+    DD      PATM_VMFLAGS
+    DD      0
+    DD      PATM_VMFLAGS
+    DD      0
+    DD      PATM_INHIBITIRQADDR
+    DD      0
+    DD      PATM_CURINSTRADDR
+    DD      0
+    DD      PATM_INTERRUPTFLAG
+    DD      0
+    DD      PATM_INTERRUPTFLAG
+    DD      0
+    DD      PATM_INTERRUPTFLAG
+    DD      0
+    DD      PATM_FIXUP
+    DD      PATMIretRing1Table - PATMIretRing1Start
     DD      PATM_IRET_FUNCTION
     DD      0

trunk/src/VBox/VMM/VMMR3/PATMPatch.cpp

@@ -27 +27 @@
 #include <VBox/vmm/cpum.h>
 #include <VBox/vmm/mm.h>
+#include <VBox/vmm/em.h>
 #include <VBox/vmm/trpm.h>
 #include <VBox/param.h>
@@ -436 +437 @@
 
     AssertMsg(fSizeOverride == false, ("operand size override!!\n"));
-
     callInfo.pCurInstrGC = pCurInstrGC;
 
-    size = patmPatchGenCode(pVM, pPatch, pPB, &PATMIretRecord, 0, false, &callInfo);
+#ifdef VBOX_WITH_RAW_RING1
+    if (EMIsRawRing1Enabled(pVM))
+    {
+        size = patmPatchGenCode(pVM, pPatch, pPB, &PATMIretRing1Record, 0, false, &callInfo);
+    }
+    else
+#endif
+        size = patmPatchGenCode(pVM, pPatch, pPB, &PATMIretRecord, 0, false, &callInfo);
 
     PATCHGEN_EPILOG(pPatch, size);
@@ -1074 +1081 @@
 int patmPatchGenIntEntry(PVM pVM, PPATCHINFO pPatch, RTRCPTR pIntHandlerGC)
 {
-    uint32_t size;
     int rc = VINF_SUCCESS;
 
-    PATCHGEN_PROLOG(pVM, pPatch);
-
-    /* Add lookup record for patch to guest address translation */
-    patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pIntHandlerGC, PATM_LOOKUP_PATCH2GUEST);
-
-    /* Generate entrypoint for the interrupt handler (correcting CS in the interrupt stack frame) */
-    size = patmPatchGenCode(pVM, pPatch, pPB,
-                            (pPatch->flags & PATMFL_INTHANDLER_WITH_ERRORCODE) ? &PATMIntEntryRecordErrorCode : &PATMIntEntryRecord,
-                            0, false);
-
-    PATCHGEN_EPILOG(pPatch, size);
+#ifdef VBOX_WITH_RAW_RING1
+    if (!EMIsRawRing1Enabled(pVM))    /* direct passthru of interrupts is not allowed in the ring-1 support case as we can't deal with the ring-1/2 ambiguity in the patm asm code and we don't need it either as TRPMForwardTrap takes care of the details. */
+    {
+#endif
+        uint32_t size;
+        PATCHGEN_PROLOG(pVM, pPatch);
+
+        /* Add lookup record for patch to guest address translation */
+        patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pIntHandlerGC, PATM_LOOKUP_PATCH2GUEST);
+
+        /* Generate entrypoint for the interrupt handler (correcting CS in the interrupt stack frame) */
+        size = patmPatchGenCode(pVM, pPatch, pPB,
+                                (pPatch->flags & PATMFL_INTHANDLER_WITH_ERRORCODE) ? &PATMIntEntryRecordErrorCode : &PATMIntEntryRecord,
+                                0, false);
+
+        PATCHGEN_EPILOG(pPatch, size);
+#ifdef VBOX_WITH_RAW_RING1
+    }
+#endif
 
     // Interrupt gates set IF to 0
@@ -1107 +1121 @@
 {
     uint32_t size;
+
+    Assert(!EMIsRawRing1Enabled(pVM));
 
     PATCHGEN_PROLOG(pVM, pPatch);

trunk/src/VBox/VMM/VMMR3/PATMSSM.cpp

@@ -810 +810 @@
         patmR3PatchConvertSSM2Mem(pPatchRec, &patch);
 
-        Log(("Restoring patch %RRv -> %RRv\n", pPatchRec->patch.pPrivInstrGC, patmInfo.pPatchMemGC + pPatchRec->patch.pPatchBlockOffset));
+        Log(("Restoring patch %RRv -> %RRv state %x\n", pPatchRec->patch.pPrivInstrGC, patmInfo.pPatchMemGC + pPatchRec->patch.pPatchBlockOffset, pPatchRec->patch.uState));
         bool ret = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pPatchRec->Core);
         Assert(ret);

trunk/src/VBox/VMM/VMMR3/PGMHandler.cpp

@@ -494 +494 @@
         {
             pgmUnlock(pVM);
+#ifndef DEBUG_sander
             AssertMsgFailed(("Range %#x not found!\n", GCPtr));
+#endif
             return VERR_INVALID_PARAMETER;
         }

trunk/src/VBox/VMM/VMMR3/SELM.cpp

@@ -80 +80 @@
 #include <iprt/string.h>
 
-
-/**
- * Enable or disable tracking of Shadow GDT/LDT/TSS.
- * @{
- */
-#define SELM_TRACK_SHADOW_GDT_CHANGES
-#define SELM_TRACK_SHADOW_LDT_CHANGES
-#define SELM_TRACK_SHADOW_TSS_CHANGES
-/** @} */
 
 
@@ -565 +556 @@
      * Uninstall guest GDT/LDT/TSS write access handlers.
      */
-    int rc;
+    int rc = VINF_SUCCESS;
     if (pVM->selm.s.GuestGdtr.pGdt != RTRCPTR_MAX && pVM->selm.s.fGDTRangeRegistered)
     {
+#ifdef SELM_TRACK_GUEST_GDT_CHANGES
         rc = PGMHandlerVirtualDeregister(pVM, pVM->selm.s.GuestGdtr.pGdt);
         AssertRC(rc);
+#endif
         pVM->selm.s.GuestGdtr.pGdt = RTRCPTR_MAX;
         pVM->selm.s.GuestGdtr.cbGdt = 0;
@@ -576 +569 @@
     if (pVM->selm.s.GCPtrGuestLdt != RTRCPTR_MAX)
     {
+#ifdef SELM_TRACK_GUEST_LDT_CHANGES
         rc = PGMHandlerVirtualDeregister(pVM, pVM->selm.s.GCPtrGuestLdt);
         AssertRC(rc);
+#endif
         pVM->selm.s.GCPtrGuestLdt = RTRCPTR_MAX;
     }
     if (pVM->selm.s.GCPtrGuestTss != RTRCPTR_MAX)
     {
+#ifdef SELM_TRACK_GUEST_TSS_CHANGES
         rc = PGMHandlerVirtualDeregister(pVM, pVM->selm.s.GCPtrGuestTss);
         AssertRC(rc);
+#endif
         pVM->selm.s.GCPtrGuestTss = RTRCPTR_MAX;
         pVM->selm.s.GCSelTss      = RTSEL_MAX;
@@ -619 +616 @@
     if (pVM->selm.s.GuestGdtr.pGdt != RTRCPTR_MAX && pVM->selm.s.fGDTRangeRegistered)
     {
+#ifdef SELM_TRACK_GUEST_GDT_CHANGES
         rc = PGMHandlerVirtualDeregister(pVM, pVM->selm.s.GuestGdtr.pGdt);
         AssertRC(rc);
+#endif
         pVM->selm.s.GuestGdtr.pGdt = RTRCPTR_MAX;
         pVM->selm.s.GuestGdtr.cbGdt = 0;
@@ -627 +626 @@
     if (pVM->selm.s.GCPtrGuestLdt != RTRCPTR_MAX)
     {
+#ifdef SELM_TRACK_GUEST_LDT_CHANGES
         rc = PGMHandlerVirtualDeregister(pVM, pVM->selm.s.GCPtrGuestLdt);
         AssertRC(rc);
+#endif
         pVM->selm.s.GCPtrGuestLdt = RTRCPTR_MAX;
     }
     if (pVM->selm.s.GCPtrGuestTss != RTRCPTR_MAX)
     {
+#ifdef SELM_TRACK_GUEST_TSS_CHANGES
         rc = PGMHandlerVirtualDeregister(pVM, pVM->selm.s.GCPtrGuestTss);
         AssertRC(rc);
+#endif
         pVM->selm.s.GCPtrGuestTss = RTRCPTR_MAX;
         pVM->selm.s.GCSelTss      = RTSEL_MAX;
@@ -953 +956 @@
     }
 
+#ifdef VBOX_WITH_SAFE_STR
+    /** Use the guest's TR selector to plug the str virtualization hole. */
+    if (CPUMGetGuestTR(pVCpu, NULL) != 0)
+    {
+        Log(("SELM: Use guest TSS selector %x\n", CPUMGetGuestTR(pVCpu, NULL)));
+        aHyperSel[SELM_HYPER_SEL_TSS] = CPUMGetGuestTR(pVCpu, NULL);
+    }
+#endif
+
     /*
      * Work thru the copied GDT entries adjusting them for correct virtualization.
@@ -960 +972 @@
     {
         if (pGDTE->Gen.u1Present)
-            selmGuestToShadowDesc(pGDTE);
+            selmGuestToShadowDesc(pVM, pGDTE);
 
         /* Next GDT entry. */
@@ -990 +1002 @@
         VMR3Relocate(pVM, 0);
     }
-    else if (cbEffLimit >= SELM_HYPER_DEFAULT_BASE)
+    else 
+#ifdef VBOX_WITH_SAFE_STR
+    if (    cbEffLimit >= SELM_HYPER_DEFAULT_BASE
+        ||  CPUMGetGuestTR(pVCpu, NULL) != 0)       /* Our shadow TR entry was overwritten when we synced the guest's GDT. */
+#else
+    if (cbEffLimit >= SELM_HYPER_DEFAULT_BASE)
+#endif
         /* We overwrote all entries above, so we have to save them again. */
         selmR3SetupHyperGDTSelectors(pVM);
@@ -1011 +1029 @@
     {
         Log(("SELMR3UpdateFromCPUM: Guest's GDT is changed to pGdt=%016RX64 cbGdt=%08X\n", GDTR.pGdt, GDTR.cbGdt));
-
+#ifdef SELM_TRACK_GUEST_GDT_CHANGES
         /*
          * [Re]Register write virtual handler for guest's GDT.
@@ -1025 +1043 @@
                                          0, selmR3GuestGDTWriteHandler, "selmRCGuestGDTWriteHandler", 0,
                                          "Guest GDT write access handler");
+# ifdef VBOX_WITH_RAW_RING1
+        /* Some guest OSes (QNX) share code and the GDT on the same page; PGMR3HandlerVirtualRegister doesn't support more than one handler, so we kick out the 
+         * PATM handler as this one is more important. 
+         * @todo fix this properly in PGMR3HandlerVirtualRegister
+         */
+        if (rc == VERR_PGM_HANDLER_VIRTUAL_CONFLICT)
+        {
+            LogRel(("selmR3UpdateShadowGdt: Virtual handler conflict %RGv -> kick out PATM handler for the higher priority GDT page monitor\n", GDTR.pGdt));
+            rc = PGMHandlerVirtualDeregister(pVM, GDTR.pGdt & PAGE_BASE_GC_MASK);
+            AssertRC(rc);
+
+            rc = PGMR3HandlerVirtualRegister(pVM, PGMVIRTHANDLERTYPE_WRITE,
+                                             GDTR.pGdt, GDTR.pGdt + GDTR.cbGdt /* already inclusive */,
+                                             0, selmR3GuestGDTWriteHandler, "selmRCGuestGDTWriteHandler", 0,
+                                             "Guest GDT write access handler");
+        }
+# endif
         if (RT_FAILURE(rc))
             return rc;
-
+#endif
         /* Update saved Guest GDTR. */
         pVM->selm.s.GuestGdtr = GDTR;
@@ -1137 +1172 @@
                  pVM->selm.s.GCPtrGuestLdt, pVM->selm.s.cbLdtLimit, GCPtrLdt, cbLdt, pVM->selm.s.GuestGdtr.pGdt, pVM->selm.s.GuestGdtr.cbGdt));
 
+#ifdef SELM_TRACK_GUEST_LDT_CHANGES
             /*
              * [Re]Register write virtual handler for guest's GDT.
@@ -1146 +1182 @@
                 AssertRC(rc);
             }
-#ifdef DEBUG
+# ifdef DEBUG
             if (pDesc->Gen.u1Present)
                 Log(("LDT selector marked not present!!\n"));
-#endif
+# endif
             rc = PGMR3HandlerVirtualRegister(pVM, PGMVIRTHANDLERTYPE_WRITE, GCPtrLdt, GCPtrLdt + cbLdt /* already inclusive */,
                                              0, selmR3GuestLDTWriteHandler, "selmRCGuestLDTWriteHandler", 0, "Guest LDT write access handler");
@@ -1166 +1202 @@
                 return rc;
             }
-
+#else
+            pVM->selm.s.GCPtrGuestLdt = GCPtrLdt;
+#endif
             pVM->selm.s.cbLdtLimit = cbLdt;
         }
@@ -1205 +1243 @@
     /** @todo investigate how intel handle various operations on half present cross page entries. */
     off = GCPtrLdt & (sizeof(X86DESC) - 1);
-    AssertMsg(!off, ("LDT is not aligned on entry size! GCPtrLdt=%08x\n", GCPtrLdt));
+////    AssertMsg(!off, ("LDT is not aligned on entry size! GCPtrLdt=%08x\n", GCPtrLdt));
 
     /* Note: Do not skip the first selector; unlike the GDT, a zero LDT selector is perfectly valid. */
@@ -1239 +1277 @@
             {
                 if (pLDTE->Gen.u1Present)
-                    selmGuestToShadowDesc(pLDTE);
+                    selmGuestToShadowDesc(pVM, pLDTE);
 
                 /* Next LDT entry. */
@@ -1438 +1476 @@
 }
 
-
+#ifdef SELM_TRACK_GUEST_GDT_CHANGES
 /**
  * \#PF Handler callback for virtual access handler ranges.
@@ -1465 +1503 @@
     return VINF_PGM_HANDLER_DO_DEFAULT;
 }
-
-
+#endif
+
+#ifdef SELM_TRACK_GUEST_LDT_CHANGES
 /**
  * \#PF Handler callback for virtual access handler ranges.
@@ -1493 +1532 @@
     return VINF_PGM_HANDLER_DO_DEFAULT;
 }
-
-
+#endif
+
+
+#ifdef SELM_TRACK_GUEST_TSS_CHANGES
 /**
  * \#PF Handler callback for virtual access handler ranges.
@@ -1526 +1567 @@
     return VINF_PGM_HANDLER_DO_DEFAULT;
 }
-
+#endif
 
 /**
@@ -1675 +1716 @@
             selmSetRing1Stack(pVM, Tss.ss0 | 1, Tss.esp0);
             pVM->selm.s.fSyncTSSRing0Stack = fNoRing1Stack = false;
+
+#ifdef VBOX_WITH_RAW_RING1
+            /* Update our TSS structure for the guest's ring 2 stack */
+            selmSetRing2Stack(pVM, (Tss.ss1 & ~1) | 2, Tss.esp1);
+
+            if (    (pVM->selm.s.Tss.ss2 != ((Tss.ss1 & ~2) | 1))
+                ||  pVM->selm.s.Tss.esp2 != Tss.esp1)
+            {
+                Log(("SELMR3SyncTSS: Updating TSS ring 1 stack to %04X:%08X from %04X:%08X\n", Tss.ss1, Tss.esp1, (pVM->selm.s.Tss.ss2 & ~2) | 1, pVM->selm.s.Tss.esp2));
+            }
+#endif
         }
     }
@@ -1711 +1763 @@
         if (cbMonitoredTss != 0)
         {
+#ifdef SELM_TRACK_GUEST_TSS_CHANGES
             rc = PGMR3HandlerVirtualRegister(pVM, PGMVIRTHANDLERTYPE_WRITE, GCPtrTss, GCPtrTss + cbMonitoredTss - 1,
                                              0, selmR3GuestTSSWriteHandler,
@@ -1716 +1769 @@
             if (RT_FAILURE(rc))
             {
+# ifdef VBOX_WITH_RAW_RING1
+                /* Some guest OSes (QNX) share code and the TSS on the same page; PGMR3HandlerVirtualRegister doesn't support more than one handler, so we kick out the 
+                 * PATM handler as this one is more important. 
+                 * @todo fix this properly in PGMR3HandlerVirtualRegister
+                 */
+                if (rc == VERR_PGM_HANDLER_VIRTUAL_CONFLICT)
+                {
+                    LogRel(("SELMR3SyncTSS: Virtual handler conflict %RGv -> kick out PATM handler for the higher priority TSS page monitor\n", GCPtrTss));
+                    rc = PGMHandlerVirtualDeregister(pVM, GCPtrTss & PAGE_BASE_GC_MASK);
+                    AssertRC(rc);
+
+                    rc = PGMR3HandlerVirtualRegister(pVM, PGMVIRTHANDLERTYPE_WRITE, GCPtrTss, GCPtrTss + cbMonitoredTss - 1,
+                                                     0, selmR3GuestTSSWriteHandler,
+                                                     "selmRCGuestTSSWriteHandler", 0, "Guest TSS write access handler");
+                    if (RT_FAILURE(rc))
+                    {
+                        STAM_PROFILE_STOP(&pVM->selm.s.StatUpdateFromCPUM, a);
+                        return rc;
+                    }
+                }
+# else
                 STAM_PROFILE_STOP(&pVM->selm.s.StatUpdateFromCPUM, a);
                 return rc;
-            }
-
+# endif
+           }
+#endif
             /* Update saved Guest TSS info. */
             pVM->selm.s.GCPtrGuestTss       = GCPtrTss;
@@ -1888 +1963 @@
 VMMR3DECL(bool) SELMR3CheckTSS(PVM pVM)
 {
-#ifdef VBOX_STRICT
+#if defined(VBOX_STRICT) && defined(SELM_TRACK_GUEST_TSS_CHANGES)
     PVMCPU pVCpu = VMMGetCpu(pVM);
 
@@ -2019 +2094 @@
 #endif /* !VBOX_STRICT */
 }
+
+# ifdef VBOX_WITH_SAFE_STR
+/**
+ * Validates the RawR0 TR shadow GDT entry
+ *
+ * @returns true if it matches.
+ * @returns false and assertions on mismatch..
+ * @param   pVM     Pointer to the VM.
+ */
+VMMR3DECL(bool) SELMR3CheckShadowTR(PVM pVM)
+{
+#  ifdef VBOX_STRICT
+    PX86DESC paGdt = pVM->selm.s.paGdtR3;
+
+    /*
+     * TSS descriptor
+     */
+    PX86DESC pDesc = &paGdt[pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS] >> 3];
+    RTRCPTR RCPtrTSS = VM_RC_ADDR(pVM, &pVM->selm.s.Tss);
+
+    if (    pDesc->Gen.u16BaseLow      != RT_LOWORD(RCPtrTSS)
+        ||  pDesc->Gen.u8BaseHigh1     != RT_BYTE3(RCPtrTSS)
+        ||  pDesc->Gen.u8BaseHigh2     != RT_BYTE4(RCPtrTSS)
+        ||  pDesc->Gen.u16LimitLow     != sizeof(VBOXTSS) - 1
+        ||  pDesc->Gen.u4LimitHigh     != 0
+        ||  (pDesc->Gen.u4Type         != X86_SEL_TYPE_SYS_386_TSS_AVAIL && pDesc->Gen.u4Type != X86_SEL_TYPE_SYS_386_TSS_BUSY)
+        ||  pDesc->Gen.u1DescType      != 0 /* system */
+        ||  pDesc->Gen.u2Dpl           != 0 /* supervisor */
+        ||  pDesc->Gen.u1Present       != 1
+        ||  pDesc->Gen.u1Available     != 0
+        ||  pDesc->Gen.u1Long          != 0
+        ||  pDesc->Gen.u1DefBig        != 0
+        ||  pDesc->Gen.u1Granularity   != 0 /* byte limit */
+        )
+    {
+        AssertFailed();
+        return false;
+    }
+#  endif
+    return true;
+}
+# endif 
 
 #endif /* VBOX_WITH_RAW_MODE */

trunk/src/VBox/VMM/VMMR3/TRPM.cpp

@@ -1330 +1330 @@
     }
 
-    if (EMIsRawRing0Enabled(pVM))
+    if (    EMIsRawRing0Enabled(pVM)
+#ifdef VBOX_WITH_RAW_RING1
+        && !EMIsRawRing1Enabled(pVM)    /* can't deal with the ambiguity of ring 1 & 2 in the patch code. */
+#endif
+       )
     {
         /*

trunk/src/VBox/VMM/VMMR3/VMM.cpp

@@ -1257 +1257 @@
             EMR3FatalError(pVCpu, VERR_VMM_HYPER_CR3_MISMATCH);
         PGMMapCheck(pVM);
+# ifdef VBOX_WITH_SAFE_STR
+        SELMR3CheckShadowTR(pVM);
+# endif
 #endif
         int rc;