/******************************************************************************
 * emulate.c
 *
 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
 *
 * Copyright (c) 2005 Keir Fraser
 *
 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
 * privileged instructions:
 *
 * Copyright (C) 2006 Qumranet
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 *   Avi Kivity <avi@qumranet.com>
 *   Yaniv Kamay <yaniv@qumranet.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2.  See
 * the COPYING file in the top-level directory.
 *
 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
 */

#ifndef __KERNEL__
#include <stdio.h>
#include <stdint.h>
#include <public/xen.h>
#define DPRINTF(_f, _a ...) printf(_f , ## _a)
#else
#include <linux/kvm_host.h>
#include "kvm_cache_regs.h"
#define DPRINTF(x...) do {} while (0)
#endif
#include <linux/module.h>
#include <asm/kvm_emulate.h>

/*
 * Opcode effective-address decode tables.
 * Note that we only emulate instructions that have at least one memory
 * operand (excluding implicit stack references). We assume that stack
 * references and instruction fetches will never occur in special memory
 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
 * not be handled.
 */
/* Operand sizes: 8-bit operands or specified/overridden size. */
#define ByteOp      (1<<0)	/* 8-bit operands. */
/* Destination operand type. */
#define ImplicitOps (1<<1)	/* Implicit in opcode. No generic decode. */
#define DstReg      (2<<1)	/* Register operand. */
#define DstMem      (3<<1)	/* Memory operand. */
#define DstAcc      (4<<1)	/* Destination Accumulator */
#define DstDI       (5<<1)	/* Destination is in ES:(E)DI */
#define DstMem64    (6<<1)	/* 64-bit memory operand */
#define DstMask     (7<<1)
/* Source operand type. */
#define SrcNone     (0<<4)	/* No source operand. */
#define SrcImplicit (0<<4)	/* Source operand is implicit in the opcode. */
#define SrcReg      (1<<4)	/* Register operand. */
#define SrcMem      (2<<4)	/* Memory operand. */
#define SrcMem16    (3<<4)	/* Memory operand (16-bit). */
#define SrcMem32    (4<<4)	/* Memory operand (32-bit). */
#define SrcImm      (5<<4)	/* Immediate operand. */
#define SrcImmByte  (6<<4)	/* 8-bit sign-extended immediate operand. */
#define SrcOne      (7<<4)	/* Implied '1' */
#define SrcImmUByte (8<<4)	/* 8-bit unsigned immediate operand. */
#define SrcImmU     (9<<4)	/* Immediate operand, unsigned */
#define SrcSI       (0xa<<4)	/* Source is in the DS:RSI */
#define SrcImmFAddr (0xb<<4)	/* Source is immediate far address */
#define SrcMemFAddr (0xc<<4)	/* Source is far address in memory */
#define SrcAcc      (0xd<<4)	/* Source Accumulator */
#define SrcMask     (0xf<<4)
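/*
 * Layout note: an instruction's decode flags pack into a single u32 --
 * ByteOp in bit 0, the destination kind in bits 1-3, the source kind in
 * bits 4-7 -- with the modifier flags defined below in higher bits.
 */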
/* Generic ModRM decode. */
#define ModRM       (1<<8)
/* Destination is only written; never read. */
#define Mov         (1<<9)
#define BitOp       (1<<10)
#define MemAbs      (1<<11)	/* Memory operand is absolute displacement */
#define String      (1<<12)	/* String instruction (rep capable) */
#define Stack       (1<<13)	/* Stack instruction (push/pop) */
#define Group       (1<<14)	/* Bits 3:5 of modrm byte extend opcode */
#define GroupDual   (1<<15)	/* Alternate decoding of mod == 3 */
/* Misc flags */
#define Op3264      (1<<24)	/* Operand is 64b in long mode, 32b otherwise */
#define Undefined   (1<<25)	/* No Such Instruction */
#define Lock        (1<<26)	/* lock prefix is allowed for the instruction */
#define Priv        (1<<27)	/* instruction generates #GP if current CPL != 0 */
#define No64        (1<<28)	/* instruction is invalid in 64-bit mode */
/* Source 2 operand type */
#define Src2None    (0<<29)
#define Src2CL      (1<<29)
#define Src2ImmByte (2<<29)
#define Src2One     (3<<29)
#define Src2Mask    (7<<29)
#define X2(x...) x, x
#define X3(x...) X2(x), x
#define X4(x...) X2(x), X2(x)
#define X5(x...) X4(x), x
#define X6(x...) X4(x), X2(x)
#define X7(x...) X4(x), X3(x)
#define X8(x...) X4(x), X4(x)
#define X16(x...) X8(x), X8(x)
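/*
 * Illustrative expansion: X8(I(SrcReg | Stack, em_push)) produces eight
 * copies of that entry -- one table slot per register -- which is how
 * rows like the 0x50-0x57 pushes are written compactly further down.
 */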
struct opcode {
	u32 flags;
	union {
		int (*execute)(struct x86_emulate_ctxt *ctxt);
		struct opcode *group;
		struct group_dual *gdual;
	} u;
};

struct group_dual {
	struct opcode mod012[8];
	struct opcode mod3[8];
};
/* EFLAGS bit definitions. */
#define EFLG_ID (1<<21)
#define EFLG_VIP (1<<20)
#define EFLG_VIF (1<<19)
#define EFLG_AC (1<<18)
#define EFLG_VM (1<<17)
#define EFLG_RF (1<<16)
#define EFLG_IOPL (3<<12)
#define EFLG_NT (1<<14)
#define EFLG_OF (1<<11)
#define EFLG_DF (1<<10)
#define EFLG_IF (1<<9)
#define EFLG_TF (1<<8)
#define EFLG_SF (1<<7)
#define EFLG_ZF (1<<6)
#define EFLG_AF (1<<4)
#define EFLG_PF (1<<2)
#define EFLG_CF (1<<0)

#define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
#define EFLG_RESERVED_ONE_MASK 2
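/*
 * Bit 1 of EFLAGS is architecturally fixed to 1; the two masks above let
 * the iret/popf paths scrub reserved-zero bits and force that bit on
 * after merging a guest-supplied flags value.
 */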
/*
 * Instruction emulation:
 * Most instructions are emulated directly via a fragment of inline assembly
 * code. This allows us to save/restore EFLAGS and thus very easily pick up
 * any modified flags.
 */

#if defined(CONFIG_X86_64)
#define _LO32 "k"		/* force 32-bit operand */
#define _STK  "%%rsp"		/* stack pointer */
#elif defined(__i386__)
#define _LO32 ""		/* force 32-bit operand */
#define _STK  "%%esp"		/* stack pointer */
#endif
/*
 * These EFLAGS bits are restored from saved value during emulation, and
 * any changes are written back to the saved value after emulation.
 */
#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
/* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp)					\
	/* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */	\
	"movl %"_sav",%"_LO32 _tmp"; "					\
	"push %"_tmp"; "						\
	"push %"_tmp"; "						\
	"movl %"_msk",%"_LO32 _tmp"; "					\
	"andl %"_LO32 _tmp",("_STK"); "					\
	"pushf; "							\
	"notl %"_LO32 _tmp"; "						\
	"andl %"_LO32 _tmp",("_STK"); "					\
	"andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); "	\
	"pop  %"_tmp"; "						\
	"orl  %"_LO32 _tmp",("_STK"); "					\
	"popf; "							\
	"pop  %"_sav"; "
/* After executing instruction: write-back necessary bits in EFLAGS. */
#define _POST_EFLAGS(_sav, _msk, _tmp)		\
	/* _sav |= EFLAGS & _msk; */		\
	"pushf; "				\
	"pop  %"_LO32 _tmp"; "			\
	"andl %"_msk",%"_LO32 _tmp"; "		\
	"orl  %"_LO32 _tmp",%"_sav"; "
#ifdef CONFIG_X86_64
#define ON64(x) x
#else
#define ON64(x)
#endif

#define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix)	\
	do {								\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "4", "2")			\
			_op _suffix " %"_x"3,%1; "			\
			_POST_EFLAGS("0", "4", "2")			\
			: "=m" (_eflags), "=m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: _y ((_src).val), "i" (EFLAGS_MASK));		\
	} while (0)
/* Raw emulation: instruction has two explicit operands. */
#define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
	do {								\
		unsigned long _tmp;					\
									\
		switch ((_dst).bytes) {					\
		case 2:							\
			____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
			break;						\
		case 4:							\
			____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
			break;						\
		case 8:							\
			ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
			break;						\
		}							\
	} while (0)
#define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
	do {								\
		unsigned long _tmp;					\
		switch ((_dst).bytes) {					\
		case 1:							\
			____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
			break;						\
		default:						\
			__emulate_2op_nobyte(_op, _src, _dst, _eflags,	\
					     _wx, _wy, _lx, _ly, _qx, _qy); \
			break;						\
		}							\
	} while (0)
/* Source operand is byte-sized and may be restricted to just %cl. */
#define emulate_2op_SrcB(_op, _src, _dst, _eflags)			\
	__emulate_2op(_op, _src, _dst, _eflags,				\
		      "b", "c", "b", "c", "b", "c", "b", "c")
/* Source operand is byte, word, long or quad sized. */
#define emulate_2op_SrcV(_op, _src, _dst, _eflags)			\
	__emulate_2op(_op, _src, _dst, _eflags,				\
		      "b", "q", "w", "r", _LO32, "r", "", "r")

/* Source operand is word, long or quad sized. */
#define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags)		\
	__emulate_2op_nobyte(_op, _src, _dst, _eflags,			\
			     "w", "r", _LO32, "r", "", "r")
/* Instruction has three operands and one operand is stored in the ECX register */
#define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type)	\
	do {								\
		unsigned long _tmp;					\
		_type _clv  = (_cl).val;				\
		_type _srcv = (_src).val;				\
		_type _dstv = (_dst).val;				\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "5", "2")			\
			_op _suffix " %4,%1 \n"				\
			_POST_EFLAGS("0", "5", "2")			\
			: "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp)	\
			: "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK)	\
			);						\
									\
		(_cl).val  = (unsigned long) _clv;			\
		(_src).val = (unsigned long) _srcv;			\
		(_dst).val = (unsigned long) _dstv;			\
	} while (0)
#define emulate_2op_cl(_op, _cl, _src, _dst, _eflags)			\
	do {								\
		switch ((_dst).bytes) {					\
		case 2:							\
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags,	\
					 "w", unsigned short);		\
			break;						\
		case 4:							\
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags,	\
					 "l", unsigned int);		\
			break;						\
		case 8:							\
			ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					      "q", unsigned long));	\
			break;						\
		}							\
	} while (0)
#define __emulate_1op(_op, _dst, _eflags, _suffix)			\
	do {								\
		unsigned long _tmp;					\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "3", "2")			\
			_op _suffix " %1; "				\
			_POST_EFLAGS("0", "3", "2")			\
			: "=m" (_eflags), "+m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: "i" (EFLAGS_MASK));				\
	} while (0)
/* Instruction has only one explicit operand (no source operand). */
#define emulate_1op(_op, _dst, _eflags)					\
	do {								\
		switch ((_dst).bytes) {					\
		case 1:	__emulate_1op(_op, _dst, _eflags, "b"); break;	\
		case 2:	__emulate_1op(_op, _dst, _eflags, "w"); break;	\
		case 4:	__emulate_1op(_op, _dst, _eflags, "l"); break;	\
		case 8:	ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
		}							\
	} while (0)
/* Fetch next part of the instruction being emulated. */
#define insn_fetch(_type, _size, _eip)					\
({	unsigned long _x;						\
	rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
	(_type)_x;							\
})

#define insn_fetch_arr(_arr, _size, _eip)				\
({	rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
})
static inline unsigned long ad_mask(struct decode_cache *c)
{
	return (1UL << (c->ad_bytes << 3)) - 1;
}
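/*
 * e.g. ad_bytes == 2 yields (1UL << 16) - 1 == 0xffff, and ad_bytes == 4
 * yields 0xffffffff: the register bits that participate in effective
 * address arithmetic for that address size.
 */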
/* Access/update address held in a register, based on addressing mode. */
static inline unsigned long
address_mask(struct decode_cache *c, unsigned long reg)
{
	if (c->ad_bytes == sizeof(unsigned long))
		return reg;
	else
		return reg & ad_mask(c);
}

static inline unsigned long
register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
{
	return base + address_mask(c, reg);
}

static inline void
register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
{
	if (c->ad_bytes == sizeof(unsigned long))
		*reg += inc;
	else
		*reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
}
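/*
 * Example: with 2-byte addressing, incrementing a register that holds
 * 0xffff by 1 wraps the low word to 0x0000 while the upper register
 * bits are preserved, matching 16-bit wraparound semantics.
 */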
static inline void jmp_rel(struct decode_cache *c, int rel)
{
	register_address_increment(c, &c->eip, rel);
}

static void set_seg_override(struct decode_cache *c, int seg)
{
	c->has_seg_override = true;
	c->seg_override = seg;
}

static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
		return 0;

	return ops->get_cached_segment_base(seg, ctxt->vcpu);
}

static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
				       struct x86_emulate_ops *ops,
				       struct decode_cache *c)
{
	if (!c->has_seg_override)
		return 0;

	return seg_base(ctxt, ops, c->seg_override);
}

static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_ES);
}

static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_SS);
}
static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
			      u32 error, bool valid)
{
	ctxt->exception = vec;
	ctxt->error_code = error;
	ctxt->error_code_valid = valid;
	ctxt->restart = false;
}

static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, GP_VECTOR, err, true);
}

static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
		       int err)
{
	ctxt->cr2 = addr;
	emulate_exception(ctxt, PF_VECTOR, err, true);
}

static void emulate_ud(struct x86_emulate_ctxt *ctxt)
{
	emulate_exception(ctxt, UD_VECTOR, 0, false);
}

static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, TS_VECTOR, err, true);
}
static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops,
			      unsigned long eip, u8 *dest)
{
	struct fetch_cache *fc = &ctxt->decode.fetch;
	int rc;
	int size, cur_size;

	if (eip == fc->end) {
		cur_size = fc->end - fc->start;
		size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
		rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
				size, ctxt->vcpu, NULL);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		fc->end += size;
	}
	*dest = fc->data[eip - fc->start];
	return X86EMUL_CONTINUE;
}
static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long eip, void *dest, unsigned size)
{
	int rc;

	/* x86 instructions are limited to 15 bytes. */
	if (eip + size - ctxt->eip > 15)
		return X86EMUL_UNHANDLEABLE;
	while (size--) {
		rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
		if (rc != X86EMUL_CONTINUE)
			return rc;
	}
	return X86EMUL_CONTINUE;
}
/*
 * Given the 'reg' portion of a ModRM byte, and a register block, return a
 * pointer into the block that addresses the relevant register.
 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
 */
static void *decode_register(u8 modrm_reg, unsigned long *regs,
			     int highbyte_regs)
{
	void *p;

	p = &regs[modrm_reg];
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
		p = (unsigned char *)&regs[modrm_reg & 3] + 1;
	return p;
}
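/*
 * e.g. modrm_reg == 4 with highbyte_regs set selects AH: 4 & 3 picks the
 * RAX slot and the +1 points at its second byte (this relies on the
 * little-endian layout of the register file).
 */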
static int read_descriptor(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   ulong addr,
			   u16 *size, unsigned long *address, int op_bytes)
{
	int rc;

	if (op_bytes == 2)
		op_bytes = 3;
	*address = 0;
	rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
	return rc;
}
static int test_cc(unsigned int condition, unsigned int flags)
{
	int rc = 0;

	switch ((condition & 15) >> 1) {
	case 0: /* o */
		rc |= (flags & EFLG_OF);
		break;
	case 1: /* b/c/nae */
		rc |= (flags & EFLG_CF);
		break;
	case 2: /* z/e */
		rc |= (flags & EFLG_ZF);
		break;
	case 3: /* be/na */
		rc |= (flags & (EFLG_CF|EFLG_ZF));
		break;
	case 4: /* s */
		rc |= (flags & EFLG_SF);
		break;
	case 5: /* p/pe */
		rc |= (flags & EFLG_PF);
		break;
	case 7: /* le/ng */
		rc |= (flags & EFLG_ZF);
		/* fall through */
	case 6: /* l/nge */
		rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
		break;
	}

	/* Odd condition identifiers (lsb == 1) have inverted sense. */
	return (!!rc ^ (condition & 1));
}
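/*
 * Example: conditions 0x4 ("e") and 0x5 ("ne") share case 2 above; the
 * set low bit of 0x5 inverts the result, so one table entry serves both
 * halves of each Jcc/SETcc pair.
 */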
static void fetch_register_operand(struct operand *op)
{
	switch (op->bytes) {
	case 1:
		op->val = *(u8 *)op->addr.reg;
		break;
	case 2:
		op->val = *(u16 *)op->addr.reg;
		break;
	case 4:
		op->val = *(u32 *)op->addr.reg;
		break;
	case 8:
		op->val = *(u64 *)op->addr.reg;
		break;
	}
}
static void decode_register_operand(struct operand *op,
				    struct decode_cache *c,
				    int inhibit_bytereg)
{
	unsigned reg = c->modrm_reg;
	int highbyte_regs = c->rex_prefix == 0;

	if (!(c->d & ModRM))
		reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
	op->type = OP_REG;
	if ((c->d & ByteOp) && !inhibit_bytereg) {
		op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
		op->bytes = 1;
	} else {
		op->addr.reg = decode_register(reg, c->regs, 0);
		op->bytes = c->op_bytes;
	}
	fetch_register_operand(op);
	op->orig_val = op->val;
}
static int decode_modrm(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u8 sib;
	int index_reg = 0, base_reg = 0, scale;
	int rc = X86EMUL_CONTINUE;

	if (c->rex_prefix) {
		c->modrm_reg = (c->rex_prefix & 4) << 1;	/* REX.R */
		index_reg = (c->rex_prefix & 2) << 2;		/* REX.X */
		c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REX.B */
	}

	c->modrm = insn_fetch(u8, 1, c->eip);
	c->modrm_mod |= (c->modrm & 0xc0) >> 6;
	c->modrm_reg |= (c->modrm & 0x38) >> 3;
	c->modrm_rm |= (c->modrm & 0x07);
	c->modrm_ea = 0;
	c->modrm_seg = VCPU_SREG_DS;

	if (c->modrm_mod == 3) {
		c->modrm_ptr = decode_register(c->modrm_rm,
					       c->regs, c->d & ByteOp);
		c->modrm_val = *(unsigned long *)c->modrm_ptr;
		return rc;
	}

	if (c->ad_bytes == 2) {
		unsigned bx = c->regs[VCPU_REGS_RBX];
		unsigned bp = c->regs[VCPU_REGS_RBP];
		unsigned si = c->regs[VCPU_REGS_RSI];
		unsigned di = c->regs[VCPU_REGS_RDI];

		/* 16-bit ModR/M decode. */
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 6)
				c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		}
		switch (c->modrm_rm) {
		case 0:
			c->modrm_ea += bx + si;
			break;
		case 1:
			c->modrm_ea += bx + di;
			break;
		case 2:
			c->modrm_ea += bp + si;
			break;
		case 3:
			c->modrm_ea += bp + di;
			break;
		case 4:
			c->modrm_ea += si;
			break;
		case 5:
			c->modrm_ea += di;
			break;
		case 6:
			if (c->modrm_mod != 0)
				c->modrm_ea += bp;
			break;
		case 7:
			c->modrm_ea += bx;
			break;
		}
		if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
		    (c->modrm_rm == 6 && c->modrm_mod != 0))
			c->modrm_seg = VCPU_SREG_SS;
		c->modrm_ea = (u16)c->modrm_ea;
	} else {
		/* 32/64-bit ModR/M decode. */
		if ((c->modrm_rm & 7) == 4) {
			sib = insn_fetch(u8, 1, c->eip);
			index_reg |= (sib >> 3) & 7;
			base_reg |= sib & 7;
			scale = sib >> 6;

			if ((base_reg & 7) == 5 && c->modrm_mod == 0)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			else
				c->modrm_ea += c->regs[base_reg];
			if (index_reg != 4)
				c->modrm_ea += c->regs[index_reg] << scale;
		} else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
			if (ctxt->mode == X86EMUL_MODE_PROT64)
				c->rip_relative = 1;
		} else
			c->modrm_ea += c->regs[c->modrm_rm];
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 5)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		}
	}
done:
	return rc;
}
static int decode_abs(struct x86_emulate_ctxt *ctxt,
		      struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;

	switch (c->ad_bytes) {
	case 2:
		c->modrm_ea = insn_fetch(u16, 2, c->eip);
		break;
	case 4:
		c->modrm_ea = insn_fetch(u32, 4, c->eip);
		break;
	case 8:
		c->modrm_ea = insn_fetch(u64, 8, c->eip);
		break;
	}
done:
	return rc;
}
static int read_emulated(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long addr, void *dest, unsigned size)
{
	int rc;
	struct read_cache *mc = &ctxt->decode.mem_read;
	u32 err;

	while (size) {
		int n = min(size, 8u);
		size -= n;
		if (mc->pos < mc->end)
			goto read_cached;

		rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt, addr, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		mc->end += n;

	read_cached:
		memcpy(dest, mc->data + mc->pos, n);
		mc->pos += n;
		dest += n;
		addr += n;
	}
	return X86EMUL_CONTINUE;
}
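/*
 * pio_in_emulated() below batches string I/O: a single host round trip
 * fills io_read with up to one page's worth of "rep ins" data, and
 * subsequent iterations are satisfied from the cache until
 * rc->pos == rc->end.
 */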
static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   unsigned int size, unsigned short port,
			   void *dest)
{
	struct read_cache *rc = &ctxt->decode.io_read;

	if (rc->pos == rc->end) { /* refill pio read ahead */
		struct decode_cache *c = &ctxt->decode;
		unsigned int in_page, n;
		unsigned int count = c->rep_prefix ?
			address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
		in_page = (ctxt->eflags & EFLG_DF) ?
			offset_in_page(c->regs[VCPU_REGS_RDI]) :
			PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
		n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
			count);
		if (n == 0)
			n = 1;
		rc->pos = rc->end = 0;
		if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
			return 0;
		rc->end = n * size;
	}

	memcpy(dest, rc->data + rc->pos, size);
	rc->pos += size;
	return 1;
}
static u32 desc_limit_scaled(struct desc_struct *desc)
{
	u32 limit = get_desc_limit(desc);

	return desc->g ? (limit << 12) | 0xfff : limit;
}
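/*
 * e.g. a descriptor with g == 1 and a raw limit of 0xfffff scales to
 * (0xfffff << 12) | 0xfff == 0xffffffff, a full 4GB segment.
 */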
static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
				     struct x86_emulate_ops *ops,
				     u16 selector, struct desc_ptr *dt)
{
	if (selector & 1 << 2) {
		struct desc_struct desc;
		memset(dt, 0, sizeof *dt);
		if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
			return;

		dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
		dt->address = get_desc_base(&desc);
	} else
		ops->get_gdt(dt, ctxt->vcpu);
}
/* allowed just for 8-byte segment descriptors */
static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}
	addr = dt.address + index * 8;
	ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}
/* allowed just for 8-byte segment descriptors */
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				    struct x86_emulate_ops *ops,
				    u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	addr = dt.address + index * 8;
	ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}
static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, int seg)
{
	struct desc_struct seg_desc;
	u8 dpl, rpl, cpl;
	unsigned err_vec = GP_VECTOR;
	u32 err_code = 0;
	bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
	int ret;

	memset(&seg_desc, 0, sizeof seg_desc);

	if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
	    || ctxt->mode == X86EMUL_MODE_REAL) {
		/* set real mode segment descriptor */
		set_desc_base(&seg_desc, selector << 4);
		set_desc_limit(&seg_desc, 0xffff);
		seg_desc.type = 3;
		seg_desc.p = 1;
		seg_desc.s = 1;
		goto load;
	}

	/* NULL selector is not valid for TR, CS and SS */
	if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
	    && null_selector)
		goto exception;

	/* TR should be in GDT only */
	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
		goto exception;

	if (null_selector) /* for NULL selector skip all following checks */
		goto load;

	ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	err_code = selector & 0xfffc;

	/* can't load a system descriptor into a segment selector */
	if (seg <= VCPU_SREG_GS && !seg_desc.s)
		goto exception;

	if (!seg_desc.p) {
		err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
		goto exception;
	}

	rpl = selector & 3;
	dpl = seg_desc.dpl;
	cpl = ops->cpl(ctxt->vcpu);

	switch (seg) {
	case VCPU_SREG_SS:
		/*
		 * segment is not a writable data segment, or segment
		 * selector's RPL != CPL, or DPL != CPL
		 */
		if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
			goto exception;
		break;
	case VCPU_SREG_CS:
		if (!(seg_desc.type & 8))
			goto exception;

		if (seg_desc.type & 4) {
			/* conforming */
			if (dpl > cpl)
				goto exception;
		} else {
			/* nonconforming */
			if (rpl > cpl || dpl != cpl)
				goto exception;
		}
		/* CS(RPL) <- CPL */
		selector = (selector & 0xfffc) | cpl;
		break;
	case VCPU_SREG_TR:
		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
			goto exception;
		break;
	case VCPU_SREG_LDTR:
		if (seg_desc.s || seg_desc.type != 2)
			goto exception;
		break;
	default: /* DS, ES, FS, or GS */
		/*
		 * segment is not a data or readable code segment or
		 * ((segment is a data or nonconforming code segment)
		 * and (both RPL and CPL > DPL))
		 */
		if ((seg_desc.type & 0xa) == 0x8 ||
		    (((seg_desc.type & 0xc) != 0xc) &&
		     (rpl > dpl && cpl > dpl)))
			goto exception;
		break;
	}

	if (seg_desc.s) {
		/* mark segment as accessed */
		seg_desc.type |= 1;
		ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}
load:
	ops->set_segment_selector(selector, seg, ctxt->vcpu);
	ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
	return X86EMUL_CONTINUE;
exception:
	emulate_exception(ctxt, err_vec, err_code, true);
	return X86EMUL_PROPAGATE_FAULT;
}
static inline int writeback(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops)
{
	int rc;
	struct decode_cache *c = &ctxt->decode;
	u32 err;

	switch (c->dst.type) {
	case OP_REG:
		/* The 4-byte case *is* correct:
		 * in 64-bit mode we zero-extend.
		 */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *)c->dst.addr.reg = (u8)c->dst.val;
			break;
		case 2:
			*(u16 *)c->dst.addr.reg = (u16)c->dst.val;
			break;
		case 4:
			*c->dst.addr.reg = (u32)c->dst.val;
			break;	/* 64b: zero-ext */
		case 8:
			*c->dst.addr.reg = c->dst.val;
			break;
		}
		break;
	case OP_MEM:
		if (c->lock_prefix)
			rc = ops->cmpxchg_emulated(c->dst.addr.mem,
						   &c->dst.orig_val,
						   &c->dst.val,
						   c->dst.bytes,
						   &err, ctxt->vcpu);
		else
			rc = ops->write_emulated(c->dst.addr.mem,
						 &c->dst.val,
						 c->dst.bytes,
						 &err, ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt, c->dst.addr.mem, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		break;
	case OP_NONE:
		/* no writeback */
		break;
	default:
		break;
	}
	return X86EMUL_CONTINUE;
}
static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	c->dst.type  = OP_MEM;
	c->dst.bytes = c->op_bytes;
	c->dst.val = c->src.val;
	register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
	c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
					   c->regs[VCPU_REGS_RSP]);
}

static int emulate_pop(struct x86_emulate_ctxt *ctxt,
		       struct x86_emulate_ops *ops,
		       void *dest, int len)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;

	rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
						       c->regs[VCPU_REGS_RSP]),
			   dest, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
	return rc;
}
static int emulate_popf(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops,
			void *dest, int len)
{
	int rc;
	unsigned long val, change_mask;
	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	int cpl = ops->cpl(ctxt->vcpu);

	rc = emulate_pop(ctxt, ops, &val, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
		| EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;

	switch(ctxt->mode) {
	case X86EMUL_MODE_PROT64:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT16:
		if (cpl == 0)
			change_mask |= EFLG_IOPL;
		if (cpl <= iopl)
			change_mask |= EFLG_IF;
		break;
	case X86EMUL_MODE_VM86:
		if (iopl < 3) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		change_mask |= EFLG_IF;
		break;
	default: /* real mode */
		change_mask |= (EFLG_IOPL | EFLG_IF);
		break;
	}

	*(unsigned long *)dest =
		(ctxt->eflags & ~change_mask) | (val & change_mask);

	return rc;
}
static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;

	c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);

	emulate_push(ctxt, ops);
}

static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long selector;
	int rc;

	rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
	return rc;
}
static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long old_esp = c->regs[VCPU_REGS_RSP];
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RAX;

	while (reg <= VCPU_REGS_RDI) {
		(reg == VCPU_REGS_RSP) ?
		(c->src.val = old_esp) : (c->src.val = c->regs[reg]);

		emulate_push(ctxt, ops);

		rc = writeback(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			return rc;

		++reg;
	}

	/* Disable writeback. */
	c->dst.type = OP_NONE;

	return rc;
}
static int emulate_popa(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RDI;

	while (reg >= VCPU_REGS_RAX) {
		if (reg == VCPU_REGS_RSP) {
			register_address_increment(c, &c->regs[VCPU_REGS_RSP],
						   c->op_bytes);
			--reg;
			continue;
		}

		rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			break;
		--reg;
	}
	return rc;
}
static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	unsigned long temp_eip = 0;
	unsigned long temp_eflags = 0;
	unsigned long cs = 0;
	unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
			     EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
			     EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
	unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;

	/* TODO: Add stack limit check */

	rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	if (temp_eip & ~0xffff) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	c->eip = temp_eip;

	if (c->op_bytes == 4)
		ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
	else if (c->op_bytes == 2) {
		ctxt->eflags &= ~0xffff;
		ctxt->eflags |= temp_eflags;
	}

	ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
	ctxt->eflags |= EFLG_RESERVED_ONE_MASK;

	return rc;
}
static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	switch(ctxt->mode) {
	case X86EMUL_MODE_REAL:
		return emulate_iret_real(ctxt, ops);
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT64:
	default:
		/* iret from protected mode is not yet implemented */
		return X86EMUL_UNHANDLEABLE;
	}
}
static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
}
static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
{
	struct decode_cache *c = &ctxt->decode;
	switch (c->modrm_reg) {
	case 0:	/* rol */
		emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
		break;
	case 1:	/* ror */
		emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* rcl */
		emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
		break;
	case 3:	/* rcr */
		emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
		break;
	case 4:	/* sal/shl */
	case 6:	/* sal/shl */
		emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
		break;
	case 5:	/* shr */
		emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
		break;
	case 7:	/* sar */
		emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
		break;
	}
}
static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0 ... 1:	/* test */
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* not */
		c->dst.val = ~c->dst.val;
		break;
	case 3:	/* neg */
		emulate_1op("neg", c->dst, ctxt->eflags);
		break;
	default:
		return 0;
	}
	return 1;
}
static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0:	/* inc */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 1:	/* dec */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 2: /* call near abs */ {
		long int old_eip;
		old_eip = c->eip;
		c->eip = c->src.val;
		c->src.val = old_eip;
		emulate_push(ctxt, ops);
		break;
	}
	case 4: /* jmp abs */
		c->eip = c->src.val;
		break;
	case 6:	/* push */
		emulate_push(ctxt, ops);
		break;
	}
	return X86EMUL_CONTINUE;
}
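/*
 * emulate_grp9() below implements CMPXCHG8B: compare EDX:EAX with the
 * 64-bit destination; on mismatch load EDX:EAX from the destination and
 * clear ZF, otherwise store ECX:EBX to it and set ZF.
 */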
static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u64 old = c->dst.orig_val64;

	if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
	    ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
		c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
		c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
		ctxt->eflags &= ~EFLG_ZF;
	} else {
		c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
			(u32) c->regs[VCPU_REGS_RBX];

		ctxt->eflags |= EFLG_ZF;
	}
	return X86EMUL_CONTINUE;
}
static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;
	unsigned long cs;

	rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	if (c->op_bytes == 4)
		c->eip = (u32)c->eip;
	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
	return rc;
}
static inline void
setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops, struct desc_struct *cs,
			struct desc_struct *ss)
{
	memset(cs, 0, sizeof(struct desc_struct));
	ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
	memset(ss, 0, sizeof(struct desc_struct));

	cs->l = 0;		/* will be adjusted later */
	set_desc_base(cs, 0);	/* flat segment */
	cs->g = 1;		/* 4kb granularity */
	set_desc_limit(cs, 0xfffff);	/* 4GB limit */
	cs->type = 0x0b;	/* Read, Execute, Accessed */
	cs->s = 1;
	cs->dpl = 0;		/* will be adjusted later */
	cs->p = 1;
	cs->d = 1;

	set_desc_base(ss, 0);	/* flat segment */
	set_desc_limit(ss, 0xfffff);	/* 4GB limit */
	ss->g = 1;		/* 4kb granularity */
	ss->s = 1;
	ss->type = 0x03;	/* Read/Write, Accessed */
	ss->d = 1;		/* 32-bit stack segment */
	ss->dpl = 0;
	ss->p = 1;
}
static int
emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* syscall is not available in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
	msr_data >>= 32;
	cs_sel = (u16)(msr_data & 0xfffc);
	ss_sel = (u16)(msr_data + 8);

	if (is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}
	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->regs[VCPU_REGS_RCX] = c->eip;
	if (is_long_mode(ctxt->vcpu)) {
#ifdef CONFIG_X86_64
		c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;

		ops->get_msr(ctxt->vcpu,
			     ctxt->mode == X86EMUL_MODE_PROT64 ?
			     MSR_LSTAR : MSR_CSTAR, &msr_data);
		c->eip = msr_data;

		ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
		ctxt->eflags &= ~(msr_data | EFLG_RF);
#endif
	} else {
		/* legacy mode */
		ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
		c->eip = (u32)msr_data;

		ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	}

	return X86EMUL_CONTINUE;
}
static int
emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	/* XXX sysenter/sysexit have not been tested in 64-bit mode.
	 * Therefore, we inject a #UD.
	 */
	if (ctxt->mode == X86EMUL_MODE_PROT64) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT32:
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	case X86EMUL_MODE_PROT64:
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	}

	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	cs_sel = (u16)msr_data;
	cs_sel &= ~SELECTOR_RPL_MASK;
	ss_sel = cs_sel + 8;
	ss_sel &= ~SELECTOR_RPL_MASK;
	if (ctxt->mode == X86EMUL_MODE_PROT64
	    || is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
	c->eip = msr_data;

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
	c->regs[VCPU_REGS_RSP] = msr_data;

	return X86EMUL_CONTINUE;
}
static int
emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	int usermode;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode or Virtual 8086 mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	if ((c->rex_prefix & 0x8) != 0x0)
		usermode = X86EMUL_MODE_PROT64;
	else
		usermode = X86EMUL_MODE_PROT32;

	cs.dpl = 3;
	ss.dpl = 3;
	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (usermode) {
	case X86EMUL_MODE_PROT32:
		cs_sel = (u16)(msr_data + 16);
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = (u16)(msr_data + 24);
		break;
	case X86EMUL_MODE_PROT64:
		cs_sel = (u16)(msr_data + 32);
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = cs_sel + 8;
		cs.d = 0;
		cs.l = 1;
		break;
	}
	cs_sel |= SELECTOR_RPL_MASK;
	ss_sel |= SELECTOR_RPL_MASK;

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->eip = c->regs[VCPU_REGS_RDX];
	c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];

	return X86EMUL_CONTINUE;
}
static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops)
{
	int iopl;
	if (ctxt->mode == X86EMUL_MODE_REAL)
		return false;
	if (ctxt->mode == X86EMUL_MODE_VM86)
		return true;
	iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	return ops->cpl(ctxt->vcpu) > iopl;
}
static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
					    struct x86_emulate_ops *ops,
					    u16 port, u16 len)
{
	struct desc_struct tr_seg;
	int r;
	u16 io_bitmap_ptr;
	u8 perm, bit_idx = port & 0x7;
	unsigned mask = (1 << len) - 1;

	ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
	if (!tr_seg.p)
		return false;
	if (desc_limit_scaled(&tr_seg) < 103)
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
			  ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
			  &perm, 1, ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if ((perm >> bit_idx) & mask)
		return false;
	return true;
}
static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 u16 port, u16 len)
{
	if (ctxt->perm_ok)
		return true;

	if (emulator_bad_iopl(ctxt, ops))
		if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
			return false;

	ctxt->perm_ok = true;

	return true;
}
static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->ip = c->eip;
	tss->flag = ctxt->eflags;
	tss->ax = c->regs[VCPU_REGS_RAX];
	tss->cx = c->regs[VCPU_REGS_RCX];
	tss->dx = c->regs[VCPU_REGS_RDX];
	tss->bx = c->regs[VCPU_REGS_RBX];
	tss->sp = c->regs[VCPU_REGS_RSP];
	tss->bp = c->regs[VCPU_REGS_RBP];
	tss->si = c->regs[VCPU_REGS_RSI];
	tss->di = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	c->eip = tss->ip;
	ctxt->eflags = tss->flag | 2;
	c->regs[VCPU_REGS_RAX] = tss->ax;
	c->regs[VCPU_REGS_RCX] = tss->cx;
	c->regs[VCPU_REGS_RDX] = tss->dx;
	c->regs[VCPU_REGS_RBX] = tss->bx;
	c->regs[VCPU_REGS_RSP] = tss->sp;
	c->regs[VCPU_REGS_RBP] = tss->bp;
	c->regs[VCPU_REGS_RSI] = tss->si;
	c->regs[VCPU_REGS_RDI] = tss->di;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If a fault happens at this stage,
	 * it is handled in the context of the new task.
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_16(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_16 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss16(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss16(ctxt, ops, &tss_seg);
}
static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->cr3 = ops->get_cr(3, ctxt->vcpu);
	tss->eip = c->eip;
	tss->eflags = ctxt->eflags;
	tss->eax = c->regs[VCPU_REGS_RAX];
	tss->ecx = c->regs[VCPU_REGS_RCX];
	tss->edx = c->regs[VCPU_REGS_RDX];
	tss->ebx = c->regs[VCPU_REGS_RBX];
	tss->esp = c->regs[VCPU_REGS_RSP];
	tss->ebp = c->regs[VCPU_REGS_RBP];
	tss->esi = c->regs[VCPU_REGS_RSI];
	tss->edi = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
	tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
	tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}
	c->eip = tss->eip;
	ctxt->eflags = tss->eflags | 2;
	c->regs[VCPU_REGS_RAX] = tss->eax;
	c->regs[VCPU_REGS_RCX] = tss->ecx;
	c->regs[VCPU_REGS_RDX] = tss->edx;
	c->regs[VCPU_REGS_RBX] = tss->ebx;
	c->regs[VCPU_REGS_RSP] = tss->esp;
	c->regs[VCPU_REGS_RBP] = tss->ebp;
	c->regs[VCPU_REGS_RSI] = tss->esi;
	c->regs[VCPU_REGS_RDI] = tss->edi;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
	ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
	ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If a fault happens at this stage,
	 * it is handled in the context of the new task.
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_32(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_32 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss32(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss32(ctxt, ops, &tss_seg);
}
static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 tss_selector, int reason,
				   bool has_error_code, u32 error_code)
{
	struct desc_struct curr_tss_desc, next_tss_desc;
	int ret;
	u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
	ulong old_tss_base =
		ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
	u32 desc_limit;

	/* FIXME: old_tss_base == ~0 ? */

	ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	/* FIXME: check that next_tss_desc is tss */

	if (reason != TASK_SWITCH_IRET) {
		if ((tss_selector & 3) > next_tss_desc.dpl ||
		    ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
	}

	desc_limit = desc_limit_scaled(&next_tss_desc);
	if (!next_tss_desc.p ||
	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
	     desc_limit < 0x2b)) {
		emulate_ts(ctxt, tss_selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
		curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
		write_segment_descriptor(ctxt, ops, old_tss_sel,
					 &curr_tss_desc);
	}

	if (reason == TASK_SWITCH_IRET)
		ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;

	/* set back link to prev task only if NT bit is set in eflags;
	   note that old_tss_sel is not used after this point */
	if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
		old_tss_sel = 0xffff;

	if (next_tss_desc.type & 8)
		ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	else
		ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
		ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;

	if (reason != TASK_SWITCH_IRET) {
		next_tss_desc.type |= (1 << 1); /* set busy flag */
		write_segment_descriptor(ctxt, ops, tss_selector,
					 &next_tss_desc);
	}

	ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
	ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
	ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);

	if (has_error_code) {
		struct decode_cache *c = &ctxt->decode;

		c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
		c->lock_prefix = 0;
		c->src.val = (unsigned long) error_code;
		emulate_push(ctxt, ops);
	}

	return ret;
}
int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
			 u16 tss_selector, int reason,
			 bool has_error_code, u32 error_code)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc;

	c->eip = ctxt->eip;
	c->dst.type = OP_NONE;

	rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
				     has_error_code, error_code);

	if (rc == X86EMUL_CONTINUE) {
		rc = writeback(ctxt, ops);
		if (rc == X86EMUL_CONTINUE)
			ctxt->eip = c->eip;
	}

	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}
static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
			    int reg, struct operand *op)
{
	struct decode_cache *c = &ctxt->decode;
	int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;

	register_address_increment(c, &c->regs[reg], df * op->bytes);
	op->addr.mem = register_address(c, base, c->regs[reg]);
}
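/*
 * e.g. a 4-byte MOVS with EFLG_DF clear advances RSI/RDI by +4 each
 * iteration; with DF set they step by -4 instead.
 */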
static int em_push(struct x86_emulate_ctxt *ctxt)
{
	emulate_push(ctxt, ctxt->ops);
	return X86EMUL_CONTINUE;
}
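/*
 * em_push() is wired into the opcode tables via the I() macro below,
 * e.g. I(SrcReg | Stack, em_push) for the 0x50-0x57 push-reg row; such
 * entries are dispatched through c->execute after decode.
 */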
#define D(_y) { .flags = (_y) }
#define N    D(0)
#define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
#define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
#define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
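/*
 * Reading a table entry: D(ByteOp | DstMem | SrcReg | ModRM | Lock)
 * describes an instruction with a byte-sized memory destination, a
 * register source, a ModRM byte to decode, and the LOCK prefix allowed
 * -- e.g. 0x00 (add r/m8, r8) at the top of opcode_table. N marks an
 * undefined or unemulated slot.
 */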
static struct opcode group1[] = {
	X7(D(Lock)), N
};

static struct opcode group1A[] = {
	D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
};

static struct opcode group3[] = {
	D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	X4(D(Undefined)),
};

static struct opcode group4[] = {
	D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
	N, N, N, N, N, N,
};

static struct opcode group5[] = {
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	D(SrcMem | ModRM | Stack), N,
	D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
	D(SrcMem | ModRM | Stack), N,
};

static struct group_dual group7 = { {
	N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv), D(SrcMem | ModRM | ByteOp | Priv),
}, {
	D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv), N,
} };

static struct opcode group8[] = {
	N, N, N, N,
	D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
	D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
};

static struct group_dual group9 = { {
	N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
}, {
	N, N, N, N, N, N, N, N,
} };
static struct opcode opcode_table[256] = {
	/* 0x00 - 0x07 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x08 - 0x0F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), N,
	/* 0x10 - 0x17 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x18 - 0x1F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x20 - 0x27 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x28 - 0x2F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x30 - 0x37 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x38 - 0x3F */
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg)),
	/* 0x50 - 0x57 */
	X8(I(SrcReg | Stack, em_push)),
	/* 0x58 - 0x5F */
	X8(D(DstReg | Stack)),
	/* 0x60 - 0x67 */
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
	N, N, N, N,
	/* 0x68 - 0x6F */
	I(SrcImm | Mov | Stack, em_push), N,
	I(SrcImmByte | Mov | Stack, em_push), N,
	D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
	D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
	/* 0x70 - 0x7F */
	X16(D(SrcImmByte)),
	/* 0x80 - 0x87 */
	G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
	G(DstMem | SrcImm | ModRM | Group, group1),
	G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
	G(DstMem | SrcImmByte | ModRM | Group, group1),
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	/* 0x88 - 0x8F */
	D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
	D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
	D(DstMem | SrcNone | ModRM | Mov), D(ModRM | DstReg),
	D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
	/* 0x90 - 0x97 */
	X8(D(SrcAcc | DstReg)),
	/* 0x98 - 0x9F */
	N, N, D(SrcImmFAddr | No64), N,
	D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
	/* 0xA0 - 0xA7 */
	D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
	D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
	D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
	D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
	/* 0xA8 - 0xAF */
	D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
	D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
	D(ByteOp | DstDI | String), D(DstDI | String),
	/* 0xB0 - 0xB7 */
	X8(D(ByteOp | DstReg | SrcImm | Mov)),
	/* 0xB8 - 0xBF */
	X8(D(DstReg | SrcImm | Mov)),
	/* 0xC0 - 0xC7 */
	D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
	N, D(ImplicitOps | Stack), N, N,
	D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
	/* 0xC8 - 0xCF */
	N, N, N, D(ImplicitOps | Stack),
	D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
	/* 0xD0 - 0xD7 */
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	N, N, N, N,
	/* 0xD8 - 0xDF */
	N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xE7 */
	N, N, N, N,
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	/* 0xE8 - 0xEF */
	D(SrcImm | Stack), D(SrcImm | ImplicitOps),
	D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	/* 0xF0 - 0xF7 */
	N, N, N, N,
	D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
	/* 0xF8 - 0xFF */
	D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
	D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
};
static struct opcode twobyte_table[256] = {
	/* 0x00 - 0x0F */
	N, GD(0, &group7), N, N,
	N, D(ImplicitOps), D(ImplicitOps | Priv), N,
	D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
	N, D(ImplicitOps | ModRM), N, N,
	/* 0x10 - 0x1F */
	N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
	/* 0x20 - 0x2F */
	D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
	D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
	N, N, N, N,
	N, N, N, N, N, N, N, N,
	/* 0x30 - 0x3F */
	D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
	D(ImplicitOps), D(ImplicitOps | Priv), N, N,
	N, N, N, N, N, N, N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg | SrcMem | ModRM | Mov)),
	/* 0x50 - 0x5F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x60 - 0x6F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x70 - 0x7F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x80 - 0x8F */
	X16(D(SrcImm)),
	/* 0x90 - 0x9F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xA0 - 0xA7 */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM), N, N,
	/* 0xA8 - 0xAF */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM),
	D(ModRM), N,
	/* 0xB0 - 0xB7 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xB8 - 0xBF */
	N, N,
	G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xC0 - 0xCF */
	N, N, N, D(DstMem | SrcReg | ModRM | Mov),
	N, N, N, GD(0, &group9),
	N, N, N, N, N, N, N, N,
	/* 0xD0 - 0xDF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xEF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xF0 - 0xFF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
};
int
x86_decode_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int mode = ctxt->mode;
	int def_op_bytes, def_ad_bytes, dual, goffset;
	struct opcode opcode, *g_mod012, *g_mod3;

	/* We cannot decode a new insn before the previous rep insn completes. */
	WARN_ON(ctxt->restart);

	c->eip = ctxt->eip;
	c->fetch.start = c->fetch.end = c->eip;
	ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
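
	/*
	 * Default operand and address sizes follow the CPU mode: real mode,
	 * VM86 and 16-bit protected mode use 2 bytes, 32-bit protected mode
	 * uses 4 bytes, and long mode uses 4-byte operands with 8-byte
	 * addresses; the 0x66/0x67 prefixes handled below toggle these
	 * defaults.
	 */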
	switch (mode) {
	case X86EMUL_MODE_REAL:
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
		def_op_bytes = def_ad_bytes = 2;
		break;
	case X86EMUL_MODE_PROT32:
		def_op_bytes = def_ad_bytes = 4;
		break;
#ifdef CONFIG_X86_64
	case X86EMUL_MODE_PROT64:
		def_op_bytes = 4;
		def_ad_bytes = 8;
		break;
#endif
	default:
		return -1;
	}

	c->op_bytes = def_op_bytes;
	c->ad_bytes = def_ad_bytes;
	/* Legacy prefixes. */
	for (;;) {
		switch (c->b = insn_fetch(u8, 1, c->eip)) {
		case 0x66:	/* operand-size override */
			/* switch between 2/4 bytes */
			c->op_bytes = def_op_bytes ^ 6;
			break;
		case 0x67:	/* address-size override */
			if (mode == X86EMUL_MODE_PROT64)
				/* switch between 4/8 bytes */
				c->ad_bytes = def_ad_bytes ^ 12;
			else
				/* switch between 2/4 bytes */
				c->ad_bytes = def_ad_bytes ^ 6;
			break;
		case 0x26:	/* ES override */
		case 0x2e:	/* CS override */
		case 0x36:	/* SS override */
		case 0x3e:	/* DS override */
			set_seg_override(c, (c->b >> 3) & 3);
			break;
		case 0x64:	/* FS override */
		case 0x65:	/* GS override */
			set_seg_override(c, c->b & 7);
			break;
		case 0x40 ... 0x4f: /* REX */
			if (mode != X86EMUL_MODE_PROT64)
				goto done_prefixes;
			c->rex_prefix = c->b;
			continue;
		case 0xf0:	/* LOCK */
			c->lock_prefix = 1;
			break;
		case 0xf2:	/* REPNE/REPNZ */
			c->rep_prefix = REPNE_PREFIX;
			break;
		case 0xf3:	/* REP/REPE/REPZ */
			c->rep_prefix = REPE_PREFIX;
			break;
		default:
			goto done_prefixes;
		}

		/* Any legacy prefix after a REX prefix nullifies its effect. */

		c->rex_prefix = 0;
	}

done_prefixes:

	/* REX prefix. */
	if (c->rex_prefix & 8)
		c->op_bytes = 8;	/* REX.W */
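
	/*
	 * Illustration (64-bit mode): for "48 89 08" (mov [rax], rcx) the
	 * 0x48 REX.W byte lands in the 0x40...0x4f case above, so op_bytes
	 * becomes 8 here; any legacy prefix after it would have cleared
	 * c->rex_prefix again inside the loop.
	 */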
	/* Opcode byte(s). */
	opcode = opcode_table[c->b];
	if (opcode.flags == 0) {
		/* Two-byte opcode? */
		if (c->b == 0x0f) {
			c->twobyte = 1;
			c->b = insn_fetch(u8, 1, c->eip);
			opcode = twobyte_table[c->b];
		}
	}
	c->d = opcode.flags;

	if (c->d & Group) {
		dual = c->d & GroupDual;
		c->modrm = insn_fetch(u8, 1, c->eip);
		--c->eip;

		if (c->d & GroupDual) {
			g_mod012 = opcode.u.gdual->mod012;
			g_mod3 = opcode.u.gdual->mod3;
		} else
			g_mod012 = g_mod3 = opcode.u.group;

		c->d &= ~(Group | GroupDual);

		goffset = (c->modrm >> 3) & 7;

		if ((c->modrm >> 6) == 3)
			opcode = g_mod3[goffset];
		else
			opcode = g_mod012[goffset];
		c->d |= opcode.flags;
	}
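
	/*
	 * ModRM layout reminder: bits 7:6 = mod, 5:3 = reg (the group index
	 * used above), 2:0 = rm.  E.g. for "ff /5" (jmp far indirect), a
	 * modrm byte of 0x28 gives mod=0, reg=5, rm=0, so goffset selects
	 * group5[5].
	 */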
	c->execute = opcode.u.execute;

	/* Unrecognised? */
	if (c->d == 0 || (c->d & Undefined)) {
		DPRINTF("Cannot emulate %02x\n", c->b);
		return -1;
	}

	if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
		c->op_bytes = 8;

	if (c->d & Op3264) {
		if (mode == X86EMUL_MODE_PROT64)
			c->op_bytes = 8;
		else
			c->op_bytes = 4;
	}

	/* ModRM and SIB bytes. */
	if (c->d & ModRM) {
		rc = decode_modrm(ctxt, ops);
		if (!c->has_seg_override)
			set_seg_override(c, c->modrm_seg);
	} else if (c->d & MemAbs)
		rc = decode_abs(ctxt, ops);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	if (!c->has_seg_override)
		set_seg_override(c, VCPU_SREG_DS);

	/* lea (0x8d) takes the raw effective address, no segment base. */
	if (!(!c->twobyte && c->b == 0x8d))
		c->modrm_ea += seg_override_base(ctxt, ops, c);

	if (c->ad_bytes != 8)
		c->modrm_ea = (u32)c->modrm_ea;

	if (c->rip_relative)
		c->modrm_ea += c->eip;
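
	/*
	 * RIP-relative addressing: decode_modrm() sets c->rip_relative for
	 * mod=0, rm=101 in 64-bit mode, where the disp32 is architecturally
	 * relative to the next instruction; the displacement is biased by
	 * c->eip here.
	 */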
	/*
	 * Decode and fetch the source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & SrcMask) {
	case SrcNone:
		break;
	case SrcReg:
		decode_register_operand(&c->src, c, 0);
		break;
	case SrcMem16:
		c->src.bytes = 2;
		goto srcmem_common;
	case SrcMem32:
		c->src.bytes = 4;
		goto srcmem_common;
	case SrcMem:
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		/* Don't fetch the address for invlpg: it could be unmapped. */
		if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
			break;
	srcmem_common:
		/*
		 * For instructions with a ModR/M byte, switch to register
		 * access if Mod = 3.
		 */
		if ((c->d & ModRM) && c->modrm_mod == 3) {
			c->src.type = OP_REG;
			c->src.val = c->modrm_val;
			c->src.addr.reg = c->modrm_ptr;
			break;
		}
		c->src.type = OP_MEM;
		c->src.addr.mem = c->modrm_ea;
		c->src.val = 0;
		break;
	case SrcImm:
	case SrcImmU:
		c->src.type = OP_IMM;
		c->src.addr.mem = c->eip;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		if (c->src.bytes == 8)
			c->src.bytes = 4;
		/* NB. Immediates are sign-extended as necessary. */
		switch (c->src.bytes) {
		case 1:
			c->src.val = insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->src.val = insn_fetch(s16, 2, c->eip);
			break;
		case 4:
			c->src.val = insn_fetch(s32, 4, c->eip);
			break;
		}
		/* Undo the sign extension for unsigned immediates. */
		if ((c->d & SrcMask) == SrcImmU) {
			switch (c->src.bytes) {
			case 1:
				c->src.val &= 0xff;
				break;
			case 2:
				c->src.val &= 0xffff;
				break;
			case 4:
				c->src.val &= 0xffffffff;
				break;
			}
		}
		break;
	case SrcImmByte:
	case SrcImmUByte:
		c->src.type = OP_IMM;
		c->src.addr.mem = c->eip;
		c->src.bytes = 1;
		if ((c->d & SrcMask) == SrcImmByte)
			c->src.val = insn_fetch(s8, 1, c->eip);
		else
			c->src.val = insn_fetch(u8, 1, c->eip);
		break;
	case SrcAcc:
		c->src.type = OP_REG;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
		fetch_register_operand(&c->src);
		break;
	case SrcOne:
		c->src.bytes = 1;
		c->src.val = 1;
		break;
	case SrcSI:
		c->src.type = OP_MEM;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.addr.mem =
			register_address(c, seg_override_base(ctxt, ops, c),
					 c->regs[VCPU_REGS_RSI]);
		c->src.val = 0;
		break;
	case SrcImmFAddr:
		c->src.type = OP_IMM;
		c->src.addr.mem = c->eip;
		c->src.bytes = c->op_bytes + 2;
		insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
		break;
	case SrcMemFAddr:
		c->src.type = OP_MEM;
		c->src.addr.mem = c->modrm_ea;
		c->src.bytes = c->op_bytes + 2;
		break;
	}
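
	/*
	 * Sign-extension example: "83 c0 ff" (add eax, -1) decodes as
	 * SrcImmByte above, so the 0xff immediate is fetched as an s8 and
	 * widens to 0xffffffff before the ALU sees it.
	 */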
	/*
	 * Decode and fetch the second source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & Src2Mask) {
	case Src2None:
		break;
	case Src2CL:
		c->src2.bytes = 1;
		/* The shift count lives in CL, i.e. the low byte of RCX. */
		c->src2.val = c->regs[VCPU_REGS_RCX] & 0xff;
		break;
	case Src2ImmByte:
		c->src2.type = OP_IMM;
		c->src2.addr.mem = c->eip;
		c->src2.bytes = 1;
		c->src2.val = insn_fetch(u8, 1, c->eip);
		break;
	case Src2One:
		c->src2.bytes = 1;
		c->src2.val = 1;
		break;
	}
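
	/*
	 * Only the three-operand double shifts use src2 so far; e.g.
	 * "0f a4 /r ib" (shld r/m, r, imm8) decodes Src2ImmByte, while
	 * "0f a5 /r" (shld r/m, r, cl) decodes Src2CL.
	 */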
	/* Decode and fetch the destination operand: register or memory. */
	switch (c->d & DstMask) {
	case ImplicitOps:
		/* Special instructions do their own operand decoding. */
		return 0;
	case DstReg:
		decode_register_operand(&c->dst, c,
			 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
		break;
	case DstMem:
	case DstMem64:
		if ((c->d & ModRM) && c->modrm_mod == 3) {
			c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
			c->dst.type = OP_REG;
			c->dst.val = c->dst.orig_val = c->modrm_val;
			c->dst.addr.reg = c->modrm_ptr;
			break;
		}
		c->dst.type = OP_MEM;
		c->dst.addr.mem = c->modrm_ea;
		if ((c->d & DstMask) == DstMem64)
			c->dst.bytes = 8;
		else
			c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.val = 0;
		if (c->d & BitOp) {
			unsigned long mask = ~(c->dst.bytes * 8 - 1);

			c->dst.addr.mem = c->dst.addr.mem +
					  (c->src.val & mask) / 8;
		}
		break;
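	/*
	 * BitOp example: "bt [mem], eax" with eax = 35 and 4-byte operands
	 * gives mask = ~31 above; the address is advanced by
	 * (35 & ~31) / 8 = 4 bytes, and the ALU later tests
	 * bit 35 % 32 = 3 of that dword.
	 */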
	case DstAcc:
		c->dst.type = OP_REG;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
		fetch_register_operand(&c->dst);
		c->dst.orig_val = c->dst.val;
		break;
	case DstDI:
		c->dst.type = OP_MEM;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.addr.mem =
			register_address(c, es_base(ctxt, ops),
					 c->regs[VCPU_REGS_RDI]);
		c->dst.val = 0;
		break;
	}

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}
int
x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	u64 msr_data;
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int saved_dst_type = c->dst.type;

	ctxt->decode.mem_read.pos = 0;

	if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
		emulate_ud(ctxt);
		goto done;
	}
	/* LOCK prefix is allowed only with some instructions */
	if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
		emulate_ud(ctxt);
		goto done;
	}

	/* Privileged instructions can be executed only at CPL=0 */
	if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		goto done;
	}

	if (c->rep_prefix && (c->d & String)) {
		ctxt->restart = true;
		/* All REP prefixes have the same first termination condition */
		if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
		string_done:
			ctxt->restart = false;
			ctxt->eip = c->eip;
			goto done;
		}
		/*
		 * The second termination condition applies only to REPE and
		 * REPNE.  If the prefix is REPE/REPZ or REPNE/REPNZ, test
		 * the corresponding termination condition:
		 * - if REPE/REPZ and ZF = 0 then done
		 * - if REPNE/REPNZ and ZF = 1 then done
		 */
		if ((c->b == 0xa6) || (c->b == 0xa7) ||
		    (c->b == 0xae) || (c->b == 0xaf)) {
			if ((c->rep_prefix == REPE_PREFIX) &&
			    ((ctxt->eflags & EFLG_ZF) == 0))
				goto string_done;
			if ((c->rep_prefix == REPNE_PREFIX) &&
			    ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
				goto string_done;
		}
		c->eip = ctxt->eip;
	}
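
	/*
	 * E.g. "f3 a6" (repe cmpsb) re-enters here once per iteration and
	 * stops either when RCX (masked to the address size) reaches 0 or
	 * as soon as a byte compare clears ZF.
	 */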
	if (c->src.type == OP_MEM) {
		rc = read_emulated(ctxt, ops, c->src.addr.mem,
				   c->src.valptr, c->src.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		c->src.orig_val64 = c->src.val64;
	}

	if (c->src2.type == OP_MEM) {
		rc = read_emulated(ctxt, ops, c->src2.addr.mem,
				   &c->src2.val, c->src2.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	if ((c->d & DstMask) == ImplicitOps)
		goto special_insn;

	if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
		/* optimisation - avoid slow emulated read if Mov */
		rc = read_emulated(ctxt, ops, c->dst.addr.mem,
				   &c->dst.val, c->dst.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}
	c->dst.orig_val = c->dst.val;

special_insn:

	if (c->execute) {
		rc = c->execute(ctxt);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		goto writeback;
	}

	if (c->twobyte)
		goto twobyte_insn;
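
	/*
	 * Opcodes that already have an ->execute callback return through the
	 * fast path above; everything else falls into the big one-byte
	 * opcode switch below, and two-byte (0x0f-prefixed) opcodes jump
	 * past it to twobyte_insn.
	 */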
	switch (c->b) {
	case 0x00 ... 0x05:
	add:		/* add */
		emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
		break;
	case 0x06:		/* push es */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
		break;
	case 0x07:		/* pop es */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x08 ... 0x0d:
	or:		/* or */
		emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
		break;
	case 0x0e:		/* push cs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
		break;
	case 0x10 ... 0x15:
	adc:		/* adc */
		emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
		break;
	case 0x16:		/* push ss */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
		break;
	case 0x17:		/* pop ss */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x18 ... 0x1d:
	sbb:		/* sbb */
		emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
		break;
	case 0x1e:		/* push ds */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
		break;
	case 0x1f:		/* pop ds */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x20 ... 0x25:
	and:		/* and */
		emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
		break;
	case 0x28 ... 0x2d:
	sub:		/* sub */
		emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
		break;
	case 0x30 ... 0x35:
	xor:		/* xor */
		emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
		break;
	case 0x38 ... 0x3d:
	cmp:		/* cmp */
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
		break;
	case 0x40 ... 0x47: /* inc r16/r32 */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 0x48 ... 0x4f: /* dec r16/r32 */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 0x58 ... 0x5f: /* pop reg */
	pop_instruction:
		rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x60:	/* pusha */
		rc = emulate_pusha(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x61:	/* popa */
		rc = emulate_popa(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x63:		/* movsxd */
		if (ctxt->mode != X86EMUL_MODE_PROT64)
			goto cannot_emulate;
		c->dst.val = (s32) c->src.val;
		break;
	case 0x6c:		/* insb */
	case 0x6d:		/* insw/insd */
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
					  c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
				     c->regs[VCPU_REGS_RDX], &c->dst.val))
			goto done; /* IO is needed, skip writeback */
		break;
	case 0x6e:		/* outsb */
	case 0x6f:		/* outsw/outsd */
		c->src.bytes = min(c->src.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
					  c->src.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
				      &c->src.val, 1, ctxt->vcpu);

		c->dst.type = OP_NONE; /* nothing to writeback */
		break;
	case 0x70 ... 0x7f: /* jcc (short) */
		if (test_cc(c->b, ctxt->eflags))
			jmp_rel(c, c->src.val);
		break;
	case 0x80 ... 0x83:	/* Grp1 */
		switch (c->modrm_reg) {
		case 0:
			goto add;
		case 1:
			goto or;
		case 2:
			goto adc;
		case 3:
			goto sbb;
		case 4:
			goto and;
		case 5:
			goto sub;
		case 6:
			goto xor;
		case 7:
			goto cmp;
		}
		break;
	case 0x84 ... 0x85:
	test:
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 0x86 ... 0x87:	/* xchg */
	xchg:
		/* Write back the register source. */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *) c->src.addr.reg = (u8) c->dst.val;
			break;
		case 2:
			*(u16 *) c->src.addr.reg = (u16) c->dst.val;
			break;
		case 4:
			*c->src.addr.reg = (u32) c->dst.val;
			break;	/* 64b reg: zero-extend */
		case 8:
			*c->src.addr.reg = c->dst.val;
			break;
		}
		/*
		 * Write back the memory destination with implicit LOCK
		 * prefix.
		 */
		c->dst.val = c->src.val;
		c->lock_prefix = 1;
		break;
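
	/*
	 * Forcing lock_prefix for xchg mirrors the hardware rule that xchg
	 * with a memory operand is always atomic, lock prefix or not.
	 */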
	case 0x88 ... 0x8b:	/* mov */
		goto mov;
	case 0x8c:  /* mov r/m, sreg */
		if (c->modrm_reg > VCPU_SREG_GS) {
			emulate_ud(ctxt);
			goto done;
		}
		c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
		break;
	case 0x8d: /* lea r16/r32, m */
		c->dst.val = c->modrm_ea;
		break;
	case 0x8e: { /* mov seg, r/m16 */
		uint16_t sel;

		sel = c->src.val;

		if (c->modrm_reg == VCPU_SREG_CS ||
		    c->modrm_reg > VCPU_SREG_GS) {
			emulate_ud(ctxt);
			goto done;
		}

		if (c->modrm_reg == VCPU_SREG_SS)
			ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;

		rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);

		c->dst.type = OP_NONE;  /* Disable writeback. */
		break;
	}
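
	/*
	 * The KVM_X86_SHADOW_INT_MOV_SS window set above suppresses
	 * interrupts until the instruction after "mov ss" retires, matching
	 * the real CPU so a following stack-pointer load cannot be split by
	 * an interrupt.
	 */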
	case 0x8f:		/* pop (sole member of Grp1a) */
		rc = emulate_grp1a(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x90 ... 0x97: /* nop / xchg reg, rax */
		if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
			break;
		goto xchg;
	case 0x9c: /* pushf */
		c->src.val = (unsigned long) ctxt->eflags;
		emulate_push(ctxt, ops);
		break;
	case 0x9d: /* popf */
		c->dst.type = OP_REG;
		c->dst.addr.reg = &ctxt->eflags;
		c->dst.bytes = c->op_bytes;
		rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xa0 ... 0xa3:	/* mov */
	case 0xa4 ... 0xa5:	/* movs */
		goto mov;
	case 0xa6 ... 0xa7:	/* cmps */
		c->dst.type = OP_NONE; /* Disable writeback. */
		DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
		goto cmp;
	case 0xa8 ... 0xa9:	/* test ax, imm */
		goto test;
	case 0xaa ... 0xab:	/* stos */
		c->dst.val = c->regs[VCPU_REGS_RAX];
		break;
	case 0xac ... 0xad:	/* lods */
		goto mov;
	case 0xae ... 0xaf:	/* scas */
		DPRINTF("Urk! I don't handle SCAS.\n");
		goto cannot_emulate;
	case 0xb0 ... 0xbf: /* mov r, imm */
		goto mov;
	case 0xc0 ... 0xc1:	/* Grp2 */
		emulate_grp2(ctxt);
		break;
	case 0xc3: /* ret */
		c->dst.type = OP_REG;
		c->dst.addr.reg = &c->eip;
		c->dst.bytes = c->op_bytes;
		goto pop_instruction;
	case 0xc6 ... 0xc7:	/* mov (sole member of Grp11) */
	mov:
		c->dst.val = c->src.val;
		break;
	case 0xcb:		/* ret far */
		rc = emulate_ret_far(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xcf:		/* iret */
		rc = emulate_iret(ctxt, ops);

		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xd0 ... 0xd1:	/* Grp2 */
		c->src.val = 1;
		emulate_grp2(ctxt);
		break;
	case 0xd2 ... 0xd3:	/* Grp2 */
		c->src.val = c->regs[VCPU_REGS_RCX];
		emulate_grp2(ctxt);
		break;
	case 0xe4: 	/* inb */
	case 0xe5: 	/* in */
		goto do_io_in;
	case 0xe6: /* outb */
	case 0xe7: /* out */
		goto do_io_out;
	case 0xe8: /* call (near) */ {
		long int rel = c->src.val;
		c->src.val = (unsigned long) c->eip;
		jmp_rel(c, rel);
		emulate_push(ctxt, ops);
		break;
	}
	case 0xe9: /* jmp rel */
		goto jmp;
	case 0xea: { /* jmp far */
		unsigned short sel;
	jump_far:
		memcpy(&sel, c->src.valptr + c->op_bytes, 2);

		if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
			goto done;

		c->eip = 0;
		memcpy(&c->eip, c->src.valptr, c->op_bytes);
		break;
	}
	case 0xeb:
	jmp:		/* jmp rel short */
		jmp_rel(c, c->src.val);
		c->dst.type = OP_NONE; /* Disable writeback. */
		break;
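
	/*
	 * Far-pointer layout: SrcImmFAddr fetched op_bytes of offset
	 * followed by a 2-byte selector, which is why the selector is read
	 * at c->src.valptr + c->op_bytes in the jmp-far case above.
	 */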
	case 0xec: /* in al,dx */
	case 0xed: /* in (e/r)ax,dx */
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_in:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
				     &c->dst.val))
			goto done; /* IO is needed */
		break;
	case 0xee: /* out dx,al */
	case 0xef: /* out dx,(e/r)ax */
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_out:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
				      ctxt->vcpu);
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xf4:              /* hlt */
		ctxt->vcpu->arch.halt_request = 1;
		break;
	case 0xf5:	/* cmc */
		/* complement carry flag from eflags reg */
		ctxt->eflags ^= EFLG_CF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xf6 ... 0xf7:	/* Grp3 */
		if (!emulate_grp3(ctxt, ops))
			goto cannot_emulate;
		break;
	case 0xf8: /* clc */
		ctxt->eflags &= ~EFLG_CF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfa: /* cli */
		if (emulator_bad_iopl(ctxt, ops)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			ctxt->eflags &= ~X86_EFLAGS_IF;
			c->dst.type = OP_NONE;	/* Disable writeback. */
		}
		break;
	case 0xfb: /* sti */
		if (emulator_bad_iopl(ctxt, ops)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
			ctxt->eflags |= X86_EFLAGS_IF;
			c->dst.type = OP_NONE;	/* Disable writeback. */
		}
		break;
	case 0xfc: /* cld */
		ctxt->eflags &= ~EFLG_DF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfd: /* std */
		ctxt->eflags |= EFLG_DF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfe: /* Grp4 */
	grp45:
		rc = emulate_grp45(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xff: /* Grp5 */
		if (c->modrm_reg == 5)
			goto jump_far;
		goto grp45;
	default:
		goto cannot_emulate;
	}
writeback:
	rc = writeback(ctxt, ops);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/*
	 * Restore dst type in case the decoding will be reused
	 * (happens for string instructions).
	 */
	c->dst.type = saved_dst_type;

	if ((c->d & SrcMask) == SrcSI)
		string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
				VCPU_REGS_RSI, &c->src);

	if ((c->d & DstMask) == DstDI)
		string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
				&c->dst);

	if (c->rep_prefix && (c->d & String)) {
		struct read_cache *rc = &ctxt->decode.io_read;
		register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
		/*
		 * Re-enter the guest when the pio read-ahead buffer is
		 * empty or, if it is not used, after every 1024 iterations.
		 */
		if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
		    (rc->end != 0 && rc->end == rc->pos))
			ctxt->restart = false;
	}
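
	/*
	 * Batching note: without read-ahead, RCX & 0x3ff reaches 0 once
	 * every 1024 iterations, so a long rep string operation
	 * periodically drops back into the guest instead of spinning in
	 * the emulator until RCX is exhausted.
	 */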
	/*
	 * Reset the read cache here in case the string instruction is
	 * restarted without decoding.
	 */
	ctxt->decode.mem_read.end = 0;
	ctxt->eip = c->eip;

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
twobyte_insn:
	switch (c->b) {
	case 0x01: /* lgdt, lidt, lmsw */
		switch (c->modrm_reg) {
			u16 size;
			unsigned long address;

		case 0: /* vmcall */
			if (c->modrm_mod != 3 || c->modrm_rm != 1)
				goto cannot_emulate;

			rc = kvm_fix_hypercall(ctxt->vcpu);
			if (rc != X86EMUL_CONTINUE)
				goto done;

			/* Let the processor re-execute the fixed hypercall */
			c->eip = ctxt->eip;
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 2: /* lgdt */
			rc = read_descriptor(ctxt, ops, c->src.addr.mem,
					     &size, &address, c->op_bytes);
			if (rc != X86EMUL_CONTINUE)
				goto done;
			realmode_lgdt(ctxt->vcpu, size, address);
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 3: /* lidt/vmmcall */
			if (c->modrm_mod == 3) {
				switch (c->modrm_rm) {
				case 1:
					rc = kvm_fix_hypercall(ctxt->vcpu);
					if (rc != X86EMUL_CONTINUE)
						goto done;
					break;
				default:
					goto cannot_emulate;
				}
			} else {
				rc = read_descriptor(ctxt, ops, c->src.addr.mem,
						     &size, &address,
						     c->op_bytes);
				if (rc != X86EMUL_CONTINUE)
					goto done;
				realmode_lidt(ctxt->vcpu, size, address);
			}
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 4: /* smsw */
			c->dst.bytes = 2;
			c->dst.val = ops->get_cr(0, ctxt->vcpu);
			break;
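		/*
		 * lmsw may set but never clear CR0.PE and only writes the
		 * low machine-status bits: the ~0x0e mask below preserves
		 * PE (bit 0) while replacing MP/EM/TS (bits 1-3).
		 */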
		case 6: /* lmsw */
			ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
				    (c->src.val & 0x0f), ctxt->vcpu);
			c->dst.type = OP_NONE;
			break;
		case 5: /* not defined */
			emulate_ud(ctxt);
			goto done;
		case 7: /* invlpg */
			emulate_invlpg(ctxt->vcpu, c->modrm_ea);
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		default:
			goto cannot_emulate;
		}
		break;
	case 0x05: 	/* syscall */
		rc = emulate_syscall(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x06:		/* clts */
		emulate_clts(ctxt->vcpu);
		c->dst.type = OP_NONE;
		break;
	case 0x09:		/* wbinvd */
		kvm_emulate_wbinvd(ctxt->vcpu);
		c->dst.type = OP_NONE;
		break;
	case 0x08:		/* invd */
	case 0x0d:		/* GrpP (prefetch) */
	case 0x18:		/* Grp16 (prefetch/nop) */
		c->dst.type = OP_NONE;
		break;
	case 0x20: /* mov cr, reg */
		switch (c->modrm_reg) {
		case 1:
		case 5 ... 7:
		case 9 ... 15:
			emulate_ud(ctxt);
			goto done;
		}
		c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
		break;
	case 0x21: /* mov from dr to reg */
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
			emulate_ud(ctxt);
			goto done;
		}
		ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
		break;
	case 0x22: /* mov reg, cr */
		if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		c->dst.type = OP_NONE;
		break;
	case 0x23: /* mov from reg to dr */
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
			emulate_ud(ctxt);
			goto done;
		}

		if (ops->set_dr(c->modrm_reg, c->src.val &
				((ctxt->mode == X86EMUL_MODE_PROT64) ?
				 ~0ULL : ~0U), ctxt->vcpu) < 0) {
			/* #UD condition is already handled by the code above */
			emulate_gp(ctxt, 0);
			goto done;
		}

		c->dst.type = OP_NONE;	/* no writeback */
		break;
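
	/*
	 * DR4/DR5 alias DR6/DR7 only while CR4.DE is clear; with CR4.DE set
	 * they raise #UD instead, which is what the CR4 checks in the two
	 * mov-dr cases above implement.
	 */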
	case 0x30:
		/* wrmsr */
		msr_data = (u32)c->regs[VCPU_REGS_RAX]
			| ((u64)c->regs[VCPU_REGS_RDX] << 32);
		if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		rc = X86EMUL_CONTINUE;
		c->dst.type = OP_NONE;
		break;
	case 0x32:
		/* rdmsr */
		if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			c->regs[VCPU_REGS_RAX] = (u32)msr_data;
			c->regs[VCPU_REGS_RDX] = msr_data >> 32;
		}
		rc = X86EMUL_CONTINUE;
		c->dst.type = OP_NONE;
		break;
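
	/*
	 * MSR convention: ECX selects the MSR and the 64-bit value is split
	 * as EDX:EAX; e.g. rdmsr of 0xC0000080 (EFER) returns the low 32
	 * bits in EAX and the high 32 bits in EDX.
	 */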
	case 0x34:		/* sysenter */
		rc = emulate_sysenter(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x35:		/* sysexit */
		rc = emulate_sysexit(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x40 ... 0x4f:	/* cmov */
		c->dst.val = c->dst.orig_val = c->src.val;
		if (!test_cc(c->b, ctxt->eflags))
			c->dst.type = OP_NONE; /* no writeback */
		break;
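
	/*
	 * cmov is decoded unconditionally; the move becomes conditional by
	 * cancelling the writeback when test_cc() fails.
	 */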
	case 0x80 ... 0x8f: /* jcc rel (long), e.g. jnz */
		if (test_cc(c->b, ctxt->eflags))
			jmp_rel(c, c->src.val);
		c->dst.type = OP_NONE;
		break;
	case 0xa0:	  /* push fs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
		break;
	case 0xa1:	 /* pop fs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xa3:
	bt:		/* bt */
		c->dst.type = OP_NONE;
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
		break;
	case 0xa4: /* shld imm8, r, r/m */
	case 0xa5: /* shld cl, r, r/m */
		emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
		break;
	case 0xa8:	/* push gs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
		break;
	case 0xa9:	/* pop gs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xab:
	bts:		/* bts */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
		break;
	case 0xac: /* shrd imm8, r, r/m */
	case 0xad: /* shrd cl, r, r/m */
		emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
		break;
	case 0xae:		/* clflush */
		break;
	case 0xb0 ... 0xb1:	/* cmpxchg */
		/*
		 * Save real source value, then compare EAX against
		 * destination.
		 */
		c->src.orig_val = c->src.val;
		c->src.val = c->regs[VCPU_REGS_RAX];
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
		if (ctxt->eflags & EFLG_ZF) {
			/* Success: write back to memory. */
			c->dst.val = c->src.orig_val;
		} else {
			/* Failure: write the value we saw to EAX. */
			c->dst.type = OP_REG;
			c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
		}
		break;
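
	/*
	 * cmpxchg recap: "lock cmpxchg [mem], ebx" compares EAX with [mem];
	 * on ZF=1 the EBX source lands in memory, on ZF=0 the old memory
	 * value is redirected into EAX via the OP_REG destination above.
	 */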
	case 0xb3:
	btr:		/* btr */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
		break;
	case 0xb6 ... 0xb7:	/* movzx */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
					     : (u16) c->src.val;
		break;
	case 0xba:		/* Grp8 */
		switch (c->modrm_reg & 3) {
		case 0:
			goto bt;
		case 1:
			goto bts;
		case 2:
			goto btr;
		case 3:
			goto btc;
		}
		break;
	case 0xbb:
	btc:		/* btc */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
		break;
	case 0xbe ... 0xbf:	/* movsx */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (s8) c->src.val
					     : (s16) c->src.val;
		break;
	case 0xc3:		/* movnti */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val
						: (u64) c->src.val;
		break;
	case 0xc7:		/* Grp9 (cmpxchg8b) */
		rc = emulate_grp9(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	default:
		goto cannot_emulate;
	}
	goto writeback;

cannot_emulate:
	DPRINTF("Cannot emulate %02x\n", c->b);
	return -1;
}