1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
77 /* Destination is only written; never read. */
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
86 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
87 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
88 #define Undefined (1<<25) /* No Such Instruction */
89 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
90 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
92 /* Source 2 operand type */
93 #define Src2None (0<<29)
94 #define Src2CL (1<<29)
95 #define Src2ImmByte (2<<29)
96 #define Src2One (3<<29)
97 #define Src2Mask (7<<29)
100 #define X3(x...) X2(x), x
101 #define X4(x...) X2(x), X2(x)
102 #define X5(x...) X4(x), x
103 #define X6(x...) X4(x), X2(x)
104 #define X7(x...) X4(x), X3(x)
105 #define X8(x...) X4(x), X4(x)
106 #define X16(x...) X8(x), X8(x)
111 int (*execute)(struct x86_emulate_ctxt *ctxt);
112 struct opcode *group;
113 struct group_dual *gdual;
118 struct opcode mod012[8];
119 struct opcode mod3[8];
122 /* EFLAGS bit definitions. */
123 #define EFLG_ID (1<<21)
124 #define EFLG_VIP (1<<20)
125 #define EFLG_VIF (1<<19)
126 #define EFLG_AC (1<<18)
127 #define EFLG_VM (1<<17)
128 #define EFLG_RF (1<<16)
129 #define EFLG_IOPL (3<<12)
130 #define EFLG_NT (1<<14)
131 #define EFLG_OF (1<<11)
132 #define EFLG_DF (1<<10)
133 #define EFLG_IF (1<<9)
134 #define EFLG_TF (1<<8)
135 #define EFLG_SF (1<<7)
136 #define EFLG_ZF (1<<6)
137 #define EFLG_AF (1<<4)
138 #define EFLG_PF (1<<2)
139 #define EFLG_CF (1<<0)
141 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
142 #define EFLG_RESERVED_ONE_MASK 2
145 * Instruction emulation:
146 * Most instructions are emulated directly via a fragment of inline assembly
147 * code. This allows us to save/restore EFLAGS and thus very easily pick up
148 * any modified flags.
151 #if defined(CONFIG_X86_64)
152 #define _LO32 "k" /* force 32-bit operand */
153 #define _STK "%%rsp" /* stack pointer */
154 #elif defined(__i386__)
155 #define _LO32 "" /* force 32-bit operand */
156 #define _STK "%%esp" /* stack pointer */
160 * These EFLAGS bits are restored from saved value during emulation, and
161 * any changes are written back to the saved value after emulation.
163 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
165 /* Before executing instruction: restore necessary bits in EFLAGS. */
166 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
167 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
168 "movl %"_sav",%"_LO32 _tmp"; " \
171 "movl %"_msk",%"_LO32 _tmp"; " \
172 "andl %"_LO32 _tmp",("_STK"); " \
174 "notl %"_LO32 _tmp"; " \
175 "andl %"_LO32 _tmp",("_STK"); " \
176 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
178 "orl %"_LO32 _tmp",("_STK"); " \
182 /* After executing instruction: write-back necessary bits in EFLAGS. */
183 #define _POST_EFLAGS(_sav, _msk, _tmp) \
184 /* _sav |= EFLAGS & _msk; */ \
187 "andl %"_msk",%"_LO32 _tmp"; " \
188 "orl %"_LO32 _tmp",%"_sav"; "
196 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
198 __asm__ __volatile__ ( \
199 _PRE_EFLAGS("0", "4", "2") \
200 _op _suffix " %"_x"3,%1; " \
201 _POST_EFLAGS("0", "4", "2") \
202 : "=m" (_eflags), "=m" ((_dst).val), \
204 : _y ((_src).val), "i" (EFLAGS_MASK)); \
208 /* Raw emulation: instruction has two explicit operands. */
209 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
211 unsigned long _tmp; \
213 switch ((_dst).bytes) { \
215 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
218 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
221 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
226 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
228 unsigned long _tmp; \
229 switch ((_dst).bytes) { \
231 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
234 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
235 _wx, _wy, _lx, _ly, _qx, _qy); \
240 /* Source operand is byte-sized and may be restricted to just %cl. */
241 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
242 __emulate_2op(_op, _src, _dst, _eflags, \
243 "b", "c", "b", "c", "b", "c", "b", "c")
245 /* Source operand is byte, word, long or quad sized. */
246 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
247 __emulate_2op(_op, _src, _dst, _eflags, \
248 "b", "q", "w", "r", _LO32, "r", "", "r")
250 /* Source operand is word, long or quad sized. */
251 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
252 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
253 "w", "r", _LO32, "r", "", "r")
255 /* Instruction has three operands and one operand is stored in ECX register */
256 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
258 unsigned long _tmp; \
259 _type _clv = (_cl).val; \
260 _type _srcv = (_src).val; \
261 _type _dstv = (_dst).val; \
263 __asm__ __volatile__ ( \
264 _PRE_EFLAGS("0", "5", "2") \
265 _op _suffix " %4,%1 \n" \
266 _POST_EFLAGS("0", "5", "2") \
267 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
268 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
271 (_cl).val = (unsigned long) _clv; \
272 (_src).val = (unsigned long) _srcv; \
273 (_dst).val = (unsigned long) _dstv; \
276 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
278 switch ((_dst).bytes) { \
280 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
281 "w", unsigned short); \
284 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
285 "l", unsigned int); \
288 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
289 "q", unsigned long)); \
294 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
296 unsigned long _tmp; \
298 __asm__ __volatile__ ( \
299 _PRE_EFLAGS("0", "3", "2") \
300 _op _suffix " %1; " \
301 _POST_EFLAGS("0", "3", "2") \
302 : "=m" (_eflags), "+m" ((_dst).val), \
304 : "i" (EFLAGS_MASK)); \
307 /* Instruction has only one explicit operand (no source operand). */
308 #define emulate_1op(_op, _dst, _eflags) \
310 switch ((_dst).bytes) { \
311 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
312 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
313 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
314 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
318 /* Fetch next part of the instruction being emulated. */
319 #define insn_fetch(_type, _size, _eip) \
320 ({ unsigned long _x; \
321 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
322 if (rc != X86EMUL_CONTINUE) \
328 #define insn_fetch_arr(_arr, _size, _eip) \
329 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
330 if (rc != X86EMUL_CONTINUE) \
335 static inline unsigned long ad_mask(struct decode_cache *c)
337 return (1UL << (c->ad_bytes << 3)) - 1;
340 /* Access/update address held in a register, based on addressing mode. */
341 static inline unsigned long
342 address_mask(struct decode_cache *c, unsigned long reg)
344 if (c->ad_bytes == sizeof(unsigned long))
347 return reg & ad_mask(c);
350 static inline unsigned long
351 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
353 return base + address_mask(c, reg);
357 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
359 if (c->ad_bytes == sizeof(unsigned long))
362 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
365 static inline void jmp_rel(struct decode_cache *c, int rel)
367 register_address_increment(c, &c->eip, rel);
370 static void set_seg_override(struct decode_cache *c, int seg)
372 c->has_seg_override = true;
373 c->seg_override = seg;
376 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
377 struct x86_emulate_ops *ops, int seg)
379 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
382 return ops->get_cached_segment_base(seg, ctxt->vcpu);
385 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
386 struct x86_emulate_ops *ops,
387 struct decode_cache *c)
389 if (!c->has_seg_override)
392 return seg_base(ctxt, ops, c->seg_override);
395 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
396 struct x86_emulate_ops *ops)
398 return seg_base(ctxt, ops, VCPU_SREG_ES);
401 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
402 struct x86_emulate_ops *ops)
404 return seg_base(ctxt, ops, VCPU_SREG_SS);
407 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
408 u32 error, bool valid)
410 ctxt->exception = vec;
411 ctxt->error_code = error;
412 ctxt->error_code_valid = valid;
413 ctxt->restart = false;
416 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
418 emulate_exception(ctxt, GP_VECTOR, err, true);
421 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
425 emulate_exception(ctxt, PF_VECTOR, err, true);
428 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
430 emulate_exception(ctxt, UD_VECTOR, 0, false);
433 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
435 emulate_exception(ctxt, TS_VECTOR, err, true);
438 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
439 struct x86_emulate_ops *ops,
440 unsigned long eip, u8 *dest)
442 struct fetch_cache *fc = &ctxt->decode.fetch;
446 if (eip == fc->end) {
447 cur_size = fc->end - fc->start;
448 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
449 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
450 size, ctxt->vcpu, NULL);
451 if (rc != X86EMUL_CONTINUE)
455 *dest = fc->data[eip - fc->start];
456 return X86EMUL_CONTINUE;
459 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
460 struct x86_emulate_ops *ops,
461 unsigned long eip, void *dest, unsigned size)
465 /* x86 instructions are limited to 15 bytes. */
466 if (eip + size - ctxt->eip > 15)
467 return X86EMUL_UNHANDLEABLE;
469 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
470 if (rc != X86EMUL_CONTINUE)
473 return X86EMUL_CONTINUE;
477 * Given the 'reg' portion of a ModRM byte, and a register block, return a
478 * pointer into the block that addresses the relevant register.
479 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
481 static void *decode_register(u8 modrm_reg, unsigned long *regs,
486 p = ®s[modrm_reg];
487 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
488 p = (unsigned char *)®s[modrm_reg & 3] + 1;
492 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
493 struct x86_emulate_ops *ops,
495 u16 *size, unsigned long *address, int op_bytes)
502 rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
503 if (rc != X86EMUL_CONTINUE)
505 rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
509 static int test_cc(unsigned int condition, unsigned int flags)
513 switch ((condition & 15) >> 1) {
515 rc |= (flags & EFLG_OF);
517 case 1: /* b/c/nae */
518 rc |= (flags & EFLG_CF);
521 rc |= (flags & EFLG_ZF);
524 rc |= (flags & (EFLG_CF|EFLG_ZF));
527 rc |= (flags & EFLG_SF);
530 rc |= (flags & EFLG_PF);
533 rc |= (flags & EFLG_ZF);
536 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
540 /* Odd condition identifiers (lsb == 1) have inverted sense. */
541 return (!!rc ^ (condition & 1));
544 static void fetch_register_operand(struct operand *op)
548 op->val = *(u8 *)op->addr.reg;
551 op->val = *(u16 *)op->addr.reg;
554 op->val = *(u32 *)op->addr.reg;
557 op->val = *(u64 *)op->addr.reg;
562 static void decode_register_operand(struct operand *op,
563 struct decode_cache *c,
566 unsigned reg = c->modrm_reg;
567 int highbyte_regs = c->rex_prefix == 0;
570 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
572 if ((c->d & ByteOp) && !inhibit_bytereg) {
573 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
576 op->addr.reg = decode_register(reg, c->regs, 0);
577 op->bytes = c->op_bytes;
579 fetch_register_operand(op);
580 op->orig_val = op->val;
583 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
584 struct x86_emulate_ops *ops,
587 struct decode_cache *c = &ctxt->decode;
589 int index_reg = 0, base_reg = 0, scale;
590 int rc = X86EMUL_CONTINUE;
594 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
595 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
596 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
599 c->modrm = insn_fetch(u8, 1, c->eip);
600 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
601 c->modrm_reg |= (c->modrm & 0x38) >> 3;
602 c->modrm_rm |= (c->modrm & 0x07);
603 c->modrm_seg = VCPU_SREG_DS;
605 if (c->modrm_mod == 3) {
607 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
608 op->addr.reg = decode_register(c->modrm_rm,
609 c->regs, c->d & ByteOp);
610 fetch_register_operand(op);
616 if (c->ad_bytes == 2) {
617 unsigned bx = c->regs[VCPU_REGS_RBX];
618 unsigned bp = c->regs[VCPU_REGS_RBP];
619 unsigned si = c->regs[VCPU_REGS_RSI];
620 unsigned di = c->regs[VCPU_REGS_RDI];
622 /* 16-bit ModR/M decode. */
623 switch (c->modrm_mod) {
625 if (c->modrm_rm == 6)
626 modrm_ea += insn_fetch(u16, 2, c->eip);
629 modrm_ea += insn_fetch(s8, 1, c->eip);
632 modrm_ea += insn_fetch(u16, 2, c->eip);
635 switch (c->modrm_rm) {
655 if (c->modrm_mod != 0)
662 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
663 (c->modrm_rm == 6 && c->modrm_mod != 0))
664 c->modrm_seg = VCPU_SREG_SS;
665 modrm_ea = (u16)modrm_ea;
667 /* 32/64-bit ModR/M decode. */
668 if ((c->modrm_rm & 7) == 4) {
669 sib = insn_fetch(u8, 1, c->eip);
670 index_reg |= (sib >> 3) & 7;
674 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
675 modrm_ea += insn_fetch(s32, 4, c->eip);
677 modrm_ea += c->regs[base_reg];
679 modrm_ea += c->regs[index_reg] << scale;
680 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
681 if (ctxt->mode == X86EMUL_MODE_PROT64)
684 modrm_ea += c->regs[c->modrm_rm];
685 switch (c->modrm_mod) {
687 if (c->modrm_rm == 5)
688 modrm_ea += insn_fetch(s32, 4, c->eip);
691 modrm_ea += insn_fetch(s8, 1, c->eip);
694 modrm_ea += insn_fetch(s32, 4, c->eip);
698 op->addr.mem = modrm_ea;
703 static int decode_abs(struct x86_emulate_ctxt *ctxt,
704 struct x86_emulate_ops *ops,
707 struct decode_cache *c = &ctxt->decode;
708 int rc = X86EMUL_CONTINUE;
711 switch (c->ad_bytes) {
713 op->addr.mem = insn_fetch(u16, 2, c->eip);
716 op->addr.mem = insn_fetch(u32, 4, c->eip);
719 op->addr.mem = insn_fetch(u64, 8, c->eip);
726 static void fetch_bit_operand(struct decode_cache *c)
730 if (c->dst.type == OP_MEM) {
731 mask = ~(c->dst.bytes * 8 - 1);
733 if (c->src.bytes == 2)
734 sv = (s16)c->src.val & (s16)mask;
735 else if (c->src.bytes == 4)
736 sv = (s32)c->src.val & (s32)mask;
738 c->dst.addr.mem += (sv >> 3);
742 static int read_emulated(struct x86_emulate_ctxt *ctxt,
743 struct x86_emulate_ops *ops,
744 unsigned long addr, void *dest, unsigned size)
747 struct read_cache *mc = &ctxt->decode.mem_read;
751 int n = min(size, 8u);
753 if (mc->pos < mc->end)
756 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
758 if (rc == X86EMUL_PROPAGATE_FAULT)
759 emulate_pf(ctxt, addr, err);
760 if (rc != X86EMUL_CONTINUE)
765 memcpy(dest, mc->data + mc->pos, n);
770 return X86EMUL_CONTINUE;
773 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
774 struct x86_emulate_ops *ops,
775 unsigned int size, unsigned short port,
778 struct read_cache *rc = &ctxt->decode.io_read;
780 if (rc->pos == rc->end) { /* refill pio read ahead */
781 struct decode_cache *c = &ctxt->decode;
782 unsigned int in_page, n;
783 unsigned int count = c->rep_prefix ?
784 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
785 in_page = (ctxt->eflags & EFLG_DF) ?
786 offset_in_page(c->regs[VCPU_REGS_RDI]) :
787 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
788 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
792 rc->pos = rc->end = 0;
793 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
798 memcpy(dest, rc->data + rc->pos, size);
803 static u32 desc_limit_scaled(struct desc_struct *desc)
805 u32 limit = get_desc_limit(desc);
807 return desc->g ? (limit << 12) | 0xfff : limit;
810 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
811 struct x86_emulate_ops *ops,
812 u16 selector, struct desc_ptr *dt)
814 if (selector & 1 << 2) {
815 struct desc_struct desc;
816 memset (dt, 0, sizeof *dt);
817 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
820 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
821 dt->address = get_desc_base(&desc);
823 ops->get_gdt(dt, ctxt->vcpu);
826 /* allowed just for 8 bytes segments */
827 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
828 struct x86_emulate_ops *ops,
829 u16 selector, struct desc_struct *desc)
832 u16 index = selector >> 3;
837 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
839 if (dt.size < index * 8 + 7) {
840 emulate_gp(ctxt, selector & 0xfffc);
841 return X86EMUL_PROPAGATE_FAULT;
843 addr = dt.address + index * 8;
844 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
845 if (ret == X86EMUL_PROPAGATE_FAULT)
846 emulate_pf(ctxt, addr, err);
851 /* allowed just for 8 bytes segments */
852 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
853 struct x86_emulate_ops *ops,
854 u16 selector, struct desc_struct *desc)
857 u16 index = selector >> 3;
862 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
864 if (dt.size < index * 8 + 7) {
865 emulate_gp(ctxt, selector & 0xfffc);
866 return X86EMUL_PROPAGATE_FAULT;
869 addr = dt.address + index * 8;
870 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
871 if (ret == X86EMUL_PROPAGATE_FAULT)
872 emulate_pf(ctxt, addr, err);
877 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
878 struct x86_emulate_ops *ops,
879 u16 selector, int seg)
881 struct desc_struct seg_desc;
883 unsigned err_vec = GP_VECTOR;
885 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
888 memset(&seg_desc, 0, sizeof seg_desc);
890 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
891 || ctxt->mode == X86EMUL_MODE_REAL) {
892 /* set real mode segment descriptor */
893 set_desc_base(&seg_desc, selector << 4);
894 set_desc_limit(&seg_desc, 0xffff);
901 /* NULL selector is not valid for TR, CS and SS */
902 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
906 /* TR should be in GDT only */
907 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
910 if (null_selector) /* for NULL selector skip all following checks */
913 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
914 if (ret != X86EMUL_CONTINUE)
917 err_code = selector & 0xfffc;
920 /* can't load system descriptor into segment selecor */
921 if (seg <= VCPU_SREG_GS && !seg_desc.s)
925 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
931 cpl = ops->cpl(ctxt->vcpu);
936 * segment is not a writable data segment or segment
937 * selector's RPL != CPL or segment selector's RPL != CPL
939 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
943 if (!(seg_desc.type & 8))
946 if (seg_desc.type & 4) {
952 if (rpl > cpl || dpl != cpl)
956 selector = (selector & 0xfffc) | cpl;
959 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
963 if (seg_desc.s || seg_desc.type != 2)
966 default: /* DS, ES, FS, or GS */
968 * segment is not a data or readable code segment or
969 * ((segment is a data or nonconforming code segment)
970 * and (both RPL and CPL > DPL))
972 if ((seg_desc.type & 0xa) == 0x8 ||
973 (((seg_desc.type & 0xc) != 0xc) &&
974 (rpl > dpl && cpl > dpl)))
980 /* mark segment as accessed */
982 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
983 if (ret != X86EMUL_CONTINUE)
987 ops->set_segment_selector(selector, seg, ctxt->vcpu);
988 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
989 return X86EMUL_CONTINUE;
991 emulate_exception(ctxt, err_vec, err_code, true);
992 return X86EMUL_PROPAGATE_FAULT;
995 static inline int writeback(struct x86_emulate_ctxt *ctxt,
996 struct x86_emulate_ops *ops)
999 struct decode_cache *c = &ctxt->decode;
1002 switch (c->dst.type) {
1004 /* The 4-byte case *is* correct:
1005 * in 64-bit mode we zero-extend.
1007 switch (c->dst.bytes) {
1009 *(u8 *)c->dst.addr.reg = (u8)c->dst.val;
1012 *(u16 *)c->dst.addr.reg = (u16)c->dst.val;
1015 *c->dst.addr.reg = (u32)c->dst.val;
1016 break; /* 64b: zero-ext */
1018 *c->dst.addr.reg = c->dst.val;
1024 rc = ops->cmpxchg_emulated(
1032 rc = ops->write_emulated(
1038 if (rc == X86EMUL_PROPAGATE_FAULT)
1039 emulate_pf(ctxt, c->dst.addr.mem, err);
1040 if (rc != X86EMUL_CONTINUE)
1049 return X86EMUL_CONTINUE;
1052 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1053 struct x86_emulate_ops *ops)
1055 struct decode_cache *c = &ctxt->decode;
1057 c->dst.type = OP_MEM;
1058 c->dst.bytes = c->op_bytes;
1059 c->dst.val = c->src.val;
1060 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1061 c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
1062 c->regs[VCPU_REGS_RSP]);
1065 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1066 struct x86_emulate_ops *ops,
1067 void *dest, int len)
1069 struct decode_cache *c = &ctxt->decode;
1072 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1073 c->regs[VCPU_REGS_RSP]),
1075 if (rc != X86EMUL_CONTINUE)
1078 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1082 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1083 struct x86_emulate_ops *ops,
1084 void *dest, int len)
1087 unsigned long val, change_mask;
1088 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1089 int cpl = ops->cpl(ctxt->vcpu);
1091 rc = emulate_pop(ctxt, ops, &val, len);
1092 if (rc != X86EMUL_CONTINUE)
1095 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1096 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1098 switch(ctxt->mode) {
1099 case X86EMUL_MODE_PROT64:
1100 case X86EMUL_MODE_PROT32:
1101 case X86EMUL_MODE_PROT16:
1103 change_mask |= EFLG_IOPL;
1105 change_mask |= EFLG_IF;
1107 case X86EMUL_MODE_VM86:
1109 emulate_gp(ctxt, 0);
1110 return X86EMUL_PROPAGATE_FAULT;
1112 change_mask |= EFLG_IF;
1114 default: /* real mode */
1115 change_mask |= (EFLG_IOPL | EFLG_IF);
1119 *(unsigned long *)dest =
1120 (ctxt->eflags & ~change_mask) | (val & change_mask);
1125 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1126 struct x86_emulate_ops *ops, int seg)
1128 struct decode_cache *c = &ctxt->decode;
1130 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1132 emulate_push(ctxt, ops);
1135 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1136 struct x86_emulate_ops *ops, int seg)
1138 struct decode_cache *c = &ctxt->decode;
1139 unsigned long selector;
1142 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1143 if (rc != X86EMUL_CONTINUE)
1146 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1150 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1151 struct x86_emulate_ops *ops)
1153 struct decode_cache *c = &ctxt->decode;
1154 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1155 int rc = X86EMUL_CONTINUE;
1156 int reg = VCPU_REGS_RAX;
1158 while (reg <= VCPU_REGS_RDI) {
1159 (reg == VCPU_REGS_RSP) ?
1160 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1162 emulate_push(ctxt, ops);
1164 rc = writeback(ctxt, ops);
1165 if (rc != X86EMUL_CONTINUE)
1171 /* Disable writeback. */
1172 c->dst.type = OP_NONE;
1177 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1178 struct x86_emulate_ops *ops)
1180 struct decode_cache *c = &ctxt->decode;
1181 int rc = X86EMUL_CONTINUE;
1182 int reg = VCPU_REGS_RDI;
1184 while (reg >= VCPU_REGS_RAX) {
1185 if (reg == VCPU_REGS_RSP) {
1186 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1191 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1192 if (rc != X86EMUL_CONTINUE)
1199 int emulate_int_real(struct x86_emulate_ctxt *ctxt,
1200 struct x86_emulate_ops *ops, int irq)
1202 struct decode_cache *c = &ctxt->decode;
1203 int rc = X86EMUL_CONTINUE;
1210 /* TODO: Add limit checks */
1211 c->src.val = ctxt->eflags;
1212 emulate_push(ctxt, ops);
1214 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1216 c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1217 emulate_push(ctxt, ops);
1219 c->src.val = c->eip;
1220 emulate_push(ctxt, ops);
1222 ops->get_idt(&dt, ctxt->vcpu);
1224 eip_addr = dt.address + (irq << 2);
1225 cs_addr = dt.address + (irq << 2) + 2;
1227 rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &err);
1228 if (rc != X86EMUL_CONTINUE)
1231 rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &err);
1232 if (rc != X86EMUL_CONTINUE)
1235 rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
1236 if (rc != X86EMUL_CONTINUE)
1244 static int emulate_int(struct x86_emulate_ctxt *ctxt,
1245 struct x86_emulate_ops *ops, int irq)
1247 switch(ctxt->mode) {
1248 case X86EMUL_MODE_REAL:
1249 return emulate_int_real(ctxt, ops, irq);
1250 case X86EMUL_MODE_VM86:
1251 case X86EMUL_MODE_PROT16:
1252 case X86EMUL_MODE_PROT32:
1253 case X86EMUL_MODE_PROT64:
1255 /* Protected mode interrupts unimplemented yet */
1256 return X86EMUL_UNHANDLEABLE;
1260 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1261 struct x86_emulate_ops *ops)
1263 struct decode_cache *c = &ctxt->decode;
1264 int rc = X86EMUL_CONTINUE;
1265 unsigned long temp_eip = 0;
1266 unsigned long temp_eflags = 0;
1267 unsigned long cs = 0;
1268 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1269 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1270 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1271 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1273 /* TODO: Add stack limit check */
1275 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1277 if (rc != X86EMUL_CONTINUE)
1280 if (temp_eip & ~0xffff) {
1281 emulate_gp(ctxt, 0);
1282 return X86EMUL_PROPAGATE_FAULT;
1285 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1287 if (rc != X86EMUL_CONTINUE)
1290 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1292 if (rc != X86EMUL_CONTINUE)
1295 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1297 if (rc != X86EMUL_CONTINUE)
1303 if (c->op_bytes == 4)
1304 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1305 else if (c->op_bytes == 2) {
1306 ctxt->eflags &= ~0xffff;
1307 ctxt->eflags |= temp_eflags;
1310 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1311 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1316 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1317 struct x86_emulate_ops* ops)
1319 switch(ctxt->mode) {
1320 case X86EMUL_MODE_REAL:
1321 return emulate_iret_real(ctxt, ops);
1322 case X86EMUL_MODE_VM86:
1323 case X86EMUL_MODE_PROT16:
1324 case X86EMUL_MODE_PROT32:
1325 case X86EMUL_MODE_PROT64:
1327 /* iret from protected mode unimplemented yet */
1328 return X86EMUL_UNHANDLEABLE;
1332 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1333 struct x86_emulate_ops *ops)
1335 struct decode_cache *c = &ctxt->decode;
1337 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1340 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1342 struct decode_cache *c = &ctxt->decode;
1343 switch (c->modrm_reg) {
1345 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1348 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1351 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1354 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1356 case 4: /* sal/shl */
1357 case 6: /* sal/shl */
1358 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1361 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1364 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1369 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1370 struct x86_emulate_ops *ops)
1372 struct decode_cache *c = &ctxt->decode;
1374 switch (c->modrm_reg) {
1375 case 0 ... 1: /* test */
1376 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1379 c->dst.val = ~c->dst.val;
1382 emulate_1op("neg", c->dst, ctxt->eflags);
1390 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1391 struct x86_emulate_ops *ops)
1393 struct decode_cache *c = &ctxt->decode;
1395 switch (c->modrm_reg) {
1397 emulate_1op("inc", c->dst, ctxt->eflags);
1400 emulate_1op("dec", c->dst, ctxt->eflags);
1402 case 2: /* call near abs */ {
1405 c->eip = c->src.val;
1406 c->src.val = old_eip;
1407 emulate_push(ctxt, ops);
1410 case 4: /* jmp abs */
1411 c->eip = c->src.val;
1414 emulate_push(ctxt, ops);
1417 return X86EMUL_CONTINUE;
1420 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1421 struct x86_emulate_ops *ops)
1423 struct decode_cache *c = &ctxt->decode;
1424 u64 old = c->dst.orig_val64;
1426 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1427 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1428 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1429 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1430 ctxt->eflags &= ~EFLG_ZF;
1432 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1433 (u32) c->regs[VCPU_REGS_RBX];
1435 ctxt->eflags |= EFLG_ZF;
1437 return X86EMUL_CONTINUE;
1440 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1441 struct x86_emulate_ops *ops)
1443 struct decode_cache *c = &ctxt->decode;
1447 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1448 if (rc != X86EMUL_CONTINUE)
1450 if (c->op_bytes == 4)
1451 c->eip = (u32)c->eip;
1452 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1453 if (rc != X86EMUL_CONTINUE)
1455 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1460 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1461 struct x86_emulate_ops *ops, struct desc_struct *cs,
1462 struct desc_struct *ss)
1464 memset(cs, 0, sizeof(struct desc_struct));
1465 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1466 memset(ss, 0, sizeof(struct desc_struct));
1468 cs->l = 0; /* will be adjusted later */
1469 set_desc_base(cs, 0); /* flat segment */
1470 cs->g = 1; /* 4kb granularity */
1471 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1472 cs->type = 0x0b; /* Read, Execute, Accessed */
1474 cs->dpl = 0; /* will be adjusted later */
1478 set_desc_base(ss, 0); /* flat segment */
1479 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1480 ss->g = 1; /* 4kb granularity */
1482 ss->type = 0x03; /* Read/Write, Accessed */
1483 ss->d = 1; /* 32bit stack segment */
1489 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1491 struct decode_cache *c = &ctxt->decode;
1492 struct desc_struct cs, ss;
1496 /* syscall is not available in real mode */
1497 if (ctxt->mode == X86EMUL_MODE_REAL ||
1498 ctxt->mode == X86EMUL_MODE_VM86) {
1500 return X86EMUL_PROPAGATE_FAULT;
1503 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1505 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1507 cs_sel = (u16)(msr_data & 0xfffc);
1508 ss_sel = (u16)(msr_data + 8);
1510 if (is_long_mode(ctxt->vcpu)) {
1514 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1515 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1516 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1517 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1519 c->regs[VCPU_REGS_RCX] = c->eip;
1520 if (is_long_mode(ctxt->vcpu)) {
1521 #ifdef CONFIG_X86_64
1522 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1524 ops->get_msr(ctxt->vcpu,
1525 ctxt->mode == X86EMUL_MODE_PROT64 ?
1526 MSR_LSTAR : MSR_CSTAR, &msr_data);
1529 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1530 ctxt->eflags &= ~(msr_data | EFLG_RF);
1534 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1535 c->eip = (u32)msr_data;
1537 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1540 return X86EMUL_CONTINUE;
1544 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1546 struct decode_cache *c = &ctxt->decode;
1547 struct desc_struct cs, ss;
1551 /* inject #GP if in real mode */
1552 if (ctxt->mode == X86EMUL_MODE_REAL) {
1553 emulate_gp(ctxt, 0);
1554 return X86EMUL_PROPAGATE_FAULT;
1557 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1558 * Therefore, we inject an #UD.
1560 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1562 return X86EMUL_PROPAGATE_FAULT;
1565 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1567 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1568 switch (ctxt->mode) {
1569 case X86EMUL_MODE_PROT32:
1570 if ((msr_data & 0xfffc) == 0x0) {
1571 emulate_gp(ctxt, 0);
1572 return X86EMUL_PROPAGATE_FAULT;
1575 case X86EMUL_MODE_PROT64:
1576 if (msr_data == 0x0) {
1577 emulate_gp(ctxt, 0);
1578 return X86EMUL_PROPAGATE_FAULT;
1583 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1584 cs_sel = (u16)msr_data;
1585 cs_sel &= ~SELECTOR_RPL_MASK;
1586 ss_sel = cs_sel + 8;
1587 ss_sel &= ~SELECTOR_RPL_MASK;
1588 if (ctxt->mode == X86EMUL_MODE_PROT64
1589 || is_long_mode(ctxt->vcpu)) {
1594 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1595 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1596 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1597 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1599 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1602 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1603 c->regs[VCPU_REGS_RSP] = msr_data;
1605 return X86EMUL_CONTINUE;
1609 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1611 struct decode_cache *c = &ctxt->decode;
1612 struct desc_struct cs, ss;
1617 /* inject #GP if in real mode or Virtual 8086 mode */
1618 if (ctxt->mode == X86EMUL_MODE_REAL ||
1619 ctxt->mode == X86EMUL_MODE_VM86) {
1620 emulate_gp(ctxt, 0);
1621 return X86EMUL_PROPAGATE_FAULT;
1624 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1626 if ((c->rex_prefix & 0x8) != 0x0)
1627 usermode = X86EMUL_MODE_PROT64;
1629 usermode = X86EMUL_MODE_PROT32;
1633 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1635 case X86EMUL_MODE_PROT32:
1636 cs_sel = (u16)(msr_data + 16);
1637 if ((msr_data & 0xfffc) == 0x0) {
1638 emulate_gp(ctxt, 0);
1639 return X86EMUL_PROPAGATE_FAULT;
1641 ss_sel = (u16)(msr_data + 24);
1643 case X86EMUL_MODE_PROT64:
1644 cs_sel = (u16)(msr_data + 32);
1645 if (msr_data == 0x0) {
1646 emulate_gp(ctxt, 0);
1647 return X86EMUL_PROPAGATE_FAULT;
1649 ss_sel = cs_sel + 8;
1654 cs_sel |= SELECTOR_RPL_MASK;
1655 ss_sel |= SELECTOR_RPL_MASK;
1657 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1658 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1659 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1660 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1662 c->eip = c->regs[VCPU_REGS_RDX];
1663 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1665 return X86EMUL_CONTINUE;
1668 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1669 struct x86_emulate_ops *ops)
1672 if (ctxt->mode == X86EMUL_MODE_REAL)
1674 if (ctxt->mode == X86EMUL_MODE_VM86)
1676 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1677 return ops->cpl(ctxt->vcpu) > iopl;
1680 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1681 struct x86_emulate_ops *ops,
1684 struct desc_struct tr_seg;
1687 u8 perm, bit_idx = port & 0x7;
1688 unsigned mask = (1 << len) - 1;
1690 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1693 if (desc_limit_scaled(&tr_seg) < 103)
1695 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1697 if (r != X86EMUL_CONTINUE)
1699 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1701 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1702 &perm, 1, ctxt->vcpu, NULL);
1703 if (r != X86EMUL_CONTINUE)
1705 if ((perm >> bit_idx) & mask)
1710 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1711 struct x86_emulate_ops *ops,
1717 if (emulator_bad_iopl(ctxt, ops))
1718 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1721 ctxt->perm_ok = true;
1726 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1727 struct x86_emulate_ops *ops,
1728 struct tss_segment_16 *tss)
1730 struct decode_cache *c = &ctxt->decode;
1733 tss->flag = ctxt->eflags;
1734 tss->ax = c->regs[VCPU_REGS_RAX];
1735 tss->cx = c->regs[VCPU_REGS_RCX];
1736 tss->dx = c->regs[VCPU_REGS_RDX];
1737 tss->bx = c->regs[VCPU_REGS_RBX];
1738 tss->sp = c->regs[VCPU_REGS_RSP];
1739 tss->bp = c->regs[VCPU_REGS_RBP];
1740 tss->si = c->regs[VCPU_REGS_RSI];
1741 tss->di = c->regs[VCPU_REGS_RDI];
1743 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1744 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1745 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1746 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1747 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1750 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1751 struct x86_emulate_ops *ops,
1752 struct tss_segment_16 *tss)
1754 struct decode_cache *c = &ctxt->decode;
1758 ctxt->eflags = tss->flag | 2;
1759 c->regs[VCPU_REGS_RAX] = tss->ax;
1760 c->regs[VCPU_REGS_RCX] = tss->cx;
1761 c->regs[VCPU_REGS_RDX] = tss->dx;
1762 c->regs[VCPU_REGS_RBX] = tss->bx;
1763 c->regs[VCPU_REGS_RSP] = tss->sp;
1764 c->regs[VCPU_REGS_RBP] = tss->bp;
1765 c->regs[VCPU_REGS_RSI] = tss->si;
1766 c->regs[VCPU_REGS_RDI] = tss->di;
1769 * SDM says that segment selectors are loaded before segment
1772 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1773 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1774 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1775 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1776 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1779 * Now load segment descriptors. If fault happenes at this stage
1780 * it is handled in a context of new task
1782 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1783 if (ret != X86EMUL_CONTINUE)
1785 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1786 if (ret != X86EMUL_CONTINUE)
1788 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1789 if (ret != X86EMUL_CONTINUE)
1791 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1792 if (ret != X86EMUL_CONTINUE)
1794 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1795 if (ret != X86EMUL_CONTINUE)
1798 return X86EMUL_CONTINUE;
1801 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1802 struct x86_emulate_ops *ops,
1803 u16 tss_selector, u16 old_tss_sel,
1804 ulong old_tss_base, struct desc_struct *new_desc)
1806 struct tss_segment_16 tss_seg;
1808 u32 err, new_tss_base = get_desc_base(new_desc);
1810 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1812 if (ret == X86EMUL_PROPAGATE_FAULT) {
1813 /* FIXME: need to provide precise fault address */
1814 emulate_pf(ctxt, old_tss_base, err);
1818 save_state_to_tss16(ctxt, ops, &tss_seg);
1820 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1822 if (ret == X86EMUL_PROPAGATE_FAULT) {
1823 /* FIXME: need to provide precise fault address */
1824 emulate_pf(ctxt, old_tss_base, err);
1828 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1830 if (ret == X86EMUL_PROPAGATE_FAULT) {
1831 /* FIXME: need to provide precise fault address */
1832 emulate_pf(ctxt, new_tss_base, err);
1836 if (old_tss_sel != 0xffff) {
1837 tss_seg.prev_task_link = old_tss_sel;
1839 ret = ops->write_std(new_tss_base,
1840 &tss_seg.prev_task_link,
1841 sizeof tss_seg.prev_task_link,
1843 if (ret == X86EMUL_PROPAGATE_FAULT) {
1844 /* FIXME: need to provide precise fault address */
1845 emulate_pf(ctxt, new_tss_base, err);
1850 return load_state_from_tss16(ctxt, ops, &tss_seg);
1853 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1854 struct x86_emulate_ops *ops,
1855 struct tss_segment_32 *tss)
1857 struct decode_cache *c = &ctxt->decode;
1859 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
1861 tss->eflags = ctxt->eflags;
1862 tss->eax = c->regs[VCPU_REGS_RAX];
1863 tss->ecx = c->regs[VCPU_REGS_RCX];
1864 tss->edx = c->regs[VCPU_REGS_RDX];
1865 tss->ebx = c->regs[VCPU_REGS_RBX];
1866 tss->esp = c->regs[VCPU_REGS_RSP];
1867 tss->ebp = c->regs[VCPU_REGS_RBP];
1868 tss->esi = c->regs[VCPU_REGS_RSI];
1869 tss->edi = c->regs[VCPU_REGS_RDI];
1871 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1872 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1873 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1874 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1875 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
1876 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
1877 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1880 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1881 struct x86_emulate_ops *ops,
1882 struct tss_segment_32 *tss)
1884 struct decode_cache *c = &ctxt->decode;
1887 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
1888 emulate_gp(ctxt, 0);
1889 return X86EMUL_PROPAGATE_FAULT;
1892 ctxt->eflags = tss->eflags | 2;
1893 c->regs[VCPU_REGS_RAX] = tss->eax;
1894 c->regs[VCPU_REGS_RCX] = tss->ecx;
1895 c->regs[VCPU_REGS_RDX] = tss->edx;
1896 c->regs[VCPU_REGS_RBX] = tss->ebx;
1897 c->regs[VCPU_REGS_RSP] = tss->esp;
1898 c->regs[VCPU_REGS_RBP] = tss->ebp;
1899 c->regs[VCPU_REGS_RSI] = tss->esi;
1900 c->regs[VCPU_REGS_RDI] = tss->edi;
1903 * SDM says that segment selectors are loaded before segment
1906 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
1907 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1908 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1909 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1910 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1911 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
1912 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
1915 * Now load segment descriptors. If fault happenes at this stage
1916 * it is handled in a context of new task
1918 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
1919 if (ret != X86EMUL_CONTINUE)
1921 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1922 if (ret != X86EMUL_CONTINUE)
1924 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1925 if (ret != X86EMUL_CONTINUE)
1927 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1928 if (ret != X86EMUL_CONTINUE)
1930 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1931 if (ret != X86EMUL_CONTINUE)
1933 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
1934 if (ret != X86EMUL_CONTINUE)
1936 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
1937 if (ret != X86EMUL_CONTINUE)
1940 return X86EMUL_CONTINUE;
1943 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
1944 struct x86_emulate_ops *ops,
1945 u16 tss_selector, u16 old_tss_sel,
1946 ulong old_tss_base, struct desc_struct *new_desc)
1948 struct tss_segment_32 tss_seg;
1950 u32 err, new_tss_base = get_desc_base(new_desc);
1952 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1954 if (ret == X86EMUL_PROPAGATE_FAULT) {
1955 /* FIXME: need to provide precise fault address */
1956 emulate_pf(ctxt, old_tss_base, err);
1960 save_state_to_tss32(ctxt, ops, &tss_seg);
1962 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1964 if (ret == X86EMUL_PROPAGATE_FAULT) {
1965 /* FIXME: need to provide precise fault address */
1966 emulate_pf(ctxt, old_tss_base, err);
1970 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1972 if (ret == X86EMUL_PROPAGATE_FAULT) {
1973 /* FIXME: need to provide precise fault address */
1974 emulate_pf(ctxt, new_tss_base, err);
1978 if (old_tss_sel != 0xffff) {
1979 tss_seg.prev_task_link = old_tss_sel;
1981 ret = ops->write_std(new_tss_base,
1982 &tss_seg.prev_task_link,
1983 sizeof tss_seg.prev_task_link,
1985 if (ret == X86EMUL_PROPAGATE_FAULT) {
1986 /* FIXME: need to provide precise fault address */
1987 emulate_pf(ctxt, new_tss_base, err);
1992 return load_state_from_tss32(ctxt, ops, &tss_seg);
1995 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
1996 struct x86_emulate_ops *ops,
1997 u16 tss_selector, int reason,
1998 bool has_error_code, u32 error_code)
2000 struct desc_struct curr_tss_desc, next_tss_desc;
2002 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2003 ulong old_tss_base =
2004 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2007 /* FIXME: old_tss_base == ~0 ? */
2009 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2010 if (ret != X86EMUL_CONTINUE)
2012 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2013 if (ret != X86EMUL_CONTINUE)
2016 /* FIXME: check that next_tss_desc is tss */
2018 if (reason != TASK_SWITCH_IRET) {
2019 if ((tss_selector & 3) > next_tss_desc.dpl ||
2020 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2021 emulate_gp(ctxt, 0);
2022 return X86EMUL_PROPAGATE_FAULT;
2026 desc_limit = desc_limit_scaled(&next_tss_desc);
2027 if (!next_tss_desc.p ||
2028 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2029 desc_limit < 0x2b)) {
2030 emulate_ts(ctxt, tss_selector & 0xfffc);
2031 return X86EMUL_PROPAGATE_FAULT;
2034 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2035 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2036 write_segment_descriptor(ctxt, ops, old_tss_sel,
2040 if (reason == TASK_SWITCH_IRET)
2041 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2043 /* set back link to prev task only if NT bit is set in eflags
2044 note that old_tss_sel is not used afetr this point */
2045 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2046 old_tss_sel = 0xffff;
2048 if (next_tss_desc.type & 8)
2049 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2050 old_tss_base, &next_tss_desc);
2052 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2053 old_tss_base, &next_tss_desc);
2054 if (ret != X86EMUL_CONTINUE)
2057 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2058 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2060 if (reason != TASK_SWITCH_IRET) {
2061 next_tss_desc.type |= (1 << 1); /* set busy flag */
2062 write_segment_descriptor(ctxt, ops, tss_selector,
2066 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2067 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2068 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2070 if (has_error_code) {
2071 struct decode_cache *c = &ctxt->decode;
2073 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2075 c->src.val = (unsigned long) error_code;
2076 emulate_push(ctxt, ops);
2082 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2083 u16 tss_selector, int reason,
2084 bool has_error_code, u32 error_code)
2086 struct x86_emulate_ops *ops = ctxt->ops;
2087 struct decode_cache *c = &ctxt->decode;
2091 c->dst.type = OP_NONE;
2093 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2094 has_error_code, error_code);
2096 if (rc == X86EMUL_CONTINUE) {
2097 rc = writeback(ctxt, ops);
2098 if (rc == X86EMUL_CONTINUE)
2102 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2105 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2106 int reg, struct operand *op)
2108 struct decode_cache *c = &ctxt->decode;
2109 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2111 register_address_increment(c, &c->regs[reg], df * op->bytes);
2112 op->addr.mem = register_address(c, base, c->regs[reg]);
2115 static int em_push(struct x86_emulate_ctxt *ctxt)
2117 emulate_push(ctxt, ctxt->ops);
2118 return X86EMUL_CONTINUE;
2121 #define D(_y) { .flags = (_y) }
2123 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2124 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2125 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2127 static struct opcode group1[] = {
2131 static struct opcode group1A[] = {
2132 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2135 static struct opcode group3[] = {
2136 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2137 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2141 static struct opcode group4[] = {
2142 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2146 static struct opcode group5[] = {
2147 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2148 D(SrcMem | ModRM | Stack), N,
2149 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2150 D(SrcMem | ModRM | Stack), N,
2153 static struct group_dual group7 = { {
2154 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2155 D(SrcNone | ModRM | DstMem | Mov), N,
2156 D(SrcMem16 | ModRM | Mov | Priv),
2157 D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
2159 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
2160 D(SrcNone | ModRM | DstMem | Mov), N,
2161 D(SrcMem16 | ModRM | Mov | Priv), N,
2164 static struct opcode group8[] = {
2166 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2167 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2170 static struct group_dual group9 = { {
2171 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2173 N, N, N, N, N, N, N, N,
2176 static struct opcode opcode_table[256] = {
2178 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2179 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2180 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2181 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2183 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2184 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2185 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2186 D(ImplicitOps | Stack | No64), N,
2188 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2189 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2190 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2191 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2193 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2194 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2195 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2196 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2198 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2199 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2200 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2202 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2203 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2204 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2206 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2207 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2208 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2210 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2211 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2212 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2217 X8(I(SrcReg | Stack, em_push)),
2219 X8(D(DstReg | Stack)),
2221 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2222 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2225 I(SrcImm | Mov | Stack, em_push), N,
2226 I(SrcImmByte | Mov | Stack, em_push), N,
2227 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
2228 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2232 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2233 G(DstMem | SrcImm | ModRM | Group, group1),
2234 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2235 G(DstMem | SrcImmByte | ModRM | Group, group1),
2236 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2237 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2239 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
2240 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
2241 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2242 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2244 X8(D(SrcAcc | DstReg)),
2246 N, N, D(SrcImmFAddr | No64), N,
2247 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2249 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
2250 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
2251 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
2252 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
2254 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm),
2255 D(ByteOp | SrcAcc | DstDI | Mov | String), D(SrcAcc | DstDI | Mov | String),
2256 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
2257 D(ByteOp | DstDI | String), D(DstDI | String),
2259 X8(D(ByteOp | DstReg | SrcImm | Mov)),
2261 X8(D(DstReg | SrcImm | Mov)),
2263 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
2264 N, D(ImplicitOps | Stack), N, N,
2265 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
2267 N, N, N, D(ImplicitOps | Stack),
2268 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2270 D(ByteOp | DstMem | SrcOne | ModRM), D(DstMem | SrcOne | ModRM),
2271 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
2274 N, N, N, N, N, N, N, N,
2277 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2278 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2280 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2281 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2282 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2283 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2286 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2288 D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
2289 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2292 static struct opcode twobyte_table[256] = {
2294 N, GD(0, &group7), N, N,
2295 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
2296 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
2297 N, D(ImplicitOps | ModRM), N, N,
2299 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2301 D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
2302 D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
2304 N, N, N, N, N, N, N, N,
2306 D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
2307 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
2308 N, N, N, N, N, N, N, N,
2310 X16(D(DstReg | SrcMem | ModRM | Mov)),
2312 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2314 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2316 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2320 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2322 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2323 N, D(DstMem | SrcReg | ModRM | BitOp),
2324 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2325 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2327 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2328 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2329 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2330 D(DstMem | SrcReg | Src2CL | ModRM),
2333 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2334 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2335 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
2336 D(DstReg | SrcMem16 | ModRM | Mov),
2339 G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2340 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
2341 D(DstReg | SrcMem16 | ModRM | Mov),
2343 N, N, N, D(DstMem | SrcReg | ModRM | Mov),
2344 N, N, N, GD(0, &group9),
2345 N, N, N, N, N, N, N, N,
2347 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2349 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2351 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2361 x86_decode_insn(struct x86_emulate_ctxt *ctxt)
2363 struct x86_emulate_ops *ops = ctxt->ops;
2364 struct decode_cache *c = &ctxt->decode;
2365 int rc = X86EMUL_CONTINUE;
2366 int mode = ctxt->mode;
2367 int def_op_bytes, def_ad_bytes, dual, goffset;
2368 struct opcode opcode, *g_mod012, *g_mod3;
2369 struct operand memop = { .type = OP_NONE };
2371 /* we cannot decode insn before we complete previous rep insn */
2372 WARN_ON(ctxt->restart);
2375 c->fetch.start = c->fetch.end = c->eip;
2376 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2379 case X86EMUL_MODE_REAL:
2380 case X86EMUL_MODE_VM86:
2381 case X86EMUL_MODE_PROT16:
2382 def_op_bytes = def_ad_bytes = 2;
2384 case X86EMUL_MODE_PROT32:
2385 def_op_bytes = def_ad_bytes = 4;
2387 #ifdef CONFIG_X86_64
2388 case X86EMUL_MODE_PROT64:
2397 c->op_bytes = def_op_bytes;
2398 c->ad_bytes = def_ad_bytes;
2400 /* Legacy prefixes. */
2402 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2403 case 0x66: /* operand-size override */
2404 /* switch between 2/4 bytes */
2405 c->op_bytes = def_op_bytes ^ 6;
2407 case 0x67: /* address-size override */
2408 if (mode == X86EMUL_MODE_PROT64)
2409 /* switch between 4/8 bytes */
2410 c->ad_bytes = def_ad_bytes ^ 12;
2412 /* switch between 2/4 bytes */
2413 c->ad_bytes = def_ad_bytes ^ 6;
2415 case 0x26: /* ES override */
2416 case 0x2e: /* CS override */
2417 case 0x36: /* SS override */
2418 case 0x3e: /* DS override */
2419 set_seg_override(c, (c->b >> 3) & 3);
2421 case 0x64: /* FS override */
2422 case 0x65: /* GS override */
2423 set_seg_override(c, c->b & 7);
2425 case 0x40 ... 0x4f: /* REX */
2426 if (mode != X86EMUL_MODE_PROT64)
2428 c->rex_prefix = c->b;
2430 case 0xf0: /* LOCK */
2433 case 0xf2: /* REPNE/REPNZ */
2434 c->rep_prefix = REPNE_PREFIX;
2436 case 0xf3: /* REP/REPE/REPZ */
2437 c->rep_prefix = REPE_PREFIX;
2443 /* Any legacy prefix after a REX prefix nullifies its effect. */
2451 if (c->rex_prefix & 8)
2452 c->op_bytes = 8; /* REX.W */
2454 /* Opcode byte(s). */
2455 opcode = opcode_table[c->b];
2456 /* Two-byte opcode? */
2459 c->b = insn_fetch(u8, 1, c->eip);
2460 opcode = twobyte_table[c->b];
2462 c->d = opcode.flags;
2465 dual = c->d & GroupDual;
2466 c->modrm = insn_fetch(u8, 1, c->eip);
2469 if (c->d & GroupDual) {
2470 g_mod012 = opcode.u.gdual->mod012;
2471 g_mod3 = opcode.u.gdual->mod3;
2473 g_mod012 = g_mod3 = opcode.u.group;
2475 c->d &= ~(Group | GroupDual);
2477 goffset = (c->modrm >> 3) & 7;
2479 if ((c->modrm >> 6) == 3)
2480 opcode = g_mod3[goffset];
2482 opcode = g_mod012[goffset];
2483 c->d |= opcode.flags;
2486 c->execute = opcode.u.execute;
2489 if (c->d == 0 || (c->d & Undefined)) {
2490 DPRINTF("Cannot emulate %02x\n", c->b);
2494 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2497 if (c->d & Op3264) {
2498 if (mode == X86EMUL_MODE_PROT64)
2504 /* ModRM and SIB bytes. */
2506 rc = decode_modrm(ctxt, ops, &memop);
2507 if (!c->has_seg_override)
2508 set_seg_override(c, c->modrm_seg);
2509 } else if (c->d & MemAbs)
2510 rc = decode_abs(ctxt, ops, &memop);
2511 if (rc != X86EMUL_CONTINUE)
2514 if (!c->has_seg_override)
2515 set_seg_override(c, VCPU_SREG_DS);
2517 if (memop.type == OP_MEM && !(!c->twobyte && c->b == 0x8d))
2518 memop.addr.mem += seg_override_base(ctxt, ops, c);
2520 if (memop.type == OP_MEM && c->ad_bytes != 8)
2521 memop.addr.mem = (u32)memop.addr.mem;
2523 if (memop.type == OP_MEM && c->rip_relative)
2524 memop.addr.mem += c->eip;
2527 * Decode and fetch the source operand: register, memory
2530 switch (c->d & SrcMask) {
2534 decode_register_operand(&c->src, c, 0);
2543 memop.bytes = (c->d & ByteOp) ? 1 :
2550 c->src.type = OP_IMM;
2551 c->src.addr.mem = c->eip;
2552 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2553 if (c->src.bytes == 8)
2555 /* NB. Immediates are sign-extended as necessary. */
2556 switch (c->src.bytes) {
2558 c->src.val = insn_fetch(s8, 1, c->eip);
2561 c->src.val = insn_fetch(s16, 2, c->eip);
2564 c->src.val = insn_fetch(s32, 4, c->eip);
2567 if ((c->d & SrcMask) == SrcImmU) {
2568 switch (c->src.bytes) {
2573 c->src.val &= 0xffff;
2576 c->src.val &= 0xffffffff;
2583 c->src.type = OP_IMM;
2584 c->src.addr.mem = c->eip;
2586 if ((c->d & SrcMask) == SrcImmByte)
2587 c->src.val = insn_fetch(s8, 1, c->eip);
2589 c->src.val = insn_fetch(u8, 1, c->eip);
2592 c->src.type = OP_REG;
2593 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2594 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2595 fetch_register_operand(&c->src);
2602 c->src.type = OP_MEM;
2603 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2605 register_address(c, seg_override_base(ctxt, ops, c),
2606 c->regs[VCPU_REGS_RSI]);
2610 c->src.type = OP_IMM;
2611 c->src.addr.mem = c->eip;
2612 c->src.bytes = c->op_bytes + 2;
2613 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2616 memop.bytes = c->op_bytes + 2;
2622 * Decode and fetch the second source operand: register, memory
2625 switch (c->d & Src2Mask) {
2630 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2633 c->src2.type = OP_IMM;
2634 c->src2.addr.mem = c->eip;
2636 c->src2.val = insn_fetch(u8, 1, c->eip);
2644 /* Decode and fetch the destination operand: register or memory. */
2645 switch (c->d & DstMask) {
2647 decode_register_operand(&c->dst, c,
2648 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2653 if ((c->d & DstMask) == DstMem64)
2656 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2658 fetch_bit_operand(c);
2659 c->dst.orig_val = c->dst.val;
2662 c->dst.type = OP_REG;
2663 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2664 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
2665 fetch_register_operand(&c->dst);
2666 c->dst.orig_val = c->dst.val;
2669 c->dst.type = OP_MEM;
2670 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2672 register_address(c, es_base(ctxt, ops),
2673 c->regs[VCPU_REGS_RDI]);
2677 /* Special instructions do their own operand decoding. */
2679 c->dst.type = OP_NONE; /* Disable writeback. */
2684 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2688 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2690 struct x86_emulate_ops *ops = ctxt->ops;
2692 struct decode_cache *c = &ctxt->decode;
2693 int rc = X86EMUL_CONTINUE;
2694 int saved_dst_type = c->dst.type;
2695 int irq; /* Used for int 3, int, and into */
2697 ctxt->decode.mem_read.pos = 0;
2699 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2704 /* LOCK prefix is allowed only with some instructions */
2705 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2710 /* Privileged instruction can be executed only in CPL=0 */
2711 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2712 emulate_gp(ctxt, 0);
2716 if (c->rep_prefix && (c->d & String)) {
2717 ctxt->restart = true;
2718 /* All REP prefixes have the same first termination condition */
2719 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2721 ctxt->restart = false;
2725 /* The second termination condition only applies for REPE
2726 * and REPNE. Test if the repeat string operation prefix is
2727 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2728 * corresponding termination condition according to:
2729 * - if REPE/REPZ and ZF = 0 then done
2730 * - if REPNE/REPNZ and ZF = 1 then done
2732 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2733 (c->b == 0xae) || (c->b == 0xaf)) {
2734 if ((c->rep_prefix == REPE_PREFIX) &&
2735 ((ctxt->eflags & EFLG_ZF) == 0))
2737 if ((c->rep_prefix == REPNE_PREFIX) &&
2738 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2744 if (c->src.type == OP_MEM) {
2745 if (c->d & NoAccess)
2747 rc = read_emulated(ctxt, ops, c->src.addr.mem,
2748 c->src.valptr, c->src.bytes);
2749 if (rc != X86EMUL_CONTINUE)
2751 c->src.orig_val64 = c->src.val64;
2756 if (c->src2.type == OP_MEM) {
2757 rc = read_emulated(ctxt, ops, c->src2.addr.mem,
2758 &c->src2.val, c->src2.bytes);
2759 if (rc != X86EMUL_CONTINUE)
2763 if ((c->d & DstMask) == ImplicitOps)
2767 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2768 /* optimisation - avoid slow emulated read if Mov */
2769 rc = read_emulated(ctxt, ops, c->dst.addr.mem,
2770 &c->dst.val, c->dst.bytes);
2771 if (rc != X86EMUL_CONTINUE)
2774 c->dst.orig_val = c->dst.val;
2779 rc = c->execute(ctxt);
2780 if (rc != X86EMUL_CONTINUE)
2791 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2793 case 0x06: /* push es */
2794 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2796 case 0x07: /* pop es */
2797 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2798 if (rc != X86EMUL_CONTINUE)
2803 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2805 case 0x0e: /* push cs */
2806 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2810 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2812 case 0x16: /* push ss */
2813 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2815 case 0x17: /* pop ss */
2816 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2817 if (rc != X86EMUL_CONTINUE)
2822 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2824 case 0x1e: /* push ds */
2825 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2827 case 0x1f: /* pop ds */
2828 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2829 if (rc != X86EMUL_CONTINUE)
2834 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2838 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2842 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2846 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2848 case 0x40 ... 0x47: /* inc r16/r32 */
2849 emulate_1op("inc", c->dst, ctxt->eflags);
2851 case 0x48 ... 0x4f: /* dec r16/r32 */
2852 emulate_1op("dec", c->dst, ctxt->eflags);
2854 case 0x58 ... 0x5f: /* pop reg */
2856 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2857 if (rc != X86EMUL_CONTINUE)
2860 case 0x60: /* pusha */
2861 rc = emulate_pusha(ctxt, ops);
2862 if (rc != X86EMUL_CONTINUE)
2865 case 0x61: /* popa */
2866 rc = emulate_popa(ctxt, ops);
2867 if (rc != X86EMUL_CONTINUE)
2870 case 0x63: /* movsxd */
2871 if (ctxt->mode != X86EMUL_MODE_PROT64)
2872 goto cannot_emulate;
2873 c->dst.val = (s32) c->src.val;
2875 case 0x6c: /* insb */
2876 case 0x6d: /* insw/insd */
2877 c->dst.bytes = min(c->dst.bytes, 4u);
2878 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2880 emulate_gp(ctxt, 0);
2883 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2884 c->regs[VCPU_REGS_RDX], &c->dst.val))
2885 goto done; /* IO is needed, skip writeback */
2887 case 0x6e: /* outsb */
2888 case 0x6f: /* outsw/outsd */
2889 c->src.bytes = min(c->src.bytes, 4u);
2890 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2892 emulate_gp(ctxt, 0);
2895 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2896 &c->src.val, 1, ctxt->vcpu);
2898 c->dst.type = OP_NONE; /* nothing to writeback */
2900 case 0x70 ... 0x7f: /* jcc (short) */
2901 if (test_cc(c->b, ctxt->eflags))
2902 jmp_rel(c, c->src.val);
2904 case 0x80 ... 0x83: /* Grp1 */
2905 switch (c->modrm_reg) {
2926 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2928 case 0x86 ... 0x87: /* xchg */
2930 /* Write back the register source. */
2931 switch (c->dst.bytes) {
2933 *(u8 *) c->src.addr.reg = (u8) c->dst.val;
2936 *(u16 *) c->src.addr.reg = (u16) c->dst.val;
2939 *c->src.addr.reg = (u32) c->dst.val;
2940 break; /* 64b reg: zero-extend */
2942 *c->src.addr.reg = c->dst.val;
2946 * Write back the memory destination with implicit LOCK
2949 c->dst.val = c->src.val;
2952 case 0x88 ... 0x8b: /* mov */
2954 case 0x8c: /* mov r/m, sreg */
2955 if (c->modrm_reg > VCPU_SREG_GS) {
2959 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2961 case 0x8d: /* lea r16/r32, m */
2962 c->dst.val = c->src.addr.mem;
2964 case 0x8e: { /* mov seg, r/m16 */
2969 if (c->modrm_reg == VCPU_SREG_CS ||
2970 c->modrm_reg > VCPU_SREG_GS) {
2975 if (c->modrm_reg == VCPU_SREG_SS)
2976 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2978 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2980 c->dst.type = OP_NONE; /* Disable writeback. */
2983 case 0x8f: /* pop (sole member of Grp1a) */
2984 rc = emulate_grp1a(ctxt, ops);
2985 if (rc != X86EMUL_CONTINUE)
2988 case 0x90 ... 0x97: /* nop / xchg reg, rax */
2989 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
2992 case 0x9c: /* pushf */
2993 c->src.val = (unsigned long) ctxt->eflags;
2994 emulate_push(ctxt, ops);
2996 case 0x9d: /* popf */
2997 c->dst.type = OP_REG;
2998 c->dst.addr.reg = &ctxt->eflags;
2999 c->dst.bytes = c->op_bytes;
3000 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
3001 if (rc != X86EMUL_CONTINUE)
3004 case 0xa0 ... 0xa3: /* mov */
3005 case 0xa4 ... 0xa5: /* movs */
3007 case 0xa6 ... 0xa7: /* cmps */
3008 c->dst.type = OP_NONE; /* Disable writeback. */
3009 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
3011 case 0xa8 ... 0xa9: /* test ax, imm */
3013 case 0xaa ... 0xab: /* stos */
3014 case 0xac ... 0xad: /* lods */
3016 case 0xae ... 0xaf: /* scas */
3017 DPRINTF("Urk! I don't handle SCAS.\n");
3018 goto cannot_emulate;
3019 case 0xb0 ... 0xbf: /* mov r, imm */
3024 case 0xc3: /* ret */
3025 c->dst.type = OP_REG;
3026 c->dst.addr.reg = &c->eip;
3027 c->dst.bytes = c->op_bytes;
3028 goto pop_instruction;
3029 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
3031 c->dst.val = c->src.val;
3033 case 0xcb: /* ret far */
3034 rc = emulate_ret_far(ctxt, ops);
3035 if (rc != X86EMUL_CONTINUE)
3038 case 0xcc: /* int3 */
3041 case 0xcd: /* int n */
3044 rc = emulate_int(ctxt, ops, irq);
3045 if (rc != X86EMUL_CONTINUE)
3048 case 0xce: /* into */
3049 if (ctxt->eflags & EFLG_OF) {
3054 case 0xcf: /* iret */
3055 rc = emulate_iret(ctxt, ops);
3057 if (rc != X86EMUL_CONTINUE)
3060 case 0xd0 ... 0xd1: /* Grp2 */
3063 case 0xd2 ... 0xd3: /* Grp2 */
3064 c->src.val = c->regs[VCPU_REGS_RCX];
3067 case 0xe4: /* inb */
3070 case 0xe6: /* outb */
3071 case 0xe7: /* out */
3073 case 0xe8: /* call (near) */ {
3074 long int rel = c->src.val;
3075 c->src.val = (unsigned long) c->eip;
3077 emulate_push(ctxt, ops);
3080 case 0xe9: /* jmp rel */
3082 case 0xea: { /* jmp far */
3085 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3087 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3091 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3095 jmp: /* jmp rel short */
3096 jmp_rel(c, c->src.val);
3097 c->dst.type = OP_NONE; /* Disable writeback. */
3099 case 0xec: /* in al,dx */
3100 case 0xed: /* in (e/r)ax,dx */
3101 c->src.val = c->regs[VCPU_REGS_RDX];
3103 c->dst.bytes = min(c->dst.bytes, 4u);
3104 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3105 emulate_gp(ctxt, 0);
3108 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3110 goto done; /* IO is needed */
3112 case 0xee: /* out dx,al */
3113 case 0xef: /* out dx,(e/r)ax */
3114 c->src.val = c->regs[VCPU_REGS_RDX];
3116 c->dst.bytes = min(c->dst.bytes, 4u);
3117 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3118 emulate_gp(ctxt, 0);
3121 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
3123 c->dst.type = OP_NONE; /* Disable writeback. */
3125 case 0xf4: /* hlt */
3126 ctxt->vcpu->arch.halt_request = 1;
3128 case 0xf5: /* cmc */
3129 /* complement carry flag from eflags reg */
3130 ctxt->eflags ^= EFLG_CF;
3132 case 0xf6 ... 0xf7: /* Grp3 */
3133 if (!emulate_grp3(ctxt, ops))
3134 goto cannot_emulate;
3136 case 0xf8: /* clc */
3137 ctxt->eflags &= ~EFLG_CF;
3139 case 0xf9: /* stc */
3140 ctxt->eflags |= EFLG_CF;
3142 case 0xfa: /* cli */
3143 if (emulator_bad_iopl(ctxt, ops)) {
3144 emulate_gp(ctxt, 0);
3147 ctxt->eflags &= ~X86_EFLAGS_IF;
3149 case 0xfb: /* sti */
3150 if (emulator_bad_iopl(ctxt, ops)) {
3151 emulate_gp(ctxt, 0);
3154 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3155 ctxt->eflags |= X86_EFLAGS_IF;
3158 case 0xfc: /* cld */
3159 ctxt->eflags &= ~EFLG_DF;
3161 case 0xfd: /* std */
3162 ctxt->eflags |= EFLG_DF;
3164 case 0xfe: /* Grp4 */
3166 rc = emulate_grp45(ctxt, ops);
3167 if (rc != X86EMUL_CONTINUE)
3170 case 0xff: /* Grp5 */
3171 if (c->modrm_reg == 5)
3175 goto cannot_emulate;
3179 rc = writeback(ctxt, ops);
3180 if (rc != X86EMUL_CONTINUE)
3184 * restore dst type in case the decoding will be reused
3185 * (happens for string instruction )
3187 c->dst.type = saved_dst_type;
3189 if ((c->d & SrcMask) == SrcSI)
3190 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3191 VCPU_REGS_RSI, &c->src);
3193 if ((c->d & DstMask) == DstDI)
3194 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3197 if (c->rep_prefix && (c->d & String)) {
3198 struct read_cache *rc = &ctxt->decode.io_read;
3199 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3201 * Re-enter guest when pio read ahead buffer is empty or,
3202 * if it is not used, after each 1024 iteration.
3204 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3205 (rc->end != 0 && rc->end == rc->pos))
3206 ctxt->restart = false;
3209 * reset read cache here in case string instruction is restared
3212 ctxt->decode.mem_read.end = 0;
3216 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3220 case 0x01: /* lgdt, lidt, lmsw */
3221 switch (c->modrm_reg) {
3223 unsigned long address;
3225 case 0: /* vmcall */
3226 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3227 goto cannot_emulate;
3229 rc = kvm_fix_hypercall(ctxt->vcpu);
3230 if (rc != X86EMUL_CONTINUE)
3233 /* Let the processor re-execute the fixed hypercall */
3235 /* Disable writeback. */
3236 c->dst.type = OP_NONE;
3239 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3240 &size, &address, c->op_bytes);
3241 if (rc != X86EMUL_CONTINUE)
3243 realmode_lgdt(ctxt->vcpu, size, address);
3244 /* Disable writeback. */
3245 c->dst.type = OP_NONE;
3247 case 3: /* lidt/vmmcall */
3248 if (c->modrm_mod == 3) {
3249 switch (c->modrm_rm) {
3251 rc = kvm_fix_hypercall(ctxt->vcpu);
3252 if (rc != X86EMUL_CONTINUE)
3256 goto cannot_emulate;
3259 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3262 if (rc != X86EMUL_CONTINUE)
3264 realmode_lidt(ctxt->vcpu, size, address);
3266 /* Disable writeback. */
3267 c->dst.type = OP_NONE;
3271 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3274 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3275 (c->src.val & 0x0f), ctxt->vcpu);
3276 c->dst.type = OP_NONE;
3278 case 5: /* not defined */
3282 emulate_invlpg(ctxt->vcpu, c->src.addr.mem);
3283 /* Disable writeback. */
3284 c->dst.type = OP_NONE;
3287 goto cannot_emulate;
3290 case 0x05: /* syscall */
3291 rc = emulate_syscall(ctxt, ops);
3292 if (rc != X86EMUL_CONTINUE)
3298 emulate_clts(ctxt->vcpu);
3300 case 0x09: /* wbinvd */
3301 kvm_emulate_wbinvd(ctxt->vcpu);
3303 case 0x08: /* invd */
3304 case 0x0d: /* GrpP (prefetch) */
3305 case 0x18: /* Grp16 (prefetch/nop) */
3307 case 0x20: /* mov cr, reg */
3308 switch (c->modrm_reg) {
3315 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3317 case 0x21: /* mov from dr to reg */
3318 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3319 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3323 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3325 case 0x22: /* mov reg, cr */
3326 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3327 emulate_gp(ctxt, 0);
3330 c->dst.type = OP_NONE;
3332 case 0x23: /* mov from reg to dr */
3333 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3334 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3339 if (ops->set_dr(c->modrm_reg, c->src.val &
3340 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3341 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3342 /* #UD condition is already handled by the code above */
3343 emulate_gp(ctxt, 0);
3347 c->dst.type = OP_NONE; /* no writeback */
3351 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3352 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3353 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3354 emulate_gp(ctxt, 0);
3357 rc = X86EMUL_CONTINUE;
3361 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3362 emulate_gp(ctxt, 0);
3365 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3366 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3368 rc = X86EMUL_CONTINUE;
3370 case 0x34: /* sysenter */
3371 rc = emulate_sysenter(ctxt, ops);
3372 if (rc != X86EMUL_CONTINUE)
3377 case 0x35: /* sysexit */
3378 rc = emulate_sysexit(ctxt, ops);
3379 if (rc != X86EMUL_CONTINUE)
3384 case 0x40 ... 0x4f: /* cmov */
3385 c->dst.val = c->dst.orig_val = c->src.val;
3386 if (!test_cc(c->b, ctxt->eflags))
3387 c->dst.type = OP_NONE; /* no writeback */
3389 case 0x80 ... 0x8f: /* jnz rel, etc*/
3390 if (test_cc(c->b, ctxt->eflags))
3391 jmp_rel(c, c->src.val);
3393 case 0xa0: /* push fs */
3394 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3396 case 0xa1: /* pop fs */
3397 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3398 if (rc != X86EMUL_CONTINUE)
3403 c->dst.type = OP_NONE;
3404 /* only subword offset */
3405 c->src.val &= (c->dst.bytes << 3) - 1;
3406 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3408 case 0xa4: /* shld imm8, r, r/m */
3409 case 0xa5: /* shld cl, r, r/m */
3410 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3412 case 0xa8: /* push gs */
3413 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3415 case 0xa9: /* pop gs */
3416 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3417 if (rc != X86EMUL_CONTINUE)
3422 /* only subword offset */
3423 c->src.val &= (c->dst.bytes << 3) - 1;
3424 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3426 case 0xac: /* shrd imm8, r, r/m */
3427 case 0xad: /* shrd cl, r, r/m */
3428 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3430 case 0xae: /* clflush */
3432 case 0xb0 ... 0xb1: /* cmpxchg */
3434 * Save real source value, then compare EAX against
3437 c->src.orig_val = c->src.val;
3438 c->src.val = c->regs[VCPU_REGS_RAX];
3439 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3440 if (ctxt->eflags & EFLG_ZF) {
3441 /* Success: write back to memory. */
3442 c->dst.val = c->src.orig_val;
3444 /* Failure: write the value we saw to EAX. */
3445 c->dst.type = OP_REG;
3446 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3451 /* only subword offset */
3452 c->src.val &= (c->dst.bytes << 3) - 1;
3453 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3455 case 0xb6 ... 0xb7: /* movzx */
3456 c->dst.bytes = c->op_bytes;
3457 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3460 case 0xba: /* Grp8 */
3461 switch (c->modrm_reg & 3) {
3474 /* only subword offset */
3475 c->src.val &= (c->dst.bytes << 3) - 1;
3476 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3478 case 0xbe ... 0xbf: /* movsx */
3479 c->dst.bytes = c->op_bytes;
3480 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3483 case 0xc3: /* movnti */
3484 c->dst.bytes = c->op_bytes;
3485 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3488 case 0xc7: /* Grp9 (cmpxchg8b) */
3489 rc = emulate_grp9(ctxt, ops);
3490 if (rc != X86EMUL_CONTINUE)
3494 goto cannot_emulate;
3499 DPRINTF("Cannot emulate %02x\n", c->b);
git.openpandora.org / pandora-kernel.git / blob