/******************************************************************************
 * emulate.c
 *
 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
 *
 * Copyright (c) 2005 Keir Fraser
 *
 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
 * privileged instructions:
 *
 * Copyright (C) 2006 Qumranet
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 *   Avi Kivity <avi@qumranet.com>
 *   Yaniv Kamay <yaniv@qumranet.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2.  See
 * the COPYING file in the top-level directory.
 *
 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
 */
#ifndef __KERNEL__
#include <stdio.h>
#include <stdint.h>
#include <public/xen.h>
#define DPRINTF(_f, _a ...) printf(_f , ## _a)
#else
#include <linux/kvm_host.h>
#include "kvm_cache_regs.h"
#define DPRINTF(x...) do {} while (0)
#endif
#include <linux/module.h>
#include <asm/kvm_emulate.h>
/*
 * Opcode effective-address decode tables.
 * Note that we only emulate instructions that have at least one memory
 * operand (excluding implicit stack references). We assume that stack
 * references and instruction fetches will never occur in special memory
 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
 * not be handled.
 */
/* Operand sizes: 8-bit operands or specified/overridden size. */
#define ByteOp      (1<<0)	/* 8-bit operands. */
/* Destination operand type. */
#define ImplicitOps (1<<1)	/* Implicit in opcode. No generic decode. */
#define DstReg      (2<<1)	/* Register operand. */
#define DstMem      (3<<1)	/* Memory operand. */
#define DstAcc      (4<<1)	/* Destination Accumulator */
#define DstDI       (5<<1)	/* Destination is in ES:(E)DI */
#define DstMem64    (6<<1)	/* 64bit memory operand */
#define DstMask     (7<<1)
/* Source operand type. */
#define SrcNone     (0<<4)	/* No source operand. */
#define SrcImplicit (0<<4)	/* Source operand is implicit in the opcode. */
#define SrcReg      (1<<4)	/* Register operand. */
#define SrcMem      (2<<4)	/* Memory operand. */
#define SrcMem16    (3<<4)	/* Memory operand (16-bit). */
#define SrcMem32    (4<<4)	/* Memory operand (32-bit). */
#define SrcImm      (5<<4)	/* Immediate operand. */
#define SrcImmByte  (6<<4)	/* 8-bit sign-extended immediate operand. */
#define SrcOne      (7<<4)	/* Implied '1' */
#define SrcImmUByte (8<<4)	/* 8-bit unsigned immediate operand. */
#define SrcImmU     (9<<4)	/* Immediate operand, unsigned */
#define SrcSI       (0xa<<4)	/* Source is in the DS:RSI */
#define SrcImmFAddr (0xb<<4)	/* Source is immediate far address */
#define SrcMemFAddr (0xc<<4)	/* Source is far address in memory */
#define SrcAcc      (0xd<<4)	/* Source Accumulator */
#define SrcMask     (0xf<<4)
/* Generic ModRM decode. */
#define ModRM       (1<<8)
/* Destination is only written; never read. */
#define Mov         (1<<9)
#define BitOp       (1<<10)
#define MemAbs      (1<<11)	/* Memory operand is absolute displacement */
#define String      (1<<12)	/* String instruction (rep capable) */
#define Stack       (1<<13)	/* Stack instruction (push/pop) */
#define Group       (1<<14)	/* Bits 3:5 of modrm byte extend opcode */
#define GroupDual   (1<<15)	/* Alternate decoding of mod == 3 */
/* Misc flags */
#define Undefined   (1<<25)	/* No Such Instruction */
#define Lock        (1<<26)	/* lock prefix is allowed for the instruction */
#define Priv        (1<<27)	/* instruction generates #GP if current CPL != 0 */
#define No64        (1<<28)	/* instruction is not valid in 64-bit mode */
/* Source 2 operand type */
#define Src2None    (0<<29)
#define Src2CL      (1<<29)
#define Src2ImmByte (2<<29)
#define Src2One     (3<<29)
#define Src2Mask    (7<<29)
#define X2(x...) x, x
#define X3(x...) X2(x), x
#define X4(x...) X2(x), X2(x)
#define X5(x...) X4(x), x
#define X6(x...) X4(x), X2(x)
#define X7(x...) X4(x), X3(x)
#define X8(x...) X4(x), X4(x)
#define X16(x...) X8(x), X8(x)
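/*
 * For illustration: X4(D(DstReg)) expands to
 * "D(DstReg), D(DstReg), D(DstReg), D(DstReg)", so a run of identical
 * opcode-table entries can be written once instead of spelled out.
 */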
struct opcode {
	u32 flags;
	union {
		int (*execute)(struct x86_emulate_ctxt *ctxt);
		struct opcode *group;
		struct group_dual *gdual;
	} u;
};

struct group_dual {
	struct opcode mod012[8];
	struct opcode mod3[8];
};
/* EFLAGS bit definitions. */
#define EFLG_ID (1<<21)
#define EFLG_VIP (1<<20)
#define EFLG_VIF (1<<19)
#define EFLG_AC (1<<18)
#define EFLG_VM (1<<17)
#define EFLG_RF (1<<16)
#define EFLG_IOPL (3<<12)
#define EFLG_NT (1<<14)
#define EFLG_OF (1<<11)
#define EFLG_DF (1<<10)
#define EFLG_IF (1<<9)
#define EFLG_TF (1<<8)
#define EFLG_SF (1<<7)
#define EFLG_ZF (1<<6)
#define EFLG_AF (1<<4)
#define EFLG_PF (1<<2)
#define EFLG_CF (1<<0)

#define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
#define EFLG_RESERVED_ONE_MASK 2
/*
 * Instruction emulation:
 * Most instructions are emulated directly via a fragment of inline assembly
 * code. This allows us to save/restore EFLAGS and thus very easily pick up
 * any modified flags.
 */
#if defined(CONFIG_X86_64)
#define _LO32 "k"		/* force 32-bit operand */
#define _STK  "%%rsp"		/* stack pointer */
#elif defined(__i386__)
#define _LO32 ""		/* force 32-bit operand */
#define _STK  "%%esp"		/* stack pointer */
#endif
/*
 * These EFLAGS bits are restored from saved value during emulation, and
 * any changes are written back to the saved value after emulation.
 */
#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
/* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp)					\
	/* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
	"movl %"_sav",%"_LO32 _tmp"; "					\
	"push %"_sav"; "						\
	"push %"_tmp"; "						\
	"movl %"_msk",%"_LO32 _tmp"; "					\
	"andl %"_LO32 _tmp",("_STK"); "					\
	"pushf; "							\
	"notl %"_LO32 _tmp"; "						\
	"andl %"_LO32 _tmp",("_STK"); "					\
	"andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); "	\
	"pop  %"_tmp"; "						\
	"orl  %"_LO32 _tmp",("_STK"); "					\
	"popf; "							\
	"pop  %"_sav"; "

/* After executing instruction: write-back necessary bits in EFLAGS. */
#define _POST_EFLAGS(_sav, _msk, _tmp)		\
	/* _sav |= EFLAGS & _msk; */		\
	"pushf; "				\
	"pop  %"_LO32 _tmp"; "			\
	"andl %"_msk",%"_LO32 _tmp"; "		\
	"orl  %"_LO32 _tmp",%"_sav"; "

#ifdef CONFIG_X86_64
#define ON64(x) x
#else
#define ON64(x)
#endif
#define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix)	\
	do {								\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "4", "2")			\
			_op _suffix " %"_x"3,%1; "			\
			_POST_EFLAGS("0", "4", "2")			\
			: "=m" (_eflags), "=m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: _y ((_src).val), "i" (EFLAGS_MASK));		\
	} while (0)
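/*
 * Illustrative expansion (assumes a 32-bit "add"): via emulate_2op_SrcV
 * this becomes roughly
 *	asm("<restore guest flags>; addl %k3,%1; <save guest flags>"
 *	    : "=m"(eflags), "=m"(dst.val), "=&r"(tmp)
 *	    : "r"(src.val), "i"(EFLAGS_MASK));
 * i.e. the host CPU computes both the result and the guest's new flags.
 */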
/* Raw emulation: instruction has two explicit operands. */
#define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
	do {								\
		unsigned long _tmp;					\
									\
		switch ((_dst).bytes) {					\
		case 2:							\
			____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
			break;						\
		case 4:							\
			____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
			break;						\
		case 8:							\
			ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
			break;						\
		}							\
	} while (0)

#define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
	do {								     \
		unsigned long _tmp;					     \
		switch ((_dst).bytes) {					     \
		case 1:							     \
			____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b");  \
			break;						     \
		default:						     \
			__emulate_2op_nobyte(_op, _src, _dst, _eflags,	     \
					     _wx, _wy, _lx, _ly, _qx, _qy);  \
			break;						     \
		}							     \
	} while (0)
/* Source operand is byte-sized and may be restricted to just %cl. */
#define emulate_2op_SrcB(_op, _src, _dst, _eflags)			\
	__emulate_2op(_op, _src, _dst, _eflags,				\
		      "b", "c", "b", "c", "b", "c", "b", "c")

/* Source operand is byte, word, long or quad sized. */
#define emulate_2op_SrcV(_op, _src, _dst, _eflags)			\
	__emulate_2op(_op, _src, _dst, _eflags,				\
		      "b", "q", "w", "r", _LO32, "r", "", "r")

/* Source operand is word, long or quad sized. */
#define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags)		\
	__emulate_2op_nobyte(_op, _src, _dst, _eflags,			\
			     "w", "r", _LO32, "r", "", "r")
/* Instruction has three operands and one operand is stored in ECX register */
#define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
	do {								\
		unsigned long _tmp;					\
		_type _clv  = (_cl).val;				\
		_type _srcv = (_src).val;				\
		_type _dstv = (_dst).val;				\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "5", "2")			\
			_op _suffix " %4,%1 \n"				\
			_POST_EFLAGS("0", "5", "2")			\
			: "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp)	\
			: "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK)	\
			);						\
									\
		(_cl).val  = (unsigned long) _clv;			\
		(_src).val = (unsigned long) _srcv;			\
		(_dst).val = (unsigned long) _dstv;			\
	} while (0)

#define emulate_2op_cl(_op, _cl, _src, _dst, _eflags)			\
	do {								\
		switch ((_dst).bytes) {					\
		case 2:							\
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					 "w", unsigned short);		\
			break;						\
		case 4:							\
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					 "l", unsigned int);		\
			break;						\
		case 8:							\
			ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					      "q", unsigned long));	\
			break;						\
		}							\
	} while (0)
#define __emulate_1op(_op, _dst, _eflags, _suffix)			\
	do {								\
		unsigned long _tmp;					\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "3", "2")			\
			_op _suffix " %1; "				\
			_POST_EFLAGS("0", "3", "2")			\
			: "=m" (_eflags), "+m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: "i" (EFLAGS_MASK));				\
	} while (0)

/* Instruction has only one explicit operand (no source operand). */
#define emulate_1op(_op, _dst, _eflags)					\
	do {								\
		switch ((_dst).bytes) {					\
		case 1:	__emulate_1op(_op, _dst, _eflags, "b"); break;	\
		case 2:	__emulate_1op(_op, _dst, _eflags, "w"); break;	\
		case 4:	__emulate_1op(_op, _dst, _eflags, "l"); break;	\
		case 8:	ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
		}							\
	} while (0)
/* Fetch next part of the instruction being emulated. */
#define insn_fetch(_type, _size, _eip)					\
({	unsigned long _x;						\
	rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
	(_type)_x;							\
})

#define insn_fetch_arr(_arr, _size, _eip)				\
({	rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
})
static inline unsigned long ad_mask(struct decode_cache *c)
{
	return (1UL << (c->ad_bytes << 3)) - 1;
}

/* Access/update address held in a register, based on addressing mode. */
static inline unsigned long
address_mask(struct decode_cache *c, unsigned long reg)
{
	if (c->ad_bytes == sizeof(unsigned long))
		return reg;
	else
		return reg & ad_mask(c);
}
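/*
 * Worked example: with ad_bytes == 2, ad_mask(c) == 0xffff, so
 * address_mask(c, 0x12345678) == 0x5678 -- exactly the wrap-around a
 * 16-bit addressing mode performs.
 */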
static inline unsigned long
register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
{
	return base + address_mask(c, reg);
}

static inline void
register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
{
	if (c->ad_bytes == sizeof(unsigned long))
		*reg += inc;
	else
		*reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
}
static inline void jmp_rel(struct decode_cache *c, int rel)
{
	register_address_increment(c, &c->eip, rel);
}

static void set_seg_override(struct decode_cache *c, int seg)
{
	c->has_seg_override = true;
	c->seg_override = seg;
}
static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
		return 0;

	return ops->get_cached_segment_base(seg, ctxt->vcpu);
}

static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
				       struct x86_emulate_ops *ops,
				       struct decode_cache *c)
{
	if (!c->has_seg_override)
		return 0;

	return seg_base(ctxt, ops, c->seg_override);
}

static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_ES);
}

static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_SS);
}
static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
			      u32 error, bool valid)
{
	ctxt->exception = vec;
	ctxt->error_code = error;
	ctxt->error_code_valid = valid;
	ctxt->restart = false;
}

static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, GP_VECTOR, err, true);
}

static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
		       u32 err)
{
	ctxt->cr2 = addr;
	emulate_exception(ctxt, PF_VECTOR, err, true);
}

static void emulate_ud(struct x86_emulate_ctxt *ctxt)
{
	emulate_exception(ctxt, UD_VECTOR, 0, false);
}

static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, TS_VECTOR, err, true);
}
static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops,
			      unsigned long eip, u8 *dest)
{
	struct fetch_cache *fc = &ctxt->decode.fetch;
	int rc;
	int size, cur_size;

	if (eip == fc->end) {
		cur_size = fc->end - fc->start;
		size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
		rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
				size, ctxt->vcpu, NULL);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		fc->end += size;
	}
	*dest = fc->data[eip - fc->start];
	return X86EMUL_CONTINUE;
}
static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long eip, void *dest, unsigned size)
{
	int rc;

	/* x86 instructions are limited to 15 bytes. */
	if (eip + size - ctxt->eip > 15)
		return X86EMUL_UNHANDLEABLE;
	while (size--) {
		rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
		if (rc != X86EMUL_CONTINUE)
			return rc;
	}
	return X86EMUL_CONTINUE;
}
/*
 * Given the 'reg' portion of a ModRM byte, and a register block, return a
 * pointer into the block that addresses the relevant register.
 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
 */
static void *decode_register(u8 modrm_reg, unsigned long *regs,
			     int highbyte_regs)
{
	void *p;

	p = &regs[modrm_reg];
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
		p = (unsigned char *)&regs[modrm_reg & 3] + 1;
	return p;
}
static int read_descriptor(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   void *ptr,
			   u16 *size, unsigned long *address, int op_bytes)
{
	int rc;

	if (op_bytes == 2)
		op_bytes = 3;
	*address = 0;
	rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
			   ctxt->vcpu, NULL);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
			   ctxt->vcpu, NULL);
	return rc;
}
static int test_cc(unsigned int condition, unsigned int flags)
{
	int rc = 0;

	switch ((condition & 15) >> 1) {
	case 0: /* o */
		rc |= (flags & EFLG_OF);
		break;
	case 1: /* b/c/nae */
		rc |= (flags & EFLG_CF);
		break;
	case 2: /* z/e */
		rc |= (flags & EFLG_ZF);
		break;
	case 3: /* be/na */
		rc |= (flags & (EFLG_CF|EFLG_ZF));
		break;
	case 4: /* s */
		rc |= (flags & EFLG_SF);
		break;
	case 5: /* p/pe */
		rc |= (flags & EFLG_PF);
		break;
	case 7: /* le/ng */
		rc |= (flags & EFLG_ZF);
		/* fall through */
	case 6: /* l/nge */
		rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
		break;
	}

	/* Odd condition identifiers (lsb == 1) have inverted sense. */
	return (!!rc ^ (condition & 1));
}
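/*
 * Worked example: for jz (opcode 0x74) the relevant condition bits are
 * 0x4, so (condition & 15) >> 1 == 2 selects the ZF test above; jnz
 * (0x75) has the low bit set, which inverts the result.
 */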
static void decode_register_operand(struct operand *op,
				    struct decode_cache *c,
				    int inhibit_bytereg)
{
	unsigned reg = c->modrm_reg;
	int highbyte_regs = c->rex_prefix == 0;

	if (!(c->d & ModRM))
		reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
	op->type = OP_REG;
	if ((c->d & ByteOp) && !inhibit_bytereg) {
		op->ptr = decode_register(reg, c->regs, highbyte_regs);
		op->val = *(u8 *)op->ptr;
		op->bytes = 1;
	} else {
		op->ptr = decode_register(reg, c->regs, 0);
		op->bytes = c->op_bytes;
		switch (op->bytes) {
		case 2:
			op->val = *(u16 *)op->ptr;
			break;
		case 4:
			op->val = *(u32 *)op->ptr;
			break;
		case 8:
			op->val = *(u64 *) op->ptr;
			break;
		}
	}
	op->orig_val = op->val;
}
static int decode_modrm(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u8 sib;
	int index_reg = 0, base_reg = 0, scale;
	int rc = X86EMUL_CONTINUE;

	if (c->rex_prefix) {
		c->modrm_reg = (c->rex_prefix & 4) << 1;	/* REX.R */
		index_reg = (c->rex_prefix & 2) << 2;		/* REX.X */
		c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REX.B */
	}

	c->modrm = insn_fetch(u8, 1, c->eip);
	c->modrm_mod |= (c->modrm & 0xc0) >> 6;
	c->modrm_reg |= (c->modrm & 0x38) >> 3;
	c->modrm_rm |= (c->modrm & 0x07);
	c->modrm_ea = 0;
	c->use_modrm_ea = 1;
	c->modrm_seg = VCPU_SREG_DS;

	if (c->modrm_mod == 3) {
		c->modrm_ptr = decode_register(c->modrm_rm,
					       c->regs, c->d & ByteOp);
		c->modrm_val = *(unsigned long *)c->modrm_ptr;
		return rc;
	}
	if (c->ad_bytes == 2) {
		unsigned bx = c->regs[VCPU_REGS_RBX];
		unsigned bp = c->regs[VCPU_REGS_RBP];
		unsigned si = c->regs[VCPU_REGS_RSI];
		unsigned di = c->regs[VCPU_REGS_RDI];

		/* 16-bit ModR/M decode. */
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 6)
				c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		}
		switch (c->modrm_rm) {
		case 0:
			c->modrm_ea += bx + si;
			break;
		case 1:
			c->modrm_ea += bx + di;
			break;
		case 2:
			c->modrm_ea += bp + si;
			break;
		case 3:
			c->modrm_ea += bp + di;
			break;
		case 4:
			c->modrm_ea += si;
			break;
		case 5:
			c->modrm_ea += di;
			break;
		case 6:
			if (c->modrm_mod != 0)
				c->modrm_ea += bp;
			break;
		case 7:
			c->modrm_ea += bx;
			break;
		}
		if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
		    (c->modrm_rm == 6 && c->modrm_mod != 0))
			c->modrm_seg = VCPU_SREG_SS;
		c->modrm_ea = (u16)c->modrm_ea;
	} else {
		/* 32/64-bit ModR/M decode. */
		if ((c->modrm_rm & 7) == 4) {
			sib = insn_fetch(u8, 1, c->eip);
			index_reg |= (sib >> 3) & 7;
			base_reg |= sib & 7;
			scale = sib >> 6;

			if ((base_reg & 7) == 5 && c->modrm_mod == 0)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			else
				c->modrm_ea += c->regs[base_reg];
			if (index_reg != 4)
				c->modrm_ea += c->regs[index_reg] << scale;
		} else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
			if (ctxt->mode == X86EMUL_MODE_PROT64)
				c->rip_relative = 1;
		} else
			c->modrm_ea += c->regs[c->modrm_rm];
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 5)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		}
	}
done:
	return rc;
}
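/*
 * Worked example (hypothetical bytes, 32-bit mode): for
 * "add %eax, 0x12345678(%ebx)" the ModRM byte is 0x83 -- mod == 2,
 * reg == 0 (EAX), rm == 3 (EBX) -- so modrm_ea becomes EBX plus the
 * fetched s32 displacement, and no SIB byte is consumed since rm != 4.
 */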
static int decode_abs(struct x86_emulate_ctxt *ctxt,
		      struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;

	switch (c->ad_bytes) {
	case 2:
		c->modrm_ea = insn_fetch(u16, 2, c->eip);
		break;
	case 4:
		c->modrm_ea = insn_fetch(u32, 4, c->eip);
		break;
	case 8:
		c->modrm_ea = insn_fetch(u64, 8, c->eip);
		break;
	}
done:
	return rc;
}
static int read_emulated(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long addr, void *dest, unsigned size)
{
	int rc;
	struct read_cache *mc = &ctxt->decode.mem_read;
	u32 err;

	while (size) {
		int n = min(size, 8u);
		size -= n;
		if (mc->pos < mc->end)
			goto read_cached;

		rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt, addr, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		mc->end += n;

	read_cached:
		memcpy(dest, mc->data + mc->pos, n);
		mc->pos += n;
		dest += n;
		addr += n;
	}
	return X86EMUL_CONTINUE;
}
static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   unsigned int size, unsigned short port,
			   void *dest)
{
	struct read_cache *rc = &ctxt->decode.io_read;

	if (rc->pos == rc->end) { /* refill pio read ahead */
		struct decode_cache *c = &ctxt->decode;
		unsigned int in_page, n;
		unsigned int count = c->rep_prefix ?
			address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
		in_page = (ctxt->eflags & EFLG_DF) ?
			offset_in_page(c->regs[VCPU_REGS_RDI]) :
			PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
		n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
			count);
		if (n == 0)
			n = 1;
		rc->pos = rc->end = 0;
		if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
			return 0;
		rc->end = n * size;
	}

	memcpy(dest, rc->data + rc->pos, size);
	rc->pos += size;
	return 1;
}
static u32 desc_limit_scaled(struct desc_struct *desc)
{
	u32 limit = get_desc_limit(desc);

	return desc->g ? (limit << 12) | 0xfff : limit;
}
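/*
 * Example: a descriptor with g == 1 and limit == 0x1f covers
 * (0x1f << 12) | 0xfff == 0x1ffff bytes; granularity scales the 20-bit
 * limit field to 4KiB units.
 */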
static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
				     struct x86_emulate_ops *ops,
				     u16 selector, struct desc_ptr *dt)
{
	if (selector & 1 << 2) {
		struct desc_struct desc;
		memset(dt, 0, sizeof *dt);
		if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
			return;

		dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
		dt->address = get_desc_base(&desc);
	} else
		ops->get_gdt(dt, ctxt->vcpu);
}
/* allowed just for 8-byte segments */
static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}
	addr = dt.address + index * 8;
	ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}
/* allowed just for 8-byte segments */
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				    struct x86_emulate_ops *ops,
				    u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	addr = dt.address + index * 8;
	ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}
static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, int seg)
{
	struct desc_struct seg_desc;
	u8 dpl, rpl, cpl;
	unsigned err_vec = GP_VECTOR;
	u32 err_code = 0;
	bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
	int ret;

	memset(&seg_desc, 0, sizeof seg_desc);

	if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
	    || ctxt->mode == X86EMUL_MODE_REAL) {
		/* set real mode segment descriptor */
		set_desc_base(&seg_desc, selector << 4);
		set_desc_limit(&seg_desc, 0xffff);
		seg_desc.type = 3;
		seg_desc.p = 1;
		seg_desc.s = 1;
		goto load;
	}

	/* NULL selector is not valid for TR, CS and SS */
	if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
	    && null_selector)
		goto exception;

	/* TR should be in GDT only */
	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
		goto exception;

	if (null_selector) /* for NULL selector skip all following checks */
		goto load;

	ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	err_code = selector & 0xfffc;
	err_vec = GP_VECTOR;

	/* can't load system descriptor into segment selector */
	if (seg <= VCPU_SREG_GS && !seg_desc.s)
		goto exception;

	if (!seg_desc.p) {
		err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
		goto exception;
	}

	rpl = selector & 3;
	dpl = seg_desc.dpl;
	cpl = ops->cpl(ctxt->vcpu);

	switch (seg) {
	case VCPU_SREG_SS:
		/*
		 * segment is not a writable data segment or segment
		 * selector's RPL != CPL or segment descriptor's DPL != CPL
		 */
		if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
			goto exception;
		break;
	case VCPU_SREG_CS:
		if (!(seg_desc.type & 8))
			goto exception;

		if (seg_desc.type & 4) {
			/* conforming */
			if (dpl > cpl)
				goto exception;
		} else {
			/* nonconforming */
			if (rpl > cpl || dpl != cpl)
				goto exception;
		}
		/* CS(RPL) <- CPL */
		selector = (selector & 0xfffc) | cpl;
		break;
	case VCPU_SREG_TR:
		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
			goto exception;
		break;
	case VCPU_SREG_LDTR:
		if (seg_desc.s || seg_desc.type != 2)
			goto exception;
		break;
	default: /* DS, ES, FS, or GS */
		/*
		 * segment is not a data or readable code segment or
		 * ((segment is a data or nonconforming code segment)
		 * and (both RPL and CPL > DPL))
		 */
		if ((seg_desc.type & 0xa) == 0x8 ||
		    (((seg_desc.type & 0xc) != 0xc) &&
		     (rpl > dpl && cpl > dpl)))
			goto exception;
		break;
	}

	if (seg_desc.s) {
		/* mark segment as accessed */
		seg_desc.type |= 1;
		ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}
load:
	ops->set_segment_selector(selector, seg, ctxt->vcpu);
	ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
	return X86EMUL_CONTINUE;
exception:
	emulate_exception(ctxt, err_vec, err_code, true);
	return X86EMUL_PROPAGATE_FAULT;
}
static inline int writeback(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops)
{
	int rc;
	struct decode_cache *c = &ctxt->decode;
	u32 err;

	switch (c->dst.type) {
	case OP_REG:
		/* The 4-byte case *is* correct:
		 * in 64-bit mode we zero-extend.
		 */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *)c->dst.ptr = (u8)c->dst.val;
			break;
		case 2:
			*(u16 *)c->dst.ptr = (u16)c->dst.val;
			break;
		case 4:
			*c->dst.ptr = (u32)c->dst.val;
			break;	/* 64b: zero-ext */
		case 8:
			*c->dst.ptr = c->dst.val;
			break;
		}
		break;
	case OP_MEM:
		if (c->lock_prefix)
			rc = ops->cmpxchg_emulated(
					(unsigned long)c->dst.ptr,
					&c->dst.orig_val,
					&c->dst.val,
					c->dst.bytes,
					&err,
					ctxt->vcpu);
		else
			rc = ops->write_emulated(
					(unsigned long)c->dst.ptr,
					&c->dst.val,
					c->dst.bytes,
					&err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt,
				   (unsigned long)c->dst.ptr, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		break;
	case OP_NONE:
		/* no writeback */
		break;
	default:
		break;
	}
	return X86EMUL_CONTINUE;
}
static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	c->dst.type  = OP_MEM;
	c->dst.bytes = c->op_bytes;
	c->dst.val = c->src.val;
	register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
	c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
					       c->regs[VCPU_REGS_RSP]);
}
static int emulate_pop(struct x86_emulate_ctxt *ctxt,
		       struct x86_emulate_ops *ops,
		       void *dest, int len)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;

	rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
						       c->regs[VCPU_REGS_RSP]),
			   dest, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
	return rc;
}
static int emulate_popf(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops,
			void *dest, int len)
{
	int rc;
	unsigned long val, change_mask;
	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	int cpl = ops->cpl(ctxt->vcpu);

	rc = emulate_pop(ctxt, ops, &val, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
		| EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;

	switch(ctxt->mode) {
	case X86EMUL_MODE_PROT64:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT16:
		if (cpl == 0)
			change_mask |= EFLG_IOPL;
		if (cpl <= iopl)
			change_mask |= EFLG_IF;
		break;
	case X86EMUL_MODE_VM86:
		if (iopl < 3) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		change_mask |= EFLG_IF;
		break;
	default: /* real mode */
		change_mask |= (EFLG_IOPL | EFLG_IF);
		break;
	}

	*(unsigned long *)dest =
		(ctxt->eflags & ~change_mask) | (val & change_mask);

	return rc;
}
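/*
 * Example of the CPL/IOPL policy above: in protected mode with CPL == 3
 * and IOPL == 0, neither EFLG_IOPL nor EFLG_IF joins change_mask, so a
 * popped value may flip arithmetic flags but silently leaves IF intact.
 */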
static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;

	c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);

	emulate_push(ctxt, ops);
}

static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long selector;
	int rc;

	rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
	return rc;
}
static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long old_esp = c->regs[VCPU_REGS_RSP];
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RAX;

	while (reg <= VCPU_REGS_RDI) {
		(reg == VCPU_REGS_RSP) ?
		(c->src.val = old_esp) : (c->src.val = c->regs[reg]);

		emulate_push(ctxt, ops);

		rc = writeback(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			return rc;

		++reg;
	}

	/* Disable writeback. */
	c->dst.type = OP_NONE;

	return rc;
}
static int emulate_popa(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RDI;

	while (reg >= VCPU_REGS_RAX) {
		if (reg == VCPU_REGS_RSP) {
			register_address_increment(c, &c->regs[VCPU_REGS_RSP],
							c->op_bytes);
			--reg;
			continue;
		}

		rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			break;
		--reg;
	}
	return rc;
}
static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	unsigned long temp_eip = 0;
	unsigned long temp_eflags = 0;
	unsigned long cs = 0;
	unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
			     EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
			     EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
	unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;

	/* TODO: Add stack limit check */

	rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	if (temp_eip & ~0xffff) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	c->eip = temp_eip;

	if (c->op_bytes == 4)
		ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
	else if (c->op_bytes == 2) {
		ctxt->eflags &= ~0xffff;
		ctxt->eflags |= temp_eflags;
	}

	ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
	ctxt->eflags |= EFLG_RESERVED_ONE_MASK;

	return rc;
}
static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	switch(ctxt->mode) {
	case X86EMUL_MODE_REAL:
		return emulate_iret_real(ctxt, ops);
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT64:
	default:
		/* iret from protected mode is not yet implemented */
		return X86EMUL_UNHANDLEABLE;
	}
}
static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
}
static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
{
	struct decode_cache *c = &ctxt->decode;
	switch (c->modrm_reg) {
	case 0:	/* rol */
		emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
		break;
	case 1:	/* ror */
		emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* rcl */
		emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
		break;
	case 3:	/* rcr */
		emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
		break;
	case 4:	/* sal/shl */
	case 6:	/* sal/shl */
		emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
		break;
	case 5:	/* shr */
		emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
		break;
	case 7:	/* sar */
		emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
		break;
	}
}
static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0 ... 1:	/* test */
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* not */
		c->dst.val = ~c->dst.val;
		break;
	case 3:	/* neg */
		emulate_1op("neg", c->dst, ctxt->eflags);
		break;
	default:
		return 0;
	}
	return 1;
}
static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0:	/* inc */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 1:	/* dec */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 2: /* call near abs */ {
		long int old_eip;
		old_eip = c->eip;
		c->eip = c->src.val;
		c->src.val = old_eip;
		emulate_push(ctxt, ops);
		break;
	}
	case 4: /* jmp abs */
		c->eip = c->src.val;
		break;
	case 6:	/* push */
		emulate_push(ctxt, ops);
		break;
	}
	return X86EMUL_CONTINUE;
}
static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u64 old = c->dst.orig_val64;

	if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
	    ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
		c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
		c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
		ctxt->eflags &= ~EFLG_ZF;
	} else {
		c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
			(u32) c->regs[VCPU_REGS_RBX];

		ctxt->eflags |= EFLG_ZF;
	}
	return X86EMUL_CONTINUE;
}
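/*
 * This implements CMPXCHG8B semantics: if EDX:EAX equals the 64-bit
 * operand, ECX:EBX is written back and ZF is set; otherwise the old
 * value is loaded into EDX:EAX and ZF is cleared. E.g. old == 0 with
 * EDX:EAX == 0 stores ECX:EBX and sets ZF.
 */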
static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;
	unsigned long cs;

	rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	if (c->op_bytes == 4)
		c->eip = (u32)c->eip;
	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
	return rc;
}
static inline void
setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops, struct desc_struct *cs,
			struct desc_struct *ss)
{
	memset(cs, 0, sizeof(struct desc_struct));
	ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
	memset(ss, 0, sizeof(struct desc_struct));

	cs->l = 0;		/* will be adjusted later */
	set_desc_base(cs, 0);	/* flat segment */
	cs->g = 1;		/* 4kb granularity */
	set_desc_limit(cs, 0xfffff);	/* 4GB limit */
	cs->type = 0x0b;	/* Read, Execute, Accessed */
	cs->s = 1;
	cs->dpl = 0;		/* will be adjusted later */
	cs->p = 1;
	cs->d = 1;

	set_desc_base(ss, 0);	/* flat segment */
	set_desc_limit(ss, 0xfffff);	/* 4GB limit */
	ss->g = 1;		/* 4kb granularity */
	ss->s = 1;
	ss->type = 0x03;	/* Read/Write, Accessed */
	ss->d = 1;		/* 32bit stack segment */
	ss->dpl = 0;
	ss->p = 1;
}
static int
emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* syscall is not available in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
	msr_data >>= 32;
	cs_sel = (u16)(msr_data & 0xfffc);
	ss_sel = (u16)(msr_data + 8);

	if (is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}
	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->regs[VCPU_REGS_RCX] = c->eip;
	if (is_long_mode(ctxt->vcpu)) {
#ifdef CONFIG_X86_64
		c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;

		ops->get_msr(ctxt->vcpu,
			     ctxt->mode == X86EMUL_MODE_PROT64 ?
			     MSR_LSTAR : MSR_CSTAR, &msr_data);
		c->eip = msr_data;

		ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
		ctxt->eflags &= ~(msr_data | EFLG_RF);
#endif
	} else {
		/* legacy mode */
		ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
		c->eip = (u32)msr_data;

		ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	}

	return X86EMUL_CONTINUE;
}
static int
emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	/* XXX sysenter/sysexit have not been tested in 64bit mode.
	 * Therefore, we inject an #UD.
	 */
	if (ctxt->mode == X86EMUL_MODE_PROT64) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT32:
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	case X86EMUL_MODE_PROT64:
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	}

	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	cs_sel = (u16)msr_data;
	cs_sel &= ~SELECTOR_RPL_MASK;
	ss_sel = cs_sel + 8;
	ss_sel &= ~SELECTOR_RPL_MASK;
	if (ctxt->mode == X86EMUL_MODE_PROT64
	    || is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
	c->eip = msr_data;

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
	c->regs[VCPU_REGS_RSP] = msr_data;

	return X86EMUL_CONTINUE;
}
static int
emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	int usermode;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode or Virtual 8086 mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	if ((c->rex_prefix & 0x8) != 0x0)
		usermode = X86EMUL_MODE_PROT64;
	else
		usermode = X86EMUL_MODE_PROT32;

	cs.dpl = 3;
	ss.dpl = 3;
	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (usermode) {
	case X86EMUL_MODE_PROT32:
		cs_sel = (u16)(msr_data + 16);
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = (u16)(msr_data + 24);
		break;
	case X86EMUL_MODE_PROT64:
		cs_sel = (u16)(msr_data + 32);
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = cs_sel + 8;
		cs.d = 0;
		cs.l = 1;
		break;
	}
	cs_sel |= SELECTOR_RPL_MASK;
	ss_sel |= SELECTOR_RPL_MASK;

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->eip = c->regs[VCPU_REGS_RDX];
	c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];

	return X86EMUL_CONTINUE;
}
static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops)
{
	int iopl;
	if (ctxt->mode == X86EMUL_MODE_REAL)
		return false;
	if (ctxt->mode == X86EMUL_MODE_VM86)
		return true;
	iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	return ops->cpl(ctxt->vcpu) > iopl;
}
static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
					    struct x86_emulate_ops *ops,
					    u16 port, u16 len)
{
	struct desc_struct tr_seg;
	int r;
	u16 io_bitmap_ptr;
	u8 perm, bit_idx = port & 0x7;
	unsigned mask = (1 << len) - 1;

	ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
	if (!tr_seg.p)
		return false;
	if (desc_limit_scaled(&tr_seg) < 103)
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
			  ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
			  &perm, 1, ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if ((perm >> bit_idx) & mask)
		return false;
	return true;
}
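/*
 * Worked example: for port 0x3f9 and len 1, the byte at offset
 * io_bitmap_ptr + 0x3f9/8 inside the TSS is fetched and bit_idx == 1;
 * the access is allowed only if that bit is clear, matching the TSS
 * I/O permission bitmap rules.
 */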
static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 u16 port, u16 len)
{
	if (ctxt->perm_ok)
		return true;

	if (emulator_bad_iopl(ctxt, ops))
		if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
			return false;

	ctxt->perm_ok = true;

	return true;
}
static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->ip = c->eip;
	tss->flag = ctxt->eflags;
	tss->ax = c->regs[VCPU_REGS_RAX];
	tss->cx = c->regs[VCPU_REGS_RCX];
	tss->dx = c->regs[VCPU_REGS_RDX];
	tss->bx = c->regs[VCPU_REGS_RBX];
	tss->sp = c->regs[VCPU_REGS_RSP];
	tss->bp = c->regs[VCPU_REGS_RBP];
	tss->si = c->regs[VCPU_REGS_RSI];
	tss->di = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	c->eip = tss->ip;
	ctxt->eflags = tss->flag | 2;
	c->regs[VCPU_REGS_RAX] = tss->ax;
	c->regs[VCPU_REGS_RCX] = tss->cx;
	c->regs[VCPU_REGS_RDX] = tss->dx;
	c->regs[VCPU_REGS_RBX] = tss->bx;
	c->regs[VCPU_REGS_RSP] = tss->sp;
	c->regs[VCPU_REGS_RBP] = tss->bp;
	c->regs[VCPU_REGS_RSI] = tss->si;
	c->regs[VCPU_REGS_RDI] = tss->di;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If a fault happens at this stage
	 * it is handled in the context of the new task.
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_16(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_16 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss16(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss16(ctxt, ops, &tss_seg);
}
static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->cr3 = ops->get_cr(3, ctxt->vcpu);
	tss->eip = c->eip;
	tss->eflags = ctxt->eflags;
	tss->eax = c->regs[VCPU_REGS_RAX];
	tss->ecx = c->regs[VCPU_REGS_RCX];
	tss->edx = c->regs[VCPU_REGS_RDX];
	tss->ebx = c->regs[VCPU_REGS_RBX];
	tss->esp = c->regs[VCPU_REGS_RSP];
	tss->ebp = c->regs[VCPU_REGS_RBP];
	tss->esi = c->regs[VCPU_REGS_RSI];
	tss->edi = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
	tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
	tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}
	c->eip = tss->eip;
	ctxt->eflags = tss->eflags | 2;
	c->regs[VCPU_REGS_RAX] = tss->eax;
	c->regs[VCPU_REGS_RCX] = tss->ecx;
	c->regs[VCPU_REGS_RDX] = tss->edx;
	c->regs[VCPU_REGS_RBX] = tss->ebx;
	c->regs[VCPU_REGS_RSP] = tss->esp;
	c->regs[VCPU_REGS_RBP] = tss->ebp;
	c->regs[VCPU_REGS_RSI] = tss->esi;
	c->regs[VCPU_REGS_RDI] = tss->edi;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
	ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
	ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If a fault happens at this stage
	 * it is handled in the context of the new task.
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_32(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_32 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss32(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss32(ctxt, ops, &tss_seg);
}
static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 tss_selector, int reason,
				   bool has_error_code, u32 error_code)
{
	struct desc_struct curr_tss_desc, next_tss_desc;
	int ret;
	u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
	ulong old_tss_base =
		ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
	u32 desc_limit;

	/* FIXME: old_tss_base == ~0 ? */

	ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	/* FIXME: check that next_tss_desc is tss */

	if (reason != TASK_SWITCH_IRET) {
		if ((tss_selector & 3) > next_tss_desc.dpl ||
		    ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
	}

	desc_limit = desc_limit_scaled(&next_tss_desc);
	if (!next_tss_desc.p ||
	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
	     desc_limit < 0x2b)) {
		emulate_ts(ctxt, tss_selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
		curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
		write_segment_descriptor(ctxt, ops, old_tss_sel,
					 &curr_tss_desc);
	}

	if (reason == TASK_SWITCH_IRET)
		ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;

	/* set back link to prev task only if NT bit is set in eflags
	   note that old_tss_sel is not used after this point */
	if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
		old_tss_sel = 0xffff;

	if (next_tss_desc.type & 8)
		ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	else
		ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
		ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;

	if (reason != TASK_SWITCH_IRET) {
		next_tss_desc.type |= (1 << 1); /* set busy flag */
		write_segment_descriptor(ctxt, ops, tss_selector,
					 &next_tss_desc);
	}

	ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
	ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
	ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);

	if (has_error_code) {
		struct decode_cache *c = &ctxt->decode;

		c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
		c->lock_prefix = 0;
		c->src.val = (unsigned long) error_code;
		emulate_push(ctxt, ops);
	}

	return ret;
}
int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
			 u16 tss_selector, int reason,
			 bool has_error_code, u32 error_code)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc;

	c->eip = ctxt->eip;
	c->dst.type = OP_NONE;

	rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
				     has_error_code, error_code);

	if (rc == X86EMUL_CONTINUE) {
		rc = writeback(ctxt, ops);
		if (rc == X86EMUL_CONTINUE)
			ctxt->eip = c->eip;
	}

	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}
static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
			    int reg, struct operand *op)
{
	struct decode_cache *c = &ctxt->decode;
	int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;

	register_address_increment(c, &c->regs[reg], df * op->bytes);
	op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
}
static int em_push(struct x86_emulate_ctxt *ctxt)
{
	emulate_push(ctxt, ctxt->ops);
	return X86EMUL_CONTINUE;
}
#define D(_y) { .flags = (_y) }
#define N    D(0)
#define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
#define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
#define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
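/*
 * For illustration: the 0x50 row in opcode_table below,
 * X8(I(SrcReg | Stack, em_push)), builds eight entries whose decode
 * flags say "register source, stack op" and whose .u.execute callback
 * is em_push -- one entry per push-register opcode 0x50..0x57.
 */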
static struct opcode group1[] = {
	X7(D(Lock)), N
};

static struct opcode group1A[] = {
	D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
};

static struct opcode group3[] = {
	D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	X4(D(Undefined)),
};

static struct opcode group4[] = {
	D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
	N, N, N, N, N, N,
};

static struct opcode group5[] = {
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	D(SrcMem | ModRM | Stack), N,
	D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
	D(SrcMem | ModRM | Stack), N,
};

static struct group_dual group7 = { {
	N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv), D(SrcMem | ModRM | ByteOp | Priv),
}, {
	D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv), N,
} };

static struct opcode group8[] = {
	N, N, N, N,
	D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
	D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
};

static struct group_dual group9 = { {
	N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
}, {
	N, N, N, N, N, N, N, N,
} };
static struct opcode opcode_table[256] = {
	/* 0x00 - 0x07 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x08 - 0x0F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), N,
	/* 0x10 - 0x17 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x18 - 0x1F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x20 - 0x27 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x28 - 0x2F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x30 - 0x37 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x38 - 0x3F */
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg)),
	/* 0x50 - 0x57 */
	X8(I(SrcReg | Stack, em_push)),
	/* 0x58 - 0x5F */
	X8(D(DstReg | Stack)),
	/* 0x60 - 0x67 */
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
	N, N, N, N,
	/* 0x68 - 0x6F */
	I(SrcImm | Mov | Stack, em_push), N,
	I(SrcImmByte | Mov | Stack, em_push), N,
	D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
	D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
	/* 0x70 - 0x7F */
	X16(D(SrcImmByte)),
	/* 0x80 - 0x87 */
	G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
	G(DstMem | SrcImm | ModRM | Group, group1),
	G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
	G(DstMem | SrcImmByte | ModRM | Group, group1),
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	/* 0x88 - 0x8F */
	D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
	D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
	D(DstMem | SrcNone | ModRM | Mov), D(ModRM | DstReg),
	D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
	/* 0x90 - 0x97 */
	D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg),
	/* 0x98 - 0x9F */
	N, N, D(SrcImmFAddr | No64), N,
	D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
	/* 0xA0 - 0xA7 */
	D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
	D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
	D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
	D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
	/* 0xA8 - 0xAF */
	D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
	D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
	D(ByteOp | DstDI | String), D(DstDI | String),
	/* 0xB0 - 0xB7 */
	X8(D(ByteOp | DstReg | SrcImm | Mov)),
	/* 0xB8 - 0xBF */
	X8(D(DstReg | SrcImm | Mov)),
	/* 0xC0 - 0xC7 */
	D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
	N, D(ImplicitOps | Stack), N, N,
	D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
	/* 0xC8 - 0xCF */
	N, N, N, D(ImplicitOps | Stack),
	D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
	/* 0xD0 - 0xD7 */
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	N, N, N, N,
	/* 0xD8 - 0xDF */
	N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xE7 */
	N, N, N, N,
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	/* 0xE8 - 0xEF */
	D(SrcImm | Stack), D(SrcImm | ImplicitOps),
	D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	/* 0xF0 - 0xF7 */
	N, N, N, N,
	D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
	/* 0xF8 - 0xFF */
	D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
	D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
};
static struct opcode twobyte_table[256] = {
	/* 0x00 - 0x0F */
	N, GD(0, &group7), N, N,
	N, D(ImplicitOps), D(ImplicitOps | Priv), N,
	D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
	N, D(ImplicitOps | ModRM), N, N,
	/* 0x10 - 0x1F */
	N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
	/* 0x20 - 0x2F */
	D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
	D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
	N, N, N, N,
	N, N, N, N, N, N, N, N,
	/* 0x30 - 0x3F */
	D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
	D(ImplicitOps), D(ImplicitOps | Priv), N, N,
	N, N, N, N, N, N, N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg | SrcMem | ModRM | Mov)),
	/* 0x50 - 0x5F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x60 - 0x6F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x70 - 0x7F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x80 - 0x8F */
	X16(D(SrcImm)),
	/* 0x90 - 0x9F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xA0 - 0xA7 */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM), N, N,
	/* 0xA8 - 0xAF */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM),
	D(ModRM), N,
	/* 0xB0 - 0xB7 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xB8 - 0xBF */
	N, N,
	G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xC0 - 0xCF */
	N, N, N, D(DstMem | SrcReg | ModRM | Mov),
	N, N, N, GD(0, &group9),
	N, N, N, N, N, N, N, N,
	/* 0xD0 - 0xDF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xEF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xF0 - 0xFF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
};
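
/*
 * Illustrative sketch (not used by the decoder itself): because the decode
 * flags are packed bit-fields, operand classes can be extracted with the
 * *Mask constants defined at the top of this file.  A hypothetical helper
 * that asks whether an entry writes memory might look like this:
 */
static inline int insn_flags_write_memory(u32 flags)
{
	/* DstMem and DstMem64 are the two memory-destination classes. */
	return (flags & DstMask) == DstMem || (flags & DstMask) == DstMem64;
}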
int
x86_decode_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int mode = ctxt->mode;
	int def_op_bytes, def_ad_bytes, dual, goffset;
	struct opcode opcode, *g_mod012, *g_mod3;

	/* we cannot decode insn before we complete previous rep insn */
	WARN_ON(ctxt->restart);

	c->eip = ctxt->eip;
	c->fetch.start = c->fetch.end = c->eip;
	ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
	switch (mode) {
	case X86EMUL_MODE_REAL:
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
		def_op_bytes = def_ad_bytes = 2;
		break;
	case X86EMUL_MODE_PROT32:
		def_op_bytes = def_ad_bytes = 4;
		break;
#ifdef CONFIG_X86_64
	case X86EMUL_MODE_PROT64:
		def_op_bytes = 4;
		def_ad_bytes = 8;
		break;
#endif
	default:
		return -1;
	}

	c->op_bytes = def_op_bytes;
	c->ad_bytes = def_ad_bytes;
	/* Legacy prefixes. */
	for (;;) {
		switch (c->b = insn_fetch(u8, 1, c->eip)) {
		case 0x66:	/* operand-size override */
			/* switch between 2/4 bytes */
			c->op_bytes = def_op_bytes ^ 6;
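			/*
			 * Worked example (illustrative): with a 32-bit
			 * default, def_op_bytes is 4 and 4 ^ 6 = 2, so
			 * 0x66 selects 16-bit operands; with a 16-bit
			 * default, 2 ^ 6 = 4.  The address-size case
			 * below uses the same XOR trick (4 ^ 12 = 8,
			 * 8 ^ 12 = 4), so one constant toggles between
			 * the two legal sizes in either direction.
			 */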
			break;
		case 0x67:	/* address-size override */
			if (mode == X86EMUL_MODE_PROT64)
				/* switch between 4/8 bytes */
				c->ad_bytes = def_ad_bytes ^ 12;
			else
				/* switch between 2/4 bytes */
				c->ad_bytes = def_ad_bytes ^ 6;
			break;
		case 0x26:	/* ES override */
		case 0x2e:	/* CS override */
		case 0x36:	/* SS override */
		case 0x3e:	/* DS override */
			set_seg_override(c, (c->b >> 3) & 3);
			break;
		case 0x64:	/* FS override */
		case 0x65:	/* GS override */
			set_seg_override(c, c->b & 7);
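			/*
			 * Worked example (illustrative): the legacy
			 * segment prefixes encode their register, so
			 * (0x3e >> 3) & 3 = 3 = VCPU_SREG_DS above,
			 * while 0x64 & 7 = 4 = VCPU_SREG_FS and
			 * 0x65 & 7 = 5 = VCPU_SREG_GS here.
			 */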
			break;
		case 0x40 ... 0x4f: /* REX */
			if (mode != X86EMUL_MODE_PROT64)
				goto done_prefixes;
			c->rex_prefix = c->b;
			continue;
		case 0xf0:	/* LOCK */
			c->lock_prefix = 1;
			break;
		case 0xf2:	/* REPNE/REPNZ */
			c->rep_prefix = REPNE_PREFIX;
			break;
		case 0xf3:	/* REP/REPE/REPZ */
			c->rep_prefix = REPE_PREFIX;
			break;
		default:
			goto done_prefixes;
		}

		/* Any legacy prefix after a REX prefix nullifies its effect. */
		c->rex_prefix = 0;
	}

done_prefixes:

	/* REX prefix. */
	if (c->rex_prefix & 8)
		c->op_bytes = 8;	/* REX.W */
	/* Opcode byte(s). */
	opcode = opcode_table[c->b];
	if (opcode.flags == 0) {
		/* Two-byte opcode? */
		if (c->b == 0x0f) {
			c->twobyte = 1;
			c->b = insn_fetch(u8, 1, c->eip);
			opcode = twobyte_table[c->b];
		}
	}
	c->d = opcode.flags;

	if (c->d & Group) {
		dual = c->d & GroupDual;
		c->modrm = insn_fetch(u8, 1, c->eip);
		--c->eip;

		if (c->d & GroupDual) {
			g_mod012 = opcode.u.gdual->mod012;
			g_mod3 = opcode.u.gdual->mod3;
		} else
			g_mod012 = g_mod3 = opcode.u.group;

		c->d &= ~(Group | GroupDual);

		goffset = (c->modrm >> 3) & 7;

		if ((c->modrm >> 6) == 3)
			opcode = g_mod3[goffset];
		else
			opcode = g_mod012[goffset];
		c->d |= opcode.flags;
	}
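	/*
	 * Worked example (illustrative): for a group opcode followed by the
	 * ModRM byte 0xd1 (binary 11 010 001), mod = 3 selects the mod3
	 * table of a GroupDual entry, and goffset = (0xd1 >> 3) & 7 = 2
	 * picks the third member of the group, whose flags are then OR-ed
	 * into c->d.
	 */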
	c->execute = opcode.u.execute;

	/* Unrecognised? */
	if (c->d == 0 || (c->d & Undefined)) {
		DPRINTF("Cannot emulate %02x\n", c->b);
		return -1;
	}

	if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
		c->op_bytes = 8;
	/* ModRM and SIB bytes. */
	if (c->d & ModRM) {
		rc = decode_modrm(ctxt, ops);
		if (!c->has_seg_override)
			set_seg_override(c, c->modrm_seg);
	} else if (c->d & MemAbs)
		rc = decode_abs(ctxt, ops);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	if (!c->has_seg_override)
		set_seg_override(c, VCPU_SREG_DS);

	if (!(!c->twobyte && c->b == 0x8d))
		c->modrm_ea += seg_override_base(ctxt, ops, c);

	if (c->ad_bytes != 8)
		c->modrm_ea = (u32)c->modrm_ea;

	if (c->rip_relative)
		c->modrm_ea += c->eip;
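	/*
	 * Worked example (illustrative): with sub-64-bit addressing the
	 * computed effective address is truncated to 32 bits, so a base of
	 * 0xfffffffc plus a displacement of 8 yields 0x100000004, which the
	 * (u32) cast above reduces to 4.  Only 64-bit addressing
	 * (ad_bytes == 8) keeps the full value, and RIP-relative operands
	 * then add the current instruction pointer on top.
	 */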
	/*
	 * Decode and fetch the source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & SrcMask) {
	case SrcNone:
		break;
	case SrcReg:
		decode_register_operand(&c->src, c, 0);
		break;
	case SrcMem16:
		c->src.bytes = 2;
		goto srcmem_common;
	case SrcMem32:
		c->src.bytes = 4;
		goto srcmem_common;
	case SrcMem:
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		/* Don't fetch the address for invlpg: it could be unmapped. */
		if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
			break;
	srcmem_common:
		/*
		 * For instructions with a ModR/M byte, switch to register
		 * access if Mod = 3.
		 */
		if ((c->d & ModRM) && c->modrm_mod == 3) {
			c->src.type = OP_REG;
			c->src.val = c->modrm_val;
			c->src.ptr = c->modrm_ptr;
			break;
		}
		c->src.type = OP_MEM;
		c->src.ptr = (unsigned long *)c->modrm_ea;
		c->src.val = 0;
		break;
	case SrcImm:
	case SrcImmU:
		c->src.type = OP_IMM;
		c->src.ptr = (unsigned long *)c->eip;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		if (c->src.bytes == 8)
			c->src.bytes = 4;
		/* NB. Immediates are sign-extended as necessary. */
		switch (c->src.bytes) {
		case 1:
			c->src.val = insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->src.val = insn_fetch(s16, 2, c->eip);
			break;
		case 4:
			c->src.val = insn_fetch(s32, 4, c->eip);
			break;
		}
		if ((c->d & SrcMask) == SrcImmU) {
			switch (c->src.bytes) {
			case 1:
				c->src.val &= 0xff;
				break;
			case 2:
				c->src.val &= 0xffff;
				break;
			case 4:
				c->src.val &= 0xffffffff;
				break;
			}
		}
		break;
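	/*
	 * Worked example (illustrative): a 2-byte immediate 0x8000 is
	 * fetched as s16, so c->src.val sign-extends to ...ffff8000; for a
	 * SrcImmU operand the masking above restores the unsigned value
	 * 0x8000.
	 */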
	case SrcImmByte:
	case SrcImmUByte:
		c->src.type = OP_IMM;
		c->src.ptr = (unsigned long *)c->eip;
		c->src.bytes = 1;
		if ((c->d & SrcMask) == SrcImmByte)
			c->src.val = insn_fetch(s8, 1, c->eip);
		else
			c->src.val = insn_fetch(u8, 1, c->eip);
		break;
	case SrcAcc:
		c->src.type = OP_REG;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.ptr = &c->regs[VCPU_REGS_RAX];
		switch (c->src.bytes) {
		case 1:
			c->src.val = *(u8 *)c->src.ptr;
			break;
		case 2:
			c->src.val = *(u16 *)c->src.ptr;
			break;
		case 4:
			c->src.val = *(u32 *)c->src.ptr;
			break;
		case 8:
			c->src.val = *(u64 *)c->src.ptr;
			break;
		}
		break;
	case SrcOne:
		c->src.bytes = 1;
		c->src.val = 1;
		break;
	case SrcSI:
		c->src.type = OP_MEM;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.ptr = (unsigned long *)
			register_address(c, seg_override_base(ctxt, ops, c),
					 c->regs[VCPU_REGS_RSI]);
		c->src.val = 0;
		break;
	case SrcImmFAddr:
		c->src.type = OP_IMM;
		c->src.ptr = (unsigned long *)c->eip;
		c->src.bytes = c->op_bytes + 2;
		insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
		break;
	case SrcMemFAddr:
		c->src.type = OP_MEM;
		c->src.ptr = (unsigned long *)c->modrm_ea;
		c->src.bytes = c->op_bytes + 2;
		break;
	}
	/*
	 * Decode and fetch the second source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & Src2Mask) {
	case Src2None:
		break;
	case Src2CL:
		c->src2.bytes = 1;
		/* CL is the low byte of RCX, so mask with 0xff, not 0x8 */
		c->src2.val = c->regs[VCPU_REGS_RCX] & 0xff;
		break;
	case Src2ImmByte:
		c->src2.type = OP_IMM;
		c->src2.ptr = (unsigned long *)c->eip;
		c->src2.bytes = 1;
		c->src2.val = insn_fetch(u8, 1, c->eip);
		break;
	case Src2One:
		c->src2.bytes = 1;
		c->src2.val = 1;
		break;
	}
	/* Decode and fetch the destination operand: register or memory. */
	switch (c->d & DstMask) {
	case ImplicitOps:
		/* Special instructions do their own operand decoding. */
		return 0;
	case DstReg:
		decode_register_operand(&c->dst, c,
			 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
		break;
	case DstMem:
	case DstMem64:
		if ((c->d & ModRM) && c->modrm_mod == 3) {
			c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
			c->dst.type = OP_REG;
			c->dst.val = c->dst.orig_val = c->modrm_val;
			c->dst.ptr = c->modrm_ptr;
			break;
		}
		c->dst.type = OP_MEM;
		c->dst.ptr = (unsigned long *)c->modrm_ea;
		if ((c->d & DstMask) == DstMem64)
			c->dst.bytes = 8;
		else
			c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.val = 0;
		if (c->d & BitOp) {
			unsigned long mask = ~(c->dst.bytes * 8 - 1);

			c->dst.ptr = (void *)c->dst.ptr +
					       (c->src.val & mask) / 8;
		}
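		/*
		 * Worked example (illustrative): for a bit test on a
		 * 32-bit operand, mask = ~31; a bit offset of 35 moves
		 * the pointer (35 & ~31) / 8 = 4 bytes forward, leaving
		 * bit 35 % 32 = 3 to be tested within the new dword.
		 */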
		break;
	case DstAcc:
		c->dst.type = OP_REG;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.ptr = &c->regs[VCPU_REGS_RAX];
		switch (c->dst.bytes) {
		case 1:
			c->dst.val = *(u8 *)c->dst.ptr;
			break;
		case 2:
			c->dst.val = *(u16 *)c->dst.ptr;
			break;
		case 4:
			c->dst.val = *(u32 *)c->dst.ptr;
			break;
		case 8:
			c->dst.val = *(u64 *)c->dst.ptr;
			break;
		}
		c->dst.orig_val = c->dst.val;
		break;
	case DstDI:
		c->dst.type = OP_MEM;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.ptr = (unsigned long *)
			register_address(c, es_base(ctxt, ops),
					 c->regs[VCPU_REGS_RDI]);
		c->dst.val = 0;
		break;
	}

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}
int
x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	u64 msr_data;
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int saved_dst_type = c->dst.type;

	ctxt->decode.mem_read.pos = 0;
	if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
		emulate_ud(ctxt);
		goto done;
	}

	/* LOCK prefix is allowed only with some instructions */
	if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
		emulate_ud(ctxt);
		goto done;
	}

	/* Privileged instruction can be executed only in CPL=0 */
	if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		goto done;
	}
	if (c->rep_prefix && (c->d & String)) {
		ctxt->restart = true;
		/* All REP prefixes have the same first termination condition */
		if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
		string_done:
			ctxt->restart = false;
			ctxt->eip = c->eip;
			goto done;
		}
		/*
		 * The second termination condition only applies for REPE
		 * and REPNE.  Test whether the repeat string operation
		 * prefix is REPE/REPZ or REPNE/REPNZ and, if so, check the
		 * corresponding termination condition:
		 *	- if REPE/REPZ and ZF = 0 then done
		 *	- if REPNE/REPNZ and ZF = 1 then done
		 */
		if ((c->b == 0xa6) || (c->b == 0xa7) ||
		    (c->b == 0xae) || (c->b == 0xaf)) {
			if ((c->rep_prefix == REPE_PREFIX) &&
			    ((ctxt->eflags & EFLG_ZF) == 0))
				goto string_done;
			if ((c->rep_prefix == REPNE_PREFIX) &&
			    ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
				goto string_done;
		}
		c->eip = ctxt->eip;
	}
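	/*
	 * Worked example (illustrative): "rep movsb" with RCX == 0 performs
	 * no iterations and completes immediately via the first condition
	 * above; "repe cmpsb" additionally stops as soon as a comparison
	 * clears ZF, i.e. at the first mismatching byte.
	 */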
	if (c->src.type == OP_MEM) {
		rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
					c->src.valptr, c->src.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		c->src.orig_val64 = c->src.val64;
	}

	if (c->src2.type == OP_MEM) {
		rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
					&c->src2.val, c->src2.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	if ((c->d & DstMask) == ImplicitOps)
		goto special_insn;

	if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
		/* optimisation - avoid slow emulated read if Mov */
		rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
				   &c->dst.val, c->dst.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}
	c->dst.orig_val = c->dst.val;

special_insn:

	if (c->execute) {
		rc = c->execute(ctxt);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		goto writeback;
	}

	if (c->twobyte)
		goto twobyte_insn;

	switch (c->b) {
	case 0x00 ... 0x05:
	      add:		/* add */
		emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
		break;
	case 0x06:		/* push es */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
		break;
	case 0x07:		/* pop es */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x08 ... 0x0d:
	      or:		/* or */
		emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
		break;
	case 0x0e:		/* push cs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
		break;
	case 0x10 ... 0x15:
	      adc:		/* adc */
		emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
		break;
	case 0x16:		/* push ss */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
		break;
	case 0x17:		/* pop ss */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x18 ... 0x1d:
	      sbb:		/* sbb */
		emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
		break;
	case 0x1e:		/* push ds */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
		break;
	case 0x1f:		/* pop ds */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x20 ... 0x25:
	      and:		/* and */
		emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
		break;
	case 0x28 ... 0x2d:
	      sub:		/* sub */
		emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
		break;
	case 0x30 ... 0x35:
	      xor:		/* xor */
		emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
		break;
	case 0x38 ... 0x3d:
	      cmp:		/* cmp */
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
		break;
	case 0x40 ... 0x47: /* inc r16/r32 */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 0x48 ... 0x4f: /* dec r16/r32 */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 0x58 ... 0x5f: /* pop reg */
	pop_instruction:
		rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x60:	/* pusha */
		rc = emulate_pusha(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x61:	/* popa */
		rc = emulate_popa(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x63:		/* movsxd */
		if (ctxt->mode != X86EMUL_MODE_PROT64)
			goto cannot_emulate;
		c->dst.val = (s32) c->src.val;
		break;
	case 0x6c:		/* insb */
	case 0x6d:		/* insw/insd */
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
					  c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
				     c->regs[VCPU_REGS_RDX], &c->dst.val))
			goto done; /* IO is needed, skip writeback */
		break;
	case 0x6e:		/* outsb */
	case 0x6f:		/* outsw/outsd */
		c->src.bytes = min(c->src.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
					  c->src.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
				      &c->src.val, 1, ctxt->vcpu);

		c->dst.type = OP_NONE; /* nothing to writeback */
		break;
	case 0x70 ... 0x7f: /* jcc (short) */
		if (test_cc(c->b, ctxt->eflags))
			jmp_rel(c, c->src.val);
		break;
	case 0x80 ... 0x83:	/* Grp1 */
		switch (c->modrm_reg) {
		case 0:
			goto add;
		case 1:
			goto or;
		case 2:
			goto adc;
		case 3:
			goto sbb;
		case 4:
			goto and;
		case 5:
			goto sub;
		case 6:
			goto xor;
		case 7:
			goto cmp;
		}
		break;
	case 0x84 ... 0x85:
	      test:
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 0x86 ... 0x87:	/* xchg */
	      xchg:
		/* Write back the register source. */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *) c->src.ptr = (u8) c->dst.val;
			break;
		case 2:
			*(u16 *) c->src.ptr = (u16) c->dst.val;
			break;
		case 4:
			*c->src.ptr = (u32) c->dst.val;
			break;	/* 64b reg: zero-extend */
		case 8:
			*c->src.ptr = c->dst.val;
			break;
		}
		/*
		 * Write back the memory destination with implicit LOCK
		 * prefix.
		 */
		c->dst.val = c->src.val;
		c->lock_prefix = 1;
		break;
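	/*
	 * Note (illustrative): xchg with a memory operand is atomic on real
	 * hardware even without an explicit LOCK prefix, which is why the
	 * handler above forces c->lock_prefix = 1 before the destination
	 * write-back; storing the 32-bit register case through the full-
	 * width pointer also models the zero-extension of 32-bit results
	 * in 64-bit mode.
	 */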
	case 0x88 ... 0x8b:	/* mov */
		goto mov;
	case 0x8c:  /* mov r/m, sreg */
		if (c->modrm_reg > VCPU_SREG_GS) {
			emulate_ud(ctxt);
			goto done;
		}
		c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
		break;
	case 0x8d: /* lea r16/r32, m */
		c->dst.val = c->modrm_ea;
		break;
	case 0x8e: { /* mov seg, r/m16 */
		uint16_t sel;

		sel = c->src.val;

		if (c->modrm_reg == VCPU_SREG_CS ||
		    c->modrm_reg > VCPU_SREG_GS) {
			emulate_ud(ctxt);
			goto done;
		}

		if (c->modrm_reg == VCPU_SREG_SS)
			ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;

		rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);

		c->dst.type = OP_NONE;  /* Disable writeback. */
		break;
	}
	case 0x8f:		/* pop (sole member of Grp1a) */
		rc = emulate_grp1a(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x90: /* nop / xchg r8,rax */
		if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
			c->dst.type = OP_NONE;  /* nop */
			break;
		}
	case 0x91 ... 0x97: /* xchg reg,rax */
		c->src.type = OP_REG;
		c->src.bytes = c->op_bytes;
		c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
		c->src.val = *(c->src.ptr);
		goto xchg;
	case 0x9c: /* pushf */
		c->src.val = (unsigned long) ctxt->eflags;
		emulate_push(ctxt, ops);
		break;
	case 0x9d: /* popf */
		c->dst.type = OP_REG;
		c->dst.ptr = (unsigned long *) &ctxt->eflags;
		c->dst.bytes = c->op_bytes;
		rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xa0 ... 0xa3:	/* mov */
	case 0xa4 ... 0xa5:	/* movs */
		goto mov;
	case 0xa6 ... 0xa7:	/* cmps */
		c->dst.type = OP_NONE; /* Disable writeback. */
		DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
		goto cmp;
	case 0xa8 ... 0xa9:	/* test ax, imm */
		goto test;
	case 0xaa ... 0xab:	/* stos */
		c->dst.val = c->regs[VCPU_REGS_RAX];
		break;
	case 0xac ... 0xad:	/* lods */
		goto mov;
	case 0xae ... 0xaf:	/* scas */
		DPRINTF("Urk! I don't handle SCAS.\n");
		goto cannot_emulate;
	case 0xb0 ... 0xbf: /* mov r, imm */
		goto mov;
	case 0xc3: /* ret */
		c->dst.type = OP_REG;
		c->dst.ptr = &c->eip;
		c->dst.bytes = c->op_bytes;
		goto pop_instruction;
	case 0xc6 ... 0xc7:	/* mov (sole member of Grp11) */
	      mov:
		c->dst.val = c->src.val;
		break;
	case 0xcb:		/* ret far */
		rc = emulate_ret_far(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xcf:		/* iret */
		rc = emulate_iret(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xd0 ... 0xd1:	/* Grp2 */
		c->src.val = 1;
		emulate_grp2(ctxt);
		break;
	case 0xd2 ... 0xd3:	/* Grp2 */
		c->src.val = c->regs[VCPU_REGS_RCX];
		emulate_grp2(ctxt);
		break;
	case 0xe4:	/* inb */
	case 0xe5:	/* in */
		goto do_io_in;
	case 0xe6: /* outb */
	case 0xe7: /* out */
		goto do_io_out;
	case 0xe8: /* call (near) */ {
		long int rel = c->src.val;
		c->src.val = (unsigned long) c->eip;
		jmp_rel(c, rel);
		emulate_push(ctxt, ops);
		break;
	}
	case 0xe9: /* jmp rel */
		goto jmp;
	case 0xea: { /* jmp far */
		unsigned short sel;
	jump_far:
		memcpy(&sel, c->src.valptr + c->op_bytes, 2);

		if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
			goto done;

		c->eip = 0;
		memcpy(&c->eip, c->src.valptr, c->op_bytes);
		break;
	}
	case 0xeb:
	      jmp:		/* jmp rel short */
		jmp_rel(c, c->src.val);
		c->dst.type = OP_NONE; /* Disable writeback. */
		break;
	case 0xec: /* in al,dx */
	case 0xed: /* in (e/r)ax,dx */
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_in:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
				     &c->dst.val))
			goto done; /* IO is needed */
		break;
	case 0xee: /* out dx,al */
	case 0xef: /* out dx,(e/r)ax */
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_out:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
				      ctxt->vcpu);
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xf4:		/* hlt */
		ctxt->vcpu->arch.halt_request = 1;
		break;
	case 0xf5:	/* cmc */
		/* complement carry flag from eflags reg */
		ctxt->eflags ^= EFLG_CF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xf6 ... 0xf7:	/* Grp3 */
		if (!emulate_grp3(ctxt, ops))
			goto cannot_emulate;
		break;
	case 0xf8: /* clc */
		ctxt->eflags &= ~EFLG_CF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfa: /* cli */
		if (emulator_bad_iopl(ctxt, ops)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			ctxt->eflags &= ~X86_EFLAGS_IF;
			c->dst.type = OP_NONE;	/* Disable writeback. */
		}
		break;
	case 0xfb: /* sti */
		if (emulator_bad_iopl(ctxt, ops)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
			ctxt->eflags |= X86_EFLAGS_IF;
			c->dst.type = OP_NONE;	/* Disable writeback. */
		}
		break;
	case 0xfc: /* cld */
		ctxt->eflags &= ~EFLG_DF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfd: /* std */
		ctxt->eflags |= EFLG_DF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfe: /* Grp4 */
	grp45:
		rc = emulate_grp45(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xff: /* Grp5 */
		if (c->modrm_reg == 5)
			goto jump_far;
		goto grp45;
	default:
		goto cannot_emulate;
	}
writeback:
	rc = writeback(ctxt, ops);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/*
	 * restore dst type in case the decoding will be reused
	 * (happens for string instructions)
	 */
	c->dst.type = saved_dst_type;

	if ((c->d & SrcMask) == SrcSI)
		string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
				VCPU_REGS_RSI, &c->src);

	if ((c->d & DstMask) == DstDI)
		string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
				&c->dst);

	if (c->rep_prefix && (c->d & String)) {
		struct read_cache *rc = &ctxt->decode.io_read;
		register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
		/*
		 * Re-enter guest when pio read ahead buffer is empty or,
		 * if it is not used, after each 1024 iterations.
		 */
		if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
		    (rc->end != 0 && rc->end == rc->pos))
			ctxt->restart = false;
	}
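	/*
	 * Worked example (illustrative): RCX & 0x3ff == 0 on every 1024th
	 * iteration, so a long rep string operation with no read-ahead
	 * buffer re-enters the guest once every 1024 emulated iterations
	 * rather than holding the vcpu until RCX reaches zero.
	 */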
	/*
	 * reset read cache here in case string instruction is restarted
	 * without decoding
	 */
	ctxt->decode.mem_read.end = 0;
	ctxt->eip = c->eip;

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
twobyte_insn:
	switch (c->b) {
	case 0x01: /* lgdt, lidt, lmsw */
		switch (c->modrm_reg) {
			u16 size;
			unsigned long address;

		case 0: /* vmcall */
			if (c->modrm_mod != 3 || c->modrm_rm != 1)
				goto cannot_emulate;

			rc = kvm_fix_hypercall(ctxt->vcpu);
			if (rc != X86EMUL_CONTINUE)
				goto done;

			/* Let the processor re-execute the fixed hypercall */
			c->eip = ctxt->eip;
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 2: /* lgdt */
			rc = read_descriptor(ctxt, ops, c->src.ptr,
					     &size, &address, c->op_bytes);
			if (rc != X86EMUL_CONTINUE)
				goto done;
			realmode_lgdt(ctxt->vcpu, size, address);
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 3: /* lidt/vmmcall */
			if (c->modrm_mod == 3) {
				switch (c->modrm_rm) {
				case 1:
					rc = kvm_fix_hypercall(ctxt->vcpu);
					if (rc != X86EMUL_CONTINUE)
						goto done;
					break;
				default:
					goto cannot_emulate;
				}
			} else {
				rc = read_descriptor(ctxt, ops, c->src.ptr,
						     &size, &address,
						     c->op_bytes);
				if (rc != X86EMUL_CONTINUE)
					goto done;
				realmode_lidt(ctxt->vcpu, size, address);
			}
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 4: /* smsw */
			c->dst.bytes = 2;
			c->dst.val = ops->get_cr(0, ctxt->vcpu);
			break;
		case 6: /* lmsw */
			ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
				    (c->src.val & 0x0f), ctxt->vcpu);
			c->dst.type = OP_NONE;
			break;
		case 5: /* not defined */
			emulate_ud(ctxt);
			goto done;
		case 7: /* invlpg */
			emulate_invlpg(ctxt->vcpu, c->modrm_ea);
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		default:
			goto cannot_emulate;
		}
		break;
	case 0x05:	/* syscall */
		rc = emulate_syscall(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x06:
		emulate_clts(ctxt->vcpu);
		c->dst.type = OP_NONE;
		break;
	case 0x09:		/* wbinvd */
		kvm_emulate_wbinvd(ctxt->vcpu);
		c->dst.type = OP_NONE;
		break;
	case 0x08:		/* invd */
	case 0x0d:		/* GrpP (prefetch) */
	case 0x18:		/* Grp16 (prefetch/nop) */
		c->dst.type = OP_NONE;
		break;
	case 0x20: /* mov cr, reg */
		switch (c->modrm_reg) {
		case 1:
		case 5 ... 7:
		case 9 ... 15:
			emulate_ud(ctxt);
			goto done;
		}
		c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
		c->dst.type = OP_NONE;	/* no writeback */
		break;
	case 0x21: /* mov from dr to reg */
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
			emulate_ud(ctxt);
			goto done;
		}
		ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
		c->dst.type = OP_NONE;	/* no writeback */
		break;
	case 0x22: /* mov reg, cr */
		if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		c->dst.type = OP_NONE;
		break;
	case 0x23: /* mov from reg to dr */
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
			emulate_ud(ctxt);
			goto done;
		}

		if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
				((ctxt->mode == X86EMUL_MODE_PROT64) ?
				 ~0ULL : ~0U), ctxt->vcpu) < 0) {
			/* #UD condition is already handled by the code above */
			emulate_gp(ctxt, 0);
			goto done;
		}

		c->dst.type = OP_NONE;	/* no writeback */
		break;
	case 0x30:
		/* wrmsr */
		msr_data = (u32)c->regs[VCPU_REGS_RAX]
			| ((u64)c->regs[VCPU_REGS_RDX] << 32);
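		/*
		 * Worked example (illustrative): with RDX = 0x01234567 and
		 * RAX = 0x89abcdef, the 64-bit MSR value assembled above is
		 * 0x0123456789abcdef: the low dword comes from EAX, the
		 * high dword from EDX.
		 */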
		if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		rc = X86EMUL_CONTINUE;
		c->dst.type = OP_NONE;
		break;
	case 0x32:
		/* rdmsr */
		if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			c->regs[VCPU_REGS_RAX] = (u32)msr_data;
			c->regs[VCPU_REGS_RDX] = msr_data >> 32;
		}
		rc = X86EMUL_CONTINUE;
		c->dst.type = OP_NONE;
		break;
	case 0x34:		/* sysenter */
		rc = emulate_sysenter(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x35:		/* sysexit */
		rc = emulate_sysexit(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x40 ... 0x4f:	/* cmov */
		c->dst.val = c->dst.orig_val = c->src.val;
		if (!test_cc(c->b, ctxt->eflags))
			c->dst.type = OP_NONE; /* no writeback */
		break;
	case 0x80 ... 0x8f: /* jnz rel, etc */
		if (test_cc(c->b, ctxt->eflags))
			jmp_rel(c, c->src.val);
		c->dst.type = OP_NONE;
		break;
	case 0xa0:	/* push fs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
		break;
	case 0xa1:	/* pop fs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xa3:
	      bt:		/* bt */
		c->dst.type = OP_NONE;
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
		break;
	case 0xa4: /* shld imm8, r, r/m */
	case 0xa5: /* shld cl, r, r/m */
		emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
		break;
	case 0xa8:	/* push gs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
		break;
	case 0xa9:	/* pop gs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xab:
	      bts:		/* bts */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
		break;
	case 0xac: /* shrd imm8, r, r/m */
	case 0xad: /* shrd cl, r, r/m */
		emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
		break;
	case 0xae:		/* clflush */
		break;
	case 0xb0 ... 0xb1:	/* cmpxchg */
		/*
		 * Save real source value, then compare EAX against
		 * destination.
		 */
		c->src.orig_val = c->src.val;
		c->src.val = c->regs[VCPU_REGS_RAX];
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
		if (ctxt->eflags & EFLG_ZF) {
			/* Success: write back to memory. */
			c->dst.val = c->src.orig_val;
		} else {
			/* Failure: write the value we saw to EAX. */
			c->dst.type = OP_REG;
			c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
		}
		break;
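	/*
	 * Worked example (illustrative): "cmpxchg [mem], ebx" with
	 * EAX == [mem] sets ZF and stores EBX (the saved real source) to
	 * memory; on a mismatch the write-back is redirected so the current
	 * memory value lands in EAX instead, matching the architectural
	 * definition of the instruction.
	 */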
	case 0xb3:
	      btr:		/* btr */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
		break;
	case 0xb6 ... 0xb7:	/* movzx */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
					     : (u16) c->src.val;
		break;
	case 0xba:		/* Grp8 */
		switch (c->modrm_reg & 3) {
		case 0:
			goto bt;
		case 1:
			goto bts;
		case 2:
			goto btr;
		case 3:
			goto btc;
		}
		break;
	case 0xbb:
	      btc:		/* btc */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
		break;
	case 0xbe ... 0xbf:	/* movsx */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
					       (s16) c->src.val;
		break;
	case 0xc3:		/* movnti */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
						  (u64) c->src.val;
		break;
	case 0xc7:		/* Grp9 (cmpxchg8b) */
		rc = emulate_grp9(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	default:
		goto cannot_emulate;
	}
	goto writeback;

cannot_emulate:
	DPRINTF("Cannot emulate %02x\n", c->b);
	return -1;
}