1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
27 #include <linux/stringify.h>
36 #define OpImplicit 1ull /* No generic decode */
37 #define OpReg 2ull /* Register */
38 #define OpMem 3ull /* Memory */
39 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
40 #define OpDI 5ull /* ES:DI/EDI/RDI */
41 #define OpMem64 6ull /* Memory, 64-bit */
42 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
43 #define OpDX 8ull /* DX register */
44 #define OpCL 9ull /* CL register (for shifts) */
45 #define OpImmByte 10ull /* 8-bit sign extended immediate */
46 #define OpOne 11ull /* Implied 1 */
47 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
48 #define OpMem16 13ull /* Memory operand (16-bit). */
49 #define OpMem32 14ull /* Memory operand (32-bit). */
50 #define OpImmU 15ull /* Immediate operand, zero extended */
51 #define OpSI 16ull /* SI/ESI/RSI */
52 #define OpImmFAddr 17ull /* Immediate far address */
53 #define OpMemFAddr 18ull /* Far address in memory */
54 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
55 #define OpES 20ull /* ES */
56 #define OpCS 21ull /* CS */
57 #define OpSS 22ull /* SS */
58 #define OpDS 23ull /* DS */
59 #define OpFS 24ull /* FS */
60 #define OpGS 25ull /* GS */
61 #define OpMem8 26ull /* 8-bit zero extended memory operand */
62 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
63 #define OpXLat 28ull /* memory at BX/EBX/RBX + zero-extended AL */
64 #define OpAccLo 29ull /* Low part of extended acc (AX/AX/EAX/RAX) */
65 #define OpAccHi 30ull /* High part of extended acc (-/DX/EDX/RDX) */
67 #define OpBits 5 /* Width of operand field */
68 #define OpMask ((1ull << OpBits) - 1)
71 * Opcode effective-address decode tables.
72 * Note that we only emulate instructions that have at least one memory
73 * operand (excluding implicit stack references). We assume that stack
74 * references and instruction fetches will never occur in special memory
75 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
79 /* Operand sizes: 8-bit operands or specified/overridden size. */
80 #define ByteOp (1<<0) /* 8-bit operands. */
81 /* Destination operand type. */
83 #define ImplicitOps (OpImplicit << DstShift)
84 #define DstReg (OpReg << DstShift)
85 #define DstMem (OpMem << DstShift)
86 #define DstAcc (OpAcc << DstShift)
87 #define DstDI (OpDI << DstShift)
88 #define DstMem64 (OpMem64 << DstShift)
89 #define DstImmUByte (OpImmUByte << DstShift)
90 #define DstDX (OpDX << DstShift)
91 #define DstAccLo (OpAccLo << DstShift)
92 #define DstMask (OpMask << DstShift)
93 /* Source operand type. */
95 #define SrcNone (OpNone << SrcShift)
96 #define SrcReg (OpReg << SrcShift)
97 #define SrcMem (OpMem << SrcShift)
98 #define SrcMem16 (OpMem16 << SrcShift)
99 #define SrcMem32 (OpMem32 << SrcShift)
100 #define SrcImm (OpImm << SrcShift)
101 #define SrcImmByte (OpImmByte << SrcShift)
102 #define SrcOne (OpOne << SrcShift)
103 #define SrcImmUByte (OpImmUByte << SrcShift)
104 #define SrcImmU (OpImmU << SrcShift)
105 #define SrcSI (OpSI << SrcShift)
106 #define SrcXLat (OpXLat << SrcShift)
107 #define SrcImmFAddr (OpImmFAddr << SrcShift)
108 #define SrcMemFAddr (OpMemFAddr << SrcShift)
109 #define SrcAcc (OpAcc << SrcShift)
110 #define SrcImmU16 (OpImmU16 << SrcShift)
111 #define SrcImm64 (OpImm64 << SrcShift)
112 #define SrcDX (OpDX << SrcShift)
113 #define SrcMem8 (OpMem8 << SrcShift)
114 #define SrcAccHi (OpAccHi << SrcShift)
115 #define SrcMask (OpMask << SrcShift)
116 #define BitOp (1<<11)
117 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
118 #define String (1<<13) /* String instruction (rep capable) */
119 #define Stack (1<<14) /* Stack instruction (push/pop) */
120 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
121 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
122 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
123 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
124 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
125 #define Escape (5<<15) /* Escape to coprocessor instruction */
126 #define Sse (1<<18) /* SSE Vector instruction */
127 /* Generic ModRM decode. */
128 #define ModRM (1<<19)
129 /* Destination is only written; never read. */
132 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
133 #define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
134 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
135 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
136 #define Undefined (1<<25) /* No Such Instruction */
137 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
138 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
140 #define PageTable (1 << 29) /* instruction used to write page table */
141 #define NotImpl (1 << 30) /* instruction is not implemented */
142 /* Source 2 operand type */
143 #define Src2Shift (31)
144 #define Src2None (OpNone << Src2Shift)
145 #define Src2Mem (OpMem << Src2Shift)
146 #define Src2CL (OpCL << Src2Shift)
147 #define Src2ImmByte (OpImmByte << Src2Shift)
148 #define Src2One (OpOne << Src2Shift)
149 #define Src2Imm (OpImm << Src2Shift)
150 #define Src2ES (OpES << Src2Shift)
151 #define Src2CS (OpCS << Src2Shift)
152 #define Src2SS (OpSS << Src2Shift)
153 #define Src2DS (OpDS << Src2Shift)
154 #define Src2FS (OpFS << Src2Shift)
155 #define Src2GS (OpGS << Src2Shift)
156 #define Src2Mask (OpMask << Src2Shift)
157 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
158 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
159 #define Unaligned ((u64)1 << 42) /* Explicitly unaligned (e.g. MOVDQU) */
160 #define Avx ((u64)1 << 43) /* Advanced Vector Extensions */
161 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
162 #define NoWrite ((u64)1 << 45) /* No writeback */
163 #define SrcWrite ((u64)1 << 46) /* Write back src operand */
165 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite)
167 #define X2(x...) x, x
168 #define X3(x...) X2(x), x
169 #define X4(x...) X2(x), X2(x)
170 #define X5(x...) X4(x), x
171 #define X6(x...) X4(x), X2(x)
172 #define X7(x...) X4(x), X3(x)
173 #define X8(x...) X4(x), X4(x)
174 #define X16(x...) X8(x), X8(x)
176 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
177 #define FASTOP_SIZE 8
180 * fastop functions have a special calling convention:
185 * flags: rflags (in/out)
186 * ex: rsi (in:fastop pointer, out:zero if exception)
188 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
189 * different operand sizes can be reached by calculation, rather than a jump
190 * table (which would be bigger than the code).
192 * fastop functions are declared as taking a never-defined fastop parameter,
193 * so they can't be called from C directly.
202 int (*execute)(struct x86_emulate_ctxt *ctxt);
203 const struct opcode *group;
204 const struct group_dual *gdual;
205 const struct gprefix *gprefix;
206 const struct escape *esc;
207 void (*fastop)(struct fastop *fake);
209 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
213 struct opcode mod012[8];
214 struct opcode mod3[8];
218 struct opcode pfx_no;
219 struct opcode pfx_66;
220 struct opcode pfx_f2;
221 struct opcode pfx_f3;
226 struct opcode high[64];
229 /* EFLAGS bit definitions. */
230 #define EFLG_ID (1<<21)
231 #define EFLG_VIP (1<<20)
232 #define EFLG_VIF (1<<19)
233 #define EFLG_AC (1<<18)
234 #define EFLG_VM (1<<17)
235 #define EFLG_RF (1<<16)
236 #define EFLG_IOPL (3<<12)
237 #define EFLG_NT (1<<14)
238 #define EFLG_OF (1<<11)
239 #define EFLG_DF (1<<10)
240 #define EFLG_IF (1<<9)
241 #define EFLG_TF (1<<8)
242 #define EFLG_SF (1<<7)
243 #define EFLG_ZF (1<<6)
244 #define EFLG_AF (1<<4)
245 #define EFLG_PF (1<<2)
246 #define EFLG_CF (1<<0)
248 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
249 #define EFLG_RESERVED_ONE_MASK 2
251 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
253 if (!(ctxt->regs_valid & (1 << nr))) {
254 ctxt->regs_valid |= 1 << nr;
255 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
257 return ctxt->_regs[nr];
260 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
262 ctxt->regs_valid |= 1 << nr;
263 ctxt->regs_dirty |= 1 << nr;
264 return &ctxt->_regs[nr];
267 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
270 return reg_write(ctxt, nr);
273 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
277 for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
278 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
281 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
283 ctxt->regs_dirty = 0;
284 ctxt->regs_valid = 0;
288 * These EFLAGS bits are restored from saved value during emulation, and
289 * any changes are written back to the saved value after emulation.
291 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
299 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *));
301 #define FOP_ALIGN ".align " __stringify(FASTOP_SIZE) " \n\t"
302 #define FOP_RET "ret \n\t"
304 #define FOP_START(op) \
305 extern void em_##op(struct fastop *fake); \
306 asm(".pushsection .text, \"ax\" \n\t" \
307 ".global em_" #op " \n\t" \
314 #define FOPNOP() FOP_ALIGN FOP_RET
316 #define FOP1E(op, dst) \
317 FOP_ALIGN "10: " #op " %" #dst " \n\t" FOP_RET
319 #define FOP1EEX(op, dst) \
320 FOP1E(op, dst) _ASM_EXTABLE(10b, kvm_fastop_exception)
322 #define FASTOP1(op) \
327 ON64(FOP1E(op##q, rax)) \
330 /* 1-operand, using src2 (for MUL/DIV r/m) */
331 #define FASTOP1SRC2(op, name) \
336 ON64(FOP1E(op, rcx)) \
339 /* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
340 #define FASTOP1SRC2EX(op, name) \
345 ON64(FOP1EEX(op, rcx)) \
348 #define FOP2E(op, dst, src) \
349 FOP_ALIGN #op " %" #src ", %" #dst " \n\t" FOP_RET
351 #define FASTOP2(op) \
353 FOP2E(op##b, al, dl) \
354 FOP2E(op##w, ax, dx) \
355 FOP2E(op##l, eax, edx) \
356 ON64(FOP2E(op##q, rax, rdx)) \
359 /* 2 operand, word only */
360 #define FASTOP2W(op) \
363 FOP2E(op##w, ax, dx) \
364 FOP2E(op##l, eax, edx) \
365 ON64(FOP2E(op##q, rax, rdx)) \
368 /* 2 operand, src is CL */
369 #define FASTOP2CL(op) \
371 FOP2E(op##b, al, cl) \
372 FOP2E(op##w, ax, cl) \
373 FOP2E(op##l, eax, cl) \
374 ON64(FOP2E(op##q, rax, cl)) \
377 #define FOP3E(op, dst, src, src2) \
378 FOP_ALIGN #op " %" #src2 ", %" #src ", %" #dst " \n\t" FOP_RET
380 /* 3-operand, word-only, src2=cl */
381 #define FASTOP3WCL(op) \
384 FOP3E(op##w, ax, dx, cl) \
385 FOP3E(op##l, eax, edx, cl) \
386 ON64(FOP3E(op##q, rax, rdx, cl)) \
389 /* Special case for SETcc - 1 instruction per cc */
390 #define FOP_SETCC(op) ".align 4; " #op " %al; ret \n\t"
392 asm(".global kvm_fastop_exception \n"
393 "kvm_fastop_exception: xor %esi, %esi; ret");
414 FOP_START(salc) "pushf; sbb %al, %al; popf \n\t" FOP_RET
417 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
418 enum x86_intercept intercept,
419 enum x86_intercept_stage stage)
421 struct x86_instruction_info info = {
422 .intercept = intercept,
423 .rep_prefix = ctxt->rep_prefix,
424 .modrm_mod = ctxt->modrm_mod,
425 .modrm_reg = ctxt->modrm_reg,
426 .modrm_rm = ctxt->modrm_rm,
427 .src_val = ctxt->src.val64,
428 .src_bytes = ctxt->src.bytes,
429 .dst_bytes = ctxt->dst.bytes,
430 .ad_bytes = ctxt->ad_bytes,
431 .next_rip = ctxt->eip,
434 return ctxt->ops->intercept(ctxt, &info, stage);
437 static void assign_masked(ulong *dest, ulong src, ulong mask)
439 *dest = (*dest & ~mask) | (src & mask);
442 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
444 return (1UL << (ctxt->ad_bytes << 3)) - 1;
447 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
450 struct desc_struct ss;
452 if (ctxt->mode == X86EMUL_MODE_PROT64)
454 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
455 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
458 static int stack_size(struct x86_emulate_ctxt *ctxt)
460 return (__fls(stack_mask(ctxt)) + 1) >> 3;
463 /* Access/update address held in a register, based on addressing mode. */
464 static inline unsigned long
465 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
467 if (ctxt->ad_bytes == sizeof(unsigned long))
470 return reg & ad_mask(ctxt);
473 static inline unsigned long
474 register_address(struct x86_emulate_ctxt *ctxt, unsigned long reg)
476 return address_mask(ctxt, reg);
479 static void masked_increment(ulong *reg, ulong mask, int inc)
481 assign_masked(reg, *reg + inc, mask);
485 register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, int inc)
489 if (ctxt->ad_bytes == sizeof(unsigned long))
492 mask = ad_mask(ctxt);
493 masked_increment(reg, mask, inc);
496 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
498 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
501 static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
503 register_address_increment(ctxt, &ctxt->_eip, rel);
506 static u32 desc_limit_scaled(struct desc_struct *desc)
508 u32 limit = get_desc_limit(desc);
510 return desc->g ? (limit << 12) | 0xfff : limit;
513 static void set_seg_override(struct x86_emulate_ctxt *ctxt, int seg)
515 ctxt->has_seg_override = true;
516 ctxt->seg_override = seg;
519 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
521 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
524 return ctxt->ops->get_cached_segment_base(ctxt, seg);
527 static unsigned seg_override(struct x86_emulate_ctxt *ctxt)
529 if (!ctxt->has_seg_override)
532 return ctxt->seg_override;
535 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
536 u32 error, bool valid)
538 ctxt->exception.vector = vec;
539 ctxt->exception.error_code = error;
540 ctxt->exception.error_code_valid = valid;
541 return X86EMUL_PROPAGATE_FAULT;
544 static int emulate_db(struct x86_emulate_ctxt *ctxt)
546 return emulate_exception(ctxt, DB_VECTOR, 0, false);
549 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
551 return emulate_exception(ctxt, GP_VECTOR, err, true);
554 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
556 return emulate_exception(ctxt, SS_VECTOR, err, true);
559 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
561 return emulate_exception(ctxt, UD_VECTOR, 0, false);
564 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
566 return emulate_exception(ctxt, TS_VECTOR, err, true);
569 static int emulate_de(struct x86_emulate_ctxt *ctxt)
571 return emulate_exception(ctxt, DE_VECTOR, 0, false);
574 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
576 return emulate_exception(ctxt, NM_VECTOR, 0, false);
579 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
582 struct desc_struct desc;
584 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
588 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
593 struct desc_struct desc;
595 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
596 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
600 * x86 defines three classes of vector instructions: explicitly
601 * aligned, explicitly unaligned, and the rest, which change behaviour
602 * depending on whether they're AVX encoded or not.
604 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
605 * subject to the same check.
607 static bool insn_aligned(struct x86_emulate_ctxt *ctxt, unsigned size)
609 if (likely(size < 16))
612 if (ctxt->d & Aligned)
614 else if (ctxt->d & Unaligned)
616 else if (ctxt->d & Avx)
622 static int __linearize(struct x86_emulate_ctxt *ctxt,
623 struct segmented_address addr,
624 unsigned size, bool write, bool fetch,
627 struct desc_struct desc;
634 la = seg_base(ctxt, addr.seg) + addr.ea;
635 switch (ctxt->mode) {
636 case X86EMUL_MODE_PROT64:
637 if (((signed long)la << 16) >> 16 != la)
638 return emulate_gp(ctxt, 0);
641 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
645 /* code segment in protected mode or read-only data segment */
646 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
647 || !(desc.type & 2)) && write)
649 /* unreadable code segment */
650 if (!fetch && (desc.type & 8) && !(desc.type & 2))
652 lim = desc_limit_scaled(&desc);
653 if ((desc.type & 8) || !(desc.type & 4)) {
654 /* expand-up segment */
655 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
658 /* expand-down segment */
659 if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
661 lim = desc.d ? 0xffffffff : 0xffff;
662 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
665 cpl = ctxt->ops->cpl(ctxt);
666 if (!(desc.type & 8)) {
670 } else if ((desc.type & 8) && !(desc.type & 4)) {
671 /* nonconforming code segment */
674 } else if ((desc.type & 8) && (desc.type & 4)) {
675 /* conforming code segment */
681 if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : ctxt->ad_bytes != 8)
683 if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
684 return emulate_gp(ctxt, 0);
686 return X86EMUL_CONTINUE;
688 if (addr.seg == VCPU_SREG_SS)
689 return emulate_ss(ctxt, sel);
691 return emulate_gp(ctxt, sel);
694 static int linearize(struct x86_emulate_ctxt *ctxt,
695 struct segmented_address addr,
696 unsigned size, bool write,
699 return __linearize(ctxt, addr, size, write, false, linear);
703 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
704 struct segmented_address addr,
711 rc = linearize(ctxt, addr, size, false, &linear);
712 if (rc != X86EMUL_CONTINUE)
714 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
718 * Fetch the next byte of the instruction being emulated which is pointed to
719 * by ctxt->_eip, then increment ctxt->_eip.
721 * Also prefetch the remaining bytes of the instruction without crossing page
722 * boundary if they are not in fetch_cache yet.
724 static int do_insn_fetch_byte(struct x86_emulate_ctxt *ctxt, u8 *dest)
726 struct fetch_cache *fc = &ctxt->fetch;
730 if (ctxt->_eip == fc->end) {
731 unsigned long linear;
732 struct segmented_address addr = { .seg = VCPU_SREG_CS,
734 cur_size = fc->end - fc->start;
735 size = min(15UL - cur_size,
736 PAGE_SIZE - offset_in_page(ctxt->_eip));
737 rc = __linearize(ctxt, addr, size, false, true, &linear);
738 if (unlikely(rc != X86EMUL_CONTINUE))
740 rc = ctxt->ops->fetch(ctxt, linear, fc->data + cur_size,
741 size, &ctxt->exception);
742 if (unlikely(rc != X86EMUL_CONTINUE))
746 *dest = fc->data[ctxt->_eip - fc->start];
748 return X86EMUL_CONTINUE;
751 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
752 void *dest, unsigned size)
756 /* x86 instructions are limited to 15 bytes. */
757 if (unlikely(ctxt->_eip + size - ctxt->eip > 15))
758 return X86EMUL_UNHANDLEABLE;
760 rc = do_insn_fetch_byte(ctxt, dest++);
761 if (rc != X86EMUL_CONTINUE)
764 return X86EMUL_CONTINUE;
767 /* Fetch next part of the instruction being emulated. */
768 #define insn_fetch(_type, _ctxt) \
769 ({ unsigned long _x; \
770 rc = do_insn_fetch(_ctxt, &_x, sizeof(_type)); \
771 if (rc != X86EMUL_CONTINUE) \
776 #define insn_fetch_arr(_arr, _size, _ctxt) \
777 ({ rc = do_insn_fetch(_ctxt, _arr, (_size)); \
778 if (rc != X86EMUL_CONTINUE) \
783 * Given the 'reg' portion of a ModRM byte, and a register block, return a
784 * pointer into the block that addresses the relevant register.
785 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
787 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
791 int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
793 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
794 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
796 p = reg_rmw(ctxt, modrm_reg);
800 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
801 struct segmented_address addr,
802 u16 *size, unsigned long *address, int op_bytes)
809 rc = segmented_read_std(ctxt, addr, size, 2);
810 if (rc != X86EMUL_CONTINUE)
813 rc = segmented_read_std(ctxt, addr, address, op_bytes);
827 FASTOP1SRC2(mul, mul_ex);
828 FASTOP1SRC2(imul, imul_ex);
829 FASTOP1SRC2EX(div, div_ex);
830 FASTOP1SRC2EX(idiv, idiv_ex);
859 static u8 test_cc(unsigned int condition, unsigned long flags)
862 void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
864 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
865 asm("push %[flags]; popf; call *%[fastop]"
866 : "=a"(rc) : [fastop]"r"(fop), [flags]"r"(flags));
870 static void fetch_register_operand(struct operand *op)
874 op->val = *(u8 *)op->addr.reg;
877 op->val = *(u16 *)op->addr.reg;
880 op->val = *(u32 *)op->addr.reg;
883 op->val = *(u64 *)op->addr.reg;
888 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
890 ctxt->ops->get_fpu(ctxt);
892 case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
893 case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
894 case 2: asm("movdqa %%xmm2, %0" : "=m"(*data)); break;
895 case 3: asm("movdqa %%xmm3, %0" : "=m"(*data)); break;
896 case 4: asm("movdqa %%xmm4, %0" : "=m"(*data)); break;
897 case 5: asm("movdqa %%xmm5, %0" : "=m"(*data)); break;
898 case 6: asm("movdqa %%xmm6, %0" : "=m"(*data)); break;
899 case 7: asm("movdqa %%xmm7, %0" : "=m"(*data)); break;
901 case 8: asm("movdqa %%xmm8, %0" : "=m"(*data)); break;
902 case 9: asm("movdqa %%xmm9, %0" : "=m"(*data)); break;
903 case 10: asm("movdqa %%xmm10, %0" : "=m"(*data)); break;
904 case 11: asm("movdqa %%xmm11, %0" : "=m"(*data)); break;
905 case 12: asm("movdqa %%xmm12, %0" : "=m"(*data)); break;
906 case 13: asm("movdqa %%xmm13, %0" : "=m"(*data)); break;
907 case 14: asm("movdqa %%xmm14, %0" : "=m"(*data)); break;
908 case 15: asm("movdqa %%xmm15, %0" : "=m"(*data)); break;
912 ctxt->ops->put_fpu(ctxt);
915 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
918 ctxt->ops->get_fpu(ctxt);
920 case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
921 case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
922 case 2: asm("movdqa %0, %%xmm2" : : "m"(*data)); break;
923 case 3: asm("movdqa %0, %%xmm3" : : "m"(*data)); break;
924 case 4: asm("movdqa %0, %%xmm4" : : "m"(*data)); break;
925 case 5: asm("movdqa %0, %%xmm5" : : "m"(*data)); break;
926 case 6: asm("movdqa %0, %%xmm6" : : "m"(*data)); break;
927 case 7: asm("movdqa %0, %%xmm7" : : "m"(*data)); break;
929 case 8: asm("movdqa %0, %%xmm8" : : "m"(*data)); break;
930 case 9: asm("movdqa %0, %%xmm9" : : "m"(*data)); break;
931 case 10: asm("movdqa %0, %%xmm10" : : "m"(*data)); break;
932 case 11: asm("movdqa %0, %%xmm11" : : "m"(*data)); break;
933 case 12: asm("movdqa %0, %%xmm12" : : "m"(*data)); break;
934 case 13: asm("movdqa %0, %%xmm13" : : "m"(*data)); break;
935 case 14: asm("movdqa %0, %%xmm14" : : "m"(*data)); break;
936 case 15: asm("movdqa %0, %%xmm15" : : "m"(*data)); break;
940 ctxt->ops->put_fpu(ctxt);
943 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
945 ctxt->ops->get_fpu(ctxt);
947 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
948 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
949 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
950 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
951 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
952 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
953 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
954 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
957 ctxt->ops->put_fpu(ctxt);
960 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
962 ctxt->ops->get_fpu(ctxt);
964 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
965 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
966 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
967 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
968 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
969 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
970 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
971 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
974 ctxt->ops->put_fpu(ctxt);
977 static int em_fninit(struct x86_emulate_ctxt *ctxt)
979 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
980 return emulate_nm(ctxt);
982 ctxt->ops->get_fpu(ctxt);
983 asm volatile("fninit");
984 ctxt->ops->put_fpu(ctxt);
985 return X86EMUL_CONTINUE;
988 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
992 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
993 return emulate_nm(ctxt);
995 ctxt->ops->get_fpu(ctxt);
996 asm volatile("fnstcw %0": "+m"(fcw));
997 ctxt->ops->put_fpu(ctxt);
999 /* force 2 byte destination */
1000 ctxt->dst.bytes = 2;
1001 ctxt->dst.val = fcw;
1003 return X86EMUL_CONTINUE;
1006 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1010 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1011 return emulate_nm(ctxt);
1013 ctxt->ops->get_fpu(ctxt);
1014 asm volatile("fnstsw %0": "+m"(fsw));
1015 ctxt->ops->put_fpu(ctxt);
1017 /* force 2 byte destination */
1018 ctxt->dst.bytes = 2;
1019 ctxt->dst.val = fsw;
1021 return X86EMUL_CONTINUE;
1024 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1027 unsigned reg = ctxt->modrm_reg;
1029 if (!(ctxt->d & ModRM))
1030 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1032 if (ctxt->d & Sse) {
1036 read_sse_reg(ctxt, &op->vec_val, reg);
1039 if (ctxt->d & Mmx) {
1048 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1049 op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1051 fetch_register_operand(op);
1052 op->orig_val = op->val;
1055 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1057 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1058 ctxt->modrm_seg = VCPU_SREG_SS;
1061 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1065 int index_reg = 0, base_reg = 0, scale;
1066 int rc = X86EMUL_CONTINUE;
1069 if (ctxt->rex_prefix) {
1070 ctxt->modrm_reg = (ctxt->rex_prefix & 4) << 1; /* REX.R */
1071 index_reg = (ctxt->rex_prefix & 2) << 2; /* REX.X */
1072 ctxt->modrm_rm = base_reg = (ctxt->rex_prefix & 1) << 3; /* REG.B */
1075 ctxt->modrm_mod |= (ctxt->modrm & 0xc0) >> 6;
1076 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1077 ctxt->modrm_rm |= (ctxt->modrm & 0x07);
1078 ctxt->modrm_seg = VCPU_SREG_DS;
1080 if (ctxt->modrm_mod == 3) {
1082 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1083 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1085 if (ctxt->d & Sse) {
1088 op->addr.xmm = ctxt->modrm_rm;
1089 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
1092 if (ctxt->d & Mmx) {
1095 op->addr.xmm = ctxt->modrm_rm & 7;
1098 fetch_register_operand(op);
1104 if (ctxt->ad_bytes == 2) {
1105 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1106 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1107 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1108 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1110 /* 16-bit ModR/M decode. */
1111 switch (ctxt->modrm_mod) {
1113 if (ctxt->modrm_rm == 6)
1114 modrm_ea += insn_fetch(u16, ctxt);
1117 modrm_ea += insn_fetch(s8, ctxt);
1120 modrm_ea += insn_fetch(u16, ctxt);
1123 switch (ctxt->modrm_rm) {
1125 modrm_ea += bx + si;
1128 modrm_ea += bx + di;
1131 modrm_ea += bp + si;
1134 modrm_ea += bp + di;
1143 if (ctxt->modrm_mod != 0)
1150 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1151 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1152 ctxt->modrm_seg = VCPU_SREG_SS;
1153 modrm_ea = (u16)modrm_ea;
1155 /* 32/64-bit ModR/M decode. */
1156 if ((ctxt->modrm_rm & 7) == 4) {
1157 sib = insn_fetch(u8, ctxt);
1158 index_reg |= (sib >> 3) & 7;
1159 base_reg |= sib & 7;
1162 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1163 modrm_ea += insn_fetch(s32, ctxt);
1165 modrm_ea += reg_read(ctxt, base_reg);
1166 adjust_modrm_seg(ctxt, base_reg);
1169 modrm_ea += reg_read(ctxt, index_reg) << scale;
1170 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1171 if (ctxt->mode == X86EMUL_MODE_PROT64)
1172 ctxt->rip_relative = 1;
1174 base_reg = ctxt->modrm_rm;
1175 modrm_ea += reg_read(ctxt, base_reg);
1176 adjust_modrm_seg(ctxt, base_reg);
1178 switch (ctxt->modrm_mod) {
1180 if (ctxt->modrm_rm == 5)
1181 modrm_ea += insn_fetch(s32, ctxt);
1184 modrm_ea += insn_fetch(s8, ctxt);
1187 modrm_ea += insn_fetch(s32, ctxt);
1191 op->addr.mem.ea = modrm_ea;
1196 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1199 int rc = X86EMUL_CONTINUE;
1202 switch (ctxt->ad_bytes) {
1204 op->addr.mem.ea = insn_fetch(u16, ctxt);
1207 op->addr.mem.ea = insn_fetch(u32, ctxt);
1210 op->addr.mem.ea = insn_fetch(u64, ctxt);
1217 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1221 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1222 mask = ~(ctxt->dst.bytes * 8 - 1);
1224 if (ctxt->src.bytes == 2)
1225 sv = (s16)ctxt->src.val & (s16)mask;
1226 else if (ctxt->src.bytes == 4)
1227 sv = (s32)ctxt->src.val & (s32)mask;
1229 ctxt->dst.addr.mem.ea += (sv >> 3);
1232 /* only subword offset */
1233 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1236 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1237 unsigned long addr, void *dest, unsigned size)
1240 struct read_cache *mc = &ctxt->mem_read;
1242 if (mc->pos < mc->end)
1245 WARN_ON((mc->end + size) >= sizeof(mc->data));
1247 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1249 if (rc != X86EMUL_CONTINUE)
1255 memcpy(dest, mc->data + mc->pos, size);
1257 return X86EMUL_CONTINUE;
1260 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1261 struct segmented_address addr,
1268 rc = linearize(ctxt, addr, size, false, &linear);
1269 if (rc != X86EMUL_CONTINUE)
1271 return read_emulated(ctxt, linear, data, size);
1274 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1275 struct segmented_address addr,
1282 rc = linearize(ctxt, addr, size, true, &linear);
1283 if (rc != X86EMUL_CONTINUE)
1285 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1289 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1290 struct segmented_address addr,
1291 const void *orig_data, const void *data,
1297 rc = linearize(ctxt, addr, size, true, &linear);
1298 if (rc != X86EMUL_CONTINUE)
1300 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1301 size, &ctxt->exception);
1304 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1305 unsigned int size, unsigned short port,
1308 struct read_cache *rc = &ctxt->io_read;
1310 if (rc->pos == rc->end) { /* refill pio read ahead */
1311 unsigned int in_page, n;
1312 unsigned int count = ctxt->rep_prefix ?
1313 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1314 in_page = (ctxt->eflags & EFLG_DF) ?
1315 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1316 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1317 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1321 rc->pos = rc->end = 0;
1322 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1327 if (ctxt->rep_prefix && (ctxt->d & String) &&
1328 !(ctxt->eflags & EFLG_DF)) {
1329 ctxt->dst.data = rc->data + rc->pos;
1330 ctxt->dst.type = OP_MEM_STR;
1331 ctxt->dst.count = (rc->end - rc->pos) / size;
1334 memcpy(dest, rc->data + rc->pos, size);
1340 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1341 u16 index, struct desc_struct *desc)
1346 ctxt->ops->get_idt(ctxt, &dt);
1348 if (dt.size < index * 8 + 7)
1349 return emulate_gp(ctxt, index << 3 | 0x2);
1351 addr = dt.address + index * 8;
1352 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1356 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1357 u16 selector, struct desc_ptr *dt)
1359 const struct x86_emulate_ops *ops = ctxt->ops;
1361 if (selector & 1 << 2) {
1362 struct desc_struct desc;
1365 memset (dt, 0, sizeof *dt);
1366 if (!ops->get_segment(ctxt, &sel, &desc, NULL, VCPU_SREG_LDTR))
1369 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1370 dt->address = get_desc_base(&desc);
1372 ops->get_gdt(ctxt, dt);
1375 /* allowed just for 8 bytes segments */
1376 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1377 u16 selector, struct desc_struct *desc,
1381 u16 index = selector >> 3;
1384 get_descriptor_table_ptr(ctxt, selector, &dt);
1386 if (dt.size < index * 8 + 7)
1387 return emulate_gp(ctxt, selector & 0xfffc);
1389 *desc_addr_p = addr = dt.address + index * 8;
1390 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1394 /* allowed just for 8 bytes segments */
1395 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1396 u16 selector, struct desc_struct *desc)
1399 u16 index = selector >> 3;
1402 get_descriptor_table_ptr(ctxt, selector, &dt);
1404 if (dt.size < index * 8 + 7)
1405 return emulate_gp(ctxt, selector & 0xfffc);
1407 addr = dt.address + index * 8;
1408 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1412 /* Does not support long mode */
1413 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1414 u16 selector, int seg, u8 cpl, bool in_task_switch)
1416 struct desc_struct seg_desc, old_desc;
1418 unsigned err_vec = GP_VECTOR;
1420 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1425 memset(&seg_desc, 0, sizeof seg_desc);
1427 if (ctxt->mode == X86EMUL_MODE_REAL) {
1428 /* set real mode segment descriptor (keep limit etc. for
1430 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1431 set_desc_base(&seg_desc, selector << 4);
1433 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1434 /* VM86 needs a clean new segment descriptor */
1435 set_desc_base(&seg_desc, selector << 4);
1436 set_desc_limit(&seg_desc, 0xffff);
1446 /* NULL selector is not valid for TR, CS and SS (except for long mode) */
1447 if ((seg == VCPU_SREG_CS
1448 || (seg == VCPU_SREG_SS
1449 && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
1450 || seg == VCPU_SREG_TR)
1454 /* TR should be in GDT only */
1455 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1458 if (null_selector) /* for NULL selector skip all following checks */
1461 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1462 if (ret != X86EMUL_CONTINUE)
1465 err_code = selector & 0xfffc;
1466 err_vec = GP_VECTOR;
1468 /* can't load system descriptor into segment selector */
1469 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1473 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1482 * segment is not a writable data segment or segment
1483 * selector's RPL != CPL or segment selector's RPL != CPL
1485 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1489 if (in_task_switch && rpl != dpl)
1492 if (!(seg_desc.type & 8))
1495 if (seg_desc.type & 4) {
1501 if (rpl > cpl || dpl != cpl)
1504 /* CS(RPL) <- CPL */
1505 selector = (selector & 0xfffc) | cpl;
1508 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1510 old_desc = seg_desc;
1511 seg_desc.type |= 2; /* busy */
1512 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1513 sizeof(seg_desc), &ctxt->exception);
1514 if (ret != X86EMUL_CONTINUE)
1517 case VCPU_SREG_LDTR:
1518 if (seg_desc.s || seg_desc.type != 2)
1521 default: /* DS, ES, FS, or GS */
1523 * segment is not a data or readable code segment or
1524 * ((segment is a data or nonconforming code segment)
1525 * and (both RPL and CPL > DPL))
1527 if ((seg_desc.type & 0xa) == 0x8 ||
1528 (((seg_desc.type & 0xc) != 0xc) &&
1529 (rpl > dpl && cpl > dpl)))
1535 /* mark segment as accessed */
1537 ret = write_segment_descriptor(ctxt, selector, &seg_desc);
1538 if (ret != X86EMUL_CONTINUE)
1542 ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
1543 return X86EMUL_CONTINUE;
1545 emulate_exception(ctxt, err_vec, err_code, true);
1546 return X86EMUL_PROPAGATE_FAULT;
1549 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1550 u16 selector, int seg)
1552 u8 cpl = ctxt->ops->cpl(ctxt);
1553 return __load_segment_descriptor(ctxt, selector, seg, cpl, false);
1556 static void write_register_operand(struct operand *op)
1558 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1559 switch (op->bytes) {
1561 *(u8 *)op->addr.reg = (u8)op->val;
1564 *(u16 *)op->addr.reg = (u16)op->val;
1567 *op->addr.reg = (u32)op->val;
1568 break; /* 64b: zero-extend */
1570 *op->addr.reg = op->val;
1575 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1581 write_register_operand(op);
1584 if (ctxt->lock_prefix)
1585 rc = segmented_cmpxchg(ctxt,
1591 rc = segmented_write(ctxt,
1595 if (rc != X86EMUL_CONTINUE)
1599 rc = segmented_write(ctxt,
1602 op->bytes * op->count);
1603 if (rc != X86EMUL_CONTINUE)
1607 write_sse_reg(ctxt, &op->vec_val, op->addr.xmm);
1610 write_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
1618 return X86EMUL_CONTINUE;
1621 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1623 struct segmented_address addr;
1625 rsp_increment(ctxt, -bytes);
1626 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1627 addr.seg = VCPU_SREG_SS;
1629 return segmented_write(ctxt, addr, data, bytes);
1632 static int em_push(struct x86_emulate_ctxt *ctxt)
1634 /* Disable writeback. */
1635 ctxt->dst.type = OP_NONE;
1636 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1639 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1640 void *dest, int len)
1643 struct segmented_address addr;
1645 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1646 addr.seg = VCPU_SREG_SS;
1647 rc = segmented_read(ctxt, addr, dest, len);
1648 if (rc != X86EMUL_CONTINUE)
1651 rsp_increment(ctxt, len);
1655 static int em_pop(struct x86_emulate_ctxt *ctxt)
1657 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1660 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1661 void *dest, int len)
1664 unsigned long val, change_mask;
1665 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1666 int cpl = ctxt->ops->cpl(ctxt);
1668 rc = emulate_pop(ctxt, &val, len);
1669 if (rc != X86EMUL_CONTINUE)
1672 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1673 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1675 switch(ctxt->mode) {
1676 case X86EMUL_MODE_PROT64:
1677 case X86EMUL_MODE_PROT32:
1678 case X86EMUL_MODE_PROT16:
1680 change_mask |= EFLG_IOPL;
1682 change_mask |= EFLG_IF;
1684 case X86EMUL_MODE_VM86:
1686 return emulate_gp(ctxt, 0);
1687 change_mask |= EFLG_IF;
1689 default: /* real mode */
1690 change_mask |= (EFLG_IOPL | EFLG_IF);
1694 *(unsigned long *)dest =
1695 (ctxt->eflags & ~change_mask) | (val & change_mask);
1700 static int em_popf(struct x86_emulate_ctxt *ctxt)
1702 ctxt->dst.type = OP_REG;
1703 ctxt->dst.addr.reg = &ctxt->eflags;
1704 ctxt->dst.bytes = ctxt->op_bytes;
1705 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1708 static int em_enter(struct x86_emulate_ctxt *ctxt)
1711 unsigned frame_size = ctxt->src.val;
1712 unsigned nesting_level = ctxt->src2.val & 31;
1716 return X86EMUL_UNHANDLEABLE;
1718 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1719 rc = push(ctxt, &rbp, stack_size(ctxt));
1720 if (rc != X86EMUL_CONTINUE)
1722 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1724 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1725 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1727 return X86EMUL_CONTINUE;
1730 static int em_leave(struct x86_emulate_ctxt *ctxt)
1732 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1734 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1737 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1739 int seg = ctxt->src2.val;
1741 ctxt->src.val = get_segment_selector(ctxt, seg);
1743 return em_push(ctxt);
1746 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1748 int seg = ctxt->src2.val;
1749 unsigned long selector;
1752 rc = emulate_pop(ctxt, &selector, ctxt->op_bytes);
1753 if (rc != X86EMUL_CONTINUE)
1756 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1760 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1762 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1763 int rc = X86EMUL_CONTINUE;
1764 int reg = VCPU_REGS_RAX;
1766 while (reg <= VCPU_REGS_RDI) {
1767 (reg == VCPU_REGS_RSP) ?
1768 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1771 if (rc != X86EMUL_CONTINUE)
1780 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1782 ctxt->src.val = (unsigned long)ctxt->eflags;
1783 return em_push(ctxt);
1786 static int em_popa(struct x86_emulate_ctxt *ctxt)
1788 int rc = X86EMUL_CONTINUE;
1789 int reg = VCPU_REGS_RDI;
1791 while (reg >= VCPU_REGS_RAX) {
1792 if (reg == VCPU_REGS_RSP) {
1793 rsp_increment(ctxt, ctxt->op_bytes);
1797 rc = emulate_pop(ctxt, reg_rmw(ctxt, reg), ctxt->op_bytes);
1798 if (rc != X86EMUL_CONTINUE)
1805 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1807 const struct x86_emulate_ops *ops = ctxt->ops;
1814 /* TODO: Add limit checks */
1815 ctxt->src.val = ctxt->eflags;
1817 if (rc != X86EMUL_CONTINUE)
1820 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1822 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
1824 if (rc != X86EMUL_CONTINUE)
1827 ctxt->src.val = ctxt->_eip;
1829 if (rc != X86EMUL_CONTINUE)
1832 ops->get_idt(ctxt, &dt);
1834 eip_addr = dt.address + (irq << 2);
1835 cs_addr = dt.address + (irq << 2) + 2;
1837 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
1838 if (rc != X86EMUL_CONTINUE)
1841 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
1842 if (rc != X86EMUL_CONTINUE)
1845 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
1846 if (rc != X86EMUL_CONTINUE)
1854 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1858 invalidate_registers(ctxt);
1859 rc = __emulate_int_real(ctxt, irq);
1860 if (rc == X86EMUL_CONTINUE)
1861 writeback_registers(ctxt);
1865 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
1867 switch(ctxt->mode) {
1868 case X86EMUL_MODE_REAL:
1869 return __emulate_int_real(ctxt, irq);
1870 case X86EMUL_MODE_VM86:
1871 case X86EMUL_MODE_PROT16:
1872 case X86EMUL_MODE_PROT32:
1873 case X86EMUL_MODE_PROT64:
1875 /* Protected mode interrupts unimplemented yet */
1876 return X86EMUL_UNHANDLEABLE;
1880 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
1882 int rc = X86EMUL_CONTINUE;
1883 unsigned long temp_eip = 0;
1884 unsigned long temp_eflags = 0;
1885 unsigned long cs = 0;
1886 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1887 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1888 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1889 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1891 /* TODO: Add stack limit check */
1893 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
1895 if (rc != X86EMUL_CONTINUE)
1898 if (temp_eip & ~0xffff)
1899 return emulate_gp(ctxt, 0);
1901 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
1903 if (rc != X86EMUL_CONTINUE)
1906 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
1908 if (rc != X86EMUL_CONTINUE)
1911 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1913 if (rc != X86EMUL_CONTINUE)
1916 ctxt->_eip = temp_eip;
1919 if (ctxt->op_bytes == 4)
1920 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1921 else if (ctxt->op_bytes == 2) {
1922 ctxt->eflags &= ~0xffff;
1923 ctxt->eflags |= temp_eflags;
1926 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1927 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1932 static int em_iret(struct x86_emulate_ctxt *ctxt)
1934 switch(ctxt->mode) {
1935 case X86EMUL_MODE_REAL:
1936 return emulate_iret_real(ctxt);
1937 case X86EMUL_MODE_VM86:
1938 case X86EMUL_MODE_PROT16:
1939 case X86EMUL_MODE_PROT32:
1940 case X86EMUL_MODE_PROT64:
1942 /* iret from protected mode unimplemented yet */
1943 return X86EMUL_UNHANDLEABLE;
1947 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
1952 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
1954 rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
1955 if (rc != X86EMUL_CONTINUE)
1959 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
1960 return X86EMUL_CONTINUE;
1963 static int em_grp45(struct x86_emulate_ctxt *ctxt)
1965 int rc = X86EMUL_CONTINUE;
1967 switch (ctxt->modrm_reg) {
1968 case 2: /* call near abs */ {
1970 old_eip = ctxt->_eip;
1971 ctxt->_eip = ctxt->src.val;
1972 ctxt->src.val = old_eip;
1976 case 4: /* jmp abs */
1977 ctxt->_eip = ctxt->src.val;
1979 case 5: /* jmp far */
1980 rc = em_jmp_far(ctxt);
1989 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
1991 u64 old = ctxt->dst.orig_val64;
1993 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
1994 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
1995 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
1996 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
1997 ctxt->eflags &= ~EFLG_ZF;
1999 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2000 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2002 ctxt->eflags |= EFLG_ZF;
2004 return X86EMUL_CONTINUE;
2007 static int em_ret(struct x86_emulate_ctxt *ctxt)
2009 ctxt->dst.type = OP_REG;
2010 ctxt->dst.addr.reg = &ctxt->_eip;
2011 ctxt->dst.bytes = ctxt->op_bytes;
2012 return em_pop(ctxt);
2015 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2020 rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
2021 if (rc != X86EMUL_CONTINUE)
2023 if (ctxt->op_bytes == 4)
2024 ctxt->_eip = (u32)ctxt->_eip;
2025 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2026 if (rc != X86EMUL_CONTINUE)
2028 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2032 static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2036 rc = em_ret_far(ctxt);
2037 if (rc != X86EMUL_CONTINUE)
2039 rsp_increment(ctxt, ctxt->src.val);
2040 return X86EMUL_CONTINUE;
2043 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2045 /* Save real source value, then compare EAX against destination. */
2046 ctxt->src.orig_val = ctxt->src.val;
2047 ctxt->src.val = reg_read(ctxt, VCPU_REGS_RAX);
2048 fastop(ctxt, em_cmp);
2050 if (ctxt->eflags & EFLG_ZF) {
2051 /* Success: write back to memory. */
2052 ctxt->dst.val = ctxt->src.orig_val;
2054 /* Failure: write the value we saw to EAX. */
2055 ctxt->dst.type = OP_REG;
2056 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2058 return X86EMUL_CONTINUE;
2061 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2063 int seg = ctxt->src2.val;
2067 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2069 rc = load_segment_descriptor(ctxt, sel, seg);
2070 if (rc != X86EMUL_CONTINUE)
2073 ctxt->dst.val = ctxt->src.val;
2078 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
2079 struct desc_struct *cs, struct desc_struct *ss)
2081 cs->l = 0; /* will be adjusted later */
2082 set_desc_base(cs, 0); /* flat segment */
2083 cs->g = 1; /* 4kb granularity */
2084 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2085 cs->type = 0x0b; /* Read, Execute, Accessed */
2087 cs->dpl = 0; /* will be adjusted later */
2092 set_desc_base(ss, 0); /* flat segment */
2093 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2094 ss->g = 1; /* 4kb granularity */
2096 ss->type = 0x03; /* Read/Write, Accessed */
2097 ss->d = 1; /* 32bit stack segment */
2104 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2106 u32 eax, ebx, ecx, edx;
2109 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2110 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
2111 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2112 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2115 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2117 const struct x86_emulate_ops *ops = ctxt->ops;
2118 u32 eax, ebx, ecx, edx;
2121 * syscall should always be enabled in longmode - so only become
2122 * vendor specific (cpuid) if other modes are active...
2124 if (ctxt->mode == X86EMUL_MODE_PROT64)
2129 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2131 * Intel ("GenuineIntel")
2132 * remark: Intel CPUs only support "syscall" in 64bit
2133 * longmode. Also an 64bit guest with a
2134 * 32bit compat-app running will #UD !! While this
2135 * behaviour can be fixed (by emulating) into AMD
2136 * response - CPUs of AMD can't behave like Intel.
2138 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2139 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2140 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2143 /* AMD ("AuthenticAMD") */
2144 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2145 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2146 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2149 /* AMD ("AMDisbetter!") */
2150 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2151 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2152 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2155 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2159 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2161 const struct x86_emulate_ops *ops = ctxt->ops;
2162 struct desc_struct cs, ss;
2167 /* syscall is not available in real mode */
2168 if (ctxt->mode == X86EMUL_MODE_REAL ||
2169 ctxt->mode == X86EMUL_MODE_VM86)
2170 return emulate_ud(ctxt);
2172 if (!(em_syscall_is_enabled(ctxt)))
2173 return emulate_ud(ctxt);
2175 ops->get_msr(ctxt, MSR_EFER, &efer);
2176 setup_syscalls_segments(ctxt, &cs, &ss);
2178 if (!(efer & EFER_SCE))
2179 return emulate_ud(ctxt);
2181 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2183 cs_sel = (u16)(msr_data & 0xfffc);
2184 ss_sel = (u16)(msr_data + 8);
2186 if (efer & EFER_LMA) {
2190 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2191 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2193 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2194 if (efer & EFER_LMA) {
2195 #ifdef CONFIG_X86_64
2196 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags & ~EFLG_RF;
2199 ctxt->mode == X86EMUL_MODE_PROT64 ?
2200 MSR_LSTAR : MSR_CSTAR, &msr_data);
2201 ctxt->_eip = msr_data;
2203 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2204 ctxt->eflags &= ~(msr_data | EFLG_RF);
2208 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2209 ctxt->_eip = (u32)msr_data;
2211 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2214 return X86EMUL_CONTINUE;
2217 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2219 const struct x86_emulate_ops *ops = ctxt->ops;
2220 struct desc_struct cs, ss;
2225 ops->get_msr(ctxt, MSR_EFER, &efer);
2226 /* inject #GP if in real mode */
2227 if (ctxt->mode == X86EMUL_MODE_REAL)
2228 return emulate_gp(ctxt, 0);
2231 * Not recognized on AMD in compat mode (but is recognized in legacy
2234 if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
2235 && !vendor_intel(ctxt))
2236 return emulate_ud(ctxt);
2238 /* XXX sysenter/sysexit have not been tested in 64bit mode.
2239 * Therefore, we inject an #UD.
2241 if (ctxt->mode == X86EMUL_MODE_PROT64)
2242 return emulate_ud(ctxt);
2244 setup_syscalls_segments(ctxt, &cs, &ss);
2246 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2247 switch (ctxt->mode) {
2248 case X86EMUL_MODE_PROT32:
2249 if ((msr_data & 0xfffc) == 0x0)
2250 return emulate_gp(ctxt, 0);
2252 case X86EMUL_MODE_PROT64:
2253 if (msr_data == 0x0)
2254 return emulate_gp(ctxt, 0);
2260 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2261 cs_sel = (u16)msr_data;
2262 cs_sel &= ~SELECTOR_RPL_MASK;
2263 ss_sel = cs_sel + 8;
2264 ss_sel &= ~SELECTOR_RPL_MASK;
2265 if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
2270 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2271 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2273 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2274 ctxt->_eip = msr_data;
2276 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2277 *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
2279 return X86EMUL_CONTINUE;
2282 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2284 const struct x86_emulate_ops *ops = ctxt->ops;
2285 struct desc_struct cs, ss;
2288 u16 cs_sel = 0, ss_sel = 0;
2290 /* inject #GP if in real mode or Virtual 8086 mode */
2291 if (ctxt->mode == X86EMUL_MODE_REAL ||
2292 ctxt->mode == X86EMUL_MODE_VM86)
2293 return emulate_gp(ctxt, 0);
2295 setup_syscalls_segments(ctxt, &cs, &ss);
2297 if ((ctxt->rex_prefix & 0x8) != 0x0)
2298 usermode = X86EMUL_MODE_PROT64;
2300 usermode = X86EMUL_MODE_PROT32;
2304 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2306 case X86EMUL_MODE_PROT32:
2307 cs_sel = (u16)(msr_data + 16);
2308 if ((msr_data & 0xfffc) == 0x0)
2309 return emulate_gp(ctxt, 0);
2310 ss_sel = (u16)(msr_data + 24);
2312 case X86EMUL_MODE_PROT64:
2313 cs_sel = (u16)(msr_data + 32);
2314 if (msr_data == 0x0)
2315 return emulate_gp(ctxt, 0);
2316 ss_sel = cs_sel + 8;
2321 cs_sel |= SELECTOR_RPL_MASK;
2322 ss_sel |= SELECTOR_RPL_MASK;
2324 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2325 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2327 ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX);
2328 *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX);
2330 return X86EMUL_CONTINUE;
2333 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2336 if (ctxt->mode == X86EMUL_MODE_REAL)
2338 if (ctxt->mode == X86EMUL_MODE_VM86)
2340 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2341 return ctxt->ops->cpl(ctxt) > iopl;
2344 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2347 const struct x86_emulate_ops *ops = ctxt->ops;
2348 struct desc_struct tr_seg;
2351 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2352 unsigned mask = (1 << len) - 1;
2355 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2358 if (desc_limit_scaled(&tr_seg) < 103)
2360 base = get_desc_base(&tr_seg);
2361 #ifdef CONFIG_X86_64
2362 base |= ((u64)base3) << 32;
2364 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2365 if (r != X86EMUL_CONTINUE)
2367 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2369 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2370 if (r != X86EMUL_CONTINUE)
2372 if ((perm >> bit_idx) & mask)
2377 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2383 if (emulator_bad_iopl(ctxt))
2384 if (!emulator_io_port_access_allowed(ctxt, port, len))
2387 ctxt->perm_ok = true;
2392 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2393 struct tss_segment_16 *tss)
2395 tss->ip = ctxt->_eip;
2396 tss->flag = ctxt->eflags;
2397 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2398 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2399 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2400 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2401 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2402 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2403 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2404 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2406 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2407 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2408 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2409 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2410 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2413 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2414 struct tss_segment_16 *tss)
2419 ctxt->_eip = tss->ip;
2420 ctxt->eflags = tss->flag | 2;
2421 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
2422 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
2423 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
2424 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
2425 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
2426 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
2427 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
2428 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
2431 * SDM says that segment selectors are loaded before segment
2434 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2435 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2436 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2437 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2438 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2443 * Now load segment descriptors. If fault happens at this stage
2444 * it is handled in a context of new task
2446 ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl, true);
2447 if (ret != X86EMUL_CONTINUE)
2449 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, true);
2450 if (ret != X86EMUL_CONTINUE)
2452 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, true);
2453 if (ret != X86EMUL_CONTINUE)
2455 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, true);
2456 if (ret != X86EMUL_CONTINUE)
2458 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, true);
2459 if (ret != X86EMUL_CONTINUE)
2462 return X86EMUL_CONTINUE;
2465 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2466 u16 tss_selector, u16 old_tss_sel,
2467 ulong old_tss_base, struct desc_struct *new_desc)
2469 const struct x86_emulate_ops *ops = ctxt->ops;
2470 struct tss_segment_16 tss_seg;
2472 u32 new_tss_base = get_desc_base(new_desc);
2474 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2476 if (ret != X86EMUL_CONTINUE)
2477 /* FIXME: need to provide precise fault address */
2480 save_state_to_tss16(ctxt, &tss_seg);
2482 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2484 if (ret != X86EMUL_CONTINUE)
2485 /* FIXME: need to provide precise fault address */
2488 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2490 if (ret != X86EMUL_CONTINUE)
2491 /* FIXME: need to provide precise fault address */
2494 if (old_tss_sel != 0xffff) {
2495 tss_seg.prev_task_link = old_tss_sel;
2497 ret = ops->write_std(ctxt, new_tss_base,
2498 &tss_seg.prev_task_link,
2499 sizeof tss_seg.prev_task_link,
2501 if (ret != X86EMUL_CONTINUE)
2502 /* FIXME: need to provide precise fault address */
2506 return load_state_from_tss16(ctxt, &tss_seg);
2509 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2510 struct tss_segment_32 *tss)
2512 /* CR3 and ldt selector are not saved intentionally */
2513 tss->eip = ctxt->_eip;
2514 tss->eflags = ctxt->eflags;
2515 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
2516 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
2517 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
2518 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
2519 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
2520 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
2521 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
2522 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
2524 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2525 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2526 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2527 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2528 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
2529 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
2532 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2533 struct tss_segment_32 *tss)
2538 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
2539 return emulate_gp(ctxt, 0);
2540 ctxt->_eip = tss->eip;
2541 ctxt->eflags = tss->eflags | 2;
2543 /* General purpose registers */
2544 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
2545 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
2546 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
2547 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
2548 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
2549 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
2550 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
2551 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
2554 * SDM says that segment selectors are loaded before segment
2555 * descriptors. This is important because CPL checks will
2558 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2559 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2560 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2561 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2562 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2563 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
2564 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
2567 * If we're switching between Protected Mode and VM86, we need to make
2568 * sure to update the mode before loading the segment descriptors so
2569 * that the selectors are interpreted correctly.
2571 if (ctxt->eflags & X86_EFLAGS_VM) {
2572 ctxt->mode = X86EMUL_MODE_VM86;
2575 ctxt->mode = X86EMUL_MODE_PROT32;
2580 * Now load segment descriptors. If fault happenes at this stage
2581 * it is handled in a context of new task
2583 ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR, cpl, true);
2584 if (ret != X86EMUL_CONTINUE)
2586 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, true);
2587 if (ret != X86EMUL_CONTINUE)
2589 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, true);
2590 if (ret != X86EMUL_CONTINUE)
2592 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, true);
2593 if (ret != X86EMUL_CONTINUE)
2595 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, true);
2596 if (ret != X86EMUL_CONTINUE)
2598 ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl, true);
2599 if (ret != X86EMUL_CONTINUE)
2601 ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl, true);
2602 if (ret != X86EMUL_CONTINUE)
2605 return X86EMUL_CONTINUE;
2608 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2609 u16 tss_selector, u16 old_tss_sel,
2610 ulong old_tss_base, struct desc_struct *new_desc)
2612 const struct x86_emulate_ops *ops = ctxt->ops;
2613 struct tss_segment_32 tss_seg;
2615 u32 new_tss_base = get_desc_base(new_desc);
2616 u32 eip_offset = offsetof(struct tss_segment_32, eip);
2617 u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
2619 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2621 if (ret != X86EMUL_CONTINUE)
2622 /* FIXME: need to provide precise fault address */
2625 save_state_to_tss32(ctxt, &tss_seg);
2627 /* Only GP registers and segment selectors are saved */
2628 ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
2629 ldt_sel_offset - eip_offset, &ctxt->exception);
2630 if (ret != X86EMUL_CONTINUE)
2631 /* FIXME: need to provide precise fault address */
2634 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2636 if (ret != X86EMUL_CONTINUE)
2637 /* FIXME: need to provide precise fault address */
2640 if (old_tss_sel != 0xffff) {
2641 tss_seg.prev_task_link = old_tss_sel;
2643 ret = ops->write_std(ctxt, new_tss_base,
2644 &tss_seg.prev_task_link,
2645 sizeof tss_seg.prev_task_link,
2647 if (ret != X86EMUL_CONTINUE)
2648 /* FIXME: need to provide precise fault address */
2652 return load_state_from_tss32(ctxt, &tss_seg);
2655 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2656 u16 tss_selector, int idt_index, int reason,
2657 bool has_error_code, u32 error_code)
2659 const struct x86_emulate_ops *ops = ctxt->ops;
2660 struct desc_struct curr_tss_desc, next_tss_desc;
2662 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
2663 ulong old_tss_base =
2664 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
2668 /* FIXME: old_tss_base == ~0 ? */
2670 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
2671 if (ret != X86EMUL_CONTINUE)
2673 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
2674 if (ret != X86EMUL_CONTINUE)
2677 /* FIXME: check that next_tss_desc is tss */
2680 * Check privileges. The three cases are task switch caused by...
2682 * 1. jmp/call/int to task gate: Check against DPL of the task gate
2683 * 2. Exception/IRQ/iret: No check is performed
2684 * 3. jmp/call to TSS: Check against DPL of the TSS
2686 if (reason == TASK_SWITCH_GATE) {
2687 if (idt_index != -1) {
2688 /* Software interrupts */
2689 struct desc_struct task_gate_desc;
2692 ret = read_interrupt_descriptor(ctxt, idt_index,
2694 if (ret != X86EMUL_CONTINUE)
2697 dpl = task_gate_desc.dpl;
2698 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2699 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
2701 } else if (reason != TASK_SWITCH_IRET) {
2702 int dpl = next_tss_desc.dpl;
2703 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2704 return emulate_gp(ctxt, tss_selector);
2708 desc_limit = desc_limit_scaled(&next_tss_desc);
2709 if (!next_tss_desc.p ||
2710 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2711 desc_limit < 0x2b)) {
2712 emulate_ts(ctxt, tss_selector & 0xfffc);
2713 return X86EMUL_PROPAGATE_FAULT;
2716 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2717 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2718 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2721 if (reason == TASK_SWITCH_IRET)
2722 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2724 /* set back link to prev task only if NT bit is set in eflags
2725 note that old_tss_sel is not used after this point */
2726 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2727 old_tss_sel = 0xffff;
2729 if (next_tss_desc.type & 8)
2730 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
2731 old_tss_base, &next_tss_desc);
2733 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
2734 old_tss_base, &next_tss_desc);
2735 if (ret != X86EMUL_CONTINUE)
2738 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2739 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2741 if (reason != TASK_SWITCH_IRET) {
2742 next_tss_desc.type |= (1 << 1); /* set busy flag */
2743 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2746 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
2747 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
2749 if (has_error_code) {
2750 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2751 ctxt->lock_prefix = 0;
2752 ctxt->src.val = (unsigned long) error_code;
2753 ret = em_push(ctxt);
2759 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2760 u16 tss_selector, int idt_index, int reason,
2761 bool has_error_code, u32 error_code)
2765 invalidate_registers(ctxt);
2766 ctxt->_eip = ctxt->eip;
2767 ctxt->dst.type = OP_NONE;
2769 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
2770 has_error_code, error_code);
2772 if (rc == X86EMUL_CONTINUE) {
2773 ctxt->eip = ctxt->_eip;
2774 writeback_registers(ctxt);
2777 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
2780 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
2783 int df = (ctxt->eflags & EFLG_DF) ? -op->count : op->count;
2785 register_address_increment(ctxt, reg_rmw(ctxt, reg), df * op->bytes);
2786 op->addr.mem.ea = register_address(ctxt, reg_read(ctxt, reg));
2789 static int em_das(struct x86_emulate_ctxt *ctxt)
2792 bool af, cf, old_cf;
2794 cf = ctxt->eflags & X86_EFLAGS_CF;
2800 af = ctxt->eflags & X86_EFLAGS_AF;
2801 if ((al & 0x0f) > 9 || af) {
2803 cf = old_cf | (al >= 250);
2808 if (old_al > 0x99 || old_cf) {
2814 /* Set PF, ZF, SF */
2815 ctxt->src.type = OP_IMM;
2817 ctxt->src.bytes = 1;
2818 fastop(ctxt, em_or);
2819 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2821 ctxt->eflags |= X86_EFLAGS_CF;
2823 ctxt->eflags |= X86_EFLAGS_AF;
2824 return X86EMUL_CONTINUE;
2827 static int em_aam(struct x86_emulate_ctxt *ctxt)
2831 if (ctxt->src.val == 0)
2832 return emulate_de(ctxt);
2834 al = ctxt->dst.val & 0xff;
2835 ah = al / ctxt->src.val;
2836 al %= ctxt->src.val;
2838 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
2840 /* Set PF, ZF, SF */
2841 ctxt->src.type = OP_IMM;
2843 ctxt->src.bytes = 1;
2844 fastop(ctxt, em_or);
2846 return X86EMUL_CONTINUE;
2849 static int em_aad(struct x86_emulate_ctxt *ctxt)
2851 u8 al = ctxt->dst.val & 0xff;
2852 u8 ah = (ctxt->dst.val >> 8) & 0xff;
2854 al = (al + (ah * ctxt->src.val)) & 0xff;
2856 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
2858 /* Set PF, ZF, SF */
2859 ctxt->src.type = OP_IMM;
2861 ctxt->src.bytes = 1;
2862 fastop(ctxt, em_or);
2864 return X86EMUL_CONTINUE;
2867 static int em_call(struct x86_emulate_ctxt *ctxt)
2869 long rel = ctxt->src.val;
2871 ctxt->src.val = (unsigned long)ctxt->_eip;
2873 return em_push(ctxt);
2876 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2882 old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2883 old_eip = ctxt->_eip;
2885 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2886 if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
2887 return X86EMUL_CONTINUE;
2890 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
2892 ctxt->src.val = old_cs;
2894 if (rc != X86EMUL_CONTINUE)
2897 ctxt->src.val = old_eip;
2898 return em_push(ctxt);
2901 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2905 ctxt->dst.type = OP_REG;
2906 ctxt->dst.addr.reg = &ctxt->_eip;
2907 ctxt->dst.bytes = ctxt->op_bytes;
2908 rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
2909 if (rc != X86EMUL_CONTINUE)
2911 rsp_increment(ctxt, ctxt->src.val);
2912 return X86EMUL_CONTINUE;
2915 static int em_xchg(struct x86_emulate_ctxt *ctxt)
2917 /* Write back the register source. */
2918 ctxt->src.val = ctxt->dst.val;
2919 write_register_operand(&ctxt->src);
2921 /* Write back the memory destination with implicit LOCK prefix. */
2922 ctxt->dst.val = ctxt->src.orig_val;
2923 ctxt->lock_prefix = 1;
2924 return X86EMUL_CONTINUE;
2927 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2929 ctxt->dst.val = ctxt->src2.val;
2930 return fastop(ctxt, em_imul);
2933 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2935 ctxt->dst.type = OP_REG;
2936 ctxt->dst.bytes = ctxt->src.bytes;
2937 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
2938 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
2940 return X86EMUL_CONTINUE;
2943 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2947 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
2948 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
2949 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
2950 return X86EMUL_CONTINUE;
2953 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
2957 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
2958 return emulate_gp(ctxt, 0);
2959 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
2960 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
2961 return X86EMUL_CONTINUE;
2964 static int em_mov(struct x86_emulate_ctxt *ctxt)
2966 memcpy(ctxt->dst.valptr, ctxt->src.valptr, ctxt->op_bytes);
2967 return X86EMUL_CONTINUE;
2970 #define FFL(x) bit(X86_FEATURE_##x)
2972 static int em_movbe(struct x86_emulate_ctxt *ctxt)
2974 u32 ebx, ecx, edx, eax = 1;
2978 * Check MOVBE is set in the guest-visible CPUID leaf.
2980 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2981 if (!(ecx & FFL(MOVBE)))
2982 return emulate_ud(ctxt);
2984 switch (ctxt->op_bytes) {
2987 * From MOVBE definition: "...When the operand size is 16 bits,
2988 * the upper word of the destination register remains unchanged
2991 * Both casting ->valptr and ->val to u16 breaks strict aliasing
2992 * rules so we have to do the operation almost per hand.
2994 tmp = (u16)ctxt->src.val;
2995 ctxt->dst.val &= ~0xffffUL;
2996 ctxt->dst.val |= (unsigned long)swab16(tmp);
2999 ctxt->dst.val = swab32((u32)ctxt->src.val);
3002 ctxt->dst.val = swab64(ctxt->src.val);
3005 return X86EMUL_PROPAGATE_FAULT;
3007 return X86EMUL_CONTINUE;
3010 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3012 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3013 return emulate_gp(ctxt, 0);
3015 /* Disable writeback. */
3016 ctxt->dst.type = OP_NONE;
3017 return X86EMUL_CONTINUE;
3020 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3024 if (ctxt->mode == X86EMUL_MODE_PROT64)
3025 val = ctxt->src.val & ~0ULL;
3027 val = ctxt->src.val & ~0U;
3029 /* #UD condition is already handled. */
3030 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3031 return emulate_gp(ctxt, 0);
3033 /* Disable writeback. */
3034 ctxt->dst.type = OP_NONE;
3035 return X86EMUL_CONTINUE;
3038 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3042 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3043 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3044 if (ctxt->ops->set_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), msr_data))
3045 return emulate_gp(ctxt, 0);
3047 return X86EMUL_CONTINUE;
3050 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3054 if (ctxt->ops->get_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &msr_data))
3055 return emulate_gp(ctxt, 0);
3057 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3058 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3059 return X86EMUL_CONTINUE;
3062 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3064 if (ctxt->modrm_reg > VCPU_SREG_GS)
3065 return emulate_ud(ctxt);
3067 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
3068 return X86EMUL_CONTINUE;
3071 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3073 u16 sel = ctxt->src.val;
3075 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3076 return emulate_ud(ctxt);
3078 if (ctxt->modrm_reg == VCPU_SREG_SS)
3079 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3081 /* Disable writeback. */
3082 ctxt->dst.type = OP_NONE;
3083 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3086 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3088 u16 sel = ctxt->src.val;
3090 /* Disable writeback. */
3091 ctxt->dst.type = OP_NONE;
3092 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3095 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3097 u16 sel = ctxt->src.val;
3099 /* Disable writeback. */
3100 ctxt->dst.type = OP_NONE;
3101 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3104 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3109 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3110 if (rc == X86EMUL_CONTINUE)
3111 ctxt->ops->invlpg(ctxt, linear);
3112 /* Disable writeback. */
3113 ctxt->dst.type = OP_NONE;
3114 return X86EMUL_CONTINUE;
3117 static int em_clts(struct x86_emulate_ctxt *ctxt)
3121 cr0 = ctxt->ops->get_cr(ctxt, 0);
3123 ctxt->ops->set_cr(ctxt, 0, cr0);
3124 return X86EMUL_CONTINUE;
3127 static int em_vmcall(struct x86_emulate_ctxt *ctxt)
3131 if (ctxt->modrm_mod != 3 || ctxt->modrm_rm != 1)
3132 return X86EMUL_UNHANDLEABLE;
3134 rc = ctxt->ops->fix_hypercall(ctxt);
3135 if (rc != X86EMUL_CONTINUE)
3138 /* Let the processor re-execute the fixed hypercall */
3139 ctxt->_eip = ctxt->eip;
3140 /* Disable writeback. */
3141 ctxt->dst.type = OP_NONE;
3142 return X86EMUL_CONTINUE;
3145 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3146 void (*get)(struct x86_emulate_ctxt *ctxt,
3147 struct desc_ptr *ptr))
3149 struct desc_ptr desc_ptr;
3151 if (ctxt->mode == X86EMUL_MODE_PROT64)
3153 get(ctxt, &desc_ptr);
3154 if (ctxt->op_bytes == 2) {
3156 desc_ptr.address &= 0x00ffffff;
3158 /* Disable writeback. */
3159 ctxt->dst.type = OP_NONE;
3160 return segmented_write(ctxt, ctxt->dst.addr.mem,
3161 &desc_ptr, 2 + ctxt->op_bytes);
3164 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3166 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3169 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3171 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3174 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3176 struct desc_ptr desc_ptr;
3179 if (ctxt->mode == X86EMUL_MODE_PROT64)
3181 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3182 &desc_ptr.size, &desc_ptr.address,
3184 if (rc != X86EMUL_CONTINUE)
3186 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3187 /* Disable writeback. */
3188 ctxt->dst.type = OP_NONE;
3189 return X86EMUL_CONTINUE;
3192 static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
3196 rc = ctxt->ops->fix_hypercall(ctxt);
3198 /* Disable writeback. */
3199 ctxt->dst.type = OP_NONE;
3203 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3205 struct desc_ptr desc_ptr;
3208 if (ctxt->mode == X86EMUL_MODE_PROT64)
3210 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3211 &desc_ptr.size, &desc_ptr.address,
3213 if (rc != X86EMUL_CONTINUE)
3215 ctxt->ops->set_idt(ctxt, &desc_ptr);
3216 /* Disable writeback. */
3217 ctxt->dst.type = OP_NONE;
3218 return X86EMUL_CONTINUE;
3221 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3223 ctxt->dst.bytes = 2;
3224 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3225 return X86EMUL_CONTINUE;
3228 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3230 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3231 | (ctxt->src.val & 0x0f));
3232 ctxt->dst.type = OP_NONE;
3233 return X86EMUL_CONTINUE;
3236 static int em_loop(struct x86_emulate_ctxt *ctxt)
3238 register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1);
3239 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3240 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3241 jmp_rel(ctxt, ctxt->src.val);
3243 return X86EMUL_CONTINUE;
3246 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3248 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3249 jmp_rel(ctxt, ctxt->src.val);
3251 return X86EMUL_CONTINUE;
3254 static int em_in(struct x86_emulate_ctxt *ctxt)
3256 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3258 return X86EMUL_IO_NEEDED;
3260 return X86EMUL_CONTINUE;
3263 static int em_out(struct x86_emulate_ctxt *ctxt)
3265 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3267 /* Disable writeback. */
3268 ctxt->dst.type = OP_NONE;
3269 return X86EMUL_CONTINUE;
3272 static int em_cli(struct x86_emulate_ctxt *ctxt)
3274 if (emulator_bad_iopl(ctxt))
3275 return emulate_gp(ctxt, 0);
3277 ctxt->eflags &= ~X86_EFLAGS_IF;
3278 return X86EMUL_CONTINUE;
3281 static int em_sti(struct x86_emulate_ctxt *ctxt)
3283 if (emulator_bad_iopl(ctxt))
3284 return emulate_gp(ctxt, 0);
3286 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3287 ctxt->eflags |= X86_EFLAGS_IF;
3288 return X86EMUL_CONTINUE;
3291 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3293 u32 eax, ebx, ecx, edx;
3295 eax = reg_read(ctxt, VCPU_REGS_RAX);
3296 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3297 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3298 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3299 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3300 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3301 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3302 return X86EMUL_CONTINUE;
3305 static int em_sahf(struct x86_emulate_ctxt *ctxt)
3309 flags = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF;
3310 flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
3312 ctxt->eflags &= ~0xffUL;
3313 ctxt->eflags |= flags | X86_EFLAGS_FIXED;
3314 return X86EMUL_CONTINUE;
3317 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3319 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3320 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3321 return X86EMUL_CONTINUE;
3324 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3326 switch (ctxt->op_bytes) {
3327 #ifdef CONFIG_X86_64
3329 asm("bswap %0" : "+r"(ctxt->dst.val));
3333 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3336 return X86EMUL_CONTINUE;
3339 static bool valid_cr(int nr)
3351 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
3353 if (!valid_cr(ctxt->modrm_reg))
3354 return emulate_ud(ctxt);
3356 return X86EMUL_CONTINUE;
3359 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
3361 u64 new_val = ctxt->src.val64;
3362 int cr = ctxt->modrm_reg;
3365 static u64 cr_reserved_bits[] = {
3366 0xffffffff00000000ULL,
3367 0, 0, 0, /* CR3 checked later */
3374 return emulate_ud(ctxt);
3376 if (new_val & cr_reserved_bits[cr])
3377 return emulate_gp(ctxt, 0);
3382 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
3383 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
3384 return emulate_gp(ctxt, 0);
3386 cr4 = ctxt->ops->get_cr(ctxt, 4);
3387 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3389 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
3390 !(cr4 & X86_CR4_PAE))
3391 return emulate_gp(ctxt, 0);
3398 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3399 if (efer & EFER_LMA)
3400 rsvd = CR3_L_MODE_RESERVED_BITS;
3403 return emulate_gp(ctxt, 0);
3408 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3410 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
3411 return emulate_gp(ctxt, 0);
3417 return X86EMUL_CONTINUE;
3420 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
3424 ctxt->ops->get_dr(ctxt, 7, &dr7);
3426 /* Check if DR7.Global_Enable is set */
3427 return dr7 & (1 << 13);
3430 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3432 int dr = ctxt->modrm_reg;
3436 return emulate_ud(ctxt);
3438 cr4 = ctxt->ops->get_cr(ctxt, 4);
3439 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3440 return emulate_ud(ctxt);
3442 if (check_dr7_gd(ctxt))
3443 return emulate_db(ctxt);
3445 return X86EMUL_CONTINUE;
3448 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
3450 u64 new_val = ctxt->src.val64;
3451 int dr = ctxt->modrm_reg;
3453 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
3454 return emulate_gp(ctxt, 0);
3456 return check_dr_read(ctxt);
3459 static int check_svme(struct x86_emulate_ctxt *ctxt)
3463 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3465 if (!(efer & EFER_SVME))
3466 return emulate_ud(ctxt);
3468 return X86EMUL_CONTINUE;
3471 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
3473 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
3475 /* Valid physical address? */
3476 if (rax & 0xffff000000000000ULL)
3477 return emulate_gp(ctxt, 0);
3479 return check_svme(ctxt);
3482 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
3484 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3486 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
3487 return emulate_ud(ctxt);
3489 return X86EMUL_CONTINUE;
3492 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
3494 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3495 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
3497 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
3499 return emulate_gp(ctxt, 0);
3501 return X86EMUL_CONTINUE;
3504 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
3506 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
3507 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
3508 return emulate_gp(ctxt, 0);
3510 return X86EMUL_CONTINUE;
3513 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
3515 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
3516 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
3517 return emulate_gp(ctxt, 0);
3519 return X86EMUL_CONTINUE;
3522 #define D(_y) { .flags = (_y) }
3523 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
3524 #define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
3525 .check_perm = (_p) }
3526 #define N D(NotImpl)
3527 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
3528 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
3529 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
3530 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
3531 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
3532 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
3533 #define II(_f, _e, _i) \
3534 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
3535 #define IIP(_f, _e, _i, _p) \
3536 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
3537 .check_perm = (_p) }
3538 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
3540 #define D2bv(_f) D((_f) | ByteOp), D(_f)
3541 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
3542 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
3543 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
3544 #define I2bvIP(_f, _e, _i, _p) \
3545 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
3547 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
3548 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
3549 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
3551 static const struct opcode group7_rm1[] = {
3552 DI(SrcNone | Priv, monitor),
3553 DI(SrcNone | Priv, mwait),
3557 static const struct opcode group7_rm3[] = {
3558 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
3559 II(SrcNone | Prot | EmulateOnUD, em_vmmcall, vmmcall),
3560 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
3561 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
3562 DIP(SrcNone | Prot | Priv, stgi, check_svme),
3563 DIP(SrcNone | Prot | Priv, clgi, check_svme),
3564 DIP(SrcNone | Prot | Priv, skinit, check_svme),
3565 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
3568 static const struct opcode group7_rm7[] = {
3570 DIP(SrcNone, rdtscp, check_rdtsc),
3574 static const struct opcode group1[] = {
3576 F(Lock | PageTable, em_or),
3579 F(Lock | PageTable, em_and),
3585 static const struct opcode group1A[] = {
3586 I(DstMem | SrcNone | Mov | Stack, em_pop), N, N, N, N, N, N, N,
3589 static const struct opcode group2[] = {
3590 F(DstMem | ModRM, em_rol),
3591 F(DstMem | ModRM, em_ror),
3592 F(DstMem | ModRM, em_rcl),
3593 F(DstMem | ModRM, em_rcr),
3594 F(DstMem | ModRM, em_shl),
3595 F(DstMem | ModRM, em_shr),
3596 F(DstMem | ModRM, em_shl),
3597 F(DstMem | ModRM, em_sar),
3600 static const struct opcode group3[] = {
3601 F(DstMem | SrcImm | NoWrite, em_test),
3602 F(DstMem | SrcImm | NoWrite, em_test),
3603 F(DstMem | SrcNone | Lock, em_not),
3604 F(DstMem | SrcNone | Lock, em_neg),
3605 F(DstXacc | Src2Mem, em_mul_ex),
3606 F(DstXacc | Src2Mem, em_imul_ex),
3607 F(DstXacc | Src2Mem, em_div_ex),
3608 F(DstXacc | Src2Mem, em_idiv_ex),
3611 static const struct opcode group4[] = {
3612 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
3613 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
3617 static const struct opcode group5[] = {
3618 F(DstMem | SrcNone | Lock, em_inc),
3619 F(DstMem | SrcNone | Lock, em_dec),
3620 I(SrcMem | Stack, em_grp45),
3621 I(SrcMemFAddr | ImplicitOps | Stack, em_call_far),
3622 I(SrcMem | Stack, em_grp45),
3623 I(SrcMemFAddr | ImplicitOps, em_grp45),
3624 I(SrcMem | Stack, em_grp45), D(Undefined),
3627 static const struct opcode group6[] = {
3630 II(Prot | Priv | SrcMem16, em_lldt, lldt),
3631 II(Prot | Priv | SrcMem16, em_ltr, ltr),
3635 static const struct group_dual group7 = { {
3636 II(Mov | DstMem | Priv, em_sgdt, sgdt),
3637 II(Mov | DstMem | Priv, em_sidt, sidt),
3638 II(SrcMem | Priv, em_lgdt, lgdt),
3639 II(SrcMem | Priv, em_lidt, lidt),
3640 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
3641 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
3642 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
3644 I(SrcNone | Priv | EmulateOnUD, em_vmcall),
3646 N, EXT(0, group7_rm3),
3647 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
3648 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
3652 static const struct opcode group8[] = {
3654 F(DstMem | SrcImmByte | NoWrite, em_bt),
3655 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
3656 F(DstMem | SrcImmByte | Lock, em_btr),
3657 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
3660 static const struct group_dual group9 = { {
3661 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
3663 N, N, N, N, N, N, N, N,
3666 static const struct opcode group11[] = {
3667 I(DstMem | SrcImm | Mov | PageTable, em_mov),
3671 static const struct gprefix pfx_0f_6f_0f_7f = {
3672 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
3675 static const struct gprefix pfx_vmovntpx = {
3676 I(0, em_mov), N, N, N,
3679 static const struct gprefix pfx_0f_28_0f_29 = {
3680 I(Aligned, em_mov), I(Aligned, em_mov), N, N,
3683 static const struct escape escape_d9 = { {
3684 N, N, N, N, N, N, N, I(DstMem, em_fnstcw),
3687 N, N, N, N, N, N, N, N,
3689 N, N, N, N, N, N, N, N,
3691 N, N, N, N, N, N, N, N,
3693 N, N, N, N, N, N, N, N,
3695 N, N, N, N, N, N, N, N,
3697 N, N, N, N, N, N, N, N,
3699 N, N, N, N, N, N, N, N,
3701 N, N, N, N, N, N, N, N,
3704 static const struct escape escape_db = { {
3705 N, N, N, N, N, N, N, N,
3708 N, N, N, N, N, N, N, N,
3710 N, N, N, N, N, N, N, N,
3712 N, N, N, N, N, N, N, N,
3714 N, N, N, N, N, N, N, N,
3716 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
3718 N, N, N, N, N, N, N, N,
3720 N, N, N, N, N, N, N, N,
3722 N, N, N, N, N, N, N, N,
3725 static const struct escape escape_dd = { {
3726 N, N, N, N, N, N, N, I(DstMem, em_fnstsw),
3729 N, N, N, N, N, N, N, N,
3731 N, N, N, N, N, N, N, N,
3733 N, N, N, N, N, N, N, N,
3735 N, N, N, N, N, N, N, N,
3737 N, N, N, N, N, N, N, N,
3739 N, N, N, N, N, N, N, N,
3741 N, N, N, N, N, N, N, N,
3743 N, N, N, N, N, N, N, N,
3746 static const struct opcode opcode_table[256] = {
3748 F6ALU(Lock, em_add),
3749 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
3750 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
3752 F6ALU(Lock | PageTable, em_or),
3753 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
3756 F6ALU(Lock, em_adc),
3757 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
3758 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
3760 F6ALU(Lock, em_sbb),
3761 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
3762 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
3764 F6ALU(Lock | PageTable, em_and), N, N,
3766 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
3768 F6ALU(Lock, em_xor), N, N,
3770 F6ALU(NoWrite, em_cmp), N, N,
3772 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
3774 X8(I(SrcReg | Stack, em_push)),
3776 X8(I(DstReg | Stack, em_pop)),
3778 I(ImplicitOps | Stack | No64, em_pusha),
3779 I(ImplicitOps | Stack | No64, em_popa),
3780 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
3783 I(SrcImm | Mov | Stack, em_push),
3784 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
3785 I(SrcImmByte | Mov | Stack, em_push),
3786 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
3787 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
3788 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
3792 G(ByteOp | DstMem | SrcImm, group1),
3793 G(DstMem | SrcImm, group1),
3794 G(ByteOp | DstMem | SrcImm | No64, group1),
3795 G(DstMem | SrcImmByte, group1),
3796 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
3797 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
3799 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
3800 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
3801 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
3802 D(ModRM | SrcMem | NoAccess | DstReg),
3803 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
3806 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
3808 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
3809 I(SrcImmFAddr | No64, em_call_far), N,
3810 II(ImplicitOps | Stack, em_pushf, pushf),
3811 II(ImplicitOps | Stack, em_popf, popf),
3812 I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
3814 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
3815 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
3816 I2bv(SrcSI | DstDI | Mov | String, em_mov),
3817 F2bv(SrcSI | DstDI | String | NoWrite, em_cmp),
3819 F2bv(DstAcc | SrcImm | NoWrite, em_test),
3820 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
3821 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
3822 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp),
3824 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
3826 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
3828 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
3829 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
3830 I(ImplicitOps | Stack, em_ret),
3831 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
3832 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
3833 G(ByteOp, group11), G(0, group11),
3835 I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
3836 I(ImplicitOps | Stack | SrcImmU16, em_ret_far_imm),
3837 I(ImplicitOps | Stack, em_ret_far),
3838 D(ImplicitOps), DI(SrcImmByte, intn),
3839 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
3841 G(Src2One | ByteOp, group2), G(Src2One, group2),
3842 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
3843 I(DstAcc | SrcImmUByte | No64, em_aam),
3844 I(DstAcc | SrcImmUByte | No64, em_aad),
3845 F(DstAcc | ByteOp | No64, em_salc),
3846 I(DstAcc | SrcXLat | ByteOp, em_mov),
3848 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
3850 X3(I(SrcImmByte, em_loop)),
3851 I(SrcImmByte, em_jcxz),
3852 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
3853 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
3855 I(SrcImm | Stack, em_call), D(SrcImm | ImplicitOps),
3856 I(SrcImmFAddr | No64, em_jmp_far), D(SrcImmByte | ImplicitOps),
3857 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
3858 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
3860 N, DI(ImplicitOps, icebp), N, N,
3861 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
3862 G(ByteOp, group3), G(0, group3),
3864 D(ImplicitOps), D(ImplicitOps),
3865 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
3866 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
3869 static const struct opcode twobyte_table[256] = {
3871 G(0, group6), GD(0, &group7), N, N,
3872 N, I(ImplicitOps | EmulateOnUD, em_syscall),
3873 II(ImplicitOps | Priv, em_clts, clts), N,
3874 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
3875 N, D(ImplicitOps | ModRM), N, N,
3877 N, N, N, N, N, N, N, N,
3878 D(ImplicitOps | ModRM), N, N, N, N, N, N, D(ImplicitOps | ModRM),
3880 DIP(ModRM | DstMem | Priv | Op3264, cr_read, check_cr_read),
3881 DIP(ModRM | DstMem | Priv | Op3264, dr_read, check_dr_read),
3882 IIP(ModRM | SrcMem | Priv | Op3264, em_cr_write, cr_write, check_cr_write),
3883 IIP(ModRM | SrcMem | Priv | Op3264, em_dr_write, dr_write, check_dr_write),
3885 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
3886 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
3887 N, GP(ModRM | DstMem | SrcReg | Sse | Mov | Aligned, &pfx_vmovntpx),
3890 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
3891 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
3892 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
3893 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
3894 I(ImplicitOps | EmulateOnUD, em_sysenter),
3895 I(ImplicitOps | Priv | EmulateOnUD, em_sysexit),
3897 N, N, N, N, N, N, N, N,
3899 X16(D(DstReg | SrcMem | ModRM | Mov)),
3901 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3906 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
3911 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
3915 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
3917 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
3918 II(ImplicitOps, em_cpuid, cpuid),
3919 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
3920 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
3921 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
3923 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
3924 DI(ImplicitOps, rsm),
3925 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
3926 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
3927 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
3928 D(ModRM), F(DstReg | SrcMem | ModRM, em_imul),
3930 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_cmpxchg),
3931 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
3932 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
3933 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
3934 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
3935 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3939 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
3940 F(DstReg | SrcMem | ModRM, em_bsf), F(DstReg | SrcMem | ModRM, em_bsr),
3941 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3943 F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
3944 N, D(DstMem | SrcReg | ModRM | Mov),
3945 N, N, N, GD(0, &group9),
3947 X8(I(DstReg, em_bswap)),
3949 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3951 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3953 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
3956 static const struct gprefix three_byte_0f_38_f0 = {
3957 I(DstReg | SrcMem | Mov, em_movbe), N, N, N
3960 static const struct gprefix three_byte_0f_38_f1 = {
3961 I(DstMem | SrcReg | Mov, em_movbe), N, N, N
3965 * Insns below are selected by the prefix which indexed by the third opcode
3968 static const struct opcode opcode_map_0f_38[256] = {
3970 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
3972 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
3974 GP(EmulateOnUD | ModRM | Prefix, &three_byte_0f_38_f0),
3975 GP(EmulateOnUD | ModRM | Prefix, &three_byte_0f_38_f1),
3994 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
3998 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4004 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4005 unsigned size, bool sign_extension)
4007 int rc = X86EMUL_CONTINUE;
4011 op->addr.mem.ea = ctxt->_eip;
4012 /* NB. Immediates are sign-extended as necessary. */
4013 switch (op->bytes) {
4015 op->val = insn_fetch(s8, ctxt);
4018 op->val = insn_fetch(s16, ctxt);
4021 op->val = insn_fetch(s32, ctxt);
4024 op->val = insn_fetch(s64, ctxt);
4027 if (!sign_extension) {
4028 switch (op->bytes) {
4036 op->val &= 0xffffffff;
4044 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4047 int rc = X86EMUL_CONTINUE;
4051 decode_register_operand(ctxt, op);
4054 rc = decode_imm(ctxt, op, 1, false);
4057 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4061 if ((ctxt->d & BitOp) && op == &ctxt->dst)
4062 fetch_bit_operand(ctxt);
4063 op->orig_val = op->val;
4066 ctxt->memop.bytes = 8;
4070 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4071 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4072 fetch_register_operand(op);
4073 op->orig_val = op->val;
4077 op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
4078 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4079 fetch_register_operand(op);
4080 op->orig_val = op->val;
4083 if (ctxt->d & ByteOp) {
4088 op->bytes = ctxt->op_bytes;
4089 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4090 fetch_register_operand(op);
4091 op->orig_val = op->val;
4095 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4097 register_address(ctxt, reg_read(ctxt, VCPU_REGS_RDI));
4098 op->addr.mem.seg = VCPU_SREG_ES;
4105 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4106 fetch_register_operand(op);
4110 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4113 rc = decode_imm(ctxt, op, 1, true);
4120 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4123 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4126 ctxt->memop.bytes = 1;
4127 if (ctxt->memop.type == OP_REG) {
4128 ctxt->memop.addr.reg = decode_register(ctxt,
4129 ctxt->modrm_rm, true);
4130 fetch_register_operand(&ctxt->memop);
4134 ctxt->memop.bytes = 2;
4137 ctxt->memop.bytes = 4;
4140 rc = decode_imm(ctxt, op, 2, false);
4143 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4147 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4149 register_address(ctxt, reg_read(ctxt, VCPU_REGS_RSI));
4150 op->addr.mem.seg = seg_override(ctxt);
4156 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4158 register_address(ctxt,
4159 reg_read(ctxt, VCPU_REGS_RBX) +
4160 (reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
4161 op->addr.mem.seg = seg_override(ctxt);
4166 op->addr.mem.ea = ctxt->_eip;
4167 op->bytes = ctxt->op_bytes + 2;
4168 insn_fetch_arr(op->valptr, op->bytes, ctxt);
4171 ctxt->memop.bytes = ctxt->op_bytes + 2;
4174 op->val = VCPU_SREG_ES;
4177 op->val = VCPU_SREG_CS;
4180 op->val = VCPU_SREG_SS;
4183 op->val = VCPU_SREG_DS;
4186 op->val = VCPU_SREG_FS;
4189 op->val = VCPU_SREG_GS;
4192 /* Special instructions do their own operand decoding. */
4194 op->type = OP_NONE; /* Disable writeback. */
4202 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
4204 int rc = X86EMUL_CONTINUE;
4205 int mode = ctxt->mode;
4206 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
4207 bool op_prefix = false;
4208 struct opcode opcode;
4210 ctxt->memop.type = OP_NONE;
4211 ctxt->memopp = NULL;
4212 ctxt->_eip = ctxt->eip;
4213 ctxt->fetch.start = ctxt->_eip;
4214 ctxt->fetch.end = ctxt->fetch.start + insn_len;
4215 ctxt->opcode_len = 1;
4217 memcpy(ctxt->fetch.data, insn, insn_len);
4220 case X86EMUL_MODE_REAL:
4221 case X86EMUL_MODE_VM86:
4222 case X86EMUL_MODE_PROT16:
4223 def_op_bytes = def_ad_bytes = 2;
4225 case X86EMUL_MODE_PROT32:
4226 def_op_bytes = def_ad_bytes = 4;
4228 #ifdef CONFIG_X86_64
4229 case X86EMUL_MODE_PROT64:
4235 return EMULATION_FAILED;
4238 ctxt->op_bytes = def_op_bytes;
4239 ctxt->ad_bytes = def_ad_bytes;
4241 /* Legacy prefixes. */
4243 switch (ctxt->b = insn_fetch(u8, ctxt)) {
4244 case 0x66: /* operand-size override */
4246 /* switch between 2/4 bytes */
4247 ctxt->op_bytes = def_op_bytes ^ 6;
4249 case 0x67: /* address-size override */
4250 if (mode == X86EMUL_MODE_PROT64)
4251 /* switch between 4/8 bytes */
4252 ctxt->ad_bytes = def_ad_bytes ^ 12;
4254 /* switch between 2/4 bytes */
4255 ctxt->ad_bytes = def_ad_bytes ^ 6;
4257 case 0x26: /* ES override */
4258 case 0x2e: /* CS override */
4259 case 0x36: /* SS override */
4260 case 0x3e: /* DS override */
4261 set_seg_override(ctxt, (ctxt->b >> 3) & 3);
4263 case 0x64: /* FS override */
4264 case 0x65: /* GS override */
4265 set_seg_override(ctxt, ctxt->b & 7);
4267 case 0x40 ... 0x4f: /* REX */
4268 if (mode != X86EMUL_MODE_PROT64)
4270 ctxt->rex_prefix = ctxt->b;
4272 case 0xf0: /* LOCK */
4273 ctxt->lock_prefix = 1;
4275 case 0xf2: /* REPNE/REPNZ */
4276 case 0xf3: /* REP/REPE/REPZ */
4277 ctxt->rep_prefix = ctxt->b;
4283 /* Any legacy prefix after a REX prefix nullifies its effect. */
4285 ctxt->rex_prefix = 0;
4291 if (ctxt->rex_prefix & 8)
4292 ctxt->op_bytes = 8; /* REX.W */
4294 /* Opcode byte(s). */
4295 opcode = opcode_table[ctxt->b];
4296 /* Two-byte opcode? */
4297 if (ctxt->b == 0x0f) {
4298 ctxt->opcode_len = 2;
4299 ctxt->b = insn_fetch(u8, ctxt);
4300 opcode = twobyte_table[ctxt->b];
4302 /* 0F_38 opcode map */
4303 if (ctxt->b == 0x38) {
4304 ctxt->opcode_len = 3;
4305 ctxt->b = insn_fetch(u8, ctxt);
4306 opcode = opcode_map_0f_38[ctxt->b];
4309 ctxt->d = opcode.flags;
4311 if (ctxt->d & ModRM)
4312 ctxt->modrm = insn_fetch(u8, ctxt);
4314 while (ctxt->d & GroupMask) {
4315 switch (ctxt->d & GroupMask) {
4317 goffset = (ctxt->modrm >> 3) & 7;
4318 opcode = opcode.u.group[goffset];
4321 goffset = (ctxt->modrm >> 3) & 7;
4322 if ((ctxt->modrm >> 6) == 3)
4323 opcode = opcode.u.gdual->mod3[goffset];
4325 opcode = opcode.u.gdual->mod012[goffset];
4328 goffset = ctxt->modrm & 7;
4329 opcode = opcode.u.group[goffset];
4332 if (ctxt->rep_prefix && op_prefix)
4333 return EMULATION_FAILED;
4334 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
4335 switch (simd_prefix) {
4336 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
4337 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
4338 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
4339 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4343 if (ctxt->modrm > 0xbf)
4344 opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
4346 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
4349 return EMULATION_FAILED;
4352 ctxt->d &= ~(u64)GroupMask;
4353 ctxt->d |= opcode.flags;
4356 ctxt->execute = opcode.u.execute;
4357 ctxt->check_perm = opcode.check_perm;
4358 ctxt->intercept = opcode.intercept;
4361 if (ctxt->d == 0 || (ctxt->d & NotImpl))
4362 return EMULATION_FAILED;
4364 if (!(ctxt->d & EmulateOnUD) && ctxt->ud)
4365 return EMULATION_FAILED;
4367 if (mode == X86EMUL_MODE_PROT64 && (ctxt->d & Stack))
4370 if (ctxt->d & Op3264) {
4371 if (mode == X86EMUL_MODE_PROT64)
4378 ctxt->op_bytes = 16;
4379 else if (ctxt->d & Mmx)
4382 /* ModRM and SIB bytes. */
4383 if (ctxt->d & ModRM) {
4384 rc = decode_modrm(ctxt, &ctxt->memop);
4385 if (!ctxt->has_seg_override)
4386 set_seg_override(ctxt, ctxt->modrm_seg);
4387 } else if (ctxt->d & MemAbs)
4388 rc = decode_abs(ctxt, &ctxt->memop);
4389 if (rc != X86EMUL_CONTINUE)
4392 if (!ctxt->has_seg_override)
4393 set_seg_override(ctxt, VCPU_SREG_DS);
4395 ctxt->memop.addr.mem.seg = seg_override(ctxt);
4397 if (ctxt->memop.type == OP_MEM && ctxt->ad_bytes != 8)
4398 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
4401 * Decode and fetch the source operand: register, memory
4404 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
4405 if (rc != X86EMUL_CONTINUE)
4409 * Decode and fetch the second source operand: register, memory
4412 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
4413 if (rc != X86EMUL_CONTINUE)
4416 /* Decode and fetch the destination operand: register or memory. */
4417 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
4420 if (ctxt->memopp && ctxt->memopp->type == OP_MEM && ctxt->rip_relative)
4421 ctxt->memopp->addr.mem.ea += ctxt->_eip;
4423 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
4426 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
4428 return ctxt->d & PageTable;
4431 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
4433 /* The second termination condition only applies for REPE
4434 * and REPNE. Test if the repeat string operation prefix is
4435 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
4436 * corresponding termination condition according to:
4437 * - if REPE/REPZ and ZF = 0 then done
4438 * - if REPNE/REPNZ and ZF = 1 then done
4440 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
4441 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
4442 && (((ctxt->rep_prefix == REPE_PREFIX) &&
4443 ((ctxt->eflags & EFLG_ZF) == 0))
4444 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
4445 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
4451 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
4455 ctxt->ops->get_fpu(ctxt);
4456 asm volatile("1: fwait \n\t"
4458 ".pushsection .fixup,\"ax\" \n\t"
4460 "movb $1, %[fault] \n\t"
4463 _ASM_EXTABLE(1b, 3b)
4464 : [fault]"+qm"(fault));
4465 ctxt->ops->put_fpu(ctxt);
4467 if (unlikely(fault))
4468 return emulate_exception(ctxt, MF_VECTOR, 0, false);
4470 return X86EMUL_CONTINUE;
4473 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
4476 if (op->type == OP_MM)
4477 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
4480 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *))
4482 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
4483 if (!(ctxt->d & ByteOp))
4484 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
4485 asm("push %[flags]; popf; call *%[fastop]; pushf; pop %[flags]\n"
4486 : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
4488 : "c"(ctxt->src2.val));
4489 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
4490 if (!fop) /* exception is returned in fop variable */
4491 return emulate_de(ctxt);
4492 return X86EMUL_CONTINUE;
4495 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
4497 const struct x86_emulate_ops *ops = ctxt->ops;
4498 int rc = X86EMUL_CONTINUE;
4499 int saved_dst_type = ctxt->dst.type;
4501 ctxt->mem_read.pos = 0;
4503 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
4504 (ctxt->d & Undefined)) {
4505 rc = emulate_ud(ctxt);
4509 /* LOCK prefix is allowed only with some instructions */
4510 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
4511 rc = emulate_ud(ctxt);
4515 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
4516 rc = emulate_ud(ctxt);
4520 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
4521 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
4522 rc = emulate_ud(ctxt);
4526 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
4527 rc = emulate_nm(ctxt);
4531 if (ctxt->d & Mmx) {
4532 rc = flush_pending_x87_faults(ctxt);
4533 if (rc != X86EMUL_CONTINUE)
4536 * Now that we know the fpu is exception safe, we can fetch
4539 fetch_possible_mmx_operand(ctxt, &ctxt->src);
4540 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
4541 if (!(ctxt->d & Mov))
4542 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
4545 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4546 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4547 X86_ICPT_PRE_EXCEPT);
4548 if (rc != X86EMUL_CONTINUE)
4552 /* Privileged instruction can be executed only in CPL=0 */
4553 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
4554 rc = emulate_gp(ctxt, 0);
4558 /* Instruction can only be executed in protected mode */
4559 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
4560 rc = emulate_ud(ctxt);
4564 /* Do instruction specific permission checks */
4565 if (ctxt->check_perm) {
4566 rc = ctxt->check_perm(ctxt);
4567 if (rc != X86EMUL_CONTINUE)
4571 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4572 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4573 X86_ICPT_POST_EXCEPT);
4574 if (rc != X86EMUL_CONTINUE)
4578 if (ctxt->rep_prefix && (ctxt->d & String)) {
4579 /* All REP prefixes have the same first termination condition */
4580 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
4581 ctxt->eip = ctxt->_eip;
4586 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
4587 rc = segmented_read(ctxt, ctxt->src.addr.mem,
4588 ctxt->src.valptr, ctxt->src.bytes);
4589 if (rc != X86EMUL_CONTINUE)
4591 ctxt->src.orig_val64 = ctxt->src.val64;
4594 if (ctxt->src2.type == OP_MEM) {
4595 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
4596 &ctxt->src2.val, ctxt->src2.bytes);
4597 if (rc != X86EMUL_CONTINUE)
4601 if ((ctxt->d & DstMask) == ImplicitOps)
4605 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
4606 /* optimisation - avoid slow emulated read if Mov */
4607 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
4608 &ctxt->dst.val, ctxt->dst.bytes);
4609 if (rc != X86EMUL_CONTINUE)
4612 ctxt->dst.orig_val = ctxt->dst.val;
4616 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4617 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4618 X86_ICPT_POST_MEMACCESS);
4619 if (rc != X86EMUL_CONTINUE)
4623 if (ctxt->execute) {
4624 if (ctxt->d & Fastop) {
4625 void (*fop)(struct fastop *) = (void *)ctxt->execute;
4626 rc = fastop(ctxt, fop);
4627 if (rc != X86EMUL_CONTINUE)
4631 rc = ctxt->execute(ctxt);
4632 if (rc != X86EMUL_CONTINUE)
4637 if (ctxt->opcode_len == 2)
4639 else if (ctxt->opcode_len == 3)
4640 goto threebyte_insn;
4643 case 0x63: /* movsxd */
4644 if (ctxt->mode != X86EMUL_MODE_PROT64)
4645 goto cannot_emulate;
4646 ctxt->dst.val = (s32) ctxt->src.val;
4648 case 0x70 ... 0x7f: /* jcc (short) */
4649 if (test_cc(ctxt->b, ctxt->eflags))
4650 jmp_rel(ctxt, ctxt->src.val);
4652 case 0x8d: /* lea r16/r32, m */
4653 ctxt->dst.val = ctxt->src.addr.mem.ea;
4655 case 0x90 ... 0x97: /* nop / xchg reg, rax */
4656 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
4660 case 0x98: /* cbw/cwde/cdqe */
4661 switch (ctxt->op_bytes) {
4662 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
4663 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
4664 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
4667 case 0xcc: /* int3 */
4668 rc = emulate_int(ctxt, 3);
4670 case 0xcd: /* int n */
4671 rc = emulate_int(ctxt, ctxt->src.val);
4673 case 0xce: /* into */
4674 if (ctxt->eflags & EFLG_OF)
4675 rc = emulate_int(ctxt, 4);
4677 case 0xe9: /* jmp rel */
4678 case 0xeb: /* jmp rel short */
4679 jmp_rel(ctxt, ctxt->src.val);
4680 ctxt->dst.type = OP_NONE; /* Disable writeback. */
4682 case 0xf4: /* hlt */
4683 ctxt->ops->halt(ctxt);
4685 case 0xf5: /* cmc */
4686 /* complement carry flag from eflags reg */
4687 ctxt->eflags ^= EFLG_CF;
4689 case 0xf8: /* clc */
4690 ctxt->eflags &= ~EFLG_CF;
4692 case 0xf9: /* stc */
4693 ctxt->eflags |= EFLG_CF;
4695 case 0xfc: /* cld */
4696 ctxt->eflags &= ~EFLG_DF;
4698 case 0xfd: /* std */
4699 ctxt->eflags |= EFLG_DF;
4702 goto cannot_emulate;
4705 if (rc != X86EMUL_CONTINUE)
4709 if (!(ctxt->d & NoWrite)) {
4710 rc = writeback(ctxt, &ctxt->dst);
4711 if (rc != X86EMUL_CONTINUE)
4714 if (ctxt->d & SrcWrite) {
4715 BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
4716 rc = writeback(ctxt, &ctxt->src);
4717 if (rc != X86EMUL_CONTINUE)
4722 * restore dst type in case the decoding will be reused
4723 * (happens for string instruction )
4725 ctxt->dst.type = saved_dst_type;
4727 if ((ctxt->d & SrcMask) == SrcSI)
4728 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
4730 if ((ctxt->d & DstMask) == DstDI)
4731 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
4733 if (ctxt->rep_prefix && (ctxt->d & String)) {
4735 struct read_cache *r = &ctxt->io_read;
4736 if ((ctxt->d & SrcMask) == SrcSI)
4737 count = ctxt->src.count;
4739 count = ctxt->dst.count;
4740 register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX),
4743 if (!string_insn_completed(ctxt)) {
4745 * Re-enter guest when pio read ahead buffer is empty
4746 * or, if it is not used, after each 1024 iteration.
4748 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
4749 (r->end == 0 || r->end != r->pos)) {
4751 * Reset read cache. Usually happens before
4752 * decode, but since instruction is restarted
4753 * we have to do it here.
4755 ctxt->mem_read.end = 0;
4756 writeback_registers(ctxt);
4757 return EMULATION_RESTART;
4759 goto done; /* skip rip writeback */
4763 ctxt->eip = ctxt->_eip;
4766 if (rc == X86EMUL_PROPAGATE_FAULT)
4767 ctxt->have_exception = true;
4768 if (rc == X86EMUL_INTERCEPTED)
4769 return EMULATION_INTERCEPTED;
4771 if (rc == X86EMUL_CONTINUE)
4772 writeback_registers(ctxt);
4774 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
4778 case 0x09: /* wbinvd */
4779 (ctxt->ops->wbinvd)(ctxt);
4781 case 0x08: /* invd */
4782 case 0x0d: /* GrpP (prefetch) */
4783 case 0x18: /* Grp16 (prefetch/nop) */
4784 case 0x1f: /* nop */
4786 case 0x20: /* mov cr, reg */
4787 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
4789 case 0x21: /* mov from dr to reg */
4790 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
4792 case 0x40 ... 0x4f: /* cmov */
4793 ctxt->dst.val = ctxt->dst.orig_val = ctxt->src.val;
4794 if (!test_cc(ctxt->b, ctxt->eflags))
4795 ctxt->dst.type = OP_NONE; /* no writeback */
4797 case 0x80 ... 0x8f: /* jnz rel, etc*/
4798 if (test_cc(ctxt->b, ctxt->eflags))
4799 jmp_rel(ctxt, ctxt->src.val);
4801 case 0x90 ... 0x9f: /* setcc r/m8 */
4802 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
4804 case 0xae: /* clflush */
4806 case 0xb6 ... 0xb7: /* movzx */
4807 ctxt->dst.bytes = ctxt->op_bytes;
4808 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
4809 : (u16) ctxt->src.val;
4811 case 0xbe ... 0xbf: /* movsx */
4812 ctxt->dst.bytes = ctxt->op_bytes;
4813 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
4814 (s16) ctxt->src.val;
4816 case 0xc3: /* movnti */
4817 ctxt->dst.bytes = ctxt->op_bytes;
4818 ctxt->dst.val = (ctxt->op_bytes == 4) ? (u32) ctxt->src.val :
4819 (u64) ctxt->src.val;
4822 goto cannot_emulate;
4827 if (rc != X86EMUL_CONTINUE)
4833 return EMULATION_FAILED;
4836 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
4838 invalidate_registers(ctxt);
4841 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
4843 writeback_registers(ctxt);
projects / linux.git / blob