first move to user mode, using software switch

[skoco]

this question i posted in alt.os.development too, dont be surprised when you see the same here.. :->>

hello guys!
  i have a little question for you, if you don't mind.
i used grub to load an elf module for me which i want to run
with USER privilegies. i have mapped its code and data into its
own address space, with user privilegies. i'm not using ldt, i wanna
use pure page based protection, so that user_code_sel and user_data_sel
point to gdt descriptors. i'm not using the tss for user task (but have one,
which holds kernel cr3,esp0,ss0 and cs,ds,es registers). ltr loaded the kernel tss.
and here is my problem :
i want to switch from kernel space to this user task. just something like
move_to_user_mode in early linux. but my sequence of steps which is :
push user_ss // 0x20
push user_esp // in user mapped data
push user_eflags // 0x0 for now, i dont wanna be interrupter with timer_irq
push user_cs // 0x18
push user_eip // ptr to user mapped text
mov cr3,user_pdbr
iret

this sequence doesn't work (int3, no resolution in bochs).
i'm not sure if those kernel values i put in tss are all the cpu needs.
maybe when in kernel mode the NT bit in eflags should be set to cause switch
(i thought that this is used just when doing tss switch, should i set it?).

i dont wanna use any task gates, nor tss switch. i want for example timer_irq to
make interrupt, push user regs of old task, load kernel segment values, call scheduler,
and than push new user task values into kernel stack and iret.
but this sequence of instructions doesn't work.

thanks for any ideas... skoco

p.s.: please don't send me any advices of type "why don't you use tss switch and so..." :->

[xdopamine]

First, your selectors are wrong. Assuming you are exiting to ring 3,
CS should be 0x1B and SS 0x23.

Second, make sure that eip and esp really map to valid virtual addresses
(try doing a dummy read before exiting to ring 3 or something, you never know).