On 02/09/2012 05:32 PM, Jan Kiszka wrote:
> I mean just check kpcr.self. Yes, clear, but that means that Windows must have initialized FS.base to point to the KPCR also in UP mode. Is that really the case? E.g. when ACPI is off?! I wonder if that explains the reported bug of qemu-kvm with -no-acpi and in-kernel irqchip...
Yes, it does. It's used by some fast-path kernel APIs, and indeed the canonical way to find the KPCR base from ring 0 is to look at FS:[1Ch].
Similarly in userspace you can find the thread information block at FS:[sizeof(void*)*6], and FS:[1Ch] is something else. But your code cannot be reached from userspace, so that's always fine.
Paolo
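As an added illustration, not code from this thread or from qemu-kvm: a small C model of the kpcr.self check Jan refers to, run against constructed 32-bit guest memory. GUEST_BASE, the TIB-like block and the guest_read32 helper are assumptions for the example; the host is assumed little-endian.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed guest "memory": a flat buffer standing in for the 32-bit
 * guest range [GUEST_BASE, GUEST_BASE + sizeof guest_mem). */
#define GUEST_BASE    0xffdff000u  /* assumed KPCR address for the example */
#define KPCR_SELF_OFF 0x1cu        /* FS:[1Ch] in ring 0: KPCR.SelfPcr */
#define TIB_SELF_OFF  0x18u        /* FS:[18h] in user mode: NT_TIB.Self */
static uint8_t guest_mem[0x2000];

/* Read a dword from the modelled guest memory; -1 if outside the range
 * (stands in for an unmapped or garbage FS.base). */
static int guest_read32(uint32_t gva, uint32_t *out)
{
    if (gva < GUEST_BASE || gva + 4 > GUEST_BASE + sizeof guest_mem)
        return -1;
    memcpy(out, guest_mem + (gva - GUEST_BASE), 4);
    return 0;
}

/* The check from the thread: only trust FS.base as the KPCR when the
 * self pointer at FS:[1Ch] points back at FS.base. Returns 1 on success,
 * 0 for an unset base, unreadable memory or a mismatch. */
int fs_base_is_kpcr(uint32_t fs_base)
{
    uint32_t self;
    if (fs_base == 0)                      /* guest never set FS.base */
        return 0;
    if (guest_read32(fs_base + KPCR_SELF_OFF, &self) != 0)
        return 0;
    return self == fs_base;
}

/* Populate guest memory: a KPCR at GUEST_BASE pointing to itself, and a
 * user-mode TIB-like block at GUEST_BASE+0x1000 whose self pointer sits at
 * 0x18, so its 0x1c holds something else and must fail the KPCR check. */
void setup_guest(void)
{
    uint32_t kpcr = GUEST_BASE, tib = GUEST_BASE + 0x1000;
    memset(guest_mem, 0, sizeof guest_mem);
    memcpy(guest_mem + KPCR_SELF_OFF, &kpcr, 4);
    memcpy(guest_mem + 0x1000 + TIB_SELF_OFF, &tib, 4);
}

int main(void)
{
    setup_guest();
    printf("KPCR  %#x: %d\n", GUEST_BASE, fs_base_is_kpcr(GUEST_BASE));
    printf("TIB   %#x: %d\n", GUEST_BASE + 0x1000, fs_base_is_kpcr(GUEST_BASE + 0x1000));
    printf("unset FS.base: %d\n", fs_base_is_kpcr(0));
    return 0;
}
```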