search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
i386: split seg_helper into user-only and sysemu parts
[qemu/kevin.git] / target / i386 / tcg / seg_helper.c
blobcf3f05152424434d3cb70a963775eed83c943aab
1 /*
2 * x86 segmentation related helpers:
3 * TSS, interrupts, system calls, jumps and call/task gates, descriptors
4 *
5 * Copyright (c) 2003 Fabrice Bellard
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "qemu/osdep.h"
22 #include "cpu.h"
23 #include "qemu/log.h"
24 #include "exec/helper-proto.h"
25 #include "exec/exec-all.h"
26 #include "exec/cpu_ldst.h"
27 #include "exec/log.h"
28 #include "helper-tcg.h"
29 #include "seg_helper.h"
30
31 /* return non zero if error */
32 static inline int load_segment_ra(CPUX86State *env, uint32_t *e1_ptr,
33 uint32_t *e2_ptr, int selector,
34 uintptr_t retaddr)
35 {
36 SegmentCache *dt;
37 int index;
38 target_ulong ptr;
39
40 if (selector & 0x4) {
41 dt = &env->ldt;
42 } else {
43 dt = &env->gdt;
44 }
45 index = selector & ~7;
46 if ((index + 7) > dt->limit) {
47 return -1;
48 }
49 ptr = dt->base + index;
50 *e1_ptr = cpu_ldl_kernel_ra(env, ptr, retaddr);
51 *e2_ptr = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
52 return 0;
53 }
54
55 static inline int load_segment(CPUX86State *env, uint32_t *e1_ptr,
56 uint32_t *e2_ptr, int selector)
57 {
58 return load_segment_ra(env, e1_ptr, e2_ptr, selector, 0);
59 }
60
61 static inline unsigned int get_seg_limit(uint32_t e1, uint32_t e2)
62 {
63 unsigned int limit;
64
65 limit = (e1 & 0xffff) | (e2 & 0x000f0000);
66 if (e2 & DESC_G_MASK) {
67 limit = (limit << 12) | 0xfff;
68 }
69 return limit;
70 }
71
72 static inline uint32_t get_seg_base(uint32_t e1, uint32_t e2)
73 {
74 return (e1 >> 16) | ((e2 & 0xff) << 16) | (e2 & 0xff000000);
75 }
76
77 static inline void load_seg_cache_raw_dt(SegmentCache *sc, uint32_t e1,
78 uint32_t e2)
79 {
80 sc->base = get_seg_base(e1, e2);
81 sc->limit = get_seg_limit(e1, e2);
82 sc->flags = e2;
83 }
84
85 /* init the segment cache in vm86 mode. */
86 static inline void load_seg_vm(CPUX86State *env, int seg, int selector)
87 {
88 selector &= 0xffff;
89
90 cpu_x86_load_seg_cache(env, seg, selector, (selector << 4), 0xffff,
91 DESC_P_MASK | DESC_S_MASK | DESC_W_MASK |
92 DESC_A_MASK | (3 << DESC_DPL_SHIFT));
93 }
94
95 static inline void get_ss_esp_from_tss(CPUX86State *env, uint32_t *ss_ptr,
96 uint32_t *esp_ptr, int dpl,
97 uintptr_t retaddr)
98 {
99 X86CPU *cpu = env_archcpu(env);
100 int type, index, shift;
101
102 #if 0
103 {
104 int i;
105 printf("TR: base=%p limit=%x\n", env->tr.base, env->tr.limit);
106 for (i = 0; i < env->tr.limit; i++) {
107 printf("%02x ", env->tr.base[i]);
108 if ((i & 7) == 7) {
109 printf("\n");
110 }
111 }
112 printf("\n");
113 }
114 #endif
115
116 if (!(env->tr.flags & DESC_P_MASK)) {
117 cpu_abort(CPU(cpu), "invalid tss");
118 }
119 type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
120 if ((type & 7) != 1) {
121 cpu_abort(CPU(cpu), "invalid tss type");
122 }
123 shift = type >> 3;
124 index = (dpl * 4 + 2) << shift;
125 if (index + (4 << shift) - 1 > env->tr.limit) {
126 raise_exception_err_ra(env, EXCP0A_TSS, env->tr.selector & 0xfffc, retaddr);
127 }
128 if (shift == 0) {
129 *esp_ptr = cpu_lduw_kernel_ra(env, env->tr.base + index, retaddr);
130 *ss_ptr = cpu_lduw_kernel_ra(env, env->tr.base + index + 2, retaddr);
131 } else {
132 *esp_ptr = cpu_ldl_kernel_ra(env, env->tr.base + index, retaddr);
133 *ss_ptr = cpu_lduw_kernel_ra(env, env->tr.base + index + 4, retaddr);
134 }
135 }
136
137 static void tss_load_seg(CPUX86State *env, X86Seg seg_reg, int selector,
138 int cpl, uintptr_t retaddr)
139 {
140 uint32_t e1, e2;
141 int rpl, dpl;
142
143 if ((selector & 0xfffc) != 0) {
144 if (load_segment_ra(env, &e1, &e2, selector, retaddr) != 0) {
145 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
146 }
147 if (!(e2 & DESC_S_MASK)) {
148 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
149 }
150 rpl = selector & 3;
151 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
152 if (seg_reg == R_CS) {
153 if (!(e2 & DESC_CS_MASK)) {
154 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
155 }
156 if (dpl != rpl) {
157 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
158 }
159 } else if (seg_reg == R_SS) {
160 /* SS must be writable data */
161 if ((e2 & DESC_CS_MASK) || !(e2 & DESC_W_MASK)) {
162 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
163 }
164 if (dpl != cpl || dpl != rpl) {
165 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
166 }
167 } else {
168 /* not readable code */
169 if ((e2 & DESC_CS_MASK) && !(e2 & DESC_R_MASK)) {
170 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
171 }
172 /* if data or non conforming code, checks the rights */
173 if (((e2 >> DESC_TYPE_SHIFT) & 0xf) < 12) {
174 if (dpl < cpl || dpl < rpl) {
175 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
176 }
177 }
178 }
179 if (!(e2 & DESC_P_MASK)) {
180 raise_exception_err_ra(env, EXCP0B_NOSEG, selector & 0xfffc, retaddr);
181 }
182 cpu_x86_load_seg_cache(env, seg_reg, selector,
183 get_seg_base(e1, e2),
184 get_seg_limit(e1, e2),
185 e2);
186 } else {
187 if (seg_reg == R_SS || seg_reg == R_CS) {
188 raise_exception_err_ra(env, EXCP0A_TSS, selector & 0xfffc, retaddr);
189 }
190 }
191 }
192
193 #define SWITCH_TSS_JMP 0
194 #define SWITCH_TSS_IRET 1
195 #define SWITCH_TSS_CALL 2
196
197 /* XXX: restore CPU state in registers (PowerPC case) */
198 static void switch_tss_ra(CPUX86State *env, int tss_selector,
199 uint32_t e1, uint32_t e2, int source,
200 uint32_t next_eip, uintptr_t retaddr)
201 {
202 int tss_limit, tss_limit_max, type, old_tss_limit_max, old_type, v1, v2, i;
203 target_ulong tss_base;
204 uint32_t new_regs[8], new_segs[6];
205 uint32_t new_eflags, new_eip, new_cr3, new_ldt, new_trap;
206 uint32_t old_eflags, eflags_mask;
207 SegmentCache *dt;
208 int index;
209 target_ulong ptr;
210
211 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
212 LOG_PCALL("switch_tss: sel=0x%04x type=%d src=%d\n", tss_selector, type,
213 source);
214
215 /* if task gate, we read the TSS segment and we load it */
216 if (type == 5) {
217 if (!(e2 & DESC_P_MASK)) {
218 raise_exception_err_ra(env, EXCP0B_NOSEG, tss_selector & 0xfffc, retaddr);
219 }
220 tss_selector = e1 >> 16;
221 if (tss_selector & 4) {
222 raise_exception_err_ra(env, EXCP0A_TSS, tss_selector & 0xfffc, retaddr);
223 }
224 if (load_segment_ra(env, &e1, &e2, tss_selector, retaddr) != 0) {
225 raise_exception_err_ra(env, EXCP0D_GPF, tss_selector & 0xfffc, retaddr);
226 }
227 if (e2 & DESC_S_MASK) {
228 raise_exception_err_ra(env, EXCP0D_GPF, tss_selector & 0xfffc, retaddr);
229 }
230 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
231 if ((type & 7) != 1) {
232 raise_exception_err_ra(env, EXCP0D_GPF, tss_selector & 0xfffc, retaddr);
233 }
234 }
235
236 if (!(e2 & DESC_P_MASK)) {
237 raise_exception_err_ra(env, EXCP0B_NOSEG, tss_selector & 0xfffc, retaddr);
238 }
239
240 if (type & 8) {
241 tss_limit_max = 103;
242 } else {
243 tss_limit_max = 43;
244 }
245 tss_limit = get_seg_limit(e1, e2);
246 tss_base = get_seg_base(e1, e2);
247 if ((tss_selector & 4) != 0 ||
248 tss_limit < tss_limit_max) {
249 raise_exception_err_ra(env, EXCP0A_TSS, tss_selector & 0xfffc, retaddr);
250 }
251 old_type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
252 if (old_type & 8) {
253 old_tss_limit_max = 103;
254 } else {
255 old_tss_limit_max = 43;
256 }
257
258 /* read all the registers from the new TSS */
259 if (type & 8) {
260 /* 32 bit */
261 new_cr3 = cpu_ldl_kernel_ra(env, tss_base + 0x1c, retaddr);
262 new_eip = cpu_ldl_kernel_ra(env, tss_base + 0x20, retaddr);
263 new_eflags = cpu_ldl_kernel_ra(env, tss_base + 0x24, retaddr);
264 for (i = 0; i < 8; i++) {
265 new_regs[i] = cpu_ldl_kernel_ra(env, tss_base + (0x28 + i * 4),
266 retaddr);
267 }
268 for (i = 0; i < 6; i++) {
269 new_segs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x48 + i * 4),
270 retaddr);
271 }
272 new_ldt = cpu_lduw_kernel_ra(env, tss_base + 0x60, retaddr);
273 new_trap = cpu_ldl_kernel_ra(env, tss_base + 0x64, retaddr);
274 } else {
275 /* 16 bit */
276 new_cr3 = 0;
277 new_eip = cpu_lduw_kernel_ra(env, tss_base + 0x0e, retaddr);
278 new_eflags = cpu_lduw_kernel_ra(env, tss_base + 0x10, retaddr);
279 for (i = 0; i < 8; i++) {
280 new_regs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x12 + i * 2),
281 retaddr) | 0xffff0000;
282 }
283 for (i = 0; i < 4; i++) {
284 new_segs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x22 + i * 4),
285 retaddr);
286 }
287 new_ldt = cpu_lduw_kernel_ra(env, tss_base + 0x2a, retaddr);
288 new_segs[R_FS] = 0;
289 new_segs[R_GS] = 0;
290 new_trap = 0;
291 }
292 /* XXX: avoid a compiler warning, see
293 http://support.amd.com/us/Processor_TechDocs/24593.pdf
294 chapters 12.2.5 and 13.2.4 on how to implement TSS Trap bit */
295 (void)new_trap;
296
297 /* NOTE: we must avoid memory exceptions during the task switch,
298 so we make dummy accesses before */
299 /* XXX: it can still fail in some cases, so a bigger hack is
300 necessary to valid the TLB after having done the accesses */
301
302 v1 = cpu_ldub_kernel_ra(env, env->tr.base, retaddr);
303 v2 = cpu_ldub_kernel_ra(env, env->tr.base + old_tss_limit_max, retaddr);
304 cpu_stb_kernel_ra(env, env->tr.base, v1, retaddr);
305 cpu_stb_kernel_ra(env, env->tr.base + old_tss_limit_max, v2, retaddr);
306
307 /* clear busy bit (it is restartable) */
308 if (source == SWITCH_TSS_JMP || source == SWITCH_TSS_IRET) {
309 target_ulong ptr;
310 uint32_t e2;
311
312 ptr = env->gdt.base + (env->tr.selector & ~7);
313 e2 = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
314 e2 &= ~DESC_TSS_BUSY_MASK;
315 cpu_stl_kernel_ra(env, ptr + 4, e2, retaddr);
316 }
317 old_eflags = cpu_compute_eflags(env);
318 if (source == SWITCH_TSS_IRET) {
319 old_eflags &= ~NT_MASK;
320 }
321
322 /* save the current state in the old TSS */
323 if (type & 8) {
324 /* 32 bit */
325 cpu_stl_kernel_ra(env, env->tr.base + 0x20, next_eip, retaddr);
326 cpu_stl_kernel_ra(env, env->tr.base + 0x24, old_eflags, retaddr);
327 cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 0 * 4), env->regs[R_EAX], retaddr);
328 cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 1 * 4), env->regs[R_ECX], retaddr);
329 cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 2 * 4), env->regs[R_EDX], retaddr);
330 cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 3 * 4), env->regs[R_EBX], retaddr);
331 cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 4 * 4), env->regs[R_ESP], retaddr);
332 cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 5 * 4), env->regs[R_EBP], retaddr);
333 cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 6 * 4), env->regs[R_ESI], retaddr);
334 cpu_stl_kernel_ra(env, env->tr.base + (0x28 + 7 * 4), env->regs[R_EDI], retaddr);
335 for (i = 0; i < 6; i++) {
336 cpu_stw_kernel_ra(env, env->tr.base + (0x48 + i * 4),
337 env->segs[i].selector, retaddr);
338 }
339 } else {
340 /* 16 bit */
341 cpu_stw_kernel_ra(env, env->tr.base + 0x0e, next_eip, retaddr);
342 cpu_stw_kernel_ra(env, env->tr.base + 0x10, old_eflags, retaddr);
343 cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 0 * 2), env->regs[R_EAX], retaddr);
344 cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 1 * 2), env->regs[R_ECX], retaddr);
345 cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 2 * 2), env->regs[R_EDX], retaddr);
346 cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 3 * 2), env->regs[R_EBX], retaddr);
347 cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 4 * 2), env->regs[R_ESP], retaddr);
348 cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 5 * 2), env->regs[R_EBP], retaddr);
349 cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 6 * 2), env->regs[R_ESI], retaddr);
350 cpu_stw_kernel_ra(env, env->tr.base + (0x12 + 7 * 2), env->regs[R_EDI], retaddr);
351 for (i = 0; i < 4; i++) {
352 cpu_stw_kernel_ra(env, env->tr.base + (0x22 + i * 4),
353 env->segs[i].selector, retaddr);
354 }
355 }
356
357 /* now if an exception occurs, it will occurs in the next task
358 context */
359
360 if (source == SWITCH_TSS_CALL) {
361 cpu_stw_kernel_ra(env, tss_base, env->tr.selector, retaddr);
362 new_eflags |= NT_MASK;
363 }
364
365 /* set busy bit */
366 if (source == SWITCH_TSS_JMP || source == SWITCH_TSS_CALL) {
367 target_ulong ptr;
368 uint32_t e2;
369
370 ptr = env->gdt.base + (tss_selector & ~7);
371 e2 = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
372 e2 |= DESC_TSS_BUSY_MASK;
373 cpu_stl_kernel_ra(env, ptr + 4, e2, retaddr);
374 }
375
376 /* set the new CPU state */
377 /* from this point, any exception which occurs can give problems */
378 env->cr[0] |= CR0_TS_MASK;
379 env->hflags |= HF_TS_MASK;
380 env->tr.selector = tss_selector;
381 env->tr.base = tss_base;
382 env->tr.limit = tss_limit;
383 env->tr.flags = e2 & ~DESC_TSS_BUSY_MASK;
384
385 if ((type & 8) && (env->cr[0] & CR0_PG_MASK)) {
386 cpu_x86_update_cr3(env, new_cr3);
387 }
388
389 /* load all registers without an exception, then reload them with
390 possible exception */
391 env->eip = new_eip;
392 eflags_mask = TF_MASK | AC_MASK | ID_MASK |
393 IF_MASK | IOPL_MASK | VM_MASK | RF_MASK | NT_MASK;
394 if (!(type & 8)) {
395 eflags_mask &= 0xffff;
396 }
397 cpu_load_eflags(env, new_eflags, eflags_mask);
398 /* XXX: what to do in 16 bit case? */
399 env->regs[R_EAX] = new_regs[0];
400 env->regs[R_ECX] = new_regs[1];
401 env->regs[R_EDX] = new_regs[2];
402 env->regs[R_EBX] = new_regs[3];
403 env->regs[R_ESP] = new_regs[4];
404 env->regs[R_EBP] = new_regs[5];
405 env->regs[R_ESI] = new_regs[6];
406 env->regs[R_EDI] = new_regs[7];
407 if (new_eflags & VM_MASK) {
408 for (i = 0; i < 6; i++) {
409 load_seg_vm(env, i, new_segs[i]);
410 }
411 } else {
412 /* first just selectors as the rest may trigger exceptions */
413 for (i = 0; i < 6; i++) {
414 cpu_x86_load_seg_cache(env, i, new_segs[i], 0, 0, 0);
415 }
416 }
417
418 env->ldt.selector = new_ldt & ~4;
419 env->ldt.base = 0;
420 env->ldt.limit = 0;
421 env->ldt.flags = 0;
422
423 /* load the LDT */
424 if (new_ldt & 4) {
425 raise_exception_err_ra(env, EXCP0A_TSS, new_ldt & 0xfffc, retaddr);
426 }
427
428 if ((new_ldt & 0xfffc) != 0) {
429 dt = &env->gdt;
430 index = new_ldt & ~7;
431 if ((index + 7) > dt->limit) {
432 raise_exception_err_ra(env, EXCP0A_TSS, new_ldt & 0xfffc, retaddr);
433 }
434 ptr = dt->base + index;
435 e1 = cpu_ldl_kernel_ra(env, ptr, retaddr);
436 e2 = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
437 if ((e2 & DESC_S_MASK) || ((e2 >> DESC_TYPE_SHIFT) & 0xf) != 2) {
438 raise_exception_err_ra(env, EXCP0A_TSS, new_ldt & 0xfffc, retaddr);
439 }
440 if (!(e2 & DESC_P_MASK)) {
441 raise_exception_err_ra(env, EXCP0A_TSS, new_ldt & 0xfffc, retaddr);
442 }
443 load_seg_cache_raw_dt(&env->ldt, e1, e2);
444 }
445
446 /* load the segments */
447 if (!(new_eflags & VM_MASK)) {
448 int cpl = new_segs[R_CS] & 3;
449 tss_load_seg(env, R_CS, new_segs[R_CS], cpl, retaddr);
450 tss_load_seg(env, R_SS, new_segs[R_SS], cpl, retaddr);
451 tss_load_seg(env, R_ES, new_segs[R_ES], cpl, retaddr);
452 tss_load_seg(env, R_DS, new_segs[R_DS], cpl, retaddr);
453 tss_load_seg(env, R_FS, new_segs[R_FS], cpl, retaddr);
454 tss_load_seg(env, R_GS, new_segs[R_GS], cpl, retaddr);
455 }
456
457 /* check that env->eip is in the CS segment limits */
458 if (new_eip > env->segs[R_CS].limit) {
459 /* XXX: different exception if CALL? */
460 raise_exception_err_ra(env, EXCP0D_GPF, 0, retaddr);
461 }
462
463 #ifndef CONFIG_USER_ONLY
464 /* reset local breakpoints */
465 if (env->dr[7] & DR7_LOCAL_BP_MASK) {
466 cpu_x86_update_dr7(env, env->dr[7] & ~DR7_LOCAL_BP_MASK);
467 }
468 #endif
469 }
470
471 static void switch_tss(CPUX86State *env, int tss_selector,
472 uint32_t e1, uint32_t e2, int source,
473 uint32_t next_eip)
474 {
475 switch_tss_ra(env, tss_selector, e1, e2, source, next_eip, 0);
476 }
477
478 static inline unsigned int get_sp_mask(unsigned int e2)
479 {
480 #ifdef TARGET_X86_64
481 if (e2 & DESC_L_MASK) {
482 return 0;
483 } else
484 #endif
485 if (e2 & DESC_B_MASK) {
486 return 0xffffffff;
487 } else {
488 return 0xffff;
489 }
490 }
491
492 int exception_has_error_code(int intno)
493 {
494 switch (intno) {
495 case 8:
496 case 10:
497 case 11:
498 case 12:
499 case 13:
500 case 14:
501 case 17:
502 return 1;
503 }
504 return 0;
505 }
506
507 #ifdef TARGET_X86_64
508 #define SET_ESP(val, sp_mask) \
509 do { \
510 if ((sp_mask) == 0xffff) { \
511 env->regs[R_ESP] = (env->regs[R_ESP] & ~0xffff) | \
512 ((val) & 0xffff); \
513 } else if ((sp_mask) == 0xffffffffLL) { \
514 env->regs[R_ESP] = (uint32_t)(val); \
515 } else { \
516 env->regs[R_ESP] = (val); \
517 } \
518 } while (0)
519 #else
520 #define SET_ESP(val, sp_mask) \
521 do { \
522 env->regs[R_ESP] = (env->regs[R_ESP] & ~(sp_mask)) | \
523 ((val) & (sp_mask)); \
524 } while (0)
525 #endif
526
527 /* in 64-bit machines, this can overflow. So this segment addition macro
528 * can be used to trim the value to 32-bit whenever needed */
529 #define SEG_ADDL(ssp, sp, sp_mask) ((uint32_t)((ssp) + (sp & (sp_mask))))
530
531 /* XXX: add a is_user flag to have proper security support */
532 #define PUSHW_RA(ssp, sp, sp_mask, val, ra) \
533 { \
534 sp -= 2; \
535 cpu_stw_kernel_ra(env, (ssp) + (sp & (sp_mask)), (val), ra); \
536 }
537
538 #define PUSHL_RA(ssp, sp, sp_mask, val, ra) \
539 { \
540 sp -= 4; \
541 cpu_stl_kernel_ra(env, SEG_ADDL(ssp, sp, sp_mask), (uint32_t)(val), ra); \
542 }
543
544 #define POPW_RA(ssp, sp, sp_mask, val, ra) \
545 { \
546 val = cpu_lduw_kernel_ra(env, (ssp) + (sp & (sp_mask)), ra); \
547 sp += 2; \
548 }
549
550 #define POPL_RA(ssp, sp, sp_mask, val, ra) \
551 { \
552 val = (uint32_t)cpu_ldl_kernel_ra(env, SEG_ADDL(ssp, sp, sp_mask), ra); \
553 sp += 4; \
554 }
555
556 #define PUSHW(ssp, sp, sp_mask, val) PUSHW_RA(ssp, sp, sp_mask, val, 0)
557 #define PUSHL(ssp, sp, sp_mask, val) PUSHL_RA(ssp, sp, sp_mask, val, 0)
558 #define POPW(ssp, sp, sp_mask, val) POPW_RA(ssp, sp, sp_mask, val, 0)
559 #define POPL(ssp, sp, sp_mask, val) POPL_RA(ssp, sp, sp_mask, val, 0)
560
561 /* protected mode interrupt */
562 static void do_interrupt_protected(CPUX86State *env, int intno, int is_int,
563 int error_code, unsigned int next_eip,
564 int is_hw)
565 {
566 SegmentCache *dt;
567 target_ulong ptr, ssp;
568 int type, dpl, selector, ss_dpl, cpl;
569 int has_error_code, new_stack, shift;
570 uint32_t e1, e2, offset, ss = 0, esp, ss_e1 = 0, ss_e2 = 0;
571 uint32_t old_eip, sp_mask;
572 int vm86 = env->eflags & VM_MASK;
573
574 has_error_code = 0;
575 if (!is_int && !is_hw) {
576 has_error_code = exception_has_error_code(intno);
577 }
578 if (is_int) {
579 old_eip = next_eip;
580 } else {
581 old_eip = env->eip;
582 }
583
584 dt = &env->idt;
585 if (intno * 8 + 7 > dt->limit) {
586 raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
587 }
588 ptr = dt->base + intno * 8;
589 e1 = cpu_ldl_kernel(env, ptr);
590 e2 = cpu_ldl_kernel(env, ptr + 4);
591 /* check gate type */
592 type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
593 switch (type) {
594 case 5: /* task gate */
595 case 6: /* 286 interrupt gate */
596 case 7: /* 286 trap gate */
597 case 14: /* 386 interrupt gate */
598 case 15: /* 386 trap gate */
599 break;
600 default:
601 raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
602 break;
603 }
604 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
605 cpl = env->hflags & HF_CPL_MASK;
606 /* check privilege if software int */
607 if (is_int && dpl < cpl) {
608 raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
609 }
610
611 if (type == 5) {
612 /* task gate */
613 /* must do that check here to return the correct error code */
614 if (!(e2 & DESC_P_MASK)) {
615 raise_exception_err(env, EXCP0B_NOSEG, intno * 8 + 2);
616 }
617 switch_tss(env, intno * 8, e1, e2, SWITCH_TSS_CALL, old_eip);
618 if (has_error_code) {
619 int type;
620 uint32_t mask;
621
622 /* push the error code */
623 type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
624 shift = type >> 3;
625 if (env->segs[R_SS].flags & DESC_B_MASK) {
626 mask = 0xffffffff;
627 } else {
628 mask = 0xffff;
629 }
630 esp = (env->regs[R_ESP] - (2 << shift)) & mask;
631 ssp = env->segs[R_SS].base + esp;
632 if (shift) {
633 cpu_stl_kernel(env, ssp, error_code);
634 } else {
635 cpu_stw_kernel(env, ssp, error_code);
636 }
637 SET_ESP(esp, mask);
638 }
639 return;
640 }
641
642 /* Otherwise, trap or interrupt gate */
643
644 /* check valid bit */
645 if (!(e2 & DESC_P_MASK)) {
646 raise_exception_err(env, EXCP0B_NOSEG, intno * 8 + 2);
647 }
648 selector = e1 >> 16;
649 offset = (e2 & 0xffff0000) | (e1 & 0x0000ffff);
650 if ((selector & 0xfffc) == 0) {
651 raise_exception_err(env, EXCP0D_GPF, 0);
652 }
653 if (load_segment(env, &e1, &e2, selector) != 0) {
654 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
655 }
656 if (!(e2 & DESC_S_MASK) || !(e2 & (DESC_CS_MASK))) {
657 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
658 }
659 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
660 if (dpl > cpl) {
661 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
662 }
663 if (!(e2 & DESC_P_MASK)) {
664 raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
665 }
666 if (e2 & DESC_C_MASK) {
667 dpl = cpl;
668 }
669 if (dpl < cpl) {
670 /* to inner privilege */
671 get_ss_esp_from_tss(env, &ss, &esp, dpl, 0);
672 if ((ss & 0xfffc) == 0) {
673 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
674 }
675 if ((ss & 3) != dpl) {
676 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
677 }
678 if (load_segment(env, &ss_e1, &ss_e2, ss) != 0) {
679 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
680 }
681 ss_dpl = (ss_e2 >> DESC_DPL_SHIFT) & 3;
682 if (ss_dpl != dpl) {
683 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
684 }
685 if (!(ss_e2 & DESC_S_MASK) ||
686 (ss_e2 & DESC_CS_MASK) ||
687 !(ss_e2 & DESC_W_MASK)) {
688 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
689 }
690 if (!(ss_e2 & DESC_P_MASK)) {
691 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
692 }
693 new_stack = 1;
694 sp_mask = get_sp_mask(ss_e2);
695 ssp = get_seg_base(ss_e1, ss_e2);
696 } else {
697 /* to same privilege */
698 if (vm86) {
699 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
700 }
701 new_stack = 0;
702 sp_mask = get_sp_mask(env->segs[R_SS].flags);
703 ssp = env->segs[R_SS].base;
704 esp = env->regs[R_ESP];
705 }
706
707 shift = type >> 3;
708
709 #if 0
710 /* XXX: check that enough room is available */
711 push_size = 6 + (new_stack << 2) + (has_error_code << 1);
712 if (vm86) {
713 push_size += 8;
714 }
715 push_size <<= shift;
716 #endif
717 if (shift == 1) {
718 if (new_stack) {
719 if (vm86) {
720 PUSHL(ssp, esp, sp_mask, env->segs[R_GS].selector);
721 PUSHL(ssp, esp, sp_mask, env->segs[R_FS].selector);
722 PUSHL(ssp, esp, sp_mask, env->segs[R_DS].selector);
723 PUSHL(ssp, esp, sp_mask, env->segs[R_ES].selector);
724 }
725 PUSHL(ssp, esp, sp_mask, env->segs[R_SS].selector);
726 PUSHL(ssp, esp, sp_mask, env->regs[R_ESP]);
727 }
728 PUSHL(ssp, esp, sp_mask, cpu_compute_eflags(env));
729 PUSHL(ssp, esp, sp_mask, env->segs[R_CS].selector);
730 PUSHL(ssp, esp, sp_mask, old_eip);
731 if (has_error_code) {
732 PUSHL(ssp, esp, sp_mask, error_code);
733 }
734 } else {
735 if (new_stack) {
736 if (vm86) {
737 PUSHW(ssp, esp, sp_mask, env->segs[R_GS].selector);
738 PUSHW(ssp, esp, sp_mask, env->segs[R_FS].selector);
739 PUSHW(ssp, esp, sp_mask, env->segs[R_DS].selector);
740 PUSHW(ssp, esp, sp_mask, env->segs[R_ES].selector);
741 }
742 PUSHW(ssp, esp, sp_mask, env->segs[R_SS].selector);
743 PUSHW(ssp, esp, sp_mask, env->regs[R_ESP]);
744 }
745 PUSHW(ssp, esp, sp_mask, cpu_compute_eflags(env));
746 PUSHW(ssp, esp, sp_mask, env->segs[R_CS].selector);
747 PUSHW(ssp, esp, sp_mask, old_eip);
748 if (has_error_code) {
749 PUSHW(ssp, esp, sp_mask, error_code);
750 }
751 }
752
753 /* interrupt gate clear IF mask */
754 if ((type & 1) == 0) {
755 env->eflags &= ~IF_MASK;
756 }
757 env->eflags &= ~(TF_MASK | VM_MASK | RF_MASK | NT_MASK);
758
759 if (new_stack) {
760 if (vm86) {
761 cpu_x86_load_seg_cache(env, R_ES, 0, 0, 0, 0);
762 cpu_x86_load_seg_cache(env, R_DS, 0, 0, 0, 0);
763 cpu_x86_load_seg_cache(env, R_FS, 0, 0, 0, 0);
764 cpu_x86_load_seg_cache(env, R_GS, 0, 0, 0, 0);
765 }
766 ss = (ss & ~3) | dpl;
767 cpu_x86_load_seg_cache(env, R_SS, ss,
768 ssp, get_seg_limit(ss_e1, ss_e2), ss_e2);
769 }
770 SET_ESP(esp, sp_mask);
771
772 selector = (selector & ~3) | dpl;
773 cpu_x86_load_seg_cache(env, R_CS, selector,
774 get_seg_base(e1, e2),
775 get_seg_limit(e1, e2),
776 e2);
777 env->eip = offset;
778 }
779
780 #ifdef TARGET_X86_64
781
782 #define PUSHQ_RA(sp, val, ra) \
783 { \
784 sp -= 8; \
785 cpu_stq_kernel_ra(env, sp, (val), ra); \
786 }
787
788 #define POPQ_RA(sp, val, ra) \
789 { \
790 val = cpu_ldq_kernel_ra(env, sp, ra); \
791 sp += 8; \
792 }
793
794 #define PUSHQ(sp, val) PUSHQ_RA(sp, val, 0)
795 #define POPQ(sp, val) POPQ_RA(sp, val, 0)
796
797 static inline target_ulong get_rsp_from_tss(CPUX86State *env, int level)
798 {
799 X86CPU *cpu = env_archcpu(env);
800 int index;
801
802 #if 0
803 printf("TR: base=" TARGET_FMT_lx " limit=%x\n",
804 env->tr.base, env->tr.limit);
805 #endif
806
807 if (!(env->tr.flags & DESC_P_MASK)) {
808 cpu_abort(CPU(cpu), "invalid tss");
809 }
810 index = 8 * level + 4;
811 if ((index + 7) > env->tr.limit) {
812 raise_exception_err(env, EXCP0A_TSS, env->tr.selector & 0xfffc);
813 }
814 return cpu_ldq_kernel(env, env->tr.base + index);
815 }
816
817 /* 64 bit interrupt */
818 static void do_interrupt64(CPUX86State *env, int intno, int is_int,
819 int error_code, target_ulong next_eip, int is_hw)
820 {
821 SegmentCache *dt;
822 target_ulong ptr;
823 int type, dpl, selector, cpl, ist;
824 int has_error_code, new_stack;
825 uint32_t e1, e2, e3, ss;
826 target_ulong old_eip, esp, offset;
827
828 has_error_code = 0;
829 if (!is_int && !is_hw) {
830 has_error_code = exception_has_error_code(intno);
831 }
832 if (is_int) {
833 old_eip = next_eip;
834 } else {
835 old_eip = env->eip;
836 }
837
838 dt = &env->idt;
839 if (intno * 16 + 15 > dt->limit) {
840 raise_exception_err(env, EXCP0D_GPF, intno * 16 + 2);
841 }
842 ptr = dt->base + intno * 16;
843 e1 = cpu_ldl_kernel(env, ptr);
844 e2 = cpu_ldl_kernel(env, ptr + 4);
845 e3 = cpu_ldl_kernel(env, ptr + 8);
846 /* check gate type */
847 type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
848 switch (type) {
849 case 14: /* 386 interrupt gate */
850 case 15: /* 386 trap gate */
851 break;
852 default:
853 raise_exception_err(env, EXCP0D_GPF, intno * 16 + 2);
854 break;
855 }
856 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
857 cpl = env->hflags & HF_CPL_MASK;
858 /* check privilege if software int */
859 if (is_int && dpl < cpl) {
860 raise_exception_err(env, EXCP0D_GPF, intno * 16 + 2);
861 }
862 /* check valid bit */
863 if (!(e2 & DESC_P_MASK)) {
864 raise_exception_err(env, EXCP0B_NOSEG, intno * 16 + 2);
865 }
866 selector = e1 >> 16;
867 offset = ((target_ulong)e3 << 32) | (e2 & 0xffff0000) | (e1 & 0x0000ffff);
868 ist = e2 & 7;
869 if ((selector & 0xfffc) == 0) {
870 raise_exception_err(env, EXCP0D_GPF, 0);
871 }
872
873 if (load_segment(env, &e1, &e2, selector) != 0) {
874 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
875 }
876 if (!(e2 & DESC_S_MASK) || !(e2 & (DESC_CS_MASK))) {
877 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
878 }
879 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
880 if (dpl > cpl) {
881 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
882 }
883 if (!(e2 & DESC_P_MASK)) {
884 raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
885 }
886 if (!(e2 & DESC_L_MASK) || (e2 & DESC_B_MASK)) {
887 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
888 }
889 if (e2 & DESC_C_MASK) {
890 dpl = cpl;
891 }
892 if (dpl < cpl || ist != 0) {
893 /* to inner privilege */
894 new_stack = 1;
895 esp = get_rsp_from_tss(env, ist != 0 ? ist + 3 : dpl);
896 ss = 0;
897 } else {
898 /* to same privilege */
899 if (env->eflags & VM_MASK) {
900 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
901 }
902 new_stack = 0;
903 esp = env->regs[R_ESP];
904 }
905 esp &= ~0xfLL; /* align stack */
906
907 PUSHQ(esp, env->segs[R_SS].selector);
908 PUSHQ(esp, env->regs[R_ESP]);
909 PUSHQ(esp, cpu_compute_eflags(env));
910 PUSHQ(esp, env->segs[R_CS].selector);
911 PUSHQ(esp, old_eip);
912 if (has_error_code) {
913 PUSHQ(esp, error_code);
914 }
915
916 /* interrupt gate clear IF mask */
917 if ((type & 1) == 0) {
918 env->eflags &= ~IF_MASK;
919 }
920 env->eflags &= ~(TF_MASK | VM_MASK | RF_MASK | NT_MASK);
921
922 if (new_stack) {
923 ss = 0 | dpl;
924 cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, dpl << DESC_DPL_SHIFT);
925 }
926 env->regs[R_ESP] = esp;
927
928 selector = (selector & ~3) | dpl;
929 cpu_x86_load_seg_cache(env, R_CS, selector,
930 get_seg_base(e1, e2),
931 get_seg_limit(e1, e2),
932 e2);
933 env->eip = offset;
934 }
935 #endif
936
937 #ifdef TARGET_X86_64
938 void helper_sysret(CPUX86State *env, int dflag)
939 {
940 int cpl, selector;
941
942 if (!(env->efer & MSR_EFER_SCE)) {
943 raise_exception_err_ra(env, EXCP06_ILLOP, 0, GETPC());
944 }
945 cpl = env->hflags & HF_CPL_MASK;
946 if (!(env->cr[0] & CR0_PE_MASK) || cpl != 0) {
947 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
948 }
949 selector = (env->star >> 48) & 0xffff;
950 if (env->hflags & HF_LMA_MASK) {
951 cpu_load_eflags(env, (uint32_t)(env->regs[11]), TF_MASK | AC_MASK
952 | ID_MASK | IF_MASK | IOPL_MASK | VM_MASK | RF_MASK |
953 NT_MASK);
954 if (dflag == 2) {
955 cpu_x86_load_seg_cache(env, R_CS, (selector + 16) | 3,
956 0, 0xffffffff,
957 DESC_G_MASK | DESC_P_MASK |
958 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
959 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK |
960 DESC_L_MASK);
961 env->eip = env->regs[R_ECX];
962 } else {
963 cpu_x86_load_seg_cache(env, R_CS, selector | 3,
964 0, 0xffffffff,
965 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
966 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
967 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
968 env->eip = (uint32_t)env->regs[R_ECX];
969 }
970 cpu_x86_load_seg_cache(env, R_SS, (selector + 8) | 3,
971 0, 0xffffffff,
972 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
973 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
974 DESC_W_MASK | DESC_A_MASK);
975 } else {
976 env->eflags |= IF_MASK;
977 cpu_x86_load_seg_cache(env, R_CS, selector | 3,
978 0, 0xffffffff,
979 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
980 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
981 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
982 env->eip = (uint32_t)env->regs[R_ECX];
983 cpu_x86_load_seg_cache(env, R_SS, (selector + 8) | 3,
984 0, 0xffffffff,
985 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
986 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
987 DESC_W_MASK | DESC_A_MASK);
988 }
989 }
990 #endif
991
992 /* real mode interrupt */
993 static void do_interrupt_real(CPUX86State *env, int intno, int is_int,
994 int error_code, unsigned int next_eip)
995 {
996 SegmentCache *dt;
997 target_ulong ptr, ssp;
998 int selector;
999 uint32_t offset, esp;
1000 uint32_t old_cs, old_eip;
1001
1002 /* real mode (simpler!) */
1003 dt = &env->idt;
1004 if (intno * 4 + 3 > dt->limit) {
1005 raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
1006 }
1007 ptr = dt->base + intno * 4;
1008 offset = cpu_lduw_kernel(env, ptr);
1009 selector = cpu_lduw_kernel(env, ptr + 2);
1010 esp = env->regs[R_ESP];
1011 ssp = env->segs[R_SS].base;
1012 if (is_int) {
1013 old_eip = next_eip;
1014 } else {
1015 old_eip = env->eip;
1016 }
1017 old_cs = env->segs[R_CS].selector;
1018 /* XXX: use SS segment size? */
1019 PUSHW(ssp, esp, 0xffff, cpu_compute_eflags(env));
1020 PUSHW(ssp, esp, 0xffff, old_cs);
1021 PUSHW(ssp, esp, 0xffff, old_eip);
1022
1023 /* update processor state */
1024 env->regs[R_ESP] = (env->regs[R_ESP] & ~0xffff) | (esp & 0xffff);
1025 env->eip = offset;
1026 env->segs[R_CS].selector = selector;
1027 env->segs[R_CS].base = (selector << 4);
1028 env->eflags &= ~(IF_MASK | TF_MASK | AC_MASK | RF_MASK);
1029 }
1030
1031 /*
1032 * Begin execution of an interruption. is_int is TRUE if coming from
1033 * the int instruction. next_eip is the env->eip value AFTER the interrupt
1034 * instruction. It is only relevant if is_int is TRUE.
1035 */
1036 void do_interrupt_all(X86CPU *cpu, int intno, int is_int,
1037 int error_code, target_ulong next_eip, int is_hw)
1038 {
1039 CPUX86State *env = &cpu->env;
1040
1041 if (qemu_loglevel_mask(CPU_LOG_INT)) {
1042 if ((env->cr[0] & CR0_PE_MASK)) {
1043 static int count;
1044
1045 qemu_log("%6d: v=%02x e=%04x i=%d cpl=%d IP=%04x:" TARGET_FMT_lx
1046 " pc=" TARGET_FMT_lx " SP=%04x:" TARGET_FMT_lx,
1047 count, intno, error_code, is_int,
1048 env->hflags & HF_CPL_MASK,
1049 env->segs[R_CS].selector, env->eip,
1050 (int)env->segs[R_CS].base + env->eip,
1051 env->segs[R_SS].selector, env->regs[R_ESP]);
1052 if (intno == 0x0e) {
1053 qemu_log(" CR2=" TARGET_FMT_lx, env->cr[2]);
1054 } else {
1055 qemu_log(" env->regs[R_EAX]=" TARGET_FMT_lx, env->regs[R_EAX]);
1056 }
1057 qemu_log("\n");
1058 log_cpu_state(CPU(cpu), CPU_DUMP_CCOP);
1059 #if 0
1060 {
1061 int i;
1062 target_ulong ptr;
1063
1064 qemu_log(" code=");
1065 ptr = env->segs[R_CS].base + env->eip;
1066 for (i = 0; i < 16; i++) {
1067 qemu_log(" %02x", ldub(ptr + i));
1068 }
1069 qemu_log("\n");
1070 }
1071 #endif
1072 count++;
1073 }
1074 }
1075 if (env->cr[0] & CR0_PE_MASK) {
1076 #if !defined(CONFIG_USER_ONLY)
1077 if (env->hflags & HF_GUEST_MASK) {
1078 handle_even_inj(env, intno, is_int, error_code, is_hw, 0);
1079 }
1080 #endif
1081 #ifdef TARGET_X86_64
1082 if (env->hflags & HF_LMA_MASK) {
1083 do_interrupt64(env, intno, is_int, error_code, next_eip, is_hw);
1084 } else
1085 #endif
1086 {
1087 do_interrupt_protected(env, intno, is_int, error_code, next_eip,
1088 is_hw);
1089 }
1090 } else {
1091 #if !defined(CONFIG_USER_ONLY)
1092 if (env->hflags & HF_GUEST_MASK) {
1093 handle_even_inj(env, intno, is_int, error_code, is_hw, 1);
1094 }
1095 #endif
1096 do_interrupt_real(env, intno, is_int, error_code, next_eip);
1097 }
1098
1099 #if !defined(CONFIG_USER_ONLY)
1100 if (env->hflags & HF_GUEST_MASK) {
1101 CPUState *cs = CPU(cpu);
1102 uint32_t event_inj = x86_ldl_phys(cs, env->vm_vmcb +
1103 offsetof(struct vmcb,
1104 control.event_inj));
1105
1106 x86_stl_phys(cs,
1107 env->vm_vmcb + offsetof(struct vmcb, control.event_inj),
1108 event_inj & ~SVM_EVTINJ_VALID);
1109 }
1110 #endif
1111 }
1112
1113 void do_interrupt_x86_hardirq(CPUX86State *env, int intno, int is_hw)
1114 {
1115 do_interrupt_all(env_archcpu(env), intno, 0, 0, 0, is_hw);
1116 }
1117
1118 bool x86_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
1119 {
1120 X86CPU *cpu = X86_CPU(cs);
1121 CPUX86State *env = &cpu->env;
1122 int intno;
1123
1124 interrupt_request = x86_cpu_pending_interrupt(cs, interrupt_request);
1125 if (!interrupt_request) {
1126 return false;
1127 }
1128
1129 /* Don't process multiple interrupt requests in a single call.
1130 * This is required to make icount-driven execution deterministic.
1131 */
1132 switch (interrupt_request) {
1133 #if !defined(CONFIG_USER_ONLY)
1134 case CPU_INTERRUPT_POLL:
1135 cs->interrupt_request &= ~CPU_INTERRUPT_POLL;
1136 apic_poll_irq(cpu->apic_state);
1137 break;
1138 #endif
1139 case CPU_INTERRUPT_SIPI:
1140 do_cpu_sipi(cpu);
1141 break;
1142 case CPU_INTERRUPT_SMI:
1143 cpu_svm_check_intercept_param(env, SVM_EXIT_SMI, 0, 0);
1144 cs->interrupt_request &= ~CPU_INTERRUPT_SMI;
1145 #ifdef CONFIG_USER_ONLY
1146 cpu_abort(CPU(cpu), "SMI interrupt: cannot enter SMM in user-mode");
1147 #else
1148 do_smm_enter(cpu);
1149 #endif /* CONFIG_USER_ONLY */
1150 break;
1151 case CPU_INTERRUPT_NMI:
1152 cpu_svm_check_intercept_param(env, SVM_EXIT_NMI, 0, 0);
1153 cs->interrupt_request &= ~CPU_INTERRUPT_NMI;
1154 env->hflags2 |= HF2_NMI_MASK;
1155 do_interrupt_x86_hardirq(env, EXCP02_NMI, 1);
1156 break;
1157 case CPU_INTERRUPT_MCE:
1158 cs->interrupt_request &= ~CPU_INTERRUPT_MCE;
1159 do_interrupt_x86_hardirq(env, EXCP12_MCHK, 0);
1160 break;
1161 case CPU_INTERRUPT_HARD:
1162 cpu_svm_check_intercept_param(env, SVM_EXIT_INTR, 0, 0);
1163 cs->interrupt_request &= ~(CPU_INTERRUPT_HARD |
1164 CPU_INTERRUPT_VIRQ);
1165 intno = cpu_get_pic_interrupt(env);
1166 qemu_log_mask(CPU_LOG_TB_IN_ASM,
1167 "Servicing hardware INT=0x%02x\n", intno);
1168 do_interrupt_x86_hardirq(env, intno, 1);
1169 break;
1170 #if !defined(CONFIG_USER_ONLY)
1171 case CPU_INTERRUPT_VIRQ:
1172 /* FIXME: this should respect TPR */
1173 cpu_svm_check_intercept_param(env, SVM_EXIT_VINTR, 0, 0);
1174 intno = x86_ldl_phys(cs, env->vm_vmcb
1175 + offsetof(struct vmcb, control.int_vector));
1176 qemu_log_mask(CPU_LOG_TB_IN_ASM,
1177 "Servicing virtual hardware INT=0x%02x\n", intno);
1178 do_interrupt_x86_hardirq(env, intno, 1);
1179 cs->interrupt_request &= ~CPU_INTERRUPT_VIRQ;
1180 break;
1181 #endif
1182 }
1183
1184 /* Ensure that no TB jump will be modified as the program flow was changed. */
1185 return true;
1186 }
1187
1188 void helper_lldt(CPUX86State *env, int selector)
1189 {
1190 SegmentCache *dt;
1191 uint32_t e1, e2;
1192 int index, entry_limit;
1193 target_ulong ptr;
1194
1195 selector &= 0xffff;
1196 if ((selector & 0xfffc) == 0) {
1197 /* XXX: NULL selector case: invalid LDT */
1198 env->ldt.base = 0;
1199 env->ldt.limit = 0;
1200 } else {
1201 if (selector & 0x4) {
1202 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1203 }
1204 dt = &env->gdt;
1205 index = selector & ~7;
1206 #ifdef TARGET_X86_64
1207 if (env->hflags & HF_LMA_MASK) {
1208 entry_limit = 15;
1209 } else
1210 #endif
1211 {
1212 entry_limit = 7;
1213 }
1214 if ((index + entry_limit) > dt->limit) {
1215 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1216 }
1217 ptr = dt->base + index;
1218 e1 = cpu_ldl_kernel_ra(env, ptr, GETPC());
1219 e2 = cpu_ldl_kernel_ra(env, ptr + 4, GETPC());
1220 if ((e2 & DESC_S_MASK) || ((e2 >> DESC_TYPE_SHIFT) & 0xf) != 2) {
1221 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1222 }
1223 if (!(e2 & DESC_P_MASK)) {
1224 raise_exception_err_ra(env, EXCP0B_NOSEG, selector & 0xfffc, GETPC());
1225 }
1226 #ifdef TARGET_X86_64
1227 if (env->hflags & HF_LMA_MASK) {
1228 uint32_t e3;
1229
1230 e3 = cpu_ldl_kernel_ra(env, ptr + 8, GETPC());
1231 load_seg_cache_raw_dt(&env->ldt, e1, e2);
1232 env->ldt.base |= (target_ulong)e3 << 32;
1233 } else
1234 #endif
1235 {
1236 load_seg_cache_raw_dt(&env->ldt, e1, e2);
1237 }
1238 }
1239 env->ldt.selector = selector;
1240 }
1241
1242 void helper_ltr(CPUX86State *env, int selector)
1243 {
1244 SegmentCache *dt;
1245 uint32_t e1, e2;
1246 int index, type, entry_limit;
1247 target_ulong ptr;
1248
1249 selector &= 0xffff;
1250 if ((selector & 0xfffc) == 0) {
1251 /* NULL selector case: invalid TR */
1252 env->tr.base = 0;
1253 env->tr.limit = 0;
1254 env->tr.flags = 0;
1255 } else {
1256 if (selector & 0x4) {
1257 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1258 }
1259 dt = &env->gdt;
1260 index = selector & ~7;
1261 #ifdef TARGET_X86_64
1262 if (env->hflags & HF_LMA_MASK) {
1263 entry_limit = 15;
1264 } else
1265 #endif
1266 {
1267 entry_limit = 7;
1268 }
1269 if ((index + entry_limit) > dt->limit) {
1270 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1271 }
1272 ptr = dt->base + index;
1273 e1 = cpu_ldl_kernel_ra(env, ptr, GETPC());
1274 e2 = cpu_ldl_kernel_ra(env, ptr + 4, GETPC());
1275 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
1276 if ((e2 & DESC_S_MASK) ||
1277 (type != 1 && type != 9)) {
1278 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1279 }
1280 if (!(e2 & DESC_P_MASK)) {
1281 raise_exception_err_ra(env, EXCP0B_NOSEG, selector & 0xfffc, GETPC());
1282 }
1283 #ifdef TARGET_X86_64
1284 if (env->hflags & HF_LMA_MASK) {
1285 uint32_t e3, e4;
1286
1287 e3 = cpu_ldl_kernel_ra(env, ptr + 8, GETPC());
1288 e4 = cpu_ldl_kernel_ra(env, ptr + 12, GETPC());
1289 if ((e4 >> DESC_TYPE_SHIFT) & 0xf) {
1290 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1291 }
1292 load_seg_cache_raw_dt(&env->tr, e1, e2);
1293 env->tr.base |= (target_ulong)e3 << 32;
1294 } else
1295 #endif
1296 {
1297 load_seg_cache_raw_dt(&env->tr, e1, e2);
1298 }
1299 e2 |= DESC_TSS_BUSY_MASK;
1300 cpu_stl_kernel_ra(env, ptr + 4, e2, GETPC());
1301 }
1302 env->tr.selector = selector;
1303 }
1304
1305 /* only works if protected mode and not VM86. seg_reg must be != R_CS */
1306 void helper_load_seg(CPUX86State *env, int seg_reg, int selector)
1307 {
1308 uint32_t e1, e2;
1309 int cpl, dpl, rpl;
1310 SegmentCache *dt;
1311 int index;
1312 target_ulong ptr;
1313
1314 selector &= 0xffff;
1315 cpl = env->hflags & HF_CPL_MASK;
1316 if ((selector & 0xfffc) == 0) {
1317 /* null selector case */
1318 if (seg_reg == R_SS
1319 #ifdef TARGET_X86_64
1320 && (!(env->hflags & HF_CS64_MASK) || cpl == 3)
1321 #endif
1322 ) {
1323 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1324 }
1325 cpu_x86_load_seg_cache(env, seg_reg, selector, 0, 0, 0);
1326 } else {
1327
1328 if (selector & 0x4) {
1329 dt = &env->ldt;
1330 } else {
1331 dt = &env->gdt;
1332 }
1333 index = selector & ~7;
1334 if ((index + 7) > dt->limit) {
1335 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1336 }
1337 ptr = dt->base + index;
1338 e1 = cpu_ldl_kernel_ra(env, ptr, GETPC());
1339 e2 = cpu_ldl_kernel_ra(env, ptr + 4, GETPC());
1340
1341 if (!(e2 & DESC_S_MASK)) {
1342 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1343 }
1344 rpl = selector & 3;
1345 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1346 if (seg_reg == R_SS) {
1347 /* must be writable segment */
1348 if ((e2 & DESC_CS_MASK) || !(e2 & DESC_W_MASK)) {
1349 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1350 }
1351 if (rpl != cpl || dpl != cpl) {
1352 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1353 }
1354 } else {
1355 /* must be readable segment */
1356 if ((e2 & (DESC_CS_MASK | DESC_R_MASK)) == DESC_CS_MASK) {
1357 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1358 }
1359
1360 if (!(e2 & DESC_CS_MASK) || !(e2 & DESC_C_MASK)) {
1361 /* if not conforming code, test rights */
1362 if (dpl < cpl || dpl < rpl) {
1363 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1364 }
1365 }
1366 }
1367
1368 if (!(e2 & DESC_P_MASK)) {
1369 if (seg_reg == R_SS) {
1370 raise_exception_err_ra(env, EXCP0C_STACK, selector & 0xfffc, GETPC());
1371 } else {
1372 raise_exception_err_ra(env, EXCP0B_NOSEG, selector & 0xfffc, GETPC());
1373 }
1374 }
1375
1376 /* set the access bit if not already set */
1377 if (!(e2 & DESC_A_MASK)) {
1378 e2 |= DESC_A_MASK;
1379 cpu_stl_kernel_ra(env, ptr + 4, e2, GETPC());
1380 }
1381
1382 cpu_x86_load_seg_cache(env, seg_reg, selector,
1383 get_seg_base(e1, e2),
1384 get_seg_limit(e1, e2),
1385 e2);
1386 #if 0
1387 qemu_log("load_seg: sel=0x%04x base=0x%08lx limit=0x%08lx flags=%08x\n",
1388 selector, (unsigned long)sc->base, sc->limit, sc->flags);
1389 #endif
1390 }
1391 }
1392
1393 /* protected mode jump */
1394 void helper_ljmp_protected(CPUX86State *env, int new_cs, target_ulong new_eip,
1395 target_ulong next_eip)
1396 {
1397 int gate_cs, type;
1398 uint32_t e1, e2, cpl, dpl, rpl, limit;
1399
1400 if ((new_cs & 0xfffc) == 0) {
1401 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1402 }
1403 if (load_segment_ra(env, &e1, &e2, new_cs, GETPC()) != 0) {
1404 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1405 }
1406 cpl = env->hflags & HF_CPL_MASK;
1407 if (e2 & DESC_S_MASK) {
1408 if (!(e2 & DESC_CS_MASK)) {
1409 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1410 }
1411 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1412 if (e2 & DESC_C_MASK) {
1413 /* conforming code segment */
1414 if (dpl > cpl) {
1415 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1416 }
1417 } else {
1418 /* non conforming code segment */
1419 rpl = new_cs & 3;
1420 if (rpl > cpl) {
1421 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1422 }
1423 if (dpl != cpl) {
1424 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1425 }
1426 }
1427 if (!(e2 & DESC_P_MASK)) {
1428 raise_exception_err_ra(env, EXCP0B_NOSEG, new_cs & 0xfffc, GETPC());
1429 }
1430 limit = get_seg_limit(e1, e2);
1431 if (new_eip > limit &&
1432 (!(env->hflags & HF_LMA_MASK) || !(e2 & DESC_L_MASK))) {
1433 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1434 }
1435 cpu_x86_load_seg_cache(env, R_CS, (new_cs & 0xfffc) | cpl,
1436 get_seg_base(e1, e2), limit, e2);
1437 env->eip = new_eip;
1438 } else {
1439 /* jump to call or task gate */
1440 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1441 rpl = new_cs & 3;
1442 cpl = env->hflags & HF_CPL_MASK;
1443 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
1444
1445 #ifdef TARGET_X86_64
1446 if (env->efer & MSR_EFER_LMA) {
1447 if (type != 12) {
1448 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1449 }
1450 }
1451 #endif
1452 switch (type) {
1453 case 1: /* 286 TSS */
1454 case 9: /* 386 TSS */
1455 case 5: /* task gate */
1456 if (dpl < cpl || dpl < rpl) {
1457 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1458 }
1459 switch_tss_ra(env, new_cs, e1, e2, SWITCH_TSS_JMP, next_eip, GETPC());
1460 break;
1461 case 4: /* 286 call gate */
1462 case 12: /* 386 call gate */
1463 if ((dpl < cpl) || (dpl < rpl)) {
1464 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1465 }
1466 if (!(e2 & DESC_P_MASK)) {
1467 raise_exception_err_ra(env, EXCP0B_NOSEG, new_cs & 0xfffc, GETPC());
1468 }
1469 gate_cs = e1 >> 16;
1470 new_eip = (e1 & 0xffff);
1471 if (type == 12) {
1472 new_eip |= (e2 & 0xffff0000);
1473 }
1474
1475 #ifdef TARGET_X86_64
1476 if (env->efer & MSR_EFER_LMA) {
1477 /* load the upper 8 bytes of the 64-bit call gate */
1478 if (load_segment_ra(env, &e1, &e2, new_cs + 8, GETPC())) {
1479 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc,
1480 GETPC());
1481 }
1482 type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
1483 if (type != 0) {
1484 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc,
1485 GETPC());
1486 }
1487 new_eip |= ((target_ulong)e1) << 32;
1488 }
1489 #endif
1490
1491 if (load_segment_ra(env, &e1, &e2, gate_cs, GETPC()) != 0) {
1492 raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1493 }
1494 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1495 /* must be code segment */
1496 if (((e2 & (DESC_S_MASK | DESC_CS_MASK)) !=
1497 (DESC_S_MASK | DESC_CS_MASK))) {
1498 raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1499 }
1500 if (((e2 & DESC_C_MASK) && (dpl > cpl)) ||
1501 (!(e2 & DESC_C_MASK) && (dpl != cpl))) {
1502 raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1503 }
1504 #ifdef TARGET_X86_64
1505 if (env->efer & MSR_EFER_LMA) {
1506 if (!(e2 & DESC_L_MASK)) {
1507 raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1508 }
1509 if (e2 & DESC_B_MASK) {
1510 raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1511 }
1512 }
1513 #endif
1514 if (!(e2 & DESC_P_MASK)) {
1515 raise_exception_err_ra(env, EXCP0D_GPF, gate_cs & 0xfffc, GETPC());
1516 }
1517 limit = get_seg_limit(e1, e2);
1518 if (new_eip > limit &&
1519 (!(env->hflags & HF_LMA_MASK) || !(e2 & DESC_L_MASK))) {
1520 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1521 }
1522 cpu_x86_load_seg_cache(env, R_CS, (gate_cs & 0xfffc) | cpl,
1523 get_seg_base(e1, e2), limit, e2);
1524 env->eip = new_eip;
1525 break;
1526 default:
1527 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1528 break;
1529 }
1530 }
1531 }
1532
1533 /* real mode call */
1534 void helper_lcall_real(CPUX86State *env, int new_cs, target_ulong new_eip1,
1535 int shift, int next_eip)
1536 {
1537 int new_eip;
1538 uint32_t esp, esp_mask;
1539 target_ulong ssp;
1540
1541 new_eip = new_eip1;
1542 esp = env->regs[R_ESP];
1543 esp_mask = get_sp_mask(env->segs[R_SS].flags);
1544 ssp = env->segs[R_SS].base;
1545 if (shift) {
1546 PUSHL_RA(ssp, esp, esp_mask, env->segs[R_CS].selector, GETPC());
1547 PUSHL_RA(ssp, esp, esp_mask, next_eip, GETPC());
1548 } else {
1549 PUSHW_RA(ssp, esp, esp_mask, env->segs[R_CS].selector, GETPC());
1550 PUSHW_RA(ssp, esp, esp_mask, next_eip, GETPC());
1551 }
1552
1553 SET_ESP(esp, esp_mask);
1554 env->eip = new_eip;
1555 env->segs[R_CS].selector = new_cs;
1556 env->segs[R_CS].base = (new_cs << 4);
1557 }
1558
1559 /* protected mode call */
1560 void helper_lcall_protected(CPUX86State *env, int new_cs, target_ulong new_eip,
1561 int shift, target_ulong next_eip)
1562 {
1563 int new_stack, i;
1564 uint32_t e1, e2, cpl, dpl, rpl, selector, param_count;
1565 uint32_t ss = 0, ss_e1 = 0, ss_e2 = 0, type, ss_dpl, sp_mask;
1566 uint32_t val, limit, old_sp_mask;
1567 target_ulong ssp, old_ssp, offset, sp;
1568
1569 LOG_PCALL("lcall %04x:" TARGET_FMT_lx " s=%d\n", new_cs, new_eip, shift);
1570 LOG_PCALL_STATE(env_cpu(env));
1571 if ((new_cs & 0xfffc) == 0) {
1572 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1573 }
1574 if (load_segment_ra(env, &e1, &e2, new_cs, GETPC()) != 0) {
1575 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1576 }
1577 cpl = env->hflags & HF_CPL_MASK;
1578 LOG_PCALL("desc=%08x:%08x\n", e1, e2);
1579 if (e2 & DESC_S_MASK) {
1580 if (!(e2 & DESC_CS_MASK)) {
1581 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1582 }
1583 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1584 if (e2 & DESC_C_MASK) {
1585 /* conforming code segment */
1586 if (dpl > cpl) {
1587 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1588 }
1589 } else {
1590 /* non conforming code segment */
1591 rpl = new_cs & 3;
1592 if (rpl > cpl) {
1593 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1594 }
1595 if (dpl != cpl) {
1596 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1597 }
1598 }
1599 if (!(e2 & DESC_P_MASK)) {
1600 raise_exception_err_ra(env, EXCP0B_NOSEG, new_cs & 0xfffc, GETPC());
1601 }
1602
1603 #ifdef TARGET_X86_64
1604 /* XXX: check 16/32 bit cases in long mode */
1605 if (shift == 2) {
1606 target_ulong rsp;
1607
1608 /* 64 bit case */
1609 rsp = env->regs[R_ESP];
1610 PUSHQ_RA(rsp, env->segs[R_CS].selector, GETPC());
1611 PUSHQ_RA(rsp, next_eip, GETPC());
1612 /* from this point, not restartable */
1613 env->regs[R_ESP] = rsp;
1614 cpu_x86_load_seg_cache(env, R_CS, (new_cs & 0xfffc) | cpl,
1615 get_seg_base(e1, e2),
1616 get_seg_limit(e1, e2), e2);
1617 env->eip = new_eip;
1618 } else
1619 #endif
1620 {
1621 sp = env->regs[R_ESP];
1622 sp_mask = get_sp_mask(env->segs[R_SS].flags);
1623 ssp = env->segs[R_SS].base;
1624 if (shift) {
1625 PUSHL_RA(ssp, sp, sp_mask, env->segs[R_CS].selector, GETPC());
1626 PUSHL_RA(ssp, sp, sp_mask, next_eip, GETPC());
1627 } else {
1628 PUSHW_RA(ssp, sp, sp_mask, env->segs[R_CS].selector, GETPC());
1629 PUSHW_RA(ssp, sp, sp_mask, next_eip, GETPC());
1630 }
1631
1632 limit = get_seg_limit(e1, e2);
1633 if (new_eip > limit) {
1634 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1635 }
1636 /* from this point, not restartable */
1637 SET_ESP(sp, sp_mask);
1638 cpu_x86_load_seg_cache(env, R_CS, (new_cs & 0xfffc) | cpl,
1639 get_seg_base(e1, e2), limit, e2);
1640 env->eip = new_eip;
1641 }
1642 } else {
1643 /* check gate type */
1644 type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
1645 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1646 rpl = new_cs & 3;
1647
1648 #ifdef TARGET_X86_64
1649 if (env->efer & MSR_EFER_LMA) {
1650 if (type != 12) {
1651 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1652 }
1653 }
1654 #endif
1655
1656 switch (type) {
1657 case 1: /* available 286 TSS */
1658 case 9: /* available 386 TSS */
1659 case 5: /* task gate */
1660 if (dpl < cpl || dpl < rpl) {
1661 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1662 }
1663 switch_tss_ra(env, new_cs, e1, e2, SWITCH_TSS_CALL, next_eip, GETPC());
1664 return;
1665 case 4: /* 286 call gate */
1666 case 12: /* 386 call gate */
1667 break;
1668 default:
1669 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1670 break;
1671 }
1672 shift = type >> 3;
1673
1674 if (dpl < cpl || dpl < rpl) {
1675 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
1676 }
1677 /* check valid bit */
1678 if (!(e2 & DESC_P_MASK)) {
1679 raise_exception_err_ra(env, EXCP0B_NOSEG, new_cs & 0xfffc, GETPC());
1680 }
1681 selector = e1 >> 16;
1682 param_count = e2 & 0x1f;
1683 offset = (e2 & 0xffff0000) | (e1 & 0x0000ffff);
1684 #ifdef TARGET_X86_64
1685 if (env->efer & MSR_EFER_LMA) {
1686 /* load the upper 8 bytes of the 64-bit call gate */
1687 if (load_segment_ra(env, &e1, &e2, new_cs + 8, GETPC())) {
1688 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc,
1689 GETPC());
1690 }
1691 type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
1692 if (type != 0) {
1693 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc,
1694 GETPC());
1695 }
1696 offset |= ((target_ulong)e1) << 32;
1697 }
1698 #endif
1699 if ((selector & 0xfffc) == 0) {
1700 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
1701 }
1702
1703 if (load_segment_ra(env, &e1, &e2, selector, GETPC()) != 0) {
1704 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1705 }
1706 if (!(e2 & DESC_S_MASK) || !(e2 & (DESC_CS_MASK))) {
1707 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1708 }
1709 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1710 if (dpl > cpl) {
1711 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1712 }
1713 #ifdef TARGET_X86_64
1714 if (env->efer & MSR_EFER_LMA) {
1715 if (!(e2 & DESC_L_MASK)) {
1716 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1717 }
1718 if (e2 & DESC_B_MASK) {
1719 raise_exception_err_ra(env, EXCP0D_GPF, selector & 0xfffc, GETPC());
1720 }
1721 shift++;
1722 }
1723 #endif
1724 if (!(e2 & DESC_P_MASK)) {
1725 raise_exception_err_ra(env, EXCP0B_NOSEG, selector & 0xfffc, GETPC());
1726 }
1727
1728 if (!(e2 & DESC_C_MASK) && dpl < cpl) {
1729 /* to inner privilege */
1730 #ifdef TARGET_X86_64
1731 if (shift == 2) {
1732 sp = get_rsp_from_tss(env, dpl);
1733 ss = dpl; /* SS = NULL selector with RPL = new CPL */
1734 new_stack = 1;
1735 sp_mask = 0;
1736 ssp = 0; /* SS base is always zero in IA-32e mode */
1737 LOG_PCALL("new ss:rsp=%04x:%016llx env->regs[R_ESP]="
1738 TARGET_FMT_lx "\n", ss, sp, env->regs[R_ESP]);
1739 } else
1740 #endif
1741 {
1742 uint32_t sp32;
1743 get_ss_esp_from_tss(env, &ss, &sp32, dpl, GETPC());
1744 LOG_PCALL("new ss:esp=%04x:%08x param_count=%d env->regs[R_ESP]="
1745 TARGET_FMT_lx "\n", ss, sp32, param_count,
1746 env->regs[R_ESP]);
1747 sp = sp32;
1748 if ((ss & 0xfffc) == 0) {
1749 raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1750 }
1751 if ((ss & 3) != dpl) {
1752 raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1753 }
1754 if (load_segment_ra(env, &ss_e1, &ss_e2, ss, GETPC()) != 0) {
1755 raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1756 }
1757 ss_dpl = (ss_e2 >> DESC_DPL_SHIFT) & 3;
1758 if (ss_dpl != dpl) {
1759 raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1760 }
1761 if (!(ss_e2 & DESC_S_MASK) ||
1762 (ss_e2 & DESC_CS_MASK) ||
1763 !(ss_e2 & DESC_W_MASK)) {
1764 raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1765 }
1766 if (!(ss_e2 & DESC_P_MASK)) {
1767 raise_exception_err_ra(env, EXCP0A_TSS, ss & 0xfffc, GETPC());
1768 }
1769
1770 sp_mask = get_sp_mask(ss_e2);
1771 ssp = get_seg_base(ss_e1, ss_e2);
1772 }
1773
1774 /* push_size = ((param_count * 2) + 8) << shift; */
1775
1776 old_sp_mask = get_sp_mask(env->segs[R_SS].flags);
1777 old_ssp = env->segs[R_SS].base;
1778 #ifdef TARGET_X86_64
1779 if (shift == 2) {
1780 /* XXX: verify if new stack address is canonical */
1781 PUSHQ_RA(sp, env->segs[R_SS].selector, GETPC());
1782 PUSHQ_RA(sp, env->regs[R_ESP], GETPC());
1783 /* parameters aren't supported for 64-bit call gates */
1784 } else
1785 #endif
1786 if (shift == 1) {
1787 PUSHL_RA(ssp, sp, sp_mask, env->segs[R_SS].selector, GETPC());
1788 PUSHL_RA(ssp, sp, sp_mask, env->regs[R_ESP], GETPC());
1789 for (i = param_count - 1; i >= 0; i--) {
1790 val = cpu_ldl_kernel_ra(env, old_ssp +
1791 ((env->regs[R_ESP] + i * 4) &
1792 old_sp_mask), GETPC());
1793 PUSHL_RA(ssp, sp, sp_mask, val, GETPC());
1794 }
1795 } else {
1796 PUSHW_RA(ssp, sp, sp_mask, env->segs[R_SS].selector, GETPC());
1797 PUSHW_RA(ssp, sp, sp_mask, env->regs[R_ESP], GETPC());
1798 for (i = param_count - 1; i >= 0; i--) {
1799 val = cpu_lduw_kernel_ra(env, old_ssp +
1800 ((env->regs[R_ESP] + i * 2) &
1801 old_sp_mask), GETPC());
1802 PUSHW_RA(ssp, sp, sp_mask, val, GETPC());
1803 }
1804 }
1805 new_stack = 1;
1806 } else {
1807 /* to same privilege */
1808 sp = env->regs[R_ESP];
1809 sp_mask = get_sp_mask(env->segs[R_SS].flags);
1810 ssp = env->segs[R_SS].base;
1811 /* push_size = (4 << shift); */
1812 new_stack = 0;
1813 }
1814
1815 #ifdef TARGET_X86_64
1816 if (shift == 2) {
1817 PUSHQ_RA(sp, env->segs[R_CS].selector, GETPC());
1818 PUSHQ_RA(sp, next_eip, GETPC());
1819 } else
1820 #endif
1821 if (shift == 1) {
1822 PUSHL_RA(ssp, sp, sp_mask, env->segs[R_CS].selector, GETPC());
1823 PUSHL_RA(ssp, sp, sp_mask, next_eip, GETPC());
1824 } else {
1825 PUSHW_RA(ssp, sp, sp_mask, env->segs[R_CS].selector, GETPC());
1826 PUSHW_RA(ssp, sp, sp_mask, next_eip, GETPC());
1827 }
1828
1829 /* from this point, not restartable */
1830
1831 if (new_stack) {
1832 #ifdef TARGET_X86_64
1833 if (shift == 2) {
1834 cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, 0);
1835 } else
1836 #endif
1837 {
1838 ss = (ss & ~3) | dpl;
1839 cpu_x86_load_seg_cache(env, R_SS, ss,
1840 ssp,
1841 get_seg_limit(ss_e1, ss_e2),
1842 ss_e2);
1843 }
1844 }
1845
1846 selector = (selector & ~3) | dpl;
1847 cpu_x86_load_seg_cache(env, R_CS, selector,
1848 get_seg_base(e1, e2),
1849 get_seg_limit(e1, e2),
1850 e2);
1851 SET_ESP(sp, sp_mask);
1852 env->eip = offset;
1853 }
1854 }
1855
1856 /* real and vm86 mode iret */
1857 void helper_iret_real(CPUX86State *env, int shift)
1858 {
1859 uint32_t sp, new_cs, new_eip, new_eflags, sp_mask;
1860 target_ulong ssp;
1861 int eflags_mask;
1862
1863 sp_mask = 0xffff; /* XXXX: use SS segment size? */
1864 sp = env->regs[R_ESP];
1865 ssp = env->segs[R_SS].base;
1866 if (shift == 1) {
1867 /* 32 bits */
1868 POPL_RA(ssp, sp, sp_mask, new_eip, GETPC());
1869 POPL_RA(ssp, sp, sp_mask, new_cs, GETPC());
1870 new_cs &= 0xffff;
1871 POPL_RA(ssp, sp, sp_mask, new_eflags, GETPC());
1872 } else {
1873 /* 16 bits */
1874 POPW_RA(ssp, sp, sp_mask, new_eip, GETPC());
1875 POPW_RA(ssp, sp, sp_mask, new_cs, GETPC());
1876 POPW_RA(ssp, sp, sp_mask, new_eflags, GETPC());
1877 }
1878 env->regs[R_ESP] = (env->regs[R_ESP] & ~sp_mask) | (sp & sp_mask);
1879 env->segs[R_CS].selector = new_cs;
1880 env->segs[R_CS].base = (new_cs << 4);
1881 env->eip = new_eip;
1882 if (env->eflags & VM_MASK) {
1883 eflags_mask = TF_MASK | AC_MASK | ID_MASK | IF_MASK | RF_MASK |
1884 NT_MASK;
1885 } else {
1886 eflags_mask = TF_MASK | AC_MASK | ID_MASK | IF_MASK | IOPL_MASK |
1887 RF_MASK | NT_MASK;
1888 }
1889 if (shift == 0) {
1890 eflags_mask &= 0xffff;
1891 }
1892 cpu_load_eflags(env, new_eflags, eflags_mask);
1893 env->hflags2 &= ~HF2_NMI_MASK;
1894 }
1895
1896 static inline void validate_seg(CPUX86State *env, X86Seg seg_reg, int cpl)
1897 {
1898 int dpl;
1899 uint32_t e2;
1900
1901 /* XXX: on x86_64, we do not want to nullify FS and GS because
1902 they may still contain a valid base. I would be interested to
1903 know how a real x86_64 CPU behaves */
1904 if ((seg_reg == R_FS || seg_reg == R_GS) &&
1905 (env->segs[seg_reg].selector & 0xfffc) == 0) {
1906 return;
1907 }
1908
1909 e2 = env->segs[seg_reg].flags;
1910 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1911 if (!(e2 & DESC_CS_MASK) || !(e2 & DESC_C_MASK)) {
1912 /* data or non conforming code segment */
1913 if (dpl < cpl) {
1914 cpu_x86_load_seg_cache(env, seg_reg, 0,
1915 env->segs[seg_reg].base,
1916 env->segs[seg_reg].limit,
1917 env->segs[seg_reg].flags & ~DESC_P_MASK);
1918 }
1919 }
1920 }
1921
1922 /* protected mode iret */
1923 static inline void helper_ret_protected(CPUX86State *env, int shift,
1924 int is_iret, int addend,
1925 uintptr_t retaddr)
1926 {
1927 uint32_t new_cs, new_eflags, new_ss;
1928 uint32_t new_es, new_ds, new_fs, new_gs;
1929 uint32_t e1, e2, ss_e1, ss_e2;
1930 int cpl, dpl, rpl, eflags_mask, iopl;
1931 target_ulong ssp, sp, new_eip, new_esp, sp_mask;
1932
1933 #ifdef TARGET_X86_64
1934 if (shift == 2) {
1935 sp_mask = -1;
1936 } else
1937 #endif
1938 {
1939 sp_mask = get_sp_mask(env->segs[R_SS].flags);
1940 }
1941 sp = env->regs[R_ESP];
1942 ssp = env->segs[R_SS].base;
1943 new_eflags = 0; /* avoid warning */
1944 #ifdef TARGET_X86_64
1945 if (shift == 2) {
1946 POPQ_RA(sp, new_eip, retaddr);
1947 POPQ_RA(sp, new_cs, retaddr);
1948 new_cs &= 0xffff;
1949 if (is_iret) {
1950 POPQ_RA(sp, new_eflags, retaddr);
1951 }
1952 } else
1953 #endif
1954 {
1955 if (shift == 1) {
1956 /* 32 bits */
1957 POPL_RA(ssp, sp, sp_mask, new_eip, retaddr);
1958 POPL_RA(ssp, sp, sp_mask, new_cs, retaddr);
1959 new_cs &= 0xffff;
1960 if (is_iret) {
1961 POPL_RA(ssp, sp, sp_mask, new_eflags, retaddr);
1962 if (new_eflags & VM_MASK) {
1963 goto return_to_vm86;
1964 }
1965 }
1966 } else {
1967 /* 16 bits */
1968 POPW_RA(ssp, sp, sp_mask, new_eip, retaddr);
1969 POPW_RA(ssp, sp, sp_mask, new_cs, retaddr);
1970 if (is_iret) {
1971 POPW_RA(ssp, sp, sp_mask, new_eflags, retaddr);
1972 }
1973 }
1974 }
1975 LOG_PCALL("lret new %04x:" TARGET_FMT_lx " s=%d addend=0x%x\n",
1976 new_cs, new_eip, shift, addend);
1977 LOG_PCALL_STATE(env_cpu(env));
1978 if ((new_cs & 0xfffc) == 0) {
1979 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1980 }
1981 if (load_segment_ra(env, &e1, &e2, new_cs, retaddr) != 0) {
1982 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1983 }
1984 if (!(e2 & DESC_S_MASK) ||
1985 !(e2 & DESC_CS_MASK)) {
1986 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1987 }
1988 cpl = env->hflags & HF_CPL_MASK;
1989 rpl = new_cs & 3;
1990 if (rpl < cpl) {
1991 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1992 }
1993 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1994 if (e2 & DESC_C_MASK) {
1995 if (dpl > rpl) {
1996 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
1997 }
1998 } else {
1999 if (dpl != rpl) {
2000 raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, retaddr);
2001 }
2002 }
2003 if (!(e2 & DESC_P_MASK)) {
2004 raise_exception_err_ra(env, EXCP0B_NOSEG, new_cs & 0xfffc, retaddr);
2005 }
2006
2007 sp += addend;
2008 if (rpl == cpl && (!(env->hflags & HF_CS64_MASK) ||
2009 ((env->hflags & HF_CS64_MASK) && !is_iret))) {
2010 /* return to same privilege level */
2011 cpu_x86_load_seg_cache(env, R_CS, new_cs,
2012 get_seg_base(e1, e2),
2013 get_seg_limit(e1, e2),
2014 e2);
2015 } else {
2016 /* return to different privilege level */
2017 #ifdef TARGET_X86_64
2018 if (shift == 2) {
2019 POPQ_RA(sp, new_esp, retaddr);
2020 POPQ_RA(sp, new_ss, retaddr);
2021 new_ss &= 0xffff;
2022 } else
2023 #endif
2024 {
2025 if (shift == 1) {
2026 /* 32 bits */
2027 POPL_RA(ssp, sp, sp_mask, new_esp, retaddr);
2028 POPL_RA(ssp, sp, sp_mask, new_ss, retaddr);
2029 new_ss &= 0xffff;
2030 } else {
2031 /* 16 bits */
2032 POPW_RA(ssp, sp, sp_mask, new_esp, retaddr);
2033 POPW_RA(ssp, sp, sp_mask, new_ss, retaddr);
2034 }
2035 }
2036 LOG_PCALL("new ss:esp=%04x:" TARGET_FMT_lx "\n",
2037 new_ss, new_esp);
2038 if ((new_ss & 0xfffc) == 0) {
2039 #ifdef TARGET_X86_64
2040 /* NULL ss is allowed in long mode if cpl != 3 */
2041 /* XXX: test CS64? */
2042 if ((env->hflags & HF_LMA_MASK) && rpl != 3) {
2043 cpu_x86_load_seg_cache(env, R_SS, new_ss,
2044 0, 0xffffffff,
2045 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2046 DESC_S_MASK | (rpl << DESC_DPL_SHIFT) |
2047 DESC_W_MASK | DESC_A_MASK);
2048 ss_e2 = DESC_B_MASK; /* XXX: should not be needed? */
2049 } else
2050 #endif
2051 {
2052 raise_exception_err_ra(env, EXCP0D_GPF, 0, retaddr);
2053 }
2054 } else {
2055 if ((new_ss & 3) != rpl) {
2056 raise_exception_err_ra(env, EXCP0D_GPF, new_ss & 0xfffc, retaddr);
2057 }
2058 if (load_segment_ra(env, &ss_e1, &ss_e2, new_ss, retaddr) != 0) {
2059 raise_exception_err_ra(env, EXCP0D_GPF, new_ss & 0xfffc, retaddr);
2060 }
2061 if (!(ss_e2 & DESC_S_MASK) ||
2062 (ss_e2 & DESC_CS_MASK) ||
2063 !(ss_e2 & DESC_W_MASK)) {
2064 raise_exception_err_ra(env, EXCP0D_GPF, new_ss & 0xfffc, retaddr);
2065 }
2066 dpl = (ss_e2 >> DESC_DPL_SHIFT) & 3;
2067 if (dpl != rpl) {
2068 raise_exception_err_ra(env, EXCP0D_GPF, new_ss & 0xfffc, retaddr);
2069 }
2070 if (!(ss_e2 & DESC_P_MASK)) {
2071 raise_exception_err_ra(env, EXCP0B_NOSEG, new_ss & 0xfffc, retaddr);
2072 }
2073 cpu_x86_load_seg_cache(env, R_SS, new_ss,
2074 get_seg_base(ss_e1, ss_e2),
2075 get_seg_limit(ss_e1, ss_e2),
2076 ss_e2);
2077 }
2078
2079 cpu_x86_load_seg_cache(env, R_CS, new_cs,
2080 get_seg_base(e1, e2),
2081 get_seg_limit(e1, e2),
2082 e2);
2083 sp = new_esp;
2084 #ifdef TARGET_X86_64
2085 if (env->hflags & HF_CS64_MASK) {
2086 sp_mask = -1;
2087 } else
2088 #endif
2089 {
2090 sp_mask = get_sp_mask(ss_e2);
2091 }
2092
2093 /* validate data segments */
2094 validate_seg(env, R_ES, rpl);
2095 validate_seg(env, R_DS, rpl);
2096 validate_seg(env, R_FS, rpl);
2097 validate_seg(env, R_GS, rpl);
2098
2099 sp += addend;
2100 }
2101 SET_ESP(sp, sp_mask);
2102 env->eip = new_eip;
2103 if (is_iret) {
2104 /* NOTE: 'cpl' is the _old_ CPL */
2105 eflags_mask = TF_MASK | AC_MASK | ID_MASK | RF_MASK | NT_MASK;
2106 if (cpl == 0) {
2107 eflags_mask |= IOPL_MASK;
2108 }
2109 iopl = (env->eflags >> IOPL_SHIFT) & 3;
2110 if (cpl <= iopl) {
2111 eflags_mask |= IF_MASK;
2112 }
2113 if (shift == 0) {
2114 eflags_mask &= 0xffff;
2115 }
2116 cpu_load_eflags(env, new_eflags, eflags_mask);
2117 }
2118 return;
2119
2120 return_to_vm86:
2121 POPL_RA(ssp, sp, sp_mask, new_esp, retaddr);
2122 POPL_RA(ssp, sp, sp_mask, new_ss, retaddr);
2123 POPL_RA(ssp, sp, sp_mask, new_es, retaddr);
2124 POPL_RA(ssp, sp, sp_mask, new_ds, retaddr);
2125 POPL_RA(ssp, sp, sp_mask, new_fs, retaddr);
2126 POPL_RA(ssp, sp, sp_mask, new_gs, retaddr);
2127
2128 /* modify processor state */
2129 cpu_load_eflags(env, new_eflags, TF_MASK | AC_MASK | ID_MASK |
2130 IF_MASK | IOPL_MASK | VM_MASK | NT_MASK | VIF_MASK |
2131 VIP_MASK);
2132 load_seg_vm(env, R_CS, new_cs & 0xffff);
2133 load_seg_vm(env, R_SS, new_ss & 0xffff);
2134 load_seg_vm(env, R_ES, new_es & 0xffff);
2135 load_seg_vm(env, R_DS, new_ds & 0xffff);
2136 load_seg_vm(env, R_FS, new_fs & 0xffff);
2137 load_seg_vm(env, R_GS, new_gs & 0xffff);
2138
2139 env->eip = new_eip & 0xffff;
2140 env->regs[R_ESP] = new_esp;
2141 }
2142
2143 void helper_iret_protected(CPUX86State *env, int shift, int next_eip)
2144 {
2145 int tss_selector, type;
2146 uint32_t e1, e2;
2147
2148 /* specific case for TSS */
2149 if (env->eflags & NT_MASK) {
2150 #ifdef TARGET_X86_64
2151 if (env->hflags & HF_LMA_MASK) {
2152 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
2153 }
2154 #endif
2155 tss_selector = cpu_lduw_kernel_ra(env, env->tr.base + 0, GETPC());
2156 if (tss_selector & 4) {
2157 raise_exception_err_ra(env, EXCP0A_TSS, tss_selector & 0xfffc, GETPC());
2158 }
2159 if (load_segment_ra(env, &e1, &e2, tss_selector, GETPC()) != 0) {
2160 raise_exception_err_ra(env, EXCP0A_TSS, tss_selector & 0xfffc, GETPC());
2161 }
2162 type = (e2 >> DESC_TYPE_SHIFT) & 0x17;
2163 /* NOTE: we check both segment and busy TSS */
2164 if (type != 3) {
2165 raise_exception_err_ra(env, EXCP0A_TSS, tss_selector & 0xfffc, GETPC());
2166 }
2167 switch_tss_ra(env, tss_selector, e1, e2, SWITCH_TSS_IRET, next_eip, GETPC());
2168 } else {
2169 helper_ret_protected(env, shift, 1, 0, GETPC());
2170 }
2171 env->hflags2 &= ~HF2_NMI_MASK;
2172 }
2173
2174 void helper_lret_protected(CPUX86State *env, int shift, int addend)
2175 {
2176 helper_ret_protected(env, shift, 0, addend, GETPC());
2177 }
2178
2179 void helper_sysenter(CPUX86State *env)
2180 {
2181 if (env->sysenter_cs == 0) {
2182 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
2183 }
2184 env->eflags &= ~(VM_MASK | IF_MASK | RF_MASK);
2185
2186 #ifdef TARGET_X86_64
2187 if (env->hflags & HF_LMA_MASK) {
2188 cpu_x86_load_seg_cache(env, R_CS, env->sysenter_cs & 0xfffc,
2189 0, 0xffffffff,
2190 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2191 DESC_S_MASK |
2192 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK |
2193 DESC_L_MASK);
2194 } else
2195 #endif
2196 {
2197 cpu_x86_load_seg_cache(env, R_CS, env->sysenter_cs & 0xfffc,
2198 0, 0xffffffff,
2199 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2200 DESC_S_MASK |
2201 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
2202 }
2203 cpu_x86_load_seg_cache(env, R_SS, (env->sysenter_cs + 8) & 0xfffc,
2204 0, 0xffffffff,
2205 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2206 DESC_S_MASK |
2207 DESC_W_MASK | DESC_A_MASK);
2208 env->regs[R_ESP] = env->sysenter_esp;
2209 env->eip = env->sysenter_eip;
2210 }
2211
2212 void helper_sysexit(CPUX86State *env, int dflag)
2213 {
2214 int cpl;
2215
2216 cpl = env->hflags & HF_CPL_MASK;
2217 if (env->sysenter_cs == 0 || cpl != 0) {
2218 raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
2219 }
2220 #ifdef TARGET_X86_64
2221 if (dflag == 2) {
2222 cpu_x86_load_seg_cache(env, R_CS, ((env->sysenter_cs + 32) & 0xfffc) |
2223 3, 0, 0xffffffff,
2224 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2225 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2226 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK |
2227 DESC_L_MASK);
2228 cpu_x86_load_seg_cache(env, R_SS, ((env->sysenter_cs + 40) & 0xfffc) |
2229 3, 0, 0xffffffff,
2230 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2231 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2232 DESC_W_MASK | DESC_A_MASK);
2233 } else
2234 #endif
2235 {
2236 cpu_x86_load_seg_cache(env, R_CS, ((env->sysenter_cs + 16) & 0xfffc) |
2237 3, 0, 0xffffffff,
2238 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2239 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2240 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
2241 cpu_x86_load_seg_cache(env, R_SS, ((env->sysenter_cs + 24) & 0xfffc) |
2242 3, 0, 0xffffffff,
2243 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2244 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2245 DESC_W_MASK | DESC_A_MASK);
2246 }
2247 env->regs[R_ESP] = env->regs[R_ECX];
2248 env->eip = env->regs[R_EDX];
2249 }
2250
2251 target_ulong helper_lsl(CPUX86State *env, target_ulong selector1)
2252 {
2253 unsigned int limit;
2254 uint32_t e1, e2, eflags, selector;
2255 int rpl, dpl, cpl, type;
2256
2257 selector = selector1 & 0xffff;
2258 eflags = cpu_cc_compute_all(env, CC_OP);
2259 if ((selector & 0xfffc) == 0) {
2260 goto fail;
2261 }
2262 if (load_segment_ra(env, &e1, &e2, selector, GETPC()) != 0) {
2263 goto fail;
2264 }
2265 rpl = selector & 3;
2266 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2267 cpl = env->hflags & HF_CPL_MASK;
2268 if (e2 & DESC_S_MASK) {
2269 if ((e2 & DESC_CS_MASK) && (e2 & DESC_C_MASK)) {
2270 /* conforming */
2271 } else {
2272 if (dpl < cpl || dpl < rpl) {
2273 goto fail;
2274 }
2275 }
2276 } else {
2277 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
2278 switch (type) {
2279 case 1:
2280 case 2:
2281 case 3:
2282 case 9:
2283 case 11:
2284 break;
2285 default:
2286 goto fail;
2287 }
2288 if (dpl < cpl || dpl < rpl) {
2289 fail:
2290 CC_SRC = eflags & ~CC_Z;
2291 return 0;
2292 }
2293 }
2294 limit = get_seg_limit(e1, e2);
2295 CC_SRC = eflags | CC_Z;
2296 return limit;
2297 }
2298
2299 target_ulong helper_lar(CPUX86State *env, target_ulong selector1)
2300 {
2301 uint32_t e1, e2, eflags, selector;
2302 int rpl, dpl, cpl, type;
2303
2304 selector = selector1 & 0xffff;
2305 eflags = cpu_cc_compute_all(env, CC_OP);
2306 if ((selector & 0xfffc) == 0) {
2307 goto fail;
2308 }
2309 if (load_segment_ra(env, &e1, &e2, selector, GETPC()) != 0) {
2310 goto fail;
2311 }
2312 rpl = selector & 3;
2313 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2314 cpl = env->hflags & HF_CPL_MASK;
2315 if (e2 & DESC_S_MASK) {
2316 if ((e2 & DESC_CS_MASK) && (e2 & DESC_C_MASK)) {
2317 /* conforming */
2318 } else {
2319 if (dpl < cpl || dpl < rpl) {
2320 goto fail;
2321 }
2322 }
2323 } else {
2324 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
2325 switch (type) {
2326 case 1:
2327 case 2:
2328 case 3:
2329 case 4:
2330 case 5:
2331 case 9:
2332 case 11:
2333 case 12:
2334 break;
2335 default:
2336 goto fail;
2337 }
2338 if (dpl < cpl || dpl < rpl) {
2339 fail:
2340 CC_SRC = eflags & ~CC_Z;
2341 return 0;
2342 }
2343 }
2344 CC_SRC = eflags | CC_Z;
2345 return e2 & 0x00f0ff00;
2346 }
2347
2348 void helper_verr(CPUX86State *env, target_ulong selector1)
2349 {
2350 uint32_t e1, e2, eflags, selector;
2351 int rpl, dpl, cpl;
2352
2353 selector = selector1 & 0xffff;
2354 eflags = cpu_cc_compute_all(env, CC_OP);
2355 if ((selector & 0xfffc) == 0) {
2356 goto fail;
2357 }
2358 if (load_segment_ra(env, &e1, &e2, selector, GETPC()) != 0) {
2359 goto fail;
2360 }
2361 if (!(e2 & DESC_S_MASK)) {
2362 goto fail;
2363 }
2364 rpl = selector & 3;
2365 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2366 cpl = env->hflags & HF_CPL_MASK;
2367 if (e2 & DESC_CS_MASK) {
2368 if (!(e2 & DESC_R_MASK)) {
2369 goto fail;
2370 }
2371 if (!(e2 & DESC_C_MASK)) {
2372 if (dpl < cpl || dpl < rpl) {
2373 goto fail;
2374 }
2375 }
2376 } else {
2377 if (dpl < cpl || dpl < rpl) {
2378 fail:
2379 CC_SRC = eflags & ~CC_Z;
2380 return;
2381 }
2382 }
2383 CC_SRC = eflags | CC_Z;
2384 }
2385
2386 void helper_verw(CPUX86State *env, target_ulong selector1)
2387 {
2388 uint32_t e1, e2, eflags, selector;
2389 int rpl, dpl, cpl;
2390
2391 selector = selector1 & 0xffff;
2392 eflags = cpu_cc_compute_all(env, CC_OP);
2393 if ((selector & 0xfffc) == 0) {
2394 goto fail;
2395 }
2396 if (load_segment_ra(env, &e1, &e2, selector, GETPC()) != 0) {
2397 goto fail;
2398 }
2399 if (!(e2 & DESC_S_MASK)) {
2400 goto fail;
2401 }
2402 rpl = selector & 3;
2403 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2404 cpl = env->hflags & HF_CPL_MASK;
2405 if (e2 & DESC_CS_MASK) {
2406 goto fail;
2407 } else {
2408 if (dpl < cpl || dpl < rpl) {
2409 goto fail;
2410 }
2411 if (!(e2 & DESC_W_MASK)) {
2412 fail:
2413 CC_SRC = eflags & ~CC_Z;
2414 return;
2415 }
2416 }
2417 CC_SRC = eflags | CC_Z;
2418 }
2419
2420 /* check if Port I/O is allowed in TSS */
2421 static inline void check_io(CPUX86State *env, int addr, int size,
2422 uintptr_t retaddr)
2423 {
2424 int io_offset, val, mask;
2425
2426 /* TSS must be a valid 32 bit one */
2427 if (!(env->tr.flags & DESC_P_MASK) ||
2428 ((env->tr.flags >> DESC_TYPE_SHIFT) & 0xf) != 9 ||
2429 env->tr.limit < 103) {
2430 goto fail;
2431 }
2432 io_offset = cpu_lduw_kernel_ra(env, env->tr.base + 0x66, retaddr);
2433 io_offset += (addr >> 3);
2434 /* Note: the check needs two bytes */
2435 if ((io_offset + 1) > env->tr.limit) {
2436 goto fail;
2437 }
2438 val = cpu_lduw_kernel_ra(env, env->tr.base + io_offset, retaddr);
2439 val >>= (addr & 7);
2440 mask = (1 << size) - 1;
2441 /* all bits must be zero to allow the I/O */
2442 if ((val & mask) != 0) {
2443 fail:
2444 raise_exception_err_ra(env, EXCP0D_GPF, 0, retaddr);
2445 }
2446 }
2447
2448 void helper_check_iob(CPUX86State *env, uint32_t t0)
2449 {
2450 check_io(env, t0, 1, GETPC());
2451 }
2452
2453 void helper_check_iow(CPUX86State *env, uint32_t t0)
2454 {
2455 check_io(env, t0, 2, GETPC());
2456 }
2457
2458 void helper_check_iol(CPUX86State *env, uint32_t t0)
2459 {
2460 check_io(env, t0, 4, GETPC());
2461 }
Random patches