1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
27 #include <linux/stringify.h>
36 #define OpImplicit 1ull /* No generic decode */
37 #define OpReg 2ull /* Register */
38 #define OpMem 3ull /* Memory */
39 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
40 #define OpDI 5ull /* ES:DI/EDI/RDI */
41 #define OpMem64 6ull /* Memory, 64-bit */
42 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
43 #define OpDX 8ull /* DX register */
44 #define OpCL 9ull /* CL register (for shifts) */
45 #define OpImmByte 10ull /* 8-bit sign extended immediate */
46 #define OpOne 11ull /* Implied 1 */
47 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
48 #define OpMem16 13ull /* Memory operand (16-bit). */
49 #define OpMem32 14ull /* Memory operand (32-bit). */
50 #define OpImmU 15ull /* Immediate operand, zero extended */
51 #define OpSI 16ull /* SI/ESI/RSI */
52 #define OpImmFAddr 17ull /* Immediate far address */
53 #define OpMemFAddr 18ull /* Far address in memory */
54 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
55 #define OpES 20ull /* ES */
56 #define OpCS 21ull /* CS */
57 #define OpSS 22ull /* SS */
58 #define OpDS 23ull /* DS */
59 #define OpFS 24ull /* FS */
60 #define OpGS 25ull /* GS */
61 #define OpMem8 26ull /* 8-bit zero extended memory operand */
62 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
64 #define OpBits 5 /* Width of operand field */
65 #define OpMask ((1ull << OpBits) - 1)
68 * Opcode effective-address decode tables.
69 * Note that we only emulate instructions that have at least one memory
70 * operand (excluding implicit stack references). We assume that stack
71 * references and instruction fetches will never occur in special memory
72 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
76 /* Operand sizes: 8-bit operands or specified/overridden size. */
77 #define ByteOp (1<<0) /* 8-bit operands. */
78 /* Destination operand type. */
80 #define ImplicitOps (OpImplicit << DstShift)
81 #define DstReg (OpReg << DstShift)
82 #define DstMem (OpMem << DstShift)
83 #define DstAcc (OpAcc << DstShift)
84 #define DstDI (OpDI << DstShift)
85 #define DstMem64 (OpMem64 << DstShift)
86 #define DstImmUByte (OpImmUByte << DstShift)
87 #define DstDX (OpDX << DstShift)
88 #define DstMask (OpMask << DstShift)
89 /* Source operand type. */
91 #define SrcNone (OpNone << SrcShift)
92 #define SrcReg (OpReg << SrcShift)
93 #define SrcMem (OpMem << SrcShift)
94 #define SrcMem16 (OpMem16 << SrcShift)
95 #define SrcMem32 (OpMem32 << SrcShift)
96 #define SrcImm (OpImm << SrcShift)
97 #define SrcImmByte (OpImmByte << SrcShift)
98 #define SrcOne (OpOne << SrcShift)
99 #define SrcImmUByte (OpImmUByte << SrcShift)
100 #define SrcImmU (OpImmU << SrcShift)
101 #define SrcSI (OpSI << SrcShift)
102 #define SrcImmFAddr (OpImmFAddr << SrcShift)
103 #define SrcMemFAddr (OpMemFAddr << SrcShift)
104 #define SrcAcc (OpAcc << SrcShift)
105 #define SrcImmU16 (OpImmU16 << SrcShift)
106 #define SrcImm64 (OpImm64 << SrcShift)
107 #define SrcDX (OpDX << SrcShift)
108 #define SrcMem8 (OpMem8 << SrcShift)
109 #define SrcMask (OpMask << SrcShift)
110 #define BitOp (1<<11)
111 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
112 #define String (1<<13) /* String instruction (rep capable) */
113 #define Stack (1<<14) /* Stack instruction (push/pop) */
114 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
115 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
116 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
117 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
118 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
119 #define Escape (5<<15) /* Escape to coprocessor instruction */
120 #define Sse (1<<18) /* SSE Vector instruction */
121 /* Generic ModRM decode. */
122 #define ModRM (1<<19)
123 /* Destination is only written; never read. */
126 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
127 #define VendorSpecific (1<<22) /* Vendor specific instruction */
128 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
129 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
130 #define Undefined (1<<25) /* No Such Instruction */
131 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
132 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
134 #define PageTable (1 << 29) /* instruction used to write page table */
135 #define NotImpl (1 << 30) /* instruction is not implemented */
136 /* Source 2 operand type */
137 #define Src2Shift (31)
138 #define Src2None (OpNone << Src2Shift)
139 #define Src2CL (OpCL << Src2Shift)
140 #define Src2ImmByte (OpImmByte << Src2Shift)
141 #define Src2One (OpOne << Src2Shift)
142 #define Src2Imm (OpImm << Src2Shift)
143 #define Src2ES (OpES << Src2Shift)
144 #define Src2CS (OpCS << Src2Shift)
145 #define Src2SS (OpSS << Src2Shift)
146 #define Src2DS (OpDS << Src2Shift)
147 #define Src2FS (OpFS << Src2Shift)
148 #define Src2GS (OpGS << Src2Shift)
149 #define Src2Mask (OpMask << Src2Shift)
150 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
151 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
152 #define Unaligned ((u64)1 << 42) /* Explicitly unaligned (e.g. MOVDQU) */
153 #define Avx ((u64)1 << 43) /* Advanced Vector Extensions */
154 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
155 #define NoWrite ((u64)1 << 45) /* No writeback */
157 #define X2(x...) x, x
158 #define X3(x...) X2(x), x
159 #define X4(x...) X2(x), X2(x)
160 #define X5(x...) X4(x), x
161 #define X6(x...) X4(x), X2(x)
162 #define X7(x...) X4(x), X3(x)
163 #define X8(x...) X4(x), X4(x)
164 #define X16(x...) X8(x), X8(x)
166 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
167 #define FASTOP_SIZE 8
170 * fastop functions have a special calling convention:
172 * dst: [rdx]:rax (in/out)
175 * flags: rflags (in/out)
177 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
178 * different operand sizes can be reached by calculation, rather than a jump
179 * table (which would be bigger than the code).
181 * fastop functions are declared as taking a never-defined fastop parameter,
182 * so they can't be called from C directly.
191 int (*execute)(struct x86_emulate_ctxt *ctxt);
192 const struct opcode *group;
193 const struct group_dual *gdual;
194 const struct gprefix *gprefix;
195 const struct escape *esc;
196 void (*fastop)(struct fastop *fake);
198 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
202 struct opcode mod012[8];
203 struct opcode mod3[8];
207 struct opcode pfx_no;
208 struct opcode pfx_66;
209 struct opcode pfx_f2;
210 struct opcode pfx_f3;
215 struct opcode high[64];
218 /* EFLAGS bit definitions. */
219 #define EFLG_ID (1<<21)
220 #define EFLG_VIP (1<<20)
221 #define EFLG_VIF (1<<19)
222 #define EFLG_AC (1<<18)
223 #define EFLG_VM (1<<17)
224 #define EFLG_RF (1<<16)
225 #define EFLG_IOPL (3<<12)
226 #define EFLG_NT (1<<14)
227 #define EFLG_OF (1<<11)
228 #define EFLG_DF (1<<10)
229 #define EFLG_IF (1<<9)
230 #define EFLG_TF (1<<8)
231 #define EFLG_SF (1<<7)
232 #define EFLG_ZF (1<<6)
233 #define EFLG_AF (1<<4)
234 #define EFLG_PF (1<<2)
235 #define EFLG_CF (1<<0)
237 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
238 #define EFLG_RESERVED_ONE_MASK 2
240 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
242 if (!(ctxt->regs_valid & (1 << nr))) {
243 ctxt->regs_valid |= 1 << nr;
244 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
246 return ctxt->_regs[nr];
249 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
251 ctxt->regs_valid |= 1 << nr;
252 ctxt->regs_dirty |= 1 << nr;
253 return &ctxt->_regs[nr];
256 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
259 return reg_write(ctxt, nr);
262 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
266 for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
267 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
270 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
272 ctxt->regs_dirty = 0;
273 ctxt->regs_valid = 0;
277 * Instruction emulation:
278 * Most instructions are emulated directly via a fragment of inline assembly
279 * code. This allows us to save/restore EFLAGS and thus very easily pick up
280 * any modified flags.
283 #if defined(CONFIG_X86_64)
284 #define _LO32 "k" /* force 32-bit operand */
285 #define _STK "%%rsp" /* stack pointer */
286 #elif defined(__i386__)
287 #define _LO32 "" /* force 32-bit operand */
288 #define _STK "%%esp" /* stack pointer */
292 * These EFLAGS bits are restored from saved value during emulation, and
293 * any changes are written back to the saved value after emulation.
295 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
297 /* Before executing instruction: restore necessary bits in EFLAGS. */
298 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
299 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
300 "movl %"_sav",%"_LO32 _tmp"; " \
303 "movl %"_msk",%"_LO32 _tmp"; " \
304 "andl %"_LO32 _tmp",("_STK"); " \
306 "notl %"_LO32 _tmp"; " \
307 "andl %"_LO32 _tmp",("_STK"); " \
308 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
310 "orl %"_LO32 _tmp",("_STK"); " \
314 /* After executing instruction: write-back necessary bits in EFLAGS. */
315 #define _POST_EFLAGS(_sav, _msk, _tmp) \
316 /* _sav |= EFLAGS & _msk; */ \
319 "andl %"_msk",%"_LO32 _tmp"; " \
320 "orl %"_LO32 _tmp",%"_sav"; "
328 #define ____emulate_2op(ctxt, _op, _x, _y, _suffix, _dsttype) \
330 __asm__ __volatile__ ( \
331 _PRE_EFLAGS("0", "4", "2") \
332 _op _suffix " %"_x"3,%1; " \
333 _POST_EFLAGS("0", "4", "2") \
334 : "=m" ((ctxt)->eflags), \
335 "+q" (*(_dsttype*)&(ctxt)->dst.val), \
337 : _y ((ctxt)->src.val), "i" (EFLAGS_MASK)); \
341 /* Raw emulation: instruction has two explicit operands. */
342 #define __emulate_2op_nobyte(ctxt,_op,_wx,_wy,_lx,_ly,_qx,_qy) \
344 unsigned long _tmp; \
346 switch ((ctxt)->dst.bytes) { \
348 ____emulate_2op(ctxt,_op,_wx,_wy,"w",u16); \
351 ____emulate_2op(ctxt,_op,_lx,_ly,"l",u32); \
354 ON64(____emulate_2op(ctxt,_op,_qx,_qy,"q",u64)); \
359 #define __emulate_2op(ctxt,_op,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
361 unsigned long _tmp; \
362 switch ((ctxt)->dst.bytes) { \
364 ____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \
367 __emulate_2op_nobyte(ctxt, _op, \
368 _wx, _wy, _lx, _ly, _qx, _qy); \
373 /* Source operand is byte-sized and may be restricted to just %cl. */
374 #define emulate_2op_SrcB(ctxt, _op) \
375 __emulate_2op(ctxt, _op, "b", "c", "b", "c", "b", "c", "b", "c")
377 /* Source operand is byte, word, long or quad sized. */
378 #define emulate_2op_SrcV(ctxt, _op) \
379 __emulate_2op(ctxt, _op, "b", "q", "w", "r", _LO32, "r", "", "r")
381 /* Source operand is word, long or quad sized. */
382 #define emulate_2op_SrcV_nobyte(ctxt, _op) \
383 __emulate_2op_nobyte(ctxt, _op, "w", "r", _LO32, "r", "", "r")
385 /* Instruction has three operands and one operand is stored in ECX register */
386 #define __emulate_2op_cl(ctxt, _op, _suffix, _type) \
388 unsigned long _tmp; \
389 _type _clv = (ctxt)->src2.val; \
390 _type _srcv = (ctxt)->src.val; \
391 _type _dstv = (ctxt)->dst.val; \
393 __asm__ __volatile__ ( \
394 _PRE_EFLAGS("0", "5", "2") \
395 _op _suffix " %4,%1 \n" \
396 _POST_EFLAGS("0", "5", "2") \
397 : "=m" ((ctxt)->eflags), "+r" (_dstv), "=&r" (_tmp) \
398 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
401 (ctxt)->src2.val = (unsigned long) _clv; \
402 (ctxt)->src2.val = (unsigned long) _srcv; \
403 (ctxt)->dst.val = (unsigned long) _dstv; \
406 #define emulate_2op_cl(ctxt, _op) \
408 switch ((ctxt)->dst.bytes) { \
410 __emulate_2op_cl(ctxt, _op, "w", u16); \
413 __emulate_2op_cl(ctxt, _op, "l", u32); \
416 ON64(__emulate_2op_cl(ctxt, _op, "q", ulong)); \
421 #define __emulate_1op(ctxt, _op, _suffix) \
423 unsigned long _tmp; \
425 __asm__ __volatile__ ( \
426 _PRE_EFLAGS("0", "3", "2") \
427 _op _suffix " %1; " \
428 _POST_EFLAGS("0", "3", "2") \
429 : "=m" ((ctxt)->eflags), "+m" ((ctxt)->dst.val), \
431 : "i" (EFLAGS_MASK)); \
434 /* Instruction has only one explicit operand (no source operand). */
435 #define emulate_1op(ctxt, _op) \
437 switch ((ctxt)->dst.bytes) { \
438 case 1: __emulate_1op(ctxt, _op, "b"); break; \
439 case 2: __emulate_1op(ctxt, _op, "w"); break; \
440 case 4: __emulate_1op(ctxt, _op, "l"); break; \
441 case 8: ON64(__emulate_1op(ctxt, _op, "q")); break; \
445 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *));
447 #define FOP_ALIGN ".align " __stringify(FASTOP_SIZE) " \n\t"
448 #define FOP_RET "ret \n\t"
450 #define FOP_START(op) \
451 extern void em_##op(struct fastop *fake); \
452 asm(".pushsection .text, \"ax\" \n\t" \
453 ".global em_" #op " \n\t" \
460 #define FOPNOP() FOP_ALIGN FOP_RET
462 #define FOP1E(op, dst) \
463 FOP_ALIGN #op " %" #dst " \n\t" FOP_RET
465 #define FASTOP1(op) \
470 ON64(FOP1E(op##q, rax)) \
473 #define FOP2E(op, dst, src) \
474 FOP_ALIGN #op " %" #src ", %" #dst " \n\t" FOP_RET
476 #define FASTOP2(op) \
478 FOP2E(op##b, al, bl) \
479 FOP2E(op##w, ax, bx) \
480 FOP2E(op##l, eax, ebx) \
481 ON64(FOP2E(op##q, rax, rbx)) \
484 /* 2 operand, word only */
485 #define FASTOP2W(op) \
488 FOP2E(op##w, ax, bx) \
489 FOP2E(op##l, eax, ebx) \
490 ON64(FOP2E(op##q, rax, rbx)) \
493 /* 2 operand, src is CL */
494 #define FASTOP2CL(op) \
496 FOP2E(op##b, al, cl) \
497 FOP2E(op##w, ax, cl) \
498 FOP2E(op##l, eax, cl) \
499 ON64(FOP2E(op##q, rax, cl)) \
502 #define FOP3E(op, dst, src, src2) \
503 FOP_ALIGN #op " %" #src2 ", %" #src ", %" #dst " \n\t" FOP_RET
505 /* 3-operand, word-only, src2=cl */
506 #define FASTOP3WCL(op) \
509 FOP3E(op##w, ax, bx, cl) \
510 FOP3E(op##l, eax, ebx, cl) \
511 ON64(FOP3E(op##q, rax, rbx, cl)) \
514 /* Special case for SETcc - 1 instruction per cc */
515 #define FOP_SETCC(op) ".align 4; " #op " %al; ret \n\t"
536 #define __emulate_1op_rax_rdx(ctxt, _op, _suffix, _ex) \
538 unsigned long _tmp; \
539 ulong *rax = reg_rmw((ctxt), VCPU_REGS_RAX); \
540 ulong *rdx = reg_rmw((ctxt), VCPU_REGS_RDX); \
542 __asm__ __volatile__ ( \
543 _PRE_EFLAGS("0", "5", "1") \
545 _op _suffix " %6; " \
547 _POST_EFLAGS("0", "5", "1") \
548 ".pushsection .fixup,\"ax\" \n\t" \
549 "3: movb $1, %4 \n\t" \
552 _ASM_EXTABLE(1b, 3b) \
553 : "=m" ((ctxt)->eflags), "=&r" (_tmp), \
554 "+a" (*rax), "+d" (*rdx), "+qm"(_ex) \
555 : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val)); \
558 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
559 #define emulate_1op_rax_rdx(ctxt, _op, _ex) \
561 switch((ctxt)->src.bytes) { \
563 __emulate_1op_rax_rdx(ctxt, _op, "b", _ex); \
566 __emulate_1op_rax_rdx(ctxt, _op, "w", _ex); \
569 __emulate_1op_rax_rdx(ctxt, _op, "l", _ex); \
572 __emulate_1op_rax_rdx(ctxt, _op, "q", _ex)); \
577 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
578 enum x86_intercept intercept,
579 enum x86_intercept_stage stage)
581 struct x86_instruction_info info = {
582 .intercept = intercept,
583 .rep_prefix = ctxt->rep_prefix,
584 .modrm_mod = ctxt->modrm_mod,
585 .modrm_reg = ctxt->modrm_reg,
586 .modrm_rm = ctxt->modrm_rm,
587 .src_val = ctxt->src.val64,
588 .src_bytes = ctxt->src.bytes,
589 .dst_bytes = ctxt->dst.bytes,
590 .ad_bytes = ctxt->ad_bytes,
591 .next_rip = ctxt->eip,
594 return ctxt->ops->intercept(ctxt, &info, stage);
597 static void assign_masked(ulong *dest, ulong src, ulong mask)
599 *dest = (*dest & ~mask) | (src & mask);
602 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
604 return (1UL << (ctxt->ad_bytes << 3)) - 1;
607 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
610 struct desc_struct ss;
612 if (ctxt->mode == X86EMUL_MODE_PROT64)
614 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
615 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
618 static int stack_size(struct x86_emulate_ctxt *ctxt)
620 return (__fls(stack_mask(ctxt)) + 1) >> 3;
623 /* Access/update address held in a register, based on addressing mode. */
624 static inline unsigned long
625 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
627 if (ctxt->ad_bytes == sizeof(unsigned long))
630 return reg & ad_mask(ctxt);
633 static inline unsigned long
634 register_address(struct x86_emulate_ctxt *ctxt, unsigned long reg)
636 return address_mask(ctxt, reg);
639 static void masked_increment(ulong *reg, ulong mask, int inc)
641 assign_masked(reg, *reg + inc, mask);
645 register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, int inc)
649 if (ctxt->ad_bytes == sizeof(unsigned long))
652 mask = ad_mask(ctxt);
653 masked_increment(reg, mask, inc);
656 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
658 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
661 static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
663 register_address_increment(ctxt, &ctxt->_eip, rel);
666 static u32 desc_limit_scaled(struct desc_struct *desc)
668 u32 limit = get_desc_limit(desc);
670 return desc->g ? (limit << 12) | 0xfff : limit;
673 static void set_seg_override(struct x86_emulate_ctxt *ctxt, int seg)
675 ctxt->has_seg_override = true;
676 ctxt->seg_override = seg;
679 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
681 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
684 return ctxt->ops->get_cached_segment_base(ctxt, seg);
687 static unsigned seg_override(struct x86_emulate_ctxt *ctxt)
689 if (!ctxt->has_seg_override)
692 return ctxt->seg_override;
695 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
696 u32 error, bool valid)
698 ctxt->exception.vector = vec;
699 ctxt->exception.error_code = error;
700 ctxt->exception.error_code_valid = valid;
701 return X86EMUL_PROPAGATE_FAULT;
704 static int emulate_db(struct x86_emulate_ctxt *ctxt)
706 return emulate_exception(ctxt, DB_VECTOR, 0, false);
709 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
711 return emulate_exception(ctxt, GP_VECTOR, err, true);
714 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
716 return emulate_exception(ctxt, SS_VECTOR, err, true);
719 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
721 return emulate_exception(ctxt, UD_VECTOR, 0, false);
724 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
726 return emulate_exception(ctxt, TS_VECTOR, err, true);
729 static int emulate_de(struct x86_emulate_ctxt *ctxt)
731 return emulate_exception(ctxt, DE_VECTOR, 0, false);
734 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
736 return emulate_exception(ctxt, NM_VECTOR, 0, false);
739 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
742 struct desc_struct desc;
744 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
748 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
753 struct desc_struct desc;
755 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
756 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
760 * x86 defines three classes of vector instructions: explicitly
761 * aligned, explicitly unaligned, and the rest, which change behaviour
762 * depending on whether they're AVX encoded or not.
764 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
765 * subject to the same check.
767 static bool insn_aligned(struct x86_emulate_ctxt *ctxt, unsigned size)
769 if (likely(size < 16))
772 if (ctxt->d & Aligned)
774 else if (ctxt->d & Unaligned)
776 else if (ctxt->d & Avx)
782 static int __linearize(struct x86_emulate_ctxt *ctxt,
783 struct segmented_address addr,
784 unsigned size, bool write, bool fetch,
787 struct desc_struct desc;
794 la = seg_base(ctxt, addr.seg) + addr.ea;
795 switch (ctxt->mode) {
796 case X86EMUL_MODE_PROT64:
797 if (((signed long)la << 16) >> 16 != la)
798 return emulate_gp(ctxt, 0);
801 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
805 /* code segment in protected mode or read-only data segment */
806 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
807 || !(desc.type & 2)) && write)
809 /* unreadable code segment */
810 if (!fetch && (desc.type & 8) && !(desc.type & 2))
812 lim = desc_limit_scaled(&desc);
813 if ((desc.type & 8) || !(desc.type & 4)) {
814 /* expand-up segment */
815 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
818 /* expand-down segment */
819 if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
821 lim = desc.d ? 0xffffffff : 0xffff;
822 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
825 cpl = ctxt->ops->cpl(ctxt);
826 if (!(desc.type & 8)) {
830 } else if ((desc.type & 8) && !(desc.type & 4)) {
831 /* nonconforming code segment */
834 } else if ((desc.type & 8) && (desc.type & 4)) {
835 /* conforming code segment */
841 if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : ctxt->ad_bytes != 8)
843 if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
844 return emulate_gp(ctxt, 0);
846 return X86EMUL_CONTINUE;
848 if (addr.seg == VCPU_SREG_SS)
849 return emulate_ss(ctxt, sel);
851 return emulate_gp(ctxt, sel);
854 static int linearize(struct x86_emulate_ctxt *ctxt,
855 struct segmented_address addr,
856 unsigned size, bool write,
859 return __linearize(ctxt, addr, size, write, false, linear);
863 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
864 struct segmented_address addr,
871 rc = linearize(ctxt, addr, size, false, &linear);
872 if (rc != X86EMUL_CONTINUE)
874 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
878 * Fetch the next byte of the instruction being emulated which is pointed to
879 * by ctxt->_eip, then increment ctxt->_eip.
881 * Also prefetch the remaining bytes of the instruction without crossing page
882 * boundary if they are not in fetch_cache yet.
884 static int do_insn_fetch_byte(struct x86_emulate_ctxt *ctxt, u8 *dest)
886 struct fetch_cache *fc = &ctxt->fetch;
890 if (ctxt->_eip == fc->end) {
891 unsigned long linear;
892 struct segmented_address addr = { .seg = VCPU_SREG_CS,
894 cur_size = fc->end - fc->start;
895 size = min(15UL - cur_size,
896 PAGE_SIZE - offset_in_page(ctxt->_eip));
897 rc = __linearize(ctxt, addr, size, false, true, &linear);
898 if (unlikely(rc != X86EMUL_CONTINUE))
900 rc = ctxt->ops->fetch(ctxt, linear, fc->data + cur_size,
901 size, &ctxt->exception);
902 if (unlikely(rc != X86EMUL_CONTINUE))
906 *dest = fc->data[ctxt->_eip - fc->start];
908 return X86EMUL_CONTINUE;
911 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
912 void *dest, unsigned size)
916 /* x86 instructions are limited to 15 bytes. */
917 if (unlikely(ctxt->_eip + size - ctxt->eip > 15))
918 return X86EMUL_UNHANDLEABLE;
920 rc = do_insn_fetch_byte(ctxt, dest++);
921 if (rc != X86EMUL_CONTINUE)
924 return X86EMUL_CONTINUE;
927 /* Fetch next part of the instruction being emulated. */
928 #define insn_fetch(_type, _ctxt) \
929 ({ unsigned long _x; \
930 rc = do_insn_fetch(_ctxt, &_x, sizeof(_type)); \
931 if (rc != X86EMUL_CONTINUE) \
936 #define insn_fetch_arr(_arr, _size, _ctxt) \
937 ({ rc = do_insn_fetch(_ctxt, _arr, (_size)); \
938 if (rc != X86EMUL_CONTINUE) \
943 * Given the 'reg' portion of a ModRM byte, and a register block, return a
944 * pointer into the block that addresses the relevant register.
945 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
947 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
952 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
953 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
955 p = reg_rmw(ctxt, modrm_reg);
959 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
960 struct segmented_address addr,
961 u16 *size, unsigned long *address, int op_bytes)
968 rc = segmented_read_std(ctxt, addr, size, 2);
969 if (rc != X86EMUL_CONTINUE)
972 rc = segmented_read_std(ctxt, addr, address, op_bytes);
1011 static u8 test_cc(unsigned int condition, unsigned long flags)
1014 void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
1016 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
1017 asm("push %[flags]; popf; call *%[fastop]"
1018 : "=a"(rc) : [fastop]"r"(fop), [flags]"r"(flags));
1022 static void fetch_register_operand(struct operand *op)
1024 switch (op->bytes) {
1026 op->val = *(u8 *)op->addr.reg;
1029 op->val = *(u16 *)op->addr.reg;
1032 op->val = *(u32 *)op->addr.reg;
1035 op->val = *(u64 *)op->addr.reg;
1040 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
1042 ctxt->ops->get_fpu(ctxt);
1044 case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
1045 case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
1046 case 2: asm("movdqa %%xmm2, %0" : "=m"(*data)); break;
1047 case 3: asm("movdqa %%xmm3, %0" : "=m"(*data)); break;
1048 case 4: asm("movdqa %%xmm4, %0" : "=m"(*data)); break;
1049 case 5: asm("movdqa %%xmm5, %0" : "=m"(*data)); break;
1050 case 6: asm("movdqa %%xmm6, %0" : "=m"(*data)); break;
1051 case 7: asm("movdqa %%xmm7, %0" : "=m"(*data)); break;
1052 #ifdef CONFIG_X86_64
1053 case 8: asm("movdqa %%xmm8, %0" : "=m"(*data)); break;
1054 case 9: asm("movdqa %%xmm9, %0" : "=m"(*data)); break;
1055 case 10: asm("movdqa %%xmm10, %0" : "=m"(*data)); break;
1056 case 11: asm("movdqa %%xmm11, %0" : "=m"(*data)); break;
1057 case 12: asm("movdqa %%xmm12, %0" : "=m"(*data)); break;
1058 case 13: asm("movdqa %%xmm13, %0" : "=m"(*data)); break;
1059 case 14: asm("movdqa %%xmm14, %0" : "=m"(*data)); break;
1060 case 15: asm("movdqa %%xmm15, %0" : "=m"(*data)); break;
1064 ctxt->ops->put_fpu(ctxt);
1067 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
1070 ctxt->ops->get_fpu(ctxt);
1072 case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
1073 case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
1074 case 2: asm("movdqa %0, %%xmm2" : : "m"(*data)); break;
1075 case 3: asm("movdqa %0, %%xmm3" : : "m"(*data)); break;
1076 case 4: asm("movdqa %0, %%xmm4" : : "m"(*data)); break;
1077 case 5: asm("movdqa %0, %%xmm5" : : "m"(*data)); break;
1078 case 6: asm("movdqa %0, %%xmm6" : : "m"(*data)); break;
1079 case 7: asm("movdqa %0, %%xmm7" : : "m"(*data)); break;
1080 #ifdef CONFIG_X86_64
1081 case 8: asm("movdqa %0, %%xmm8" : : "m"(*data)); break;
1082 case 9: asm("movdqa %0, %%xmm9" : : "m"(*data)); break;
1083 case 10: asm("movdqa %0, %%xmm10" : : "m"(*data)); break;
1084 case 11: asm("movdqa %0, %%xmm11" : : "m"(*data)); break;
1085 case 12: asm("movdqa %0, %%xmm12" : : "m"(*data)); break;
1086 case 13: asm("movdqa %0, %%xmm13" : : "m"(*data)); break;
1087 case 14: asm("movdqa %0, %%xmm14" : : "m"(*data)); break;
1088 case 15: asm("movdqa %0, %%xmm15" : : "m"(*data)); break;
1092 ctxt->ops->put_fpu(ctxt);
1095 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1097 ctxt->ops->get_fpu(ctxt);
1099 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
1100 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
1101 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
1102 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
1103 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
1104 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
1105 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
1106 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
1109 ctxt->ops->put_fpu(ctxt);
1112 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1114 ctxt->ops->get_fpu(ctxt);
1116 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
1117 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
1118 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
1119 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
1120 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
1121 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
1122 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
1123 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
1126 ctxt->ops->put_fpu(ctxt);
1129 static int em_fninit(struct x86_emulate_ctxt *ctxt)
1131 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1132 return emulate_nm(ctxt);
1134 ctxt->ops->get_fpu(ctxt);
1135 asm volatile("fninit");
1136 ctxt->ops->put_fpu(ctxt);
1137 return X86EMUL_CONTINUE;
1140 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1144 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1145 return emulate_nm(ctxt);
1147 ctxt->ops->get_fpu(ctxt);
1148 asm volatile("fnstcw %0": "+m"(fcw));
1149 ctxt->ops->put_fpu(ctxt);
1151 /* force 2 byte destination */
1152 ctxt->dst.bytes = 2;
1153 ctxt->dst.val = fcw;
1155 return X86EMUL_CONTINUE;
1158 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1162 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1163 return emulate_nm(ctxt);
1165 ctxt->ops->get_fpu(ctxt);
1166 asm volatile("fnstsw %0": "+m"(fsw));
1167 ctxt->ops->put_fpu(ctxt);
1169 /* force 2 byte destination */
1170 ctxt->dst.bytes = 2;
1171 ctxt->dst.val = fsw;
1173 return X86EMUL_CONTINUE;
1176 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1179 unsigned reg = ctxt->modrm_reg;
1180 int highbyte_regs = ctxt->rex_prefix == 0;
1182 if (!(ctxt->d & ModRM))
1183 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1185 if (ctxt->d & Sse) {
1189 read_sse_reg(ctxt, &op->vec_val, reg);
1192 if (ctxt->d & Mmx) {
1201 if (ctxt->d & ByteOp) {
1202 op->addr.reg = decode_register(ctxt, reg, highbyte_regs);
1205 op->addr.reg = decode_register(ctxt, reg, 0);
1206 op->bytes = ctxt->op_bytes;
1208 fetch_register_operand(op);
1209 op->orig_val = op->val;
1212 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1214 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1215 ctxt->modrm_seg = VCPU_SREG_SS;
1218 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1222 int index_reg = 0, base_reg = 0, scale;
1223 int rc = X86EMUL_CONTINUE;
1226 if (ctxt->rex_prefix) {
1227 ctxt->modrm_reg = (ctxt->rex_prefix & 4) << 1; /* REX.R */
1228 index_reg = (ctxt->rex_prefix & 2) << 2; /* REX.X */
1229 ctxt->modrm_rm = base_reg = (ctxt->rex_prefix & 1) << 3; /* REG.B */
1232 ctxt->modrm_mod |= (ctxt->modrm & 0xc0) >> 6;
1233 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1234 ctxt->modrm_rm |= (ctxt->modrm & 0x07);
1235 ctxt->modrm_seg = VCPU_SREG_DS;
1237 if (ctxt->modrm_mod == 3) {
1239 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1240 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm, ctxt->d & ByteOp);
1241 if (ctxt->d & Sse) {
1244 op->addr.xmm = ctxt->modrm_rm;
1245 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
1248 if (ctxt->d & Mmx) {
1251 op->addr.xmm = ctxt->modrm_rm & 7;
1254 fetch_register_operand(op);
1260 if (ctxt->ad_bytes == 2) {
1261 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1262 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1263 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1264 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1266 /* 16-bit ModR/M decode. */
1267 switch (ctxt->modrm_mod) {
1269 if (ctxt->modrm_rm == 6)
1270 modrm_ea += insn_fetch(u16, ctxt);
1273 modrm_ea += insn_fetch(s8, ctxt);
1276 modrm_ea += insn_fetch(u16, ctxt);
1279 switch (ctxt->modrm_rm) {
1281 modrm_ea += bx + si;
1284 modrm_ea += bx + di;
1287 modrm_ea += bp + si;
1290 modrm_ea += bp + di;
1299 if (ctxt->modrm_mod != 0)
1306 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1307 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1308 ctxt->modrm_seg = VCPU_SREG_SS;
1309 modrm_ea = (u16)modrm_ea;
1311 /* 32/64-bit ModR/M decode. */
1312 if ((ctxt->modrm_rm & 7) == 4) {
1313 sib = insn_fetch(u8, ctxt);
1314 index_reg |= (sib >> 3) & 7;
1315 base_reg |= sib & 7;
1318 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1319 modrm_ea += insn_fetch(s32, ctxt);
1321 modrm_ea += reg_read(ctxt, base_reg);
1322 adjust_modrm_seg(ctxt, base_reg);
1325 modrm_ea += reg_read(ctxt, index_reg) << scale;
1326 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1327 if (ctxt->mode == X86EMUL_MODE_PROT64)
1328 ctxt->rip_relative = 1;
1330 base_reg = ctxt->modrm_rm;
1331 modrm_ea += reg_read(ctxt, base_reg);
1332 adjust_modrm_seg(ctxt, base_reg);
1334 switch (ctxt->modrm_mod) {
1336 if (ctxt->modrm_rm == 5)
1337 modrm_ea += insn_fetch(s32, ctxt);
1340 modrm_ea += insn_fetch(s8, ctxt);
1343 modrm_ea += insn_fetch(s32, ctxt);
1347 op->addr.mem.ea = modrm_ea;
1352 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1355 int rc = X86EMUL_CONTINUE;
1358 switch (ctxt->ad_bytes) {
1360 op->addr.mem.ea = insn_fetch(u16, ctxt);
1363 op->addr.mem.ea = insn_fetch(u32, ctxt);
1366 op->addr.mem.ea = insn_fetch(u64, ctxt);
1373 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1377 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1378 mask = ~(ctxt->dst.bytes * 8 - 1);
1380 if (ctxt->src.bytes == 2)
1381 sv = (s16)ctxt->src.val & (s16)mask;
1382 else if (ctxt->src.bytes == 4)
1383 sv = (s32)ctxt->src.val & (s32)mask;
1385 ctxt->dst.addr.mem.ea += (sv >> 3);
1388 /* only subword offset */
1389 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1392 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1393 unsigned long addr, void *dest, unsigned size)
1396 struct read_cache *mc = &ctxt->mem_read;
1398 if (mc->pos < mc->end)
1401 WARN_ON((mc->end + size) >= sizeof(mc->data));
1403 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1405 if (rc != X86EMUL_CONTINUE)
1411 memcpy(dest, mc->data + mc->pos, size);
1413 return X86EMUL_CONTINUE;
1416 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1417 struct segmented_address addr,
1424 rc = linearize(ctxt, addr, size, false, &linear);
1425 if (rc != X86EMUL_CONTINUE)
1427 return read_emulated(ctxt, linear, data, size);
1430 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1431 struct segmented_address addr,
1438 rc = linearize(ctxt, addr, size, true, &linear);
1439 if (rc != X86EMUL_CONTINUE)
1441 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1445 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1446 struct segmented_address addr,
1447 const void *orig_data, const void *data,
1453 rc = linearize(ctxt, addr, size, true, &linear);
1454 if (rc != X86EMUL_CONTINUE)
1456 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1457 size, &ctxt->exception);
1460 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1461 unsigned int size, unsigned short port,
1464 struct read_cache *rc = &ctxt->io_read;
1466 if (rc->pos == rc->end) { /* refill pio read ahead */
1467 unsigned int in_page, n;
1468 unsigned int count = ctxt->rep_prefix ?
1469 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1470 in_page = (ctxt->eflags & EFLG_DF) ?
1471 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1472 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1473 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1477 rc->pos = rc->end = 0;
1478 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1483 if (ctxt->rep_prefix && !(ctxt->eflags & EFLG_DF)) {
1484 ctxt->dst.data = rc->data + rc->pos;
1485 ctxt->dst.type = OP_MEM_STR;
1486 ctxt->dst.count = (rc->end - rc->pos) / size;
1489 memcpy(dest, rc->data + rc->pos, size);
1495 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1496 u16 index, struct desc_struct *desc)
1501 ctxt->ops->get_idt(ctxt, &dt);
1503 if (dt.size < index * 8 + 7)
1504 return emulate_gp(ctxt, index << 3 | 0x2);
1506 addr = dt.address + index * 8;
1507 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1511 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1512 u16 selector, struct desc_ptr *dt)
1514 const struct x86_emulate_ops *ops = ctxt->ops;
1516 if (selector & 1 << 2) {
1517 struct desc_struct desc;
1520 memset (dt, 0, sizeof *dt);
1521 if (!ops->get_segment(ctxt, &sel, &desc, NULL, VCPU_SREG_LDTR))
1524 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1525 dt->address = get_desc_base(&desc);
1527 ops->get_gdt(ctxt, dt);
1530 /* allowed just for 8 bytes segments */
1531 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1532 u16 selector, struct desc_struct *desc,
1536 u16 index = selector >> 3;
1539 get_descriptor_table_ptr(ctxt, selector, &dt);
1541 if (dt.size < index * 8 + 7)
1542 return emulate_gp(ctxt, selector & 0xfffc);
1544 *desc_addr_p = addr = dt.address + index * 8;
1545 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1549 /* allowed just for 8 bytes segments */
1550 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1551 u16 selector, struct desc_struct *desc)
1554 u16 index = selector >> 3;
1557 get_descriptor_table_ptr(ctxt, selector, &dt);
1559 if (dt.size < index * 8 + 7)
1560 return emulate_gp(ctxt, selector & 0xfffc);
1562 addr = dt.address + index * 8;
1563 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1567 /* Does not support long mode */
1568 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1569 u16 selector, int seg)
1571 struct desc_struct seg_desc, old_desc;
1573 unsigned err_vec = GP_VECTOR;
1575 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1580 memset(&seg_desc, 0, sizeof seg_desc);
1582 if (ctxt->mode == X86EMUL_MODE_REAL) {
1583 /* set real mode segment descriptor (keep limit etc. for
1585 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1586 set_desc_base(&seg_desc, selector << 4);
1588 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1589 /* VM86 needs a clean new segment descriptor */
1590 set_desc_base(&seg_desc, selector << 4);
1591 set_desc_limit(&seg_desc, 0xffff);
1600 cpl = ctxt->ops->cpl(ctxt);
1602 /* NULL selector is not valid for TR, CS and SS (except for long mode) */
1603 if ((seg == VCPU_SREG_CS
1604 || (seg == VCPU_SREG_SS
1605 && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
1606 || seg == VCPU_SREG_TR)
1610 /* TR should be in GDT only */
1611 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1614 if (null_selector) /* for NULL selector skip all following checks */
1617 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1618 if (ret != X86EMUL_CONTINUE)
1621 err_code = selector & 0xfffc;
1622 err_vec = GP_VECTOR;
1624 /* can't load system descriptor into segment selector */
1625 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1629 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1638 * segment is not a writable data segment or segment
1639 * selector's RPL != CPL or segment selector's RPL != CPL
1641 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1645 if (!(seg_desc.type & 8))
1648 if (seg_desc.type & 4) {
1654 if (rpl > cpl || dpl != cpl)
1657 /* CS(RPL) <- CPL */
1658 selector = (selector & 0xfffc) | cpl;
1661 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1663 old_desc = seg_desc;
1664 seg_desc.type |= 2; /* busy */
1665 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1666 sizeof(seg_desc), &ctxt->exception);
1667 if (ret != X86EMUL_CONTINUE)
1670 case VCPU_SREG_LDTR:
1671 if (seg_desc.s || seg_desc.type != 2)
1674 default: /* DS, ES, FS, or GS */
1676 * segment is not a data or readable code segment or
1677 * ((segment is a data or nonconforming code segment)
1678 * and (both RPL and CPL > DPL))
1680 if ((seg_desc.type & 0xa) == 0x8 ||
1681 (((seg_desc.type & 0xc) != 0xc) &&
1682 (rpl > dpl && cpl > dpl)))
1688 /* mark segment as accessed */
1690 ret = write_segment_descriptor(ctxt, selector, &seg_desc);
1691 if (ret != X86EMUL_CONTINUE)
1695 ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
1696 return X86EMUL_CONTINUE;
1698 emulate_exception(ctxt, err_vec, err_code, true);
1699 return X86EMUL_PROPAGATE_FAULT;
1702 static void write_register_operand(struct operand *op)
1704 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1705 switch (op->bytes) {
1707 *(u8 *)op->addr.reg = (u8)op->val;
1710 *(u16 *)op->addr.reg = (u16)op->val;
1713 *op->addr.reg = (u32)op->val;
1714 break; /* 64b: zero-extend */
1716 *op->addr.reg = op->val;
1721 static int writeback(struct x86_emulate_ctxt *ctxt)
1725 if (ctxt->d & NoWrite)
1726 return X86EMUL_CONTINUE;
1728 switch (ctxt->dst.type) {
1730 write_register_operand(&ctxt->dst);
1733 if (ctxt->lock_prefix)
1734 rc = segmented_cmpxchg(ctxt,
1736 &ctxt->dst.orig_val,
1740 rc = segmented_write(ctxt,
1744 if (rc != X86EMUL_CONTINUE)
1748 rc = segmented_write(ctxt,
1751 ctxt->dst.bytes * ctxt->dst.count);
1752 if (rc != X86EMUL_CONTINUE)
1756 write_sse_reg(ctxt, &ctxt->dst.vec_val, ctxt->dst.addr.xmm);
1759 write_mmx_reg(ctxt, &ctxt->dst.mm_val, ctxt->dst.addr.mm);
1767 return X86EMUL_CONTINUE;
1770 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1772 struct segmented_address addr;
1774 rsp_increment(ctxt, -bytes);
1775 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1776 addr.seg = VCPU_SREG_SS;
1778 return segmented_write(ctxt, addr, data, bytes);
1781 static int em_push(struct x86_emulate_ctxt *ctxt)
1783 /* Disable writeback. */
1784 ctxt->dst.type = OP_NONE;
1785 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1788 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1789 void *dest, int len)
1792 struct segmented_address addr;
1794 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1795 addr.seg = VCPU_SREG_SS;
1796 rc = segmented_read(ctxt, addr, dest, len);
1797 if (rc != X86EMUL_CONTINUE)
1800 rsp_increment(ctxt, len);
1804 static int em_pop(struct x86_emulate_ctxt *ctxt)
1806 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1809 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1810 void *dest, int len)
1813 unsigned long val, change_mask;
1814 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1815 int cpl = ctxt->ops->cpl(ctxt);
1817 rc = emulate_pop(ctxt, &val, len);
1818 if (rc != X86EMUL_CONTINUE)
1821 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1822 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1824 switch(ctxt->mode) {
1825 case X86EMUL_MODE_PROT64:
1826 case X86EMUL_MODE_PROT32:
1827 case X86EMUL_MODE_PROT16:
1829 change_mask |= EFLG_IOPL;
1831 change_mask |= EFLG_IF;
1833 case X86EMUL_MODE_VM86:
1835 return emulate_gp(ctxt, 0);
1836 change_mask |= EFLG_IF;
1838 default: /* real mode */
1839 change_mask |= (EFLG_IOPL | EFLG_IF);
1843 *(unsigned long *)dest =
1844 (ctxt->eflags & ~change_mask) | (val & change_mask);
1849 static int em_popf(struct x86_emulate_ctxt *ctxt)
1851 ctxt->dst.type = OP_REG;
1852 ctxt->dst.addr.reg = &ctxt->eflags;
1853 ctxt->dst.bytes = ctxt->op_bytes;
1854 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1857 static int em_enter(struct x86_emulate_ctxt *ctxt)
1860 unsigned frame_size = ctxt->src.val;
1861 unsigned nesting_level = ctxt->src2.val & 31;
1865 return X86EMUL_UNHANDLEABLE;
1867 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1868 rc = push(ctxt, &rbp, stack_size(ctxt));
1869 if (rc != X86EMUL_CONTINUE)
1871 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1873 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1874 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1876 return X86EMUL_CONTINUE;
1879 static int em_leave(struct x86_emulate_ctxt *ctxt)
1881 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1883 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1886 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1888 int seg = ctxt->src2.val;
1890 ctxt->src.val = get_segment_selector(ctxt, seg);
1892 return em_push(ctxt);
1895 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1897 int seg = ctxt->src2.val;
1898 unsigned long selector;
1901 rc = emulate_pop(ctxt, &selector, ctxt->op_bytes);
1902 if (rc != X86EMUL_CONTINUE)
1905 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1909 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1911 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1912 int rc = X86EMUL_CONTINUE;
1913 int reg = VCPU_REGS_RAX;
1915 while (reg <= VCPU_REGS_RDI) {
1916 (reg == VCPU_REGS_RSP) ?
1917 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1920 if (rc != X86EMUL_CONTINUE)
1929 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1931 ctxt->src.val = (unsigned long)ctxt->eflags;
1932 return em_push(ctxt);
1935 static int em_popa(struct x86_emulate_ctxt *ctxt)
1937 int rc = X86EMUL_CONTINUE;
1938 int reg = VCPU_REGS_RDI;
1940 while (reg >= VCPU_REGS_RAX) {
1941 if (reg == VCPU_REGS_RSP) {
1942 rsp_increment(ctxt, ctxt->op_bytes);
1946 rc = emulate_pop(ctxt, reg_rmw(ctxt, reg), ctxt->op_bytes);
1947 if (rc != X86EMUL_CONTINUE)
1954 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1956 const struct x86_emulate_ops *ops = ctxt->ops;
1963 /* TODO: Add limit checks */
1964 ctxt->src.val = ctxt->eflags;
1966 if (rc != X86EMUL_CONTINUE)
1969 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1971 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
1973 if (rc != X86EMUL_CONTINUE)
1976 ctxt->src.val = ctxt->_eip;
1978 if (rc != X86EMUL_CONTINUE)
1981 ops->get_idt(ctxt, &dt);
1983 eip_addr = dt.address + (irq << 2);
1984 cs_addr = dt.address + (irq << 2) + 2;
1986 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
1987 if (rc != X86EMUL_CONTINUE)
1990 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
1991 if (rc != X86EMUL_CONTINUE)
1994 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
1995 if (rc != X86EMUL_CONTINUE)
2003 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2007 invalidate_registers(ctxt);
2008 rc = __emulate_int_real(ctxt, irq);
2009 if (rc == X86EMUL_CONTINUE)
2010 writeback_registers(ctxt);
2014 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
2016 switch(ctxt->mode) {
2017 case X86EMUL_MODE_REAL:
2018 return __emulate_int_real(ctxt, irq);
2019 case X86EMUL_MODE_VM86:
2020 case X86EMUL_MODE_PROT16:
2021 case X86EMUL_MODE_PROT32:
2022 case X86EMUL_MODE_PROT64:
2024 /* Protected mode interrupts unimplemented yet */
2025 return X86EMUL_UNHANDLEABLE;
2029 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2031 int rc = X86EMUL_CONTINUE;
2032 unsigned long temp_eip = 0;
2033 unsigned long temp_eflags = 0;
2034 unsigned long cs = 0;
2035 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
2036 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
2037 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
2038 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
2040 /* TODO: Add stack limit check */
2042 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2044 if (rc != X86EMUL_CONTINUE)
2047 if (temp_eip & ~0xffff)
2048 return emulate_gp(ctxt, 0);
2050 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2052 if (rc != X86EMUL_CONTINUE)
2055 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2057 if (rc != X86EMUL_CONTINUE)
2060 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2062 if (rc != X86EMUL_CONTINUE)
2065 ctxt->_eip = temp_eip;
2068 if (ctxt->op_bytes == 4)
2069 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2070 else if (ctxt->op_bytes == 2) {
2071 ctxt->eflags &= ~0xffff;
2072 ctxt->eflags |= temp_eflags;
2075 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2076 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
2081 static int em_iret(struct x86_emulate_ctxt *ctxt)
2083 switch(ctxt->mode) {
2084 case X86EMUL_MODE_REAL:
2085 return emulate_iret_real(ctxt);
2086 case X86EMUL_MODE_VM86:
2087 case X86EMUL_MODE_PROT16:
2088 case X86EMUL_MODE_PROT32:
2089 case X86EMUL_MODE_PROT64:
2091 /* iret from protected mode unimplemented yet */
2092 return X86EMUL_UNHANDLEABLE;
2096 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2101 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2103 rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
2104 if (rc != X86EMUL_CONTINUE)
2108 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
2109 return X86EMUL_CONTINUE;
2112 static int em_mul_ex(struct x86_emulate_ctxt *ctxt)
2116 emulate_1op_rax_rdx(ctxt, "mul", ex);
2117 return X86EMUL_CONTINUE;
2120 static int em_imul_ex(struct x86_emulate_ctxt *ctxt)
2124 emulate_1op_rax_rdx(ctxt, "imul", ex);
2125 return X86EMUL_CONTINUE;
2128 static int em_div_ex(struct x86_emulate_ctxt *ctxt)
2132 emulate_1op_rax_rdx(ctxt, "div", de);
2134 return emulate_de(ctxt);
2135 return X86EMUL_CONTINUE;
2138 static int em_idiv_ex(struct x86_emulate_ctxt *ctxt)
2142 emulate_1op_rax_rdx(ctxt, "idiv", de);
2144 return emulate_de(ctxt);
2145 return X86EMUL_CONTINUE;
2148 static int em_grp45(struct x86_emulate_ctxt *ctxt)
2150 int rc = X86EMUL_CONTINUE;
2152 switch (ctxt->modrm_reg) {
2153 case 2: /* call near abs */ {
2155 old_eip = ctxt->_eip;
2156 ctxt->_eip = ctxt->src.val;
2157 ctxt->src.val = old_eip;
2161 case 4: /* jmp abs */
2162 ctxt->_eip = ctxt->src.val;
2164 case 5: /* jmp far */
2165 rc = em_jmp_far(ctxt);
2174 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2176 u64 old = ctxt->dst.orig_val64;
2178 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2179 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2180 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2181 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2182 ctxt->eflags &= ~EFLG_ZF;
2184 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2185 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2187 ctxt->eflags |= EFLG_ZF;
2189 return X86EMUL_CONTINUE;
2192 static int em_ret(struct x86_emulate_ctxt *ctxt)
2194 ctxt->dst.type = OP_REG;
2195 ctxt->dst.addr.reg = &ctxt->_eip;
2196 ctxt->dst.bytes = ctxt->op_bytes;
2197 return em_pop(ctxt);
2200 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2205 rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
2206 if (rc != X86EMUL_CONTINUE)
2208 if (ctxt->op_bytes == 4)
2209 ctxt->_eip = (u32)ctxt->_eip;
2210 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2211 if (rc != X86EMUL_CONTINUE)
2213 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2217 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2219 /* Save real source value, then compare EAX against destination. */
2220 ctxt->src.orig_val = ctxt->src.val;
2221 ctxt->src.val = reg_read(ctxt, VCPU_REGS_RAX);
2222 fastop(ctxt, em_cmp);
2224 if (ctxt->eflags & EFLG_ZF) {
2225 /* Success: write back to memory. */
2226 ctxt->dst.val = ctxt->src.orig_val;
2228 /* Failure: write the value we saw to EAX. */
2229 ctxt->dst.type = OP_REG;
2230 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2232 return X86EMUL_CONTINUE;
2235 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2237 int seg = ctxt->src2.val;
2241 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2243 rc = load_segment_descriptor(ctxt, sel, seg);
2244 if (rc != X86EMUL_CONTINUE)
2247 ctxt->dst.val = ctxt->src.val;
2252 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
2253 struct desc_struct *cs, struct desc_struct *ss)
2255 cs->l = 0; /* will be adjusted later */
2256 set_desc_base(cs, 0); /* flat segment */
2257 cs->g = 1; /* 4kb granularity */
2258 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2259 cs->type = 0x0b; /* Read, Execute, Accessed */
2261 cs->dpl = 0; /* will be adjusted later */
2266 set_desc_base(ss, 0); /* flat segment */
2267 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2268 ss->g = 1; /* 4kb granularity */
2270 ss->type = 0x03; /* Read/Write, Accessed */
2271 ss->d = 1; /* 32bit stack segment */
2278 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2280 u32 eax, ebx, ecx, edx;
2283 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2284 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
2285 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2286 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2289 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2291 const struct x86_emulate_ops *ops = ctxt->ops;
2292 u32 eax, ebx, ecx, edx;
2295 * syscall should always be enabled in longmode - so only become
2296 * vendor specific (cpuid) if other modes are active...
2298 if (ctxt->mode == X86EMUL_MODE_PROT64)
2303 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2305 * Intel ("GenuineIntel")
2306 * remark: Intel CPUs only support "syscall" in 64bit
2307 * longmode. Also an 64bit guest with a
2308 * 32bit compat-app running will #UD !! While this
2309 * behaviour can be fixed (by emulating) into AMD
2310 * response - CPUs of AMD can't behave like Intel.
2312 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2313 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2314 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2317 /* AMD ("AuthenticAMD") */
2318 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2319 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2320 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2323 /* AMD ("AMDisbetter!") */
2324 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2325 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2326 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2329 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2333 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2335 const struct x86_emulate_ops *ops = ctxt->ops;
2336 struct desc_struct cs, ss;
2341 /* syscall is not available in real mode */
2342 if (ctxt->mode == X86EMUL_MODE_REAL ||
2343 ctxt->mode == X86EMUL_MODE_VM86)
2344 return emulate_ud(ctxt);
2346 if (!(em_syscall_is_enabled(ctxt)))
2347 return emulate_ud(ctxt);
2349 ops->get_msr(ctxt, MSR_EFER, &efer);
2350 setup_syscalls_segments(ctxt, &cs, &ss);
2352 if (!(efer & EFER_SCE))
2353 return emulate_ud(ctxt);
2355 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2357 cs_sel = (u16)(msr_data & 0xfffc);
2358 ss_sel = (u16)(msr_data + 8);
2360 if (efer & EFER_LMA) {
2364 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2365 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2367 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2368 if (efer & EFER_LMA) {
2369 #ifdef CONFIG_X86_64
2370 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags & ~EFLG_RF;
2373 ctxt->mode == X86EMUL_MODE_PROT64 ?
2374 MSR_LSTAR : MSR_CSTAR, &msr_data);
2375 ctxt->_eip = msr_data;
2377 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2378 ctxt->eflags &= ~(msr_data | EFLG_RF);
2382 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2383 ctxt->_eip = (u32)msr_data;
2385 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2388 return X86EMUL_CONTINUE;
2391 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2393 const struct x86_emulate_ops *ops = ctxt->ops;
2394 struct desc_struct cs, ss;
2399 ops->get_msr(ctxt, MSR_EFER, &efer);
2400 /* inject #GP if in real mode */
2401 if (ctxt->mode == X86EMUL_MODE_REAL)
2402 return emulate_gp(ctxt, 0);
2405 * Not recognized on AMD in compat mode (but is recognized in legacy
2408 if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
2409 && !vendor_intel(ctxt))
2410 return emulate_ud(ctxt);
2412 /* XXX sysenter/sysexit have not been tested in 64bit mode.
2413 * Therefore, we inject an #UD.
2415 if (ctxt->mode == X86EMUL_MODE_PROT64)
2416 return emulate_ud(ctxt);
2418 setup_syscalls_segments(ctxt, &cs, &ss);
2420 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2421 switch (ctxt->mode) {
2422 case X86EMUL_MODE_PROT32:
2423 if ((msr_data & 0xfffc) == 0x0)
2424 return emulate_gp(ctxt, 0);
2426 case X86EMUL_MODE_PROT64:
2427 if (msr_data == 0x0)
2428 return emulate_gp(ctxt, 0);
2434 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2435 cs_sel = (u16)msr_data;
2436 cs_sel &= ~SELECTOR_RPL_MASK;
2437 ss_sel = cs_sel + 8;
2438 ss_sel &= ~SELECTOR_RPL_MASK;
2439 if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
2444 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2445 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2447 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2448 ctxt->_eip = msr_data;
2450 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2451 *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
2453 return X86EMUL_CONTINUE;
2456 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2458 const struct x86_emulate_ops *ops = ctxt->ops;
2459 struct desc_struct cs, ss;
2462 u16 cs_sel = 0, ss_sel = 0;
2464 /* inject #GP if in real mode or Virtual 8086 mode */
2465 if (ctxt->mode == X86EMUL_MODE_REAL ||
2466 ctxt->mode == X86EMUL_MODE_VM86)
2467 return emulate_gp(ctxt, 0);
2469 setup_syscalls_segments(ctxt, &cs, &ss);
2471 if ((ctxt->rex_prefix & 0x8) != 0x0)
2472 usermode = X86EMUL_MODE_PROT64;
2474 usermode = X86EMUL_MODE_PROT32;
2478 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2480 case X86EMUL_MODE_PROT32:
2481 cs_sel = (u16)(msr_data + 16);
2482 if ((msr_data & 0xfffc) == 0x0)
2483 return emulate_gp(ctxt, 0);
2484 ss_sel = (u16)(msr_data + 24);
2486 case X86EMUL_MODE_PROT64:
2487 cs_sel = (u16)(msr_data + 32);
2488 if (msr_data == 0x0)
2489 return emulate_gp(ctxt, 0);
2490 ss_sel = cs_sel + 8;
2495 cs_sel |= SELECTOR_RPL_MASK;
2496 ss_sel |= SELECTOR_RPL_MASK;
2498 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2499 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2501 ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX);
2502 *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX);
2504 return X86EMUL_CONTINUE;
2507 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2510 if (ctxt->mode == X86EMUL_MODE_REAL)
2512 if (ctxt->mode == X86EMUL_MODE_VM86)
2514 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2515 return ctxt->ops->cpl(ctxt) > iopl;
2518 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2521 const struct x86_emulate_ops *ops = ctxt->ops;
2522 struct desc_struct tr_seg;
2525 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2526 unsigned mask = (1 << len) - 1;
2529 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2532 if (desc_limit_scaled(&tr_seg) < 103)
2534 base = get_desc_base(&tr_seg);
2535 #ifdef CONFIG_X86_64
2536 base |= ((u64)base3) << 32;
2538 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2539 if (r != X86EMUL_CONTINUE)
2541 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2543 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2544 if (r != X86EMUL_CONTINUE)
2546 if ((perm >> bit_idx) & mask)
2551 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2557 if (emulator_bad_iopl(ctxt))
2558 if (!emulator_io_port_access_allowed(ctxt, port, len))
2561 ctxt->perm_ok = true;
2566 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2567 struct tss_segment_16 *tss)
2569 tss->ip = ctxt->_eip;
2570 tss->flag = ctxt->eflags;
2571 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2572 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2573 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2574 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2575 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2576 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2577 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2578 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2580 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2581 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2582 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2583 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2584 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2587 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2588 struct tss_segment_16 *tss)
2592 ctxt->_eip = tss->ip;
2593 ctxt->eflags = tss->flag | 2;
2594 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
2595 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
2596 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
2597 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
2598 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
2599 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
2600 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
2601 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
2604 * SDM says that segment selectors are loaded before segment
2607 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2608 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2609 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2610 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2611 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2614 * Now load segment descriptors. If fault happens at this stage
2615 * it is handled in a context of new task
2617 ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR);
2618 if (ret != X86EMUL_CONTINUE)
2620 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2621 if (ret != X86EMUL_CONTINUE)
2623 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2624 if (ret != X86EMUL_CONTINUE)
2626 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2627 if (ret != X86EMUL_CONTINUE)
2629 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2630 if (ret != X86EMUL_CONTINUE)
2633 return X86EMUL_CONTINUE;
2636 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2637 u16 tss_selector, u16 old_tss_sel,
2638 ulong old_tss_base, struct desc_struct *new_desc)
2640 const struct x86_emulate_ops *ops = ctxt->ops;
2641 struct tss_segment_16 tss_seg;
2643 u32 new_tss_base = get_desc_base(new_desc);
2645 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2647 if (ret != X86EMUL_CONTINUE)
2648 /* FIXME: need to provide precise fault address */
2651 save_state_to_tss16(ctxt, &tss_seg);
2653 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2655 if (ret != X86EMUL_CONTINUE)
2656 /* FIXME: need to provide precise fault address */
2659 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2661 if (ret != X86EMUL_CONTINUE)
2662 /* FIXME: need to provide precise fault address */
2665 if (old_tss_sel != 0xffff) {
2666 tss_seg.prev_task_link = old_tss_sel;
2668 ret = ops->write_std(ctxt, new_tss_base,
2669 &tss_seg.prev_task_link,
2670 sizeof tss_seg.prev_task_link,
2672 if (ret != X86EMUL_CONTINUE)
2673 /* FIXME: need to provide precise fault address */
2677 return load_state_from_tss16(ctxt, &tss_seg);
2680 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2681 struct tss_segment_32 *tss)
2683 tss->cr3 = ctxt->ops->get_cr(ctxt, 3);
2684 tss->eip = ctxt->_eip;
2685 tss->eflags = ctxt->eflags;
2686 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
2687 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
2688 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
2689 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
2690 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
2691 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
2692 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
2693 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
2695 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2696 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2697 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2698 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2699 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
2700 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
2701 tss->ldt_selector = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2704 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2705 struct tss_segment_32 *tss)
2709 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
2710 return emulate_gp(ctxt, 0);
2711 ctxt->_eip = tss->eip;
2712 ctxt->eflags = tss->eflags | 2;
2714 /* General purpose registers */
2715 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
2716 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
2717 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
2718 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
2719 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
2720 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
2721 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
2722 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
2725 * SDM says that segment selectors are loaded before segment
2728 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2729 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2730 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2731 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2732 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2733 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
2734 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
2737 * If we're switching between Protected Mode and VM86, we need to make
2738 * sure to update the mode before loading the segment descriptors so
2739 * that the selectors are interpreted correctly.
2741 * Need to get rflags to the vcpu struct immediately because it
2742 * influences the CPL which is checked at least when loading the segment
2743 * descriptors and when pushing an error code to the new kernel stack.
2745 * TODO Introduce a separate ctxt->ops->set_cpl callback
2747 if (ctxt->eflags & X86_EFLAGS_VM)
2748 ctxt->mode = X86EMUL_MODE_VM86;
2750 ctxt->mode = X86EMUL_MODE_PROT32;
2752 ctxt->ops->set_rflags(ctxt, ctxt->eflags);
2755 * Now load segment descriptors. If fault happenes at this stage
2756 * it is handled in a context of new task
2758 ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2759 if (ret != X86EMUL_CONTINUE)
2761 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2762 if (ret != X86EMUL_CONTINUE)
2764 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2765 if (ret != X86EMUL_CONTINUE)
2767 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2768 if (ret != X86EMUL_CONTINUE)
2770 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2771 if (ret != X86EMUL_CONTINUE)
2773 ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS);
2774 if (ret != X86EMUL_CONTINUE)
2776 ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS);
2777 if (ret != X86EMUL_CONTINUE)
2780 return X86EMUL_CONTINUE;
2783 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2784 u16 tss_selector, u16 old_tss_sel,
2785 ulong old_tss_base, struct desc_struct *new_desc)
2787 const struct x86_emulate_ops *ops = ctxt->ops;
2788 struct tss_segment_32 tss_seg;
2790 u32 new_tss_base = get_desc_base(new_desc);
2792 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2794 if (ret != X86EMUL_CONTINUE)
2795 /* FIXME: need to provide precise fault address */
2798 save_state_to_tss32(ctxt, &tss_seg);
2800 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2802 if (ret != X86EMUL_CONTINUE)
2803 /* FIXME: need to provide precise fault address */
2806 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2808 if (ret != X86EMUL_CONTINUE)
2809 /* FIXME: need to provide precise fault address */
2812 if (old_tss_sel != 0xffff) {
2813 tss_seg.prev_task_link = old_tss_sel;
2815 ret = ops->write_std(ctxt, new_tss_base,
2816 &tss_seg.prev_task_link,
2817 sizeof tss_seg.prev_task_link,
2819 if (ret != X86EMUL_CONTINUE)
2820 /* FIXME: need to provide precise fault address */
2824 return load_state_from_tss32(ctxt, &tss_seg);
2827 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2828 u16 tss_selector, int idt_index, int reason,
2829 bool has_error_code, u32 error_code)
2831 const struct x86_emulate_ops *ops = ctxt->ops;
2832 struct desc_struct curr_tss_desc, next_tss_desc;
2834 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
2835 ulong old_tss_base =
2836 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
2840 /* FIXME: old_tss_base == ~0 ? */
2842 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
2843 if (ret != X86EMUL_CONTINUE)
2845 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
2846 if (ret != X86EMUL_CONTINUE)
2849 /* FIXME: check that next_tss_desc is tss */
2852 * Check privileges. The three cases are task switch caused by...
2854 * 1. jmp/call/int to task gate: Check against DPL of the task gate
2855 * 2. Exception/IRQ/iret: No check is performed
2856 * 3. jmp/call to TSS: Check against DPL of the TSS
2858 if (reason == TASK_SWITCH_GATE) {
2859 if (idt_index != -1) {
2860 /* Software interrupts */
2861 struct desc_struct task_gate_desc;
2864 ret = read_interrupt_descriptor(ctxt, idt_index,
2866 if (ret != X86EMUL_CONTINUE)
2869 dpl = task_gate_desc.dpl;
2870 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2871 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
2873 } else if (reason != TASK_SWITCH_IRET) {
2874 int dpl = next_tss_desc.dpl;
2875 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2876 return emulate_gp(ctxt, tss_selector);
2880 desc_limit = desc_limit_scaled(&next_tss_desc);
2881 if (!next_tss_desc.p ||
2882 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2883 desc_limit < 0x2b)) {
2884 emulate_ts(ctxt, tss_selector & 0xfffc);
2885 return X86EMUL_PROPAGATE_FAULT;
2888 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2889 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2890 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2893 if (reason == TASK_SWITCH_IRET)
2894 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2896 /* set back link to prev task only if NT bit is set in eflags
2897 note that old_tss_sel is not used after this point */
2898 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2899 old_tss_sel = 0xffff;
2901 if (next_tss_desc.type & 8)
2902 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
2903 old_tss_base, &next_tss_desc);
2905 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
2906 old_tss_base, &next_tss_desc);
2907 if (ret != X86EMUL_CONTINUE)
2910 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2911 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2913 if (reason != TASK_SWITCH_IRET) {
2914 next_tss_desc.type |= (1 << 1); /* set busy flag */
2915 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2918 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
2919 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
2921 if (has_error_code) {
2922 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2923 ctxt->lock_prefix = 0;
2924 ctxt->src.val = (unsigned long) error_code;
2925 ret = em_push(ctxt);
2931 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2932 u16 tss_selector, int idt_index, int reason,
2933 bool has_error_code, u32 error_code)
2937 invalidate_registers(ctxt);
2938 ctxt->_eip = ctxt->eip;
2939 ctxt->dst.type = OP_NONE;
2941 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
2942 has_error_code, error_code);
2944 if (rc == X86EMUL_CONTINUE) {
2945 ctxt->eip = ctxt->_eip;
2946 writeback_registers(ctxt);
2949 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
2952 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
2955 int df = (ctxt->eflags & EFLG_DF) ? -op->count : op->count;
2957 register_address_increment(ctxt, reg_rmw(ctxt, reg), df * op->bytes);
2958 op->addr.mem.ea = register_address(ctxt, reg_read(ctxt, reg));
2961 static int em_das(struct x86_emulate_ctxt *ctxt)
2964 bool af, cf, old_cf;
2966 cf = ctxt->eflags & X86_EFLAGS_CF;
2972 af = ctxt->eflags & X86_EFLAGS_AF;
2973 if ((al & 0x0f) > 9 || af) {
2975 cf = old_cf | (al >= 250);
2980 if (old_al > 0x99 || old_cf) {
2986 /* Set PF, ZF, SF */
2987 ctxt->src.type = OP_IMM;
2989 ctxt->src.bytes = 1;
2990 fastop(ctxt, em_or);
2991 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2993 ctxt->eflags |= X86_EFLAGS_CF;
2995 ctxt->eflags |= X86_EFLAGS_AF;
2996 return X86EMUL_CONTINUE;
2999 static int em_aad(struct x86_emulate_ctxt *ctxt)
3001 u8 al = ctxt->dst.val & 0xff;
3002 u8 ah = (ctxt->dst.val >> 8) & 0xff;
3004 al = (al + (ah * ctxt->src.val)) & 0xff;
3006 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3008 /* Set PF, ZF, SF */
3009 ctxt->src.type = OP_IMM;
3011 ctxt->src.bytes = 1;
3012 fastop(ctxt, em_or);
3014 return X86EMUL_CONTINUE;
3017 static int em_call(struct x86_emulate_ctxt *ctxt)
3019 long rel = ctxt->src.val;
3021 ctxt->src.val = (unsigned long)ctxt->_eip;
3023 return em_push(ctxt);
3026 static int em_call_far(struct x86_emulate_ctxt *ctxt)
3032 old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
3033 old_eip = ctxt->_eip;
3035 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3036 if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
3037 return X86EMUL_CONTINUE;
3040 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
3042 ctxt->src.val = old_cs;
3044 if (rc != X86EMUL_CONTINUE)
3047 ctxt->src.val = old_eip;
3048 return em_push(ctxt);
3051 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3055 ctxt->dst.type = OP_REG;
3056 ctxt->dst.addr.reg = &ctxt->_eip;
3057 ctxt->dst.bytes = ctxt->op_bytes;
3058 rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
3059 if (rc != X86EMUL_CONTINUE)
3061 rsp_increment(ctxt, ctxt->src.val);
3062 return X86EMUL_CONTINUE;
3065 static int em_xchg(struct x86_emulate_ctxt *ctxt)
3067 /* Write back the register source. */
3068 ctxt->src.val = ctxt->dst.val;
3069 write_register_operand(&ctxt->src);
3071 /* Write back the memory destination with implicit LOCK prefix. */
3072 ctxt->dst.val = ctxt->src.orig_val;
3073 ctxt->lock_prefix = 1;
3074 return X86EMUL_CONTINUE;
3077 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3079 ctxt->dst.val = ctxt->src2.val;
3080 return fastop(ctxt, em_imul);
3083 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3085 ctxt->dst.type = OP_REG;
3086 ctxt->dst.bytes = ctxt->src.bytes;
3087 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3088 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3090 return X86EMUL_CONTINUE;
3093 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3097 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3098 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3099 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3100 return X86EMUL_CONTINUE;
3103 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3107 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3108 return emulate_gp(ctxt, 0);
3109 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3110 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3111 return X86EMUL_CONTINUE;
3114 static int em_mov(struct x86_emulate_ctxt *ctxt)
3116 memcpy(ctxt->dst.valptr, ctxt->src.valptr, ctxt->op_bytes);
3117 return X86EMUL_CONTINUE;
3120 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3122 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3123 return emulate_gp(ctxt, 0);
3125 /* Disable writeback. */
3126 ctxt->dst.type = OP_NONE;
3127 return X86EMUL_CONTINUE;
3130 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3134 if (ctxt->mode == X86EMUL_MODE_PROT64)
3135 val = ctxt->src.val & ~0ULL;
3137 val = ctxt->src.val & ~0U;
3139 /* #UD condition is already handled. */
3140 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3141 return emulate_gp(ctxt, 0);
3143 /* Disable writeback. */
3144 ctxt->dst.type = OP_NONE;
3145 return X86EMUL_CONTINUE;
3148 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3152 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3153 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3154 if (ctxt->ops->set_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), msr_data))
3155 return emulate_gp(ctxt, 0);
3157 return X86EMUL_CONTINUE;
3160 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3164 if (ctxt->ops->get_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &msr_data))
3165 return emulate_gp(ctxt, 0);
3167 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3168 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3169 return X86EMUL_CONTINUE;
3172 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3174 if (ctxt->modrm_reg > VCPU_SREG_GS)
3175 return emulate_ud(ctxt);
3177 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
3178 return X86EMUL_CONTINUE;
3181 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3183 u16 sel = ctxt->src.val;
3185 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3186 return emulate_ud(ctxt);
3188 if (ctxt->modrm_reg == VCPU_SREG_SS)
3189 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3191 /* Disable writeback. */
3192 ctxt->dst.type = OP_NONE;
3193 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3196 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3198 u16 sel = ctxt->src.val;
3200 /* Disable writeback. */
3201 ctxt->dst.type = OP_NONE;
3202 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3205 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3207 u16 sel = ctxt->src.val;
3209 /* Disable writeback. */
3210 ctxt->dst.type = OP_NONE;
3211 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3214 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3219 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3220 if (rc == X86EMUL_CONTINUE)
3221 ctxt->ops->invlpg(ctxt, linear);
3222 /* Disable writeback. */
3223 ctxt->dst.type = OP_NONE;
3224 return X86EMUL_CONTINUE;
3227 static int em_clts(struct x86_emulate_ctxt *ctxt)
3231 cr0 = ctxt->ops->get_cr(ctxt, 0);
3233 ctxt->ops->set_cr(ctxt, 0, cr0);
3234 return X86EMUL_CONTINUE;
3237 static int em_vmcall(struct x86_emulate_ctxt *ctxt)
3241 if (ctxt->modrm_mod != 3 || ctxt->modrm_rm != 1)
3242 return X86EMUL_UNHANDLEABLE;
3244 rc = ctxt->ops->fix_hypercall(ctxt);
3245 if (rc != X86EMUL_CONTINUE)
3248 /* Let the processor re-execute the fixed hypercall */
3249 ctxt->_eip = ctxt->eip;
3250 /* Disable writeback. */
3251 ctxt->dst.type = OP_NONE;
3252 return X86EMUL_CONTINUE;
3255 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3256 void (*get)(struct x86_emulate_ctxt *ctxt,
3257 struct desc_ptr *ptr))
3259 struct desc_ptr desc_ptr;
3261 if (ctxt->mode == X86EMUL_MODE_PROT64)
3263 get(ctxt, &desc_ptr);
3264 if (ctxt->op_bytes == 2) {
3266 desc_ptr.address &= 0x00ffffff;
3268 /* Disable writeback. */
3269 ctxt->dst.type = OP_NONE;
3270 return segmented_write(ctxt, ctxt->dst.addr.mem,
3271 &desc_ptr, 2 + ctxt->op_bytes);
3274 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3276 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3279 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3281 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3284 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3286 struct desc_ptr desc_ptr;
3289 if (ctxt->mode == X86EMUL_MODE_PROT64)
3291 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3292 &desc_ptr.size, &desc_ptr.address,
3294 if (rc != X86EMUL_CONTINUE)
3296 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3297 /* Disable writeback. */
3298 ctxt->dst.type = OP_NONE;
3299 return X86EMUL_CONTINUE;
3302 static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
3306 rc = ctxt->ops->fix_hypercall(ctxt);
3308 /* Disable writeback. */
3309 ctxt->dst.type = OP_NONE;
3313 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3315 struct desc_ptr desc_ptr;
3318 if (ctxt->mode == X86EMUL_MODE_PROT64)
3320 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3321 &desc_ptr.size, &desc_ptr.address,
3323 if (rc != X86EMUL_CONTINUE)
3325 ctxt->ops->set_idt(ctxt, &desc_ptr);
3326 /* Disable writeback. */
3327 ctxt->dst.type = OP_NONE;
3328 return X86EMUL_CONTINUE;
3331 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3333 ctxt->dst.bytes = 2;
3334 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3335 return X86EMUL_CONTINUE;
3338 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3340 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3341 | (ctxt->src.val & 0x0f));
3342 ctxt->dst.type = OP_NONE;
3343 return X86EMUL_CONTINUE;
3346 static int em_loop(struct x86_emulate_ctxt *ctxt)
3348 register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1);
3349 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3350 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3351 jmp_rel(ctxt, ctxt->src.val);
3353 return X86EMUL_CONTINUE;
3356 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3358 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3359 jmp_rel(ctxt, ctxt->src.val);
3361 return X86EMUL_CONTINUE;
3364 static int em_in(struct x86_emulate_ctxt *ctxt)
3366 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3368 return X86EMUL_IO_NEEDED;
3370 return X86EMUL_CONTINUE;
3373 static int em_out(struct x86_emulate_ctxt *ctxt)
3375 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3377 /* Disable writeback. */
3378 ctxt->dst.type = OP_NONE;
3379 return X86EMUL_CONTINUE;
3382 static int em_cli(struct x86_emulate_ctxt *ctxt)
3384 if (emulator_bad_iopl(ctxt))
3385 return emulate_gp(ctxt, 0);
3387 ctxt->eflags &= ~X86_EFLAGS_IF;
3388 return X86EMUL_CONTINUE;
3391 static int em_sti(struct x86_emulate_ctxt *ctxt)
3393 if (emulator_bad_iopl(ctxt))
3394 return emulate_gp(ctxt, 0);
3396 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3397 ctxt->eflags |= X86_EFLAGS_IF;
3398 return X86EMUL_CONTINUE;
3401 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3403 u32 eax, ebx, ecx, edx;
3405 eax = reg_read(ctxt, VCPU_REGS_RAX);
3406 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3407 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3408 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3409 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3410 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3411 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3412 return X86EMUL_CONTINUE;
3415 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3417 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3418 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3419 return X86EMUL_CONTINUE;
3422 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3424 switch (ctxt->op_bytes) {
3425 #ifdef CONFIG_X86_64
3427 asm("bswap %0" : "+r"(ctxt->dst.val));
3431 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3434 return X86EMUL_CONTINUE;
3437 static bool valid_cr(int nr)
3449 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
3451 if (!valid_cr(ctxt->modrm_reg))
3452 return emulate_ud(ctxt);
3454 return X86EMUL_CONTINUE;
3457 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
3459 u64 new_val = ctxt->src.val64;
3460 int cr = ctxt->modrm_reg;
3463 static u64 cr_reserved_bits[] = {
3464 0xffffffff00000000ULL,
3465 0, 0, 0, /* CR3 checked later */
3472 return emulate_ud(ctxt);
3474 if (new_val & cr_reserved_bits[cr])
3475 return emulate_gp(ctxt, 0);
3480 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
3481 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
3482 return emulate_gp(ctxt, 0);
3484 cr4 = ctxt->ops->get_cr(ctxt, 4);
3485 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3487 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
3488 !(cr4 & X86_CR4_PAE))
3489 return emulate_gp(ctxt, 0);
3496 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3497 if (efer & EFER_LMA)
3498 rsvd = CR3_L_MODE_RESERVED_BITS;
3499 else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE)
3500 rsvd = CR3_PAE_RESERVED_BITS;
3501 else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG)
3502 rsvd = CR3_NONPAE_RESERVED_BITS;
3505 return emulate_gp(ctxt, 0);
3510 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3512 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
3513 return emulate_gp(ctxt, 0);
3519 return X86EMUL_CONTINUE;
3522 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
3526 ctxt->ops->get_dr(ctxt, 7, &dr7);
3528 /* Check if DR7.Global_Enable is set */
3529 return dr7 & (1 << 13);
3532 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3534 int dr = ctxt->modrm_reg;
3538 return emulate_ud(ctxt);
3540 cr4 = ctxt->ops->get_cr(ctxt, 4);
3541 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3542 return emulate_ud(ctxt);
3544 if (check_dr7_gd(ctxt))
3545 return emulate_db(ctxt);
3547 return X86EMUL_CONTINUE;
3550 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
3552 u64 new_val = ctxt->src.val64;
3553 int dr = ctxt->modrm_reg;
3555 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
3556 return emulate_gp(ctxt, 0);
3558 return check_dr_read(ctxt);
3561 static int check_svme(struct x86_emulate_ctxt *ctxt)
3565 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3567 if (!(efer & EFER_SVME))
3568 return emulate_ud(ctxt);
3570 return X86EMUL_CONTINUE;
3573 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
3575 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
3577 /* Valid physical address? */
3578 if (rax & 0xffff000000000000ULL)
3579 return emulate_gp(ctxt, 0);
3581 return check_svme(ctxt);
3584 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
3586 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3588 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
3589 return emulate_ud(ctxt);
3591 return X86EMUL_CONTINUE;
3594 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
3596 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3597 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
3599 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
3601 return emulate_gp(ctxt, 0);
3603 return X86EMUL_CONTINUE;
3606 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
3608 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
3609 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
3610 return emulate_gp(ctxt, 0);
3612 return X86EMUL_CONTINUE;
3615 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
3617 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
3618 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
3619 return emulate_gp(ctxt, 0);
3621 return X86EMUL_CONTINUE;
3624 #define D(_y) { .flags = (_y) }
3625 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
3626 #define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
3627 .check_perm = (_p) }
3628 #define N D(NotImpl)
3629 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
3630 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
3631 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
3632 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
3633 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
3634 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
3635 #define II(_f, _e, _i) \
3636 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
3637 #define IIP(_f, _e, _i, _p) \
3638 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
3639 .check_perm = (_p) }
3640 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
3642 #define D2bv(_f) D((_f) | ByteOp), D(_f)
3643 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
3644 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
3645 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
3646 #define I2bvIP(_f, _e, _i, _p) \
3647 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
3649 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
3650 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
3651 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
3653 static const struct opcode group7_rm1[] = {
3654 DI(SrcNone | Priv, monitor),
3655 DI(SrcNone | Priv, mwait),
3659 static const struct opcode group7_rm3[] = {
3660 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
3661 II(SrcNone | Prot | VendorSpecific, em_vmmcall, vmmcall),
3662 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
3663 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
3664 DIP(SrcNone | Prot | Priv, stgi, check_svme),
3665 DIP(SrcNone | Prot | Priv, clgi, check_svme),
3666 DIP(SrcNone | Prot | Priv, skinit, check_svme),
3667 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
3670 static const struct opcode group7_rm7[] = {
3672 DIP(SrcNone, rdtscp, check_rdtsc),
3676 static const struct opcode group1[] = {
3678 F(Lock | PageTable, em_or),
3681 F(Lock | PageTable, em_and),
3687 static const struct opcode group1A[] = {
3688 I(DstMem | SrcNone | Mov | Stack, em_pop), N, N, N, N, N, N, N,
3691 static const struct opcode group2[] = {
3692 F(DstMem | ModRM, em_rol),
3693 F(DstMem | ModRM, em_ror),
3694 F(DstMem | ModRM, em_rcl),
3695 F(DstMem | ModRM, em_rcr),
3696 F(DstMem | ModRM, em_shl),
3697 F(DstMem | ModRM, em_shr),
3698 F(DstMem | ModRM, em_shl),
3699 F(DstMem | ModRM, em_sar),
3702 static const struct opcode group3[] = {
3703 F(DstMem | SrcImm | NoWrite, em_test),
3704 F(DstMem | SrcImm | NoWrite, em_test),
3705 F(DstMem | SrcNone | Lock, em_not),
3706 F(DstMem | SrcNone | Lock, em_neg),
3707 I(SrcMem, em_mul_ex),
3708 I(SrcMem, em_imul_ex),
3709 I(SrcMem, em_div_ex),
3710 I(SrcMem, em_idiv_ex),
3713 static const struct opcode group4[] = {
3714 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
3715 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
3719 static const struct opcode group5[] = {
3720 F(DstMem | SrcNone | Lock, em_inc),
3721 F(DstMem | SrcNone | Lock, em_dec),
3722 I(SrcMem | Stack, em_grp45),
3723 I(SrcMemFAddr | ImplicitOps | Stack, em_call_far),
3724 I(SrcMem | Stack, em_grp45),
3725 I(SrcMemFAddr | ImplicitOps, em_grp45),
3726 I(SrcMem | Stack, em_grp45), D(Undefined),
3729 static const struct opcode group6[] = {
3732 II(Prot | Priv | SrcMem16, em_lldt, lldt),
3733 II(Prot | Priv | SrcMem16, em_ltr, ltr),
3737 static const struct group_dual group7 = { {
3738 II(Mov | DstMem | Priv, em_sgdt, sgdt),
3739 II(Mov | DstMem | Priv, em_sidt, sidt),
3740 II(SrcMem | Priv, em_lgdt, lgdt),
3741 II(SrcMem | Priv, em_lidt, lidt),
3742 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
3743 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
3744 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
3746 I(SrcNone | Priv | VendorSpecific, em_vmcall),
3748 N, EXT(0, group7_rm3),
3749 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
3750 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
3754 static const struct opcode group8[] = {
3756 F(DstMem | SrcImmByte | NoWrite, em_bt),
3757 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
3758 F(DstMem | SrcImmByte | Lock, em_btr),
3759 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
3762 static const struct group_dual group9 = { {
3763 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
3765 N, N, N, N, N, N, N, N,
3768 static const struct opcode group11[] = {
3769 I(DstMem | SrcImm | Mov | PageTable, em_mov),
3773 static const struct gprefix pfx_0f_6f_0f_7f = {
3774 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
3777 static const struct gprefix pfx_vmovntpx = {
3778 I(0, em_mov), N, N, N,
3781 static const struct escape escape_d9 = { {
3782 N, N, N, N, N, N, N, I(DstMem, em_fnstcw),
3785 N, N, N, N, N, N, N, N,
3787 N, N, N, N, N, N, N, N,
3789 N, N, N, N, N, N, N, N,
3791 N, N, N, N, N, N, N, N,
3793 N, N, N, N, N, N, N, N,
3795 N, N, N, N, N, N, N, N,
3797 N, N, N, N, N, N, N, N,
3799 N, N, N, N, N, N, N, N,
3802 static const struct escape escape_db = { {
3803 N, N, N, N, N, N, N, N,
3806 N, N, N, N, N, N, N, N,
3808 N, N, N, N, N, N, N, N,
3810 N, N, N, N, N, N, N, N,
3812 N, N, N, N, N, N, N, N,
3814 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
3816 N, N, N, N, N, N, N, N,
3818 N, N, N, N, N, N, N, N,
3820 N, N, N, N, N, N, N, N,
3823 static const struct escape escape_dd = { {
3824 N, N, N, N, N, N, N, I(DstMem, em_fnstsw),
3827 N, N, N, N, N, N, N, N,
3829 N, N, N, N, N, N, N, N,
3831 N, N, N, N, N, N, N, N,
3833 N, N, N, N, N, N, N, N,
3835 N, N, N, N, N, N, N, N,
3837 N, N, N, N, N, N, N, N,
3839 N, N, N, N, N, N, N, N,
3841 N, N, N, N, N, N, N, N,
3844 static const struct opcode opcode_table[256] = {
3846 F6ALU(Lock, em_add),
3847 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
3848 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
3850 F6ALU(Lock | PageTable, em_or),
3851 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
3854 F6ALU(Lock, em_adc),
3855 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
3856 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
3858 F6ALU(Lock, em_sbb),
3859 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
3860 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
3862 F6ALU(Lock | PageTable, em_and), N, N,
3864 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
3866 F6ALU(Lock, em_xor), N, N,
3868 F6ALU(NoWrite, em_cmp), N, N,
3870 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
3872 X8(I(SrcReg | Stack, em_push)),
3874 X8(I(DstReg | Stack, em_pop)),
3876 I(ImplicitOps | Stack | No64, em_pusha),
3877 I(ImplicitOps | Stack | No64, em_popa),
3878 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
3881 I(SrcImm | Mov | Stack, em_push),
3882 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
3883 I(SrcImmByte | Mov | Stack, em_push),
3884 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
3885 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
3886 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
3890 G(ByteOp | DstMem | SrcImm, group1),
3891 G(DstMem | SrcImm, group1),
3892 G(ByteOp | DstMem | SrcImm | No64, group1),
3893 G(DstMem | SrcImmByte, group1),
3894 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
3895 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
3897 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
3898 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
3899 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
3900 D(ModRM | SrcMem | NoAccess | DstReg),
3901 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
3904 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
3906 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
3907 I(SrcImmFAddr | No64, em_call_far), N,
3908 II(ImplicitOps | Stack, em_pushf, pushf),
3909 II(ImplicitOps | Stack, em_popf, popf), N, I(ImplicitOps, em_lahf),
3911 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
3912 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
3913 I2bv(SrcSI | DstDI | Mov | String, em_mov),
3914 F2bv(SrcSI | DstDI | String | NoWrite, em_cmp),
3916 F2bv(DstAcc | SrcImm | NoWrite, em_test),
3917 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
3918 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
3919 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp),
3921 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
3923 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
3925 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
3926 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
3927 I(ImplicitOps | Stack, em_ret),
3928 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
3929 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
3930 G(ByteOp, group11), G(0, group11),
3932 I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
3933 N, I(ImplicitOps | Stack, em_ret_far),
3934 D(ImplicitOps), DI(SrcImmByte, intn),
3935 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
3937 G(Src2One | ByteOp, group2), G(Src2One, group2),
3938 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
3939 N, I(DstAcc | SrcImmByte | No64, em_aad), N, N,
3941 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
3943 X3(I(SrcImmByte, em_loop)),
3944 I(SrcImmByte, em_jcxz),
3945 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
3946 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
3948 I(SrcImm | Stack, em_call), D(SrcImm | ImplicitOps),
3949 I(SrcImmFAddr | No64, em_jmp_far), D(SrcImmByte | ImplicitOps),
3950 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
3951 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
3953 N, DI(ImplicitOps, icebp), N, N,
3954 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
3955 G(ByteOp, group3), G(0, group3),
3957 D(ImplicitOps), D(ImplicitOps),
3958 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
3959 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
3962 static const struct opcode twobyte_table[256] = {
3964 G(0, group6), GD(0, &group7), N, N,
3965 N, I(ImplicitOps | VendorSpecific, em_syscall),
3966 II(ImplicitOps | Priv, em_clts, clts), N,
3967 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
3968 N, D(ImplicitOps | ModRM), N, N,
3970 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
3972 DIP(ModRM | DstMem | Priv | Op3264, cr_read, check_cr_read),
3973 DIP(ModRM | DstMem | Priv | Op3264, dr_read, check_dr_read),
3974 IIP(ModRM | SrcMem | Priv | Op3264, em_cr_write, cr_write, check_cr_write),
3975 IIP(ModRM | SrcMem | Priv | Op3264, em_dr_write, dr_write, check_dr_write),
3977 N, N, N, GP(ModRM | DstMem | SrcReg | Sse | Mov | Aligned, &pfx_vmovntpx),
3980 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
3981 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
3982 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
3983 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
3984 I(ImplicitOps | VendorSpecific, em_sysenter),
3985 I(ImplicitOps | Priv | VendorSpecific, em_sysexit),
3987 N, N, N, N, N, N, N, N,
3989 X16(D(DstReg | SrcMem | ModRM | Mov)),
3991 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3996 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4001 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4005 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4007 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4008 II(ImplicitOps, em_cpuid, cpuid),
4009 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4010 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4011 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4013 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4014 DI(ImplicitOps, rsm),
4015 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4016 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4017 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4018 D(ModRM), F(DstReg | SrcMem | ModRM, em_imul),
4020 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_cmpxchg),
4021 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4022 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4023 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4024 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4025 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4029 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4030 F(DstReg | SrcMem | ModRM, em_bsf), F(DstReg | SrcMem | ModRM, em_bsr),
4031 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4033 D2bv(DstMem | SrcReg | ModRM | Lock),
4034 N, D(DstMem | SrcReg | ModRM | Mov),
4035 N, N, N, GD(0, &group9),
4037 X8(I(DstReg, em_bswap)),
4039 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4041 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4043 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4060 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4064 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4070 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4071 unsigned size, bool sign_extension)
4073 int rc = X86EMUL_CONTINUE;
4077 op->addr.mem.ea = ctxt->_eip;
4078 /* NB. Immediates are sign-extended as necessary. */
4079 switch (op->bytes) {
4081 op->val = insn_fetch(s8, ctxt);
4084 op->val = insn_fetch(s16, ctxt);
4087 op->val = insn_fetch(s32, ctxt);
4090 op->val = insn_fetch(s64, ctxt);
4093 if (!sign_extension) {
4094 switch (op->bytes) {
4102 op->val &= 0xffffffff;
4110 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4113 int rc = X86EMUL_CONTINUE;
4117 decode_register_operand(ctxt, op);
4120 rc = decode_imm(ctxt, op, 1, false);
4123 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4127 if ((ctxt->d & BitOp) && op == &ctxt->dst)
4128 fetch_bit_operand(ctxt);
4129 op->orig_val = op->val;
4132 ctxt->memop.bytes = 8;
4136 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4137 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4138 fetch_register_operand(op);
4139 op->orig_val = op->val;
4143 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4145 register_address(ctxt, reg_read(ctxt, VCPU_REGS_RDI));
4146 op->addr.mem.seg = VCPU_SREG_ES;
4153 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4154 fetch_register_operand(op);
4158 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4161 rc = decode_imm(ctxt, op, 1, true);
4168 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4171 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4174 ctxt->memop.bytes = 1;
4175 if (ctxt->memop.type == OP_REG) {
4176 ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, 1);
4177 fetch_register_operand(&ctxt->memop);
4181 ctxt->memop.bytes = 2;
4184 ctxt->memop.bytes = 4;
4187 rc = decode_imm(ctxt, op, 2, false);
4190 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4194 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4196 register_address(ctxt, reg_read(ctxt, VCPU_REGS_RSI));
4197 op->addr.mem.seg = seg_override(ctxt);
4203 op->addr.mem.ea = ctxt->_eip;
4204 op->bytes = ctxt->op_bytes + 2;
4205 insn_fetch_arr(op->valptr, op->bytes, ctxt);
4208 ctxt->memop.bytes = ctxt->op_bytes + 2;
4211 op->val = VCPU_SREG_ES;
4214 op->val = VCPU_SREG_CS;
4217 op->val = VCPU_SREG_SS;
4220 op->val = VCPU_SREG_DS;
4223 op->val = VCPU_SREG_FS;
4226 op->val = VCPU_SREG_GS;
4229 /* Special instructions do their own operand decoding. */
4231 op->type = OP_NONE; /* Disable writeback. */
4239 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
4241 int rc = X86EMUL_CONTINUE;
4242 int mode = ctxt->mode;
4243 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
4244 bool op_prefix = false;
4245 struct opcode opcode;
4247 ctxt->memop.type = OP_NONE;
4248 ctxt->memopp = NULL;
4249 ctxt->_eip = ctxt->eip;
4250 ctxt->fetch.start = ctxt->_eip;
4251 ctxt->fetch.end = ctxt->fetch.start + insn_len;
4253 memcpy(ctxt->fetch.data, insn, insn_len);
4256 case X86EMUL_MODE_REAL:
4257 case X86EMUL_MODE_VM86:
4258 case X86EMUL_MODE_PROT16:
4259 def_op_bytes = def_ad_bytes = 2;
4261 case X86EMUL_MODE_PROT32:
4262 def_op_bytes = def_ad_bytes = 4;
4264 #ifdef CONFIG_X86_64
4265 case X86EMUL_MODE_PROT64:
4271 return EMULATION_FAILED;
4274 ctxt->op_bytes = def_op_bytes;
4275 ctxt->ad_bytes = def_ad_bytes;
4277 /* Legacy prefixes. */
4279 switch (ctxt->b = insn_fetch(u8, ctxt)) {
4280 case 0x66: /* operand-size override */
4282 /* switch between 2/4 bytes */
4283 ctxt->op_bytes = def_op_bytes ^ 6;
4285 case 0x67: /* address-size override */
4286 if (mode == X86EMUL_MODE_PROT64)
4287 /* switch between 4/8 bytes */
4288 ctxt->ad_bytes = def_ad_bytes ^ 12;
4290 /* switch between 2/4 bytes */
4291 ctxt->ad_bytes = def_ad_bytes ^ 6;
4293 case 0x26: /* ES override */
4294 case 0x2e: /* CS override */
4295 case 0x36: /* SS override */
4296 case 0x3e: /* DS override */
4297 set_seg_override(ctxt, (ctxt->b >> 3) & 3);
4299 case 0x64: /* FS override */
4300 case 0x65: /* GS override */
4301 set_seg_override(ctxt, ctxt->b & 7);
4303 case 0x40 ... 0x4f: /* REX */
4304 if (mode != X86EMUL_MODE_PROT64)
4306 ctxt->rex_prefix = ctxt->b;
4308 case 0xf0: /* LOCK */
4309 ctxt->lock_prefix = 1;
4311 case 0xf2: /* REPNE/REPNZ */
4312 case 0xf3: /* REP/REPE/REPZ */
4313 ctxt->rep_prefix = ctxt->b;
4319 /* Any legacy prefix after a REX prefix nullifies its effect. */
4321 ctxt->rex_prefix = 0;
4327 if (ctxt->rex_prefix & 8)
4328 ctxt->op_bytes = 8; /* REX.W */
4330 /* Opcode byte(s). */
4331 opcode = opcode_table[ctxt->b];
4332 /* Two-byte opcode? */
4333 if (ctxt->b == 0x0f) {
4335 ctxt->b = insn_fetch(u8, ctxt);
4336 opcode = twobyte_table[ctxt->b];
4338 ctxt->d = opcode.flags;
4340 if (ctxt->d & ModRM)
4341 ctxt->modrm = insn_fetch(u8, ctxt);
4343 while (ctxt->d & GroupMask) {
4344 switch (ctxt->d & GroupMask) {
4346 goffset = (ctxt->modrm >> 3) & 7;
4347 opcode = opcode.u.group[goffset];
4350 goffset = (ctxt->modrm >> 3) & 7;
4351 if ((ctxt->modrm >> 6) == 3)
4352 opcode = opcode.u.gdual->mod3[goffset];
4354 opcode = opcode.u.gdual->mod012[goffset];
4357 goffset = ctxt->modrm & 7;
4358 opcode = opcode.u.group[goffset];
4361 if (ctxt->rep_prefix && op_prefix)
4362 return EMULATION_FAILED;
4363 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
4364 switch (simd_prefix) {
4365 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
4366 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
4367 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
4368 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4372 if (ctxt->modrm > 0xbf)
4373 opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
4375 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
4378 return EMULATION_FAILED;
4381 ctxt->d &= ~(u64)GroupMask;
4382 ctxt->d |= opcode.flags;
4385 ctxt->execute = opcode.u.execute;
4386 ctxt->check_perm = opcode.check_perm;
4387 ctxt->intercept = opcode.intercept;
4390 if (ctxt->d == 0 || (ctxt->d & NotImpl))
4391 return EMULATION_FAILED;
4393 if (!(ctxt->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
4394 return EMULATION_FAILED;
4396 if (mode == X86EMUL_MODE_PROT64 && (ctxt->d & Stack))
4399 if (ctxt->d & Op3264) {
4400 if (mode == X86EMUL_MODE_PROT64)
4407 ctxt->op_bytes = 16;
4408 else if (ctxt->d & Mmx)
4411 /* ModRM and SIB bytes. */
4412 if (ctxt->d & ModRM) {
4413 rc = decode_modrm(ctxt, &ctxt->memop);
4414 if (!ctxt->has_seg_override)
4415 set_seg_override(ctxt, ctxt->modrm_seg);
4416 } else if (ctxt->d & MemAbs)
4417 rc = decode_abs(ctxt, &ctxt->memop);
4418 if (rc != X86EMUL_CONTINUE)
4421 if (!ctxt->has_seg_override)
4422 set_seg_override(ctxt, VCPU_SREG_DS);
4424 ctxt->memop.addr.mem.seg = seg_override(ctxt);
4426 if (ctxt->memop.type == OP_MEM && ctxt->ad_bytes != 8)
4427 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
4430 * Decode and fetch the source operand: register, memory
4433 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
4434 if (rc != X86EMUL_CONTINUE)
4438 * Decode and fetch the second source operand: register, memory
4441 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
4442 if (rc != X86EMUL_CONTINUE)
4445 /* Decode and fetch the destination operand: register or memory. */
4446 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
4449 if (ctxt->memopp && ctxt->memopp->type == OP_MEM && ctxt->rip_relative)
4450 ctxt->memopp->addr.mem.ea += ctxt->_eip;
4452 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
4455 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
4457 return ctxt->d & PageTable;
4460 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
4462 /* The second termination condition only applies for REPE
4463 * and REPNE. Test if the repeat string operation prefix is
4464 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
4465 * corresponding termination condition according to:
4466 * - if REPE/REPZ and ZF = 0 then done
4467 * - if REPNE/REPNZ and ZF = 1 then done
4469 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
4470 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
4471 && (((ctxt->rep_prefix == REPE_PREFIX) &&
4472 ((ctxt->eflags & EFLG_ZF) == 0))
4473 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
4474 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
4480 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
4484 ctxt->ops->get_fpu(ctxt);
4485 asm volatile("1: fwait \n\t"
4487 ".pushsection .fixup,\"ax\" \n\t"
4489 "movb $1, %[fault] \n\t"
4492 _ASM_EXTABLE(1b, 3b)
4493 : [fault]"+qm"(fault));
4494 ctxt->ops->put_fpu(ctxt);
4496 if (unlikely(fault))
4497 return emulate_exception(ctxt, MF_VECTOR, 0, false);
4499 return X86EMUL_CONTINUE;
4502 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
4505 if (op->type == OP_MM)
4506 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
4509 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *))
4511 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
4512 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
4513 asm("push %[flags]; popf; call *%[fastop]; pushf; pop %[flags]\n"
4514 : "+a"(ctxt->dst.val), "+b"(ctxt->src.val), [flags]"+D"(flags)
4515 : "c"(ctxt->src2.val), [fastop]"S"(fop));
4516 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
4517 return X86EMUL_CONTINUE;
4520 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
4522 const struct x86_emulate_ops *ops = ctxt->ops;
4523 int rc = X86EMUL_CONTINUE;
4524 int saved_dst_type = ctxt->dst.type;
4526 ctxt->mem_read.pos = 0;
4528 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
4529 (ctxt->d & Undefined)) {
4530 rc = emulate_ud(ctxt);
4534 /* LOCK prefix is allowed only with some instructions */
4535 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
4536 rc = emulate_ud(ctxt);
4540 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
4541 rc = emulate_ud(ctxt);
4545 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
4546 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
4547 rc = emulate_ud(ctxt);
4551 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
4552 rc = emulate_nm(ctxt);
4556 if (ctxt->d & Mmx) {
4557 rc = flush_pending_x87_faults(ctxt);
4558 if (rc != X86EMUL_CONTINUE)
4561 * Now that we know the fpu is exception safe, we can fetch
4564 fetch_possible_mmx_operand(ctxt, &ctxt->src);
4565 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
4566 if (!(ctxt->d & Mov))
4567 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
4570 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4571 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4572 X86_ICPT_PRE_EXCEPT);
4573 if (rc != X86EMUL_CONTINUE)
4577 /* Privileged instruction can be executed only in CPL=0 */
4578 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
4579 rc = emulate_gp(ctxt, 0);
4583 /* Instruction can only be executed in protected mode */
4584 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
4585 rc = emulate_ud(ctxt);
4589 /* Do instruction specific permission checks */
4590 if (ctxt->check_perm) {
4591 rc = ctxt->check_perm(ctxt);
4592 if (rc != X86EMUL_CONTINUE)
4596 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4597 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4598 X86_ICPT_POST_EXCEPT);
4599 if (rc != X86EMUL_CONTINUE)
4603 if (ctxt->rep_prefix && (ctxt->d & String)) {
4604 /* All REP prefixes have the same first termination condition */
4605 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
4606 ctxt->eip = ctxt->_eip;
4611 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
4612 rc = segmented_read(ctxt, ctxt->src.addr.mem,
4613 ctxt->src.valptr, ctxt->src.bytes);
4614 if (rc != X86EMUL_CONTINUE)
4616 ctxt->src.orig_val64 = ctxt->src.val64;
4619 if (ctxt->src2.type == OP_MEM) {
4620 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
4621 &ctxt->src2.val, ctxt->src2.bytes);
4622 if (rc != X86EMUL_CONTINUE)
4626 if ((ctxt->d & DstMask) == ImplicitOps)
4630 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
4631 /* optimisation - avoid slow emulated read if Mov */
4632 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
4633 &ctxt->dst.val, ctxt->dst.bytes);
4634 if (rc != X86EMUL_CONTINUE)
4637 ctxt->dst.orig_val = ctxt->dst.val;
4641 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4642 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4643 X86_ICPT_POST_MEMACCESS);
4644 if (rc != X86EMUL_CONTINUE)
4648 if (ctxt->execute) {
4649 if (ctxt->d & Fastop) {
4650 void (*fop)(struct fastop *) = (void *)ctxt->execute;
4651 rc = fastop(ctxt, fop);
4652 if (rc != X86EMUL_CONTINUE)
4656 rc = ctxt->execute(ctxt);
4657 if (rc != X86EMUL_CONTINUE)
4666 case 0x63: /* movsxd */
4667 if (ctxt->mode != X86EMUL_MODE_PROT64)
4668 goto cannot_emulate;
4669 ctxt->dst.val = (s32) ctxt->src.val;
4671 case 0x70 ... 0x7f: /* jcc (short) */
4672 if (test_cc(ctxt->b, ctxt->eflags))
4673 jmp_rel(ctxt, ctxt->src.val);
4675 case 0x8d: /* lea r16/r32, m */
4676 ctxt->dst.val = ctxt->src.addr.mem.ea;
4678 case 0x90 ... 0x97: /* nop / xchg reg, rax */
4679 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
4683 case 0x98: /* cbw/cwde/cdqe */
4684 switch (ctxt->op_bytes) {
4685 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
4686 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
4687 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
4690 case 0xcc: /* int3 */
4691 rc = emulate_int(ctxt, 3);
4693 case 0xcd: /* int n */
4694 rc = emulate_int(ctxt, ctxt->src.val);
4696 case 0xce: /* into */
4697 if (ctxt->eflags & EFLG_OF)
4698 rc = emulate_int(ctxt, 4);
4700 case 0xe9: /* jmp rel */
4701 case 0xeb: /* jmp rel short */
4702 jmp_rel(ctxt, ctxt->src.val);
4703 ctxt->dst.type = OP_NONE; /* Disable writeback. */
4705 case 0xf4: /* hlt */
4706 ctxt->ops->halt(ctxt);
4708 case 0xf5: /* cmc */
4709 /* complement carry flag from eflags reg */
4710 ctxt->eflags ^= EFLG_CF;
4712 case 0xf8: /* clc */
4713 ctxt->eflags &= ~EFLG_CF;
4715 case 0xf9: /* stc */
4716 ctxt->eflags |= EFLG_CF;
4718 case 0xfc: /* cld */
4719 ctxt->eflags &= ~EFLG_DF;
4721 case 0xfd: /* std */
4722 ctxt->eflags |= EFLG_DF;
4725 goto cannot_emulate;
4728 if (rc != X86EMUL_CONTINUE)
4732 rc = writeback(ctxt);
4733 if (rc != X86EMUL_CONTINUE)
4737 * restore dst type in case the decoding will be reused
4738 * (happens for string instruction )
4740 ctxt->dst.type = saved_dst_type;
4742 if ((ctxt->d & SrcMask) == SrcSI)
4743 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
4745 if ((ctxt->d & DstMask) == DstDI)
4746 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
4748 if (ctxt->rep_prefix && (ctxt->d & String)) {
4750 struct read_cache *r = &ctxt->io_read;
4751 if ((ctxt->d & SrcMask) == SrcSI)
4752 count = ctxt->src.count;
4754 count = ctxt->dst.count;
4755 register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX),
4758 if (!string_insn_completed(ctxt)) {
4760 * Re-enter guest when pio read ahead buffer is empty
4761 * or, if it is not used, after each 1024 iteration.
4763 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
4764 (r->end == 0 || r->end != r->pos)) {
4766 * Reset read cache. Usually happens before
4767 * decode, but since instruction is restarted
4768 * we have to do it here.
4770 ctxt->mem_read.end = 0;
4771 writeback_registers(ctxt);
4772 return EMULATION_RESTART;
4774 goto done; /* skip rip writeback */
4778 ctxt->eip = ctxt->_eip;
4781 if (rc == X86EMUL_PROPAGATE_FAULT)
4782 ctxt->have_exception = true;
4783 if (rc == X86EMUL_INTERCEPTED)
4784 return EMULATION_INTERCEPTED;
4786 if (rc == X86EMUL_CONTINUE)
4787 writeback_registers(ctxt);
4789 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
4793 case 0x09: /* wbinvd */
4794 (ctxt->ops->wbinvd)(ctxt);
4796 case 0x08: /* invd */
4797 case 0x0d: /* GrpP (prefetch) */
4798 case 0x18: /* Grp16 (prefetch/nop) */
4800 case 0x20: /* mov cr, reg */
4801 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
4803 case 0x21: /* mov from dr to reg */
4804 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
4806 case 0x40 ... 0x4f: /* cmov */
4807 ctxt->dst.val = ctxt->dst.orig_val = ctxt->src.val;
4808 if (!test_cc(ctxt->b, ctxt->eflags))
4809 ctxt->dst.type = OP_NONE; /* no writeback */
4811 case 0x80 ... 0x8f: /* jnz rel, etc*/
4812 if (test_cc(ctxt->b, ctxt->eflags))
4813 jmp_rel(ctxt, ctxt->src.val);
4815 case 0x90 ... 0x9f: /* setcc r/m8 */
4816 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
4818 case 0xae: /* clflush */
4820 case 0xb6 ... 0xb7: /* movzx */
4821 ctxt->dst.bytes = ctxt->op_bytes;
4822 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
4823 : (u16) ctxt->src.val;
4825 case 0xbe ... 0xbf: /* movsx */
4826 ctxt->dst.bytes = ctxt->op_bytes;
4827 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
4828 (s16) ctxt->src.val;
4830 case 0xc0 ... 0xc1: /* xadd */
4831 fastop(ctxt, em_add);
4832 /* Write back the register source. */
4833 ctxt->src.val = ctxt->dst.orig_val;
4834 write_register_operand(&ctxt->src);
4836 case 0xc3: /* movnti */
4837 ctxt->dst.bytes = ctxt->op_bytes;
4838 ctxt->dst.val = (ctxt->op_bytes == 4) ? (u32) ctxt->src.val :
4839 (u64) ctxt->src.val;
4842 goto cannot_emulate;
4845 if (rc != X86EMUL_CONTINUE)
4851 return EMULATION_FAILED;
4854 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
4856 invalidate_registers(ctxt);
4859 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
4861 writeback_registers(ctxt);
projects / firefly-linux-kernel-4.4.55.git / blob