/******************************************************************************
 *
 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
 *
 * Copyright (c) 2005 Keir Fraser
 *
 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
 * privileged instructions:
 *
 * Copyright (C) 2006 Qumranet
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 *   Avi Kivity <avi@qumranet.com>
 *   Yaniv Kamay <yaniv@qumranet.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2. See
 * the COPYING file in the top-level directory.
 *
 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
 */

#ifndef __KERNEL__
#include <public/xen.h>
#define DPRINTF(_f, _a ...) printf(_f , ## _a)
#else
#include <linux/kvm_host.h>
#include "kvm_cache_regs.h"
#define DPRINTF(x...) do {} while (0)
#endif
#include <linux/module.h>
#include <asm/kvm_emulate.h>
/*
 * Opcode effective-address decode tables.
 * Note that we only emulate instructions that have at least one memory
 * operand (excluding implicit stack references). We assume that stack
 * references and instruction fetches will never occur in special memory
 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
 * not be handled.
 */
/* Operand sizes: 8-bit operands or specified/overridden size. */
#define ByteOp      (1<<0)	/* 8-bit operands. */
/* Destination operand type. */
#define ImplicitOps (1<<1)	/* Implicit in opcode. No generic decode. */
#define DstReg      (2<<1)	/* Register operand. */
#define DstMem      (3<<1)	/* Memory operand. */
#define DstAcc      (4<<1)	/* Destination Accumulator */
#define DstDI       (5<<1)	/* Destination is in ES:(E)DI */
#define DstMem64    (6<<1)	/* 64bit memory operand */
#define DstMask     (7<<1)
/* Source operand type. */
#define SrcNone     (0<<4)	/* No source operand. */
#define SrcImplicit (0<<4)	/* Source operand is implicit in the opcode. */
#define SrcReg      (1<<4)	/* Register operand. */
#define SrcMem      (2<<4)	/* Memory operand. */
#define SrcMem16    (3<<4)	/* Memory operand (16-bit). */
#define SrcMem32    (4<<4)	/* Memory operand (32-bit). */
#define SrcImm      (5<<4)	/* Immediate operand. */
#define SrcImmByte  (6<<4)	/* 8-bit sign-extended immediate operand. */
#define SrcOne      (7<<4)	/* Implied '1' */
#define SrcImmUByte (8<<4)	/* 8-bit unsigned immediate operand. */
#define SrcImmU     (9<<4)	/* Immediate operand, unsigned */
#define SrcSI       (0xa<<4)	/* Source is in the DS:RSI */
#define SrcImmFAddr (0xb<<4)	/* Source is immediate far address */
#define SrcMemFAddr (0xc<<4)	/* Source is far address in memory */
#define SrcAcc      (0xd<<4)	/* Source Accumulator */
#define SrcMask     (0xf<<4)
/* Generic ModRM decode. */
#define ModRM       (1<<8)
/* Destination is only written; never read. */
#define Mov         (1<<9)
#define BitOp       (1<<10)
#define MemAbs      (1<<11)	/* Memory operand is absolute displacement */
#define String      (1<<12)	/* String instruction (rep capable) */
#define Stack       (1<<13)	/* Stack instruction (push/pop) */
#define Group       (1<<14)	/* Bits 3:5 of modrm byte extend opcode */
#define GroupDual   (1<<15)	/* Alternate decoding of mod == 3 */
/* Misc flags */
#define Undefined   (1<<25)	/* No Such Instruction */
#define Lock        (1<<26)	/* lock prefix is allowed for the instruction */
#define Priv        (1<<27)	/* instruction generates #GP if current CPL != 0 */
#define No64        (1<<28)
/* Source 2 operand type */
#define Src2None    (0<<29)
#define Src2CL      (1<<29)
#define Src2ImmByte (2<<29)
#define Src2One     (3<<29)
#define Src2Mask    (7<<29)
#define X2(x...) x, x
#define X3(x...) X2(x), x
#define X4(x...) X2(x), X2(x)
#define X5(x...) X4(x), x
#define X6(x...) X4(x), X2(x)
#define X7(x...) X4(x), X3(x)
#define X8(x...) X4(x), X4(x)
#define X16(x...) X8(x), X8(x)
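
/*
 * These macros replicate a table initializer N times, e.g.
 *	X8(I(SrcReg | Stack, em_push))
 * expands to eight identical I(SrcReg | Stack, em_push) entries, one
 * table slot for each of the 0x50..0x57 push-register opcodes below.
 */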
struct opcode {
	u32 flags;
	union {
		int (*execute)(struct x86_emulate_ctxt *ctxt);
		struct opcode *group;
		struct group_dual *gdual;
	} u;
};

struct group_dual {
	struct opcode mod012[8];
	struct opcode mod3[8];
};
/* EFLAGS bit definitions. */
#define EFLG_ID (1<<21)
#define EFLG_VIP (1<<20)
#define EFLG_VIF (1<<19)
#define EFLG_AC (1<<18)
#define EFLG_VM (1<<17)
#define EFLG_RF (1<<16)
#define EFLG_IOPL (3<<12)
#define EFLG_NT (1<<14)
#define EFLG_OF (1<<11)
#define EFLG_DF (1<<10)
#define EFLG_IF (1<<9)
#define EFLG_TF (1<<8)
#define EFLG_SF (1<<7)
#define EFLG_ZF (1<<6)
#define EFLG_AF (1<<4)
#define EFLG_PF (1<<2)
#define EFLG_CF (1<<0)

#define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
#define EFLG_RESERVED_ONE_MASK 2
/*
 * Instruction emulation:
 * Most instructions are emulated directly via a fragment of inline assembly
 * code. This allows us to save/restore EFLAGS and thus very easily pick up
 * any modified flags.
 */

#if defined(CONFIG_X86_64)
#define _LO32 "k"		/* force 32-bit operand */
#define _STK  "%%rsp"		/* stack pointer */
#elif defined(__i386__)
#define _LO32 ""		/* force 32-bit operand */
#define _STK  "%%esp"		/* stack pointer */
#endif

/*
 * These EFLAGS bits are restored from saved value during emulation, and
 * any changes are written back to the saved value after emulation.
 */
#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
/* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp) \
	/* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
	"movl %"_sav",%"_LO32 _tmp"; " \
	"push %"_tmp"; " \
	"push %"_tmp"; " \
	"movl %"_msk",%"_LO32 _tmp"; " \
	"andl %"_LO32 _tmp",("_STK"); " \
	"pushf; " \
	"notl %"_LO32 _tmp"; " \
	"andl %"_LO32 _tmp",("_STK"); " \
	"andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
	"pop  %"_tmp"; " \
	"orl  %"_LO32 _tmp",("_STK"); " \
	"popf; " \
	"pop  %"_sav"; "
/* After executing instruction: write-back necessary bits in EFLAGS. */
#define _POST_EFLAGS(_sav, _msk, _tmp) \
	/* _sav |= EFLAGS & _msk; */ \
	"pushf; " \
	"pop  %"_LO32 _tmp"; " \
	"andl %"_msk",%"_LO32 _tmp"; " \
	"orl  %"_LO32 _tmp",%"_sav"; "
#define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
	do { \
		__asm__ __volatile__ ( \
			_PRE_EFLAGS("0", "4", "2") \
			_op _suffix " %"_x"3,%1; " \
			_POST_EFLAGS("0", "4", "2") \
			: "=m" (_eflags), "=m" ((_dst).val), \
			  "=&r" (_tmp) \
			: _y ((_src).val), "i" (EFLAGS_MASK)); \
	} while (0)
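
/*
 * For example, emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags) on a
 * 4-byte destination expands to roughly:
 *
 *	restore the guest's EFLAGS_MASK bits via _PRE_EFLAGS;
 *	addl %src,%dst;
 *	capture the resulting flags via _POST_EFLAGS;
 *
 * so the host CPU computes both the result and the guest-visible flags.
 */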
/* Raw emulation: instruction has two explicit operands. */
#define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
	do { \
		unsigned long _tmp; \
		switch ((_dst).bytes) { \
		case 2: ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); break; \
		case 4: ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); break; \
		case 8: ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); break; \
		} \
	} while (0)
#define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
	do { \
		unsigned long _tmp; \
		switch ((_dst).bytes) { \
		case 1: ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); break; \
		default: \
			__emulate_2op_nobyte(_op, _src, _dst, _eflags, \
					     _wx, _wy, _lx, _ly, _qx, _qy); \
			break; \
		} \
	} while (0)
/* Source operand is byte-sized and may be restricted to just %cl. */
#define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
	__emulate_2op(_op, _src, _dst, _eflags, \
		      "b", "c", "b", "c", "b", "c", "b", "c")

/* Source operand is byte, word, long or quad sized. */
#define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
	__emulate_2op(_op, _src, _dst, _eflags, \
		      "b", "q", "w", "r", _LO32, "r", "", "r")

/* Source operand is word, long or quad sized. */
#define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
	__emulate_2op_nobyte(_op, _src, _dst, _eflags, \
			     "w", "r", _LO32, "r", "", "r")
/* Instruction has three operands and one operand is stored in ECX register */
#define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
	do { \
		unsigned long _tmp; \
		_type _clv  = (_cl).val; \
		_type _srcv = (_src).val; \
		_type _dstv = (_dst).val; \
		\
		__asm__ __volatile__ ( \
			_PRE_EFLAGS("0", "5", "2") \
			_op _suffix " %4,%1 \n" \
			_POST_EFLAGS("0", "5", "2") \
			: "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
			: "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
			); \
		\
		(_cl).val  = (unsigned long) _clv; \
		(_src).val = (unsigned long) _srcv; \
		(_dst).val = (unsigned long) _dstv; \
	} while (0)
#define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
	do { \
		switch ((_dst).bytes) { \
		case 2: \
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					 "w", unsigned short); \
			break; \
		case 4: \
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					 "l", unsigned int); \
			break; \
		case 8: \
			ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					      "q", unsigned long)); \
			break; \
		} \
	} while (0)
#define __emulate_1op(_op, _dst, _eflags, _suffix) \
	do { \
		unsigned long _tmp; \
		\
		__asm__ __volatile__ ( \
			_PRE_EFLAGS("0", "3", "2") \
			_op _suffix " %1; " \
			_POST_EFLAGS("0", "3", "2") \
			: "=m" (_eflags), "+m" ((_dst).val), \
			  "=&r" (_tmp) \
			: "i" (EFLAGS_MASK)); \
	} while (0)
/* Instruction has only one explicit operand (no source operand). */
#define emulate_1op(_op, _dst, _eflags) \
	do { \
		switch ((_dst).bytes) { \
		case 1:	__emulate_1op(_op, _dst, _eflags, "b"); break; \
		case 2:	__emulate_1op(_op, _dst, _eflags, "w"); break; \
		case 4:	__emulate_1op(_op, _dst, _eflags, "l"); break; \
		case 8:	ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
		} \
	} while (0)
/* Fetch next part of the instruction being emulated. */
#define insn_fetch(_type, _size, _eip) \
({	unsigned long _x; \
	rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
	if (rc != X86EMUL_CONTINUE) \
		goto done; \
	(_eip) += (_size); \
	(_type) _x; \
})

#define insn_fetch_arr(_arr, _size, _eip) \
({	rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
	if (rc != X86EMUL_CONTINUE) \
		goto done; \
	(_eip) += (_size); \
})
static inline unsigned long ad_mask(struct decode_cache *c)
{
	return (1UL << (c->ad_bytes << 3)) - 1;
}
/* Access/update address held in a register, based on addressing mode. */
static inline unsigned long
address_mask(struct decode_cache *c, unsigned long reg)
{
	if (c->ad_bytes == sizeof(unsigned long))
		return reg;
	else
		return reg & ad_mask(c);
}

static inline unsigned long
register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
{
	return base + address_mask(c, reg);
}

static inline void
register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
{
	if (c->ad_bytes == sizeof(unsigned long))
		*reg += inc;
	else
		*reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
}
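
/*
 * The masked update preserves the untouched high bits: with ad_bytes == 2
 * (16-bit addressing) and *reg == 0x1234ffff, an inc of 1 yields
 * 0x12340000, i.e. only the low 16 bits wrap, as on real hardware.
 */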
static inline void jmp_rel(struct decode_cache *c, int rel)
{
	register_address_increment(c, &c->eip, rel);
}

static void set_seg_override(struct decode_cache *c, int seg)
{
	c->has_seg_override = true;
	c->seg_override = seg;
}
static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
		return 0;

	return ops->get_cached_segment_base(seg, ctxt->vcpu);
}

static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
				       struct x86_emulate_ops *ops,
				       struct decode_cache *c)
{
	if (!c->has_seg_override)
		return 0;

	return seg_base(ctxt, ops, c->seg_override);
}

static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_ES);
}

static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_SS);
}
static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
			      u32 error, bool valid)
{
	ctxt->exception = vec;
	ctxt->error_code = error;
	ctxt->error_code_valid = valid;
	ctxt->restart = false;
}

static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, GP_VECTOR, err, true);
}

static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
		       u32 err)
{
	ctxt->cr2 = addr;
	emulate_exception(ctxt, PF_VECTOR, err, true);
}

static void emulate_ud(struct x86_emulate_ctxt *ctxt)
{
	emulate_exception(ctxt, UD_VECTOR, 0, false);
}

static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, TS_VECTOR, err, true);
}
static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops,
			      unsigned long eip, u8 *dest)
{
	struct fetch_cache *fc = &ctxt->decode.fetch;
	int rc;
	int size, cur_size;

	if (eip == fc->end) {
		cur_size = fc->end - fc->start;
		size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
		rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
				size, ctxt->vcpu, NULL);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		fc->end += size;
	}
	*dest = fc->data[eip - fc->start];
	return X86EMUL_CONTINUE;
}
static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long eip, void *dest, unsigned size)
{
	int rc;

	/* x86 instructions are limited to 15 bytes. */
	if (eip + size - ctxt->eip > 15)
		return X86EMUL_UNHANDLEABLE;
	while (size--) {
		rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
		if (rc != X86EMUL_CONTINUE)
			return rc;
	}
	return X86EMUL_CONTINUE;
}
/*
 * Given the 'reg' portion of a ModRM byte, and a register block, return a
 * pointer into the block that addresses the relevant register.
 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
 */
static void *decode_register(u8 modrm_reg, unsigned long *regs,
			     int highbyte_regs)
{
	void *p;

	p = &regs[modrm_reg];
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
		p = (unsigned char *)&regs[modrm_reg & 3] + 1;
	return p;
}
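
/*
 * For example, with highbyte_regs set, modrm_reg == 4 (AH) resolves to
 * byte 1 of regs[VCPU_REGS_RAX], i.e. bits 8..15 of RAX, matching the
 * legacy AH/CH/DH/BH encodings that are only reachable without a REX
 * prefix.
 */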
static int read_descriptor(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   ulong addr,
			   u16 *size, unsigned long *address, int op_bytes)
{
	int rc;

	if (op_bytes == 2)
		op_bytes = 3;
	*address = 0;
	rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
	return rc;
}
static int test_cc(unsigned int condition, unsigned int flags)
{
	int rc = 0;

	switch ((condition & 15) >> 1) {
	case 0: /* o */
		rc |= (flags & EFLG_OF);
		break;
	case 1: /* b/c/nae */
		rc |= (flags & EFLG_CF);
		break;
	case 2: /* z/e */
		rc |= (flags & EFLG_ZF);
		break;
	case 3: /* be/na */
		rc |= (flags & (EFLG_CF|EFLG_ZF));
		break;
	case 4: /* s */
		rc |= (flags & EFLG_SF);
		break;
	case 5: /* p/pe */
		rc |= (flags & EFLG_PF);
		break;
	case 7: /* le/ng */
		rc |= (flags & EFLG_ZF);
		/* fall through */
	case 6: /* l/nge */
		rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
		break;
	}

	/* Odd condition identifiers (lsb == 1) have inverted sense. */
	return (!!rc ^ (condition & 1));
}
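
/*
 * Example: for 'jne' (opcode 0x75, condition 0x5), (condition & 15) >> 1
 * selects case 2 (ZF) and the odd low bit inverts the sense, so the
 * branch is taken exactly when ZF is clear.
 */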
static void decode_register_operand(struct operand *op,
				    struct decode_cache *c,
				    int inhibit_bytereg)
{
	unsigned reg = c->modrm_reg;
	int highbyte_regs = c->rex_prefix == 0;

	if (!(c->d & ModRM))
		reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
	op->type = OP_REG;
	if ((c->d & ByteOp) && !inhibit_bytereg) {
		op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
		op->val = *(u8 *)op->addr.reg;
		op->bytes = 1;
	} else {
		op->addr.reg = decode_register(reg, c->regs, 0);
		op->bytes = c->op_bytes;
		switch (op->bytes) {
		case 2:
			op->val = *(u16 *)op->addr.reg;
			break;
		case 4:
			op->val = *(u32 *)op->addr.reg;
			break;
		case 8:
			op->val = *(u64 *) op->addr.reg;
			break;
		}
	}
	op->orig_val = op->val;
}
static int decode_modrm(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u8 sib;
	int index_reg = 0, base_reg = 0, scale;
	int rc = X86EMUL_CONTINUE;

	if (c->rex_prefix) {
		c->modrm_reg = (c->rex_prefix & 4) << 1;	/* REX.R */
		index_reg = (c->rex_prefix & 2) << 2;		/* REX.X */
		c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REX.B */
	}

	c->modrm = insn_fetch(u8, 1, c->eip);
	c->modrm_mod |= (c->modrm & 0xc0) >> 6;
	c->modrm_reg |= (c->modrm & 0x38) >> 3;
	c->modrm_rm |= (c->modrm & 0x07);
	c->modrm_ea = 0;
	c->use_modrm_ea = 1;
	c->modrm_seg = VCPU_SREG_DS;

	if (c->modrm_mod == 3) {
		c->modrm_ptr = decode_register(c->modrm_rm,
					       c->regs, c->d & ByteOp);
		c->modrm_val = *(unsigned long *)c->modrm_ptr;
		return rc;
	}

	if (c->ad_bytes == 2) {
		unsigned bx = c->regs[VCPU_REGS_RBX];
		unsigned bp = c->regs[VCPU_REGS_RBP];
		unsigned si = c->regs[VCPU_REGS_RSI];
		unsigned di = c->regs[VCPU_REGS_RDI];

		/* 16-bit ModR/M decode. */
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 6)
				c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		}
		switch (c->modrm_rm) {
		case 0:
			c->modrm_ea += bx + si;
			break;
		case 1:
			c->modrm_ea += bx + di;
			break;
		case 2:
			c->modrm_ea += bp + si;
			break;
		case 3:
			c->modrm_ea += bp + di;
			break;
		case 4:
			c->modrm_ea += si;
			break;
		case 5:
			c->modrm_ea += di;
			break;
		case 6:
			if (c->modrm_mod != 0)
				c->modrm_ea += bp;
			break;
		case 7:
			c->modrm_ea += bx;
			break;
		}
		if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
		    (c->modrm_rm == 6 && c->modrm_mod != 0))
			c->modrm_seg = VCPU_SREG_SS;
		c->modrm_ea = (u16)c->modrm_ea;
	} else {
		/* 32/64-bit ModR/M decode. */
		if ((c->modrm_rm & 7) == 4) {
			sib = insn_fetch(u8, 1, c->eip);
			index_reg |= (sib >> 3) & 7;
			base_reg |= sib & 7;
			scale = sib >> 6;

			if ((base_reg & 7) == 5 && c->modrm_mod == 0)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			else
				c->modrm_ea += c->regs[base_reg];
			if (index_reg != 4)
				c->modrm_ea += c->regs[index_reg] << scale;
		} else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
			if (ctxt->mode == X86EMUL_MODE_PROT64)
				c->rip_relative = 1;
		} else
			c->modrm_ea += c->regs[c->modrm_rm];
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 5)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		}
	}
done:
	return rc;
}
static int decode_abs(struct x86_emulate_ctxt *ctxt,
		      struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;

	switch (c->ad_bytes) {
	case 2:
		c->modrm_ea = insn_fetch(u16, 2, c->eip);
		break;
	case 4:
		c->modrm_ea = insn_fetch(u32, 4, c->eip);
		break;
	case 8:
		c->modrm_ea = insn_fetch(u64, 8, c->eip);
		break;
	}
done:
	return rc;
}
static int read_emulated(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long addr, void *dest, unsigned size)
{
	int rc;
	struct read_cache *mc = &ctxt->decode.mem_read;
	u32 err;

	while (size) {
		int n = min(size, 8u);
		size -= n;
		if (mc->pos < mc->end)
			goto read_cached;

		rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt, addr, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		mc->end += n;

	read_cached:
		memcpy(dest, mc->data + mc->pos, n);
		mc->pos += n;
		dest += n;
		addr += n;
	}
	return X86EMUL_CONTINUE;
}
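
/*
 * Reads are staged through the mem_read cache in chunks of up to 8 bytes;
 * when emulation of an instruction is restarted, bytes already fetched
 * are replayed from mc->data rather than re-read, so a completed MMIO
 * read is never issued twice.
 */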
static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   unsigned int size, unsigned short port,
			   void *dest)
{
	struct read_cache *rc = &ctxt->decode.io_read;

	if (rc->pos == rc->end) { /* refill pio read ahead */
		struct decode_cache *c = &ctxt->decode;
		unsigned int in_page, n;
		unsigned int count = c->rep_prefix ?
			address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
		in_page = (ctxt->eflags & EFLG_DF) ?
			offset_in_page(c->regs[VCPU_REGS_RDI]) :
			PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
		n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
			count);
		if (n == 0)
			n = 1;
		rc->pos = rc->end = 0;
		if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
			return 0;
		rc->end = n * size;
	}

	memcpy(dest, rc->data + rc->pos, size);
	rc->pos += size;
	return 1;
}
static u32 desc_limit_scaled(struct desc_struct *desc)
{
	u32 limit = get_desc_limit(desc);

	return desc->g ? (limit << 12) | 0xfff : limit;
}
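
/*
 * E.g. a descriptor with limit 0xfffff and G=1 scales to
 * (0xfffff << 12) | 0xfff == 0xffffffff, i.e. a 4GB segment.
 */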
static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
				     struct x86_emulate_ops *ops,
				     u16 selector, struct desc_ptr *dt)
{
	if (selector & 1 << 2) {
		struct desc_struct desc;
		memset(dt, 0, sizeof *dt);
		if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
			return;

		dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
		dt->address = get_desc_base(&desc);
	} else
		ops->get_gdt(dt, ctxt->vcpu);
}
/* allowed just for 8 bytes segments */
static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}
	addr = dt.address + index * 8;
	ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}
/* allowed just for 8 bytes segments */
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				    struct x86_emulate_ops *ops,
				    u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	u32 err;
	ulong addr;
	int ret;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	addr = dt.address + index * 8;
	ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}
static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, int seg)
{
	struct desc_struct seg_desc;
	u8 dpl, rpl, cpl;
	unsigned err_vec = GP_VECTOR;
	u32 err_code = 0;
	bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
	int ret;

	memset(&seg_desc, 0, sizeof seg_desc);

	if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
	    || ctxt->mode == X86EMUL_MODE_REAL) {
		/* set real mode segment descriptor */
		set_desc_base(&seg_desc, selector << 4);
		set_desc_limit(&seg_desc, 0xffff);
		seg_desc.type = 3;
		seg_desc.p = 1;
		seg_desc.s = 1;
		goto load;
	}

	/* NULL selector is not valid for TR, CS and SS */
	if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
	    && null_selector)
		goto exception;

	/* TR should be in GDT only */
	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
		goto exception;

	if (null_selector) /* for NULL selector skip all following checks */
		goto load;

	ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	err_code = selector & 0xfffc;

	/* can't load system descriptor into segment selector */
	if (seg <= VCPU_SREG_GS && !seg_desc.s)
		goto exception;

	if (!seg_desc.p) {
		err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
		goto exception;
	}

	rpl = selector & 3;
	dpl = seg_desc.dpl;
	cpl = ops->cpl(ctxt->vcpu);

	switch (seg) {
	case VCPU_SREG_SS:
		/*
		 * segment is not a writable data segment or segment
		 * selector's RPL != CPL or segment descriptor's DPL != CPL
		 */
		if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
			goto exception;
		break;
	case VCPU_SREG_CS:
		if (!(seg_desc.type & 8))
			goto exception;

		if (seg_desc.type & 4) {
			/* conforming */
			if (dpl > cpl)
				goto exception;
		} else {
			/* nonconforming */
			if (rpl > cpl || dpl != cpl)
				goto exception;
		}
		/* CS(RPL) <- CPL */
		selector = (selector & 0xfffc) | cpl;
		break;
	case VCPU_SREG_TR:
		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
			goto exception;
		break;
	case VCPU_SREG_LDTR:
		if (seg_desc.s || seg_desc.type != 2)
			goto exception;
		break;
	default: /* DS, ES, FS, or GS */
		/*
		 * segment is not a data or readable code segment or
		 * ((segment is a data or nonconforming code segment)
		 * and (both RPL and CPL > DPL))
		 */
		if ((seg_desc.type & 0xa) == 0x8 ||
		    (((seg_desc.type & 0xc) != 0xc) &&
		     (rpl > dpl && cpl > dpl)))
			goto exception;
		break;
	}

	if (seg_desc.s) {
		/* mark segment as accessed */
		seg_desc.type |= 1;
		ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}
load:
	ops->set_segment_selector(selector, seg, ctxt->vcpu);
	ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
	return X86EMUL_CONTINUE;
exception:
	emulate_exception(ctxt, err_vec, err_code, true);
	return X86EMUL_PROPAGATE_FAULT;
}
static inline int writeback(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops)
{
	int rc;
	struct decode_cache *c = &ctxt->decode;
	u32 err;

	switch (c->dst.type) {
	case OP_REG:
		/* The 4-byte case *is* correct:
		 * in 64-bit mode we zero-extend.
		 */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *)c->dst.addr.reg = (u8)c->dst.val;
			break;
		case 2:
			*(u16 *)c->dst.addr.reg = (u16)c->dst.val;
			break;
		case 4:
			*c->dst.addr.reg = (u32)c->dst.val;
			break;	/* 64b: zero-ext */
		case 8:
			*c->dst.addr.reg = c->dst.val;
			break;
		}
		break;
	case OP_MEM:
		if (c->lock_prefix)
			rc = ops->cmpxchg_emulated(c->dst.addr.mem,
						   &c->dst.orig_val,
						   &c->dst.val, c->dst.bytes,
						   &err, ctxt->vcpu);
		else
			rc = ops->write_emulated(c->dst.addr.mem, &c->dst.val,
						 c->dst.bytes, &err, ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt, c->dst.addr.mem, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		break;
	case OP_NONE:
		/* no writeback */
		break;
	default:
		break;
	}
	return X86EMUL_CONTINUE;
}
static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	c->dst.type  = OP_MEM;
	c->dst.bytes = c->op_bytes;
	c->dst.val = c->src.val;
	register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
	c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
					   c->regs[VCPU_REGS_RSP]);
}
static int emulate_pop(struct x86_emulate_ctxt *ctxt,
		       struct x86_emulate_ops *ops,
		       void *dest, int len)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;

	rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
						       c->regs[VCPU_REGS_RSP]),
			   dest, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
	return rc;
}
static int emulate_popf(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops,
			void *dest, int len)
{
	int rc;
	unsigned long val, change_mask;
	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	int cpl = ops->cpl(ctxt->vcpu);

	rc = emulate_pop(ctxt, ops, &val, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
		| EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;

	switch(ctxt->mode) {
	case X86EMUL_MODE_PROT64:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT16:
		if (cpl == 0)
			change_mask |= EFLG_IOPL;
		if (cpl <= iopl)
			change_mask |= EFLG_IF;
		break;
	case X86EMUL_MODE_VM86:
		if (iopl < 3) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		change_mask |= EFLG_IF;
		break;
	default: /* real mode */
		change_mask |= (EFLG_IOPL | EFLG_IF);
		break;
	}

	*(unsigned long *)dest =
		(ctxt->eflags & ~change_mask) | (val & change_mask);

	return rc;
}
static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;

	c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);

	emulate_push(ctxt, ops);
}

static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long selector;
	int rc;

	rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
	return rc;
}
static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long old_esp = c->regs[VCPU_REGS_RSP];
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RAX;

	while (reg <= VCPU_REGS_RDI) {
		(reg == VCPU_REGS_RSP) ?
		(c->src.val = old_esp) : (c->src.val = c->regs[reg]);

		emulate_push(ctxt, ops);

		rc = writeback(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			return rc;

		++reg;
	}

	/* Disable writeback. */
	c->dst.type = OP_NONE;

	return rc;
}
static int emulate_popa(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RDI;

	while (reg >= VCPU_REGS_RAX) {
		if (reg == VCPU_REGS_RSP) {
			register_address_increment(c, &c->regs[VCPU_REGS_RSP],
						   c->op_bytes);
			--reg;
			continue;
		}

		rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			break;
		--reg;
	}
	return rc;
}
static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	unsigned long temp_eip = 0;
	unsigned long temp_eflags = 0;
	unsigned long cs = 0;
	unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
			     EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
			     EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
	unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;

	/* TODO: Add stack limit check */

	rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	if (temp_eip & ~0xffff) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	c->eip = temp_eip;

	if (c->op_bytes == 4)
		ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
	else if (c->op_bytes == 2) {
		ctxt->eflags &= ~0xffff;
		ctxt->eflags |= temp_eflags;
	}

	ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
	ctxt->eflags |= EFLG_RESERVED_ONE_MASK;

	return rc;
}
static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	switch(ctxt->mode) {
	case X86EMUL_MODE_REAL:
		return emulate_iret_real(ctxt, ops);
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT64:
	default:
		/* iret from protected mode unimplemented yet */
		return X86EMUL_UNHANDLEABLE;
	}
}
static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
}
static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
{
	struct decode_cache *c = &ctxt->decode;
	switch (c->modrm_reg) {
	case 0:	/* rol */
		emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
		break;
	case 1:	/* ror */
		emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* rcl */
		emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
		break;
	case 3:	/* rcr */
		emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
		break;
	case 4:	/* sal/shl */
	case 6:	/* sal/shl */
		emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
		break;
	case 5:	/* shr */
		emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
		break;
	case 7:	/* sar */
		emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
		break;
	}
}
static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0 ... 1:	/* test */
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* not */
		c->dst.val = ~c->dst.val;
		break;
	case 3:	/* neg */
		emulate_1op("neg", c->dst, ctxt->eflags);
		break;
	default:
		return 0;
	}
	return 1;
}
static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0:	/* inc */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 1:	/* dec */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 2: /* call near abs */ {
		long int old_eip;
		old_eip = c->eip;
		c->eip = c->src.val;
		c->src.val = old_eip;
		emulate_push(ctxt, ops);
		break;
	}
	case 4: /* jmp abs */
		c->eip = c->src.val;
		break;
	case 6:	/* push */
		emulate_push(ctxt, ops);
		break;
	}
	return X86EMUL_CONTINUE;
}
static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u64 old = c->dst.orig_val64;

	if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
	    ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
		c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
		c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
		ctxt->eflags &= ~EFLG_ZF;
	} else {
		c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
			(u32) c->regs[VCPU_REGS_RBX];

		ctxt->eflags |= EFLG_ZF;
	}
	return X86EMUL_CONTINUE;
}
static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;
	unsigned long cs;

	rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	if (c->op_bytes == 4)
		c->eip = (u32)c->eip;
	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
	return rc;
}
static inline void
setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops, struct desc_struct *cs,
			struct desc_struct *ss)
{
	memset(cs, 0, sizeof(struct desc_struct));
	ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
	memset(ss, 0, sizeof(struct desc_struct));

	cs->l = 0;		/* will be adjusted later */
	set_desc_base(cs, 0);	/* flat segment */
	cs->g = 1;		/* 4kb granularity */
	set_desc_limit(cs, 0xfffff);	/* 4GB limit */
	cs->type = 0x0b;	/* Read, Execute, Accessed */
	cs->s = 1;
	cs->dpl = 0;		/* will be adjusted later */
	cs->p = 1;
	cs->d = 1;

	set_desc_base(ss, 0);	/* flat segment */
	set_desc_limit(ss, 0xfffff);	/* 4GB limit */
	ss->g = 1;		/* 4kb granularity */
	ss->s = 1;
	ss->type = 0x03;	/* Read/Write, Accessed */
	ss->d = 1;		/* 32bit stack segment */
	ss->dpl = 0;
	ss->p = 1;
}
static int
emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* syscall is not available in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
	msr_data >>= 32;
	cs_sel = (u16)(msr_data & 0xfffc);
	ss_sel = (u16)(msr_data + 8);

	if (is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}
	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->regs[VCPU_REGS_RCX] = c->eip;
	if (is_long_mode(ctxt->vcpu)) {
#ifdef CONFIG_X86_64
		c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;

		ops->get_msr(ctxt->vcpu,
			     ctxt->mode == X86EMUL_MODE_PROT64 ?
			     MSR_LSTAR : MSR_CSTAR, &msr_data);
		c->eip = msr_data;

		ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
		ctxt->eflags &= ~(msr_data | EFLG_RF);
#endif
	} else {
		/* legacy mode */
		ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
		c->eip = (u32)msr_data;

		ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	}

	return X86EMUL_CONTINUE;
}
static int
emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	/* XXX sysenter/sysexit have not been tested in 64bit mode.
	 * Therefore, we inject an #UD.
	 */
	if (ctxt->mode == X86EMUL_MODE_PROT64) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT32:
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	case X86EMUL_MODE_PROT64:
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	}

	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	cs_sel = (u16)msr_data;
	cs_sel &= ~SELECTOR_RPL_MASK;
	ss_sel = cs_sel + 8;
	ss_sel &= ~SELECTOR_RPL_MASK;
	if (ctxt->mode == X86EMUL_MODE_PROT64
	    || is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
	c->eip = msr_data;

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
	c->regs[VCPU_REGS_RSP] = msr_data;

	return X86EMUL_CONTINUE;
}
static int
emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	int usermode;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode or Virtual 8086 mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	if ((c->rex_prefix & 0x8) != 0x0)
		usermode = X86EMUL_MODE_PROT64;
	else
		usermode = X86EMUL_MODE_PROT32;

	cs.dpl = 3;
	ss.dpl = 3;
	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (usermode) {
	case X86EMUL_MODE_PROT32:
		cs_sel = (u16)(msr_data + 16);
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = (u16)(msr_data + 24);
		break;
	case X86EMUL_MODE_PROT64:
		cs_sel = (u16)(msr_data + 32);
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = cs_sel + 8;
		cs.d = 0;
		cs.l = 1;
		break;
	}
	cs_sel |= SELECTOR_RPL_MASK;
	ss_sel |= SELECTOR_RPL_MASK;

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->eip = c->regs[VCPU_REGS_RDX];
	c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];

	return X86EMUL_CONTINUE;
}
static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops)
{
	int iopl;
	if (ctxt->mode == X86EMUL_MODE_REAL)
		return false;
	if (ctxt->mode == X86EMUL_MODE_VM86)
		return true;
	iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	return ops->cpl(ctxt->vcpu) > iopl;
}
static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
					    struct x86_emulate_ops *ops,
					    u16 port, u16 len)
{
	struct desc_struct tr_seg;
	int r;
	u16 io_bitmap_ptr;
	u8 perm, bit_idx = port & 0x7;
	unsigned mask = (1 << len) - 1;

	ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
	if (!tr_seg.p)
		return false;
	if (desc_limit_scaled(&tr_seg) < 103)
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
			  ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
			  &perm, 1, ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if ((perm >> bit_idx) & mask)
		return false;
	return true;
}
static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 u16 port, u16 len)
{
	if (ctxt->perm_ok)
		return true;

	if (emulator_bad_iopl(ctxt, ops))
		if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
			return false;

	ctxt->perm_ok = true;

	return true;
}
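
/*
 * perm_ok caches a successful permission check: the early-out above means
 * that a rep ins/outs walks the TSS I/O permission bitmap only once per
 * emulated instruction, not once per iteration.
 */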
static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->ip = c->eip;
	tss->flag = ctxt->eflags;
	tss->ax = c->regs[VCPU_REGS_RAX];
	tss->cx = c->regs[VCPU_REGS_RCX];
	tss->dx = c->regs[VCPU_REGS_RDX];
	tss->bx = c->regs[VCPU_REGS_RBX];
	tss->sp = c->regs[VCPU_REGS_RSP];
	tss->bp = c->regs[VCPU_REGS_RBP];
	tss->si = c->regs[VCPU_REGS_RSI];
	tss->di = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	c->eip = tss->ip;
	ctxt->eflags = tss->flag | 2;
	c->regs[VCPU_REGS_RAX] = tss->ax;
	c->regs[VCPU_REGS_RCX] = tss->cx;
	c->regs[VCPU_REGS_RDX] = tss->dx;
	c->regs[VCPU_REGS_RBX] = tss->bx;
	c->regs[VCPU_REGS_RSP] = tss->sp;
	c->regs[VCPU_REGS_RBP] = tss->bp;
	c->regs[VCPU_REGS_RSI] = tss->si;
	c->regs[VCPU_REGS_RDI] = tss->di;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If a fault happens at this stage
	 * it is handled in the context of the new task.
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_16(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_16 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss16(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss16(ctxt, ops, &tss_seg);
}
static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->cr3 = ops->get_cr(3, ctxt->vcpu);
	tss->eip = c->eip;
	tss->eflags = ctxt->eflags;
	tss->eax = c->regs[VCPU_REGS_RAX];
	tss->ecx = c->regs[VCPU_REGS_RCX];
	tss->edx = c->regs[VCPU_REGS_RDX];
	tss->ebx = c->regs[VCPU_REGS_RBX];
	tss->esp = c->regs[VCPU_REGS_RSP];
	tss->ebp = c->regs[VCPU_REGS_RBP];
	tss->esi = c->regs[VCPU_REGS_RSI];
	tss->edi = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
	tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
	tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}
	c->eip = tss->eip;
	ctxt->eflags = tss->eflags | 2;
	c->regs[VCPU_REGS_RAX] = tss->eax;
	c->regs[VCPU_REGS_RCX] = tss->ecx;
	c->regs[VCPU_REGS_RDX] = tss->edx;
	c->regs[VCPU_REGS_RBX] = tss->ebx;
	c->regs[VCPU_REGS_RSP] = tss->esp;
	c->regs[VCPU_REGS_RBP] = tss->ebp;
	c->regs[VCPU_REGS_RSI] = tss->esi;
	c->regs[VCPU_REGS_RDI] = tss->edi;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
	ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
	ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If a fault happens at this stage
	 * it is handled in the context of the new task.
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_32(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_32 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss32(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss32(ctxt, ops, &tss_seg);
}
static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 tss_selector, int reason,
				   bool has_error_code, u32 error_code)
{
	struct desc_struct curr_tss_desc, next_tss_desc;
	int ret;
	u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
	ulong old_tss_base =
		ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
	u32 desc_limit;

	/* FIXME: old_tss_base == ~0 ? */

	ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	/* FIXME: check that next_tss_desc is tss */

	if (reason != TASK_SWITCH_IRET) {
		if ((tss_selector & 3) > next_tss_desc.dpl ||
		    ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
	}

	desc_limit = desc_limit_scaled(&next_tss_desc);
	if (!next_tss_desc.p ||
	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
	     desc_limit < 0x2b)) {
		emulate_ts(ctxt, tss_selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
		curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
		write_segment_descriptor(ctxt, ops, old_tss_sel,
					 &curr_tss_desc);
	}

	if (reason == TASK_SWITCH_IRET)
		ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;

	/* set back link to prev task only if NT bit is set in eflags
	   note that old_tss_sel is not used after this point */
	if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
		old_tss_sel = 0xffff;

	if (next_tss_desc.type & 8)
		ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	else
		ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
		ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;

	if (reason != TASK_SWITCH_IRET) {
		next_tss_desc.type |= (1 << 1); /* set busy flag */
		write_segment_descriptor(ctxt, ops, tss_selector,
					 &next_tss_desc);
	}

	ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
	ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
	ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);

	if (has_error_code) {
		struct decode_cache *c = &ctxt->decode;

		c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
		c->lock_prefix = 0;
		c->src.val = (unsigned long) error_code;
		emulate_push(ctxt, ops);
	}

	return ret;
}
int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
			 u16 tss_selector, int reason,
			 bool has_error_code, u32 error_code)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc;

	c->eip = ctxt->eip;
	c->dst.type = OP_NONE;

	rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
				     has_error_code, error_code);

	if (rc == X86EMUL_CONTINUE) {
		rc = writeback(ctxt, ops);
		if (rc == X86EMUL_CONTINUE)
			ctxt->eip = c->eip;
	}

	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}
static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
			    int reg, struct operand *op)
{
	struct decode_cache *c = &ctxt->decode;
	int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;

	register_address_increment(c, &c->regs[reg], df * op->bytes);
	op->addr.mem = register_address(c, base, c->regs[reg]);
}
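
/*
 * E.g. for a 4-byte 'movsd' with EFLAGS.DF clear, RSI/RDI advance by +4
 * per iteration; with DF set they step by -4, walking the string
 * backwards.
 */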
static int em_push(struct x86_emulate_ctxt *ctxt)
{
	emulate_push(ctxt, ctxt->ops);
	return X86EMUL_CONTINUE;
}
#define D(_y) { .flags = (_y) }
#define N    D(0)
#define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
#define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
#define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
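
/*
 * Reading a table entry: D(...) declares a decode-only opcode described
 * entirely by its flag bits, while e.g. I(SrcReg | Stack, em_push) also
 * routes execution to em_push(). N marks an opcode this emulator does
 * not handle.
 */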
static struct opcode group1[] = {
	X7(D(Lock)), N
};

static struct opcode group1A[] = {
	D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
};

static struct opcode group3[] = {
	D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	X4(D(Undefined)),
};

static struct opcode group4[] = {
	D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
	N, N, N, N, N, N,
};

static struct opcode group5[] = {
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	D(SrcMem | ModRM | Stack), N,
	D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
	D(SrcMem | ModRM | Stack), N,
};

static struct group_dual group7 = { {
	N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv), D(SrcMem | ModRM | ByteOp | Priv),
}, {
	D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv), N,
} };

static struct opcode group8[] = {
	N, N, N, N,
	D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
	D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
};

static struct group_dual group9 = { {
	N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
}, {
	N, N, N, N, N, N, N, N,
} };
static struct opcode opcode_table[256] = {
	/* 0x00 - 0x07 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x08 - 0x0F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), N,
	/* 0x10 - 0x17 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x18 - 0x1F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x20 - 0x27 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x28 - 0x2F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x30 - 0x37 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x38 - 0x3F */
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg)),
	/* 0x50 - 0x57 */
	X8(I(SrcReg | Stack, em_push)),
	/* 0x58 - 0x5F */
	X8(D(DstReg | Stack)),
	/* 0x60 - 0x67 */
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
	N, N, N, N,
	/* 0x68 - 0x6F */
	I(SrcImm | Mov | Stack, em_push), N,
	I(SrcImmByte | Mov | Stack, em_push), N,
	D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
	D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
	/* 0x70 - 0x7F */
	X16(D(SrcImmByte)),
	/* 0x80 - 0x87 */
	G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
	G(DstMem | SrcImm | ModRM | Group, group1),
	G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
	G(DstMem | SrcImmByte | ModRM | Group, group1),
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	/* 0x88 - 0x8F */
	D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
	D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
	D(DstMem | SrcNone | ModRM | Mov), D(ModRM | DstReg),
	D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
	/* 0x90 - 0x97 */
	X8(D(DstReg)),
	/* 0x98 - 0x9F */
	N, N, D(SrcImmFAddr | No64), N,
	D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
	/* 0xA0 - 0xA7 */
	D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
	D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
	D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
	D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
	/* 0xA8 - 0xAF */
	D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
	D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
	D(ByteOp | DstDI | String), D(DstDI | String),
	/* 0xB0 - 0xB7 */
	X8(D(ByteOp | DstReg | SrcImm | Mov)),
	/* 0xB8 - 0xBF */
	X8(D(DstReg | SrcImm | Mov)),
	/* 0xC0 - 0xC7 */
	D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
	N, D(ImplicitOps | Stack), N, N,
	D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
	/* 0xC8 - 0xCF */
	N, N, N, D(ImplicitOps | Stack),
	D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
	/* 0xD0 - 0xD7 */
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	N, N, N, N,
	/* 0xD8 - 0xDF */
	N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xE7 */
	N, N, N, N,
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	/* 0xE8 - 0xEF */
	D(SrcImm | Stack), D(SrcImm | ImplicitOps),
	D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	/* 0xF0 - 0xF7 */
	N, N, N, N,
	D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
	/* 0xF8 - 0xFF */
	D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
	D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
};
static struct opcode twobyte_table[256] = {
    /* 0x00 - 0x0F */
    N, GD(0, &group7), N, N,
    N, D(ImplicitOps), D(ImplicitOps | Priv), N,
    D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
    N, D(ImplicitOps | ModRM), N, N,
    /* 0x10 - 0x1F */
    N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
    /* 0x20 - 0x2F */
    D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
    D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
    N, N, N, N,
    N, N, N, N, N, N, N, N,
    /* 0x30 - 0x3F */
    D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
    D(ImplicitOps), D(ImplicitOps | Priv), N, N,
    N, N, N, N, N, N, N, N,
    /* 0x40 - 0x4F */
    X16(D(DstReg | SrcMem | ModRM | Mov)),
    /* 0x50 - 0x5F */
    N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
    /* 0x60 - 0x6F */
    N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
    /* 0x70 - 0x7F */
    N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
    /* 0x80 - 0x8F */
    X16(D(SrcImm)),
    /* 0x90 - 0x9F */
    N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
    /* 0xA0 - 0xA7 */
    D(ImplicitOps | Stack), D(ImplicitOps | Stack),
    N, D(DstMem | SrcReg | ModRM | BitOp),
    D(DstMem | SrcReg | Src2ImmByte | ModRM),
    D(DstMem | SrcReg | Src2CL | ModRM), N, N,
    /* 0xA8 - 0xAF */
    D(ImplicitOps | Stack), D(ImplicitOps | Stack),
    N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
    D(DstMem | SrcReg | Src2ImmByte | ModRM),
    D(DstMem | SrcReg | Src2CL | ModRM),
    D(ModRM), N,
    /* 0xB0 - 0xB7 */
    D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
    N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
    N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
    D(DstReg | SrcMem16 | ModRM | Mov),
    /* 0xB8 - 0xBF */
    N, N,
    G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
    N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
    D(DstReg | SrcMem16 | ModRM | Mov),
    /* 0xC0 - 0xCF */
    N, N, N, D(DstMem | SrcReg | ModRM | Mov),
    N, N, N, GD(0, &group9),
    N, N, N, N, N, N, N, N,
    /* 0xD0 - 0xDF */
    N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
    /* 0xE0 - 0xEF */
    N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
    /* 0xF0 - 0xFF */
    N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
};
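/*
 * Table conventions, restated from the decode path below: each entry's
 * .flags feed c->d; N marks an opcode this emulator does not handle;
 * G()/GD() route decoding through a group table (with a separate mod == 3
 * alternate for GD) selected by bits 3:5 of the ModRM byte; X8()/X16()
 * simply replicate one entry across a row of opcodes.
 */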
int
x86_decode_insn(struct x86_emulate_ctxt *ctxt)
{
    struct x86_emulate_ops *ops = ctxt->ops;
    struct decode_cache *c = &ctxt->decode;
    int rc = X86EMUL_CONTINUE;
    int mode = ctxt->mode;
    int def_op_bytes, def_ad_bytes, dual, goffset;
    struct opcode opcode, *g_mod012, *g_mod3;

    /* We cannot decode a new insn before completing the previous rep insn. */
    WARN_ON(ctxt->restart);

    c->eip = ctxt->eip;
    c->fetch.start = c->fetch.end = c->eip;
    ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);

    switch (mode) {
    case X86EMUL_MODE_REAL:
    case X86EMUL_MODE_VM86:
    case X86EMUL_MODE_PROT16:
        def_op_bytes = def_ad_bytes = 2;
        break;
    case X86EMUL_MODE_PROT32:
        def_op_bytes = def_ad_bytes = 4;
        break;
#ifdef CONFIG_X86_64
    case X86EMUL_MODE_PROT64:
        /* 64-bit mode defaults to 32-bit operands, 64-bit addresses. */
        def_op_bytes = 4;
        def_ad_bytes = 8;
        break;
#endif
    default:
        return -1;
    }

    c->op_bytes = def_op_bytes;
    c->ad_bytes = def_ad_bytes;
    /* Legacy prefixes. */
    for (;;) {
        switch (c->b = insn_fetch(u8, 1, c->eip)) {
        case 0x66: /* operand-size override */
            /* switch between 2/4 bytes */
            c->op_bytes = def_op_bytes ^ 6;
            break;
        case 0x67: /* address-size override */
            if (mode == X86EMUL_MODE_PROT64)
                /* switch between 4/8 bytes */
                c->ad_bytes = def_ad_bytes ^ 12;
            else
                /* switch between 2/4 bytes */
                c->ad_bytes = def_ad_bytes ^ 6;
            break;
        case 0x26: /* ES override */
        case 0x2e: /* CS override */
        case 0x36: /* SS override */
        case 0x3e: /* DS override */
            set_seg_override(c, (c->b >> 3) & 3);
            break;
        case 0x64: /* FS override */
        case 0x65: /* GS override */
            set_seg_override(c, c->b & 7);
            break;
        case 0x40 ... 0x4f: /* REX */
            if (mode != X86EMUL_MODE_PROT64)
                goto done_prefixes;
            c->rex_prefix = c->b;
            continue;
        case 0xf0: /* LOCK */
            c->lock_prefix = 1;
            break;
        case 0xf2: /* REPNE/REPNZ */
            c->rep_prefix = REPNE_PREFIX;
            break;
        case 0xf3: /* REP/REPE/REPZ */
            c->rep_prefix = REPE_PREFIX;
            break;
        default:
            goto done_prefixes;
        }

        /* Any legacy prefix after a REX prefix nullifies its effect. */
        c->rex_prefix = 0;
    }

done_prefixes:

    /* REX prefix. */
    if (c->rex_prefix & 8)
        c->op_bytes = 8; /* REX.W */
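    /*
     * Prefix handling example (an ISA fact, noted for illustration): in
     * 64-bit mode "66 89 08" is mov %cx,(%rax) -- the 0x66 prefix flips
     * op_bytes from the default 4 down to 2 -- while "48 89 08" is
     * mov %rcx,(%rax), because REX.W (bit 3 of the 0x40..0x4f prefix)
     * forces op_bytes to 8 here even if a 0x66 prefix was also present.
     */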
    /* Opcode byte(s). */
    opcode = opcode_table[c->b];
    if (opcode.flags == 0) {
        /* Two-byte opcode? */
        if (c->b == 0x0f) {
            c->twobyte = 1;
            c->b = insn_fetch(u8, 1, c->eip);
            opcode = twobyte_table[c->b];
        }
    }
    c->d = opcode.flags;

    if (c->d & Group) {
        dual = c->d & GroupDual;
        /* Peek at the ModRM byte; decode_modrm() will re-fetch it. */
        c->modrm = insn_fetch(u8, 1, c->eip);
        --c->eip;

        if (dual) {
            g_mod012 = opcode.u.gdual->mod012;
            g_mod3 = opcode.u.gdual->mod3;
        } else
            g_mod012 = g_mod3 = opcode.u.group;

        c->d &= ~(Group | GroupDual);

        goffset = (c->modrm >> 3) & 7;

        if ((c->modrm >> 6) == 3)
            opcode = g_mod3[goffset];
        else
            opcode = g_mod012[goffset];
        c->d |= opcode.flags;
    }
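    /*
     * Group decode example: for "f7 d8" (neg %eax) the main table gives
     * G(0, group3); the ModRM byte 0xd8 has reg = 3, so goffset = 3
     * selects the neg entry within group3 (defined earlier in this
     * file), and mod = 3 picks the register form via g_mod3.
     */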
    c->execute = opcode.u.execute;

    /* Unrecognised? */
    if (c->d == 0 || (c->d & Undefined)) {
        DPRINTF("Cannot emulate %02x\n", c->b);
        return -1;
    }
    if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
        c->op_bytes = 8;

    /* ModRM and SIB bytes. */
    if (c->d & ModRM) {
        rc = decode_modrm(ctxt, ops);
        if (!c->has_seg_override)
            set_seg_override(c, c->modrm_seg);
    } else if (c->d & MemAbs)
        rc = decode_abs(ctxt, ops);
    if (rc != X86EMUL_CONTINUE)
        goto done;

    if (!c->has_seg_override)
        set_seg_override(c, VCPU_SREG_DS);

    /* lea (one-byte opcode 0x8d) ignores segment bases. */
    if (c->twobyte || c->b != 0x8d)
        c->modrm_ea += seg_override_base(ctxt, ops, c);

    if (c->ad_bytes != 8)
        c->modrm_ea = (u32)c->modrm_ea;

    if (c->rip_relative)
        c->modrm_ea += c->eip;
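    /*
     * Example: for "48 8b 05 d2 04 00 00" (mov 0x4d2(%rip),%rax),
     * decode_modrm() leaves the raw displacement 0x4d2 in modrm_ea and
     * sets rip_relative; adding c->eip, which by now points past the
     * fetched bytes, rebases the operand on the instruction pointer.
     */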
    /*
     * Decode and fetch the source operand: register, memory
     * or immediate.
     */
    switch (c->d & SrcMask) {
    case SrcNone:
        break;
    case SrcReg:
        decode_register_operand(&c->src, c, 0);
        break;
    case SrcMem16:
        c->src.bytes = 2;
        goto srcmem_common;
    case SrcMem32:
        c->src.bytes = 4;
        goto srcmem_common;
    case SrcMem:
        c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
        /* Don't fetch the address for invlpg: it could be unmapped. */
        if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
            break;
    srcmem_common:
        /*
         * For instructions with a ModR/M byte, switch to register
         * access if Mod = 3.
         */
        if ((c->d & ModRM) && c->modrm_mod == 3) {
            c->src.type = OP_REG;
            c->src.val = c->modrm_val;
            c->src.addr.reg = c->modrm_ptr;
            break;
        }
        c->src.type = OP_MEM;
        c->src.addr.mem = c->modrm_ea;
        break;
    case SrcImm:
    case SrcImmU:
        c->src.type = OP_IMM;
        c->src.addr.mem = c->eip;
        c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
        if (c->src.bytes == 8)
            c->src.bytes = 4;
        /* NB. Immediates are sign-extended as necessary. */
        switch (c->src.bytes) {
        case 1:
            c->src.val = insn_fetch(s8, 1, c->eip);
            break;
        case 2:
            c->src.val = insn_fetch(s16, 2, c->eip);
            break;
        case 4:
            c->src.val = insn_fetch(s32, 4, c->eip);
            break;
        }
        /* For SrcImmU, truncate instead of sign-extending. */
        if ((c->d & SrcMask) == SrcImmU) {
            switch (c->src.bytes) {
            case 1:
                c->src.val &= 0xff;
                break;
            case 2:
                c->src.val &= 0xffff;
                break;
            case 4:
                c->src.val &= 0xffffffff;
                break;
            }
        }
        break;
    case SrcImmByte:
    case SrcImmUByte:
        c->src.type = OP_IMM;
        c->src.addr.mem = c->eip;
        c->src.bytes = 1;
        if ((c->d & SrcMask) == SrcImmByte)
            c->src.val = insn_fetch(s8, 1, c->eip);
        else
            c->src.val = insn_fetch(u8, 1, c->eip);
        break;
    case SrcAcc:
        c->src.type = OP_REG;
        c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
        c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
        switch (c->src.bytes) {
        case 1:
            c->src.val = *(u8 *)c->src.addr.reg;
            break;
        case 2:
            c->src.val = *(u16 *)c->src.addr.reg;
            break;
        case 4:
            c->src.val = *(u32 *)c->src.addr.reg;
            break;
        case 8:
            c->src.val = *(u64 *)c->src.addr.reg;
            break;
        }
        break;
    case SrcOne:
        c->src.bytes = 1;
        c->src.val = 1;
        break;
    case SrcSI:
        c->src.type = OP_MEM;
        c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
        c->src.addr.mem =
            register_address(c, seg_override_base(ctxt, ops, c),
                     c->regs[VCPU_REGS_RSI]);
        break;
    case SrcImmFAddr:
        c->src.type = OP_IMM;
        c->src.addr.mem = c->eip;
        c->src.bytes = c->op_bytes + 2;
        insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
        break;
    case SrcMemFAddr:
        c->src.type = OP_MEM;
        c->src.addr.mem = c->modrm_ea;
        c->src.bytes = c->op_bytes + 2;
        break;
    }
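    /*
     * A far pointer operand is op_bytes of offset followed by a 16-bit
     * selector, hence op_bytes + 2 above: "ea 00 10 40 00 10 00"
     * (jmp $0x10,$0x401000 with 32-bit operands) carries the offset
     * 0x00401000 first and the selector 0x0010 last.
     */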
    /*
     * Decode and fetch the second source operand: register, memory
     * or immediate.
     */
    switch (c->d & Src2Mask) {
    case Src2None:
        break;
    case Src2CL:
        c->src2.bytes = 1;
        c->src2.val = c->regs[VCPU_REGS_RCX] & 0xff; /* CL */
        break;
    case Src2ImmByte:
        c->src2.type = OP_IMM;
        c->src2.addr.mem = c->eip;
        c->src2.bytes = 1;
        c->src2.val = insn_fetch(u8, 1, c->eip);
        break;
    case Src2One:
        c->src2.bytes = 1;
        c->src2.val = 1;
        break;
    }
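    /*
     * Per the two-byte table above, src2 feeds the double-shift
     * instructions: 0f a4/ac take the shift count as Src2ImmByte and
     * 0f a5/ad take it from CL (Src2CL).
     */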
    /* Decode and fetch the destination operand: register or memory. */
    switch (c->d & DstMask) {
    case ImplicitOps:
        /* Special instructions do their own operand decoding. */
        return 0;
    case DstReg:
        decode_register_operand(&c->dst, c,
             c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
        break;
    case DstMem:
    case DstMem64:
        if ((c->d & ModRM) && c->modrm_mod == 3) {
            c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
            c->dst.type = OP_REG;
            c->dst.val = c->dst.orig_val = c->modrm_val;
            c->dst.addr.reg = c->modrm_ptr;
            break;
        }
        c->dst.type = OP_MEM;
        c->dst.addr.mem = c->modrm_ea;
        if ((c->d & DstMask) == DstMem64)
            c->dst.bytes = 8;
        else
            c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
        if (c->d & BitOp) {
            unsigned long mask = ~(c->dst.bytes * 8 - 1);

            c->dst.addr.mem = c->dst.addr.mem +
                      (c->src.val & mask) / 8;
        }
        break;
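    /*
     * Worked example for the BitOp adjustment: "bt %ecx,(%rax)" with
     * %ecx = 100 and 4-byte operands gives mask = ~31, so addr.mem is
     * advanced by (100 & ~31) / 8 = 12 bytes; the execute stage later
     * masks the offset to 100 % 32 = 4 and tests bit 4 of the dword
     * at 12(%rax).
     */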
    case DstAcc:
        c->dst.type = OP_REG;
        c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
        c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
        switch (c->dst.bytes) {
        case 1:
            c->dst.val = *(u8 *)c->dst.addr.reg;
            break;
        case 2:
            c->dst.val = *(u16 *)c->dst.addr.reg;
            break;
        case 4:
            c->dst.val = *(u32 *)c->dst.addr.reg;
            break;
        case 8:
            c->dst.val = *(u64 *)c->dst.addr.reg;
            break;
        }
        c->dst.orig_val = c->dst.val;
        break;
    case DstDI:
        c->dst.type = OP_MEM;
        c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
        c->dst.addr.mem =
            register_address(c, es_base(ctxt, ops),
                     c->regs[VCPU_REGS_RDI]);
        break;
    }

done:
    return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}
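/*
 * Execution stage.  x86_decode_insn() above leaves the operand
 * descriptions in ctxt->decode; x86_emulate_insn() below reads any
 * memory operands, dispatches on the opcode (directly or via
 * c->execute) and finally writes the result back.
 */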
int
x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
{
    struct x86_emulate_ops *ops = ctxt->ops;
    u64 msr_data;
    struct decode_cache *c = &ctxt->decode;
    int rc = X86EMUL_CONTINUE;
    int saved_dst_type = c->dst.type;

    ctxt->decode.mem_read.pos = 0;
    if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
        emulate_ud(ctxt);
        goto done;
    }

    /* The LOCK prefix is allowed only with some instructions. */
    if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
        emulate_ud(ctxt);
        goto done;
    }

    /* Privileged instructions can be executed only at CPL 0. */
    if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
        emulate_gp(ctxt, 0);
        goto done;
    }

    if (c->rep_prefix && (c->d & String)) {
        ctxt->restart = true;
        /* All REP prefixes have the same first termination condition. */
        if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
        string_done:
            ctxt->restart = false;
            ctxt->eip = c->eip;
            goto done;
        }
        /*
         * The second termination condition applies only to REPE and
         * REPNE.  If the prefix is REPE/REPZ or REPNE/REPNZ, test the
         * corresponding termination condition:
         *   - if REPE/REPZ and ZF = 0 then done
         *   - if REPNE/REPNZ and ZF = 1 then done
         */
        if ((c->b == 0xa6) || (c->b == 0xa7) ||
            (c->b == 0xae) || (c->b == 0xaf)) {
            if ((c->rep_prefix == REPE_PREFIX) &&
                ((ctxt->eflags & EFLG_ZF) == 0))
                goto string_done;
            if ((c->rep_prefix == REPNE_PREFIX) &&
                ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
                goto string_done;
        }
        c->eip = ctxt->eip;
    }
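    /*
     * Example: "repe cmpsb" (f3 a6) stops as soon as a byte pair
     * differs (ZF = 0), while "repne scasb" (f2 ae) stops on the first
     * matching byte (ZF = 1); every other string op stops only when
     * RCX, masked to the address size, reaches zero.
     */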
    if (c->src.type == OP_MEM) {
        rc = read_emulated(ctxt, ops, c->src.addr.mem,
                   c->src.valptr, c->src.bytes);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        c->src.orig_val64 = c->src.val64;
    }

    if (c->src2.type == OP_MEM) {
        rc = read_emulated(ctxt, ops, c->src2.addr.mem,
                   &c->src2.val, c->src2.bytes);
        if (rc != X86EMUL_CONTINUE)
            goto done;
    }

    if ((c->d & DstMask) == ImplicitOps)
        goto special_insn;

    if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
        /* optimisation - avoid slow emulated read if Mov */
        rc = read_emulated(ctxt, ops, c->dst.addr.mem,
                   &c->dst.val, c->dst.bytes);
        if (rc != X86EMUL_CONTINUE)
            goto done;
    }
    c->dst.orig_val = c->dst.val;

special_insn:

    if (c->execute) {
        rc = c->execute(ctxt);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        goto writeback;
    }

    if (c->twobyte)
        goto twobyte_insn;

    switch (c->b) {
    case 0x00 ... 0x05:
    add: /* add */
        emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
        break;
    case 0x06: /* push es */
        emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
        break;
    case 0x07: /* pop es */
        rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0x08 ... 0x0d:
    or: /* or */
        emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
        break;
    case 0x0e: /* push cs */
        emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
        break;
    case 0x10 ... 0x15:
    adc: /* adc */
        emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
        break;
    case 0x16: /* push ss */
        emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
        break;
    case 0x17: /* pop ss */
        rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0x18 ... 0x1d:
    sbb: /* sbb */
        emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
        break;
    case 0x1e: /* push ds */
        emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
        break;
    case 0x1f: /* pop ds */
        rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0x20 ... 0x25:
    and: /* and */
        emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
        break;
    case 0x28 ... 0x2d:
    sub: /* sub */
        emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
        break;
    case 0x30 ... 0x35:
    xor: /* xor */
        emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
        break;
    case 0x38 ... 0x3d:
    cmp: /* cmp */
        emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
        break;
    case 0x40 ... 0x47: /* inc r16/r32 */
        emulate_1op("inc", c->dst, ctxt->eflags);
        break;
    case 0x48 ... 0x4f: /* dec r16/r32 */
        emulate_1op("dec", c->dst, ctxt->eflags);
        break;
    case 0x58 ... 0x5f: /* pop reg */
    pop_instruction:
        rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0x60: /* pusha */
        rc = emulate_pusha(ctxt, ops);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0x61: /* popa */
        rc = emulate_popa(ctxt, ops);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0x63: /* movsxd */
        if (ctxt->mode != X86EMUL_MODE_PROT64)
            goto cannot_emulate;
        c->dst.val = (s32) c->src.val;
        break;
    case 0x6c: /* insb */
    case 0x6d: /* insw/insd */
        c->dst.bytes = min(c->dst.bytes, 4u);
        if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
                      c->dst.bytes)) {
            emulate_gp(ctxt, 0);
            goto done;
        }
        if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
                     c->regs[VCPU_REGS_RDX], &c->dst.val))
            goto done; /* IO is needed, skip writeback */
        break;
    case 0x6e: /* outsb */
    case 0x6f: /* outsw/outsd */
        c->src.bytes = min(c->src.bytes, 4u);
        if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
                      c->src.bytes)) {
            emulate_gp(ctxt, 0);
            goto done;
        }
        ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
                      &c->src.val, 1, ctxt->vcpu);
        c->dst.type = OP_NONE; /* nothing to writeback */
        break;
    case 0x70 ... 0x7f: /* jcc (short) */
        if (test_cc(c->b, ctxt->eflags))
            jmp_rel(c, c->src.val);
        break;
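    /*
     * The condition is encoded in the low nibble of the opcode --
     * e.g. 0x74 is jz (ZF set), 0x75 is jnz -- and test_cc() evaluates
     * that nibble against eflags.
     */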
    case 0x80 ... 0x83: /* Grp1 */
        switch (c->modrm_reg) {
        case 0:
            goto add;
        case 1:
            goto or;
        case 2:
            goto adc;
        case 3:
            goto sbb;
        case 4:
            goto and;
        case 5:
            goto sub;
        case 6:
            goto xor;
        case 7:
            goto cmp;
        }
        break;
    case 0x84 ... 0x85:
    test:
        emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
        break;
    case 0x86 ... 0x87: /* xchg */
    xchg:
        /* Write back the register source. */
        switch (c->dst.bytes) {
        case 1:
            *(u8 *) c->src.addr.reg = (u8) c->dst.val;
            break;
        case 2:
            *(u16 *) c->src.addr.reg = (u16) c->dst.val;
            break;
        case 4:
            *c->src.addr.reg = (u32) c->dst.val;
            break; /* 64b reg: zero-extend */
        case 8:
            *c->src.addr.reg = c->dst.val;
            break;
        }
        /*
         * Write back the memory destination with implicit LOCK
         * prefix.
         */
        c->dst.val = c->src.val;
        c->lock_prefix = 1;
        break;
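    /*
     * xchg with a memory operand locks the bus even without an
     * explicit prefix, which is why lock_prefix is forced above: the
     * writeback path then performs the store atomically.
     */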
    case 0x88 ... 0x8b: /* mov */
        goto mov;
    case 0x8c: /* mov r/m, sreg */
        if (c->modrm_reg > VCPU_SREG_GS) {
            emulate_ud(ctxt);
            goto done;
        }
        c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
        break;
    case 0x8d: /* lea r16/r32, m */
        c->dst.val = c->modrm_ea;
        break;
    case 0x8e: { /* mov seg, r/m16 */
        uint16_t sel;

        sel = c->src.val;

        if (c->modrm_reg == VCPU_SREG_CS ||
            c->modrm_reg > VCPU_SREG_GS) {
            emulate_ud(ctxt);
            goto done;
        }

        if (c->modrm_reg == VCPU_SREG_SS)
            ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;

        rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);

        c->dst.type = OP_NONE; /* Disable writeback. */
        break;
    }
    case 0x8f: /* pop (sole member of Grp1a) */
        rc = emulate_grp1a(ctxt, ops);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0x90: /* nop / xchg r8,rax */
        if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX]) {
            c->dst.type = OP_NONE; /* nop */
            break;
        }
        /* fall through to xchg reg,rax */
    case 0x91 ... 0x97: /* xchg reg,rax */
        c->src.type = OP_REG;
        c->src.bytes = c->op_bytes;
        c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
        c->src.val = *(c->src.addr.reg);
        goto xchg;
    case 0x9c: /* pushf */
        c->src.val = (unsigned long) ctxt->eflags;
        emulate_push(ctxt, ops);
        break;
    case 0x9d: /* popf */
        c->dst.type = OP_REG;
        c->dst.addr.reg = &ctxt->eflags;
        c->dst.bytes = c->op_bytes;
        rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0xa0 ... 0xa3: /* mov */
    case 0xa4 ... 0xa5: /* movs */
        goto mov;
    case 0xa6 ... 0xa7: /* cmps */
        c->dst.type = OP_NONE; /* Disable writeback. */
        DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
        goto cmp;
    case 0xa8 ... 0xa9: /* test ax, imm */
        goto test;
    case 0xaa ... 0xab: /* stos */
        c->dst.val = c->regs[VCPU_REGS_RAX];
        break;
    case 0xac ... 0xad: /* lods */
        goto mov;
    case 0xae ... 0xaf: /* scas */
        DPRINTF("Urk! I don't handle SCAS.\n");
        goto cannot_emulate;
    case 0xb0 ... 0xbf: /* mov r, imm */
        goto mov;
    case 0xc0 ... 0xc1: /* Grp2 (shift/rotate, imm8 count) */
        emulate_grp2(ctxt);
        break;
    case 0xc3: /* ret */
        c->dst.type = OP_REG;
        c->dst.addr.reg = &c->eip;
        c->dst.bytes = c->op_bytes;
        goto pop_instruction;
    case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
    mov:
        c->dst.val = c->src.val;
        break;
    case 0xcb: /* ret far */
        rc = emulate_ret_far(ctxt, ops);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0xcf: /* iret */
        rc = emulate_iret(ctxt, ops);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0xd0 ... 0xd1: /* Grp2, shift count 1 */
        c->src.val = 1;
        emulate_grp2(ctxt);
        break;
    case 0xd2 ... 0xd3: /* Grp2, shift count in CL */
        c->src.val = c->regs[VCPU_REGS_RCX];
        emulate_grp2(ctxt);
        break;
    case 0xe4: /* inb */
    case 0xe5: /* in */
        goto do_io_in;
    case 0xe6: /* outb */
    case 0xe7: /* out */
        goto do_io_out;
    case 0xe8: /* call (near) */ {
        long int rel = c->src.val;
        c->src.val = (unsigned long) c->eip;
        jmp_rel(c, rel);
        emulate_push(ctxt, ops);
        break;
    }
    case 0xe9: /* jmp rel */
        goto jmp;
    case 0xea: { /* jmp far */
        unsigned short sel;
    jump_far:
        memcpy(&sel, c->src.valptr + c->op_bytes, 2);

        if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
            goto done;

        c->eip = 0;
        memcpy(&c->eip, c->src.valptr, c->op_bytes);
        break;
    }
    case 0xeb:
    jmp: /* jmp rel short */
        jmp_rel(c, c->src.val);
        c->dst.type = OP_NONE; /* Disable writeback. */
        break;
    case 0xec: /* in al,dx */
    case 0xed: /* in (e/r)ax,dx */
        c->src.val = c->regs[VCPU_REGS_RDX];
    do_io_in:
        c->dst.bytes = min(c->dst.bytes, 4u);
        if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
            emulate_gp(ctxt, 0);
            goto done;
        }
        if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
                     &c->dst.val))
            goto done; /* IO is needed */
        break;
    case 0xee: /* out dx,al */
    case 0xef: /* out dx,(e/r)ax */
        c->src.val = c->regs[VCPU_REGS_RDX];
    do_io_out:
        c->dst.bytes = min(c->dst.bytes, 4u);
        if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
            emulate_gp(ctxt, 0);
            goto done;
        }
        ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
                      ctxt->vcpu);
        c->dst.type = OP_NONE; /* Disable writeback. */
        break;
    case 0xf4: /* hlt */
        ctxt->vcpu->arch.halt_request = 1;
        break;
    case 0xf5: /* cmc */
        /* complement carry flag from eflags reg */
        ctxt->eflags ^= EFLG_CF;
        c->dst.type = OP_NONE; /* Disable writeback. */
        break;
    case 0xf6 ... 0xf7: /* Grp3 */
        if (!emulate_grp3(ctxt, ops))
            goto cannot_emulate;
        break;
    case 0xf8: /* clc */
        ctxt->eflags &= ~EFLG_CF;
        c->dst.type = OP_NONE; /* Disable writeback. */
        break;
    case 0xfa: /* cli */
        if (emulator_bad_iopl(ctxt, ops)) {
            emulate_gp(ctxt, 0);
            goto done;
        } else {
            ctxt->eflags &= ~X86_EFLAGS_IF;
            c->dst.type = OP_NONE; /* Disable writeback. */
        }
        break;
    case 0xfb: /* sti */
        if (emulator_bad_iopl(ctxt, ops)) {
            emulate_gp(ctxt, 0);
            goto done;
        } else {
            ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
            ctxt->eflags |= X86_EFLAGS_IF;
            c->dst.type = OP_NONE; /* Disable writeback. */
        }
        break;
    case 0xfc: /* cld */
        ctxt->eflags &= ~EFLG_DF;
        c->dst.type = OP_NONE; /* Disable writeback. */
        break;
    case 0xfd: /* std */
        ctxt->eflags |= EFLG_DF;
        c->dst.type = OP_NONE; /* Disable writeback. */
        break;
    case 0xfe: /* Grp4 */
    grp45:
        rc = emulate_grp45(ctxt, ops);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0xff: /* Grp5 */
        if (c->modrm_reg == 5)
            goto jump_far;
        goto grp45;
    default:
        goto cannot_emulate;
    }
writeback:
    rc = writeback(ctxt, ops);
    if (rc != X86EMUL_CONTINUE)
        goto done;

    /*
     * Restore dst type in case the decoding will be reused
     * (happens for string instructions).
     */
    c->dst.type = saved_dst_type;

    if ((c->d & SrcMask) == SrcSI)
        string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
                VCPU_REGS_RSI, &c->src);

    if ((c->d & DstMask) == DstDI)
        string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
                &c->dst);

    if (c->rep_prefix && (c->d & String)) {
        /* Named "r" so it doesn't shadow the function-wide "rc". */
        struct read_cache *r = &ctxt->decode.io_read;
        register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
        /*
         * Re-enter the guest when the pio read ahead buffer is empty
         * or, if it is not used, after every 1024 iterations.
         */
        if ((r->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
            (r->end != 0 && r->end == r->pos))
            ctxt->restart = false;
    }
    /*
     * Reset the read cache here in case a string instruction is
     * restarted without decoding.
     */
    ctxt->decode.mem_read.end = 0;
    ctxt->eip = c->eip;

done:
    return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;

twobyte_insn:
    switch (c->b) {
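    /*
     * 0f 01 is sub-decoded on the ModRM reg field, following the ISA's
     * Grp7: 0 is the vmcall patch-up here, 2 lgdt, 3 lidt (or vmmcall
     * when mod == 3), 4 smsw, 6 lmsw and 7 invlpg, as handled below.
     */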
    case 0x01: /* lgdt, lidt, lmsw */
        switch (c->modrm_reg) {
            u16 size;
            unsigned long address;

        case 0: /* vmcall */
            if (c->modrm_mod != 3 || c->modrm_rm != 1)
                goto cannot_emulate;

            rc = kvm_fix_hypercall(ctxt->vcpu);
            if (rc != X86EMUL_CONTINUE)
                goto done;

            /* Let the processor re-execute the fixed hypercall */
            c->eip = ctxt->eip;
            /* Disable writeback. */
            c->dst.type = OP_NONE;
            break;
        case 2: /* lgdt */
            rc = read_descriptor(ctxt, ops, c->src.addr.mem,
                         &size, &address, c->op_bytes);
            if (rc != X86EMUL_CONTINUE)
                goto done;
            realmode_lgdt(ctxt->vcpu, size, address);
            /* Disable writeback. */
            c->dst.type = OP_NONE;
            break;
        case 3: /* lidt/vmmcall */
            if (c->modrm_mod == 3) {
                switch (c->modrm_rm) {
                case 1:
                    rc = kvm_fix_hypercall(ctxt->vcpu);
                    if (rc != X86EMUL_CONTINUE)
                        goto done;
                    break;
                default:
                    goto cannot_emulate;
                }
            } else {
                rc = read_descriptor(ctxt, ops, c->src.addr.mem,
                             &size, &address,
                             c->op_bytes);
                if (rc != X86EMUL_CONTINUE)
                    goto done;
                realmode_lidt(ctxt->vcpu, size, address);
            }
            /* Disable writeback. */
            c->dst.type = OP_NONE;
            break;
        case 4: /* smsw */
            c->dst.bytes = 2;
            c->dst.val = ops->get_cr(0, ctxt->vcpu);
            break;
        case 6: /* lmsw */
            ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
                    (c->src.val & 0x0f), ctxt->vcpu);
            c->dst.type = OP_NONE;
            break;
        case 5: /* not defined */
            emulate_ud(ctxt);
            goto done;
        case 7: /* invlpg */
            emulate_invlpg(ctxt->vcpu, c->modrm_ea);
            /* Disable writeback. */
            c->dst.type = OP_NONE;
            break;
        default:
            goto cannot_emulate;
        }
        break;
    case 0x05: /* syscall */
        rc = emulate_syscall(ctxt, ops);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        else
            goto writeback;
        break;
    case 0x06: /* clts */
        emulate_clts(ctxt->vcpu);
        c->dst.type = OP_NONE;
        break;
    case 0x09: /* wbinvd */
        kvm_emulate_wbinvd(ctxt->vcpu);
        c->dst.type = OP_NONE;
        break;
    case 0x08: /* invd */
    case 0x0d: /* GrpP (prefetch) */
    case 0x18: /* Grp16 (prefetch/nop) */
        c->dst.type = OP_NONE;
        break;
    case 0x20: /* mov cr, reg */
        switch (c->modrm_reg) {
        case 1:
        case 5 ... 7:
        case 9 ... 15:
            emulate_ud(ctxt);
            goto done;
        }
        c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
        c->dst.type = OP_NONE; /* no writeback */
        break;
    case 0x21: /* mov from dr to reg */
        if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
            (c->modrm_reg == 4 || c->modrm_reg == 5)) {
            emulate_ud(ctxt);
            goto done;
        }
        ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
        c->dst.type = OP_NONE; /* no writeback */
        break;
    case 0x22: /* mov reg, cr */
        if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
            emulate_gp(ctxt, 0);
            goto done;
        }
        c->dst.type = OP_NONE;
        break;
    case 0x23: /* mov from reg to dr */
        if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
            (c->modrm_reg == 4 || c->modrm_reg == 5)) {
            emulate_ud(ctxt);
            goto done;
        }

        if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
                ((ctxt->mode == X86EMUL_MODE_PROT64) ?
                 ~0ULL : ~0U), ctxt->vcpu) < 0) {
            /* #UD condition is already handled by the code above */
            emulate_gp(ctxt, 0);
            goto done;
        }

        c->dst.type = OP_NONE; /* no writeback */
        break;
    case 0x30: /* wrmsr */
        msr_data = (u32)c->regs[VCPU_REGS_RAX]
            | ((u64)c->regs[VCPU_REGS_RDX] << 32);
        if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
            emulate_gp(ctxt, 0);
            goto done;
        }
        rc = X86EMUL_CONTINUE;
        c->dst.type = OP_NONE;
        break;
    case 0x32: /* rdmsr */
        if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
            emulate_gp(ctxt, 0);
            goto done;
        } else {
            c->regs[VCPU_REGS_RAX] = (u32)msr_data;
            c->regs[VCPU_REGS_RDX] = msr_data >> 32;
        }
        rc = X86EMUL_CONTINUE;
        c->dst.type = OP_NONE;
        break;
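    /*
     * Both MSR ops follow the hardware register convention: ECX
     * selects the MSR and EDX:EAX holds the 64-bit value, split
     * exactly as the shifts above assemble and disassemble msr_data.
     */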
    case 0x34: /* sysenter */
        rc = emulate_sysenter(ctxt, ops);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        else
            goto writeback;
        break;
    case 0x35: /* sysexit */
        rc = emulate_sysexit(ctxt, ops);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        else
            goto writeback;
        break;
    case 0x40 ... 0x4f: /* cmov */
        c->dst.val = c->dst.orig_val = c->src.val;
        if (!test_cc(c->b, ctxt->eflags))
            c->dst.type = OP_NONE; /* no writeback */
        break;
    case 0x80 ... 0x8f: /* jcc rel (near) */
        if (test_cc(c->b, ctxt->eflags))
            jmp_rel(c, c->src.val);
        c->dst.type = OP_NONE;
        break;
    case 0xa0: /* push fs */
        emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
        break;
    case 0xa1: /* pop fs */
        rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0xa3:
    bt: /* bt */
        c->dst.type = OP_NONE;
        /* only subword offset */
        c->src.val &= (c->dst.bytes << 3) - 1;
        emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
        break;
    case 0xa4: /* shld imm8, r, r/m */
    case 0xa5: /* shld cl, r, r/m */
        emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
        break;
    case 0xa8: /* push gs */
        emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
        break;
    case 0xa9: /* pop gs */
        rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    case 0xab:
    bts: /* bts */
        /* only subword offset */
        c->src.val &= (c->dst.bytes << 3) - 1;
        emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
        break;
    case 0xac: /* shrd imm8, r, r/m */
    case 0xad: /* shrd cl, r, r/m */
        emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
        break;
    case 0xae: /* clflush */
        break;
    case 0xb0 ... 0xb1: /* cmpxchg */
        /*
         * Save the real source value, then compare EAX against
         * the destination.
         */
        c->src.orig_val = c->src.val;
        c->src.val = c->regs[VCPU_REGS_RAX];
        emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
        if (ctxt->eflags & EFLG_ZF) {
            /* Success: write back to memory. */
            c->dst.val = c->src.orig_val;
        } else {
            /* Failure: write the value we saw to EAX. */
            c->dst.type = OP_REG;
            c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
        }
        break;
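    /*
     * This mirrors the architected cmpxchg semantics: e.g. with
     * EAX = 1, a destination holding 1 and a source register of 7,
     * the cmp sets ZF and 7 is stored to the destination; had the
     * destination held 2, ZF would be clear and EAX would instead be
     * loaded with 2.
     */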
    case 0xb3:
    btr: /* btr */
        /* only subword offset */
        c->src.val &= (c->dst.bytes << 3) - 1;
        emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
        break;
    case 0xb6 ... 0xb7: /* movzx */
        c->dst.bytes = c->op_bytes;
        c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
                     : (u16) c->src.val;
        break;
    case 0xba: /* Grp8 */
        switch (c->modrm_reg & 3) {
        case 0:
            goto bt;
        case 1:
            goto bts;
        case 2:
            goto btr;
        case 3:
            goto btc;
        }
        break;
    case 0xbb:
    btc: /* btc */
        /* only subword offset */
        c->src.val &= (c->dst.bytes << 3) - 1;
        emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
        break;
    case 0xbe ... 0xbf: /* movsx */
        c->dst.bytes = c->op_bytes;
        c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
                     (s16) c->src.val;
        break;
    case 0xc3: /* movnti */
        c->dst.bytes = c->op_bytes;
        c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
                     (u64) c->src.val;
        break;
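    /*
     * movnti's non-temporal hint only affects caching behaviour, so
     * emulating it as the plain store above is architecturally fine.
     */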
    case 0xc7: /* Grp9 (cmpxchg8b) */
        rc = emulate_grp9(ctxt, ops);
        if (rc != X86EMUL_CONTINUE)
            goto done;
        break;
    default:
        goto cannot_emulate;
    }
    goto writeback;

cannot_emulate:
    DPRINTF("Cannot emulate %02x\n", c->b);
    return -1;
}