1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<16) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<17) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<17) /* Register operand. */
53 #define DstMem (3<<17) /* Memory operand. */
54 #define DstAcc (4<<17) /* Destination Accumulator */
55 #define DstDI (5<<17) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<17) /* 64bit memory operand */
57 #define DstMask (7<<17)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
77 /* Destination is only written; never read. */
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
85 #define GroupMask 0x0f /* Group number stored in bits 0:3 */
87 #define Undefined (1<<25) /* No Such Instruction */
88 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
89 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
91 /* Source 2 operand type */
92 #define Src2None (0<<29)
93 #define Src2CL (1<<29)
94 #define Src2ImmByte (2<<29)
95 #define Src2One (3<<29)
96 #define Src2Mask (7<<29)
99 #define X3(x) X2(x), x
100 #define X4(x) X2(x), X2(x)
101 #define X5(x) X4(x), x
102 #define X6(x) X4(x), X2(x)
103 #define X7(x) X4(x), X3(x)
104 #define X8(x) X4(x), X4(x)
105 #define X16(x) X8(x), X8(x)
108 NoGrp, Group5, Group7, Group8, Group9,
114 struct opcode *group;
115 struct group_dual *gdual;
120 struct opcode mod012[8];
121 struct opcode mod3[8];
124 #define D(_y) { .flags = (_y) }
126 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
127 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
129 static struct opcode group1[] = {
133 static struct opcode group1A[] = {
134 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
137 static struct opcode group3[] = {
138 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
139 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
143 static struct opcode group4[] = {
144 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
148 static struct opcode group_table[] = {
150 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
151 D(SrcMem | ModRM | Stack), N,
152 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
153 D(SrcMem | ModRM | Stack), N,
155 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
156 D(SrcNone | ModRM | DstMem | Mov), N,
157 D(SrcMem16 | ModRM | Mov | Priv), D(SrcMem | ModRM | ByteOp | Priv),
160 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
161 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
163 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
166 static struct opcode group2_table[] = {
168 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
169 D(SrcNone | ModRM | DstMem | Mov), N,
170 D(SrcMem16 | ModRM | Mov | Priv), N,
172 N, N, N, N, N, N, N, N,
175 static struct opcode opcode_table[256] = {
177 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
178 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
179 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
180 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
182 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
183 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
184 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
185 D(ImplicitOps | Stack | No64), N,
187 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
188 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
189 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
190 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
192 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
193 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
194 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
195 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
197 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
198 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
199 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
201 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
202 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
203 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
205 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
206 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
207 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
209 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
210 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
211 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
216 X8(D(SrcReg | Stack)),
218 X8(D(DstReg | Stack)),
220 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
221 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
224 D(SrcImm | Mov | Stack), N, D(SrcImmByte | Mov | Stack), N,
225 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
226 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
230 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
231 G(DstMem | SrcImm | ModRM | Group, group1),
232 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
233 G(DstMem | SrcImmByte | ModRM | Group, group1),
234 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
235 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
237 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
238 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
239 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | DstReg),
240 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
242 D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg),
244 N, N, D(SrcImmFAddr | No64), N,
245 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
247 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
248 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
249 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
250 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
252 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
253 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
254 D(ByteOp | DstDI | String), D(DstDI | String),
256 X8(D(ByteOp | DstReg | SrcImm | Mov)),
258 X8(D(DstReg | SrcImm | Mov)),
260 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
261 N, D(ImplicitOps | Stack), N, N,
262 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
264 N, N, N, D(ImplicitOps | Stack),
265 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
267 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
268 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
271 N, N, N, N, N, N, N, N,
274 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
275 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
277 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
278 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
279 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
280 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
283 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
285 D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
286 D(ImplicitOps), D(ImplicitOps), G(0, group4), D(Group | Group5),
289 static struct opcode twobyte_table[256] = {
291 N, D(Group | GroupDual | Group7), N, N,
292 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
293 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
294 N, D(ImplicitOps | ModRM), N, N,
296 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
298 D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
299 D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
301 N, N, N, N, N, N, N, N,
303 D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
304 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
305 N, N, N, N, N, N, N, N,
307 X16(D(DstReg | SrcMem | ModRM | Mov)),
309 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
311 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
313 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
317 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
319 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
320 N, D(DstMem | SrcReg | ModRM | BitOp),
321 D(DstMem | SrcReg | Src2ImmByte | ModRM),
322 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
324 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
325 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
326 D(DstMem | SrcReg | Src2ImmByte | ModRM),
327 D(DstMem | SrcReg | Src2CL | ModRM),
330 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
331 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
332 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
333 D(DstReg | SrcMem16 | ModRM | Mov),
336 D(Group | Group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
337 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
338 D(DstReg | SrcMem16 | ModRM | Mov),
340 N, N, N, D(DstMem | SrcReg | ModRM | Mov),
341 N, N, N, D(Group | GroupDual | Group9),
342 N, N, N, N, N, N, N, N,
344 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
346 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
348 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
356 /* EFLAGS bit definitions. */
357 #define EFLG_ID (1<<21)
358 #define EFLG_VIP (1<<20)
359 #define EFLG_VIF (1<<19)
360 #define EFLG_AC (1<<18)
361 #define EFLG_VM (1<<17)
362 #define EFLG_RF (1<<16)
363 #define EFLG_IOPL (3<<12)
364 #define EFLG_NT (1<<14)
365 #define EFLG_OF (1<<11)
366 #define EFLG_DF (1<<10)
367 #define EFLG_IF (1<<9)
368 #define EFLG_TF (1<<8)
369 #define EFLG_SF (1<<7)
370 #define EFLG_ZF (1<<6)
371 #define EFLG_AF (1<<4)
372 #define EFLG_PF (1<<2)
373 #define EFLG_CF (1<<0)
375 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
376 #define EFLG_RESERVED_ONE_MASK 2
379 * Instruction emulation:
380 * Most instructions are emulated directly via a fragment of inline assembly
381 * code. This allows us to save/restore EFLAGS and thus very easily pick up
382 * any modified flags.
385 #if defined(CONFIG_X86_64)
386 #define _LO32 "k" /* force 32-bit operand */
387 #define _STK "%%rsp" /* stack pointer */
388 #elif defined(__i386__)
389 #define _LO32 "" /* force 32-bit operand */
390 #define _STK "%%esp" /* stack pointer */
394 * These EFLAGS bits are restored from saved value during emulation, and
395 * any changes are written back to the saved value after emulation.
397 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
399 /* Before executing instruction: restore necessary bits in EFLAGS. */
400 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
401 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
402 "movl %"_sav",%"_LO32 _tmp"; " \
405 "movl %"_msk",%"_LO32 _tmp"; " \
406 "andl %"_LO32 _tmp",("_STK"); " \
408 "notl %"_LO32 _tmp"; " \
409 "andl %"_LO32 _tmp",("_STK"); " \
410 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
412 "orl %"_LO32 _tmp",("_STK"); " \
416 /* After executing instruction: write-back necessary bits in EFLAGS. */
417 #define _POST_EFLAGS(_sav, _msk, _tmp) \
418 /* _sav |= EFLAGS & _msk; */ \
421 "andl %"_msk",%"_LO32 _tmp"; " \
422 "orl %"_LO32 _tmp",%"_sav"; "
430 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
432 __asm__ __volatile__ ( \
433 _PRE_EFLAGS("0", "4", "2") \
434 _op _suffix " %"_x"3,%1; " \
435 _POST_EFLAGS("0", "4", "2") \
436 : "=m" (_eflags), "=m" ((_dst).val), \
438 : _y ((_src).val), "i" (EFLAGS_MASK)); \
442 /* Raw emulation: instruction has two explicit operands. */
443 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
445 unsigned long _tmp; \
447 switch ((_dst).bytes) { \
449 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
452 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
455 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
460 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
462 unsigned long _tmp; \
463 switch ((_dst).bytes) { \
465 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
468 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
469 _wx, _wy, _lx, _ly, _qx, _qy); \
474 /* Source operand is byte-sized and may be restricted to just %cl. */
475 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
476 __emulate_2op(_op, _src, _dst, _eflags, \
477 "b", "c", "b", "c", "b", "c", "b", "c")
479 /* Source operand is byte, word, long or quad sized. */
480 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
481 __emulate_2op(_op, _src, _dst, _eflags, \
482 "b", "q", "w", "r", _LO32, "r", "", "r")
484 /* Source operand is word, long or quad sized. */
485 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
486 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
487 "w", "r", _LO32, "r", "", "r")
489 /* Instruction has three operands and one operand is stored in ECX register */
490 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
492 unsigned long _tmp; \
493 _type _clv = (_cl).val; \
494 _type _srcv = (_src).val; \
495 _type _dstv = (_dst).val; \
497 __asm__ __volatile__ ( \
498 _PRE_EFLAGS("0", "5", "2") \
499 _op _suffix " %4,%1 \n" \
500 _POST_EFLAGS("0", "5", "2") \
501 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
502 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
505 (_cl).val = (unsigned long) _clv; \
506 (_src).val = (unsigned long) _srcv; \
507 (_dst).val = (unsigned long) _dstv; \
510 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
512 switch ((_dst).bytes) { \
514 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
515 "w", unsigned short); \
518 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
519 "l", unsigned int); \
522 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
523 "q", unsigned long)); \
528 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
530 unsigned long _tmp; \
532 __asm__ __volatile__ ( \
533 _PRE_EFLAGS("0", "3", "2") \
534 _op _suffix " %1; " \
535 _POST_EFLAGS("0", "3", "2") \
536 : "=m" (_eflags), "+m" ((_dst).val), \
538 : "i" (EFLAGS_MASK)); \
541 /* Instruction has only one explicit operand (no source operand). */
542 #define emulate_1op(_op, _dst, _eflags) \
544 switch ((_dst).bytes) { \
545 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
546 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
547 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
548 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
552 /* Fetch next part of the instruction being emulated. */
553 #define insn_fetch(_type, _size, _eip) \
554 ({ unsigned long _x; \
555 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
556 if (rc != X86EMUL_CONTINUE) \
562 #define insn_fetch_arr(_arr, _size, _eip) \
563 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
564 if (rc != X86EMUL_CONTINUE) \
569 static inline unsigned long ad_mask(struct decode_cache *c)
571 return (1UL << (c->ad_bytes << 3)) - 1;
574 /* Access/update address held in a register, based on addressing mode. */
575 static inline unsigned long
576 address_mask(struct decode_cache *c, unsigned long reg)
578 if (c->ad_bytes == sizeof(unsigned long))
581 return reg & ad_mask(c);
584 static inline unsigned long
585 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
587 return base + address_mask(c, reg);
591 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
593 if (c->ad_bytes == sizeof(unsigned long))
596 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
599 static inline void jmp_rel(struct decode_cache *c, int rel)
601 register_address_increment(c, &c->eip, rel);
604 static void set_seg_override(struct decode_cache *c, int seg)
606 c->has_seg_override = true;
607 c->seg_override = seg;
610 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
611 struct x86_emulate_ops *ops, int seg)
613 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
616 return ops->get_cached_segment_base(seg, ctxt->vcpu);
619 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
620 struct x86_emulate_ops *ops,
621 struct decode_cache *c)
623 if (!c->has_seg_override)
626 return seg_base(ctxt, ops, c->seg_override);
629 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
630 struct x86_emulate_ops *ops)
632 return seg_base(ctxt, ops, VCPU_SREG_ES);
635 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
636 struct x86_emulate_ops *ops)
638 return seg_base(ctxt, ops, VCPU_SREG_SS);
641 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
642 u32 error, bool valid)
644 ctxt->exception = vec;
645 ctxt->error_code = error;
646 ctxt->error_code_valid = valid;
647 ctxt->restart = false;
650 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
652 emulate_exception(ctxt, GP_VECTOR, err, true);
655 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
659 emulate_exception(ctxt, PF_VECTOR, err, true);
662 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
664 emulate_exception(ctxt, UD_VECTOR, 0, false);
667 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
669 emulate_exception(ctxt, TS_VECTOR, err, true);
672 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
673 struct x86_emulate_ops *ops,
674 unsigned long eip, u8 *dest)
676 struct fetch_cache *fc = &ctxt->decode.fetch;
680 if (eip == fc->end) {
681 cur_size = fc->end - fc->start;
682 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
683 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
684 size, ctxt->vcpu, NULL);
685 if (rc != X86EMUL_CONTINUE)
689 *dest = fc->data[eip - fc->start];
690 return X86EMUL_CONTINUE;
693 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
694 struct x86_emulate_ops *ops,
695 unsigned long eip, void *dest, unsigned size)
699 /* x86 instructions are limited to 15 bytes. */
700 if (eip + size - ctxt->eip > 15)
701 return X86EMUL_UNHANDLEABLE;
703 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
704 if (rc != X86EMUL_CONTINUE)
707 return X86EMUL_CONTINUE;
711 * Given the 'reg' portion of a ModRM byte, and a register block, return a
712 * pointer into the block that addresses the relevant register.
713 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
715 static void *decode_register(u8 modrm_reg, unsigned long *regs,
720 p = ®s[modrm_reg];
721 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
722 p = (unsigned char *)®s[modrm_reg & 3] + 1;
726 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
727 struct x86_emulate_ops *ops,
729 u16 *size, unsigned long *address, int op_bytes)
736 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
738 if (rc != X86EMUL_CONTINUE)
740 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
745 static int test_cc(unsigned int condition, unsigned int flags)
749 switch ((condition & 15) >> 1) {
751 rc |= (flags & EFLG_OF);
753 case 1: /* b/c/nae */
754 rc |= (flags & EFLG_CF);
757 rc |= (flags & EFLG_ZF);
760 rc |= (flags & (EFLG_CF|EFLG_ZF));
763 rc |= (flags & EFLG_SF);
766 rc |= (flags & EFLG_PF);
769 rc |= (flags & EFLG_ZF);
772 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
776 /* Odd condition identifiers (lsb == 1) have inverted sense. */
777 return (!!rc ^ (condition & 1));
780 static void decode_register_operand(struct operand *op,
781 struct decode_cache *c,
784 unsigned reg = c->modrm_reg;
785 int highbyte_regs = c->rex_prefix == 0;
788 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
790 if ((c->d & ByteOp) && !inhibit_bytereg) {
791 op->ptr = decode_register(reg, c->regs, highbyte_regs);
792 op->val = *(u8 *)op->ptr;
795 op->ptr = decode_register(reg, c->regs, 0);
796 op->bytes = c->op_bytes;
799 op->val = *(u16 *)op->ptr;
802 op->val = *(u32 *)op->ptr;
805 op->val = *(u64 *) op->ptr;
809 op->orig_val = op->val;
812 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
813 struct x86_emulate_ops *ops)
815 struct decode_cache *c = &ctxt->decode;
817 int index_reg = 0, base_reg = 0, scale;
818 int rc = X86EMUL_CONTINUE;
821 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
822 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
823 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
826 c->modrm = insn_fetch(u8, 1, c->eip);
827 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
828 c->modrm_reg |= (c->modrm & 0x38) >> 3;
829 c->modrm_rm |= (c->modrm & 0x07);
833 if (c->modrm_mod == 3) {
834 c->modrm_ptr = decode_register(c->modrm_rm,
835 c->regs, c->d & ByteOp);
836 c->modrm_val = *(unsigned long *)c->modrm_ptr;
840 if (c->ad_bytes == 2) {
841 unsigned bx = c->regs[VCPU_REGS_RBX];
842 unsigned bp = c->regs[VCPU_REGS_RBP];
843 unsigned si = c->regs[VCPU_REGS_RSI];
844 unsigned di = c->regs[VCPU_REGS_RDI];
846 /* 16-bit ModR/M decode. */
847 switch (c->modrm_mod) {
849 if (c->modrm_rm == 6)
850 c->modrm_ea += insn_fetch(u16, 2, c->eip);
853 c->modrm_ea += insn_fetch(s8, 1, c->eip);
856 c->modrm_ea += insn_fetch(u16, 2, c->eip);
859 switch (c->modrm_rm) {
861 c->modrm_ea += bx + si;
864 c->modrm_ea += bx + di;
867 c->modrm_ea += bp + si;
870 c->modrm_ea += bp + di;
879 if (c->modrm_mod != 0)
886 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
887 (c->modrm_rm == 6 && c->modrm_mod != 0))
888 if (!c->has_seg_override)
889 set_seg_override(c, VCPU_SREG_SS);
890 c->modrm_ea = (u16)c->modrm_ea;
892 /* 32/64-bit ModR/M decode. */
893 if ((c->modrm_rm & 7) == 4) {
894 sib = insn_fetch(u8, 1, c->eip);
895 index_reg |= (sib >> 3) & 7;
899 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
900 c->modrm_ea += insn_fetch(s32, 4, c->eip);
902 c->modrm_ea += c->regs[base_reg];
904 c->modrm_ea += c->regs[index_reg] << scale;
905 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
906 if (ctxt->mode == X86EMUL_MODE_PROT64)
909 c->modrm_ea += c->regs[c->modrm_rm];
910 switch (c->modrm_mod) {
912 if (c->modrm_rm == 5)
913 c->modrm_ea += insn_fetch(s32, 4, c->eip);
916 c->modrm_ea += insn_fetch(s8, 1, c->eip);
919 c->modrm_ea += insn_fetch(s32, 4, c->eip);
927 static int decode_abs(struct x86_emulate_ctxt *ctxt,
928 struct x86_emulate_ops *ops)
930 struct decode_cache *c = &ctxt->decode;
931 int rc = X86EMUL_CONTINUE;
933 switch (c->ad_bytes) {
935 c->modrm_ea = insn_fetch(u16, 2, c->eip);
938 c->modrm_ea = insn_fetch(u32, 4, c->eip);
941 c->modrm_ea = insn_fetch(u64, 8, c->eip);
949 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
951 struct decode_cache *c = &ctxt->decode;
952 int rc = X86EMUL_CONTINUE;
953 int mode = ctxt->mode;
954 int def_op_bytes, def_ad_bytes, group, dual, goffset;
955 struct opcode opcode, *g_mod012, *g_mod3;
957 /* we cannot decode insn before we complete previous rep insn */
958 WARN_ON(ctxt->restart);
961 c->fetch.start = c->fetch.end = c->eip;
962 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
965 case X86EMUL_MODE_REAL:
966 case X86EMUL_MODE_VM86:
967 case X86EMUL_MODE_PROT16:
968 def_op_bytes = def_ad_bytes = 2;
970 case X86EMUL_MODE_PROT32:
971 def_op_bytes = def_ad_bytes = 4;
974 case X86EMUL_MODE_PROT64:
983 c->op_bytes = def_op_bytes;
984 c->ad_bytes = def_ad_bytes;
986 /* Legacy prefixes. */
988 switch (c->b = insn_fetch(u8, 1, c->eip)) {
989 case 0x66: /* operand-size override */
990 /* switch between 2/4 bytes */
991 c->op_bytes = def_op_bytes ^ 6;
993 case 0x67: /* address-size override */
994 if (mode == X86EMUL_MODE_PROT64)
995 /* switch between 4/8 bytes */
996 c->ad_bytes = def_ad_bytes ^ 12;
998 /* switch between 2/4 bytes */
999 c->ad_bytes = def_ad_bytes ^ 6;
1001 case 0x26: /* ES override */
1002 case 0x2e: /* CS override */
1003 case 0x36: /* SS override */
1004 case 0x3e: /* DS override */
1005 set_seg_override(c, (c->b >> 3) & 3);
1007 case 0x64: /* FS override */
1008 case 0x65: /* GS override */
1009 set_seg_override(c, c->b & 7);
1011 case 0x40 ... 0x4f: /* REX */
1012 if (mode != X86EMUL_MODE_PROT64)
1014 c->rex_prefix = c->b;
1016 case 0xf0: /* LOCK */
1019 case 0xf2: /* REPNE/REPNZ */
1020 c->rep_prefix = REPNE_PREFIX;
1022 case 0xf3: /* REP/REPE/REPZ */
1023 c->rep_prefix = REPE_PREFIX;
1029 /* Any legacy prefix after a REX prefix nullifies its effect. */
1038 if (c->rex_prefix & 8)
1039 c->op_bytes = 8; /* REX.W */
1041 /* Opcode byte(s). */
1042 opcode = opcode_table[c->b];
1043 if (opcode.flags == 0) {
1044 /* Two-byte opcode? */
1047 c->b = insn_fetch(u8, 1, c->eip);
1048 opcode = twobyte_table[c->b];
1051 c->d = opcode.flags;
1054 group = c->d & GroupMask;
1055 dual = c->d & GroupDual;
1056 c->modrm = insn_fetch(u8, 1, c->eip);
1060 g_mod012 = g_mod3 = &group_table[group * 8];
1061 if (c->d & GroupDual)
1062 g_mod3 = &group2_table[group * 8];
1064 if (c->d & GroupDual) {
1065 g_mod012 = opcode.u.gdual->mod012;
1066 g_mod3 = opcode.u.gdual->mod3;
1068 g_mod012 = g_mod3 = opcode.u.group;
1071 c->d &= ~(Group | GroupDual | GroupMask);
1073 goffset = (c->modrm >> 3) & 7;
1075 if ((c->modrm >> 6) == 3)
1076 opcode = g_mod3[goffset];
1078 opcode = g_mod012[goffset];
1079 c->d |= opcode.flags;
1083 if (c->d == 0 || (c->d & Undefined)) {
1084 DPRINTF("Cannot emulate %02x\n", c->b);
1088 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1091 /* ModRM and SIB bytes. */
1093 rc = decode_modrm(ctxt, ops);
1094 else if (c->d & MemAbs)
1095 rc = decode_abs(ctxt, ops);
1096 if (rc != X86EMUL_CONTINUE)
1099 if (!c->has_seg_override)
1100 set_seg_override(c, VCPU_SREG_DS);
1102 if (!(!c->twobyte && c->b == 0x8d))
1103 c->modrm_ea += seg_override_base(ctxt, ops, c);
1105 if (c->ad_bytes != 8)
1106 c->modrm_ea = (u32)c->modrm_ea;
1108 if (c->rip_relative)
1109 c->modrm_ea += c->eip;
1112 * Decode and fetch the source operand: register, memory
1115 switch (c->d & SrcMask) {
1119 decode_register_operand(&c->src, c, 0);
1128 c->src.bytes = (c->d & ByteOp) ? 1 :
1130 /* Don't fetch the address for invlpg: it could be unmapped. */
1131 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1135 * For instructions with a ModR/M byte, switch to register
1136 * access if Mod = 3.
1138 if ((c->d & ModRM) && c->modrm_mod == 3) {
1139 c->src.type = OP_REG;
1140 c->src.val = c->modrm_val;
1141 c->src.ptr = c->modrm_ptr;
1144 c->src.type = OP_MEM;
1145 c->src.ptr = (unsigned long *)c->modrm_ea;
1150 c->src.type = OP_IMM;
1151 c->src.ptr = (unsigned long *)c->eip;
1152 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1153 if (c->src.bytes == 8)
1155 /* NB. Immediates are sign-extended as necessary. */
1156 switch (c->src.bytes) {
1158 c->src.val = insn_fetch(s8, 1, c->eip);
1161 c->src.val = insn_fetch(s16, 2, c->eip);
1164 c->src.val = insn_fetch(s32, 4, c->eip);
1167 if ((c->d & SrcMask) == SrcImmU) {
1168 switch (c->src.bytes) {
1173 c->src.val &= 0xffff;
1176 c->src.val &= 0xffffffff;
1183 c->src.type = OP_IMM;
1184 c->src.ptr = (unsigned long *)c->eip;
1186 if ((c->d & SrcMask) == SrcImmByte)
1187 c->src.val = insn_fetch(s8, 1, c->eip);
1189 c->src.val = insn_fetch(u8, 1, c->eip);
1192 c->src.type = OP_REG;
1193 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1194 c->src.ptr = &c->regs[VCPU_REGS_RAX];
1195 switch (c->src.bytes) {
1197 c->src.val = *(u8 *)c->src.ptr;
1200 c->src.val = *(u16 *)c->src.ptr;
1203 c->src.val = *(u32 *)c->src.ptr;
1206 c->src.val = *(u64 *)c->src.ptr;
1215 c->src.type = OP_MEM;
1216 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1217 c->src.ptr = (unsigned long *)
1218 register_address(c, seg_override_base(ctxt, ops, c),
1219 c->regs[VCPU_REGS_RSI]);
1223 c->src.type = OP_IMM;
1224 c->src.ptr = (unsigned long *)c->eip;
1225 c->src.bytes = c->op_bytes + 2;
1226 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
1229 c->src.type = OP_MEM;
1230 c->src.ptr = (unsigned long *)c->modrm_ea;
1231 c->src.bytes = c->op_bytes + 2;
1236 * Decode and fetch the second source operand: register, memory
1239 switch (c->d & Src2Mask) {
1244 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1247 c->src2.type = OP_IMM;
1248 c->src2.ptr = (unsigned long *)c->eip;
1250 c->src2.val = insn_fetch(u8, 1, c->eip);
1258 /* Decode and fetch the destination operand: register or memory. */
1259 switch (c->d & DstMask) {
1261 /* Special instructions do their own operand decoding. */
1264 decode_register_operand(&c->dst, c,
1265 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1269 if ((c->d & ModRM) && c->modrm_mod == 3) {
1270 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1271 c->dst.type = OP_REG;
1272 c->dst.val = c->dst.orig_val = c->modrm_val;
1273 c->dst.ptr = c->modrm_ptr;
1276 c->dst.type = OP_MEM;
1277 c->dst.ptr = (unsigned long *)c->modrm_ea;
1278 if ((c->d & DstMask) == DstMem64)
1281 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1284 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1286 c->dst.ptr = (void *)c->dst.ptr +
1287 (c->src.val & mask) / 8;
1291 c->dst.type = OP_REG;
1292 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1293 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1294 switch (c->dst.bytes) {
1296 c->dst.val = *(u8 *)c->dst.ptr;
1299 c->dst.val = *(u16 *)c->dst.ptr;
1302 c->dst.val = *(u32 *)c->dst.ptr;
1305 c->dst.val = *(u64 *)c->dst.ptr;
1308 c->dst.orig_val = c->dst.val;
1311 c->dst.type = OP_MEM;
1312 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1313 c->dst.ptr = (unsigned long *)
1314 register_address(c, es_base(ctxt, ops),
1315 c->regs[VCPU_REGS_RDI]);
1321 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1324 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1325 struct x86_emulate_ops *ops,
1326 unsigned long addr, void *dest, unsigned size)
1329 struct read_cache *mc = &ctxt->decode.mem_read;
1333 int n = min(size, 8u);
1335 if (mc->pos < mc->end)
1338 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
1340 if (rc == X86EMUL_PROPAGATE_FAULT)
1341 emulate_pf(ctxt, addr, err);
1342 if (rc != X86EMUL_CONTINUE)
1347 memcpy(dest, mc->data + mc->pos, n);
1352 return X86EMUL_CONTINUE;
1355 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1356 struct x86_emulate_ops *ops,
1357 unsigned int size, unsigned short port,
1360 struct read_cache *rc = &ctxt->decode.io_read;
1362 if (rc->pos == rc->end) { /* refill pio read ahead */
1363 struct decode_cache *c = &ctxt->decode;
1364 unsigned int in_page, n;
1365 unsigned int count = c->rep_prefix ?
1366 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1367 in_page = (ctxt->eflags & EFLG_DF) ?
1368 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1369 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1370 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1374 rc->pos = rc->end = 0;
1375 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1380 memcpy(dest, rc->data + rc->pos, size);
1385 static u32 desc_limit_scaled(struct desc_struct *desc)
1387 u32 limit = get_desc_limit(desc);
1389 return desc->g ? (limit << 12) | 0xfff : limit;
1392 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1393 struct x86_emulate_ops *ops,
1394 u16 selector, struct desc_ptr *dt)
1396 if (selector & 1 << 2) {
1397 struct desc_struct desc;
1398 memset (dt, 0, sizeof *dt);
1399 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1402 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1403 dt->address = get_desc_base(&desc);
1405 ops->get_gdt(dt, ctxt->vcpu);
1408 /* allowed just for 8 bytes segments */
1409 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1410 struct x86_emulate_ops *ops,
1411 u16 selector, struct desc_struct *desc)
1414 u16 index = selector >> 3;
1419 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1421 if (dt.size < index * 8 + 7) {
1422 emulate_gp(ctxt, selector & 0xfffc);
1423 return X86EMUL_PROPAGATE_FAULT;
1425 addr = dt.address + index * 8;
1426 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1427 if (ret == X86EMUL_PROPAGATE_FAULT)
1428 emulate_pf(ctxt, addr, err);
1433 /* allowed just for 8 bytes segments */
1434 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1435 struct x86_emulate_ops *ops,
1436 u16 selector, struct desc_struct *desc)
1439 u16 index = selector >> 3;
1444 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1446 if (dt.size < index * 8 + 7) {
1447 emulate_gp(ctxt, selector & 0xfffc);
1448 return X86EMUL_PROPAGATE_FAULT;
1451 addr = dt.address + index * 8;
1452 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1453 if (ret == X86EMUL_PROPAGATE_FAULT)
1454 emulate_pf(ctxt, addr, err);
1459 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1460 struct x86_emulate_ops *ops,
1461 u16 selector, int seg)
1463 struct desc_struct seg_desc;
1465 unsigned err_vec = GP_VECTOR;
1467 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1470 memset(&seg_desc, 0, sizeof seg_desc);
1472 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1473 || ctxt->mode == X86EMUL_MODE_REAL) {
1474 /* set real mode segment descriptor */
1475 set_desc_base(&seg_desc, selector << 4);
1476 set_desc_limit(&seg_desc, 0xffff);
1483 /* NULL selector is not valid for TR, CS and SS */
1484 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1488 /* TR should be in GDT only */
1489 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1492 if (null_selector) /* for NULL selector skip all following checks */
1495 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1496 if (ret != X86EMUL_CONTINUE)
1499 err_code = selector & 0xfffc;
1500 err_vec = GP_VECTOR;
1502 /* can't load system descriptor into segment selecor */
1503 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1507 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1513 cpl = ops->cpl(ctxt->vcpu);
1518 * segment is not a writable data segment or segment
1519 * selector's RPL != CPL or segment selector's RPL != CPL
1521 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1525 if (!(seg_desc.type & 8))
1528 if (seg_desc.type & 4) {
1534 if (rpl > cpl || dpl != cpl)
1537 /* CS(RPL) <- CPL */
1538 selector = (selector & 0xfffc) | cpl;
1541 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1544 case VCPU_SREG_LDTR:
1545 if (seg_desc.s || seg_desc.type != 2)
1548 default: /* DS, ES, FS, or GS */
1550 * segment is not a data or readable code segment or
1551 * ((segment is a data or nonconforming code segment)
1552 * and (both RPL and CPL > DPL))
1554 if ((seg_desc.type & 0xa) == 0x8 ||
1555 (((seg_desc.type & 0xc) != 0xc) &&
1556 (rpl > dpl && cpl > dpl)))
1562 /* mark segment as accessed */
1564 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1565 if (ret != X86EMUL_CONTINUE)
1569 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1570 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1571 return X86EMUL_CONTINUE;
1573 emulate_exception(ctxt, err_vec, err_code, true);
1574 return X86EMUL_PROPAGATE_FAULT;
1577 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1578 struct x86_emulate_ops *ops)
1581 struct decode_cache *c = &ctxt->decode;
1584 switch (c->dst.type) {
1586 /* The 4-byte case *is* correct:
1587 * in 64-bit mode we zero-extend.
1589 switch (c->dst.bytes) {
1591 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1594 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1597 *c->dst.ptr = (u32)c->dst.val;
1598 break; /* 64b: zero-ext */
1600 *c->dst.ptr = c->dst.val;
1606 rc = ops->cmpxchg_emulated(
1607 (unsigned long)c->dst.ptr,
1614 rc = ops->write_emulated(
1615 (unsigned long)c->dst.ptr,
1620 if (rc == X86EMUL_PROPAGATE_FAULT)
1622 (unsigned long)c->dst.ptr, err);
1623 if (rc != X86EMUL_CONTINUE)
1632 return X86EMUL_CONTINUE;
1635 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1636 struct x86_emulate_ops *ops)
1638 struct decode_cache *c = &ctxt->decode;
1640 c->dst.type = OP_MEM;
1641 c->dst.bytes = c->op_bytes;
1642 c->dst.val = c->src.val;
1643 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1644 c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1645 c->regs[VCPU_REGS_RSP]);
1648 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1649 struct x86_emulate_ops *ops,
1650 void *dest, int len)
1652 struct decode_cache *c = &ctxt->decode;
1655 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1656 c->regs[VCPU_REGS_RSP]),
1658 if (rc != X86EMUL_CONTINUE)
1661 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1665 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1666 struct x86_emulate_ops *ops,
1667 void *dest, int len)
1670 unsigned long val, change_mask;
1671 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1672 int cpl = ops->cpl(ctxt->vcpu);
1674 rc = emulate_pop(ctxt, ops, &val, len);
1675 if (rc != X86EMUL_CONTINUE)
1678 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1679 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1681 switch(ctxt->mode) {
1682 case X86EMUL_MODE_PROT64:
1683 case X86EMUL_MODE_PROT32:
1684 case X86EMUL_MODE_PROT16:
1686 change_mask |= EFLG_IOPL;
1688 change_mask |= EFLG_IF;
1690 case X86EMUL_MODE_VM86:
1692 emulate_gp(ctxt, 0);
1693 return X86EMUL_PROPAGATE_FAULT;
1695 change_mask |= EFLG_IF;
1697 default: /* real mode */
1698 change_mask |= (EFLG_IOPL | EFLG_IF);
1702 *(unsigned long *)dest =
1703 (ctxt->eflags & ~change_mask) | (val & change_mask);
1708 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1709 struct x86_emulate_ops *ops, int seg)
1711 struct decode_cache *c = &ctxt->decode;
1713 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1715 emulate_push(ctxt, ops);
1718 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1719 struct x86_emulate_ops *ops, int seg)
1721 struct decode_cache *c = &ctxt->decode;
1722 unsigned long selector;
1725 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1726 if (rc != X86EMUL_CONTINUE)
1729 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1733 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1734 struct x86_emulate_ops *ops)
1736 struct decode_cache *c = &ctxt->decode;
1737 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1738 int rc = X86EMUL_CONTINUE;
1739 int reg = VCPU_REGS_RAX;
1741 while (reg <= VCPU_REGS_RDI) {
1742 (reg == VCPU_REGS_RSP) ?
1743 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1745 emulate_push(ctxt, ops);
1747 rc = writeback(ctxt, ops);
1748 if (rc != X86EMUL_CONTINUE)
1754 /* Disable writeback. */
1755 c->dst.type = OP_NONE;
1760 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1761 struct x86_emulate_ops *ops)
1763 struct decode_cache *c = &ctxt->decode;
1764 int rc = X86EMUL_CONTINUE;
1765 int reg = VCPU_REGS_RDI;
1767 while (reg >= VCPU_REGS_RAX) {
1768 if (reg == VCPU_REGS_RSP) {
1769 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1774 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1775 if (rc != X86EMUL_CONTINUE)
1782 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1783 struct x86_emulate_ops *ops)
1785 struct decode_cache *c = &ctxt->decode;
1786 int rc = X86EMUL_CONTINUE;
1787 unsigned long temp_eip = 0;
1788 unsigned long temp_eflags = 0;
1789 unsigned long cs = 0;
1790 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1791 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1792 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1793 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1795 /* TODO: Add stack limit check */
1797 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1799 if (rc != X86EMUL_CONTINUE)
1802 if (temp_eip & ~0xffff) {
1803 emulate_gp(ctxt, 0);
1804 return X86EMUL_PROPAGATE_FAULT;
1807 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1809 if (rc != X86EMUL_CONTINUE)
1812 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1814 if (rc != X86EMUL_CONTINUE)
1817 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1819 if (rc != X86EMUL_CONTINUE)
1825 if (c->op_bytes == 4)
1826 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1827 else if (c->op_bytes == 2) {
1828 ctxt->eflags &= ~0xffff;
1829 ctxt->eflags |= temp_eflags;
1832 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1833 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1838 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1839 struct x86_emulate_ops* ops)
1841 switch(ctxt->mode) {
1842 case X86EMUL_MODE_REAL:
1843 return emulate_iret_real(ctxt, ops);
1844 case X86EMUL_MODE_VM86:
1845 case X86EMUL_MODE_PROT16:
1846 case X86EMUL_MODE_PROT32:
1847 case X86EMUL_MODE_PROT64:
1849 /* iret from protected mode unimplemented yet */
1850 return X86EMUL_UNHANDLEABLE;
1854 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1855 struct x86_emulate_ops *ops)
1857 struct decode_cache *c = &ctxt->decode;
1859 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1862 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1864 struct decode_cache *c = &ctxt->decode;
1865 switch (c->modrm_reg) {
1867 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1870 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1873 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1876 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1878 case 4: /* sal/shl */
1879 case 6: /* sal/shl */
1880 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1883 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1886 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1891 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1892 struct x86_emulate_ops *ops)
1894 struct decode_cache *c = &ctxt->decode;
1896 switch (c->modrm_reg) {
1897 case 0 ... 1: /* test */
1898 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1901 c->dst.val = ~c->dst.val;
1904 emulate_1op("neg", c->dst, ctxt->eflags);
1912 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1913 struct x86_emulate_ops *ops)
1915 struct decode_cache *c = &ctxt->decode;
1917 switch (c->modrm_reg) {
1919 emulate_1op("inc", c->dst, ctxt->eflags);
1922 emulate_1op("dec", c->dst, ctxt->eflags);
1924 case 2: /* call near abs */ {
1927 c->eip = c->src.val;
1928 c->src.val = old_eip;
1929 emulate_push(ctxt, ops);
1932 case 4: /* jmp abs */
1933 c->eip = c->src.val;
1936 emulate_push(ctxt, ops);
1939 return X86EMUL_CONTINUE;
1942 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1943 struct x86_emulate_ops *ops)
1945 struct decode_cache *c = &ctxt->decode;
1946 u64 old = c->dst.orig_val64;
1948 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1949 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1950 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1951 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1952 ctxt->eflags &= ~EFLG_ZF;
1954 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1955 (u32) c->regs[VCPU_REGS_RBX];
1957 ctxt->eflags |= EFLG_ZF;
1959 return X86EMUL_CONTINUE;
1962 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1963 struct x86_emulate_ops *ops)
1965 struct decode_cache *c = &ctxt->decode;
1969 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1970 if (rc != X86EMUL_CONTINUE)
1972 if (c->op_bytes == 4)
1973 c->eip = (u32)c->eip;
1974 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1975 if (rc != X86EMUL_CONTINUE)
1977 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1982 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1983 struct x86_emulate_ops *ops, struct desc_struct *cs,
1984 struct desc_struct *ss)
1986 memset(cs, 0, sizeof(struct desc_struct));
1987 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1988 memset(ss, 0, sizeof(struct desc_struct));
1990 cs->l = 0; /* will be adjusted later */
1991 set_desc_base(cs, 0); /* flat segment */
1992 cs->g = 1; /* 4kb granularity */
1993 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1994 cs->type = 0x0b; /* Read, Execute, Accessed */
1996 cs->dpl = 0; /* will be adjusted later */
2000 set_desc_base(ss, 0); /* flat segment */
2001 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2002 ss->g = 1; /* 4kb granularity */
2004 ss->type = 0x03; /* Read/Write, Accessed */
2005 ss->d = 1; /* 32bit stack segment */
2011 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2013 struct decode_cache *c = &ctxt->decode;
2014 struct desc_struct cs, ss;
2018 /* syscall is not available in real mode */
2019 if (ctxt->mode == X86EMUL_MODE_REAL ||
2020 ctxt->mode == X86EMUL_MODE_VM86) {
2022 return X86EMUL_PROPAGATE_FAULT;
2025 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2027 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
2029 cs_sel = (u16)(msr_data & 0xfffc);
2030 ss_sel = (u16)(msr_data + 8);
2032 if (is_long_mode(ctxt->vcpu)) {
2036 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2037 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2038 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2039 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2041 c->regs[VCPU_REGS_RCX] = c->eip;
2042 if (is_long_mode(ctxt->vcpu)) {
2043 #ifdef CONFIG_X86_64
2044 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
2046 ops->get_msr(ctxt->vcpu,
2047 ctxt->mode == X86EMUL_MODE_PROT64 ?
2048 MSR_LSTAR : MSR_CSTAR, &msr_data);
2051 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
2052 ctxt->eflags &= ~(msr_data | EFLG_RF);
2056 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
2057 c->eip = (u32)msr_data;
2059 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2062 return X86EMUL_CONTINUE;
2066 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2068 struct decode_cache *c = &ctxt->decode;
2069 struct desc_struct cs, ss;
2073 /* inject #GP if in real mode */
2074 if (ctxt->mode == X86EMUL_MODE_REAL) {
2075 emulate_gp(ctxt, 0);
2076 return X86EMUL_PROPAGATE_FAULT;
2079 /* XXX sysenter/sysexit have not been tested in 64bit mode.
2080 * Therefore, we inject an #UD.
2082 if (ctxt->mode == X86EMUL_MODE_PROT64) {
2084 return X86EMUL_PROPAGATE_FAULT;
2087 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2089 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2090 switch (ctxt->mode) {
2091 case X86EMUL_MODE_PROT32:
2092 if ((msr_data & 0xfffc) == 0x0) {
2093 emulate_gp(ctxt, 0);
2094 return X86EMUL_PROPAGATE_FAULT;
2097 case X86EMUL_MODE_PROT64:
2098 if (msr_data == 0x0) {
2099 emulate_gp(ctxt, 0);
2100 return X86EMUL_PROPAGATE_FAULT;
2105 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2106 cs_sel = (u16)msr_data;
2107 cs_sel &= ~SELECTOR_RPL_MASK;
2108 ss_sel = cs_sel + 8;
2109 ss_sel &= ~SELECTOR_RPL_MASK;
2110 if (ctxt->mode == X86EMUL_MODE_PROT64
2111 || is_long_mode(ctxt->vcpu)) {
2116 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2117 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2118 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2119 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2121 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
2124 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
2125 c->regs[VCPU_REGS_RSP] = msr_data;
2127 return X86EMUL_CONTINUE;
2131 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2133 struct decode_cache *c = &ctxt->decode;
2134 struct desc_struct cs, ss;
2139 /* inject #GP if in real mode or Virtual 8086 mode */
2140 if (ctxt->mode == X86EMUL_MODE_REAL ||
2141 ctxt->mode == X86EMUL_MODE_VM86) {
2142 emulate_gp(ctxt, 0);
2143 return X86EMUL_PROPAGATE_FAULT;
2146 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2148 if ((c->rex_prefix & 0x8) != 0x0)
2149 usermode = X86EMUL_MODE_PROT64;
2151 usermode = X86EMUL_MODE_PROT32;
2155 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2157 case X86EMUL_MODE_PROT32:
2158 cs_sel = (u16)(msr_data + 16);
2159 if ((msr_data & 0xfffc) == 0x0) {
2160 emulate_gp(ctxt, 0);
2161 return X86EMUL_PROPAGATE_FAULT;
2163 ss_sel = (u16)(msr_data + 24);
2165 case X86EMUL_MODE_PROT64:
2166 cs_sel = (u16)(msr_data + 32);
2167 if (msr_data == 0x0) {
2168 emulate_gp(ctxt, 0);
2169 return X86EMUL_PROPAGATE_FAULT;
2171 ss_sel = cs_sel + 8;
2176 cs_sel |= SELECTOR_RPL_MASK;
2177 ss_sel |= SELECTOR_RPL_MASK;
2179 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2180 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2181 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2182 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2184 c->eip = c->regs[VCPU_REGS_RDX];
2185 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
2187 return X86EMUL_CONTINUE;
2190 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
2191 struct x86_emulate_ops *ops)
2194 if (ctxt->mode == X86EMUL_MODE_REAL)
2196 if (ctxt->mode == X86EMUL_MODE_VM86)
2198 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2199 return ops->cpl(ctxt->vcpu) > iopl;
2202 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2203 struct x86_emulate_ops *ops,
2206 struct desc_struct tr_seg;
2209 u8 perm, bit_idx = port & 0x7;
2210 unsigned mask = (1 << len) - 1;
2212 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
2215 if (desc_limit_scaled(&tr_seg) < 103)
2217 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
2219 if (r != X86EMUL_CONTINUE)
2221 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2223 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
2224 &perm, 1, ctxt->vcpu, NULL);
2225 if (r != X86EMUL_CONTINUE)
2227 if ((perm >> bit_idx) & mask)
2232 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2233 struct x86_emulate_ops *ops,
2236 if (emulator_bad_iopl(ctxt, ops))
2237 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2242 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2243 struct x86_emulate_ops *ops,
2244 struct tss_segment_16 *tss)
2246 struct decode_cache *c = &ctxt->decode;
2249 tss->flag = ctxt->eflags;
2250 tss->ax = c->regs[VCPU_REGS_RAX];
2251 tss->cx = c->regs[VCPU_REGS_RCX];
2252 tss->dx = c->regs[VCPU_REGS_RDX];
2253 tss->bx = c->regs[VCPU_REGS_RBX];
2254 tss->sp = c->regs[VCPU_REGS_RSP];
2255 tss->bp = c->regs[VCPU_REGS_RBP];
2256 tss->si = c->regs[VCPU_REGS_RSI];
2257 tss->di = c->regs[VCPU_REGS_RDI];
2259 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2260 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2261 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2262 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2263 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2266 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2267 struct x86_emulate_ops *ops,
2268 struct tss_segment_16 *tss)
2270 struct decode_cache *c = &ctxt->decode;
2274 ctxt->eflags = tss->flag | 2;
2275 c->regs[VCPU_REGS_RAX] = tss->ax;
2276 c->regs[VCPU_REGS_RCX] = tss->cx;
2277 c->regs[VCPU_REGS_RDX] = tss->dx;
2278 c->regs[VCPU_REGS_RBX] = tss->bx;
2279 c->regs[VCPU_REGS_RSP] = tss->sp;
2280 c->regs[VCPU_REGS_RBP] = tss->bp;
2281 c->regs[VCPU_REGS_RSI] = tss->si;
2282 c->regs[VCPU_REGS_RDI] = tss->di;
2285 * SDM says that segment selectors are loaded before segment
2288 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2289 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2290 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2291 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2292 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2295 * Now load segment descriptors. If fault happenes at this stage
2296 * it is handled in a context of new task
2298 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2299 if (ret != X86EMUL_CONTINUE)
2301 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2302 if (ret != X86EMUL_CONTINUE)
2304 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2305 if (ret != X86EMUL_CONTINUE)
2307 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2308 if (ret != X86EMUL_CONTINUE)
2310 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2311 if (ret != X86EMUL_CONTINUE)
2314 return X86EMUL_CONTINUE;
2317 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2318 struct x86_emulate_ops *ops,
2319 u16 tss_selector, u16 old_tss_sel,
2320 ulong old_tss_base, struct desc_struct *new_desc)
2322 struct tss_segment_16 tss_seg;
2324 u32 err, new_tss_base = get_desc_base(new_desc);
2326 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2328 if (ret == X86EMUL_PROPAGATE_FAULT) {
2329 /* FIXME: need to provide precise fault address */
2330 emulate_pf(ctxt, old_tss_base, err);
2334 save_state_to_tss16(ctxt, ops, &tss_seg);
2336 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2338 if (ret == X86EMUL_PROPAGATE_FAULT) {
2339 /* FIXME: need to provide precise fault address */
2340 emulate_pf(ctxt, old_tss_base, err);
2344 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2346 if (ret == X86EMUL_PROPAGATE_FAULT) {
2347 /* FIXME: need to provide precise fault address */
2348 emulate_pf(ctxt, new_tss_base, err);
2352 if (old_tss_sel != 0xffff) {
2353 tss_seg.prev_task_link = old_tss_sel;
2355 ret = ops->write_std(new_tss_base,
2356 &tss_seg.prev_task_link,
2357 sizeof tss_seg.prev_task_link,
2359 if (ret == X86EMUL_PROPAGATE_FAULT) {
2360 /* FIXME: need to provide precise fault address */
2361 emulate_pf(ctxt, new_tss_base, err);
2366 return load_state_from_tss16(ctxt, ops, &tss_seg);
2369 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2370 struct x86_emulate_ops *ops,
2371 struct tss_segment_32 *tss)
2373 struct decode_cache *c = &ctxt->decode;
2375 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2377 tss->eflags = ctxt->eflags;
2378 tss->eax = c->regs[VCPU_REGS_RAX];
2379 tss->ecx = c->regs[VCPU_REGS_RCX];
2380 tss->edx = c->regs[VCPU_REGS_RDX];
2381 tss->ebx = c->regs[VCPU_REGS_RBX];
2382 tss->esp = c->regs[VCPU_REGS_RSP];
2383 tss->ebp = c->regs[VCPU_REGS_RBP];
2384 tss->esi = c->regs[VCPU_REGS_RSI];
2385 tss->edi = c->regs[VCPU_REGS_RDI];
2387 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2388 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2389 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2390 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2391 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2392 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2393 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2396 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2397 struct x86_emulate_ops *ops,
2398 struct tss_segment_32 *tss)
2400 struct decode_cache *c = &ctxt->decode;
2403 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2404 emulate_gp(ctxt, 0);
2405 return X86EMUL_PROPAGATE_FAULT;
2408 ctxt->eflags = tss->eflags | 2;
2409 c->regs[VCPU_REGS_RAX] = tss->eax;
2410 c->regs[VCPU_REGS_RCX] = tss->ecx;
2411 c->regs[VCPU_REGS_RDX] = tss->edx;
2412 c->regs[VCPU_REGS_RBX] = tss->ebx;
2413 c->regs[VCPU_REGS_RSP] = tss->esp;
2414 c->regs[VCPU_REGS_RBP] = tss->ebp;
2415 c->regs[VCPU_REGS_RSI] = tss->esi;
2416 c->regs[VCPU_REGS_RDI] = tss->edi;
2419 * SDM says that segment selectors are loaded before segment
2422 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2423 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2424 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2425 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2426 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2427 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2428 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2431 * Now load segment descriptors. If fault happenes at this stage
2432 * it is handled in a context of new task
2434 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2435 if (ret != X86EMUL_CONTINUE)
2437 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2438 if (ret != X86EMUL_CONTINUE)
2440 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2441 if (ret != X86EMUL_CONTINUE)
2443 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2444 if (ret != X86EMUL_CONTINUE)
2446 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2447 if (ret != X86EMUL_CONTINUE)
2449 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2450 if (ret != X86EMUL_CONTINUE)
2452 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2453 if (ret != X86EMUL_CONTINUE)
2456 return X86EMUL_CONTINUE;
2459 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2460 struct x86_emulate_ops *ops,
2461 u16 tss_selector, u16 old_tss_sel,
2462 ulong old_tss_base, struct desc_struct *new_desc)
2464 struct tss_segment_32 tss_seg;
2466 u32 err, new_tss_base = get_desc_base(new_desc);
2468 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2470 if (ret == X86EMUL_PROPAGATE_FAULT) {
2471 /* FIXME: need to provide precise fault address */
2472 emulate_pf(ctxt, old_tss_base, err);
2476 save_state_to_tss32(ctxt, ops, &tss_seg);
2478 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2480 if (ret == X86EMUL_PROPAGATE_FAULT) {
2481 /* FIXME: need to provide precise fault address */
2482 emulate_pf(ctxt, old_tss_base, err);
2486 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2488 if (ret == X86EMUL_PROPAGATE_FAULT) {
2489 /* FIXME: need to provide precise fault address */
2490 emulate_pf(ctxt, new_tss_base, err);
2494 if (old_tss_sel != 0xffff) {
2495 tss_seg.prev_task_link = old_tss_sel;
2497 ret = ops->write_std(new_tss_base,
2498 &tss_seg.prev_task_link,
2499 sizeof tss_seg.prev_task_link,
2501 if (ret == X86EMUL_PROPAGATE_FAULT) {
2502 /* FIXME: need to provide precise fault address */
2503 emulate_pf(ctxt, new_tss_base, err);
2508 return load_state_from_tss32(ctxt, ops, &tss_seg);
2511 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2512 struct x86_emulate_ops *ops,
2513 u16 tss_selector, int reason,
2514 bool has_error_code, u32 error_code)
2516 struct desc_struct curr_tss_desc, next_tss_desc;
2518 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2519 ulong old_tss_base =
2520 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2523 /* FIXME: old_tss_base == ~0 ? */
2525 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2526 if (ret != X86EMUL_CONTINUE)
2528 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2529 if (ret != X86EMUL_CONTINUE)
2532 /* FIXME: check that next_tss_desc is tss */
2534 if (reason != TASK_SWITCH_IRET) {
2535 if ((tss_selector & 3) > next_tss_desc.dpl ||
2536 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2537 emulate_gp(ctxt, 0);
2538 return X86EMUL_PROPAGATE_FAULT;
2542 desc_limit = desc_limit_scaled(&next_tss_desc);
2543 if (!next_tss_desc.p ||
2544 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2545 desc_limit < 0x2b)) {
2546 emulate_ts(ctxt, tss_selector & 0xfffc);
2547 return X86EMUL_PROPAGATE_FAULT;
2550 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2551 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2552 write_segment_descriptor(ctxt, ops, old_tss_sel,
2556 if (reason == TASK_SWITCH_IRET)
2557 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2559 /* set back link to prev task only if NT bit is set in eflags
2560 note that old_tss_sel is not used afetr this point */
2561 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2562 old_tss_sel = 0xffff;
2564 if (next_tss_desc.type & 8)
2565 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2566 old_tss_base, &next_tss_desc);
2568 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2569 old_tss_base, &next_tss_desc);
2570 if (ret != X86EMUL_CONTINUE)
2573 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2574 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2576 if (reason != TASK_SWITCH_IRET) {
2577 next_tss_desc.type |= (1 << 1); /* set busy flag */
2578 write_segment_descriptor(ctxt, ops, tss_selector,
2582 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2583 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2584 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2586 if (has_error_code) {
2587 struct decode_cache *c = &ctxt->decode;
2589 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2591 c->src.val = (unsigned long) error_code;
2592 emulate_push(ctxt, ops);
2598 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2599 struct x86_emulate_ops *ops,
2600 u16 tss_selector, int reason,
2601 bool has_error_code, u32 error_code)
2603 struct decode_cache *c = &ctxt->decode;
2607 c->dst.type = OP_NONE;
2609 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2610 has_error_code, error_code);
2612 if (rc == X86EMUL_CONTINUE) {
2613 rc = writeback(ctxt, ops);
2614 if (rc == X86EMUL_CONTINUE)
2618 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2621 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2622 int reg, struct operand *op)
2624 struct decode_cache *c = &ctxt->decode;
2625 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2627 register_address_increment(c, &c->regs[reg], df * op->bytes);
2628 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2632 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2635 struct decode_cache *c = &ctxt->decode;
2636 int rc = X86EMUL_CONTINUE;
2637 int saved_dst_type = c->dst.type;
2639 ctxt->decode.mem_read.pos = 0;
2641 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2646 /* LOCK prefix is allowed only with some instructions */
2647 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2652 /* Privileged instruction can be executed only in CPL=0 */
2653 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2654 emulate_gp(ctxt, 0);
2658 if (c->rep_prefix && (c->d & String)) {
2659 ctxt->restart = true;
2660 /* All REP prefixes have the same first termination condition */
2661 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2663 ctxt->restart = false;
2667 /* The second termination condition only applies for REPE
2668 * and REPNE. Test if the repeat string operation prefix is
2669 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2670 * corresponding termination condition according to:
2671 * - if REPE/REPZ and ZF = 0 then done
2672 * - if REPNE/REPNZ and ZF = 1 then done
2674 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2675 (c->b == 0xae) || (c->b == 0xaf)) {
2676 if ((c->rep_prefix == REPE_PREFIX) &&
2677 ((ctxt->eflags & EFLG_ZF) == 0))
2679 if ((c->rep_prefix == REPNE_PREFIX) &&
2680 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2686 if (c->src.type == OP_MEM) {
2687 rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2688 c->src.valptr, c->src.bytes);
2689 if (rc != X86EMUL_CONTINUE)
2691 c->src.orig_val64 = c->src.val64;
2694 if (c->src2.type == OP_MEM) {
2695 rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
2696 &c->src2.val, c->src2.bytes);
2697 if (rc != X86EMUL_CONTINUE)
2701 if ((c->d & DstMask) == ImplicitOps)
2705 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2706 /* optimisation - avoid slow emulated read if Mov */
2707 rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
2708 &c->dst.val, c->dst.bytes);
2709 if (rc != X86EMUL_CONTINUE)
2712 c->dst.orig_val = c->dst.val;
2722 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2724 case 0x06: /* push es */
2725 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2727 case 0x07: /* pop es */
2728 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2729 if (rc != X86EMUL_CONTINUE)
2734 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2736 case 0x0e: /* push cs */
2737 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2741 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2743 case 0x16: /* push ss */
2744 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2746 case 0x17: /* pop ss */
2747 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2748 if (rc != X86EMUL_CONTINUE)
2753 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2755 case 0x1e: /* push ds */
2756 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2758 case 0x1f: /* pop ds */
2759 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2760 if (rc != X86EMUL_CONTINUE)
2765 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2769 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2773 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2777 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2779 case 0x40 ... 0x47: /* inc r16/r32 */
2780 emulate_1op("inc", c->dst, ctxt->eflags);
2782 case 0x48 ... 0x4f: /* dec r16/r32 */
2783 emulate_1op("dec", c->dst, ctxt->eflags);
2785 case 0x50 ... 0x57: /* push reg */
2786 emulate_push(ctxt, ops);
2788 case 0x58 ... 0x5f: /* pop reg */
2790 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2791 if (rc != X86EMUL_CONTINUE)
2794 case 0x60: /* pusha */
2795 rc = emulate_pusha(ctxt, ops);
2796 if (rc != X86EMUL_CONTINUE)
2799 case 0x61: /* popa */
2800 rc = emulate_popa(ctxt, ops);
2801 if (rc != X86EMUL_CONTINUE)
2804 case 0x63: /* movsxd */
2805 if (ctxt->mode != X86EMUL_MODE_PROT64)
2806 goto cannot_emulate;
2807 c->dst.val = (s32) c->src.val;
2809 case 0x68: /* push imm */
2810 case 0x6a: /* push imm8 */
2811 emulate_push(ctxt, ops);
2813 case 0x6c: /* insb */
2814 case 0x6d: /* insw/insd */
2815 c->dst.bytes = min(c->dst.bytes, 4u);
2816 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2818 emulate_gp(ctxt, 0);
2821 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2822 c->regs[VCPU_REGS_RDX], &c->dst.val))
2823 goto done; /* IO is needed, skip writeback */
2825 case 0x6e: /* outsb */
2826 case 0x6f: /* outsw/outsd */
2827 c->src.bytes = min(c->src.bytes, 4u);
2828 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2830 emulate_gp(ctxt, 0);
2833 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2834 &c->src.val, 1, ctxt->vcpu);
2836 c->dst.type = OP_NONE; /* nothing to writeback */
2838 case 0x70 ... 0x7f: /* jcc (short) */
2839 if (test_cc(c->b, ctxt->eflags))
2840 jmp_rel(c, c->src.val);
2842 case 0x80 ... 0x83: /* Grp1 */
2843 switch (c->modrm_reg) {
2864 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2866 case 0x86 ... 0x87: /* xchg */
2868 /* Write back the register source. */
2869 switch (c->dst.bytes) {
2871 *(u8 *) c->src.ptr = (u8) c->dst.val;
2874 *(u16 *) c->src.ptr = (u16) c->dst.val;
2877 *c->src.ptr = (u32) c->dst.val;
2878 break; /* 64b reg: zero-extend */
2880 *c->src.ptr = c->dst.val;
2884 * Write back the memory destination with implicit LOCK
2887 c->dst.val = c->src.val;
2890 case 0x88 ... 0x8b: /* mov */
2892 case 0x8c: /* mov r/m, sreg */
2893 if (c->modrm_reg > VCPU_SREG_GS) {
2897 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2899 case 0x8d: /* lea r16/r32, m */
2900 c->dst.val = c->modrm_ea;
2902 case 0x8e: { /* mov seg, r/m16 */
2907 if (c->modrm_reg == VCPU_SREG_CS ||
2908 c->modrm_reg > VCPU_SREG_GS) {
2913 if (c->modrm_reg == VCPU_SREG_SS)
2914 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2916 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2918 c->dst.type = OP_NONE; /* Disable writeback. */
2921 case 0x8f: /* pop (sole member of Grp1a) */
2922 rc = emulate_grp1a(ctxt, ops);
2923 if (rc != X86EMUL_CONTINUE)
2926 case 0x90: /* nop / xchg r8,rax */
2927 if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
2928 c->dst.type = OP_NONE; /* nop */
2931 case 0x91 ... 0x97: /* xchg reg,rax */
2932 c->src.type = OP_REG;
2933 c->src.bytes = c->op_bytes;
2934 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2935 c->src.val = *(c->src.ptr);
2937 case 0x9c: /* pushf */
2938 c->src.val = (unsigned long) ctxt->eflags;
2939 emulate_push(ctxt, ops);
2941 case 0x9d: /* popf */
2942 c->dst.type = OP_REG;
2943 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2944 c->dst.bytes = c->op_bytes;
2945 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2946 if (rc != X86EMUL_CONTINUE)
2949 case 0xa0 ... 0xa3: /* mov */
2950 case 0xa4 ... 0xa5: /* movs */
2952 case 0xa6 ... 0xa7: /* cmps */
2953 c->dst.type = OP_NONE; /* Disable writeback. */
2954 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2956 case 0xa8 ... 0xa9: /* test ax, imm */
2958 case 0xaa ... 0xab: /* stos */
2959 c->dst.val = c->regs[VCPU_REGS_RAX];
2961 case 0xac ... 0xad: /* lods */
2963 case 0xae ... 0xaf: /* scas */
2964 DPRINTF("Urk! I don't handle SCAS.\n");
2965 goto cannot_emulate;
2966 case 0xb0 ... 0xbf: /* mov r, imm */
2971 case 0xc3: /* ret */
2972 c->dst.type = OP_REG;
2973 c->dst.ptr = &c->eip;
2974 c->dst.bytes = c->op_bytes;
2975 goto pop_instruction;
2976 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2978 c->dst.val = c->src.val;
2980 case 0xcb: /* ret far */
2981 rc = emulate_ret_far(ctxt, ops);
2982 if (rc != X86EMUL_CONTINUE)
2985 case 0xcf: /* iret */
2986 rc = emulate_iret(ctxt, ops);
2988 if (rc != X86EMUL_CONTINUE)
2991 case 0xd0 ... 0xd1: /* Grp2 */
2995 case 0xd2 ... 0xd3: /* Grp2 */
2996 c->src.val = c->regs[VCPU_REGS_RCX];
2999 case 0xe4: /* inb */
3002 case 0xe6: /* outb */
3003 case 0xe7: /* out */
3005 case 0xe8: /* call (near) */ {
3006 long int rel = c->src.val;
3007 c->src.val = (unsigned long) c->eip;
3009 emulate_push(ctxt, ops);
3012 case 0xe9: /* jmp rel */
3014 case 0xea: { /* jmp far */
3017 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3019 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3023 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3027 jmp: /* jmp rel short */
3028 jmp_rel(c, c->src.val);
3029 c->dst.type = OP_NONE; /* Disable writeback. */
3031 case 0xec: /* in al,dx */
3032 case 0xed: /* in (e/r)ax,dx */
3033 c->src.val = c->regs[VCPU_REGS_RDX];
3035 c->dst.bytes = min(c->dst.bytes, 4u);
3036 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3037 emulate_gp(ctxt, 0);
3040 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3042 goto done; /* IO is needed */
3044 case 0xee: /* out dx,al */
3045 case 0xef: /* out dx,(e/r)ax */
3046 c->src.val = c->regs[VCPU_REGS_RDX];
3048 c->dst.bytes = min(c->dst.bytes, 4u);
3049 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3050 emulate_gp(ctxt, 0);
3053 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
3055 c->dst.type = OP_NONE; /* Disable writeback. */
3057 case 0xf4: /* hlt */
3058 ctxt->vcpu->arch.halt_request = 1;
3060 case 0xf5: /* cmc */
3061 /* complement carry flag from eflags reg */
3062 ctxt->eflags ^= EFLG_CF;
3063 c->dst.type = OP_NONE; /* Disable writeback. */
3065 case 0xf6 ... 0xf7: /* Grp3 */
3066 if (!emulate_grp3(ctxt, ops))
3067 goto cannot_emulate;
3069 case 0xf8: /* clc */
3070 ctxt->eflags &= ~EFLG_CF;
3071 c->dst.type = OP_NONE; /* Disable writeback. */
3073 case 0xfa: /* cli */
3074 if (emulator_bad_iopl(ctxt, ops)) {
3075 emulate_gp(ctxt, 0);
3078 ctxt->eflags &= ~X86_EFLAGS_IF;
3079 c->dst.type = OP_NONE; /* Disable writeback. */
3082 case 0xfb: /* sti */
3083 if (emulator_bad_iopl(ctxt, ops)) {
3084 emulate_gp(ctxt, 0);
3087 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3088 ctxt->eflags |= X86_EFLAGS_IF;
3089 c->dst.type = OP_NONE; /* Disable writeback. */
3092 case 0xfc: /* cld */
3093 ctxt->eflags &= ~EFLG_DF;
3094 c->dst.type = OP_NONE; /* Disable writeback. */
3096 case 0xfd: /* std */
3097 ctxt->eflags |= EFLG_DF;
3098 c->dst.type = OP_NONE; /* Disable writeback. */
3100 case 0xfe: /* Grp4 */
3102 rc = emulate_grp45(ctxt, ops);
3103 if (rc != X86EMUL_CONTINUE)
3106 case 0xff: /* Grp5 */
3107 if (c->modrm_reg == 5)
3111 goto cannot_emulate;
3115 rc = writeback(ctxt, ops);
3116 if (rc != X86EMUL_CONTINUE)
3120 * restore dst type in case the decoding will be reused
3121 * (happens for string instruction )
3123 c->dst.type = saved_dst_type;
3125 if ((c->d & SrcMask) == SrcSI)
3126 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3127 VCPU_REGS_RSI, &c->src);
3129 if ((c->d & DstMask) == DstDI)
3130 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3133 if (c->rep_prefix && (c->d & String)) {
3134 struct read_cache *rc = &ctxt->decode.io_read;
3135 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3137 * Re-enter guest when pio read ahead buffer is empty or,
3138 * if it is not used, after each 1024 iteration.
3140 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3141 (rc->end != 0 && rc->end == rc->pos))
3142 ctxt->restart = false;
3145 * reset read cache here in case string instruction is restared
3148 ctxt->decode.mem_read.end = 0;
3152 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3156 case 0x01: /* lgdt, lidt, lmsw */
3157 switch (c->modrm_reg) {
3159 unsigned long address;
3161 case 0: /* vmcall */
3162 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3163 goto cannot_emulate;
3165 rc = kvm_fix_hypercall(ctxt->vcpu);
3166 if (rc != X86EMUL_CONTINUE)
3169 /* Let the processor re-execute the fixed hypercall */
3171 /* Disable writeback. */
3172 c->dst.type = OP_NONE;
3175 rc = read_descriptor(ctxt, ops, c->src.ptr,
3176 &size, &address, c->op_bytes);
3177 if (rc != X86EMUL_CONTINUE)
3179 realmode_lgdt(ctxt->vcpu, size, address);
3180 /* Disable writeback. */
3181 c->dst.type = OP_NONE;
3183 case 3: /* lidt/vmmcall */
3184 if (c->modrm_mod == 3) {
3185 switch (c->modrm_rm) {
3187 rc = kvm_fix_hypercall(ctxt->vcpu);
3188 if (rc != X86EMUL_CONTINUE)
3192 goto cannot_emulate;
3195 rc = read_descriptor(ctxt, ops, c->src.ptr,
3198 if (rc != X86EMUL_CONTINUE)
3200 realmode_lidt(ctxt->vcpu, size, address);
3202 /* Disable writeback. */
3203 c->dst.type = OP_NONE;
3207 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3210 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3211 (c->src.val & 0x0f), ctxt->vcpu);
3212 c->dst.type = OP_NONE;
3214 case 5: /* not defined */
3218 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3219 /* Disable writeback. */
3220 c->dst.type = OP_NONE;
3223 goto cannot_emulate;
3226 case 0x05: /* syscall */
3227 rc = emulate_syscall(ctxt, ops);
3228 if (rc != X86EMUL_CONTINUE)
3234 emulate_clts(ctxt->vcpu);
3235 c->dst.type = OP_NONE;
3237 case 0x09: /* wbinvd */
3238 kvm_emulate_wbinvd(ctxt->vcpu);
3239 c->dst.type = OP_NONE;
3241 case 0x08: /* invd */
3242 case 0x0d: /* GrpP (prefetch) */
3243 case 0x18: /* Grp16 (prefetch/nop) */
3244 c->dst.type = OP_NONE;
3246 case 0x20: /* mov cr, reg */
3247 switch (c->modrm_reg) {
3254 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3255 c->dst.type = OP_NONE; /* no writeback */
3257 case 0x21: /* mov from dr to reg */
3258 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3259 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3263 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3264 c->dst.type = OP_NONE; /* no writeback */
3266 case 0x22: /* mov reg, cr */
3267 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3268 emulate_gp(ctxt, 0);
3271 c->dst.type = OP_NONE;
3273 case 0x23: /* mov from reg to dr */
3274 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3275 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3280 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3281 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3282 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3283 /* #UD condition is already handled by the code above */
3284 emulate_gp(ctxt, 0);
3288 c->dst.type = OP_NONE; /* no writeback */
3292 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3293 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3294 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3295 emulate_gp(ctxt, 0);
3298 rc = X86EMUL_CONTINUE;
3299 c->dst.type = OP_NONE;
3303 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3304 emulate_gp(ctxt, 0);
3307 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3308 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3310 rc = X86EMUL_CONTINUE;
3311 c->dst.type = OP_NONE;
3313 case 0x34: /* sysenter */
3314 rc = emulate_sysenter(ctxt, ops);
3315 if (rc != X86EMUL_CONTINUE)
3320 case 0x35: /* sysexit */
3321 rc = emulate_sysexit(ctxt, ops);
3322 if (rc != X86EMUL_CONTINUE)
3327 case 0x40 ... 0x4f: /* cmov */
3328 c->dst.val = c->dst.orig_val = c->src.val;
3329 if (!test_cc(c->b, ctxt->eflags))
3330 c->dst.type = OP_NONE; /* no writeback */
3332 case 0x80 ... 0x8f: /* jnz rel, etc*/
3333 if (test_cc(c->b, ctxt->eflags))
3334 jmp_rel(c, c->src.val);
3335 c->dst.type = OP_NONE;
3337 case 0xa0: /* push fs */
3338 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3340 case 0xa1: /* pop fs */
3341 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3342 if (rc != X86EMUL_CONTINUE)
3347 c->dst.type = OP_NONE;
3348 /* only subword offset */
3349 c->src.val &= (c->dst.bytes << 3) - 1;
3350 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3352 case 0xa4: /* shld imm8, r, r/m */
3353 case 0xa5: /* shld cl, r, r/m */
3354 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3356 case 0xa8: /* push gs */
3357 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3359 case 0xa9: /* pop gs */
3360 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3361 if (rc != X86EMUL_CONTINUE)
3366 /* only subword offset */
3367 c->src.val &= (c->dst.bytes << 3) - 1;
3368 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3370 case 0xac: /* shrd imm8, r, r/m */
3371 case 0xad: /* shrd cl, r, r/m */
3372 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3374 case 0xae: /* clflush */
3376 case 0xb0 ... 0xb1: /* cmpxchg */
3378 * Save real source value, then compare EAX against
3381 c->src.orig_val = c->src.val;
3382 c->src.val = c->regs[VCPU_REGS_RAX];
3383 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3384 if (ctxt->eflags & EFLG_ZF) {
3385 /* Success: write back to memory. */
3386 c->dst.val = c->src.orig_val;
3388 /* Failure: write the value we saw to EAX. */
3389 c->dst.type = OP_REG;
3390 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3395 /* only subword offset */
3396 c->src.val &= (c->dst.bytes << 3) - 1;
3397 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3399 case 0xb6 ... 0xb7: /* movzx */
3400 c->dst.bytes = c->op_bytes;
3401 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3404 case 0xba: /* Grp8 */
3405 switch (c->modrm_reg & 3) {
3418 /* only subword offset */
3419 c->src.val &= (c->dst.bytes << 3) - 1;
3420 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3422 case 0xbe ... 0xbf: /* movsx */
3423 c->dst.bytes = c->op_bytes;
3424 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3427 case 0xc3: /* movnti */
3428 c->dst.bytes = c->op_bytes;
3429 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3432 case 0xc7: /* Grp9 (cmpxchg8b) */
3433 rc = emulate_grp9(ctxt, ops);
3434 if (rc != X86EMUL_CONTINUE)
3438 goto cannot_emulate;
3443 DPRINTF("Cannot emulate %02x\n", c->b);
projects / firefly-linux-kernel-4.4.55.git / blob