/******************************************************************************
 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
 *
 * Copyright (c) 2005 Keir Fraser
 *
 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
 * privileged instructions:
 *
 * Copyright (C) 2006 Qumranet
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 *   Avi Kivity <avi@qumranet.com>
 *   Yaniv Kamay <yaniv@qumranet.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2. See
 * the COPYING file in the top-level directory.
 *
 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
 */

#ifndef __KERNEL__
#include <public/xen.h>
#define DPRINTF(_f, _a ...) printf(_f , ## _a)
#else
#include <linux/kvm_host.h>
#include "kvm_cache_regs.h"
#define DPRINTF(x...) do {} while (0)
#endif
#include <linux/module.h>
#include <asm/kvm_emulate.h>
/*
 * Opcode effective-address decode tables.
 * Note that we only emulate instructions that have at least one memory
 * operand (excluding implicit stack references). We assume that stack
 * references and instruction fetches will never occur in special memory
 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
 * not be emulated.
 */
/* Operand sizes: 8-bit operands or specified/overridden size. */
#define ByteOp      (1<<0)	/* 8-bit operands. */
/* Destination operand type. */
#define ImplicitOps (1<<1)	/* Implicit in opcode. No generic decode. */
#define DstReg      (2<<1)	/* Register operand. */
#define DstMem      (3<<1)	/* Memory operand. */
#define DstAcc      (4<<1)	/* Destination Accumulator */
#define DstDI       (5<<1)	/* Destination is in ES:(E)DI */
#define DstMem64    (6<<1)	/* 64bit memory operand */
#define DstMask     (7<<1)
/* Source operand type. */
#define SrcNone     (0<<4)	/* No source operand. */
#define SrcImplicit (0<<4)	/* Source operand is implicit in the opcode. */
#define SrcReg      (1<<4)	/* Register operand. */
#define SrcMem      (2<<4)	/* Memory operand. */
#define SrcMem16    (3<<4)	/* Memory operand (16-bit). */
#define SrcMem32    (4<<4)	/* Memory operand (32-bit). */
#define SrcImm      (5<<4)	/* Immediate operand. */
#define SrcImmByte  (6<<4)	/* 8-bit sign-extended immediate operand. */
#define SrcOne      (7<<4)	/* Implied '1' */
#define SrcImmUByte (8<<4)	/* 8-bit unsigned immediate operand. */
#define SrcImmU     (9<<4)	/* Immediate operand, unsigned */
#define SrcSI       (0xa<<4)	/* Source is in the DS:RSI */
#define SrcImmFAddr (0xb<<4)	/* Source is immediate far address */
#define SrcMemFAddr (0xc<<4)	/* Source is far address in memory */
#define SrcAcc      (0xd<<4)	/* Source Accumulator */
#define SrcMask     (0xf<<4)
/* Generic ModRM decode. */
#define ModRM       (1<<8)
/* Destination is only written; never read. */
#define Mov         (1<<9)
#define BitOp       (1<<10)
#define MemAbs      (1<<11)	/* Memory operand is absolute displacement */
#define String      (1<<12)	/* String instruction (rep capable) */
#define Stack       (1<<13)	/* Stack instruction (push/pop) */
#define Group       (1<<14)	/* Bits 3:5 of modrm byte extend opcode */
#define GroupDual   (1<<15)	/* Alternate decoding of mod == 3 */
/* Misc flags */
#define NoAccess    (1<<23)	/* Don't access memory (lea/invlpg/verr etc) */
#define Op3264      (1<<24)	/* Operand is 64b in long mode, 32b otherwise */
#define Undefined   (1<<25)	/* No Such Instruction */
#define Lock        (1<<26)	/* lock prefix is allowed for the instruction */
#define Priv        (1<<27)	/* instruction generates #GP if current CPL != 0 */
#define No64        (1<<28)
/* Source 2 operand type */
#define Src2None    (0<<29)
#define Src2CL      (1<<29)
#define Src2ImmByte (2<<29)
#define Src2One     (3<<29)
#define Src2Mask    (7<<29)
#define X2(x...) x, x
#define X3(x...) X2(x), x
#define X4(x...) X2(x), X2(x)
#define X5(x...) X4(x), x
#define X6(x...) X4(x), X2(x)
#define X7(x...) X4(x), X3(x)
#define X8(x...) X4(x), X4(x)
#define X16(x...) X8(x), X8(x)
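/*
 * For illustration: each X<n> macro just repeats its argument n times,
 * so X4(D(SrcMem | ModRM)) expands to
 *
 *	D(SrcMem | ModRM), D(SrcMem | ModRM),
 *	D(SrcMem | ModRM), D(SrcMem | ModRM)
 *
 * which keeps the 256-entry opcode tables below compact.
 */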
struct opcode {
	u32 flags;
	union {
		int (*execute)(struct x86_emulate_ctxt *ctxt);
		struct opcode *group;
		struct group_dual *gdual;
	} u;
};

struct group_dual {
	struct opcode mod012[8];
	struct opcode mod3[8];
};
/* EFLAGS bit definitions. */
#define EFLG_ID (1<<21)
#define EFLG_VIP (1<<20)
#define EFLG_VIF (1<<19)
#define EFLG_AC (1<<18)
#define EFLG_VM (1<<17)
#define EFLG_RF (1<<16)
#define EFLG_IOPL (3<<12)
#define EFLG_NT (1<<14)
#define EFLG_OF (1<<11)
#define EFLG_DF (1<<10)
#define EFLG_IF (1<<9)
#define EFLG_TF (1<<8)
#define EFLG_SF (1<<7)
#define EFLG_ZF (1<<6)
#define EFLG_AF (1<<4)
#define EFLG_PF (1<<2)
#define EFLG_CF (1<<0)

#define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
#define EFLG_RESERVED_ONE_MASK 2
/*
 * Instruction emulation:
 * Most instructions are emulated directly via a fragment of inline assembly
 * code. This allows us to save/restore EFLAGS and thus very easily pick up
 * any modified flags.
 */

#if defined(CONFIG_X86_64)
#define _LO32 "k"		/* force 32-bit operand */
#define _STK  "%%rsp"		/* stack pointer */
#elif defined(__i386__)
#define _LO32 ""		/* force 32-bit operand */
#define _STK  "%%esp"		/* stack pointer */
#endif
/*
 * These EFLAGS bits are restored from saved value during emulation, and
 * any changes are written back to the saved value after emulation.
 */
#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
/* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp)					\
	/* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
	"movl %"_sav",%"_LO32 _tmp"; "					\
	"push %"_tmp"; "						\
	"push %"_tmp"; "						\
	"movl %"_msk",%"_LO32 _tmp"; "					\
	"andl %"_LO32 _tmp",("_STK"); "					\
	"pushf; "							\
	"notl %"_LO32 _tmp"; "						\
	"andl %"_LO32 _tmp",("_STK"); "					\
	"andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); "	\
	"pop  %"_tmp"; "						\
	"orl  %"_LO32 _tmp",("_STK"); "					\
	"popf; "							\
	"pop  %"_sav"; "

/* After executing instruction: write-back necessary bits in EFLAGS. */
#define _POST_EFLAGS(_sav, _msk, _tmp)		\
	/* _sav |= EFLAGS & _msk; */		\
	"pushf; "				\
	"pop  %"_LO32 _tmp"; "			\
	"andl %"_msk",%"_LO32 _tmp"; "		\
	"orl  %"_LO32 _tmp",%"_sav"; "
#define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix)	\
	do {								\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "4", "2")			\
			_op _suffix " %"_x"3,%1; "			\
			_POST_EFLAGS("0", "4", "2")			\
			: "=m" (_eflags), "=m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: _y ((_src).val), "i" (EFLAGS_MASK));		\
	} while (0)
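/*
 * Rough sketch of one instantiation: for a 32-bit register-source "add",
 * the macro boils down to approximately
 *
 *	asm volatile(<restore guest flags from _eflags>
 *		     "addl %k3,%1; "
 *		     <copy masked result flags back to _eflags>
 *		     : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp)
 *		     : "r" ((_src).val), "i" (EFLAGS_MASK));
 *
 * i.e. the guest instruction is executed natively on the host and only
 * the bits in EFLAGS_MASK are exchanged with the guest's EFLAGS image.
 */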
/* Raw emulation: instruction has two explicit operands. */
#define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
	do {								\
		unsigned long _tmp;					\
									\
		switch ((_dst).bytes) {					\
		case 2:							\
			____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
			break;						\
		case 4:							\
			____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
			break;						\
		case 8:							\
			ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
			break;						\
		}							\
	} while (0)

#define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
	do {								     \
		unsigned long _tmp;					     \
		switch ((_dst).bytes) {					     \
		case 1:							     \
			____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b");  \
			break;						     \
		default:						     \
			__emulate_2op_nobyte(_op, _src, _dst, _eflags,	     \
					     _wx, _wy, _lx, _ly, _qx, _qy);  \
			break;						     \
		}							     \
	} while (0)
/* Source operand is byte-sized and may be restricted to just %cl. */
#define emulate_2op_SrcB(_op, _src, _dst, _eflags)			\
	__emulate_2op(_op, _src, _dst, _eflags,				\
		      "b", "c", "b", "c", "b", "c", "b", "c")

/* Source operand is byte, word, long or quad sized. */
#define emulate_2op_SrcV(_op, _src, _dst, _eflags)			\
	__emulate_2op(_op, _src, _dst, _eflags,				\
		      "b", "q", "w", "r", _LO32, "r", "", "r")

/* Source operand is word, long or quad sized. */
#define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags)		\
	__emulate_2op_nobyte(_op, _src, _dst, _eflags,			\
			     "w", "r", _LO32, "r", "", "r")
/* Instruction has three operands and one operand is stored in ECX register */
#define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type)	\
	do {								\
		unsigned long _tmp;					\
		_type _clv  = (_cl).val;				\
		_type _srcv = (_src).val;				\
		_type _dstv = (_dst).val;				\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "5", "2")			\
			_op _suffix " %4,%1 \n"				\
			_POST_EFLAGS("0", "5", "2")			\
			: "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp)	\
			: "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK)	\
			);						\
									\
		(_cl).val  = (unsigned long) _clv;			\
		(_src).val = (unsigned long) _srcv;			\
		(_dst).val = (unsigned long) _dstv;			\
	} while (0)

#define emulate_2op_cl(_op, _cl, _src, _dst, _eflags)			\
	do {								\
		switch ((_dst).bytes) {					\
		case 2:							\
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags,	\
					 "w", unsigned short);		\
			break;						\
		case 4:							\
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags,	\
					 "l", unsigned int);		\
			break;						\
		case 8:							\
			ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					      "q", unsigned long));	\
			break;						\
		}							\
	} while (0)
#define __emulate_1op(_op, _dst, _eflags, _suffix)			\
	do {								\
		unsigned long _tmp;					\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "3", "2")			\
			_op _suffix " %1; "				\
			_POST_EFLAGS("0", "3", "2")			\
			: "=m" (_eflags), "+m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: "i" (EFLAGS_MASK));				\
	} while (0)

/* Instruction has only one explicit operand (no source operand). */
#define emulate_1op(_op, _dst, _eflags)					\
	do {								\
		switch ((_dst).bytes) {					\
		case 1: __emulate_1op(_op, _dst, _eflags, "b"); break;	\
		case 2: __emulate_1op(_op, _dst, _eflags, "w"); break;	\
		case 4: __emulate_1op(_op, _dst, _eflags, "l"); break;	\
		case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
		}							\
	} while (0)
#define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix)	\
	do {								\
		unsigned long _tmp;					\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "4", "1")			\
			_op _suffix " %5; "				\
			_POST_EFLAGS("0", "4", "1")			\
			: "=m" (_eflags), "=&r" (_tmp),			\
			  "+a" (_rax), "+d" (_rdx)			\
			: "i" (EFLAGS_MASK), "m" ((_src).val),		\
			  "a" (_rax), "d" (_rdx));			\
	} while (0)

/* Instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
#define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags)		\
	do {								\
		switch((_src).bytes) {					\
		case 1: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "b"); break; \
		case 2: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "w"); break; \
		case 4: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "l"); break; \
		case 8: ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "q")); break; \
		}							\
	} while (0)
/* Fetch next part of the instruction being emulated. */
#define insn_fetch(_type, _size, _eip)					\
({	unsigned long _x;						\
	rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
	(_type)_x;							\
})

#define insn_fetch_arr(_arr, _size, _eip)				\
({	rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
})
static inline unsigned long ad_mask(struct decode_cache *c)
{
	return (1UL << (c->ad_bytes << 3)) - 1;
}

/* Access/update address held in a register, based on addressing mode. */
static inline unsigned long
address_mask(struct decode_cache *c, unsigned long reg)
{
	if (c->ad_bytes == sizeof(unsigned long))
		return reg;
	else
		return reg & ad_mask(c);
}

static inline unsigned long
register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
{
	return base + address_mask(c, reg);
}

static inline void
register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
{
	if (c->ad_bytes == sizeof(unsigned long))
		*reg += inc;
	else
		*reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
}

static inline void jmp_rel(struct decode_cache *c, int rel)
{
	register_address_increment(c, &c->eip, rel);
}
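/*
 * Example: with c->ad_bytes == 2, ad_mask() is 0xffff, so incrementing
 * a register holding 0xffff by 1 wraps the low 16 bits to 0x0000 while
 * leaving the upper bits untouched -- the same wrap-around that 16-bit
 * address arithmetic performs on real hardware.
 */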
static void set_seg_override(struct decode_cache *c, int seg)
{
	c->has_seg_override = true;
	c->seg_override = seg;
}
static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
		return 0;

	return ops->get_cached_segment_base(seg, ctxt->vcpu);
}

static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
				       struct x86_emulate_ops *ops,
				       struct decode_cache *c)
{
	if (!c->has_seg_override)
		return 0;

	return seg_base(ctxt, ops, c->seg_override);
}

static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_ES);
}

static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_SS);
}
static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
			      u32 error, bool valid)
{
	ctxt->exception = vec;
	ctxt->error_code = error;
	ctxt->error_code_valid = valid;
	ctxt->restart = false;
}

static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, GP_VECTOR, err, true);
}

static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
		       int err)
{
	ctxt->cr2 = addr;
	emulate_exception(ctxt, PF_VECTOR, err, true);
}

static void emulate_ud(struct x86_emulate_ctxt *ctxt)
{
	emulate_exception(ctxt, UD_VECTOR, 0, false);
}

static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, TS_VECTOR, err, true);
}
static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops,
			      unsigned long eip, u8 *dest)
{
	struct fetch_cache *fc = &ctxt->decode.fetch;
	int rc;
	int size, cur_size;

	if (eip == fc->end) {
		cur_size = fc->end - fc->start;
		size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
		rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
				size, ctxt->vcpu, NULL);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		fc->end += size;
	}
	*dest = fc->data[eip - fc->start];
	return X86EMUL_CONTINUE;
}

static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long eip, void *dest, unsigned size)
{
	int rc;

	/* x86 instructions are limited to 15 bytes. */
	if (eip + size - ctxt->eip > 15)
		return X86EMUL_UNHANDLEABLE;
	while (size--) {
		rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
		if (rc != X86EMUL_CONTINUE)
			return rc;
	}
	return X86EMUL_CONTINUE;
}
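/*
 * Example: if decode started at ctxt->eip == 0x1000, fetching 4 bytes
 * at eip == 0x100c gives 0x100c + 4 - 0x1000 == 16 > 15, so the fetch
 * is refused; real hardware would fault on such an over-long
 * instruction, the emulator simply declines to handle it.
 */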
/*
 * Given the 'reg' portion of a ModRM byte, and a register block, return a
 * pointer into the block that addresses the relevant register.
 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
 */
static void *decode_register(u8 modrm_reg, unsigned long *regs,
			     int highbyte_regs)
{
	void *p;

	p = &regs[modrm_reg];
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
		p = (unsigned char *)&regs[modrm_reg & 3] + 1;
	return p;
}
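/*
 * Example: with no REX prefix, modrm_reg == 4 names AH, which lives in
 * byte 1 of the RAX slot on a little-endian host -- hence the
 * "&regs[modrm_reg & 3] + 1" computation above.
 */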
static int read_descriptor(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   ulong addr,
			   u16 *size, unsigned long *address, int op_bytes)
{
	int rc;

	if (op_bytes == 2)
		op_bytes = 3;
	*address = 0;
	rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
	return rc;
}
static int test_cc(unsigned int condition, unsigned int flags)
{
	int rc = 0;

	switch ((condition & 15) >> 1) {
	case 0: /* o */
		rc |= (flags & EFLG_OF);
		break;
	case 1: /* b/c/nae */
		rc |= (flags & EFLG_CF);
		break;
	case 2: /* z/e */
		rc |= (flags & EFLG_ZF);
		break;
	case 3: /* be/na */
		rc |= (flags & (EFLG_CF|EFLG_ZF));
		break;
	case 4: /* s */
		rc |= (flags & EFLG_SF);
		break;
	case 5: /* p/pe */
		rc |= (flags & EFLG_PF);
		break;
	case 7: /* le/ng */
		rc |= (flags & EFLG_ZF);
		/* fall through */
	case 6: /* l/nge */
		rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
		break;
	}

	/* Odd condition identifiers (lsb == 1) have inverted sense. */
	return (!!rc ^ (condition & 1));
}
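/*
 * Example: for jnz (condition code 5), (5 & 15) >> 1 == 2 selects the
 * ZF test, and the low bit (5 & 1) inverts the result, yielding
 * "branch taken when ZF == 0".
 */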
static void fetch_register_operand(struct operand *op)
{
	switch (op->bytes) {
	case 1:
		op->val = *(u8 *)op->addr.reg;
		break;
	case 2:
		op->val = *(u16 *)op->addr.reg;
		break;
	case 4:
		op->val = *(u32 *)op->addr.reg;
		break;
	case 8:
		op->val = *(u64 *)op->addr.reg;
		break;
	}
}
static void decode_register_operand(struct operand *op,
				    struct decode_cache *c,
				    int inhibit_bytereg)
{
	unsigned reg = c->modrm_reg;
	int highbyte_regs = c->rex_prefix == 0;

	if (!(c->d & ModRM))
		reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
	op->type = OP_REG;
	if ((c->d & ByteOp) && !inhibit_bytereg) {
		op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
		op->bytes = 1;
	} else {
		op->addr.reg = decode_register(reg, c->regs, 0);
		op->bytes = c->op_bytes;
	}
	fetch_register_operand(op);
	op->orig_val = op->val;
}
static int decode_modrm(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops,
			struct operand *op)
{
	struct decode_cache *c = &ctxt->decode;
	u8 sib;
	int index_reg = 0, base_reg = 0, scale;
	int rc = X86EMUL_CONTINUE;
	ulong modrm_ea = 0;

	if (c->rex_prefix) {
		c->modrm_reg = (c->rex_prefix & 4) << 1;	/* REX.R */
		index_reg = (c->rex_prefix & 2) << 2;		/* REX.X */
		c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REX.B */
	}

	c->modrm = insn_fetch(u8, 1, c->eip);
	c->modrm_mod |= (c->modrm & 0xc0) >> 6;
	c->modrm_reg |= (c->modrm & 0x38) >> 3;
	c->modrm_rm |= (c->modrm & 0x07);
	c->modrm_seg = VCPU_SREG_DS;

	if (c->modrm_mod == 3) {
		op->type = OP_REG;
		op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		op->addr.reg = decode_register(c->modrm_rm,
					       c->regs, c->d & ByteOp);
		fetch_register_operand(op);
		return rc;
	}

	op->type = OP_MEM;

	if (c->ad_bytes == 2) {
		unsigned bx = c->regs[VCPU_REGS_RBX];
		unsigned bp = c->regs[VCPU_REGS_RBP];
		unsigned si = c->regs[VCPU_REGS_RSI];
		unsigned di = c->regs[VCPU_REGS_RDI];

		/* 16-bit ModR/M decode. */
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 6)
				modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		case 1:
			modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		}
		switch (c->modrm_rm) {
		case 0:
			modrm_ea += bx + si;
			break;
		case 1:
			modrm_ea += bx + di;
			break;
		case 2:
			modrm_ea += bp + si;
			break;
		case 3:
			modrm_ea += bp + di;
			break;
		case 4:
			modrm_ea += si;
			break;
		case 5:
			modrm_ea += di;
			break;
		case 6:
			if (c->modrm_mod != 0)
				modrm_ea += bp;
			break;
		case 7:
			modrm_ea += bx;
			break;
		}
		if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
		    (c->modrm_rm == 6 && c->modrm_mod != 0))
			c->modrm_seg = VCPU_SREG_SS;
		modrm_ea = (u16)modrm_ea;
	} else {
		/* 32/64-bit ModR/M decode. */
		if ((c->modrm_rm & 7) == 4) {
			sib = insn_fetch(u8, 1, c->eip);
			index_reg |= (sib >> 3) & 7;
			base_reg |= sib & 7;
			scale = sib >> 6;

			if ((base_reg & 7) == 5 && c->modrm_mod == 0)
				modrm_ea += insn_fetch(s32, 4, c->eip);
			else
				modrm_ea += c->regs[base_reg];
			if (index_reg != 4)
				modrm_ea += c->regs[index_reg] << scale;
		} else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
			if (ctxt->mode == X86EMUL_MODE_PROT64)
				c->rip_relative = 1;
		} else
			modrm_ea += c->regs[c->modrm_rm];
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 5)
				modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		case 1:
			modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		}
	}
	op->addr.mem = modrm_ea;
done:
	return rc;
}
static int decode_abs(struct x86_emulate_ctxt *ctxt,
		      struct x86_emulate_ops *ops,
		      struct operand *op)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;

	op->type = OP_MEM;
	switch (c->ad_bytes) {
	case 2:
		op->addr.mem = insn_fetch(u16, 2, c->eip);
		break;
	case 4:
		op->addr.mem = insn_fetch(u32, 4, c->eip);
		break;
	case 8:
		op->addr.mem = insn_fetch(u64, 8, c->eip);
		break;
	}
done:
	return rc;
}
static void fetch_bit_operand(struct decode_cache *c)
{
	long sv = 0, mask;

	if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
		mask = ~(c->dst.bytes * 8 - 1);

		if (c->src.bytes == 2)
			sv = (s16)c->src.val & (s16)mask;
		else if (c->src.bytes == 4)
			sv = (s32)c->src.val & (s32)mask;

		c->dst.addr.mem += (sv >> 3);
	}

	/* only subword offset */
	c->src.val &= (c->dst.bytes << 3) - 1;
}
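/*
 * Example: for "bt [mem], reg" on a 4-byte operand with a bit index of
 * 35, mask is ~31, so sv == 32; the effective address is advanced by
 * 32 >> 3 == 4 bytes and the in-word bit offset becomes 35 & 31 == 3.
 */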
static int read_emulated(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long addr, void *dest, unsigned size)
{
	int rc;
	struct read_cache *mc = &ctxt->decode.mem_read;
	u32 err;

	while (size) {
		int n = min(size, 8u);
		size -= n;
		if (mc->pos < mc->end)
			goto read_cached;

		rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt, addr, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		mc->end += n;

	read_cached:
		memcpy(dest, mc->data + mc->pos, n);
		mc->pos += n;
		dest += n;
		addr += n;
	}
	return X86EMUL_CONTINUE;
}
static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   unsigned int size, unsigned short port,
			   void *dest)
{
	struct read_cache *rc = &ctxt->decode.io_read;

	if (rc->pos == rc->end) { /* refill pio read ahead */
		struct decode_cache *c = &ctxt->decode;
		unsigned int in_page, n;
		unsigned int count = c->rep_prefix ?
			address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
		in_page = (ctxt->eflags & EFLG_DF) ?
			offset_in_page(c->regs[VCPU_REGS_RDI]) :
			PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
		n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
			count);
		if (n == 0)
			n = 1;
		rc->pos = rc->end = 0;
		if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
			return 0;
		rc->end = n * size;
	}

	memcpy(dest, rc->data + rc->pos, size);
	rc->pos += size;
	return 1;
}
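/*
 * Example: for "rep insb" with a large RCX, n is capped by the space
 * left in the destination page and by sizeof(rc->data), so a single
 * pio_in_emulated() round trip fills the cache and the following
 * iterations of the string instruction are served from rc->data.
 */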
static u32 desc_limit_scaled(struct desc_struct *desc)
{
	u32 limit = get_desc_limit(desc);

	return desc->g ? (limit << 12) | 0xfff : limit;
}
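/*
 * Example: a descriptor with limit == 0xf and G == 1 scales to
 * (0xf << 12) | 0xfff == 0xffff, i.e. a 64KiB - 1 byte-granular limit,
 * matching the CPU's page-granularity rule.
 */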
static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
				     struct x86_emulate_ops *ops,
				     u16 selector, struct desc_ptr *dt)
{
	if (selector & 1 << 2) {
		struct desc_struct desc;
		memset(dt, 0, sizeof *dt);
		if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
			return;

		dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
		dt->address = get_desc_base(&desc);
	} else
		ops->get_gdt(dt, ctxt->vcpu);
}
/* allowed just for 8-byte segments */
static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	addr = dt.address + index * 8;
	ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}
/* allowed just for 8-byte segments */
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				    struct x86_emulate_ops *ops,
				    u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	addr = dt.address + index * 8;
	ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}
static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, int seg)
{
	struct desc_struct seg_desc;
	u8 dpl, rpl, cpl;
	unsigned err_vec = GP_VECTOR;
	u32 err_code = 0;
	bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
	int ret;

	memset(&seg_desc, 0, sizeof seg_desc);

	if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
	    || ctxt->mode == X86EMUL_MODE_REAL) {
		/* set real mode segment descriptor */
		set_desc_base(&seg_desc, selector << 4);
		set_desc_limit(&seg_desc, 0xffff);
		seg_desc.type = 3;
		seg_desc.p = 1;
		seg_desc.s = 1;
		goto load;
	}

	/* NULL selector is not valid for TR, CS and SS */
	if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
	    && null_selector)
		goto exception;

	/* TR should be in GDT only */
	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
		goto exception;

	if (null_selector) /* for NULL selector skip all following checks */
		goto load;

	ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	err_code = selector & 0xfffc;
	err_vec = GP_VECTOR;

	/* can't load system descriptor into segment selector */
	if (seg <= VCPU_SREG_GS && !seg_desc.s)
		goto exception;

	if (!seg_desc.p) {
		err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
		goto exception;
	}

	rpl = selector & 3;
	dpl = seg_desc.dpl;
	cpl = ops->cpl(ctxt->vcpu);

	switch (seg) {
	case VCPU_SREG_SS:
		/*
		 * segment is not a writable data segment or segment
		 * selector's RPL != CPL or descriptor's DPL != CPL
		 */
		if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
			goto exception;
		break;
	case VCPU_SREG_CS:
		if (!(seg_desc.type & 8))
			goto exception;

		if (seg_desc.type & 4) {
			/* conforming */
			if (dpl > cpl)
				goto exception;
		} else {
			/* nonconforming */
			if (rpl > cpl || dpl != cpl)
				goto exception;
		}
		/* CS(RPL) <- CPL */
		selector = (selector & 0xfffc) | cpl;
		break;
	case VCPU_SREG_TR:
		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
			goto exception;
		break;
	case VCPU_SREG_LDTR:
		if (seg_desc.s || seg_desc.type != 2)
			goto exception;
		break;
	default: /* DS, ES, FS, or GS */
		/*
		 * segment is not a data or readable code segment or
		 * ((segment is a data or nonconforming code segment)
		 * and (both RPL and CPL > DPL))
		 */
		if ((seg_desc.type & 0xa) == 0x8 ||
		    (((seg_desc.type & 0xc) != 0xc) &&
		     (rpl > dpl && cpl > dpl)))
			goto exception;
		break;
	}

	if (seg_desc.s) {
		/* mark segment as accessed */
		seg_desc.type |= 1;
		ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}
load:
	ops->set_segment_selector(selector, seg, ctxt->vcpu);
	ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
	return X86EMUL_CONTINUE;
exception:
	emulate_exception(ctxt, err_vec, err_code, true);
	return X86EMUL_PROPAGATE_FAULT;
}
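/*
 * Worked example for the default (DS/ES/FS/GS) case: loading a selector
 * with RPL == 3 while CPL == 3 requires a data or readable code segment
 * whose DPL >= 3 unless the code segment is conforming; any violation
 * takes the "goto exception" path and raises #GP with the selector
 * index (selector & 0xfffc) as the error code.
 */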
static inline int writeback(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops)
{
	int rc;
	struct decode_cache *c = &ctxt->decode;
	u32 err;

	switch (c->dst.type) {
	case OP_REG:
		/* The 4-byte case *is* correct:
		 * in 64-bit mode we zero-extend.
		 */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *)c->dst.addr.reg = (u8)c->dst.val;
			break;
		case 2:
			*(u16 *)c->dst.addr.reg = (u16)c->dst.val;
			break;
		case 4:
			*c->dst.addr.reg = (u32)c->dst.val;
			break;	/* 64b: zero-ext */
		case 8:
			*c->dst.addr.reg = c->dst.val;
			break;
		}
		break;
	case OP_MEM:
		if (c->lock_prefix)
			rc = ops->cmpxchg_emulated(
					c->dst.addr.mem,
					&c->dst.orig_val,
					&c->dst.val,
					c->dst.bytes,
					&err,
					ctxt->vcpu);
		else
			rc = ops->write_emulated(
					c->dst.addr.mem,
					&c->dst.val,
					c->dst.bytes,
					&err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt, c->dst.addr.mem, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		break;
	case OP_NONE:
		/* no writeback */
		break;
	default:
		break;
	}
	return X86EMUL_CONTINUE;
}
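/*
 * Example of the 4-byte special case above: "mov eax, 1" executed in
 * long mode must clear bits 63:32 of RAX, so the 32-bit result is
 * written through the full-width pointer rather than through a u32
 * cast, letting the assignment zero-extend.
 */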
static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	c->dst.type  = OP_MEM;
	c->dst.bytes = c->op_bytes;
	c->dst.val = c->src.val;
	register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
	c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
					   c->regs[VCPU_REGS_RSP]);
}
static int emulate_pop(struct x86_emulate_ctxt *ctxt,
		       struct x86_emulate_ops *ops,
		       void *dest, int len)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;

	rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
						       c->regs[VCPU_REGS_RSP]),
			   dest, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
	return rc;
}
static int emulate_popf(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops,
			void *dest, int len)
{
	int rc;
	unsigned long val, change_mask;
	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	int cpl = ops->cpl(ctxt->vcpu);

	rc = emulate_pop(ctxt, ops, &val, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
		| EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;

	switch(ctxt->mode) {
	case X86EMUL_MODE_PROT64:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT16:
		if (cpl == 0)
			change_mask |= EFLG_IOPL;
		if (cpl <= iopl)
			change_mask |= EFLG_IF;
		break;
	case X86EMUL_MODE_VM86:
		if (iopl < 3) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		change_mask |= EFLG_IF;
		break;
	default: /* real mode */
		change_mask |= (EFLG_IOPL | EFLG_IF);
		break;
	}

	*(unsigned long *)dest =
		(ctxt->eflags & ~change_mask) | (val & change_mask);

	return rc;
}
static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;

	c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);

	emulate_push(ctxt, ops);
}

static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long selector;
	int rc;

	rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
	return rc;
}
static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long old_esp = c->regs[VCPU_REGS_RSP];
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RAX;

	while (reg <= VCPU_REGS_RDI) {
		(reg == VCPU_REGS_RSP) ?
		(c->src.val = old_esp) : (c->src.val = c->regs[reg]);

		emulate_push(ctxt, ops);

		rc = writeback(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			return rc;

		++reg;
	}

	/* Disable writeback. */
	c->dst.type = OP_NONE;

	return rc;
}

static int emulate_popa(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RDI;

	while (reg >= VCPU_REGS_RAX) {
		if (reg == VCPU_REGS_RSP) {
			register_address_increment(c, &c->regs[VCPU_REGS_RSP],
						   c->op_bytes);
			--reg;
			continue;
		}

		rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			break;
		--reg;
	}
	return rc;
}
int emulate_int_real(struct x86_emulate_ctxt *ctxt,
		     struct x86_emulate_ops *ops, int irq)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	struct desc_ptr dt;
	gva_t cs_addr;
	gva_t eip_addr;
	u16 cs, eip;
	u32 err;

	/* TODO: Add limit checks */
	c->src.val = ctxt->eflags;
	emulate_push(ctxt, ops);

	ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);

	c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	emulate_push(ctxt, ops);

	c->src.val = c->eip;
	emulate_push(ctxt, ops);

	ops->get_idt(&dt, ctxt->vcpu);

	eip_addr = dt.address + (irq << 2);
	cs_addr = dt.address + (irq << 2) + 2;

	rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &err);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &err);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	c->eip = eip;

	return rc;
}
static int emulate_int(struct x86_emulate_ctxt *ctxt,
		       struct x86_emulate_ops *ops, int irq)
{
	switch(ctxt->mode) {
	case X86EMUL_MODE_REAL:
		return emulate_int_real(ctxt, ops, irq);
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT64:
	default:
		/* Protected mode interrupts unimplemented yet */
		return X86EMUL_UNHANDLEABLE;
	}
}
static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	unsigned long temp_eip = 0;
	unsigned long temp_eflags = 0;
	unsigned long cs = 0;
	unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
			     EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
			     EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
	unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;

	/* TODO: Add stack limit check */

	rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	if (temp_eip & ~0xffff) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	c->eip = temp_eip;

	if (c->op_bytes == 4)
		ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
	else if (c->op_bytes == 2) {
		ctxt->eflags &= ~0xffff;
		ctxt->eflags |= temp_eflags;
	}

	ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
	ctxt->eflags |= EFLG_RESERVED_ONE_MASK;

	return rc;
}
static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	switch(ctxt->mode) {
	case X86EMUL_MODE_REAL:
		return emulate_iret_real(ctxt, ops);
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT64:
	default:
		/* iret from protected mode unimplemented yet */
		return X86EMUL_UNHANDLEABLE;
	}
}
static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
}
static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
{
	struct decode_cache *c = &ctxt->decode;
	switch (c->modrm_reg) {
	case 0:	/* rol */
		emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
		break;
	case 1:	/* ror */
		emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* rcl */
		emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
		break;
	case 3:	/* rcr */
		emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
		break;
	case 4:	/* sal/shl */
	case 6:	/* sal/shl */
		emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
		break;
	case 5:	/* shr */
		emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
		break;
	case 7:	/* sar */
		emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
		break;
	}
}
static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long *rax = &c->regs[VCPU_REGS_RAX];
	unsigned long *rdx = &c->regs[VCPU_REGS_RDX];

	switch (c->modrm_reg) {
	case 0 ... 1:	/* test */
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* not */
		c->dst.val = ~c->dst.val;
		break;
	case 3:	/* neg */
		emulate_1op("neg", c->dst, ctxt->eflags);
		break;
	case 4:	/* mul */
		emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
		break;
	case 5:	/* imul */
		emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
		break;
	case 6:	/* div */
		emulate_1op_rax_rdx("div", c->src, *rax, *rdx, ctxt->eflags);
		break;
	case 7:	/* idiv */
		emulate_1op_rax_rdx("idiv", c->src, *rax, *rdx, ctxt->eflags);
		break;
	default:
		return X86EMUL_UNHANDLEABLE;
	}
	return X86EMUL_CONTINUE;
}
static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0:	/* inc */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 1:	/* dec */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 2: /* call near abs */ {
		long int old_eip;
		old_eip = c->eip;
		c->eip = c->src.val;
		c->src.val = old_eip;
		emulate_push(ctxt, ops);
		break;
	}
	case 4: /* jmp abs */
		c->eip = c->src.val;
		break;
	case 6:	/* push */
		emulate_push(ctxt, ops);
		break;
	}
	return X86EMUL_CONTINUE;
}
static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u64 old = c->dst.orig_val64;

	if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
	    ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
		c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
		c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
		ctxt->eflags &= ~EFLG_ZF;
	} else {
		c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
			(u32) c->regs[VCPU_REGS_RBX];

		ctxt->eflags |= EFLG_ZF;
	}
	return X86EMUL_CONTINUE;
}
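/*
 * Example (cmpxchg8b semantics): with EDX:EAX == the old 64-bit memory
 * value, ECX:EBX is written back via the writeback path and ZF is set;
 * on a mismatch the current memory value lands in EDX:EAX and ZF is
 * cleared.
 */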
static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;
	unsigned long cs;

	rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	if (c->op_bytes == 4)
		c->eip = (u32)c->eip;
	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
	return rc;
}
static inline void
setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops, struct desc_struct *cs,
			struct desc_struct *ss)
{
	memset(cs, 0, sizeof(struct desc_struct));
	ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
	memset(ss, 0, sizeof(struct desc_struct));

	cs->l = 0;		/* will be adjusted later */
	set_desc_base(cs, 0);	/* flat segment */
	cs->g = 1;		/* 4kb granularity */
	set_desc_limit(cs, 0xfffff);	/* 4GB limit */
	cs->type = 0x0b;	/* Read, Execute, Accessed */
	cs->s = 1;
	cs->dpl = 0;		/* will be adjusted later */
	cs->p = 1;
	cs->d = 1;

	set_desc_base(ss, 0);	/* flat segment */
	set_desc_limit(ss, 0xfffff);	/* 4GB limit */
	ss->g = 1;		/* 4kb granularity */
	ss->s = 1;
	ss->type = 0x03;	/* Read/Write, Accessed */
	ss->d = 1;		/* 32bit stack segment */
	ss->dpl = 0;
	ss->p = 1;
}
static int
emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* syscall is not available in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
	msr_data >>= 32;
	cs_sel = (u16)(msr_data & 0xfffc);
	ss_sel = (u16)(msr_data + 8);

	if (is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}
	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->regs[VCPU_REGS_RCX] = c->eip;
	if (is_long_mode(ctxt->vcpu)) {
#ifdef CONFIG_X86_64
		c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;

		ops->get_msr(ctxt->vcpu,
			     ctxt->mode == X86EMUL_MODE_PROT64 ?
			     MSR_LSTAR : MSR_CSTAR, &msr_data);
		c->eip = msr_data;

		ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
		ctxt->eflags &= ~(msr_data | EFLG_RF);
#endif
	} else {
		/* legacy mode */
		ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
		c->eip = (u32)msr_data;

		ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	}

	return X86EMUL_CONTINUE;
}
static int
emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	/* XXX sysenter/sysexit have not been tested in 64bit mode.
	 * Therefore, we inject an #UD.
	 */
	if (ctxt->mode == X86EMUL_MODE_PROT64) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT32:
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	case X86EMUL_MODE_PROT64:
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	}

	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	cs_sel = (u16)msr_data;
	cs_sel &= ~SELECTOR_RPL_MASK;
	ss_sel = cs_sel + 8;
	ss_sel &= ~SELECTOR_RPL_MASK;
	if (ctxt->mode == X86EMUL_MODE_PROT64
	    || is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
	c->eip = msr_data;

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
	c->regs[VCPU_REGS_RSP] = msr_data;

	return X86EMUL_CONTINUE;
}
static int
emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	int usermode;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode or Virtual 8086 mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	if ((c->rex_prefix & 0x8) != 0x0)
		usermode = X86EMUL_MODE_PROT64;
	else
		usermode = X86EMUL_MODE_PROT32;

	cs.dpl = 3;
	ss.dpl = 3;
	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (usermode) {
	case X86EMUL_MODE_PROT32:
		cs_sel = (u16)(msr_data + 16);
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = (u16)(msr_data + 24);
		break;
	case X86EMUL_MODE_PROT64:
		cs_sel = (u16)(msr_data + 32);
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = cs_sel + 8;
		cs.d = 0;
		cs.l = 1;
		break;
	}
	cs_sel |= SELECTOR_RPL_MASK;
	ss_sel |= SELECTOR_RPL_MASK;

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->eip = c->regs[VCPU_REGS_RDX];
	c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];

	return X86EMUL_CONTINUE;
}
static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops)
{
	int iopl;
	if (ctxt->mode == X86EMUL_MODE_REAL)
		return false;
	if (ctxt->mode == X86EMUL_MODE_VM86)
		return true;
	iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	return ops->cpl(ctxt->vcpu) > iopl;
}
static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
					    struct x86_emulate_ops *ops,
					    u16 port, u16 len)
{
	struct desc_struct tr_seg;
	int r;
	u16 io_bitmap_ptr;
	u8 perm, bit_idx = port & 0x7;
	unsigned mask = (1 << len) - 1;

	ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
	if (!tr_seg.p)
		return false;
	if (desc_limit_scaled(&tr_seg) < 103)
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
			  ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
			  &perm, 1, ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if ((perm >> bit_idx) & mask)
		return false;
	return true;
}
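/*
 * Example: for "in al, 0x64" with CPL > IOPL, the byte at
 * tr_base + io_bitmap_ptr + 0x64 / 8 is read and bit 0x64 % 8 == 4 is
 * tested; a set bit denies the port, mirroring the TSS I/O permission
 * bitmap check the CPU performs in protected mode.
 */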
static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 u16 port, u16 len)
{
	if (ctxt->perm_ok)
		return true;

	if (emulator_bad_iopl(ctxt, ops))
		if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
			return false;

	ctxt->perm_ok = true;

	return true;
}
static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->ip = c->eip;
	tss->flag = ctxt->eflags;
	tss->ax = c->regs[VCPU_REGS_RAX];
	tss->cx = c->regs[VCPU_REGS_RCX];
	tss->dx = c->regs[VCPU_REGS_RDX];
	tss->bx = c->regs[VCPU_REGS_RBX];
	tss->sp = c->regs[VCPU_REGS_RSP];
	tss->bp = c->regs[VCPU_REGS_RBP];
	tss->si = c->regs[VCPU_REGS_RSI];
	tss->di = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	c->eip = tss->ip;
	ctxt->eflags = tss->flag | 2;
	c->regs[VCPU_REGS_RAX] = tss->ax;
	c->regs[VCPU_REGS_RCX] = tss->cx;
	c->regs[VCPU_REGS_RDX] = tss->dx;
	c->regs[VCPU_REGS_RBX] = tss->bx;
	c->regs[VCPU_REGS_RSP] = tss->sp;
	c->regs[VCPU_REGS_RBP] = tss->bp;
	c->regs[VCPU_REGS_RSI] = tss->si;
	c->regs[VCPU_REGS_RDI] = tss->di;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If fault happens at this stage
	 * it is handled in the context of the new task
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_16(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_16 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss16(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss16(ctxt, ops, &tss_seg);
}
static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->cr3 = ops->get_cr(3, ctxt->vcpu);
	tss->eip = c->eip;
	tss->eflags = ctxt->eflags;
	tss->eax = c->regs[VCPU_REGS_RAX];
	tss->ecx = c->regs[VCPU_REGS_RCX];
	tss->edx = c->regs[VCPU_REGS_RDX];
	tss->ebx = c->regs[VCPU_REGS_RBX];
	tss->esp = c->regs[VCPU_REGS_RSP];
	tss->ebp = c->regs[VCPU_REGS_RBP];
	tss->esi = c->regs[VCPU_REGS_RSI];
	tss->edi = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
	tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
	tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}
	c->eip = tss->eip;
	ctxt->eflags = tss->eflags | 2;
	c->regs[VCPU_REGS_RAX] = tss->eax;
	c->regs[VCPU_REGS_RCX] = tss->ecx;
	c->regs[VCPU_REGS_RDX] = tss->edx;
	c->regs[VCPU_REGS_RBX] = tss->ebx;
	c->regs[VCPU_REGS_RSP] = tss->esp;
	c->regs[VCPU_REGS_RBP] = tss->ebp;
	c->regs[VCPU_REGS_RSI] = tss->esi;
	c->regs[VCPU_REGS_RDI] = tss->edi;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
	ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
	ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If fault happens at this stage
	 * it is handled in the context of the new task
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_32(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_32 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss32(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss32(ctxt, ops, &tss_seg);
}
static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 tss_selector, int reason,
				   bool has_error_code, u32 error_code)
{
	struct desc_struct curr_tss_desc, next_tss_desc;
	int ret;
	u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
	ulong old_tss_base =
		ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
	u32 desc_limit;

	/* FIXME: old_tss_base == ~0 ? */

	ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	/* FIXME: check that next_tss_desc is tss */

	if (reason != TASK_SWITCH_IRET) {
		if ((tss_selector & 3) > next_tss_desc.dpl ||
		    ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
	}

	desc_limit = desc_limit_scaled(&next_tss_desc);
	if (!next_tss_desc.p ||
	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
	     desc_limit < 0x2b)) {
		emulate_ts(ctxt, tss_selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
		curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
		write_segment_descriptor(ctxt, ops, old_tss_sel,
					 &curr_tss_desc);
	}

	if (reason == TASK_SWITCH_IRET)
		ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;

	/* set back link to prev task only if NT bit is set in eflags
	   note that old_tss_sel is not used after this point */
	if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
		old_tss_sel = 0xffff;

	if (next_tss_desc.type & 8)
		ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	else
		ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
		ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;

	if (reason != TASK_SWITCH_IRET) {
		next_tss_desc.type |= (1 << 1); /* set busy flag */
		write_segment_descriptor(ctxt, ops, tss_selector,
					 &next_tss_desc);
	}

	ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
	ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
	ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);

	if (has_error_code) {
		struct decode_cache *c = &ctxt->decode;

		c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
		c->lock_prefix = 0;
		c->src.val = (unsigned long) error_code;
		emulate_push(ctxt, ops);
	}

	return ret;
}
int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
			 u16 tss_selector, int reason,
			 bool has_error_code, u32 error_code)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc;

	c->eip = ctxt->eip;
	c->dst.type = OP_NONE;

	rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
				     has_error_code, error_code);

	if (rc == X86EMUL_CONTINUE) {
		rc = writeback(ctxt, ops);
		if (rc == X86EMUL_CONTINUE)
			ctxt->eip = c->eip;
	}

	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}
static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
			    int reg, struct operand *op)
{
	struct decode_cache *c = &ctxt->decode;
	int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;

	register_address_increment(c, &c->regs[reg], df * op->bytes);
	op->addr.mem = register_address(c, base, c->regs[reg]);
}

static int em_push(struct x86_emulate_ctxt *ctxt)
{
	emulate_push(ctxt, ctxt->ops);
	return X86EMUL_CONTINUE;
}
#define D(_y) { .flags = (_y) }
#define N    D(0)
#define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
#define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
#define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
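/*
 * For illustration: a table entry such as
 *
 *	I(SrcImm | Mov | Stack, em_push)
 *
 * builds a struct opcode whose flags steer the generic decoder (fetch a
 * full-sized immediate, treat the result as a stack push) and whose
 * ->execute callback performs the operation; G()/GD() instead redirect
 * decoding to a group table indexed by ModRM bits 5:3.
 */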
static struct opcode group1[] = {
	X7(D(Lock)), N
};

static struct opcode group1A[] = {
	D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
};

static struct opcode group3[] = {
	D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	X4(D(SrcMem | ModRM)),
};

static struct opcode group4[] = {
	D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
	N, N, N, N, N, N,
};

static struct opcode group5[] = {
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	D(SrcMem | ModRM | Stack), N,
	D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
	D(SrcMem | ModRM | Stack), N,
};

static struct group_dual group7 = { {
	N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv),
	D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
}, {
	D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv), N,
} };

static struct opcode group8[] = {
	N, N, N, N,
	D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
	D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
};

static struct group_dual group9 = { {
	N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
}, {
	N, N, N, N, N, N, N, N,
} };
static struct opcode opcode_table[256] = {
	/* 0x00 - 0x07 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x08 - 0x0F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), N,
	/* 0x10 - 0x17 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x18 - 0x1F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x20 - 0x27 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x28 - 0x2F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x30 - 0x37 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x38 - 0x3F */
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg)),
	/* 0x50 - 0x57 */
	X8(I(SrcReg | Stack, em_push)),
	/* 0x58 - 0x5F */
	X8(D(DstReg | Stack)),
	/* 0x60 - 0x67 */
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
	N, N, N, N,
	/* 0x68 - 0x6F */
	I(SrcImm | Mov | Stack, em_push), N,
	I(SrcImmByte | Mov | Stack, em_push), N,
	D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
	D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
	/* 0x70 - 0x7F */
	X16(D(SrcImmByte)),
	/* 0x80 - 0x87 */
	G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
	G(DstMem | SrcImm | ModRM | Group, group1),
	G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
	G(DstMem | SrcImmByte | ModRM | Group, group1),
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	/* 0x88 - 0x8F */
	D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
	D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
	D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
	D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
	/* 0x90 - 0x97 */
	X8(D(SrcAcc | DstReg)),
	/* 0x98 - 0x9F */
	N, N, D(SrcImmFAddr | No64), N,
	D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
	/* 0xA0 - 0xA7 */
	D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
	D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
	D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
	D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
	/* 0xA8 - 0xAF */
	D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm),
	D(ByteOp | SrcAcc | DstDI | Mov | String), D(SrcAcc | DstDI | Mov | String),
	D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
	D(ByteOp | DstDI | String), D(DstDI | String),
	/* 0xB0 - 0xB7 */
	X8(D(ByteOp | DstReg | SrcImm | Mov)),
	/* 0xB8 - 0xBF */
	X8(D(DstReg | SrcImm | Mov)),
	/* 0xC0 - 0xC7 */
	D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
	N, D(ImplicitOps | Stack), N, N,
	D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
	/* 0xC8 - 0xCF */
	N, N, N, D(ImplicitOps | Stack),
	D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
	/* 0xD0 - 0xD7 */
	D(ByteOp | DstMem | SrcOne | ModRM), D(DstMem | SrcOne | ModRM),
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	N, N, N, N,
	/* 0xD8 - 0xDF */
	N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xE7 */
	N, N, N, N,
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	/* 0xE8 - 0xEF */
	D(SrcImm | Stack), D(SrcImm | ImplicitOps),
	D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	/* 0xF0 - 0xF7 */
	N, N, N, N,
	D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
	/* 0xF8 - 0xFF */
	D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
	D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
};
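/*
 * Illustrative example (annotation, not original code): for the byte
 * sequence 88 18 (mov [eax], bl), opcode_table[0x88] yields
 * D(ByteOp | DstMem | SrcReg | ModRM | Mov), so the decoder knows to
 * parse a ModRM byte, use a byte-sized memory destination and a
 * register source, and to skip the pre-read of the destination (Mov).
 */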
static struct opcode twobyte_table[256] = {
	/* 0x00 - 0x0F */
	N, GD(0, &group7), N, N,
	N, D(ImplicitOps), D(ImplicitOps | Priv), N,
	D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
	N, D(ImplicitOps | ModRM), N, N,
	/* 0x10 - 0x1F */
	N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
	/* 0x20 - 0x2F */
	D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
	D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
	N, N, N, N,
	N, N, N, N, N, N, N, N,
	/* 0x30 - 0x3F */
	D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
	D(ImplicitOps), D(ImplicitOps | Priv), N, N,
	N, N, N, N, N, N, N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg | SrcMem | ModRM | Mov)),
	/* 0x50 - 0x5F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x60 - 0x6F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x70 - 0x7F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x80 - 0x8F */
	X16(D(SrcImm)),
	/* 0x90 - 0x9F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xA0 - 0xA7 */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM), N, N,
	/* 0xA8 - 0xAF */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM),
	D(ModRM), N,
	/* 0xB0 - 0xB7 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xB8 - 0xBF */
	N, N,
	G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xC0 - 0xCF */
	N, N, N, D(DstMem | SrcReg | ModRM | Mov),
	N, N, N, GD(0, &group9),
	N, N, N, N, N, N, N, N,
	/* 0xD0 - 0xDF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xEF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xF0 - 0xFF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
};
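/*
 * Illustrative example (annotation): for 0f b6 c8 (movzx ecx, al) the
 * 0x0f escape byte switches the lookup from opcode_table to
 * twobyte_table, and twobyte_table[0xb6] yields
 * D(ByteOp | DstReg | SrcMem | ModRM | Mov); since the ModRM byte 0xc8
 * has mod=11, the "memory" source is resolved to the register AL.
 */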
int
x86_decode_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int mode = ctxt->mode;
	int def_op_bytes, def_ad_bytes, dual, goffset;
	struct opcode opcode, *g_mod012, *g_mod3;
	struct operand memop = { .type = OP_NONE };

	/* We cannot decode a new insn before completing the previous rep insn. */
	WARN_ON(ctxt->restart);

	c->eip = ctxt->eip;
	c->fetch.start = c->fetch.end = c->eip;
	ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
	switch (mode) {
	case X86EMUL_MODE_REAL:
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
		def_op_bytes = def_ad_bytes = 2;
		break;
	case X86EMUL_MODE_PROT32:
		def_op_bytes = def_ad_bytes = 4;
		break;
#ifdef CONFIG_X86_64
	case X86EMUL_MODE_PROT64:
		def_op_bytes = 4;
		def_ad_bytes = 8;
		break;
#endif
	default:
		return -1;
	}

	c->op_bytes = def_op_bytes;
	c->ad_bytes = def_ad_bytes;
	/* Legacy prefixes. */
	for (;;) {
		switch (c->b = insn_fetch(u8, 1, c->eip)) {
		case 0x66:	/* operand-size override */
			/* switch between 2/4 bytes */
			c->op_bytes = def_op_bytes ^ 6;
			break;
		case 0x67:	/* address-size override */
			if (mode == X86EMUL_MODE_PROT64)
				/* switch between 4/8 bytes */
				c->ad_bytes = def_ad_bytes ^ 12;
			else
				/* switch between 2/4 bytes */
				c->ad_bytes = def_ad_bytes ^ 6;
			break;
		case 0x26:	/* ES override */
		case 0x2e:	/* CS override */
		case 0x36:	/* SS override */
		case 0x3e:	/* DS override */
			set_seg_override(c, (c->b >> 3) & 3);
			break;
		case 0x64:	/* FS override */
		case 0x65:	/* GS override */
			set_seg_override(c, c->b & 7);
			break;
		case 0x40 ... 0x4f: /* REX */
			if (mode != X86EMUL_MODE_PROT64)
				goto done_prefixes;
			c->rex_prefix = c->b;
			continue;
		case 0xf0:	/* LOCK */
			c->lock_prefix = 1;
			break;
		case 0xf2:	/* REPNE/REPNZ */
			c->rep_prefix = REPNE_PREFIX;
			break;
		case 0xf3:	/* REP/REPE/REPZ */
			c->rep_prefix = REPE_PREFIX;
			break;
		default:
			goto done_prefixes;
		}

		/* Any legacy prefix after a REX prefix nullifies its effect. */
		c->rex_prefix = 0;
	}

done_prefixes:

	/* REX prefix. */
	if (c->rex_prefix & 8)
		c->op_bytes = 8;	/* REX.W */
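/*
 * Worked example (annotation): in 32-bit protected mode, 66 05 34 12
 * is add ax, 0x1234 -- the 0x66 prefix flips op_bytes from 4 to 2
 * (4 ^ 6 == 2).  In 64-bit mode, 48 05 ... records rex_prefix = 0x48,
 * and REX.W (bit 3) then forces op_bytes = 8 above, overriding any
 * earlier 0x66.  A legacy prefix that follows the REX byte clears
 * rex_prefix at the bottom of the loop, as the architecture requires.
 */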
	/* Opcode byte(s). */
	opcode = opcode_table[c->b];
	/* Two-byte opcode? */
	if (c->b == 0x0f) {
		c->twobyte = 1;
		c->b = insn_fetch(u8, 1, c->eip);
		opcode = twobyte_table[c->b];
	}
	c->d = opcode.flags;
	if (c->d & Group) {
		dual = c->d & GroupDual;
		/* Peek at the ModRM byte; decode_modrm() will re-fetch it. */
		c->modrm = insn_fetch(u8, 1, c->eip);
		--c->eip;

		if (c->d & GroupDual) {
			g_mod012 = opcode.u.gdual->mod012;
			g_mod3 = opcode.u.gdual->mod3;
		} else
			g_mod012 = g_mod3 = opcode.u.group;

		c->d &= ~(Group | GroupDual);

		goffset = (c->modrm >> 3) & 7;

		if ((c->modrm >> 6) == 3)
			opcode = g_mod3[goffset];
		else
			opcode = g_mod012[goffset];
		c->d |= opcode.flags;
	}

	c->execute = opcode.u.execute;
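/*
 * Illustrative example (annotation): 0f ba e0 04 (bt eax, 4) hits
 * G(BitOp, group8); the ModRM byte 0xe0 gives
 * goffset = (0xe0 >> 3) & 7 == 4, so group8[4] =
 * D(DstMem | SrcImmByte | ModRM) is merged into c->d before the
 * operands are decoded.  Plain groups use the same row for every mod
 * value; only group_dual entries distinguish mod == 3.
 */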
	/* Unrecognised? */
	if (c->d == 0 || (c->d & Undefined)) {
		DPRINTF("Cannot emulate %02x\n", c->b);
		return -1;
	}

	/* Stack ops default to a 64-bit operand size in long mode. */
	if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
		c->op_bytes = 8;

	if (c->d & Op3264) {
		if (mode == X86EMUL_MODE_PROT64)
			c->op_bytes = 8;
		else
			c->op_bytes = 4;
	}
	/* ModRM and SIB bytes. */
	if (c->d & ModRM) {
		rc = decode_modrm(ctxt, ops, &memop);
		if (!c->has_seg_override)
			set_seg_override(c, c->modrm_seg);
	} else if (c->d & MemAbs)
		rc = decode_abs(ctxt, ops, &memop);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	if (!c->has_seg_override)
		set_seg_override(c, VCPU_SREG_DS);

	/* lea (0x8d) wants the raw effective address, without a segment base. */
	if (memop.type == OP_MEM && !(!c->twobyte && c->b == 0x8d))
		memop.addr.mem += seg_override_base(ctxt, ops, c);

	if (memop.type == OP_MEM && c->ad_bytes != 8)
		memop.addr.mem = (u32)memop.addr.mem;

	if (memop.type == OP_MEM && c->rip_relative)
		memop.addr.mem += c->eip;
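/*
 * Worked example (annotation): in 64-bit mode, 8b 05 10 00 00 00
 * (mov eax, [rip+0x10]) sets c->rip_relative during ModRM decode and
 * leaves the raw displacement in memop.addr.mem; the fixup above then
 * adds c->eip, which points just past the bytes fetched so far, to
 * form the final linear address.
 */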
	/*
	 * Decode and fetch the source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & SrcMask) {
	case SrcNone:
		break;
	case SrcReg:
		decode_register_operand(&c->src, c, 0);
		break;
	case SrcMem16:
		memop.bytes = 2;
		goto srcmem_common;
	case SrcMem32:
		memop.bytes = 4;
		goto srcmem_common;
	case SrcMem:
		memop.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
	srcmem_common:
		c->src = memop;
		break;
	case SrcImm:
	case SrcImmU:
		c->src.type = OP_IMM;
		c->src.addr.mem = c->eip;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		if (c->src.bytes == 8)
			c->src.bytes = 4;
		/* NB. Immediates are sign-extended as necessary. */
		switch (c->src.bytes) {
		case 1:
			c->src.val = insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->src.val = insn_fetch(s16, 2, c->eip);
			break;
		case 4:
			c->src.val = insn_fetch(s32, 4, c->eip);
			break;
		}
		/* Unsigned immediates are not sign-extended; mask instead. */
		if ((c->d & SrcMask) == SrcImmU) {
			switch (c->src.bytes) {
			case 1:
				c->src.val &= 0xff;
				break;
			case 2:
				c->src.val &= 0xffff;
				break;
			case 4:
				c->src.val &= 0xffffffff;
				break;
			}
		}
		break;
	case SrcImmByte:
	case SrcImmUByte:
		c->src.type = OP_IMM;
		c->src.addr.mem = c->eip;
		c->src.bytes = 1;
		if ((c->d & SrcMask) == SrcImmByte)
			c->src.val = insn_fetch(s8, 1, c->eip);
		else
			c->src.val = insn_fetch(u8, 1, c->eip);
		break;
	case SrcAcc:
		c->src.type = OP_REG;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
		fetch_register_operand(&c->src);
		break;
	case SrcOne:
		c->src.bytes = 1;
		c->src.val = 1;
		break;
	case SrcSI:
		c->src.type = OP_MEM;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.addr.mem =
			register_address(c, seg_override_base(ctxt, ops, c),
					 c->regs[VCPU_REGS_RSI]);
		c->src.val = 0;
		break;
	case SrcImmFAddr:
		c->src.type = OP_IMM;
		c->src.addr.mem = c->eip;
		c->src.bytes = c->op_bytes + 2;
		insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
		break;
	case SrcMemFAddr:
		memop.bytes = c->op_bytes + 2;
		goto srcmem_common;
	}
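/*
 * Illustrative example (annotation): for 83 c0 f0 (add eax, -16) the
 * SrcImmByte case fetches 0xf0 as an s8, sign-extending it to
 * 0xfffffff0, so the subsequent 32-bit add of c->src.val behaves
 * exactly like add eax, -16.
 */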
	/*
	 * Decode and fetch the second source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & Src2Mask) {
	case Src2None:
		break;
	case Src2CL:
		c->src2.bytes = 1;
		c->src2.val = c->regs[VCPU_REGS_RCX] & 0xff; /* CL is the low byte of RCX */
		break;
	case Src2ImmByte:
		c->src2.type = OP_IMM;
		c->src2.addr.mem = c->eip;
		c->src2.bytes = 1;
		c->src2.val = insn_fetch(u8, 1, c->eip);
		break;
	case Src2One:
		c->src2.bytes = 1;
		c->src2.val = 1;
		break;
	}
	/* Decode and fetch the destination operand: register or memory. */
	switch (c->d & DstMask) {
	case DstReg:
		decode_register_operand(&c->dst, c,
			 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
		break;
	case DstMem:
	case DstMem64:
		c->dst = memop;
		if ((c->d & DstMask) == DstMem64)
			c->dst.bytes = 8;
		else
			c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		if (c->d & BitOp)
			fetch_bit_operand(c);
		c->dst.orig_val = c->dst.val;
		break;
	case DstAcc:
		c->dst.type = OP_REG;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
		fetch_register_operand(&c->dst);
		c->dst.orig_val = c->dst.val;
		break;
	case DstDI:
		c->dst.type = OP_MEM;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.addr.mem =
			register_address(c, es_base(ctxt, ops),
					 c->regs[VCPU_REGS_RDI]);
		c->dst.val = 0;
		break;
	case ImplicitOps:
		/* Special instructions do their own operand decoding. */
	default:
		c->dst.type = OP_NONE; /* Disable writeback. */
		break;
	}

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}
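/*
 * Usage sketch (annotation; simplified, not the real entry point): a
 * caller is expected to decode first and emulate only on success --
 *
 *	if (x86_decode_insn(ctxt) < 0)
 *		return -1;
 *	return x86_emulate_insn(ctxt);
 *
 * The actual KVM caller additionally re-invokes x86_emulate_insn()
 * while ctxt->restart is set, to finish partially executed string
 * instructions.
 */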
int
x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	u64 msr_data;
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int saved_dst_type = c->dst.type;
	int irq; /* Used for int 3, int, and into */

	ctxt->decode.mem_read.pos = 0;
	if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
		emulate_ud(ctxt);
		goto done;
	}

	/* LOCK prefix is allowed only with some instructions */
	if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
		emulate_ud(ctxt);
		goto done;
	}

	/* Privileged instructions can be executed only at CPL 0 */
	if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		goto done;
	}
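	/*
	 * Illustrative example (annotation): f0 01 08 (lock add [eax], ecx)
	 * passes the LOCK check above -- the opcode carries Lock and the
	 * destination is memory.  f0 01 c8 (lock add eax, ecx) raises #UD
	 * because the destination is a register.
	 */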
	if (c->rep_prefix && (c->d & String)) {
		ctxt->restart = true;
		/* All REP prefixes have the same first termination condition */
		if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
		string_done:
			ctxt->restart = false;
			ctxt->eip = c->eip;
			goto done;
		}
		/*
		 * The second termination condition applies only to REPE and
		 * REPNE: if the prefix is REPE/REPZ or REPNE/REPNZ, also test
		 * the corresponding condition:
		 *	- if REPE/REPZ and ZF = 0 then done
		 *	- if REPNE/REPNZ and ZF = 1 then done
		 */
		if ((c->b == 0xa6) || (c->b == 0xa7) ||
		    (c->b == 0xae) || (c->b == 0xaf)) {
			if ((c->rep_prefix == REPE_PREFIX) &&
			    ((ctxt->eflags & EFLG_ZF) == 0))
				goto string_done;
			if ((c->rep_prefix == REPNE_PREFIX) &&
			    ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
				goto string_done;
		}
		c->eip = ctxt->eip;
	}
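	/*
	 * Worked example (annotation): f3 a6 (repe cmpsb) stops when
	 * (e)cx reaches 0 (first condition) or, because 0xa6 is in the
	 * cmps/scas set, as soon as a mismatch clears ZF (second
	 * condition).  f3 a4 (rep movsb) only tests the (e)cx count.
	 */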
	if (c->src.type == OP_MEM) {
		if (c->d & NoAccess)
			goto no_fetch;
		rc = read_emulated(ctxt, ops, c->src.addr.mem,
				   c->src.valptr, c->src.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		c->src.orig_val64 = c->src.val64;
	no_fetch:
		;
	}

	if (c->src2.type == OP_MEM) {
		rc = read_emulated(ctxt, ops, c->src2.addr.mem,
				   &c->src2.val, c->src2.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}
	if ((c->d & DstMask) == ImplicitOps)
		goto special_insn;

	if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
		/* optimisation - avoid slow emulated read if Mov */
		rc = read_emulated(ctxt, ops, c->dst.addr.mem,
				   &c->dst.val, c->dst.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}
	c->dst.orig_val = c->dst.val;

special_insn:

	if (c->execute) {
		rc = c->execute(ctxt);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		goto writeback;
	}

	if (c->twobyte)
		goto twobyte_insn;

	switch (c->b) {
	case 0x00 ... 0x05:
	      add:		/* add */
		emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
		break;
	case 0x06:		/* push es */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
		break;
	case 0x07:		/* pop es */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x08 ... 0x0d:
	      or:		/* or */
		emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
		break;
	case 0x0e:		/* push cs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
		break;
	case 0x10 ... 0x15:
	      adc:		/* adc */
		emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
		break;
	case 0x16:		/* push ss */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
		break;
	case 0x17:		/* pop ss */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x18 ... 0x1d:
	      sbb:		/* sbb */
		emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
		break;
	case 0x1e:		/* push ds */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
		break;
	case 0x1f:		/* pop ds */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x20 ... 0x25:
	      and:		/* and */
		emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
		break;
	case 0x28 ... 0x2d:
	      sub:		/* sub */
		emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
		break;
	case 0x30 ... 0x35:
	      xor:		/* xor */
		emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
		break;
	case 0x38 ... 0x3d:
	      cmp:		/* cmp */
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
		break;
	case 0x40 ... 0x47: /* inc r16/r32 */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 0x48 ... 0x4f: /* dec r16/r32 */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 0x58 ... 0x5f: /* pop reg */
	pop_instruction:
		rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x60:	/* pusha */
		rc = emulate_pusha(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x61:	/* popa */
		rc = emulate_popa(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x63:		/* movsxd */
		if (ctxt->mode != X86EMUL_MODE_PROT64)
			goto cannot_emulate;
		c->dst.val = (s32) c->src.val;
		break;
	case 0x6c:		/* insb */
	case 0x6d:		/* insw/insd */
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
					  c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
				     c->regs[VCPU_REGS_RDX], &c->dst.val))
			goto done; /* IO is needed, skip writeback */
		break;
	case 0x6e:		/* outsb */
	case 0x6f:		/* outsw/outsd */
		c->src.bytes = min(c->src.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
					  c->src.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
				      &c->src.val, 1, ctxt->vcpu);

		c->dst.type = OP_NONE; /* nothing to writeback */
		break;
	case 0x70 ... 0x7f: /* jcc (short) */
		if (test_cc(c->b, ctxt->eflags))
			jmp_rel(c, c->src.val);
		break;
	case 0x80 ... 0x83:	/* Grp1 */
		switch (c->modrm_reg) {
		case 0:
			goto add;
		case 1:
			goto or;
		case 2:
			goto adc;
		case 3:
			goto sbb;
		case 4:
			goto and;
		case 5:
			goto sub;
		case 6:
			goto xor;
		case 7:
			goto cmp;
		}
		break;
	case 0x84 ... 0x85:
	      test:
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 0x86 ... 0x87:	/* xchg */
	      xchg:
		/* Write back the register source. */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *) c->src.addr.reg = (u8) c->dst.val;
			break;
		case 2:
			*(u16 *) c->src.addr.reg = (u16) c->dst.val;
			break;
		case 4:
			*c->src.addr.reg = (u32) c->dst.val;
			break;	/* 64b reg: zero-extend */
		case 8:
			*c->src.addr.reg = c->dst.val;
			break;
		}
		/*
		 * Write back the memory destination with implicit LOCK
		 * prefix.
		 */
		c->dst.val = c->src.val;
		c->lock_prefix = 1;
		break;
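	/*
	 * Illustrative note (annotation): xchg with a memory operand is
	 * architecturally locked even without an f0 prefix, which is why
	 * the case above forces c->lock_prefix = 1 before writeback.
	 */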
	case 0x88 ... 0x8b:	/* mov */
		goto mov;
	case 0x8c:  /* mov r/m, sreg */
		if (c->modrm_reg > VCPU_SREG_GS) {
			emulate_ud(ctxt);
			goto done;
		}
		c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
		break;
	case 0x8d: /* lea r16/r32, m */
		c->dst.val = c->src.addr.mem;
		break;
	case 0x8e: { /* mov seg, r/m16 */
		uint16_t sel;

		sel = c->src.val;

		if (c->modrm_reg == VCPU_SREG_CS ||
		    c->modrm_reg > VCPU_SREG_GS) {
			emulate_ud(ctxt);
			goto done;
		}

		if (c->modrm_reg == VCPU_SREG_SS)
			ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;

		rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);

		c->dst.type = OP_NONE;  /* Disable writeback. */
		break;
	}
	case 0x8f:		/* pop (sole member of Grp1a) */
		rc = emulate_grp1a(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x90 ... 0x97: /* nop / xchg reg, rax */
		if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
			break;
		goto xchg;
	case 0x9c: /* pushf */
		c->src.val = (unsigned long) ctxt->eflags;
		emulate_push(ctxt, ops);
		break;
	case 0x9d: /* popf */
		c->dst.type = OP_REG;
		c->dst.addr.reg = &ctxt->eflags;
		c->dst.bytes = c->op_bytes;
		rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xa0 ... 0xa3:	/* mov */
	case 0xa4 ... 0xa5:	/* movs */
		goto mov;
	case 0xa6 ... 0xa7:	/* cmps */
		c->dst.type = OP_NONE; /* Disable writeback. */
		DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
		goto cmp;
	case 0xa8 ... 0xa9:	/* test ax, imm */
		goto test;
	case 0xaa ... 0xab:	/* stos */
	case 0xac ... 0xad:	/* lods */
		goto mov;
	case 0xae ... 0xaf:	/* scas */
		DPRINTF("Urk! I don't handle SCAS.\n");
		goto cannot_emulate;
	case 0xb0 ... 0xbf:	/* mov r, imm */
		goto mov;
	case 0xc0 ... 0xc1:	/* Grp2 */
		emulate_grp2(ctxt);
		break;
	case 0xc3: /* ret */
		c->dst.type = OP_REG;
		c->dst.addr.reg = &c->eip;
		c->dst.bytes = c->op_bytes;
		goto pop_instruction;
	case 0xc6 ... 0xc7:	/* mov (sole member of Grp11) */
	      mov:
		c->dst.val = c->src.val;
		break;
	case 0xcb:		/* ret far */
		rc = emulate_ret_far(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xcc:		/* int3 */
		irq = 3;
		goto do_interrupt;
	case 0xcd:		/* int n */
		irq = c->src.val;
	do_interrupt:
		rc = emulate_int(ctxt, ops, irq);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xce:		/* into */
		if (ctxt->eflags & EFLG_OF) {
			irq = 4;
			goto do_interrupt;
		}
		break;
	case 0xcf:		/* iret */
		rc = emulate_iret(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xd0 ... 0xd1:	/* Grp2 */
		emulate_grp2(ctxt);
		break;
	case 0xd2 ... 0xd3:	/* Grp2 */
		c->src.val = c->regs[VCPU_REGS_RCX];
		emulate_grp2(ctxt);
		break;
	case 0xe4:	/* inb */
	case 0xe5:	/* in */
		goto do_io_in;
	case 0xe6: /* outb */
	case 0xe7: /* out */
		goto do_io_out;
	case 0xe8: /* call (near) */ {
		long int rel = c->src.val;
		c->src.val = (unsigned long) c->eip;
		jmp_rel(c, rel);
		emulate_push(ctxt, ops);
		break;
	}
	case 0xe9: /* jmp rel */
		goto jmp;
	case 0xea: { /* jmp far */
		unsigned short sel;
	jump_far:
		memcpy(&sel, c->src.valptr + c->op_bytes, 2);

		if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
			goto done;

		c->eip = 0;
		memcpy(&c->eip, c->src.valptr, c->op_bytes);
		break;
	}
	case 0xeb:
	      jmp:		/* jmp rel short */
		jmp_rel(c, c->src.val);
		c->dst.type = OP_NONE; /* Disable writeback. */
		break;
	case 0xec: /* in al,dx */
	case 0xed: /* in (e/r)ax,dx */
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_in:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
				     &c->dst.val))
			goto done; /* IO is needed */
		break;
	case 0xee: /* out dx,al */
	case 0xef: /* out dx,(e/r)ax */
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_out:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
				      ctxt->vcpu);
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xf4:              /* hlt */
		ctxt->vcpu->arch.halt_request = 1;
		break;
	case 0xf5:	/* cmc */
		/* complement carry flag from eflags reg */
		ctxt->eflags ^= EFLG_CF;
		break;
	case 0xf6 ... 0xf7:	/* Grp3 */
		if (!emulate_grp3(ctxt, ops))
			goto cannot_emulate;
		break;
	case 0xf8: /* clc */
		ctxt->eflags &= ~EFLG_CF;
		break;
	case 0xf9: /* stc */
		ctxt->eflags |= EFLG_CF;
		break;
	case 0xfa: /* cli */
		if (emulator_bad_iopl(ctxt, ops)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ctxt->eflags &= ~X86_EFLAGS_IF;
		break;
	case 0xfb: /* sti */
		if (emulator_bad_iopl(ctxt, ops)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
		ctxt->eflags |= X86_EFLAGS_IF;
		break;
	case 0xfc: /* cld */
		ctxt->eflags &= ~EFLG_DF;
		break;
	case 0xfd: /* std */
		ctxt->eflags |= EFLG_DF;
		break;
	case 0xfe: /* Grp4 */
	grp45:
		rc = emulate_grp45(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xff: /* Grp5 */
		if (c->modrm_reg == 5)
			goto jump_far;
		goto grp45;
	default:
		goto cannot_emulate;
	}
writeback:
	rc = writeback(ctxt, ops);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/*
	 * Restore dst type in case the decoding will be reused
	 * (happens for string instructions).
	 */
	c->dst.type = saved_dst_type;

	if ((c->d & SrcMask) == SrcSI)
		string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
				VCPU_REGS_RSI, &c->src);

	if ((c->d & DstMask) == DstDI)
		string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
				&c->dst);
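	/*
	 * Illustrative note (annotation): string_addr_inc() steps
	 * RSI/RDI forward or backward by the operand size according to
	 * EFLAGS.DF, so "std; rep movsd" walks both buffers downward
	 * 4 bytes per iteration while RCX counts down below.
	 */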
	if (c->rep_prefix && (c->d & String)) {
		struct read_cache *rc = &ctxt->decode.io_read;
		register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
		/*
		 * Re-enter the guest when the pio read-ahead buffer is empty
		 * or, if it is not used, after each 1024th iteration.
		 */
		if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
		    (rc->end != 0 && rc->end == rc->pos))
			ctxt->restart = false;
	}
	/*
	 * Reset the read cache here in case a string instruction is
	 * restarted without decoding.
	 */
	ctxt->decode.mem_read.end = 0;
	ctxt->eip = c->eip;

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
twobyte_insn:
	switch (c->b) {
	case 0x01: /* lgdt, lidt, lmsw */
		switch (c->modrm_reg) {
			u16 size;
			unsigned long address;

		case 0: /* vmcall */
			if (c->modrm_mod != 3 || c->modrm_rm != 1)
				goto cannot_emulate;

			rc = kvm_fix_hypercall(ctxt->vcpu);
			if (rc != X86EMUL_CONTINUE)
				goto done;

			/* Let the processor re-execute the fixed hypercall */
			c->eip = ctxt->eip;
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 2: /* lgdt */
			rc = read_descriptor(ctxt, ops, c->src.addr.mem,
					     &size, &address, c->op_bytes);
			if (rc != X86EMUL_CONTINUE)
				goto done;
			realmode_lgdt(ctxt->vcpu, size, address);
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 3: /* lidt/vmmcall */
			if (c->modrm_mod == 3) {
				switch (c->modrm_rm) {
				case 1:
					rc = kvm_fix_hypercall(ctxt->vcpu);
					if (rc != X86EMUL_CONTINUE)
						goto done;
					break;
				default:
					goto cannot_emulate;
				}
			} else {
				rc = read_descriptor(ctxt, ops, c->src.addr.mem,
						     &size, &address,
						     c->op_bytes);
				if (rc != X86EMUL_CONTINUE)
					goto done;
				realmode_lidt(ctxt->vcpu, size, address);
			}
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 4: /* smsw */
			c->dst.bytes = 2;
			c->dst.val = ops->get_cr(0, ctxt->vcpu);
			break;
		case 6: /* lmsw */
			ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
				    (c->src.val & 0x0f), ctxt->vcpu);
			c->dst.type = OP_NONE;
			break;
		case 5: /* not defined */
			emulate_ud(ctxt);
			goto done;
		case 7: /* invlpg */
			emulate_invlpg(ctxt->vcpu, c->src.addr.mem);
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		default:
			goto cannot_emulate;
		}
		break;
	case 0x05:	/* syscall */
		rc = emulate_syscall(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x06: /* clts */
		emulate_clts(ctxt->vcpu);
		break;
	case 0x09:		/* wbinvd */
		kvm_emulate_wbinvd(ctxt->vcpu);
		break;
	case 0x08:		/* invd */
	case 0x0d:		/* GrpP (prefetch) */
	case 0x18:		/* Grp16 (prefetch/nop) */
		break;
	case 0x20: /* mov cr, reg */
		switch (c->modrm_reg) {
		case 1:
		case 5 ... 7:
		case 9 ... 15:
			emulate_ud(ctxt);
			goto done;
		}
		c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
		break;
	case 0x21: /* mov from dr to reg */
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
			emulate_ud(ctxt);
			goto done;
		}
		ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
		break;
	case 0x22: /* mov reg, cr */
		if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		c->dst.type = OP_NONE;
		break;
	case 0x23: /* mov from reg to dr */
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
			emulate_ud(ctxt);
			goto done;
		}

		if (ops->set_dr(c->modrm_reg, c->src.val &
				((ctxt->mode == X86EMUL_MODE_PROT64) ?
				 ~0ULL : ~0U), ctxt->vcpu) < 0) {
			/* #UD condition is already handled by the code above */
			emulate_gp(ctxt, 0);
			goto done;
		}

		c->dst.type = OP_NONE;	/* no writeback */
		break;
	case 0x30:
		/* wrmsr */
		msr_data = (u32)c->regs[VCPU_REGS_RAX]
			| ((u64)c->regs[VCPU_REGS_RDX] << 32);
		if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		rc = X86EMUL_CONTINUE;
		break;
	case 0x32:
		/* rdmsr */
		if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			c->regs[VCPU_REGS_RAX] = (u32)msr_data;
			c->regs[VCPU_REGS_RDX] = msr_data >> 32;
		}
		rc = X86EMUL_CONTINUE;
		break;
	case 0x34:		/* sysenter */
		rc = emulate_sysenter(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x35:		/* sysexit */
		rc = emulate_sysexit(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x40 ... 0x4f:	/* cmov */
		c->dst.val = c->dst.orig_val = c->src.val;
		if (!test_cc(c->b, ctxt->eflags))
			c->dst.type = OP_NONE; /* no writeback */
		break;
	case 0x80 ... 0x8f: /* jnz rel, etc */
		if (test_cc(c->b, ctxt->eflags))
			jmp_rel(c, c->src.val);
		break;
	case 0xa0:	  /* push fs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
		break;
	case 0xa1:	 /* pop fs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xa3:
	      bt:		/* bt */
		c->dst.type = OP_NONE;
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
		break;
	case 0xa4: /* shld imm8, r, r/m */
	case 0xa5: /* shld cl, r, r/m */
		emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
		break;
	case 0xa8:	/* push gs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
		break;
	case 0xa9:	/* pop gs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xab:
	      bts:		/* bts */
		emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
		break;
	case 0xac: /* shrd imm8, r, r/m */
	case 0xad: /* shrd cl, r, r/m */
		emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
		break;
	case 0xae:              /* clflush */
		break;
	case 0xb0 ... 0xb1:	/* cmpxchg */
		/*
		 * Save real source value, then compare EAX against
		 * destination.
		 */
		c->src.orig_val = c->src.val;
		c->src.val = c->regs[VCPU_REGS_RAX];
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
		if (ctxt->eflags & EFLG_ZF) {
			/* Success: write back to memory. */
			c->dst.val = c->src.orig_val;
		} else {
			/* Failure: write the value we saw to EAX. */
			c->dst.type = OP_REG;
			c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
		}
		break;
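	/*
	 * Worked example (annotation): with eax=1, [mem]=1, ebx=2, the
	 * sequence 0f b1 1d ... (cmpxchg [mem], ebx) sets ZF and stores
	 * 2 to [mem]; with [mem]=3 it clears ZF and loads 3 into eax --
	 * exactly the two branches above.
	 */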
	case 0xb3:
	      btr:		/* btr */
		emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
		break;
	case 0xb6 ... 0xb7:	/* movzx */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
					     : (u16) c->src.val;
		break;
	case 0xba:		/* Grp8 */
		switch (c->modrm_reg & 3) {
		case 0:
			goto bt;
		case 1:
			goto bts;
		case 2:
			goto btr;
		case 3:
			goto btc;
		}
		break;
	case 0xbb:
	      btc:		/* btc */
		emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
		break;
	case 0xbe ... 0xbf:	/* movsx */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
					       (s16) c->src.val;
		break;
	case 0xc3:		/* movnti */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
						  (u64) c->src.val;
		break;
	case 0xc7:		/* Grp9 (cmpxchg8b) */
		rc = emulate_grp9(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	default:
		goto cannot_emulate;
	}
	goto writeback;

cannot_emulate:
	DPRINTF("Cannot emulate %02x\n", c->b);
	return -1;
}