1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
77 /* Destination is only written; never read. */
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
86 #define Undefined (1<<25) /* No Such Instruction */
87 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
88 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
90 /* Source 2 operand type */
91 #define Src2None (0<<29)
92 #define Src2CL (1<<29)
93 #define Src2ImmByte (2<<29)
94 #define Src2One (3<<29)
95 #define Src2Mask (7<<29)
98 #define X3(x) X2(x), x
99 #define X4(x) X2(x), X2(x)
100 #define X5(x) X4(x), x
101 #define X6(x) X4(x), X2(x)
102 #define X7(x) X4(x), X3(x)
103 #define X8(x) X4(x), X4(x)
104 #define X16(x) X8(x), X8(x)
109 int (*execute)(struct x86_emulate_ctxt *ctxt);
110 struct opcode *group;
111 struct group_dual *gdual;
116 struct opcode mod012[8];
117 struct opcode mod3[8];
120 #define D(_y) { .flags = (_y) }
122 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
123 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
124 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
126 static struct opcode group1[] = {
130 static struct opcode group1A[] = {
131 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
134 static struct opcode group3[] = {
135 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
136 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
140 static struct opcode group4[] = {
141 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
145 static struct opcode group5[] = {
146 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
147 D(SrcMem | ModRM | Stack), N,
148 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
149 D(SrcMem | ModRM | Stack), N,
152 static struct group_dual group7 = { {
153 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
154 D(SrcNone | ModRM | DstMem | Mov), N,
155 D(SrcMem16 | ModRM | Mov | Priv), D(SrcMem | ModRM | ByteOp | Priv),
157 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
158 D(SrcNone | ModRM | DstMem | Mov), N,
159 D(SrcMem16 | ModRM | Mov | Priv), N,
162 static struct opcode group8[] = {
164 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
165 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
168 static struct group_dual group9 = { {
169 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
171 N, N, N, N, N, N, N, N,
174 static struct opcode opcode_table[256] = {
176 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
177 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
178 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
179 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
181 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
182 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
183 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
184 D(ImplicitOps | Stack | No64), N,
186 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
187 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
188 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
189 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
191 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
192 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
193 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
194 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
196 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
197 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
198 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
200 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
201 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
202 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
204 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
205 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
206 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
208 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
209 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
210 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
215 X8(D(SrcReg | Stack)),
217 X8(D(DstReg | Stack)),
219 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
220 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
223 D(SrcImm | Mov | Stack), N, D(SrcImmByte | Mov | Stack), N,
224 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
225 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
229 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
230 G(DstMem | SrcImm | ModRM | Group, group1),
231 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
232 G(DstMem | SrcImmByte | ModRM | Group, group1),
233 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
234 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
236 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
237 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
238 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | DstReg),
239 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
241 D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg),
243 N, N, D(SrcImmFAddr | No64), N,
244 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
246 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
247 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
248 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
249 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
251 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
252 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
253 D(ByteOp | DstDI | String), D(DstDI | String),
255 X8(D(ByteOp | DstReg | SrcImm | Mov)),
257 X8(D(DstReg | SrcImm | Mov)),
259 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
260 N, D(ImplicitOps | Stack), N, N,
261 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
263 N, N, N, D(ImplicitOps | Stack),
264 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
266 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
267 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
270 N, N, N, N, N, N, N, N,
273 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
274 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
276 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
277 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
278 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
279 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
282 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
284 D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
285 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
288 static struct opcode twobyte_table[256] = {
290 N, GD(0, &group7), N, N,
291 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
292 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
293 N, D(ImplicitOps | ModRM), N, N,
295 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
297 D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
298 D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
300 N, N, N, N, N, N, N, N,
302 D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
303 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
304 N, N, N, N, N, N, N, N,
306 X16(D(DstReg | SrcMem | ModRM | Mov)),
308 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
310 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
312 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
316 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
318 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
319 N, D(DstMem | SrcReg | ModRM | BitOp),
320 D(DstMem | SrcReg | Src2ImmByte | ModRM),
321 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
323 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
324 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
325 D(DstMem | SrcReg | Src2ImmByte | ModRM),
326 D(DstMem | SrcReg | Src2CL | ModRM),
329 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
330 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
331 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
332 D(DstReg | SrcMem16 | ModRM | Mov),
335 G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
336 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
337 D(DstReg | SrcMem16 | ModRM | Mov),
339 N, N, N, D(DstMem | SrcReg | ModRM | Mov),
340 N, N, N, GD(0, &group9),
341 N, N, N, N, N, N, N, N,
343 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
345 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
347 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
356 /* EFLAGS bit definitions. */
357 #define EFLG_ID (1<<21)
358 #define EFLG_VIP (1<<20)
359 #define EFLG_VIF (1<<19)
360 #define EFLG_AC (1<<18)
361 #define EFLG_VM (1<<17)
362 #define EFLG_RF (1<<16)
363 #define EFLG_IOPL (3<<12)
364 #define EFLG_NT (1<<14)
365 #define EFLG_OF (1<<11)
366 #define EFLG_DF (1<<10)
367 #define EFLG_IF (1<<9)
368 #define EFLG_TF (1<<8)
369 #define EFLG_SF (1<<7)
370 #define EFLG_ZF (1<<6)
371 #define EFLG_AF (1<<4)
372 #define EFLG_PF (1<<2)
373 #define EFLG_CF (1<<0)
375 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
376 #define EFLG_RESERVED_ONE_MASK 2
379 * Instruction emulation:
380 * Most instructions are emulated directly via a fragment of inline assembly
381 * code. This allows us to save/restore EFLAGS and thus very easily pick up
382 * any modified flags.
385 #if defined(CONFIG_X86_64)
386 #define _LO32 "k" /* force 32-bit operand */
387 #define _STK "%%rsp" /* stack pointer */
388 #elif defined(__i386__)
389 #define _LO32 "" /* force 32-bit operand */
390 #define _STK "%%esp" /* stack pointer */
394 * These EFLAGS bits are restored from saved value during emulation, and
395 * any changes are written back to the saved value after emulation.
397 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
399 /* Before executing instruction: restore necessary bits in EFLAGS. */
400 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
401 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
402 "movl %"_sav",%"_LO32 _tmp"; " \
405 "movl %"_msk",%"_LO32 _tmp"; " \
406 "andl %"_LO32 _tmp",("_STK"); " \
408 "notl %"_LO32 _tmp"; " \
409 "andl %"_LO32 _tmp",("_STK"); " \
410 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
412 "orl %"_LO32 _tmp",("_STK"); " \
416 /* After executing instruction: write-back necessary bits in EFLAGS. */
417 #define _POST_EFLAGS(_sav, _msk, _tmp) \
418 /* _sav |= EFLAGS & _msk; */ \
421 "andl %"_msk",%"_LO32 _tmp"; " \
422 "orl %"_LO32 _tmp",%"_sav"; "
430 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
432 __asm__ __volatile__ ( \
433 _PRE_EFLAGS("0", "4", "2") \
434 _op _suffix " %"_x"3,%1; " \
435 _POST_EFLAGS("0", "4", "2") \
436 : "=m" (_eflags), "=m" ((_dst).val), \
438 : _y ((_src).val), "i" (EFLAGS_MASK)); \
442 /* Raw emulation: instruction has two explicit operands. */
443 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
445 unsigned long _tmp; \
447 switch ((_dst).bytes) { \
449 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
452 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
455 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
460 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
462 unsigned long _tmp; \
463 switch ((_dst).bytes) { \
465 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
468 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
469 _wx, _wy, _lx, _ly, _qx, _qy); \
474 /* Source operand is byte-sized and may be restricted to just %cl. */
475 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
476 __emulate_2op(_op, _src, _dst, _eflags, \
477 "b", "c", "b", "c", "b", "c", "b", "c")
479 /* Source operand is byte, word, long or quad sized. */
480 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
481 __emulate_2op(_op, _src, _dst, _eflags, \
482 "b", "q", "w", "r", _LO32, "r", "", "r")
484 /* Source operand is word, long or quad sized. */
485 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
486 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
487 "w", "r", _LO32, "r", "", "r")
489 /* Instruction has three operands and one operand is stored in ECX register */
490 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
492 unsigned long _tmp; \
493 _type _clv = (_cl).val; \
494 _type _srcv = (_src).val; \
495 _type _dstv = (_dst).val; \
497 __asm__ __volatile__ ( \
498 _PRE_EFLAGS("0", "5", "2") \
499 _op _suffix " %4,%1 \n" \
500 _POST_EFLAGS("0", "5", "2") \
501 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
502 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
505 (_cl).val = (unsigned long) _clv; \
506 (_src).val = (unsigned long) _srcv; \
507 (_dst).val = (unsigned long) _dstv; \
510 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
512 switch ((_dst).bytes) { \
514 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
515 "w", unsigned short); \
518 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
519 "l", unsigned int); \
522 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
523 "q", unsigned long)); \
528 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
530 unsigned long _tmp; \
532 __asm__ __volatile__ ( \
533 _PRE_EFLAGS("0", "3", "2") \
534 _op _suffix " %1; " \
535 _POST_EFLAGS("0", "3", "2") \
536 : "=m" (_eflags), "+m" ((_dst).val), \
538 : "i" (EFLAGS_MASK)); \
541 /* Instruction has only one explicit operand (no source operand). */
542 #define emulate_1op(_op, _dst, _eflags) \
544 switch ((_dst).bytes) { \
545 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
546 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
547 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
548 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
552 /* Fetch next part of the instruction being emulated. */
553 #define insn_fetch(_type, _size, _eip) \
554 ({ unsigned long _x; \
555 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
556 if (rc != X86EMUL_CONTINUE) \
562 #define insn_fetch_arr(_arr, _size, _eip) \
563 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
564 if (rc != X86EMUL_CONTINUE) \
569 static inline unsigned long ad_mask(struct decode_cache *c)
571 return (1UL << (c->ad_bytes << 3)) - 1;
574 /* Access/update address held in a register, based on addressing mode. */
575 static inline unsigned long
576 address_mask(struct decode_cache *c, unsigned long reg)
578 if (c->ad_bytes == sizeof(unsigned long))
581 return reg & ad_mask(c);
584 static inline unsigned long
585 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
587 return base + address_mask(c, reg);
591 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
593 if (c->ad_bytes == sizeof(unsigned long))
596 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
599 static inline void jmp_rel(struct decode_cache *c, int rel)
601 register_address_increment(c, &c->eip, rel);
604 static void set_seg_override(struct decode_cache *c, int seg)
606 c->has_seg_override = true;
607 c->seg_override = seg;
610 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
611 struct x86_emulate_ops *ops, int seg)
613 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
616 return ops->get_cached_segment_base(seg, ctxt->vcpu);
619 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
620 struct x86_emulate_ops *ops,
621 struct decode_cache *c)
623 if (!c->has_seg_override)
626 return seg_base(ctxt, ops, c->seg_override);
629 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
630 struct x86_emulate_ops *ops)
632 return seg_base(ctxt, ops, VCPU_SREG_ES);
635 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
636 struct x86_emulate_ops *ops)
638 return seg_base(ctxt, ops, VCPU_SREG_SS);
641 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
642 u32 error, bool valid)
644 ctxt->exception = vec;
645 ctxt->error_code = error;
646 ctxt->error_code_valid = valid;
647 ctxt->restart = false;
650 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
652 emulate_exception(ctxt, GP_VECTOR, err, true);
655 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
659 emulate_exception(ctxt, PF_VECTOR, err, true);
662 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
664 emulate_exception(ctxt, UD_VECTOR, 0, false);
667 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
669 emulate_exception(ctxt, TS_VECTOR, err, true);
672 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
673 struct x86_emulate_ops *ops,
674 unsigned long eip, u8 *dest)
676 struct fetch_cache *fc = &ctxt->decode.fetch;
680 if (eip == fc->end) {
681 cur_size = fc->end - fc->start;
682 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
683 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
684 size, ctxt->vcpu, NULL);
685 if (rc != X86EMUL_CONTINUE)
689 *dest = fc->data[eip - fc->start];
690 return X86EMUL_CONTINUE;
693 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
694 struct x86_emulate_ops *ops,
695 unsigned long eip, void *dest, unsigned size)
699 /* x86 instructions are limited to 15 bytes. */
700 if (eip + size - ctxt->eip > 15)
701 return X86EMUL_UNHANDLEABLE;
703 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
704 if (rc != X86EMUL_CONTINUE)
707 return X86EMUL_CONTINUE;
711 * Given the 'reg' portion of a ModRM byte, and a register block, return a
712 * pointer into the block that addresses the relevant register.
713 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
715 static void *decode_register(u8 modrm_reg, unsigned long *regs,
720 p = ®s[modrm_reg];
721 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
722 p = (unsigned char *)®s[modrm_reg & 3] + 1;
726 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
727 struct x86_emulate_ops *ops,
729 u16 *size, unsigned long *address, int op_bytes)
736 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
738 if (rc != X86EMUL_CONTINUE)
740 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
745 static int test_cc(unsigned int condition, unsigned int flags)
749 switch ((condition & 15) >> 1) {
751 rc |= (flags & EFLG_OF);
753 case 1: /* b/c/nae */
754 rc |= (flags & EFLG_CF);
757 rc |= (flags & EFLG_ZF);
760 rc |= (flags & (EFLG_CF|EFLG_ZF));
763 rc |= (flags & EFLG_SF);
766 rc |= (flags & EFLG_PF);
769 rc |= (flags & EFLG_ZF);
772 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
776 /* Odd condition identifiers (lsb == 1) have inverted sense. */
777 return (!!rc ^ (condition & 1));
780 static void decode_register_operand(struct operand *op,
781 struct decode_cache *c,
784 unsigned reg = c->modrm_reg;
785 int highbyte_regs = c->rex_prefix == 0;
788 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
790 if ((c->d & ByteOp) && !inhibit_bytereg) {
791 op->ptr = decode_register(reg, c->regs, highbyte_regs);
792 op->val = *(u8 *)op->ptr;
795 op->ptr = decode_register(reg, c->regs, 0);
796 op->bytes = c->op_bytes;
799 op->val = *(u16 *)op->ptr;
802 op->val = *(u32 *)op->ptr;
805 op->val = *(u64 *) op->ptr;
809 op->orig_val = op->val;
812 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
813 struct x86_emulate_ops *ops)
815 struct decode_cache *c = &ctxt->decode;
817 int index_reg = 0, base_reg = 0, scale;
818 int rc = X86EMUL_CONTINUE;
821 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
822 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
823 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
826 c->modrm = insn_fetch(u8, 1, c->eip);
827 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
828 c->modrm_reg |= (c->modrm & 0x38) >> 3;
829 c->modrm_rm |= (c->modrm & 0x07);
833 if (c->modrm_mod == 3) {
834 c->modrm_ptr = decode_register(c->modrm_rm,
835 c->regs, c->d & ByteOp);
836 c->modrm_val = *(unsigned long *)c->modrm_ptr;
840 if (c->ad_bytes == 2) {
841 unsigned bx = c->regs[VCPU_REGS_RBX];
842 unsigned bp = c->regs[VCPU_REGS_RBP];
843 unsigned si = c->regs[VCPU_REGS_RSI];
844 unsigned di = c->regs[VCPU_REGS_RDI];
846 /* 16-bit ModR/M decode. */
847 switch (c->modrm_mod) {
849 if (c->modrm_rm == 6)
850 c->modrm_ea += insn_fetch(u16, 2, c->eip);
853 c->modrm_ea += insn_fetch(s8, 1, c->eip);
856 c->modrm_ea += insn_fetch(u16, 2, c->eip);
859 switch (c->modrm_rm) {
861 c->modrm_ea += bx + si;
864 c->modrm_ea += bx + di;
867 c->modrm_ea += bp + si;
870 c->modrm_ea += bp + di;
879 if (c->modrm_mod != 0)
886 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
887 (c->modrm_rm == 6 && c->modrm_mod != 0))
888 if (!c->has_seg_override)
889 set_seg_override(c, VCPU_SREG_SS);
890 c->modrm_ea = (u16)c->modrm_ea;
892 /* 32/64-bit ModR/M decode. */
893 if ((c->modrm_rm & 7) == 4) {
894 sib = insn_fetch(u8, 1, c->eip);
895 index_reg |= (sib >> 3) & 7;
899 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
900 c->modrm_ea += insn_fetch(s32, 4, c->eip);
902 c->modrm_ea += c->regs[base_reg];
904 c->modrm_ea += c->regs[index_reg] << scale;
905 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
906 if (ctxt->mode == X86EMUL_MODE_PROT64)
909 c->modrm_ea += c->regs[c->modrm_rm];
910 switch (c->modrm_mod) {
912 if (c->modrm_rm == 5)
913 c->modrm_ea += insn_fetch(s32, 4, c->eip);
916 c->modrm_ea += insn_fetch(s8, 1, c->eip);
919 c->modrm_ea += insn_fetch(s32, 4, c->eip);
927 static int decode_abs(struct x86_emulate_ctxt *ctxt,
928 struct x86_emulate_ops *ops)
930 struct decode_cache *c = &ctxt->decode;
931 int rc = X86EMUL_CONTINUE;
933 switch (c->ad_bytes) {
935 c->modrm_ea = insn_fetch(u16, 2, c->eip);
938 c->modrm_ea = insn_fetch(u32, 4, c->eip);
941 c->modrm_ea = insn_fetch(u64, 8, c->eip);
948 static int read_emulated(struct x86_emulate_ctxt *ctxt,
949 struct x86_emulate_ops *ops,
950 unsigned long addr, void *dest, unsigned size)
953 struct read_cache *mc = &ctxt->decode.mem_read;
957 int n = min(size, 8u);
959 if (mc->pos < mc->end)
962 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
964 if (rc == X86EMUL_PROPAGATE_FAULT)
965 emulate_pf(ctxt, addr, err);
966 if (rc != X86EMUL_CONTINUE)
971 memcpy(dest, mc->data + mc->pos, n);
976 return X86EMUL_CONTINUE;
979 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
980 struct x86_emulate_ops *ops,
981 unsigned int size, unsigned short port,
984 struct read_cache *rc = &ctxt->decode.io_read;
986 if (rc->pos == rc->end) { /* refill pio read ahead */
987 struct decode_cache *c = &ctxt->decode;
988 unsigned int in_page, n;
989 unsigned int count = c->rep_prefix ?
990 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
991 in_page = (ctxt->eflags & EFLG_DF) ?
992 offset_in_page(c->regs[VCPU_REGS_RDI]) :
993 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
994 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
998 rc->pos = rc->end = 0;
999 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1004 memcpy(dest, rc->data + rc->pos, size);
1009 static u32 desc_limit_scaled(struct desc_struct *desc)
1011 u32 limit = get_desc_limit(desc);
1013 return desc->g ? (limit << 12) | 0xfff : limit;
1016 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1017 struct x86_emulate_ops *ops,
1018 u16 selector, struct desc_ptr *dt)
1020 if (selector & 1 << 2) {
1021 struct desc_struct desc;
1022 memset (dt, 0, sizeof *dt);
1023 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1026 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1027 dt->address = get_desc_base(&desc);
1029 ops->get_gdt(dt, ctxt->vcpu);
1032 /* allowed just for 8 bytes segments */
1033 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1034 struct x86_emulate_ops *ops,
1035 u16 selector, struct desc_struct *desc)
1038 u16 index = selector >> 3;
1043 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1045 if (dt.size < index * 8 + 7) {
1046 emulate_gp(ctxt, selector & 0xfffc);
1047 return X86EMUL_PROPAGATE_FAULT;
1049 addr = dt.address + index * 8;
1050 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1051 if (ret == X86EMUL_PROPAGATE_FAULT)
1052 emulate_pf(ctxt, addr, err);
1057 /* allowed just for 8 bytes segments */
1058 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1059 struct x86_emulate_ops *ops,
1060 u16 selector, struct desc_struct *desc)
1063 u16 index = selector >> 3;
1068 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1070 if (dt.size < index * 8 + 7) {
1071 emulate_gp(ctxt, selector & 0xfffc);
1072 return X86EMUL_PROPAGATE_FAULT;
1075 addr = dt.address + index * 8;
1076 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1077 if (ret == X86EMUL_PROPAGATE_FAULT)
1078 emulate_pf(ctxt, addr, err);
1083 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1084 struct x86_emulate_ops *ops,
1085 u16 selector, int seg)
1087 struct desc_struct seg_desc;
1089 unsigned err_vec = GP_VECTOR;
1091 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1094 memset(&seg_desc, 0, sizeof seg_desc);
1096 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1097 || ctxt->mode == X86EMUL_MODE_REAL) {
1098 /* set real mode segment descriptor */
1099 set_desc_base(&seg_desc, selector << 4);
1100 set_desc_limit(&seg_desc, 0xffff);
1107 /* NULL selector is not valid for TR, CS and SS */
1108 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1112 /* TR should be in GDT only */
1113 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1116 if (null_selector) /* for NULL selector skip all following checks */
1119 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1120 if (ret != X86EMUL_CONTINUE)
1123 err_code = selector & 0xfffc;
1124 err_vec = GP_VECTOR;
1126 /* can't load system descriptor into segment selecor */
1127 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1131 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1137 cpl = ops->cpl(ctxt->vcpu);
1142 * segment is not a writable data segment or segment
1143 * selector's RPL != CPL or segment selector's RPL != CPL
1145 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1149 if (!(seg_desc.type & 8))
1152 if (seg_desc.type & 4) {
1158 if (rpl > cpl || dpl != cpl)
1161 /* CS(RPL) <- CPL */
1162 selector = (selector & 0xfffc) | cpl;
1165 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1168 case VCPU_SREG_LDTR:
1169 if (seg_desc.s || seg_desc.type != 2)
1172 default: /* DS, ES, FS, or GS */
1174 * segment is not a data or readable code segment or
1175 * ((segment is a data or nonconforming code segment)
1176 * and (both RPL and CPL > DPL))
1178 if ((seg_desc.type & 0xa) == 0x8 ||
1179 (((seg_desc.type & 0xc) != 0xc) &&
1180 (rpl > dpl && cpl > dpl)))
1186 /* mark segment as accessed */
1188 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1189 if (ret != X86EMUL_CONTINUE)
1193 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1194 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1195 return X86EMUL_CONTINUE;
1197 emulate_exception(ctxt, err_vec, err_code, true);
1198 return X86EMUL_PROPAGATE_FAULT;
1201 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1202 struct x86_emulate_ops *ops)
1205 struct decode_cache *c = &ctxt->decode;
1208 switch (c->dst.type) {
1210 /* The 4-byte case *is* correct:
1211 * in 64-bit mode we zero-extend.
1213 switch (c->dst.bytes) {
1215 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1218 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1221 *c->dst.ptr = (u32)c->dst.val;
1222 break; /* 64b: zero-ext */
1224 *c->dst.ptr = c->dst.val;
1230 rc = ops->cmpxchg_emulated(
1231 (unsigned long)c->dst.ptr,
1238 rc = ops->write_emulated(
1239 (unsigned long)c->dst.ptr,
1244 if (rc == X86EMUL_PROPAGATE_FAULT)
1246 (unsigned long)c->dst.ptr, err);
1247 if (rc != X86EMUL_CONTINUE)
1256 return X86EMUL_CONTINUE;
1259 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1260 struct x86_emulate_ops *ops)
1262 struct decode_cache *c = &ctxt->decode;
1264 c->dst.type = OP_MEM;
1265 c->dst.bytes = c->op_bytes;
1266 c->dst.val = c->src.val;
1267 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1268 c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1269 c->regs[VCPU_REGS_RSP]);
1272 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1273 struct x86_emulate_ops *ops,
1274 void *dest, int len)
1276 struct decode_cache *c = &ctxt->decode;
1279 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1280 c->regs[VCPU_REGS_RSP]),
1282 if (rc != X86EMUL_CONTINUE)
1285 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1289 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1290 struct x86_emulate_ops *ops,
1291 void *dest, int len)
1294 unsigned long val, change_mask;
1295 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1296 int cpl = ops->cpl(ctxt->vcpu);
1298 rc = emulate_pop(ctxt, ops, &val, len);
1299 if (rc != X86EMUL_CONTINUE)
1302 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1303 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1305 switch(ctxt->mode) {
1306 case X86EMUL_MODE_PROT64:
1307 case X86EMUL_MODE_PROT32:
1308 case X86EMUL_MODE_PROT16:
1310 change_mask |= EFLG_IOPL;
1312 change_mask |= EFLG_IF;
1314 case X86EMUL_MODE_VM86:
1316 emulate_gp(ctxt, 0);
1317 return X86EMUL_PROPAGATE_FAULT;
1319 change_mask |= EFLG_IF;
1321 default: /* real mode */
1322 change_mask |= (EFLG_IOPL | EFLG_IF);
1326 *(unsigned long *)dest =
1327 (ctxt->eflags & ~change_mask) | (val & change_mask);
1332 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1333 struct x86_emulate_ops *ops, int seg)
1335 struct decode_cache *c = &ctxt->decode;
1337 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1339 emulate_push(ctxt, ops);
1342 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1343 struct x86_emulate_ops *ops, int seg)
1345 struct decode_cache *c = &ctxt->decode;
1346 unsigned long selector;
1349 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1350 if (rc != X86EMUL_CONTINUE)
1353 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1357 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1358 struct x86_emulate_ops *ops)
1360 struct decode_cache *c = &ctxt->decode;
1361 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1362 int rc = X86EMUL_CONTINUE;
1363 int reg = VCPU_REGS_RAX;
1365 while (reg <= VCPU_REGS_RDI) {
1366 (reg == VCPU_REGS_RSP) ?
1367 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1369 emulate_push(ctxt, ops);
1371 rc = writeback(ctxt, ops);
1372 if (rc != X86EMUL_CONTINUE)
1378 /* Disable writeback. */
1379 c->dst.type = OP_NONE;
1384 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1385 struct x86_emulate_ops *ops)
1387 struct decode_cache *c = &ctxt->decode;
1388 int rc = X86EMUL_CONTINUE;
1389 int reg = VCPU_REGS_RDI;
1391 while (reg >= VCPU_REGS_RAX) {
1392 if (reg == VCPU_REGS_RSP) {
1393 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1398 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1399 if (rc != X86EMUL_CONTINUE)
1406 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1407 struct x86_emulate_ops *ops)
1409 struct decode_cache *c = &ctxt->decode;
1410 int rc = X86EMUL_CONTINUE;
1411 unsigned long temp_eip = 0;
1412 unsigned long temp_eflags = 0;
1413 unsigned long cs = 0;
1414 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1415 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1416 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1417 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1419 /* TODO: Add stack limit check */
1421 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1423 if (rc != X86EMUL_CONTINUE)
1426 if (temp_eip & ~0xffff) {
1427 emulate_gp(ctxt, 0);
1428 return X86EMUL_PROPAGATE_FAULT;
1431 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1433 if (rc != X86EMUL_CONTINUE)
1436 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1438 if (rc != X86EMUL_CONTINUE)
1441 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1443 if (rc != X86EMUL_CONTINUE)
1449 if (c->op_bytes == 4)
1450 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1451 else if (c->op_bytes == 2) {
1452 ctxt->eflags &= ~0xffff;
1453 ctxt->eflags |= temp_eflags;
1456 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1457 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1462 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1463 struct x86_emulate_ops* ops)
1465 switch(ctxt->mode) {
1466 case X86EMUL_MODE_REAL:
1467 return emulate_iret_real(ctxt, ops);
1468 case X86EMUL_MODE_VM86:
1469 case X86EMUL_MODE_PROT16:
1470 case X86EMUL_MODE_PROT32:
1471 case X86EMUL_MODE_PROT64:
1473 /* iret from protected mode unimplemented yet */
1474 return X86EMUL_UNHANDLEABLE;
1478 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1479 struct x86_emulate_ops *ops)
1481 struct decode_cache *c = &ctxt->decode;
1483 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1486 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1488 struct decode_cache *c = &ctxt->decode;
1489 switch (c->modrm_reg) {
1491 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1494 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1497 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1500 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1502 case 4: /* sal/shl */
1503 case 6: /* sal/shl */
1504 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1507 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1510 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1515 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1516 struct x86_emulate_ops *ops)
1518 struct decode_cache *c = &ctxt->decode;
1520 switch (c->modrm_reg) {
1521 case 0 ... 1: /* test */
1522 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1525 c->dst.val = ~c->dst.val;
1528 emulate_1op("neg", c->dst, ctxt->eflags);
1536 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1537 struct x86_emulate_ops *ops)
1539 struct decode_cache *c = &ctxt->decode;
1541 switch (c->modrm_reg) {
1543 emulate_1op("inc", c->dst, ctxt->eflags);
1546 emulate_1op("dec", c->dst, ctxt->eflags);
1548 case 2: /* call near abs */ {
1551 c->eip = c->src.val;
1552 c->src.val = old_eip;
1553 emulate_push(ctxt, ops);
1556 case 4: /* jmp abs */
1557 c->eip = c->src.val;
1560 emulate_push(ctxt, ops);
1563 return X86EMUL_CONTINUE;
1566 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1567 struct x86_emulate_ops *ops)
1569 struct decode_cache *c = &ctxt->decode;
1570 u64 old = c->dst.orig_val64;
1572 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1573 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1574 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1575 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1576 ctxt->eflags &= ~EFLG_ZF;
1578 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1579 (u32) c->regs[VCPU_REGS_RBX];
1581 ctxt->eflags |= EFLG_ZF;
1583 return X86EMUL_CONTINUE;
1586 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1587 struct x86_emulate_ops *ops)
1589 struct decode_cache *c = &ctxt->decode;
1593 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1594 if (rc != X86EMUL_CONTINUE)
1596 if (c->op_bytes == 4)
1597 c->eip = (u32)c->eip;
1598 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1599 if (rc != X86EMUL_CONTINUE)
1601 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1606 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1607 struct x86_emulate_ops *ops, struct desc_struct *cs,
1608 struct desc_struct *ss)
1610 memset(cs, 0, sizeof(struct desc_struct));
1611 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1612 memset(ss, 0, sizeof(struct desc_struct));
1614 cs->l = 0; /* will be adjusted later */
1615 set_desc_base(cs, 0); /* flat segment */
1616 cs->g = 1; /* 4kb granularity */
1617 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1618 cs->type = 0x0b; /* Read, Execute, Accessed */
1620 cs->dpl = 0; /* will be adjusted later */
1624 set_desc_base(ss, 0); /* flat segment */
1625 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1626 ss->g = 1; /* 4kb granularity */
1628 ss->type = 0x03; /* Read/Write, Accessed */
1629 ss->d = 1; /* 32bit stack segment */
1635 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1637 struct decode_cache *c = &ctxt->decode;
1638 struct desc_struct cs, ss;
1642 /* syscall is not available in real mode */
1643 if (ctxt->mode == X86EMUL_MODE_REAL ||
1644 ctxt->mode == X86EMUL_MODE_VM86) {
1646 return X86EMUL_PROPAGATE_FAULT;
1649 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1651 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1653 cs_sel = (u16)(msr_data & 0xfffc);
1654 ss_sel = (u16)(msr_data + 8);
1656 if (is_long_mode(ctxt->vcpu)) {
1660 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1661 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1662 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1663 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1665 c->regs[VCPU_REGS_RCX] = c->eip;
1666 if (is_long_mode(ctxt->vcpu)) {
1667 #ifdef CONFIG_X86_64
1668 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1670 ops->get_msr(ctxt->vcpu,
1671 ctxt->mode == X86EMUL_MODE_PROT64 ?
1672 MSR_LSTAR : MSR_CSTAR, &msr_data);
1675 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1676 ctxt->eflags &= ~(msr_data | EFLG_RF);
1680 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1681 c->eip = (u32)msr_data;
1683 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1686 return X86EMUL_CONTINUE;
1690 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1692 struct decode_cache *c = &ctxt->decode;
1693 struct desc_struct cs, ss;
1697 /* inject #GP if in real mode */
1698 if (ctxt->mode == X86EMUL_MODE_REAL) {
1699 emulate_gp(ctxt, 0);
1700 return X86EMUL_PROPAGATE_FAULT;
1703 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1704 * Therefore, we inject an #UD.
1706 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1708 return X86EMUL_PROPAGATE_FAULT;
1711 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1713 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1714 switch (ctxt->mode) {
1715 case X86EMUL_MODE_PROT32:
1716 if ((msr_data & 0xfffc) == 0x0) {
1717 emulate_gp(ctxt, 0);
1718 return X86EMUL_PROPAGATE_FAULT;
1721 case X86EMUL_MODE_PROT64:
1722 if (msr_data == 0x0) {
1723 emulate_gp(ctxt, 0);
1724 return X86EMUL_PROPAGATE_FAULT;
1729 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1730 cs_sel = (u16)msr_data;
1731 cs_sel &= ~SELECTOR_RPL_MASK;
1732 ss_sel = cs_sel + 8;
1733 ss_sel &= ~SELECTOR_RPL_MASK;
1734 if (ctxt->mode == X86EMUL_MODE_PROT64
1735 || is_long_mode(ctxt->vcpu)) {
1740 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1741 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1742 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1743 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1745 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1748 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1749 c->regs[VCPU_REGS_RSP] = msr_data;
1751 return X86EMUL_CONTINUE;
1755 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1757 struct decode_cache *c = &ctxt->decode;
1758 struct desc_struct cs, ss;
1763 /* inject #GP if in real mode or Virtual 8086 mode */
1764 if (ctxt->mode == X86EMUL_MODE_REAL ||
1765 ctxt->mode == X86EMUL_MODE_VM86) {
1766 emulate_gp(ctxt, 0);
1767 return X86EMUL_PROPAGATE_FAULT;
1770 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1772 if ((c->rex_prefix & 0x8) != 0x0)
1773 usermode = X86EMUL_MODE_PROT64;
1775 usermode = X86EMUL_MODE_PROT32;
1779 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1781 case X86EMUL_MODE_PROT32:
1782 cs_sel = (u16)(msr_data + 16);
1783 if ((msr_data & 0xfffc) == 0x0) {
1784 emulate_gp(ctxt, 0);
1785 return X86EMUL_PROPAGATE_FAULT;
1787 ss_sel = (u16)(msr_data + 24);
1789 case X86EMUL_MODE_PROT64:
1790 cs_sel = (u16)(msr_data + 32);
1791 if (msr_data == 0x0) {
1792 emulate_gp(ctxt, 0);
1793 return X86EMUL_PROPAGATE_FAULT;
1795 ss_sel = cs_sel + 8;
1800 cs_sel |= SELECTOR_RPL_MASK;
1801 ss_sel |= SELECTOR_RPL_MASK;
1803 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1804 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1805 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1806 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1808 c->eip = c->regs[VCPU_REGS_RDX];
1809 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1811 return X86EMUL_CONTINUE;
1814 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1815 struct x86_emulate_ops *ops)
1818 if (ctxt->mode == X86EMUL_MODE_REAL)
1820 if (ctxt->mode == X86EMUL_MODE_VM86)
1822 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1823 return ops->cpl(ctxt->vcpu) > iopl;
1826 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1827 struct x86_emulate_ops *ops,
1830 struct desc_struct tr_seg;
1833 u8 perm, bit_idx = port & 0x7;
1834 unsigned mask = (1 << len) - 1;
1836 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1839 if (desc_limit_scaled(&tr_seg) < 103)
1841 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1843 if (r != X86EMUL_CONTINUE)
1845 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1847 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1848 &perm, 1, ctxt->vcpu, NULL);
1849 if (r != X86EMUL_CONTINUE)
1851 if ((perm >> bit_idx) & mask)
1856 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1857 struct x86_emulate_ops *ops,
1860 if (emulator_bad_iopl(ctxt, ops))
1861 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1866 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1867 struct x86_emulate_ops *ops,
1868 struct tss_segment_16 *tss)
1870 struct decode_cache *c = &ctxt->decode;
1873 tss->flag = ctxt->eflags;
1874 tss->ax = c->regs[VCPU_REGS_RAX];
1875 tss->cx = c->regs[VCPU_REGS_RCX];
1876 tss->dx = c->regs[VCPU_REGS_RDX];
1877 tss->bx = c->regs[VCPU_REGS_RBX];
1878 tss->sp = c->regs[VCPU_REGS_RSP];
1879 tss->bp = c->regs[VCPU_REGS_RBP];
1880 tss->si = c->regs[VCPU_REGS_RSI];
1881 tss->di = c->regs[VCPU_REGS_RDI];
1883 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1884 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1885 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1886 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1887 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1890 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1891 struct x86_emulate_ops *ops,
1892 struct tss_segment_16 *tss)
1894 struct decode_cache *c = &ctxt->decode;
1898 ctxt->eflags = tss->flag | 2;
1899 c->regs[VCPU_REGS_RAX] = tss->ax;
1900 c->regs[VCPU_REGS_RCX] = tss->cx;
1901 c->regs[VCPU_REGS_RDX] = tss->dx;
1902 c->regs[VCPU_REGS_RBX] = tss->bx;
1903 c->regs[VCPU_REGS_RSP] = tss->sp;
1904 c->regs[VCPU_REGS_RBP] = tss->bp;
1905 c->regs[VCPU_REGS_RSI] = tss->si;
1906 c->regs[VCPU_REGS_RDI] = tss->di;
1909 * SDM says that segment selectors are loaded before segment
1912 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1913 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1914 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1915 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1916 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1919 * Now load segment descriptors. If fault happenes at this stage
1920 * it is handled in a context of new task
1922 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1923 if (ret != X86EMUL_CONTINUE)
1925 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1926 if (ret != X86EMUL_CONTINUE)
1928 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1929 if (ret != X86EMUL_CONTINUE)
1931 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1932 if (ret != X86EMUL_CONTINUE)
1934 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1935 if (ret != X86EMUL_CONTINUE)
1938 return X86EMUL_CONTINUE;
1941 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1942 struct x86_emulate_ops *ops,
1943 u16 tss_selector, u16 old_tss_sel,
1944 ulong old_tss_base, struct desc_struct *new_desc)
1946 struct tss_segment_16 tss_seg;
1948 u32 err, new_tss_base = get_desc_base(new_desc);
1950 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1952 if (ret == X86EMUL_PROPAGATE_FAULT) {
1953 /* FIXME: need to provide precise fault address */
1954 emulate_pf(ctxt, old_tss_base, err);
1958 save_state_to_tss16(ctxt, ops, &tss_seg);
1960 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1962 if (ret == X86EMUL_PROPAGATE_FAULT) {
1963 /* FIXME: need to provide precise fault address */
1964 emulate_pf(ctxt, old_tss_base, err);
1968 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1970 if (ret == X86EMUL_PROPAGATE_FAULT) {
1971 /* FIXME: need to provide precise fault address */
1972 emulate_pf(ctxt, new_tss_base, err);
1976 if (old_tss_sel != 0xffff) {
1977 tss_seg.prev_task_link = old_tss_sel;
1979 ret = ops->write_std(new_tss_base,
1980 &tss_seg.prev_task_link,
1981 sizeof tss_seg.prev_task_link,
1983 if (ret == X86EMUL_PROPAGATE_FAULT) {
1984 /* FIXME: need to provide precise fault address */
1985 emulate_pf(ctxt, new_tss_base, err);
1990 return load_state_from_tss16(ctxt, ops, &tss_seg);
1993 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1994 struct x86_emulate_ops *ops,
1995 struct tss_segment_32 *tss)
1997 struct decode_cache *c = &ctxt->decode;
1999 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2001 tss->eflags = ctxt->eflags;
2002 tss->eax = c->regs[VCPU_REGS_RAX];
2003 tss->ecx = c->regs[VCPU_REGS_RCX];
2004 tss->edx = c->regs[VCPU_REGS_RDX];
2005 tss->ebx = c->regs[VCPU_REGS_RBX];
2006 tss->esp = c->regs[VCPU_REGS_RSP];
2007 tss->ebp = c->regs[VCPU_REGS_RBP];
2008 tss->esi = c->regs[VCPU_REGS_RSI];
2009 tss->edi = c->regs[VCPU_REGS_RDI];
2011 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2012 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2013 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2014 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2015 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2016 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2017 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2020 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2021 struct x86_emulate_ops *ops,
2022 struct tss_segment_32 *tss)
2024 struct decode_cache *c = &ctxt->decode;
2027 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2028 emulate_gp(ctxt, 0);
2029 return X86EMUL_PROPAGATE_FAULT;
2032 ctxt->eflags = tss->eflags | 2;
2033 c->regs[VCPU_REGS_RAX] = tss->eax;
2034 c->regs[VCPU_REGS_RCX] = tss->ecx;
2035 c->regs[VCPU_REGS_RDX] = tss->edx;
2036 c->regs[VCPU_REGS_RBX] = tss->ebx;
2037 c->regs[VCPU_REGS_RSP] = tss->esp;
2038 c->regs[VCPU_REGS_RBP] = tss->ebp;
2039 c->regs[VCPU_REGS_RSI] = tss->esi;
2040 c->regs[VCPU_REGS_RDI] = tss->edi;
2043 * SDM says that segment selectors are loaded before segment
2046 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2047 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2048 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2049 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2050 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2051 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2052 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2055 * Now load segment descriptors. If fault happenes at this stage
2056 * it is handled in a context of new task
2058 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2059 if (ret != X86EMUL_CONTINUE)
2061 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2062 if (ret != X86EMUL_CONTINUE)
2064 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2065 if (ret != X86EMUL_CONTINUE)
2067 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2068 if (ret != X86EMUL_CONTINUE)
2070 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2071 if (ret != X86EMUL_CONTINUE)
2073 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2074 if (ret != X86EMUL_CONTINUE)
2076 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2077 if (ret != X86EMUL_CONTINUE)
2080 return X86EMUL_CONTINUE;
2083 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2084 struct x86_emulate_ops *ops,
2085 u16 tss_selector, u16 old_tss_sel,
2086 ulong old_tss_base, struct desc_struct *new_desc)
2088 struct tss_segment_32 tss_seg;
2090 u32 err, new_tss_base = get_desc_base(new_desc);
2092 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2094 if (ret == X86EMUL_PROPAGATE_FAULT) {
2095 /* FIXME: need to provide precise fault address */
2096 emulate_pf(ctxt, old_tss_base, err);
2100 save_state_to_tss32(ctxt, ops, &tss_seg);
2102 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2104 if (ret == X86EMUL_PROPAGATE_FAULT) {
2105 /* FIXME: need to provide precise fault address */
2106 emulate_pf(ctxt, old_tss_base, err);
2110 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2112 if (ret == X86EMUL_PROPAGATE_FAULT) {
2113 /* FIXME: need to provide precise fault address */
2114 emulate_pf(ctxt, new_tss_base, err);
2118 if (old_tss_sel != 0xffff) {
2119 tss_seg.prev_task_link = old_tss_sel;
2121 ret = ops->write_std(new_tss_base,
2122 &tss_seg.prev_task_link,
2123 sizeof tss_seg.prev_task_link,
2125 if (ret == X86EMUL_PROPAGATE_FAULT) {
2126 /* FIXME: need to provide precise fault address */
2127 emulate_pf(ctxt, new_tss_base, err);
2132 return load_state_from_tss32(ctxt, ops, &tss_seg);
2135 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2136 struct x86_emulate_ops *ops,
2137 u16 tss_selector, int reason,
2138 bool has_error_code, u32 error_code)
2140 struct desc_struct curr_tss_desc, next_tss_desc;
2142 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2143 ulong old_tss_base =
2144 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2147 /* FIXME: old_tss_base == ~0 ? */
2149 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2150 if (ret != X86EMUL_CONTINUE)
2152 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2153 if (ret != X86EMUL_CONTINUE)
2156 /* FIXME: check that next_tss_desc is tss */
2158 if (reason != TASK_SWITCH_IRET) {
2159 if ((tss_selector & 3) > next_tss_desc.dpl ||
2160 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2161 emulate_gp(ctxt, 0);
2162 return X86EMUL_PROPAGATE_FAULT;
2166 desc_limit = desc_limit_scaled(&next_tss_desc);
2167 if (!next_tss_desc.p ||
2168 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2169 desc_limit < 0x2b)) {
2170 emulate_ts(ctxt, tss_selector & 0xfffc);
2171 return X86EMUL_PROPAGATE_FAULT;
2174 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2175 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2176 write_segment_descriptor(ctxt, ops, old_tss_sel,
2180 if (reason == TASK_SWITCH_IRET)
2181 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2183 /* set back link to prev task only if NT bit is set in eflags
2184 note that old_tss_sel is not used afetr this point */
2185 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2186 old_tss_sel = 0xffff;
2188 if (next_tss_desc.type & 8)
2189 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2190 old_tss_base, &next_tss_desc);
2192 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2193 old_tss_base, &next_tss_desc);
2194 if (ret != X86EMUL_CONTINUE)
2197 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2198 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2200 if (reason != TASK_SWITCH_IRET) {
2201 next_tss_desc.type |= (1 << 1); /* set busy flag */
2202 write_segment_descriptor(ctxt, ops, tss_selector,
2206 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2207 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2208 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2210 if (has_error_code) {
2211 struct decode_cache *c = &ctxt->decode;
2213 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2215 c->src.val = (unsigned long) error_code;
2216 emulate_push(ctxt, ops);
2222 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2223 u16 tss_selector, int reason,
2224 bool has_error_code, u32 error_code)
2226 struct x86_emulate_ops *ops = ctxt->ops;
2227 struct decode_cache *c = &ctxt->decode;
2231 c->dst.type = OP_NONE;
2233 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2234 has_error_code, error_code);
2236 if (rc == X86EMUL_CONTINUE) {
2237 rc = writeback(ctxt, ops);
2238 if (rc == X86EMUL_CONTINUE)
2242 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2245 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2246 int reg, struct operand *op)
2248 struct decode_cache *c = &ctxt->decode;
2249 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2251 register_address_increment(c, &c->regs[reg], df * op->bytes);
2252 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2256 x86_decode_insn(struct x86_emulate_ctxt *ctxt)
2258 struct x86_emulate_ops *ops = ctxt->ops;
2259 struct decode_cache *c = &ctxt->decode;
2260 int rc = X86EMUL_CONTINUE;
2261 int mode = ctxt->mode;
2262 int def_op_bytes, def_ad_bytes, dual, goffset;
2263 struct opcode opcode, *g_mod012, *g_mod3;
2265 /* we cannot decode insn before we complete previous rep insn */
2266 WARN_ON(ctxt->restart);
2269 c->fetch.start = c->fetch.end = c->eip;
2270 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2273 case X86EMUL_MODE_REAL:
2274 case X86EMUL_MODE_VM86:
2275 case X86EMUL_MODE_PROT16:
2276 def_op_bytes = def_ad_bytes = 2;
2278 case X86EMUL_MODE_PROT32:
2279 def_op_bytes = def_ad_bytes = 4;
2281 #ifdef CONFIG_X86_64
2282 case X86EMUL_MODE_PROT64:
2291 c->op_bytes = def_op_bytes;
2292 c->ad_bytes = def_ad_bytes;
2294 /* Legacy prefixes. */
2296 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2297 case 0x66: /* operand-size override */
2298 /* switch between 2/4 bytes */
2299 c->op_bytes = def_op_bytes ^ 6;
2301 case 0x67: /* address-size override */
2302 if (mode == X86EMUL_MODE_PROT64)
2303 /* switch between 4/8 bytes */
2304 c->ad_bytes = def_ad_bytes ^ 12;
2306 /* switch between 2/4 bytes */
2307 c->ad_bytes = def_ad_bytes ^ 6;
2309 case 0x26: /* ES override */
2310 case 0x2e: /* CS override */
2311 case 0x36: /* SS override */
2312 case 0x3e: /* DS override */
2313 set_seg_override(c, (c->b >> 3) & 3);
2315 case 0x64: /* FS override */
2316 case 0x65: /* GS override */
2317 set_seg_override(c, c->b & 7);
2319 case 0x40 ... 0x4f: /* REX */
2320 if (mode != X86EMUL_MODE_PROT64)
2322 c->rex_prefix = c->b;
2324 case 0xf0: /* LOCK */
2327 case 0xf2: /* REPNE/REPNZ */
2328 c->rep_prefix = REPNE_PREFIX;
2330 case 0xf3: /* REP/REPE/REPZ */
2331 c->rep_prefix = REPE_PREFIX;
2337 /* Any legacy prefix after a REX prefix nullifies its effect. */
2346 if (c->rex_prefix & 8)
2347 c->op_bytes = 8; /* REX.W */
2349 /* Opcode byte(s). */
2350 opcode = opcode_table[c->b];
2351 if (opcode.flags == 0) {
2352 /* Two-byte opcode? */
2355 c->b = insn_fetch(u8, 1, c->eip);
2356 opcode = twobyte_table[c->b];
2359 c->d = opcode.flags;
2362 dual = c->d & GroupDual;
2363 c->modrm = insn_fetch(u8, 1, c->eip);
2366 if (c->d & GroupDual) {
2367 g_mod012 = opcode.u.gdual->mod012;
2368 g_mod3 = opcode.u.gdual->mod3;
2370 g_mod012 = g_mod3 = opcode.u.group;
2372 c->d &= ~(Group | GroupDual);
2374 goffset = (c->modrm >> 3) & 7;
2376 if ((c->modrm >> 6) == 3)
2377 opcode = g_mod3[goffset];
2379 opcode = g_mod012[goffset];
2380 c->d |= opcode.flags;
2383 c->execute = opcode.u.execute;
2386 if (c->d == 0 || (c->d & Undefined)) {
2387 DPRINTF("Cannot emulate %02x\n", c->b);
2391 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2394 /* ModRM and SIB bytes. */
2396 rc = decode_modrm(ctxt, ops);
2397 else if (c->d & MemAbs)
2398 rc = decode_abs(ctxt, ops);
2399 if (rc != X86EMUL_CONTINUE)
2402 if (!c->has_seg_override)
2403 set_seg_override(c, VCPU_SREG_DS);
2405 if (!(!c->twobyte && c->b == 0x8d))
2406 c->modrm_ea += seg_override_base(ctxt, ops, c);
2408 if (c->ad_bytes != 8)
2409 c->modrm_ea = (u32)c->modrm_ea;
2411 if (c->rip_relative)
2412 c->modrm_ea += c->eip;
2415 * Decode and fetch the source operand: register, memory
2418 switch (c->d & SrcMask) {
2422 decode_register_operand(&c->src, c, 0);
2431 c->src.bytes = (c->d & ByteOp) ? 1 :
2433 /* Don't fetch the address for invlpg: it could be unmapped. */
2434 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
2438 * For instructions with a ModR/M byte, switch to register
2439 * access if Mod = 3.
2441 if ((c->d & ModRM) && c->modrm_mod == 3) {
2442 c->src.type = OP_REG;
2443 c->src.val = c->modrm_val;
2444 c->src.ptr = c->modrm_ptr;
2447 c->src.type = OP_MEM;
2448 c->src.ptr = (unsigned long *)c->modrm_ea;
2453 c->src.type = OP_IMM;
2454 c->src.ptr = (unsigned long *)c->eip;
2455 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2456 if (c->src.bytes == 8)
2458 /* NB. Immediates are sign-extended as necessary. */
2459 switch (c->src.bytes) {
2461 c->src.val = insn_fetch(s8, 1, c->eip);
2464 c->src.val = insn_fetch(s16, 2, c->eip);
2467 c->src.val = insn_fetch(s32, 4, c->eip);
2470 if ((c->d & SrcMask) == SrcImmU) {
2471 switch (c->src.bytes) {
2476 c->src.val &= 0xffff;
2479 c->src.val &= 0xffffffff;
2486 c->src.type = OP_IMM;
2487 c->src.ptr = (unsigned long *)c->eip;
2489 if ((c->d & SrcMask) == SrcImmByte)
2490 c->src.val = insn_fetch(s8, 1, c->eip);
2492 c->src.val = insn_fetch(u8, 1, c->eip);
2495 c->src.type = OP_REG;
2496 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2497 c->src.ptr = &c->regs[VCPU_REGS_RAX];
2498 switch (c->src.bytes) {
2500 c->src.val = *(u8 *)c->src.ptr;
2503 c->src.val = *(u16 *)c->src.ptr;
2506 c->src.val = *(u32 *)c->src.ptr;
2509 c->src.val = *(u64 *)c->src.ptr;
2518 c->src.type = OP_MEM;
2519 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2520 c->src.ptr = (unsigned long *)
2521 register_address(c, seg_override_base(ctxt, ops, c),
2522 c->regs[VCPU_REGS_RSI]);
2526 c->src.type = OP_IMM;
2527 c->src.ptr = (unsigned long *)c->eip;
2528 c->src.bytes = c->op_bytes + 2;
2529 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2532 c->src.type = OP_MEM;
2533 c->src.ptr = (unsigned long *)c->modrm_ea;
2534 c->src.bytes = c->op_bytes + 2;
2539 * Decode and fetch the second source operand: register, memory
2542 switch (c->d & Src2Mask) {
2547 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2550 c->src2.type = OP_IMM;
2551 c->src2.ptr = (unsigned long *)c->eip;
2553 c->src2.val = insn_fetch(u8, 1, c->eip);
2561 /* Decode and fetch the destination operand: register or memory. */
2562 switch (c->d & DstMask) {
2564 /* Special instructions do their own operand decoding. */
2567 decode_register_operand(&c->dst, c,
2568 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2572 if ((c->d & ModRM) && c->modrm_mod == 3) {
2573 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2574 c->dst.type = OP_REG;
2575 c->dst.val = c->dst.orig_val = c->modrm_val;
2576 c->dst.ptr = c->modrm_ptr;
2579 c->dst.type = OP_MEM;
2580 c->dst.ptr = (unsigned long *)c->modrm_ea;
2581 if ((c->d & DstMask) == DstMem64)
2584 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2587 unsigned long mask = ~(c->dst.bytes * 8 - 1);
2589 c->dst.ptr = (void *)c->dst.ptr +
2590 (c->src.val & mask) / 8;
2594 c->dst.type = OP_REG;
2595 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2596 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
2597 switch (c->dst.bytes) {
2599 c->dst.val = *(u8 *)c->dst.ptr;
2602 c->dst.val = *(u16 *)c->dst.ptr;
2605 c->dst.val = *(u32 *)c->dst.ptr;
2608 c->dst.val = *(u64 *)c->dst.ptr;
2611 c->dst.orig_val = c->dst.val;
2614 c->dst.type = OP_MEM;
2615 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2616 c->dst.ptr = (unsigned long *)
2617 register_address(c, es_base(ctxt, ops),
2618 c->regs[VCPU_REGS_RDI]);
2624 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2628 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2630 struct x86_emulate_ops *ops = ctxt->ops;
2632 struct decode_cache *c = &ctxt->decode;
2633 int rc = X86EMUL_CONTINUE;
2634 int saved_dst_type = c->dst.type;
2636 ctxt->decode.mem_read.pos = 0;
2638 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2643 /* LOCK prefix is allowed only with some instructions */
2644 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2649 /* Privileged instruction can be executed only in CPL=0 */
2650 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2651 emulate_gp(ctxt, 0);
2655 if (c->rep_prefix && (c->d & String)) {
2656 ctxt->restart = true;
2657 /* All REP prefixes have the same first termination condition */
2658 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2660 ctxt->restart = false;
2664 /* The second termination condition only applies for REPE
2665 * and REPNE. Test if the repeat string operation prefix is
2666 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2667 * corresponding termination condition according to:
2668 * - if REPE/REPZ and ZF = 0 then done
2669 * - if REPNE/REPNZ and ZF = 1 then done
2671 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2672 (c->b == 0xae) || (c->b == 0xaf)) {
2673 if ((c->rep_prefix == REPE_PREFIX) &&
2674 ((ctxt->eflags & EFLG_ZF) == 0))
2676 if ((c->rep_prefix == REPNE_PREFIX) &&
2677 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2683 if (c->src.type == OP_MEM) {
2684 rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2685 c->src.valptr, c->src.bytes);
2686 if (rc != X86EMUL_CONTINUE)
2688 c->src.orig_val64 = c->src.val64;
2691 if (c->src2.type == OP_MEM) {
2692 rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
2693 &c->src2.val, c->src2.bytes);
2694 if (rc != X86EMUL_CONTINUE)
2698 if ((c->d & DstMask) == ImplicitOps)
2702 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2703 /* optimisation - avoid slow emulated read if Mov */
2704 rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
2705 &c->dst.val, c->dst.bytes);
2706 if (rc != X86EMUL_CONTINUE)
2709 c->dst.orig_val = c->dst.val;
2714 rc = c->execute(ctxt);
2715 if (rc != X86EMUL_CONTINUE)
2726 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2728 case 0x06: /* push es */
2729 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2731 case 0x07: /* pop es */
2732 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2733 if (rc != X86EMUL_CONTINUE)
2738 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2740 case 0x0e: /* push cs */
2741 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2745 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2747 case 0x16: /* push ss */
2748 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2750 case 0x17: /* pop ss */
2751 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2752 if (rc != X86EMUL_CONTINUE)
2757 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2759 case 0x1e: /* push ds */
2760 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2762 case 0x1f: /* pop ds */
2763 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2764 if (rc != X86EMUL_CONTINUE)
2769 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2773 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2777 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2781 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2783 case 0x40 ... 0x47: /* inc r16/r32 */
2784 emulate_1op("inc", c->dst, ctxt->eflags);
2786 case 0x48 ... 0x4f: /* dec r16/r32 */
2787 emulate_1op("dec", c->dst, ctxt->eflags);
2789 case 0x50 ... 0x57: /* push reg */
2790 emulate_push(ctxt, ops);
2792 case 0x58 ... 0x5f: /* pop reg */
2794 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2795 if (rc != X86EMUL_CONTINUE)
2798 case 0x60: /* pusha */
2799 rc = emulate_pusha(ctxt, ops);
2800 if (rc != X86EMUL_CONTINUE)
2803 case 0x61: /* popa */
2804 rc = emulate_popa(ctxt, ops);
2805 if (rc != X86EMUL_CONTINUE)
2808 case 0x63: /* movsxd */
2809 if (ctxt->mode != X86EMUL_MODE_PROT64)
2810 goto cannot_emulate;
2811 c->dst.val = (s32) c->src.val;
2813 case 0x68: /* push imm */
2814 case 0x6a: /* push imm8 */
2815 emulate_push(ctxt, ops);
2817 case 0x6c: /* insb */
2818 case 0x6d: /* insw/insd */
2819 c->dst.bytes = min(c->dst.bytes, 4u);
2820 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2822 emulate_gp(ctxt, 0);
2825 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2826 c->regs[VCPU_REGS_RDX], &c->dst.val))
2827 goto done; /* IO is needed, skip writeback */
2829 case 0x6e: /* outsb */
2830 case 0x6f: /* outsw/outsd */
2831 c->src.bytes = min(c->src.bytes, 4u);
2832 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2834 emulate_gp(ctxt, 0);
2837 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2838 &c->src.val, 1, ctxt->vcpu);
2840 c->dst.type = OP_NONE; /* nothing to writeback */
2842 case 0x70 ... 0x7f: /* jcc (short) */
2843 if (test_cc(c->b, ctxt->eflags))
2844 jmp_rel(c, c->src.val);
2846 case 0x80 ... 0x83: /* Grp1 */
2847 switch (c->modrm_reg) {
2868 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2870 case 0x86 ... 0x87: /* xchg */
2872 /* Write back the register source. */
2873 switch (c->dst.bytes) {
2875 *(u8 *) c->src.ptr = (u8) c->dst.val;
2878 *(u16 *) c->src.ptr = (u16) c->dst.val;
2881 *c->src.ptr = (u32) c->dst.val;
2882 break; /* 64b reg: zero-extend */
2884 *c->src.ptr = c->dst.val;
2888 * Write back the memory destination with implicit LOCK
2891 c->dst.val = c->src.val;
2894 case 0x88 ... 0x8b: /* mov */
2896 case 0x8c: /* mov r/m, sreg */
2897 if (c->modrm_reg > VCPU_SREG_GS) {
2901 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2903 case 0x8d: /* lea r16/r32, m */
2904 c->dst.val = c->modrm_ea;
2906 case 0x8e: { /* mov seg, r/m16 */
2911 if (c->modrm_reg == VCPU_SREG_CS ||
2912 c->modrm_reg > VCPU_SREG_GS) {
2917 if (c->modrm_reg == VCPU_SREG_SS)
2918 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2920 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2922 c->dst.type = OP_NONE; /* Disable writeback. */
2925 case 0x8f: /* pop (sole member of Grp1a) */
2926 rc = emulate_grp1a(ctxt, ops);
2927 if (rc != X86EMUL_CONTINUE)
2930 case 0x90: /* nop / xchg r8,rax */
2931 if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
2932 c->dst.type = OP_NONE; /* nop */
2935 case 0x91 ... 0x97: /* xchg reg,rax */
2936 c->src.type = OP_REG;
2937 c->src.bytes = c->op_bytes;
2938 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2939 c->src.val = *(c->src.ptr);
2941 case 0x9c: /* pushf */
2942 c->src.val = (unsigned long) ctxt->eflags;
2943 emulate_push(ctxt, ops);
2945 case 0x9d: /* popf */
2946 c->dst.type = OP_REG;
2947 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2948 c->dst.bytes = c->op_bytes;
2949 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2950 if (rc != X86EMUL_CONTINUE)
2953 case 0xa0 ... 0xa3: /* mov */
2954 case 0xa4 ... 0xa5: /* movs */
2956 case 0xa6 ... 0xa7: /* cmps */
2957 c->dst.type = OP_NONE; /* Disable writeback. */
2958 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2960 case 0xa8 ... 0xa9: /* test ax, imm */
2962 case 0xaa ... 0xab: /* stos */
2963 c->dst.val = c->regs[VCPU_REGS_RAX];
2965 case 0xac ... 0xad: /* lods */
2967 case 0xae ... 0xaf: /* scas */
2968 DPRINTF("Urk! I don't handle SCAS.\n");
2969 goto cannot_emulate;
2970 case 0xb0 ... 0xbf: /* mov r, imm */
2975 case 0xc3: /* ret */
2976 c->dst.type = OP_REG;
2977 c->dst.ptr = &c->eip;
2978 c->dst.bytes = c->op_bytes;
2979 goto pop_instruction;
2980 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2982 c->dst.val = c->src.val;
2984 case 0xcb: /* ret far */
2985 rc = emulate_ret_far(ctxt, ops);
2986 if (rc != X86EMUL_CONTINUE)
2989 case 0xcf: /* iret */
2990 rc = emulate_iret(ctxt, ops);
2992 if (rc != X86EMUL_CONTINUE)
2995 case 0xd0 ... 0xd1: /* Grp2 */
2999 case 0xd2 ... 0xd3: /* Grp2 */
3000 c->src.val = c->regs[VCPU_REGS_RCX];
3003 case 0xe4: /* inb */
3006 case 0xe6: /* outb */
3007 case 0xe7: /* out */
3009 case 0xe8: /* call (near) */ {
3010 long int rel = c->src.val;
3011 c->src.val = (unsigned long) c->eip;
3013 emulate_push(ctxt, ops);
3016 case 0xe9: /* jmp rel */
3018 case 0xea: { /* jmp far */
3021 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3023 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3027 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3031 jmp: /* jmp rel short */
3032 jmp_rel(c, c->src.val);
3033 c->dst.type = OP_NONE; /* Disable writeback. */
3035 case 0xec: /* in al,dx */
3036 case 0xed: /* in (e/r)ax,dx */
3037 c->src.val = c->regs[VCPU_REGS_RDX];
3039 c->dst.bytes = min(c->dst.bytes, 4u);
3040 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3041 emulate_gp(ctxt, 0);
3044 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3046 goto done; /* IO is needed */
3048 case 0xee: /* out dx,al */
3049 case 0xef: /* out dx,(e/r)ax */
3050 c->src.val = c->regs[VCPU_REGS_RDX];
3052 c->dst.bytes = min(c->dst.bytes, 4u);
3053 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3054 emulate_gp(ctxt, 0);
3057 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
3059 c->dst.type = OP_NONE; /* Disable writeback. */
3061 case 0xf4: /* hlt */
3062 ctxt->vcpu->arch.halt_request = 1;
3064 case 0xf5: /* cmc */
3065 /* complement carry flag from eflags reg */
3066 ctxt->eflags ^= EFLG_CF;
3067 c->dst.type = OP_NONE; /* Disable writeback. */
3069 case 0xf6 ... 0xf7: /* Grp3 */
3070 if (!emulate_grp3(ctxt, ops))
3071 goto cannot_emulate;
3073 case 0xf8: /* clc */
3074 ctxt->eflags &= ~EFLG_CF;
3075 c->dst.type = OP_NONE; /* Disable writeback. */
3077 case 0xfa: /* cli */
3078 if (emulator_bad_iopl(ctxt, ops)) {
3079 emulate_gp(ctxt, 0);
3082 ctxt->eflags &= ~X86_EFLAGS_IF;
3083 c->dst.type = OP_NONE; /* Disable writeback. */
3086 case 0xfb: /* sti */
3087 if (emulator_bad_iopl(ctxt, ops)) {
3088 emulate_gp(ctxt, 0);
3091 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3092 ctxt->eflags |= X86_EFLAGS_IF;
3093 c->dst.type = OP_NONE; /* Disable writeback. */
3096 case 0xfc: /* cld */
3097 ctxt->eflags &= ~EFLG_DF;
3098 c->dst.type = OP_NONE; /* Disable writeback. */
3100 case 0xfd: /* std */
3101 ctxt->eflags |= EFLG_DF;
3102 c->dst.type = OP_NONE; /* Disable writeback. */
3104 case 0xfe: /* Grp4 */
3106 rc = emulate_grp45(ctxt, ops);
3107 if (rc != X86EMUL_CONTINUE)
3110 case 0xff: /* Grp5 */
3111 if (c->modrm_reg == 5)
3115 goto cannot_emulate;
3119 rc = writeback(ctxt, ops);
3120 if (rc != X86EMUL_CONTINUE)
3124 * restore dst type in case the decoding will be reused
3125 * (happens for string instruction )
3127 c->dst.type = saved_dst_type;
3129 if ((c->d & SrcMask) == SrcSI)
3130 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3131 VCPU_REGS_RSI, &c->src);
3133 if ((c->d & DstMask) == DstDI)
3134 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3137 if (c->rep_prefix && (c->d & String)) {
3138 struct read_cache *rc = &ctxt->decode.io_read;
3139 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3141 * Re-enter guest when pio read ahead buffer is empty or,
3142 * if it is not used, after each 1024 iteration.
3144 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3145 (rc->end != 0 && rc->end == rc->pos))
3146 ctxt->restart = false;
3149 * reset read cache here in case string instruction is restared
3152 ctxt->decode.mem_read.end = 0;
3156 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3160 case 0x01: /* lgdt, lidt, lmsw */
3161 switch (c->modrm_reg) {
3163 unsigned long address;
3165 case 0: /* vmcall */
3166 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3167 goto cannot_emulate;
3169 rc = kvm_fix_hypercall(ctxt->vcpu);
3170 if (rc != X86EMUL_CONTINUE)
3173 /* Let the processor re-execute the fixed hypercall */
3175 /* Disable writeback. */
3176 c->dst.type = OP_NONE;
3179 rc = read_descriptor(ctxt, ops, c->src.ptr,
3180 &size, &address, c->op_bytes);
3181 if (rc != X86EMUL_CONTINUE)
3183 realmode_lgdt(ctxt->vcpu, size, address);
3184 /* Disable writeback. */
3185 c->dst.type = OP_NONE;
3187 case 3: /* lidt/vmmcall */
3188 if (c->modrm_mod == 3) {
3189 switch (c->modrm_rm) {
3191 rc = kvm_fix_hypercall(ctxt->vcpu);
3192 if (rc != X86EMUL_CONTINUE)
3196 goto cannot_emulate;
3199 rc = read_descriptor(ctxt, ops, c->src.ptr,
3202 if (rc != X86EMUL_CONTINUE)
3204 realmode_lidt(ctxt->vcpu, size, address);
3206 /* Disable writeback. */
3207 c->dst.type = OP_NONE;
3211 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3214 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3215 (c->src.val & 0x0f), ctxt->vcpu);
3216 c->dst.type = OP_NONE;
3218 case 5: /* not defined */
3222 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3223 /* Disable writeback. */
3224 c->dst.type = OP_NONE;
3227 goto cannot_emulate;
3230 case 0x05: /* syscall */
3231 rc = emulate_syscall(ctxt, ops);
3232 if (rc != X86EMUL_CONTINUE)
3238 emulate_clts(ctxt->vcpu);
3239 c->dst.type = OP_NONE;
3241 case 0x09: /* wbinvd */
3242 kvm_emulate_wbinvd(ctxt->vcpu);
3243 c->dst.type = OP_NONE;
3245 case 0x08: /* invd */
3246 case 0x0d: /* GrpP (prefetch) */
3247 case 0x18: /* Grp16 (prefetch/nop) */
3248 c->dst.type = OP_NONE;
3250 case 0x20: /* mov cr, reg */
3251 switch (c->modrm_reg) {
3258 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3259 c->dst.type = OP_NONE; /* no writeback */
3261 case 0x21: /* mov from dr to reg */
3262 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3263 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3267 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3268 c->dst.type = OP_NONE; /* no writeback */
3270 case 0x22: /* mov reg, cr */
3271 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3272 emulate_gp(ctxt, 0);
3275 c->dst.type = OP_NONE;
3277 case 0x23: /* mov from reg to dr */
3278 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3279 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3284 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3285 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3286 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3287 /* #UD condition is already handled by the code above */
3288 emulate_gp(ctxt, 0);
3292 c->dst.type = OP_NONE; /* no writeback */
3296 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3297 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3298 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3299 emulate_gp(ctxt, 0);
3302 rc = X86EMUL_CONTINUE;
3303 c->dst.type = OP_NONE;
3307 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3308 emulate_gp(ctxt, 0);
3311 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3312 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3314 rc = X86EMUL_CONTINUE;
3315 c->dst.type = OP_NONE;
3317 case 0x34: /* sysenter */
3318 rc = emulate_sysenter(ctxt, ops);
3319 if (rc != X86EMUL_CONTINUE)
3324 case 0x35: /* sysexit */
3325 rc = emulate_sysexit(ctxt, ops);
3326 if (rc != X86EMUL_CONTINUE)
3331 case 0x40 ... 0x4f: /* cmov */
3332 c->dst.val = c->dst.orig_val = c->src.val;
3333 if (!test_cc(c->b, ctxt->eflags))
3334 c->dst.type = OP_NONE; /* no writeback */
3336 case 0x80 ... 0x8f: /* jnz rel, etc*/
3337 if (test_cc(c->b, ctxt->eflags))
3338 jmp_rel(c, c->src.val);
3339 c->dst.type = OP_NONE;
3341 case 0xa0: /* push fs */
3342 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3344 case 0xa1: /* pop fs */
3345 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3346 if (rc != X86EMUL_CONTINUE)
3351 c->dst.type = OP_NONE;
3352 /* only subword offset */
3353 c->src.val &= (c->dst.bytes << 3) - 1;
3354 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3356 case 0xa4: /* shld imm8, r, r/m */
3357 case 0xa5: /* shld cl, r, r/m */
3358 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3360 case 0xa8: /* push gs */
3361 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3363 case 0xa9: /* pop gs */
3364 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3365 if (rc != X86EMUL_CONTINUE)
3370 /* only subword offset */
3371 c->src.val &= (c->dst.bytes << 3) - 1;
3372 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3374 case 0xac: /* shrd imm8, r, r/m */
3375 case 0xad: /* shrd cl, r, r/m */
3376 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3378 case 0xae: /* clflush */
3380 case 0xb0 ... 0xb1: /* cmpxchg */
3382 * Save real source value, then compare EAX against
3385 c->src.orig_val = c->src.val;
3386 c->src.val = c->regs[VCPU_REGS_RAX];
3387 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3388 if (ctxt->eflags & EFLG_ZF) {
3389 /* Success: write back to memory. */
3390 c->dst.val = c->src.orig_val;
3392 /* Failure: write the value we saw to EAX. */
3393 c->dst.type = OP_REG;
3394 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3399 /* only subword offset */
3400 c->src.val &= (c->dst.bytes << 3) - 1;
3401 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3403 case 0xb6 ... 0xb7: /* movzx */
3404 c->dst.bytes = c->op_bytes;
3405 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3408 case 0xba: /* Grp8 */
3409 switch (c->modrm_reg & 3) {
3422 /* only subword offset */
3423 c->src.val &= (c->dst.bytes << 3) - 1;
3424 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3426 case 0xbe ... 0xbf: /* movsx */
3427 c->dst.bytes = c->op_bytes;
3428 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3431 case 0xc3: /* movnti */
3432 c->dst.bytes = c->op_bytes;
3433 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3436 case 0xc7: /* Grp9 (cmpxchg8b) */
3437 rc = emulate_grp9(ctxt, ops);
3438 if (rc != X86EMUL_CONTINUE)
3442 goto cannot_emulate;
3447 DPRINTF("Cannot emulate %02x\n", c->b);
projects / linux.git / blob