xref: /openbmc/qemu/target/i386/tcg/seg_helper.c (revision 1d76437b45ab9982307b95d325d627f7b6f06088)
1 /*
2  *  x86 segmentation related helpers:
3  *  TSS, interrupts, system calls, jumps and call/task gates, descriptors
4  *
5  *  Copyright (c) 2003 Fabrice Bellard
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  */
20 
21 #include "qemu/osdep.h"
22 #include "cpu.h"
23 #include "qemu/log.h"
24 #include "exec/helper-proto.h"
25 #include "exec/exec-all.h"
26 #include "exec/cpu_ldst.h"
27 #include "exec/log.h"
28 #include "helper-tcg.h"
29 #include "seg_helper.h"
30 
31 /* return non zero if error */
32 static inline int load_segment_ra(CPUX86State *env, uint32_t *e1_ptr,
33                                uint32_t *e2_ptr, int selector,
34                                uintptr_t retaddr)
35 {
36     SegmentCache *dt;
37     int index;
38     target_ulong ptr;
39 
40     if (selector & 0x4) {
41         dt = &env->ldt;
42     } else {
43         dt = &env->gdt;
44     }
45     index = selector & ~7;
46     if ((index + 7) > dt->limit) {
47         return -1;
48     }
49     ptr = dt->base + index;
50     *e1_ptr = cpu_ldl_kernel_ra(env, ptr, retaddr);
51     *e2_ptr = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
52     return 0;
53 }
54 
55 static inline int load_segment(CPUX86State *env, uint32_t *e1_ptr,
56                                uint32_t *e2_ptr, int selector)
57 {
58     return load_segment_ra(env, e1_ptr, e2_ptr, selector, 0);
59 }
60 
61 static inline unsigned int get_seg_limit(uint32_t e1, uint32_t e2)
62 {
63     unsigned int limit;
64 
65     limit = (e1 & 0xffff) | (e2 & 0x000f0000);
66     if (e2 & DESC_G_MASK) {
67         limit = (limit << 12) | 0xfff;
68     }
69     return limit;
70 }
71 
72 static inline uint32_t get_seg_base(uint32_t e1, uint32_t e2)
73 {
74     return (e1 >> 16) | ((e2 & 0xff) << 16) | (e2 & 0xff000000);
75 }
76 
77 static inline void load_seg_cache_raw_dt(SegmentCache *sc, uint32_t e1,
78                                          uint32_t e2)
79 {
80     sc->base = get_seg_base(e1, e2);
81     sc->limit = get_seg_limit(e1, e2);
82     sc->flags = e2;
83 }
84 
85 /* init the segment cache in vm86 mode. */
86 static inline void load_seg_vm(CPUX86State *env, int seg, int selector)
87 {
88     selector &= 0xffff;
89 
90     cpu_x86_load_seg_cache(env, seg, selector, (selector << 4), 0xffff,
91                            DESC_P_MASK | DESC_S_MASK | DESC_W_MASK |
92                            DESC_A_MASK | (3 << DESC_DPL_SHIFT));
93 }
94 
95 static inline void get_ss_esp_from_tss(CPUX86State *env, uint32_t *ss_ptr,
96                                        uint32_t *esp_ptr, int dpl,
97                                        uintptr_t retaddr)
98 {
99     X86CPU *cpu = env_archcpu(env);
100     int type, index, shift;
101 
102 #if 0
103     {
104         int i;
105         printf("TR: base=%p limit=%x\n", env->tr.base, env->tr.limit);
106         for (i = 0; i < env->tr.limit; i++) {
107             printf("%02x ", env->tr.base[i]);
108             if ((i & 7) == 7) {
109                 printf("\n");
110             }
111         }
112         printf("\n");
113     }
114 #endif
115 
116     if (!(env->tr.flags & DESC_P_MASK)) {
117         cpu_abort(CPU(cpu), "invalid tss");
118     }
119     type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
120     if ((type & 7) != 1) {
121         cpu_abort(CPU(cpu), "invalid tss type");
122     }
123     shift = type >> 3;
124     index = (dpl * 4 + 2) << shift;
125     if (index + (4 << shift) - 1 > env->tr.limit) {
126         raise_exception_err_ra(env, EXCP0A_TSS, env->tr.selector & 0xfffc, retaddr);
127     }
128     if (shift == 0) {
129         *esp_ptr = cpu_lduw_kernel_ra(env, env->tr.base + index, retaddr);
130         *ss_ptr = cpu_lduw_kernel_ra(env, env->tr.base + index + 2, retaddr);
131     } else {
132         *esp_ptr = cpu_ldl_kernel_ra(env, env->tr.base + index, retaddr);
133         *ss_ptr = cpu_lduw_kernel_ra(env, env->tr.base + index + 4, retaddr);
134     }
135 }
136 
137 static void tss_load_seg(CPUX86State *env, X86Seg seg_reg, int selector,
138                          int cpl, uintptr_t retaddr)
139 {
140     uint32_t e1, e2;
141     int rpl, dpl;
142 
143     if ((selector & 0xfffc) != 0) {
144         if (load_segment_ra(env, &e1, &e2, selector, retaddr) != 0) {
145             raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
146         }
147         if (!(e2 & DESC_S_MASK)) {
148             raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
149         }
150         rpl = selector & 3;
151         dpl = (e2 >> DESC_DPL_SHIFT) & 3;
152         if (seg_reg == R_CS) {
153             if (!(e2 & DESC_CS_MASK)) {
154                 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
155             }
156             if (dpl != rpl) {
157                 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
158             }
159         } else if (seg_reg == R_SS) {
160             /* SS must be writable data */
161             if ((e2 & DESC_CS_MASK) || !(e2 & DESC_W_MASK)) {
162                 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
163             }
164             if (dpl != cpl || dpl != rpl) {
165                 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
166             }
167         } else {
168             /* not readable code */
169             if ((e2 & DESC_CS_MASK) && !(e2 & DESC_R_MASK)) {
170                 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
171             }
172             /* if data or non conforming code, checks the rights */
173             if (((e2 >> DESC_TYPE_SHIFT) & 0xf) < 12) {
174                 if (dpl < cpl || dpl < rpl) {
175                     raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
176                 }
177             }
178         }
179         if (!(e2 & DESC_P_MASK)) {
180             raise_exception_err_ra(env, EXCP0B_NOSEG, selector & 0xfffc, retaddr);
181         }
182         cpu_x86_load_seg_cache(env, seg_reg, selector,
183                                get_seg_base(e1, e2),
184                                get_seg_limit(e1, e2),
185                                e2);
186     } else {
187         if (seg_reg == R_SS || seg_reg == R_CS) {
188             raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
189         }
190     }
191 }
192 
193 #define SWITCH_TSS_JMP  0
194 #define SWITCH_TSS_IRET 1
195 #define SWITCH_TSS_CALL 2
196 
197 /* XXX: restore CPU state in registers (PowerPC case) */
198 static void switch_tss_ra(CPUX86State *env, int tss_selector,
199                           uint32_t e1, uint32_t e2, int source,
200                           uint32_t next_eip, uintptr_t retaddr)
201 {
202     int tss_limit, tss_limit_max, type, old_tss_limit_max, old_type, v1, v2, i;
203     target_ulong tss_base;
204     uint32_t new_regs[8], new_segs[6];
205     uint32_t new_eflags, new_eip, new_cr3, new_ldt, new_trap;
206     uint32_t old_eflags, eflags_mask;
207     SegmentCache *dt;
208     int index;
209     target_ulong ptr;
210 
211     type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
212     LOG_PCALL("switch_tss: sel=0x%04x type=%d src=%d\n", tss_selector, type,
213               source);
214 
215     /* if task gate, we read the TSS segment and we load it */
216     if (type == 5) {
217         if (!(e2 & DESC_P_MASK)) {
218             raise_exception_err_ra(env, EXCP0B_NOSEG, tss_selector & 0xfffc, retaddr);
219         }
220         tss_selector = e1 >> 16;
221         if (tss_selector & 4) {
222             raise_exception_err_ra(env, EXCP0A_TSS, tss_selector & 0xfffc, retaddr);
223         }
224         if (load_segment_ra(env, &e1, &e2, tss_selector, retaddr) != 0) {
225             raise_exception_err_ra(env, EXCP0D_GPF, tss_selector & 0xfffc, retaddr);
226         }
227         if (e2 & DESC_S_MASK) {
228             raise_exception_err_ra(env, EXCP0D_GPF, tss_selector & 0xfffc, retaddr);
229         }
230         type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
231         if ((type & 7) != 1) {
232             raise_exception_err_ra(env, EXCP0D_GPF, tss_selector & 0xfffc, retaddr);
233         }
234     }
235 
236     if (!(e2 & DESC_P_MASK)) {
237         raise_exception_err_ra(env, EXCP0B_NOSEG, tss_selector & 0xfffc, retaddr);
238     }
239 
240     if (type & 8) {
241         tss_limit_max = 103;
242     } else {
243         tss_limit_max = 43;
244     }
245     tss_limit = get_seg_limit(e1, e2);
246     tss_base = get_seg_base(e1, e2);
247     if ((tss_selector & 4) != 0 ||
248         tss_limit < tss_limit_max) {
249         raise_exception_err_ra(env, EXCP0A_TSS, tss_selector & 0xfffc, retaddr);
250     }
251     old_type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
252     if (old_type & 8) {
253         old_tss_limit_max = 103;
254     } else {
255         old_tss_limit_max = 43;
256     }
257 
258     /* read all the registers from the new TSS */
259     if (type & 8) {
260         /* 32 bit */
261         new_cr3 = cpu_ldl_kernel_ra(env, tss_base + 0x1c, retaddr);
262         new_eip = cpu_ldl_kernel_ra(env, tss_base + 0x20, retaddr);
263         new_eflags = cpu_ldl_kernel_ra(env, tss_base + 0x24, retaddr);
264         for (i = 0; i < 8; i++) {
265             new_regs[i] = cpu_ldl_kernel_ra(env, tss_base + (0x28 + i * 4),
266                                             retaddr);
267         }
268         for (i = 0; i < 6; i++) {
269             new_segs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x48 + i * 4),
270                                              retaddr);
271         }
272         new_ldt = cpu_lduw_kernel_ra(env, tss_base + 0x60, retaddr);
273         new_trap = cpu_ldl_kernel_ra(env, tss_base + 0x64, retaddr);
274     } else {
275         /* 16 bit */
276         new_cr3 = 0;
277         new_eip = cpu_lduw_kernel_ra(env, tss_base + 0x0e, retaddr);
278         new_eflags = cpu_lduw_kernel_ra(env, tss_base + 0x10, retaddr);
279         for (i = 0; i < 8; i++) {
280             new_regs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x12 + i * 2), retaddr);
281         }
282         for (i = 0; i < 4; i++) {
283             new_segs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x22 + i * 2),
284                                              retaddr);
285         }
286         new_ldt = cpu_lduw_kernel_ra(env, tss_base + 0x2a, retaddr);
287         new_segs[R_FS] = 0;
288         new_segs[R_GS] = 0;
289         new_trap = 0;
290     }
291     /* XXX: avoid a compiler warning, see
292      http://support.amd.com/us/Processor_TechDocs/24593.pdf
293      chapters 12.2.5 and 13.2.4 on how to implement TSS Trap bit */
294     (void)new_trap;
295 
296     /* NOTE: we must avoid memory exceptions during the task switch,
297        so we make dummy accesses before */
298     /* XXX: it can still fail in some cases, so a bigger hack is
299        necessary to valid the TLB after having done the accesses */
300 
301     v1 = cpu_ldub_kernel_ra(env, env->tr.base, retaddr);
302     v2 = cpu_ldub_kernel_ra(env, env->tr.base + old_tss_limit_max, retaddr);
303     cpu_stb_kernel_ra(env, env->tr.base, v1, retaddr);
304     cpu_stb_kernel_ra(env, env->tr.base + old_tss_limit_max, v2, retaddr);
305 
306     /* clear busy bit (it is restartable) */
307     if (source == SWITCH_TSS_JMP || source == SWITCH_TSS_IRET) {
308         target_ulong ptr;
309         uint32_t e2;
310 
311         ptr = env->gdt.base + (env->tr.selector & ~7);
312         e2 = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
313         e2 &= ~DESC_TSS_BUSY_MASK;
314         cpu_stl_kernel_ra(env, ptr + 4, e2, retaddr);
315     }
316     old_eflags = cpu_compute_eflags(env);
317     if (source == SWITCH_TSS_IRET) {
318         old_eflags &= ~NT_MASK;
319     }
320 
321     /* save the current state in the old TSS */
322     if (old_type & 8) {
323         /* 32 bit */
324         cpu_stl_kernel_ra(env, env->tr.base + 0x20, next_eip, retaddr);
325         cpu_stl_kernel_ra(env, env->tr.base + 0x24, old_eflags, retaddr);
326         cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 0 * 4), env->regs[R_EAX], retaddr);
327         cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 1 * 4), env->regs[R_ECX], retaddr);
328         cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 2 * 4), env->regs[R_EDX], retaddr);
329         cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 3 * 4), env->regs[R_EBX], retaddr);
330         cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 4 * 4), env->regs[R_ESP], retaddr);
331         cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 5 * 4), env->regs[R_EBP], retaddr);
332         cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 6 * 4), env->regs[R_ESI], retaddr);
333         cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 7 * 4), env->regs[R_EDI], retaddr);
334         for (i = 0; i < 6; i++) {
335             cpu_stw_kernel_ra(env, env->tr.base + (0x48 + i * 4),
336                               env->segs[i].selector, retaddr);
337         }
338     } else {
339         /* 16 bit */
340         cpu_stw_kernel_ra(env, env->tr.base + 0x0e, next_eip, retaddr);
341         cpu_stw_kernel_ra(env, env->tr.base + 0x10, old_eflags, retaddr);
342         cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 0 * 2), env->regs[R_EAX], retaddr);
343         cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 1 * 2), env->regs[R_ECX], retaddr);
344         cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 2 * 2), env->regs[R_EDX], retaddr);
345         cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 3 * 2), env->regs[R_EBX], retaddr);
346         cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 4 * 2), env->regs[R_ESP], retaddr);
347         cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 5 * 2), env->regs[R_EBP], retaddr);
348         cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 6 * 2), env->regs[R_ESI], retaddr);
349         cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 7 * 2), env->regs[R_EDI], retaddr);
350         for (i = 0; i < 4; i++) {
351             cpu_stw_kernel_ra(env, env->tr.base + (0x22 + i * 2),
352                               env->segs[i].selector, retaddr);
353         }
354     }
355 
356     /* now if an exception occurs, it will occurs in the next task
357        context */
358 
359     if (source == SWITCH_TSS_CALL) {
360         cpu_stw_kernel_ra(env, tss_base, env->tr.selector, retaddr);
361         new_eflags |= NT_MASK;
362     }
363 
364     /* set busy bit */
365     if (source == SWITCH_TSS_JMP || source == SWITCH_TSS_CALL) {
366         target_ulong ptr;
367         uint32_t e2;
368 
369         ptr = env->gdt.base + (tss_selector & ~7);
370         e2 = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
371         e2 |= DESC_TSS_BUSY_MASK;
372         cpu_stl_kernel_ra(env, ptr + 4, e2, retaddr);
373     }
374 
375     /* set the new CPU state */
376     /* from this point, any exception which occurs can give problems */
377     env->cr[0] |= CR0_TS_MASK;
378     env->hflags |= HF_TS_MASK;
379     env->tr.selector = tss_selector;
380     env->tr.base = tss_base;
381     env->tr.limit = tss_limit;
382     env->tr.flags = e2 & ~DESC_TSS_BUSY_MASK;
383 
384     if ((type & 8) && (env->cr[0] & CR0_PG_MASK)) {
385         cpu_x86_update_cr3(env, new_cr3);
386     }
387 
388     /* load all registers without an exception, then reload them with
389        possible exception */
390     env->eip = new_eip;
391     eflags_mask = TF_MASK | AC_MASK | ID_MASK |
392         IF_MASK | IOPL_MASK | VM_MASK | RF_MASK | NT_MASK;
393     if (type & 8) {
394         cpu_load_eflags(env, new_eflags, eflags_mask);
395         for (i = 0; i < 8; i++) {
396             env->regs[i] = new_regs[i];
397         }
398     } else {
399         cpu_load_eflags(env, new_eflags, eflags_mask & 0xffff);
400         for (i = 0; i < 8; i++) {
401             env->regs[i] = (env->regs[i] & 0xffff0000) | new_regs[i];
402         }
403     }
404     if (new_eflags & VM_MASK) {
405         for (i = 0; i < 6; i++) {
406             load_seg_vm(env, i, new_segs[i]);
407         }
408     } else {
409         /* first just selectors as the rest may trigger exceptions */
410         for (i = 0; i < 6; i++) {
411             cpu_x86_load_seg_cache(env, i, new_segs[i], 0, 0, 0);
412         }
413     }
414 
415     env->ldt.selector = new_ldt & ~4;
416     env->ldt.base = 0;
417     env->ldt.limit = 0;
418     env->ldt.flags = 0;
419 
420     /* load the LDT */
421     if (new_ldt & 4) {
422         raise_exception_err_ra(env, EXCP0A_TSS, new_ldt & 0xfffc, retaddr);
423     }
424 
425     if ((new_ldt & 0xfffc) != 0) {
426         dt = &env->gdt;
427         index = new_ldt & ~7;
428         if ((index + 7) > dt->limit) {
429             raise_exception_err_ra(env, EXCP0A_TSS, new_ldt & 0xfffc, retaddr);
430         }
431         ptr = dt->base + index;
432         e1 = cpu_ldl_kernel_ra(env, ptr, retaddr);
433         e2 = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
434         if ((e2 & DESC_S_MASK) || ((e2 >> DESC_TYPE_SHIFT) & 0xf) != 2) {
435             raise_exception_err_ra(env, EXCP0A_TSS, new_ldt & 0xfffc, retaddr);
436         }
437         if (!(e2 & DESC_P_MASK)) {
438             raise_exception_err_ra(env, EXCP0A_TSS, new_ldt & 0xfffc, retaddr);
439         }
440         load_seg_cache_raw_dt(&env->ldt, e1, e2);
441     }
442 
443     /* load the segments */
444     if (!(new_eflags & VM_MASK)) {
445         int cpl = new_segs[R_CS] & 3;
446         tss_load_seg(env, R_CS, new_segs[R_CS], cpl, retaddr);
447         tss_load_seg(env, R_SS, new_segs[R_SS], cpl, retaddr);
448         tss_load_seg(env, R_ES, new_segs[R_ES], cpl, retaddr);
449         tss_load_seg(env, R_DS, new_segs[R_DS], cpl, retaddr);
450         tss_load_seg(env, R_FS, new_segs[R_FS], cpl, retaddr);
451         tss_load_seg(env, R_GS, new_segs[R_GS], cpl, retaddr);
452     }
453 
454     /* check that env->eip is in the CS segment limits */
455     if (new_eip > env->segs[R_CS].limit) {
456         /* XXX: different exception if CALL? */
457         raise_exception_err_ra(env, EXCP0D_GPF, 0, retaddr);
458     }
459 
460 #ifndef CONFIG_USER_ONLY
461     /* reset local breakpoints */
462     if (env->dr[7] & DR7_LOCAL_BP_MASK) {
463         cpu_x86_update_dr7(env, env->dr[7] & ~DR7_LOCAL_BP_MASK);
464     }
465 #endif
466 }
467 
468 static void switch_tss(CPUX86State *env, int tss_selector,
469                        uint32_t e1, uint32_t e2, int source,
470                         uint32_t next_eip)
471 {
472     switch_tss_ra(env, tss_selector, e1, e2, source, next_eip, 0);
473 }
474 
475 static inline unsigned int get_sp_mask(unsigned int e2)
476 {
477 #ifdef TARGET_X86_64
478     if (e2 & DESC_L_MASK) {
479         return 0;
480     } else
481 #endif
482     if (e2 & DESC_B_MASK) {
483         return 0xffffffff;
484     } else {
485         return 0xffff;
486     }
487 }
488 
489 int exception_has_error_code(int intno)
490 {
491     switch (intno) {
492     case 8:
493     case 10:
494     case 11:
495     case 12:
496     case 13:
497     case 14:
498     case 17:
499         return 1;
500     }
501     return 0;
502 }
503 
504 #ifdef TARGET_X86_64
505 #define SET_ESP(val, sp_mask)                                   \
506     do {                                                        \
507         if ((sp_mask) == 0xffff) {                              \
508             env->regs[R_ESP] = (env->regs[R_ESP] & ~0xffff) |   \
509                 ((val) & 0xffff);                               \
510         } else if ((sp_mask) == 0xffffffffLL) {                 \
511             env->regs[R_ESP] = (uint32_t)(val);                 \
512         } else {                                                \
513             env->regs[R_ESP] = (val);                           \
514         }                                                       \
515     } while (0)
516 #else
517 #define SET_ESP(val, sp_mask)                                   \
518     do {                                                        \
519         env->regs[R_ESP] = (env->regs[R_ESP] & ~(sp_mask)) |    \
520             ((val) & (sp_mask));                                \
521     } while (0)
522 #endif
523 
524 /* in 64-bit machines, this can overflow. So this segment addition macro
525  * can be used to trim the value to 32-bit whenever needed */
526 #define SEG_ADDL(ssp, sp, sp_mask) ((uint32_t)((ssp) + (sp & (sp_mask))))
527 
528 /* XXX: add a is_user flag to have proper security support */
529 #define PUSHW_RA(ssp, sp, sp_mask, val, ra)                      \
530     {                                                            \
531         sp -= 2;                                                 \
532         cpu_stw_kernel_ra(env, (ssp) + (sp & (sp_mask)), (val), ra); \
533     }
534 
535 #define PUSHL_RA(ssp, sp, sp_mask, val, ra)                             \
536     {                                                                   \
537         sp -= 4;                                                        \
538         cpu_stl_kernel_ra(env, SEG_ADDL(ssp, sp, sp_mask), (uint32_t)(val), ra); \
539     }
540 
541 #define POPW_RA(ssp, sp, sp_mask, val, ra)                       \
542     {                                                            \
543         val = cpu_lduw_kernel_ra(env, (ssp) + (sp & (sp_mask)), ra); \
544         sp += 2;                                                 \
545     }
546 
547 #define POPL_RA(ssp, sp, sp_mask, val, ra)                              \
548     {                                                                   \
549         val = (uint32_t)cpu_ldl_kernel_ra(env, SEG_ADDL(ssp, sp, sp_mask), ra); \
550         sp += 4;                                                        \
551     }
552 
553 #define PUSHW(ssp, sp, sp_mask, val) PUSHW_RA(ssp, sp, sp_mask, val, 0)
554 #define PUSHL(ssp, sp, sp_mask, val) PUSHL_RA(ssp, sp, sp_mask, val, 0)
555 #define POPW(ssp, sp, sp_mask, val) POPW_RA(ssp, sp, sp_mask, val, 0)
556 #define POPL(ssp, sp, sp_mask, val) POPL_RA(ssp, sp, sp_mask, val, 0)
557 
558 /* protected mode interrupt */
559 static void do_interrupt_protected(CPUX86State *env, int intno, int is_int,
560                                    int error_code, unsigned int next_eip,
561                                    int is_hw)
562 {
563     SegmentCache *dt;
564     target_ulong ptr, ssp;
565     int type, dpl, selector, ss_dpl, cpl;
566     int has_error_code, new_stack, shift;
567     uint32_t e1, e2, offset, ss = 0, esp, ss_e1 = 0, ss_e2 = 0;
568     uint32_t old_eip, sp_mask;
569     int vm86 = env->eflags & VM_MASK;
570 
571     has_error_code = 0;
572     if (!is_int && !is_hw) {
573         has_error_code = exception_has_error_code(intno);
574     }
575     if (is_int) {
576         old_eip = next_eip;
577     } else {
578         old_eip = env->eip;
579     }
580 
581     dt = &env->idt;
582     if (intno * 8 + 7 > dt->limit) {
583         raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
584     }
585     ptr = dt->base + intno * 8;
586     e1 = cpu_ldl_kernel(env, ptr);
587     e2 = cpu_ldl_kernel(env, ptr + 4);
588     /* check gate type */
589     type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
590     switch (type) {
591     case 5: /* task gate */
592     case 6: /* 286 interrupt gate */
593     case 7: /* 286 trap gate */
594     case 14: /* 386 interrupt gate */
595     case 15: /* 386 trap gate */
596         break;
597     default:
598         raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
599         break;
600     }
601     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
602     cpl = env->hflags & HF_CPL_MASK;
603     /* check privilege if software int */
604     if (is_int && dpl < cpl) {
605         raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
606     }
607 
608     if (type == 5) {
609         /* task gate */
610         /* must do that check here to return the correct error code */
611         if (!(e2 & DESC_P_MASK)) {
612             raise_exception_err(env, EXCP0B_NOSEG, intno * 8 + 2);
613         }
614         switch_tss(env, intno * 8, e1, e2, SWITCH_TSS_CALL, old_eip);
615         if (has_error_code) {
616             int type;
617             uint32_t mask;
618 
619             /* push the error code */
620             type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
621             shift = type >> 3;
622             if (env->segs[R_SS].flags & DESC_B_MASK) {
623                 mask = 0xffffffff;
624             } else {
625                 mask = 0xffff;
626             }
627             esp = (env->regs[R_ESP] - (2 << shift)) & mask;
628             ssp = env->segs[R_SS].base + esp;
629             if (shift) {
630                 cpu_stl_kernel(env, ssp, error_code);
631             } else {
632                 cpu_stw_kernel(env, ssp, error_code);
633             }
634             SET_ESP(esp, mask);
635         }
636         return;
637     }
638 
639     /* Otherwise, trap or interrupt gate */
640 
641     /* check valid bit */
642     if (!(e2 & DESC_P_MASK)) {
643         raise_exception_err(env, EXCP0B_NOSEG, intno * 8 + 2);
644     }
645     selector = e1 >> 16;
646     offset = (e2 & 0xffff0000) | (e1 & 0x0000ffff);
647     if ((selector & 0xfffc) == 0) {
648         raise_exception_err(env, EXCP0D_GPF, 0);
649     }
650     if (load_segment(env, &e1, &e2, selector) != 0) {
651         raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
652     }
653     if (!(e2 & DESC_S_MASK) || !(e2 & (DESC_CS_MASK))) {
654         raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
655     }
656     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
657     if (dpl > cpl) {
658         raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
659     }
660     if (!(e2 & DESC_P_MASK)) {
661         raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
662     }
663     if (e2 & DESC_C_MASK) {
664         dpl = cpl;
665     }
666     if (dpl < cpl) {
667         /* to inner privilege */
668         get_ss_esp_from_tss(env, &ss, &esp, dpl, 0);
669         if ((ss & 0xfffc) == 0) {
670             raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
671         }
672         if ((ss & 3) != dpl) {
673             raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
674         }
675         if (load_segment(env, &ss_e1, &ss_e2, ss) != 0) {
676             raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
677         }
678         ss_dpl = (ss_e2 >> DESC_DPL_SHIFT) & 3;
679         if (ss_dpl != dpl) {
680             raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
681         }
682         if (!(ss_e2 & DESC_S_MASK) ||
683             (ss_e2 & DESC_CS_MASK) ||
684             !(ss_e2 & DESC_W_MASK)) {
685             raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
686         }
687         if (!(ss_e2 & DESC_P_MASK)) {
688             raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
689         }
690         new_stack = 1;
691         sp_mask = get_sp_mask(ss_e2);
692         ssp = get_seg_base(ss_e1, ss_e2);
693     } else  {
694         /* to same privilege */
695         if (vm86) {
696             raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
697         }
698         new_stack = 0;
699         sp_mask = get_sp_mask(env->segs[R_SS].flags);
700         ssp = env->segs[R_SS].base;
701         esp = env->regs[R_ESP];
702     }
703 
704     shift = type >> 3;
705 
706 #if 0
707     /* XXX: check that enough room is available */
708     push_size = 6 + (new_stack << 2) + (has_error_code << 1);
709     if (vm86) {
710         push_size += 8;
711     }
712     push_size <<= shift;
713 #endif
714     if (shift == 1) {
715         if (new_stack) {
716             if (vm86) {
717                 PUSHL(ssp, esp, sp_mask, env->segs[R_GS].selector);
718                 PUSHL(ssp, esp, sp_mask, env->segs[R_FS].selector);
719                 PUSHL(ssp, esp, sp_mask, env->segs[R_DS].selector);
720                 PUSHL(ssp, esp, sp_mask, env->segs[R_ES].selector);
721             }
722             PUSHL(ssp, esp, sp_mask, env->segs[R_SS].selector);
723             PUSHL(ssp, esp, sp_mask, env->regs[R_ESP]);
724         }
725         PUSHL(ssp, esp, sp_mask, cpu_compute_eflags(env));
726         PUSHL(ssp, esp, sp_mask, env->segs[R_CS].selector);
727         PUSHL(ssp, esp, sp_mask, old_eip);
728         if (has_error_code) {
729             PUSHL(ssp, esp, sp_mask, error_code);
730         }
731     } else {
732         if (new_stack) {
733             if (vm86) {
734                 PUSHW(ssp, esp, sp_mask, env->segs[R_GS].selector);
735                 PUSHW(ssp, esp, sp_mask, env->segs[R_FS].selector);
736                 PUSHW(ssp, esp, sp_mask, env->segs[R_DS].selector);
737                 PUSHW(ssp, esp, sp_mask, env->segs[R_ES].selector);
738             }
739             PUSHW(ssp, esp, sp_mask, env->segs[R_SS].selector);
740             PUSHW(ssp, esp, sp_mask, env->regs[R_ESP]);
741         }
742         PUSHW(ssp, esp, sp_mask, cpu_compute_eflags(env));
743         PUSHW(ssp, esp, sp_mask, env->segs[R_CS].selector);
744         PUSHW(ssp, esp, sp_mask, old_eip);
745         if (has_error_code) {
746             PUSHW(ssp, esp, sp_mask, error_code);
747         }
748     }
749 
750     /* interrupt gate clear IF mask */
751     if ((type & 1) == 0) {
752         env->eflags &= ~IF_MASK;
753     }
754     env->eflags &= ~(TF_MASK | VM_MASK | RF_MASK | NT_MASK);
755 
756     if (new_stack) {
757         if (vm86) {
758             cpu_x86_load_seg_cache(env, R_ES, 0, 0, 0, 0);
759             cpu_x86_load_seg_cache(env, R_DS, 0, 0, 0, 0);
760             cpu_x86_load_seg_cache(env, R_FS, 0, 0, 0, 0);
761             cpu_x86_load_seg_cache(env, R_GS, 0, 0, 0, 0);
762         }
763         ss = (ss & ~3) | dpl;
764         cpu_x86_load_seg_cache(env, R_SS, ss,
765                                ssp, get_seg_limit(ss_e1, ss_e2), ss_e2);
766     }
767     SET_ESP(esp, sp_mask);
768 
769     selector = (selector & ~3) | dpl;
770     cpu_x86_load_seg_cache(env, R_CS, selector,
771                    get_seg_base(e1, e2),
772                    get_seg_limit(e1, e2),
773                    e2);
774     env->eip = offset;
775 }
776 
777 #ifdef TARGET_X86_64
778 
779 #define PUSHQ_RA(sp, val, ra)                   \
780     {                                           \
781         sp -= 8;                                \
782         cpu_stq_kernel_ra(env, sp, (val), ra);  \
783     }
784 
785 #define POPQ_RA(sp, val, ra)                    \
786     {                                           \
787         val = cpu_ldq_kernel_ra(env, sp, ra);   \
788         sp += 8;                                \
789     }
790 
791 #define PUSHQ(sp, val) PUSHQ_RA(sp, val, 0)
792 #define POPQ(sp, val) POPQ_RA(sp, val, 0)
793 
794 static inline target_ulong get_rsp_from_tss(CPUX86State *env, int level)
795 {
796     X86CPU *cpu = env_archcpu(env);
797     int index;
798 
799 #if 0
800     printf("TR: base=" TARGET_FMT_lx " limit=%x\n",
801            env->tr.base, env->tr.limit);
802 #endif
803 
804     if (!(env->tr.flags & DESC_P_MASK)) {
805         cpu_abort(CPU(cpu), "invalid tss");
806     }
807     index = 8 * level + 4;
808     if ((index + 7) > env->tr.limit) {
809         raise_exception_err(env, EXCP0A_TSS, env->tr.selector & 0xfffc);
810     }
811     return cpu_ldq_kernel(env, env->tr.base + index);
812 }
813 
814 /* 64 bit interrupt */
815 static void do_interrupt64(CPUX86State *env, int intno, int is_int,
816                            int error_code, target_ulong next_eip, int is_hw)
817 {
818     SegmentCache *dt;
819     target_ulong ptr;
820     int type, dpl, selector, cpl, ist;
821     int has_error_code, new_stack;
822     uint32_t e1, e2, e3, ss;
823     target_ulong old_eip, esp, offset;
824 
825     has_error_code = 0;
826     if (!is_int && !is_hw) {
827         has_error_code = exception_has_error_code(intno);
828     }
829     if (is_int) {
830         old_eip = next_eip;
831     } else {
832         old_eip = env->eip;
833     }
834 
835     dt = &env->idt;
836     if (intno * 16 + 15 > dt->limit) {
837         raise_exception_err(env, EXCP0D_GPF, intno * 16 + 2);
838     }
839     ptr = dt->base + intno * 16;
840     e1 = cpu_ldl_kernel(env, ptr);
841     e2 = cpu_ldl_kernel(env, ptr + 4);
842     e3 = cpu_ldl_kernel(env, ptr + 8);
843     /* check gate type */
844     type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
845     switch (type) {
846     case 14: /* 386 interrupt gate */
847     case 15: /* 386 trap gate */
848         break;
849     default:
850         raise_exception_err(env, EXCP0D_GPF, intno * 16 + 2);
851         break;
852     }
853     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
854     cpl = env->hflags & HF_CPL_MASK;
855     /* check privilege if software int */
856     if (is_int && dpl < cpl) {
857         raise_exception_err(env, EXCP0D_GPF, intno * 16 + 2);
858     }
859     /* check valid bit */
860     if (!(e2 & DESC_P_MASK)) {
861         raise_exception_err(env, EXCP0B_NOSEG, intno * 16 + 2);
862     }
863     selector = e1 >> 16;
864     offset = ((target_ulong)e3 << 32) | (e2 & 0xffff0000) | (e1 & 0x0000ffff);
865     ist = e2 & 7;
866     if ((selector & 0xfffc) == 0) {
867         raise_exception_err(env, EXCP0D_GPF, 0);
868     }
869 
870     if (load_segment(env, &e1, &e2, selector) != 0) {
871         raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
872     }
873     if (!(e2 & DESC_S_MASK) || !(e2 & (DESC_CS_MASK))) {
874         raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
875     }
876     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
877     if (dpl > cpl) {
878         raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
879     }
880     if (!(e2 & DESC_P_MASK)) {
881         raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
882     }
883     if (!(e2 & DESC_L_MASK) || (e2 & DESC_B_MASK)) {
884         raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
885     }
886     if (e2 & DESC_C_MASK) {
887         dpl = cpl;
888     }
889     if (dpl < cpl || ist != 0) {
890         /* to inner privilege */
891         new_stack = 1;
892         esp = get_rsp_from_tss(env, ist != 0 ? ist + 3 : dpl);
893         ss = 0;
894     } else {
895         /* to same privilege */
896         if (env->eflags & VM_MASK) {
897             raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
898         }
899         new_stack = 0;
900         esp = env->regs[R_ESP];
901     }
902     esp &= ~0xfLL; /* align stack */
903 
904     PUSHQ(esp, env->segs[R_SS].selector);
905     PUSHQ(esp, env->regs[R_ESP]);
906     PUSHQ(esp, cpu_compute_eflags(env));
907     PUSHQ(esp, env->segs[R_CS].selector);
908     PUSHQ(esp, old_eip);
909     if (has_error_code) {
910         PUSHQ(esp, error_code);
911     }
912 
913     /* interrupt gate clear IF mask */
914     if ((type & 1) == 0) {
915         env->eflags &= ~IF_MASK;
916     }
917     env->eflags &= ~(TF_MASK | VM_MASK | RF_MASK | NT_MASK);
918 
919     if (new_stack) {
920         ss = 0 | dpl;
921         cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, dpl << DESC_DPL_SHIFT);
922     }
923     env->regs[R_ESP] = esp;
924 
925     selector = (selector & ~3) | dpl;
926     cpu_x86_load_seg_cache(env, R_CS, selector,
927                    get_seg_base(e1, e2),
928                    get_seg_limit(e1, e2),
929                    e2);
930     env->eip = offset;
931 }
932 #endif
933 
934 #ifdef TARGET_X86_64
935 void helper_sysret(CPUX86State *env, int dflag)
936 {
937     int cpl, selector;
938 
939     if (!(env->efer & MSR_EFER_SCE)) {
940         raise_exception_err_ra(env, EXCP06_ILLOP, 0, GETPC());
941     }
942     cpl = env->hflags & HF_CPL_MASK;
943     if (!(env->cr[0] & CR0_PE_MASK) || cpl != 0) {
944         raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
945     }
946     selector = (env->star >> 48) & 0xffff;
947     if (env->hflags & HF_LMA_MASK) {
948         cpu_load_eflags(env, (uint32_t)(env->regs[11]), TF_MASK | AC_MASK
949                         | ID_MASK | IF_MASK | IOPL_MASK | VM_MASK | RF_MASK |
950                         NT_MASK);
951         if (dflag == 2) {
952             cpu_x86_load_seg_cache(env, R_CS, (selector + 16) | 3,
953                                    0, 0xffffffff,
954                                    DESC_G_MASK | DESC_P_MASK |
955                                    DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
956                                    DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK |
957                                    DESC_L_MASK);
958             env->eip = env->regs[R_ECX];
959         } else {
960             cpu_x86_load_seg_cache(env, R_CS, selector | 3,
961                                    0, 0xffffffff,
962                                    DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
963                                    DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
964                                    DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
965             env->eip = (uint32_t)env->regs[R_ECX];
966         }
967         cpu_x86_load_seg_cache(env, R_SS, (selector + 8) | 3,
968                                0, 0xffffffff,
969                                DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
970                                DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
971                                DESC_W_MASK | DESC_A_MASK);
972     } else {
973         env->eflags |= IF_MASK;
974         cpu_x86_load_seg_cache(env, R_CS, selector | 3,
975                                0, 0xffffffff,
976                                DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
977                                DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
978                                DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
979         env->eip = (uint32_t)env->regs[R_ECX];
980         cpu_x86_load_seg_cache(env, R_SS, (selector + 8) | 3,
981                                0, 0xffffffff,
982                                DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
983                                DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
984                                DESC_W_MASK | DESC_A_MASK);
985     }
986 }
987 #endif
988 
989 /* real mode interrupt */
990 static void do_interrupt_real(CPUX86State *env, int intno, int is_int,
991                               int error_code, unsigned int next_eip)
992 {
993     SegmentCache *dt;
994     target_ulong ptr, ssp;
995     int selector;
996     uint32_t offset, esp;
997     uint32_t old_cs, old_eip;
998 
999     /* real mode (simpler!) */
1000     dt = &env->idt;
1001     if (intno * 4 + 3 > dt->limit) {
1002         raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
1003     }
1004     ptr = dt->base + intno * 4;
1005     offset = cpu_lduw_kernel(env, ptr);
1006     selector = cpu_lduw_kernel(env, ptr + 2);
1007     esp = env->regs[R_ESP];
1008     ssp = env->segs[R_SS].base;
1009     if (is_int) {
1010         old_eip = next_eip;
1011     } else {
1012         old_eip = env->eip;
1013     }
1014     old_cs = env->segs[R_CS].selector;
1015     /* XXX: use SS segment size? */
1016     PUSHW(ssp, esp, 0xffff, cpu_compute_eflags(env));
1017     PUSHW(ssp, esp, 0xffff, old_cs);
1018     PUSHW(ssp, esp, 0xffff, old_eip);
1019 
1020     /* update processor state */
1021     env->regs[R_ESP] = (env->regs[R_ESP] & ~0xffff) | (esp & 0xffff);
1022     env->eip = offset;
1023     env->segs[R_CS].selector = selector;
1024     env->segs[R_CS].base = (selector << 4);
1025     env->eflags &= ~(IF_MASK | TF_MASK | AC_MASK | RF_MASK);
1026 }
1027 
1028 /*
1029  * Begin execution of an interruption. is_int is TRUE if coming from
1030  * the int instruction. next_eip is the env->eip value AFTER the interrupt
1031  * instruction. It is only relevant if is_int is TRUE.
1032  */
1033 void do_interrupt_all(X86CPU *cpu, int intno, int is_int,
1034                       int error_code, target_ulong next_eip, int is_hw)
1035 {
1036     CPUX86State *env = &cpu->env;
1037 
1038     if (qemu_loglevel_mask(CPU_LOG_INT)) {
1039         if ((env->cr[0] & CR0_PE_MASK)) {
1040             static int count;
1041 
1042             qemu_log("%6d: v=%02x e=%04x i=%d cpl=%d IP=%04x:" TARGET_FMT_lx
1043                      " pc=" TARGET_FMT_lx " SP=%04x:" TARGET_FMT_lx,
1044                      count, intno, error_code, is_int,
1045                      env->hflags & HF_CPL_MASK,
1046                      env->segs[R_CS].selector, env->eip,
1047                      (int)env->segs[R_CS].base + env->eip,
1048                      env->segs[R_SS].selector, env->regs[R_ESP]);
1049             if (intno == 0x0e) {
1050                 qemu_log(" CR2=" TARGET_FMT_lx, env->cr[2]);
1051             } else {
1052                 qemu_log(" env->regs[R_EAX]=" TARGET_FMT_lx, env->regs[R_EAX]);
1053             }
1054             qemu_log("\n");
1055             log_cpu_state(CPU(cpu), CPU_DUMP_CCOP);
1056 #if 0
1057             {
1058                 int i;
1059                 target_ulong ptr;
1060 
1061                 qemu_log("       code=");
1062                 ptr = env->segs[R_CS].base + env->eip;
1063                 for (i = 0; i < 16; i++) {
1064                     qemu_log(" %02x", ldub(ptr + i));
1065                 }
1066                 qemu_log("\n");
1067             }
1068 #endif
1069             count++;
1070         }
1071     }
1072     if (env->cr[0] & CR0_PE_MASK) {
1073 #if !defined(CONFIG_USER_ONLY)
1074         if (env->hflags & HF_GUEST_MASK) {
1075             handle_even_inj(env, intno, is_int, error_code, is_hw, 0);
1076         }
1077 #endif
1078 #ifdef TARGET_X86_64
1079         if (env->hflags & HF_LMA_MASK) {
1080             do_interrupt64(env, intno, is_int, error_code, next_eip, is_hw);
1081         } else
1082 #endif
1083         {
1084             do_interrupt_protected(env, intno, is_int, error_code, next_eip,
1085                                    is_hw);
1086         }
1087     } else {
1088 #if !defined(CONFIG_USER_ONLY)
1089         if (env->hflags & HF_GUEST_MASK) {
1090             handle_even_inj(env, intno, is_int, error_code, is_hw, 1);
1091         }
1092 #endif
1093         do_interrupt_real(env, intno, is_int, error_code, next_eip);
1094     }
1095 
1096 #if !defined(CONFIG_USER_ONLY)
1097     if (env->hflags & HF_GUEST_MASK) {
1098         CPUState *cs = CPU(cpu);
1099         uint32_t event_inj = x86_ldl_phys(cs, env->vm_vmcb +
1100                                       offsetof(struct vmcb,
1101                                                control.event_inj));
1102 
1103         x86_stl_phys(cs,
1104                  env->vm_vmcb + offsetof(struct vmcb, control.event_inj),
1105                  event_inj & ~SVM_EVTINJ_VALID);
1106     }
1107 #endif
1108 }
1109 
1110 void do_interrupt_x86_hardirq(CPUX86State *env, int intno, int is_hw)
1111 {
1112     do_interrupt_all(env_archcpu(env), intno, 0, 0, 0, is_hw);
1113 }
1114 
1115 bool x86_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
1116 {
1117     X86CPU *cpu = X86_CPU(cs);
1118     CPUX86State *env = &cpu->env;
1119     int intno;
1120 
1121     interrupt_request = x86_cpu_pending_interrupt(cs, interrupt_request);
1122     if (!interrupt_request) {
1123         return false;
1124     }
1125 
1126     /* Don't process multiple interrupt requests in a single call.
1127      * This is required to make icount-driven execution deterministic.
1128      */
1129     switch (interrupt_request) {
1130 #if !defined(CONFIG_USER_ONLY)
1131     case CPU_INTERRUPT_POLL:
1132         cs->interrupt_request &= ~CPU_INTERRUPT_POLL;
1133         apic_poll_irq(cpu->apic_state);
1134         break;
1135 #endif
1136     case CPU_INTERRUPT_SIPI:
1137         do_cpu_sipi(cpu);
1138         break;
1139     case CPU_INTERRUPT_SMI:
1140         cpu_svm_check_intercept_param(env, SVM_EXIT_SMI, 0, 0);
1141         cs->interrupt_request &= ~CPU_INTERRUPT_SMI;
1142 #ifdef CONFIG_USER_ONLY
1143         cpu_abort(CPU(cpu), "SMI interrupt: cannot enter SMM in user-mode");
1144 #else
1145         do_smm_enter(cpu);
1146 #endif /* CONFIG_USER_ONLY */
1147         break;
1148     case CPU_INTERRUPT_NMI:
1149         cpu_svm_check_intercept_param(env, SVM_EXIT_NMI, 0, 0);
1150         cs->interrupt_request &= ~CPU_INTERRUPT_NMI;
1151         env->hflags2 |= HF2_NMI_MASK;
1152         do_interrupt_x86_hardirq(env, EXCP02_NMI, 1);
1153         break;
1154     case CPU_INTERRUPT_MCE:
1155         cs->interrupt_request &= ~CPU_INTERRUPT_MCE;
1156         do_interrupt_x86_hardirq(env, EXCP12_MCHK, 0);
1157         break;
1158     case CPU_INTERRUPT_HARD:
1159         cpu_svm_check_intercept_param(env, SVM_EXIT_INTR, 0, 0);
1160         cs->interrupt_request &= ~(CPU_INTERRUPT_HARD |
1161                                    CPU_INTERRUPT_VIRQ);
1162         intno = cpu_get_pic_interrupt(env);
1163         qemu_log_mask(CPU_LOG_TB_IN_ASM,
1164                       "Servicing hardware INT=0x%02x\n", intno);
1165         do_interrupt_x86_hardirq(env, intno, 1);
1166         break;
1167 #if !defined(CONFIG_USER_ONLY)
1168     case CPU_INTERRUPT_VIRQ:
1169         /* FIXME: this should respect TPR */
1170         cpu_svm_check_intercept_param(env, SVM_EXIT_VINTR, 0, 0);
1171         intno = x86_ldl_phys(cs, env->vm_vmcb
1172                              + offsetof(struct vmcb, control.int_vector));
1173         qemu_log_mask(CPU_LOG_TB_IN_ASM,
1174                       "Servicing virtual hardware INT=0x%02x\n", intno);
1175         do_interrupt_x86_hardirq(env, intno, 1);
1176         cs->interrupt_request &= ~CPU_INTERRUPT_VIRQ;
1177         break;
1178 #endif
1179     }
1180 
1181     /* Ensure that no TB jump will be modified as the program flow was changed.  */
1182     return true;
1183 }
1184 
1185 void helper_lldt(CPUX86State *env, int selector)
1186 {
1187     SegmentCache *dt;
1188     uint32_t e1, e2;
1189     int index, entry_limit;
1190     target_ulong ptr;
1191 
1192     selector &= 0xffff;
1193     if ((selector & 0xfffc) == 0) {
1194         /* XXX: NULL selector case: invalid LDT */
1195         env->ldt.base = 0;
1196         env->ldt.limit = 0;
1197     } else {
1198         if (selector & 0x4) {
1199             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1200         }
1201         dt = &env->gdt;
1202         index = selector & ~7;
1203 #ifdef TARGET_X86_64
1204         if (env->hflags & HF_LMA_MASK) {
1205             entry_limit = 15;
1206         } else
1207 #endif
1208         {
1209             entry_limit = 7;
1210         }
1211         if ((index + entry_limit) > dt->limit) {
1212             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1213         }
1214         ptr = dt->base + index;
1215         e1 = cpu_ldl_kernel_ra(env, ptr, GETPC());
1216         e2 = cpu_ldl_kernel_ra(env, ptr + 4, GETPC());
1217         if ((e2 & DESC_S_MASK) || ((e2 >> DESC_TYPE_SHIFT) & 0xf) != 2) {
1218             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1219         }
1220         if (!(e2 & DESC_P_MASK)) {
1221             raise_exception_err_ra(env, EXCP0B_NOSEG, selector & 0xfffc, GETPC());
1222         }
1223 #ifdef TARGET_X86_64
1224         if (env->hflags & HF_LMA_MASK) {
1225             uint32_t e3;
1226 
1227             e3 = cpu_ldl_kernel_ra(env, ptr + 8, GETPC());
1228             load_seg_cache_raw_dt(&env->ldt, e1, e2);
1229             env->ldt.base |= (target_ulong)e3 << 32;
1230         } else
1231 #endif
1232         {
1233             load_seg_cache_raw_dt(&env->ldt, e1, e2);
1234         }
1235     }
1236     env->ldt.selector = selector;
1237 }
1238 
1239 void helper_ltr(CPUX86State *env, int selector)
1240 {
1241     SegmentCache *dt;
1242     uint32_t e1, e2;
1243     int index, type, entry_limit;
1244     target_ulong ptr;
1245 
1246     selector &= 0xffff;
1247     if ((selector & 0xfffc) == 0) {
1248         /* NULL selector case: invalid TR */
1249         env->tr.base = 0;
1250         env->tr.limit = 0;
1251         env->tr.flags = 0;
1252     } else {
1253         if (selector & 0x4) {
1254             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1255         }
1256         dt = &env->gdt;
1257         index = selector & ~7;
1258 #ifdef TARGET_X86_64
1259         if (env->hflags & HF_LMA_MASK) {
1260             entry_limit = 15;
1261         } else
1262 #endif
1263         {
1264             entry_limit = 7;
1265         }
1266         if ((index + entry_limit) > dt->limit) {
1267             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1268         }
1269         ptr = dt->base + index;
1270         e1 = cpu_ldl_kernel_ra(env, ptr, GETPC());
1271         e2 = cpu_ldl_kernel_ra(env, ptr + 4, GETPC());
1272         type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
1273         if ((e2 & DESC_S_MASK) ||
1274             (type != 1 && type != 9)) {
1275             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1276         }
1277         if (!(e2 & DESC_P_MASK)) {
1278             raise_exception_err_ra(env, EXCP0B_NOSEG, selector & 0xfffc, GETPC());
1279         }
1280 #ifdef TARGET_X86_64
1281         if (env->hflags & HF_LMA_MASK) {
1282             uint32_t e3, e4;
1283 
1284             e3 = cpu_ldl_kernel_ra(env, ptr + 8, GETPC());
1285             e4 = cpu_ldl_kernel_ra(env, ptr + 12, GETPC());
1286             if ((e4 >> DESC_TYPE_SHIFT) & 0xf) {
1287                 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1288             }
1289             load_seg_cache_raw_dt(&env->tr, e1, e2);
1290             env->tr.base |= (target_ulong)e3 << 32;
1291         } else
1292 #endif
1293         {
1294             load_seg_cache_raw_dt(&env->tr, e1, e2);
1295         }
1296         e2 |= DESC_TSS_BUSY_MASK;
1297         cpu_stl_kernel_ra(env, ptr + 4, e2, GETPC());
1298     }
1299     env->tr.selector = selector;
1300 }
1301 
1302 /* only works if protected mode and not VM86. seg_reg must be != R_CS */
1303 void helper_load_seg(CPUX86State *env, int seg_reg, int selector)
1304 {
1305     uint32_t e1, e2;
1306     int cpl, dpl, rpl;
1307     SegmentCache *dt;
1308     int index;
1309     target_ulong ptr;
1310 
1311     selector &= 0xffff;
1312     cpl = env->hflags & HF_CPL_MASK;
1313     if ((selector & 0xfffc) == 0) {
1314         /* null selector case */
1315         if (seg_reg == R_SS
1316 #ifdef TARGET_X86_64
1317             && (!(env->hflags & HF_CS64_MASK) || cpl == 3)
1318 #endif
1319             ) {
1320             raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1321         }
1322         cpu_x86_load_seg_cache(env, seg_reg, selector, 0, 0, 0);
1323     } else {
1324 
1325         if (selector & 0x4) {
1326             dt = &env->ldt;
1327         } else {
1328             dt = &env->gdt;
1329         }
1330         index = selector & ~7;
1331         if ((index + 7) > dt->limit) {
1332             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1333         }
1334         ptr = dt->base + index;
1335         e1 = cpu_ldl_kernel_ra(env, ptr, GETPC());
1336         e2 = cpu_ldl_kernel_ra(env, ptr + 4, GETPC());
1337 
1338         if (!(e2 & DESC_S_MASK)) {
1339             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1340         }
1341         rpl = selector & 3;
1342         dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1343         if (seg_reg == R_SS) {
1344             /* must be writable segment */
1345             if ((e2 & DESC_CS_MASK) || !(e2 & DESC_W_MASK)) {
1346                 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1347             }
1348             if (rpl != cpl || dpl != cpl) {
1349                 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1350             }
1351         } else {
1352             /* must be readable segment */
1353             if ((e2 & (DESC_CS_MASK | DESC_R_MASK)) == DESC_CS_MASK) {
1354                 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1355             }
1356 
1357             if (!(e2 & DESC_CS_MASK) || !(e2 & DESC_C_MASK)) {
1358                 /* if not conforming code, test rights */
1359                 if (dpl < cpl || dpl < rpl) {
1360                     raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1361                 }
1362             }
1363         }
1364 
1365         if (!(e2 & DESC_P_MASK)) {
1366             if (seg_reg == R_SS) {
1367                 raise_exception_err_ra(env, EXCP0C_STACK, selector & 0xfffc, GETPC());
1368             } else {
1369                 raise_exception_err_ra(env, EXCP0B_NOSEG, selector & 0xfffc, GETPC());
1370             }
1371         }
1372 
1373         /* set the access bit if not already set */
1374         if (!(e2 & DESC_A_MASK)) {
1375             e2 |= DESC_A_MASK;
1376             cpu_stl_kernel_ra(env, ptr + 4, e2, GETPC());
1377         }
1378 
1379         cpu_x86_load_seg_cache(env, seg_reg, selector,
1380                        get_seg_base(e1, e2),
1381                        get_seg_limit(e1, e2),
1382                        e2);
1383 #if 0
1384         qemu_log("load_seg: sel=0x%04x base=0x%08lx limit=0x%08lx flags=%08x\n",
1385                 selector, (unsigned long)sc->base, sc->limit, sc->flags);
1386 #endif
1387     }
1388 }
1389 
1390 /* protected mode jump */
1391 void helper_ljmp_protected(CPUX86State *env, int new_cs, target_ulong new_eip,
1392                            target_ulong next_eip)
1393 {
1394     int gate_cs, type;
1395     uint32_t e1, e2, cpl, dpl, rpl, limit;
1396 
1397     if ((new_cs & 0xfffc) == 0) {
1398         raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1399     }
1400     if (load_segment_ra(env, &e1, &e2, new_cs, GETPC()) != 0) {
1401         raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1402     }
1403     cpl = env->hflags & HF_CPL_MASK;
1404     if (e2 & DESC_S_MASK) {
1405         if (!(e2 & DESC_CS_MASK)) {
1406             raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1407         }
1408         dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1409         if (e2 & DESC_C_MASK) {
1410             /* conforming code segment */
1411             if (dpl > cpl) {
1412                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1413             }
1414         } else {
1415             /* non conforming code segment */
1416             rpl = new_cs & 3;
1417             if (rpl > cpl) {
1418                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1419             }
1420             if (dpl != cpl) {
1421                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1422             }
1423         }
1424         if (!(e2 & DESC_P_MASK)) {
1425             raise_exception_err_ra(env, EXCP0B_NOSEG, new_cs & 0xfffc, GETPC());
1426         }
1427         limit = get_seg_limit(e1, e2);
1428         if (new_eip > limit &&
1429             (!(env->hflags & HF_LMA_MASK) || !(e2 & DESC_L_MASK))) {
1430             raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1431         }
1432         cpu_x86_load_seg_cache(env, R_CS, (new_cs & 0xfffc) | cpl,
1433                        get_seg_base(e1, e2), limit, e2);
1434         env->eip = new_eip;
1435     } else {
1436         /* jump to call or task gate */
1437         dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1438         rpl = new_cs & 3;
1439         cpl = env->hflags & HF_CPL_MASK;
1440         type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
1441 
1442 #ifdef TARGET_X86_64
1443         if (env->efer & MSR_EFER_LMA) {
1444             if (type != 12) {
1445                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1446             }
1447         }
1448 #endif
1449         switch (type) {
1450         case 1: /* 286 TSS */
1451         case 9: /* 386 TSS */
1452         case 5: /* task gate */
1453             if (dpl < cpl || dpl < rpl) {
1454                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1455             }
1456             switch_tss_ra(env, new_cs, e1, e2, SWITCH_TSS_JMP, next_eip, GETPC());
1457             break;
1458         case 4: /* 286 call gate */
1459         case 12: /* 386 call gate */
1460             if ((dpl < cpl) || (dpl < rpl)) {
1461                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1462             }
1463             if (!(e2 & DESC_P_MASK)) {
1464                 raise_exception_err_ra(env, EXCP0B_NOSEG, new_cs & 0xfffc, GETPC());
1465             }
1466             gate_cs = e1 >> 16;
1467             new_eip = (e1 & 0xffff);
1468             if (type == 12) {
1469                 new_eip |= (e2 & 0xffff0000);
1470             }
1471 
1472 #ifdef TARGET_X86_64
1473             if (env->efer & MSR_EFER_LMA) {
1474                 /* load the upper 8 bytes of the 64-bit call gate */
1475                 if (load_segment_ra(env, &e1, &e2, new_cs + 8, GETPC())) {
1476                     raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc,
1477                                            GETPC());
1478                 }
1479                 type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
1480                 if (type != 0) {
1481                     raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc,
1482                                            GETPC());
1483                 }
1484                 new_eip |= ((target_ulong)e1) << 32;
1485             }
1486 #endif
1487 
1488             if (load_segment_ra(env, &e1, &e2, gate_cs, GETPC()) != 0) {
1489                 raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1490             }
1491             dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1492             /* must be code segment */
1493             if (((e2 & (DESC_S_MASK | DESC_CS_MASK)) !=
1494                  (DESC_S_MASK | DESC_CS_MASK))) {
1495                 raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1496             }
1497             if (((e2 & DESC_C_MASK) && (dpl > cpl)) ||
1498                 (!(e2 & DESC_C_MASK) && (dpl != cpl))) {
1499                 raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1500             }
1501 #ifdef TARGET_X86_64
1502             if (env->efer & MSR_EFER_LMA) {
1503                 if (!(e2 & DESC_L_MASK)) {
1504                     raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1505                 }
1506                 if (e2 & DESC_B_MASK) {
1507                     raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1508                 }
1509             }
1510 #endif
1511             if (!(e2 & DESC_P_MASK)) {
1512                 raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1513             }
1514             limit = get_seg_limit(e1, e2);
1515             if (new_eip > limit &&
1516                 (!(env->hflags & HF_LMA_MASK) || !(e2 & DESC_L_MASK))) {
1517                 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1518             }
1519             cpu_x86_load_seg_cache(env, R_CS, (gate_cs & 0xfffc) | cpl,
1520                                    get_seg_base(e1, e2), limit, e2);
1521             env->eip = new_eip;
1522             break;
1523         default:
1524             raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1525             break;
1526         }
1527     }
1528 }
1529 
1530 /* real mode call */
1531 void helper_lcall_real(CPUX86State *env, int new_cs, target_ulong new_eip1,
1532                        int shift, int next_eip)
1533 {
1534     int new_eip;
1535     uint32_t esp, esp_mask;
1536     target_ulong ssp;
1537 
1538     new_eip = new_eip1;
1539     esp = env->regs[R_ESP];
1540     esp_mask = get_sp_mask(env->segs[R_SS].flags);
1541     ssp = env->segs[R_SS].base;
1542     if (shift) {
1543         PUSHL_RA(ssp, esp, esp_mask, env->segs[R_CS].selector, GETPC());
1544         PUSHL_RA(ssp, esp, esp_mask, next_eip, GETPC());
1545     } else {
1546         PUSHW_RA(ssp, esp, esp_mask, env->segs[R_CS].selector, GETPC());
1547         PUSHW_RA(ssp, esp, esp_mask, next_eip, GETPC());
1548     }
1549 
1550     SET_ESP(esp, esp_mask);
1551     env->eip = new_eip;
1552     env->segs[R_CS].selector = new_cs;
1553     env->segs[R_CS].base = (new_cs << 4);
1554 }
1555 
1556 /* protected mode call */
1557 void helper_lcall_protected(CPUX86State *env, int new_cs, target_ulong new_eip,
1558                             int shift, target_ulong next_eip)
1559 {
1560     int new_stack, i;
1561     uint32_t e1, e2, cpl, dpl, rpl, selector, param_count;
1562     uint32_t ss = 0, ss_e1 = 0, ss_e2 = 0, type, ss_dpl, sp_mask;
1563     uint32_t val, limit, old_sp_mask;
1564     target_ulong ssp, old_ssp, offset, sp;
1565 
1566     LOG_PCALL("lcall %04x:" TARGET_FMT_lx " s=%d\n", new_cs, new_eip, shift);
1567     LOG_PCALL_STATE(env_cpu(env));
1568     if ((new_cs & 0xfffc) == 0) {
1569         raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1570     }
1571     if (load_segment_ra(env, &e1, &e2, new_cs, GETPC()) != 0) {
1572         raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1573     }
1574     cpl = env->hflags & HF_CPL_MASK;
1575     LOG_PCALL("desc=%08x:%08x\n", e1, e2);
1576     if (e2 & DESC_S_MASK) {
1577         if (!(e2 & DESC_CS_MASK)) {
1578             raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1579         }
1580         dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1581         if (e2 & DESC_C_MASK) {
1582             /* conforming code segment */
1583             if (dpl > cpl) {
1584                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1585             }
1586         } else {
1587             /* non conforming code segment */
1588             rpl = new_cs & 3;
1589             if (rpl > cpl) {
1590                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1591             }
1592             if (dpl != cpl) {
1593                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1594             }
1595         }
1596         if (!(e2 & DESC_P_MASK)) {
1597             raise_exception_err_ra(env, EXCP0B_NOSEG, new_cs & 0xfffc, GETPC());
1598         }
1599 
1600 #ifdef TARGET_X86_64
1601         /* XXX: check 16/32 bit cases in long mode */
1602         if (shift == 2) {
1603             target_ulong rsp;
1604 
1605             /* 64 bit case */
1606             rsp = env->regs[R_ESP];
1607             PUSHQ_RA(rsp, env->segs[R_CS].selector, GETPC());
1608             PUSHQ_RA(rsp, next_eip, GETPC());
1609             /* from this point, not restartable */
1610             env->regs[R_ESP] = rsp;
1611             cpu_x86_load_seg_cache(env, R_CS, (new_cs & 0xfffc) | cpl,
1612                                    get_seg_base(e1, e2),
1613                                    get_seg_limit(e1, e2), e2);
1614             env->eip = new_eip;
1615         } else
1616 #endif
1617         {
1618             sp = env->regs[R_ESP];
1619             sp_mask = get_sp_mask(env->segs[R_SS].flags);
1620             ssp = env->segs[R_SS].base;
1621             if (shift) {
1622                 PUSHL_RA(ssp, sp, sp_mask, env->segs[R_CS].selector, GETPC());
1623                 PUSHL_RA(ssp, sp, sp_mask, next_eip, GETPC());
1624             } else {
1625                 PUSHW_RA(ssp, sp, sp_mask, env->segs[R_CS].selector, GETPC());
1626                 PUSHW_RA(ssp, sp, sp_mask, next_eip, GETPC());
1627             }
1628 
1629             limit = get_seg_limit(e1, e2);
1630             if (new_eip > limit) {
1631                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1632             }
1633             /* from this point, not restartable */
1634             SET_ESP(sp, sp_mask);
1635             cpu_x86_load_seg_cache(env, R_CS, (new_cs & 0xfffc) | cpl,
1636                                    get_seg_base(e1, e2), limit, e2);
1637             env->eip = new_eip;
1638         }
1639     } else {
1640         /* check gate type */
1641         type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
1642         dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1643         rpl = new_cs & 3;
1644 
1645 #ifdef TARGET_X86_64
1646         if (env->efer & MSR_EFER_LMA) {
1647             if (type != 12) {
1648                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1649             }
1650         }
1651 #endif
1652 
1653         switch (type) {
1654         case 1: /* available 286 TSS */
1655         case 9: /* available 386 TSS */
1656         case 5: /* task gate */
1657             if (dpl < cpl || dpl < rpl) {
1658                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1659             }
1660             switch_tss_ra(env, new_cs, e1, e2, SWITCH_TSS_CALL, next_eip, GETPC());
1661             return;
1662         case 4: /* 286 call gate */
1663         case 12: /* 386 call gate */
1664             break;
1665         default:
1666             raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1667             break;
1668         }
1669         shift = type >> 3;
1670 
1671         if (dpl < cpl || dpl < rpl) {
1672             raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1673         }
1674         /* check valid bit */
1675         if (!(e2 & DESC_P_MASK)) {
1676             raise_exception_err_ra(env, EXCP0B_NOSEG,  new_cs & 0xfffc, GETPC());
1677         }
1678         selector = e1 >> 16;
1679         param_count = e2 & 0x1f;
1680         offset = (e2 & 0xffff0000) | (e1 & 0x0000ffff);
1681 #ifdef TARGET_X86_64
1682         if (env->efer & MSR_EFER_LMA) {
1683             /* load the upper 8 bytes of the 64-bit call gate */
1684             if (load_segment_ra(env, &e1, &e2, new_cs + 8, GETPC())) {
1685                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc,
1686                                        GETPC());
1687             }
1688             type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
1689             if (type != 0) {
1690                 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc,
1691                                        GETPC());
1692             }
1693             offset |= ((target_ulong)e1) << 32;
1694         }
1695 #endif
1696         if ((selector & 0xfffc) == 0) {
1697             raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1698         }
1699 
1700         if (load_segment_ra(env, &e1, &e2, selector, GETPC()) != 0) {
1701             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1702         }
1703         if (!(e2 & DESC_S_MASK) || !(e2 & (DESC_CS_MASK))) {
1704             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1705         }
1706         dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1707         if (dpl > cpl) {
1708             raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1709         }
1710 #ifdef TARGET_X86_64
1711         if (env->efer & MSR_EFER_LMA) {
1712             if (!(e2 & DESC_L_MASK)) {
1713                 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1714             }
1715             if (e2 & DESC_B_MASK) {
1716                 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1717             }
1718             shift++;
1719         }
1720 #endif
1721         if (!(e2 & DESC_P_MASK)) {
1722             raise_exception_err_ra(env, EXCP0B_NOSEG, selector & 0xfffc, GETPC());
1723         }
1724 
1725         if (!(e2 & DESC_C_MASK) && dpl < cpl) {
1726             /* to inner privilege */
1727 #ifdef TARGET_X86_64
1728             if (shift == 2) {
1729                 sp = get_rsp_from_tss(env, dpl);
1730                 ss = dpl;  /* SS = NULL selector with RPL = new CPL */
1731                 new_stack = 1;
1732                 sp_mask = 0;
1733                 ssp = 0;  /* SS base is always zero in IA-32e mode */
1734                 LOG_PCALL("new ss:rsp=%04x:%016llx env->regs[R_ESP]="
1735                           TARGET_FMT_lx "\n", ss, sp, env->regs[R_ESP]);
1736             } else
1737 #endif
1738             {
1739                 uint32_t sp32;
1740                 get_ss_esp_from_tss(env, &ss, &sp32, dpl, GETPC());
1741                 LOG_PCALL("new ss:esp=%04x:%08x param_count=%d env->regs[R_ESP]="
1742                           TARGET_FMT_lx "\n", ss, sp32, param_count,
1743                           env->regs[R_ESP]);
1744                 sp = sp32;
1745                 if ((ss & 0xfffc) == 0) {
1746                     raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1747                 }
1748                 if ((ss & 3) != dpl) {
1749                     raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1750                 }
1751                 if (load_segment_ra(env, &ss_e1, &ss_e2, ss, GETPC()) != 0) {
1752                     raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1753                 }
1754                 ss_dpl = (ss_e2 >> DESC_DPL_SHIFT) & 3;
1755                 if (ss_dpl != dpl) {
1756                     raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1757                 }
1758                 if (!(ss_e2 & DESC_S_MASK) ||
1759                     (ss_e2 & DESC_CS_MASK) ||
1760                     !(ss_e2 & DESC_W_MASK)) {
1761                     raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1762                 }
1763                 if (!(ss_e2 & DESC_P_MASK)) {
1764                     raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1765                 }
1766 
1767                 sp_mask = get_sp_mask(ss_e2);
1768                 ssp = get_seg_base(ss_e1, ss_e2);
1769             }
1770 
1771             /* push_size = ((param_count * 2) + 8) << shift; */
1772 
1773             old_sp_mask = get_sp_mask(env->segs[R_SS].flags);
1774             old_ssp = env->segs[R_SS].base;
1775 #ifdef TARGET_X86_64
1776             if (shift == 2) {
1777                 /* XXX: verify if new stack address is canonical */
1778                 PUSHQ_RA(sp, env->segs[R_SS].selector, GETPC());
1779                 PUSHQ_RA(sp, env->regs[R_ESP], GETPC());
1780                 /* parameters aren't supported for 64-bit call gates */
1781             } else
1782 #endif
1783             if (shift == 1) {
1784                 PUSHL_RA(ssp, sp, sp_mask, env->segs[R_SS].selector, GETPC());
1785                 PUSHL_RA(ssp, sp, sp_mask, env->regs[R_ESP], GETPC());
1786                 for (i = param_count - 1; i >= 0; i--) {
1787                     val = cpu_ldl_kernel_ra(env, old_ssp +
1788                                             ((env->regs[R_ESP] + i * 4) &
1789                                              old_sp_mask), GETPC());
1790                     PUSHL_RA(ssp, sp, sp_mask, val, GETPC());
1791                 }
1792             } else {
1793                 PUSHW_RA(ssp, sp, sp_mask, env->segs[R_SS].selector, GETPC());
1794                 PUSHW_RA(ssp, sp, sp_mask, env->regs[R_ESP], GETPC());
1795                 for (i = param_count - 1; i >= 0; i--) {
1796                     val = cpu_lduw_kernel_ra(env, old_ssp +
1797                                              ((env->regs[R_ESP] + i * 2) &
1798                                               old_sp_mask), GETPC());
1799                     PUSHW_RA(ssp, sp, sp_mask, val, GETPC());
1800                 }
1801             }
1802             new_stack = 1;
1803         } else {
1804             /* to same privilege */
1805             sp = env->regs[R_ESP];
1806             sp_mask = get_sp_mask(env->segs[R_SS].flags);
1807             ssp = env->segs[R_SS].base;
1808             /* push_size = (4 << shift); */
1809             new_stack = 0;
1810         }
1811 
1812 #ifdef TARGET_X86_64
1813         if (shift == 2) {
1814             PUSHQ_RA(sp, env->segs[R_CS].selector, GETPC());
1815             PUSHQ_RA(sp, next_eip, GETPC());
1816         } else
1817 #endif
1818         if (shift == 1) {
1819             PUSHL_RA(ssp, sp, sp_mask, env->segs[R_CS].selector, GETPC());
1820             PUSHL_RA(ssp, sp, sp_mask, next_eip, GETPC());
1821         } else {
1822             PUSHW_RA(ssp, sp, sp_mask, env->segs[R_CS].selector, GETPC());
1823             PUSHW_RA(ssp, sp, sp_mask, next_eip, GETPC());
1824         }
1825 
1826         /* from this point, not restartable */
1827 
1828         if (new_stack) {
1829 #ifdef TARGET_X86_64
1830             if (shift == 2) {
1831                 cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, 0);
1832             } else
1833 #endif
1834             {
1835                 ss = (ss & ~3) | dpl;
1836                 cpu_x86_load_seg_cache(env, R_SS, ss,
1837                                        ssp,
1838                                        get_seg_limit(ss_e1, ss_e2),
1839                                        ss_e2);
1840             }
1841         }
1842 
1843         selector = (selector & ~3) | dpl;
1844         cpu_x86_load_seg_cache(env, R_CS, selector,
1845                        get_seg_base(e1, e2),
1846                        get_seg_limit(e1, e2),
1847                        e2);
1848         SET_ESP(sp, sp_mask);
1849         env->eip = offset;
1850     }
1851 }
1852 
1853 /* real and vm86 mode iret */
1854 void helper_iret_real(CPUX86State *env, int shift)
1855 {
1856     uint32_t sp, new_cs, new_eip, new_eflags, sp_mask;
1857     target_ulong ssp;
1858     int eflags_mask;
1859 
1860     sp_mask = 0xffff; /* XXXX: use SS segment size? */
1861     sp = env->regs[R_ESP];
1862     ssp = env->segs[R_SS].base;
1863     if (shift == 1) {
1864         /* 32 bits */
1865         POPL_RA(ssp, sp, sp_mask, new_eip, GETPC());
1866         POPL_RA(ssp, sp, sp_mask, new_cs, GETPC());
1867         new_cs &= 0xffff;
1868         POPL_RA(ssp, sp, sp_mask, new_eflags, GETPC());
1869     } else {
1870         /* 16 bits */
1871         POPW_RA(ssp, sp, sp_mask, new_eip, GETPC());
1872         POPW_RA(ssp, sp, sp_mask, new_cs, GETPC());
1873         POPW_RA(ssp, sp, sp_mask, new_eflags, GETPC());
1874     }
1875     env->regs[R_ESP] = (env->regs[R_ESP] & ~sp_mask) | (sp & sp_mask);
1876     env->segs[R_CS].selector = new_cs;
1877     env->segs[R_CS].base = (new_cs << 4);
1878     env->eip = new_eip;
1879     if (env->eflags & VM_MASK) {
1880         eflags_mask = TF_MASK | AC_MASK | ID_MASK | IF_MASK | RF_MASK |
1881             NT_MASK;
1882     } else {
1883         eflags_mask = TF_MASK | AC_MASK | ID_MASK | IF_MASK | IOPL_MASK |
1884             RF_MASK | NT_MASK;
1885     }
1886     if (shift == 0) {
1887         eflags_mask &= 0xffff;
1888     }
1889     cpu_load_eflags(env, new_eflags, eflags_mask);
1890     env->hflags2 &= ~HF2_NMI_MASK;
1891 }
1892 
1893 static inline void validate_seg(CPUX86State *env, X86Seg seg_reg, int cpl)
1894 {
1895     int dpl;
1896     uint32_t e2;
1897 
1898     /* XXX: on x86_64, we do not want to nullify FS and GS because
1899        they may still contain a valid base. I would be interested to
1900        know how a real x86_64 CPU behaves */
1901     if ((seg_reg == R_FS || seg_reg == R_GS) &&
1902         (env->segs[seg_reg].selector & 0xfffc) == 0) {
1903         return;
1904     }
1905 
1906     e2 = env->segs[seg_reg].flags;
1907     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1908     if (!(e2 & DESC_CS_MASK) || !(e2 & DESC_C_MASK)) {
1909         /* data or non conforming code segment */
1910         if (dpl < cpl) {
1911             cpu_x86_load_seg_cache(env, seg_reg, 0,
1912                                    env->segs[seg_reg].base,
1913                                    env->segs[seg_reg].limit,
1914                                    env->segs[seg_reg].flags & ~DESC_P_MASK);
1915         }
1916     }
1917 }
1918 
1919 /* protected mode iret */
1920 static inline void helper_ret_protected(CPUX86State *env, int shift,
1921                                         int is_iret, int addend,
1922                                         uintptr_t retaddr)
1923 {
1924     uint32_t new_cs, new_eflags, new_ss;
1925     uint32_t new_es, new_ds, new_fs, new_gs;
1926     uint32_t e1, e2, ss_e1, ss_e2;
1927     int cpl, dpl, rpl, eflags_mask, iopl;
1928     target_ulong ssp, sp, new_eip, new_esp, sp_mask;
1929 
1930 #ifdef TARGET_X86_64
1931     if (shift == 2) {
1932         sp_mask = -1;
1933     } else
1934 #endif
1935     {
1936         sp_mask = get_sp_mask(env->segs[R_SS].flags);
1937     }
1938     sp = env->regs[R_ESP];
1939     ssp = env->segs[R_SS].base;
1940     new_eflags = 0; /* avoid warning */
1941 #ifdef TARGET_X86_64
1942     if (shift == 2) {
1943         POPQ_RA(sp, new_eip, retaddr);
1944         POPQ_RA(sp, new_cs, retaddr);
1945         new_cs &= 0xffff;
1946         if (is_iret) {
1947             POPQ_RA(sp, new_eflags, retaddr);
1948         }
1949     } else
1950 #endif
1951     {
1952         if (shift == 1) {
1953             /* 32 bits */
1954             POPL_RA(ssp, sp, sp_mask, new_eip, retaddr);
1955             POPL_RA(ssp, sp, sp_mask, new_cs, retaddr);
1956             new_cs &= 0xffff;
1957             if (is_iret) {
1958                 POPL_RA(ssp, sp, sp_mask, new_eflags, retaddr);
1959                 if (new_eflags & VM_MASK) {
1960                     goto return_to_vm86;
1961                 }
1962             }
1963         } else {
1964             /* 16 bits */
1965             POPW_RA(ssp, sp, sp_mask, new_eip, retaddr);
1966             POPW_RA(ssp, sp, sp_mask, new_cs, retaddr);
1967             if (is_iret) {
1968                 POPW_RA(ssp, sp, sp_mask, new_eflags, retaddr);
1969             }
1970         }
1971     }
1972     LOG_PCALL("lret new %04x:" TARGET_FMT_lx " s=%d addend=0x%x\n",
1973               new_cs, new_eip, shift, addend);
1974     LOG_PCALL_STATE(env_cpu(env));
1975     if ((new_cs & 0xfffc) == 0) {
1976         raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1977     }
1978     if (load_segment_ra(env, &e1, &e2, new_cs, retaddr) != 0) {
1979         raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1980     }
1981     if (!(e2 & DESC_S_MASK) ||
1982         !(e2 & DESC_CS_MASK)) {
1983         raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1984     }
1985     cpl = env->hflags & HF_CPL_MASK;
1986     rpl = new_cs & 3;
1987     if (rpl < cpl) {
1988         raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1989     }
1990     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1991     if (e2 & DESC_C_MASK) {
1992         if (dpl > rpl) {
1993             raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1994         }
1995     } else {
1996         if (dpl != rpl) {
1997             raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1998         }
1999     }
2000     if (!(e2 & DESC_P_MASK)) {
2001         raise_exception_err_ra(env, EXCP0B_NOSEG, new_cs & 0xfffc, retaddr);
2002     }
2003 
2004     sp += addend;
2005     if (rpl == cpl && (!(env->hflags & HF_CS64_MASK) ||
2006                        ((env->hflags & HF_CS64_MASK) && !is_iret))) {
2007         /* return to same privilege level */
2008         cpu_x86_load_seg_cache(env, R_CS, new_cs,
2009                        get_seg_base(e1, e2),
2010                        get_seg_limit(e1, e2),
2011                        e2);
2012     } else {
2013         /* return to different privilege level */
2014 #ifdef TARGET_X86_64
2015         if (shift == 2) {
2016             POPQ_RA(sp, new_esp, retaddr);
2017             POPQ_RA(sp, new_ss, retaddr);
2018             new_ss &= 0xffff;
2019         } else
2020 #endif
2021         {
2022             if (shift == 1) {
2023                 /* 32 bits */
2024                 POPL_RA(ssp, sp, sp_mask, new_esp, retaddr);
2025                 POPL_RA(ssp, sp, sp_mask, new_ss, retaddr);
2026                 new_ss &= 0xffff;
2027             } else {
2028                 /* 16 bits */
2029                 POPW_RA(ssp, sp, sp_mask, new_esp, retaddr);
2030                 POPW_RA(ssp, sp, sp_mask, new_ss, retaddr);
2031             }
2032         }
2033         LOG_PCALL("new ss:esp=%04x:" TARGET_FMT_lx "\n",
2034                   new_ss, new_esp);
2035         if ((new_ss & 0xfffc) == 0) {
2036 #ifdef TARGET_X86_64
2037             /* NULL ss is allowed in long mode if cpl != 3 */
2038             /* XXX: test CS64? */
2039             if ((env->hflags & HF_LMA_MASK) && rpl != 3) {
2040                 cpu_x86_load_seg_cache(env, R_SS, new_ss,
2041                                        0, 0xffffffff,
2042                                        DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2043                                        DESC_S_MASK | (rpl << DESC_DPL_SHIFT) |
2044                                        DESC_W_MASK | DESC_A_MASK);
2045                 ss_e2 = DESC_B_MASK; /* XXX: should not be needed? */
2046             } else
2047 #endif
2048             {
2049                 raise_exception_err_ra(env, EXCP0D_GPF, 0, retaddr);
2050             }
2051         } else {
2052             if ((new_ss & 3) != rpl) {
2053                 raise_exception_err_ra(env, EXCP0D_GPF, new_ss & 0xfffc, retaddr);
2054             }
2055             if (load_segment_ra(env, &ss_e1, &ss_e2, new_ss, retaddr) != 0) {
2056                 raise_exception_err_ra(env, EXCP0D_GPF, new_ss & 0xfffc, retaddr);
2057             }
2058             if (!(ss_e2 & DESC_S_MASK) ||
2059                 (ss_e2 & DESC_CS_MASK) ||
2060                 !(ss_e2 & DESC_W_MASK)) {
2061                 raise_exception_err_ra(env, EXCP0D_GPF, new_ss & 0xfffc, retaddr);
2062             }
2063             dpl = (ss_e2 >> DESC_DPL_SHIFT) & 3;
2064             if (dpl != rpl) {
2065                 raise_exception_err_ra(env, EXCP0D_GPF, new_ss & 0xfffc, retaddr);
2066             }
2067             if (!(ss_e2 & DESC_P_MASK)) {
2068                 raise_exception_err_ra(env, EXCP0B_NOSEG, new_ss & 0xfffc, retaddr);
2069             }
2070             cpu_x86_load_seg_cache(env, R_SS, new_ss,
2071                                    get_seg_base(ss_e1, ss_e2),
2072                                    get_seg_limit(ss_e1, ss_e2),
2073                                    ss_e2);
2074         }
2075 
2076         cpu_x86_load_seg_cache(env, R_CS, new_cs,
2077                        get_seg_base(e1, e2),
2078                        get_seg_limit(e1, e2),
2079                        e2);
2080         sp = new_esp;
2081 #ifdef TARGET_X86_64
2082         if (env->hflags & HF_CS64_MASK) {
2083             sp_mask = -1;
2084         } else
2085 #endif
2086         {
2087             sp_mask = get_sp_mask(ss_e2);
2088         }
2089 
2090         /* validate data segments */
2091         validate_seg(env, R_ES, rpl);
2092         validate_seg(env, R_DS, rpl);
2093         validate_seg(env, R_FS, rpl);
2094         validate_seg(env, R_GS, rpl);
2095 
2096         sp += addend;
2097     }
2098     SET_ESP(sp, sp_mask);
2099     env->eip = new_eip;
2100     if (is_iret) {
2101         /* NOTE: 'cpl' is the _old_ CPL */
2102         eflags_mask = TF_MASK | AC_MASK | ID_MASK | RF_MASK | NT_MASK;
2103         if (cpl == 0) {
2104             eflags_mask |= IOPL_MASK;
2105         }
2106         iopl = (env->eflags >> IOPL_SHIFT) & 3;
2107         if (cpl <= iopl) {
2108             eflags_mask |= IF_MASK;
2109         }
2110         if (shift == 0) {
2111             eflags_mask &= 0xffff;
2112         }
2113         cpu_load_eflags(env, new_eflags, eflags_mask);
2114     }
2115     return;
2116 
2117  return_to_vm86:
2118     POPL_RA(ssp, sp, sp_mask, new_esp, retaddr);
2119     POPL_RA(ssp, sp, sp_mask, new_ss, retaddr);
2120     POPL_RA(ssp, sp, sp_mask, new_es, retaddr);
2121     POPL_RA(ssp, sp, sp_mask, new_ds, retaddr);
2122     POPL_RA(ssp, sp, sp_mask, new_fs, retaddr);
2123     POPL_RA(ssp, sp, sp_mask, new_gs, retaddr);
2124 
2125     /* modify processor state */
2126     cpu_load_eflags(env, new_eflags, TF_MASK | AC_MASK | ID_MASK |
2127                     IF_MASK | IOPL_MASK | VM_MASK | NT_MASK | VIF_MASK |
2128                     VIP_MASK);
2129     load_seg_vm(env, R_CS, new_cs & 0xffff);
2130     load_seg_vm(env, R_SS, new_ss & 0xffff);
2131     load_seg_vm(env, R_ES, new_es & 0xffff);
2132     load_seg_vm(env, R_DS, new_ds & 0xffff);
2133     load_seg_vm(env, R_FS, new_fs & 0xffff);
2134     load_seg_vm(env, R_GS, new_gs & 0xffff);
2135 
2136     env->eip = new_eip & 0xffff;
2137     env->regs[R_ESP] = new_esp;
2138 }
2139 
2140 void helper_iret_protected(CPUX86State *env, int shift, int next_eip)
2141 {
2142     int tss_selector, type;
2143     uint32_t e1, e2;
2144 
2145     /* specific case for TSS */
2146     if (env->eflags & NT_MASK) {
2147 #ifdef TARGET_X86_64
2148         if (env->hflags & HF_LMA_MASK) {
2149             raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
2150         }
2151 #endif
2152         tss_selector = cpu_lduw_kernel_ra(env, env->tr.base + 0, GETPC());
2153         if (tss_selector & 4) {
2154             raise_exception_err_ra(env, EXCP0A_TSS, tss_selector & 0xfffc, GETPC());
2155         }
2156         if (load_segment_ra(env, &e1, &e2, tss_selector, GETPC()) != 0) {
2157             raise_exception_err_ra(env, EXCP0A_TSS, tss_selector & 0xfffc, GETPC());
2158         }
2159         type = (e2 >> DESC_TYPE_SHIFT) & 0x17;
2160         /* NOTE: we check both segment and busy TSS */
2161         if (type != 3) {
2162             raise_exception_err_ra(env, EXCP0A_TSS, tss_selector & 0xfffc, GETPC());
2163         }
2164         switch_tss_ra(env, tss_selector, e1, e2, SWITCH_TSS_IRET, next_eip, GETPC());
2165     } else {
2166         helper_ret_protected(env, shift, 1, 0, GETPC());
2167     }
2168     env->hflags2 &= ~HF2_NMI_MASK;
2169 }
2170 
2171 void helper_lret_protected(CPUX86State *env, int shift, int addend)
2172 {
2173     helper_ret_protected(env, shift, 0, addend, GETPC());
2174 }
2175 
2176 void helper_sysenter(CPUX86State *env)
2177 {
2178     if (env->sysenter_cs == 0) {
2179         raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
2180     }
2181     env->eflags &= ~(VM_MASK | IF_MASK | RF_MASK);
2182 
2183 #ifdef TARGET_X86_64
2184     if (env->hflags & HF_LMA_MASK) {
2185         cpu_x86_load_seg_cache(env, R_CS, env->sysenter_cs & 0xfffc,
2186                                0, 0xffffffff,
2187                                DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2188                                DESC_S_MASK |
2189                                DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK |
2190                                DESC_L_MASK);
2191     } else
2192 #endif
2193     {
2194         cpu_x86_load_seg_cache(env, R_CS, env->sysenter_cs & 0xfffc,
2195                                0, 0xffffffff,
2196                                DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2197                                DESC_S_MASK |
2198                                DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
2199     }
2200     cpu_x86_load_seg_cache(env, R_SS, (env->sysenter_cs + 8) & 0xfffc,
2201                            0, 0xffffffff,
2202                            DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2203                            DESC_S_MASK |
2204                            DESC_W_MASK | DESC_A_MASK);
2205     env->regs[R_ESP] = env->sysenter_esp;
2206     env->eip = env->sysenter_eip;
2207 }
2208 
2209 void helper_sysexit(CPUX86State *env, int dflag)
2210 {
2211     int cpl;
2212 
2213     cpl = env->hflags & HF_CPL_MASK;
2214     if (env->sysenter_cs == 0 || cpl != 0) {
2215         raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
2216     }
2217 #ifdef TARGET_X86_64
2218     if (dflag == 2) {
2219         cpu_x86_load_seg_cache(env, R_CS, ((env->sysenter_cs + 32) & 0xfffc) |
2220                                3, 0, 0xffffffff,
2221                                DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2222                                DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2223                                DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK |
2224                                DESC_L_MASK);
2225         cpu_x86_load_seg_cache(env, R_SS, ((env->sysenter_cs + 40) & 0xfffc) |
2226                                3, 0, 0xffffffff,
2227                                DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2228                                DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2229                                DESC_W_MASK | DESC_A_MASK);
2230     } else
2231 #endif
2232     {
2233         cpu_x86_load_seg_cache(env, R_CS, ((env->sysenter_cs + 16) & 0xfffc) |
2234                                3, 0, 0xffffffff,
2235                                DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2236                                DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2237                                DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
2238         cpu_x86_load_seg_cache(env, R_SS, ((env->sysenter_cs + 24) & 0xfffc) |
2239                                3, 0, 0xffffffff,
2240                                DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2241                                DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2242                                DESC_W_MASK | DESC_A_MASK);
2243     }
2244     env->regs[R_ESP] = env->regs[R_ECX];
2245     env->eip = env->regs[R_EDX];
2246 }
2247 
2248 target_ulong helper_lsl(CPUX86State *env, target_ulong selector1)
2249 {
2250     unsigned int limit;
2251     uint32_t e1, e2, eflags, selector;
2252     int rpl, dpl, cpl, type;
2253 
2254     selector = selector1 & 0xffff;
2255     eflags = cpu_cc_compute_all(env, CC_OP);
2256     if ((selector & 0xfffc) == 0) {
2257         goto fail;
2258     }
2259     if (load_segment_ra(env, &e1, &e2, selector, GETPC()) != 0) {
2260         goto fail;
2261     }
2262     rpl = selector & 3;
2263     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2264     cpl = env->hflags & HF_CPL_MASK;
2265     if (e2 & DESC_S_MASK) {
2266         if ((e2 & DESC_CS_MASK) && (e2 & DESC_C_MASK)) {
2267             /* conforming */
2268         } else {
2269             if (dpl < cpl || dpl < rpl) {
2270                 goto fail;
2271             }
2272         }
2273     } else {
2274         type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
2275         switch (type) {
2276         case 1:
2277         case 2:
2278         case 3:
2279         case 9:
2280         case 11:
2281             break;
2282         default:
2283             goto fail;
2284         }
2285         if (dpl < cpl || dpl < rpl) {
2286         fail:
2287             CC_SRC = eflags & ~CC_Z;
2288             return 0;
2289         }
2290     }
2291     limit = get_seg_limit(e1, e2);
2292     CC_SRC = eflags | CC_Z;
2293     return limit;
2294 }
2295 
2296 target_ulong helper_lar(CPUX86State *env, target_ulong selector1)
2297 {
2298     uint32_t e1, e2, eflags, selector;
2299     int rpl, dpl, cpl, type;
2300 
2301     selector = selector1 & 0xffff;
2302     eflags = cpu_cc_compute_all(env, CC_OP);
2303     if ((selector & 0xfffc) == 0) {
2304         goto fail;
2305     }
2306     if (load_segment_ra(env, &e1, &e2, selector, GETPC()) != 0) {
2307         goto fail;
2308     }
2309     rpl = selector & 3;
2310     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2311     cpl = env->hflags & HF_CPL_MASK;
2312     if (e2 & DESC_S_MASK) {
2313         if ((e2 & DESC_CS_MASK) && (e2 & DESC_C_MASK)) {
2314             /* conforming */
2315         } else {
2316             if (dpl < cpl || dpl < rpl) {
2317                 goto fail;
2318             }
2319         }
2320     } else {
2321         type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
2322         switch (type) {
2323         case 1:
2324         case 2:
2325         case 3:
2326         case 4:
2327         case 5:
2328         case 9:
2329         case 11:
2330         case 12:
2331             break;
2332         default:
2333             goto fail;
2334         }
2335         if (dpl < cpl || dpl < rpl) {
2336         fail:
2337             CC_SRC = eflags & ~CC_Z;
2338             return 0;
2339         }
2340     }
2341     CC_SRC = eflags | CC_Z;
2342     return e2 & 0x00f0ff00;
2343 }
2344 
2345 void helper_verr(CPUX86State *env, target_ulong selector1)
2346 {
2347     uint32_t e1, e2, eflags, selector;
2348     int rpl, dpl, cpl;
2349 
2350     selector = selector1 & 0xffff;
2351     eflags = cpu_cc_compute_all(env, CC_OP);
2352     if ((selector & 0xfffc) == 0) {
2353         goto fail;
2354     }
2355     if (load_segment_ra(env, &e1, &e2, selector, GETPC()) != 0) {
2356         goto fail;
2357     }
2358     if (!(e2 & DESC_S_MASK)) {
2359         goto fail;
2360     }
2361     rpl = selector & 3;
2362     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2363     cpl = env->hflags & HF_CPL_MASK;
2364     if (e2 & DESC_CS_MASK) {
2365         if (!(e2 & DESC_R_MASK)) {
2366             goto fail;
2367         }
2368         if (!(e2 & DESC_C_MASK)) {
2369             if (dpl < cpl || dpl < rpl) {
2370                 goto fail;
2371             }
2372         }
2373     } else {
2374         if (dpl < cpl || dpl < rpl) {
2375         fail:
2376             CC_SRC = eflags & ~CC_Z;
2377             return;
2378         }
2379     }
2380     CC_SRC = eflags | CC_Z;
2381 }
2382 
2383 void helper_verw(CPUX86State *env, target_ulong selector1)
2384 {
2385     uint32_t e1, e2, eflags, selector;
2386     int rpl, dpl, cpl;
2387 
2388     selector = selector1 & 0xffff;
2389     eflags = cpu_cc_compute_all(env, CC_OP);
2390     if ((selector & 0xfffc) == 0) {
2391         goto fail;
2392     }
2393     if (load_segment_ra(env, &e1, &e2, selector, GETPC()) != 0) {
2394         goto fail;
2395     }
2396     if (!(e2 & DESC_S_MASK)) {
2397         goto fail;
2398     }
2399     rpl = selector & 3;
2400     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2401     cpl = env->hflags & HF_CPL_MASK;
2402     if (e2 & DESC_CS_MASK) {
2403         goto fail;
2404     } else {
2405         if (dpl < cpl || dpl < rpl) {
2406             goto fail;
2407         }
2408         if (!(e2 & DESC_W_MASK)) {
2409         fail:
2410             CC_SRC = eflags & ~CC_Z;
2411             return;
2412         }
2413     }
2414     CC_SRC = eflags | CC_Z;
2415 }
2416