1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
32 * Opcode effective-address decode tables.
33 * Note that we only emulate instructions that have at least one memory
34 * operand (excluding implicit stack references). We assume that stack
35 * references and instruction fetches will never occur in special memory
36 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
40 /* Operand sizes: 8-bit operands or specified/overridden size. */
41 #define ByteOp (1<<0) /* 8-bit operands. */
42 /* Destination operand type. */
43 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
44 #define DstReg (2<<1) /* Register operand. */
45 #define DstMem (3<<1) /* Memory operand. */
46 #define DstAcc (4<<1) /* Destination Accumulator */
47 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
48 #define DstMem64 (6<<1) /* 64bit memory operand */
49 #define DstImmUByte (7<<1) /* 8-bit unsigned immediate operand */
50 #define DstMask (7<<1)
51 /* Source operand type. */
52 #define SrcNone (0<<4) /* No source operand. */
53 #define SrcReg (1<<4) /* Register operand. */
54 #define SrcMem (2<<4) /* Memory operand. */
55 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
56 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
57 #define SrcImm (5<<4) /* Immediate operand. */
58 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
59 #define SrcOne (7<<4) /* Implied '1' */
60 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
61 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
62 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
63 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
64 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
65 #define SrcAcc (0xd<<4) /* Source Accumulator */
66 #define SrcImmU16 (0xe<<4) /* Immediate operand, unsigned, 16 bits */
67 #define SrcMask (0xf<<4)
68 /* Generic ModRM decode. */
70 /* Destination is only written; never read. */
73 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
74 #define String (1<<12) /* String instruction (rep capable) */
75 #define Stack (1<<13) /* Stack instruction (push/pop) */
76 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
77 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
79 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
80 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
81 #define Undefined (1<<25) /* No Such Instruction */
82 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
83 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
85 /* Source 2 operand type */
86 #define Src2None (0<<29)
87 #define Src2CL (1<<29)
88 #define Src2ImmByte (2<<29)
89 #define Src2One (3<<29)
90 #define Src2Imm (4<<29)
91 #define Src2Mask (7<<29)
94 #define X3(x...) X2(x), x
95 #define X4(x...) X2(x), X2(x)
96 #define X5(x...) X4(x), x
97 #define X6(x...) X4(x), X2(x)
98 #define X7(x...) X4(x), X3(x)
99 #define X8(x...) X4(x), X4(x)
100 #define X16(x...) X8(x), X8(x)
105 int (*execute)(struct x86_emulate_ctxt *ctxt);
106 struct opcode *group;
107 struct group_dual *gdual;
112 struct opcode mod012[8];
113 struct opcode mod3[8];
116 /* EFLAGS bit definitions. */
117 #define EFLG_ID (1<<21)
118 #define EFLG_VIP (1<<20)
119 #define EFLG_VIF (1<<19)
120 #define EFLG_AC (1<<18)
121 #define EFLG_VM (1<<17)
122 #define EFLG_RF (1<<16)
123 #define EFLG_IOPL (3<<12)
124 #define EFLG_NT (1<<14)
125 #define EFLG_OF (1<<11)
126 #define EFLG_DF (1<<10)
127 #define EFLG_IF (1<<9)
128 #define EFLG_TF (1<<8)
129 #define EFLG_SF (1<<7)
130 #define EFLG_ZF (1<<6)
131 #define EFLG_AF (1<<4)
132 #define EFLG_PF (1<<2)
133 #define EFLG_CF (1<<0)
135 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
136 #define EFLG_RESERVED_ONE_MASK 2
139 * Instruction emulation:
140 * Most instructions are emulated directly via a fragment of inline assembly
141 * code. This allows us to save/restore EFLAGS and thus very easily pick up
142 * any modified flags.
145 #if defined(CONFIG_X86_64)
146 #define _LO32 "k" /* force 32-bit operand */
147 #define _STK "%%rsp" /* stack pointer */
148 #elif defined(__i386__)
149 #define _LO32 "" /* force 32-bit operand */
150 #define _STK "%%esp" /* stack pointer */
154 * These EFLAGS bits are restored from saved value during emulation, and
155 * any changes are written back to the saved value after emulation.
157 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
159 /* Before executing instruction: restore necessary bits in EFLAGS. */
160 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
161 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
162 "movl %"_sav",%"_LO32 _tmp"; " \
165 "movl %"_msk",%"_LO32 _tmp"; " \
166 "andl %"_LO32 _tmp",("_STK"); " \
168 "notl %"_LO32 _tmp"; " \
169 "andl %"_LO32 _tmp",("_STK"); " \
170 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
172 "orl %"_LO32 _tmp",("_STK"); " \
176 /* After executing instruction: write-back necessary bits in EFLAGS. */
177 #define _POST_EFLAGS(_sav, _msk, _tmp) \
178 /* _sav |= EFLAGS & _msk; */ \
181 "andl %"_msk",%"_LO32 _tmp"; " \
182 "orl %"_LO32 _tmp",%"_sav"; "
190 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
192 __asm__ __volatile__ ( \
193 _PRE_EFLAGS("0", "4", "2") \
194 _op _suffix " %"_x"3,%1; " \
195 _POST_EFLAGS("0", "4", "2") \
196 : "=m" (_eflags), "+q" (*(_dsttype*)&(_dst).val),\
198 : _y ((_src).val), "i" (EFLAGS_MASK)); \
202 /* Raw emulation: instruction has two explicit operands. */
203 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
205 unsigned long _tmp; \
207 switch ((_dst).bytes) { \
209 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
212 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l",u32);\
215 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q",u64)); \
220 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
222 unsigned long _tmp; \
223 switch ((_dst).bytes) { \
225 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
228 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
229 _wx, _wy, _lx, _ly, _qx, _qy); \
234 /* Source operand is byte-sized and may be restricted to just %cl. */
235 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
236 __emulate_2op(_op, _src, _dst, _eflags, \
237 "b", "c", "b", "c", "b", "c", "b", "c")
239 /* Source operand is byte, word, long or quad sized. */
240 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
241 __emulate_2op(_op, _src, _dst, _eflags, \
242 "b", "q", "w", "r", _LO32, "r", "", "r")
244 /* Source operand is word, long or quad sized. */
245 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
246 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
247 "w", "r", _LO32, "r", "", "r")
249 /* Instruction has three operands and one operand is stored in ECX register */
250 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
252 unsigned long _tmp; \
253 _type _clv = (_cl).val; \
254 _type _srcv = (_src).val; \
255 _type _dstv = (_dst).val; \
257 __asm__ __volatile__ ( \
258 _PRE_EFLAGS("0", "5", "2") \
259 _op _suffix " %4,%1 \n" \
260 _POST_EFLAGS("0", "5", "2") \
261 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
262 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
265 (_cl).val = (unsigned long) _clv; \
266 (_src).val = (unsigned long) _srcv; \
267 (_dst).val = (unsigned long) _dstv; \
270 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
272 switch ((_dst).bytes) { \
274 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
275 "w", unsigned short); \
278 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
279 "l", unsigned int); \
282 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
283 "q", unsigned long)); \
288 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
290 unsigned long _tmp; \
292 __asm__ __volatile__ ( \
293 _PRE_EFLAGS("0", "3", "2") \
294 _op _suffix " %1; " \
295 _POST_EFLAGS("0", "3", "2") \
296 : "=m" (_eflags), "+m" ((_dst).val), \
298 : "i" (EFLAGS_MASK)); \
301 /* Instruction has only one explicit operand (no source operand). */
302 #define emulate_1op(_op, _dst, _eflags) \
304 switch ((_dst).bytes) { \
305 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
306 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
307 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
308 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
312 #define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix) \
314 unsigned long _tmp; \
316 __asm__ __volatile__ ( \
317 _PRE_EFLAGS("0", "4", "1") \
318 _op _suffix " %5; " \
319 _POST_EFLAGS("0", "4", "1") \
320 : "=m" (_eflags), "=&r" (_tmp), \
321 "+a" (_rax), "+d" (_rdx) \
322 : "i" (EFLAGS_MASK), "m" ((_src).val), \
323 "a" (_rax), "d" (_rdx)); \
326 #define __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _suffix, _ex) \
328 unsigned long _tmp; \
330 __asm__ __volatile__ ( \
331 _PRE_EFLAGS("0", "5", "1") \
333 _op _suffix " %6; " \
335 _POST_EFLAGS("0", "5", "1") \
336 ".pushsection .fixup,\"ax\" \n\t" \
337 "3: movb $1, %4 \n\t" \
340 _ASM_EXTABLE(1b, 3b) \
341 : "=m" (_eflags), "=&r" (_tmp), \
342 "+a" (_rax), "+d" (_rdx), "+qm"(_ex) \
343 : "i" (EFLAGS_MASK), "m" ((_src).val), \
344 "a" (_rax), "d" (_rdx)); \
347 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
348 #define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags) \
350 switch((_src).bytes) { \
351 case 1: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "b"); break; \
352 case 2: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "w"); break; \
353 case 4: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "l"); break; \
354 case 8: ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "q")); break; \
358 #define emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _ex) \
360 switch((_src).bytes) { \
362 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
363 _eflags, "b", _ex); \
366 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
367 _eflags, "w", _ex); \
370 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
371 _eflags, "l", _ex); \
374 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
375 _eflags, "q", _ex)); \
380 /* Fetch next part of the instruction being emulated. */
381 #define insn_fetch(_type, _size, _eip) \
382 ({ unsigned long _x; \
383 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
384 if (rc != X86EMUL_CONTINUE) \
390 #define insn_fetch_arr(_arr, _size, _eip) \
391 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
392 if (rc != X86EMUL_CONTINUE) \
397 static inline unsigned long ad_mask(struct decode_cache *c)
399 return (1UL << (c->ad_bytes << 3)) - 1;
402 /* Access/update address held in a register, based on addressing mode. */
403 static inline unsigned long
404 address_mask(struct decode_cache *c, unsigned long reg)
406 if (c->ad_bytes == sizeof(unsigned long))
409 return reg & ad_mask(c);
412 static inline unsigned long
413 register_address(struct decode_cache *c, unsigned long reg)
415 return address_mask(c, reg);
419 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
421 if (c->ad_bytes == sizeof(unsigned long))
424 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
427 static inline void jmp_rel(struct decode_cache *c, int rel)
429 register_address_increment(c, &c->eip, rel);
432 static void set_seg_override(struct decode_cache *c, int seg)
434 c->has_seg_override = true;
435 c->seg_override = seg;
438 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
439 struct x86_emulate_ops *ops, int seg)
441 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
444 return ops->get_cached_segment_base(seg, ctxt->vcpu);
447 static unsigned seg_override(struct x86_emulate_ctxt *ctxt,
448 struct x86_emulate_ops *ops,
449 struct decode_cache *c)
451 if (!c->has_seg_override)
454 return c->seg_override;
457 static ulong linear(struct x86_emulate_ctxt *ctxt,
458 struct segmented_address addr)
460 struct decode_cache *c = &ctxt->decode;
463 la = seg_base(ctxt, ctxt->ops, addr.seg) + addr.ea;
464 if (c->ad_bytes != 8)
469 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
470 u32 error, bool valid)
472 ctxt->exception.vector = vec;
473 ctxt->exception.error_code = error;
474 ctxt->exception.error_code_valid = valid;
475 return X86EMUL_PROPAGATE_FAULT;
478 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
480 return emulate_exception(ctxt, GP_VECTOR, err, true);
483 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
485 return emulate_exception(ctxt, UD_VECTOR, 0, false);
488 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
490 return emulate_exception(ctxt, TS_VECTOR, err, true);
493 static int emulate_de(struct x86_emulate_ctxt *ctxt)
495 return emulate_exception(ctxt, DE_VECTOR, 0, false);
498 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
499 struct x86_emulate_ops *ops,
500 unsigned long eip, u8 *dest)
502 struct fetch_cache *fc = &ctxt->decode.fetch;
506 if (eip == fc->end) {
507 cur_size = fc->end - fc->start;
508 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
509 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
510 size, ctxt->vcpu, &ctxt->exception);
511 if (rc != X86EMUL_CONTINUE)
515 *dest = fc->data[eip - fc->start];
516 return X86EMUL_CONTINUE;
519 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
520 struct x86_emulate_ops *ops,
521 unsigned long eip, void *dest, unsigned size)
525 /* x86 instructions are limited to 15 bytes. */
526 if (eip + size - ctxt->eip > 15)
527 return X86EMUL_UNHANDLEABLE;
529 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
530 if (rc != X86EMUL_CONTINUE)
533 return X86EMUL_CONTINUE;
537 * Given the 'reg' portion of a ModRM byte, and a register block, return a
538 * pointer into the block that addresses the relevant register.
539 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
541 static void *decode_register(u8 modrm_reg, unsigned long *regs,
546 p = ®s[modrm_reg];
547 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
548 p = (unsigned char *)®s[modrm_reg & 3] + 1;
552 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
553 struct x86_emulate_ops *ops,
554 struct segmented_address addr,
555 u16 *size, unsigned long *address, int op_bytes)
562 rc = ops->read_std(linear(ctxt, addr), (unsigned long *)size, 2,
563 ctxt->vcpu, &ctxt->exception);
564 if (rc != X86EMUL_CONTINUE)
567 rc = ops->read_std(linear(ctxt, addr), address, op_bytes,
568 ctxt->vcpu, &ctxt->exception);
572 static int test_cc(unsigned int condition, unsigned int flags)
576 switch ((condition & 15) >> 1) {
578 rc |= (flags & EFLG_OF);
580 case 1: /* b/c/nae */
581 rc |= (flags & EFLG_CF);
584 rc |= (flags & EFLG_ZF);
587 rc |= (flags & (EFLG_CF|EFLG_ZF));
590 rc |= (flags & EFLG_SF);
593 rc |= (flags & EFLG_PF);
596 rc |= (flags & EFLG_ZF);
599 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
603 /* Odd condition identifiers (lsb == 1) have inverted sense. */
604 return (!!rc ^ (condition & 1));
607 static void fetch_register_operand(struct operand *op)
611 op->val = *(u8 *)op->addr.reg;
614 op->val = *(u16 *)op->addr.reg;
617 op->val = *(u32 *)op->addr.reg;
620 op->val = *(u64 *)op->addr.reg;
625 static void decode_register_operand(struct operand *op,
626 struct decode_cache *c,
629 unsigned reg = c->modrm_reg;
630 int highbyte_regs = c->rex_prefix == 0;
633 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
635 if ((c->d & ByteOp) && !inhibit_bytereg) {
636 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
639 op->addr.reg = decode_register(reg, c->regs, 0);
640 op->bytes = c->op_bytes;
642 fetch_register_operand(op);
643 op->orig_val = op->val;
646 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
647 struct x86_emulate_ops *ops,
650 struct decode_cache *c = &ctxt->decode;
652 int index_reg = 0, base_reg = 0, scale;
653 int rc = X86EMUL_CONTINUE;
657 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
658 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
659 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
662 c->modrm = insn_fetch(u8, 1, c->eip);
663 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
664 c->modrm_reg |= (c->modrm & 0x38) >> 3;
665 c->modrm_rm |= (c->modrm & 0x07);
666 c->modrm_seg = VCPU_SREG_DS;
668 if (c->modrm_mod == 3) {
670 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
671 op->addr.reg = decode_register(c->modrm_rm,
672 c->regs, c->d & ByteOp);
673 fetch_register_operand(op);
679 if (c->ad_bytes == 2) {
680 unsigned bx = c->regs[VCPU_REGS_RBX];
681 unsigned bp = c->regs[VCPU_REGS_RBP];
682 unsigned si = c->regs[VCPU_REGS_RSI];
683 unsigned di = c->regs[VCPU_REGS_RDI];
685 /* 16-bit ModR/M decode. */
686 switch (c->modrm_mod) {
688 if (c->modrm_rm == 6)
689 modrm_ea += insn_fetch(u16, 2, c->eip);
692 modrm_ea += insn_fetch(s8, 1, c->eip);
695 modrm_ea += insn_fetch(u16, 2, c->eip);
698 switch (c->modrm_rm) {
718 if (c->modrm_mod != 0)
725 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
726 (c->modrm_rm == 6 && c->modrm_mod != 0))
727 c->modrm_seg = VCPU_SREG_SS;
728 modrm_ea = (u16)modrm_ea;
730 /* 32/64-bit ModR/M decode. */
731 if ((c->modrm_rm & 7) == 4) {
732 sib = insn_fetch(u8, 1, c->eip);
733 index_reg |= (sib >> 3) & 7;
737 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
738 modrm_ea += insn_fetch(s32, 4, c->eip);
740 modrm_ea += c->regs[base_reg];
742 modrm_ea += c->regs[index_reg] << scale;
743 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
744 if (ctxt->mode == X86EMUL_MODE_PROT64)
747 modrm_ea += c->regs[c->modrm_rm];
748 switch (c->modrm_mod) {
750 if (c->modrm_rm == 5)
751 modrm_ea += insn_fetch(s32, 4, c->eip);
754 modrm_ea += insn_fetch(s8, 1, c->eip);
757 modrm_ea += insn_fetch(s32, 4, c->eip);
761 op->addr.mem.ea = modrm_ea;
766 static int decode_abs(struct x86_emulate_ctxt *ctxt,
767 struct x86_emulate_ops *ops,
770 struct decode_cache *c = &ctxt->decode;
771 int rc = X86EMUL_CONTINUE;
774 switch (c->ad_bytes) {
776 op->addr.mem.ea = insn_fetch(u16, 2, c->eip);
779 op->addr.mem.ea = insn_fetch(u32, 4, c->eip);
782 op->addr.mem.ea = insn_fetch(u64, 8, c->eip);
789 static void fetch_bit_operand(struct decode_cache *c)
793 if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
794 mask = ~(c->dst.bytes * 8 - 1);
796 if (c->src.bytes == 2)
797 sv = (s16)c->src.val & (s16)mask;
798 else if (c->src.bytes == 4)
799 sv = (s32)c->src.val & (s32)mask;
801 c->dst.addr.mem.ea += (sv >> 3);
804 /* only subword offset */
805 c->src.val &= (c->dst.bytes << 3) - 1;
808 static int read_emulated(struct x86_emulate_ctxt *ctxt,
809 struct x86_emulate_ops *ops,
810 unsigned long addr, void *dest, unsigned size)
813 struct read_cache *mc = &ctxt->decode.mem_read;
816 int n = min(size, 8u);
818 if (mc->pos < mc->end)
821 rc = ops->read_emulated(addr, mc->data + mc->end, n,
822 &ctxt->exception, ctxt->vcpu);
823 if (rc != X86EMUL_CONTINUE)
828 memcpy(dest, mc->data + mc->pos, n);
833 return X86EMUL_CONTINUE;
836 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
837 struct x86_emulate_ops *ops,
838 unsigned int size, unsigned short port,
841 struct read_cache *rc = &ctxt->decode.io_read;
843 if (rc->pos == rc->end) { /* refill pio read ahead */
844 struct decode_cache *c = &ctxt->decode;
845 unsigned int in_page, n;
846 unsigned int count = c->rep_prefix ?
847 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
848 in_page = (ctxt->eflags & EFLG_DF) ?
849 offset_in_page(c->regs[VCPU_REGS_RDI]) :
850 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
851 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
855 rc->pos = rc->end = 0;
856 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
861 memcpy(dest, rc->data + rc->pos, size);
866 static u32 desc_limit_scaled(struct desc_struct *desc)
868 u32 limit = get_desc_limit(desc);
870 return desc->g ? (limit << 12) | 0xfff : limit;
873 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
874 struct x86_emulate_ops *ops,
875 u16 selector, struct desc_ptr *dt)
877 if (selector & 1 << 2) {
878 struct desc_struct desc;
879 memset (dt, 0, sizeof *dt);
880 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
883 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
884 dt->address = get_desc_base(&desc);
886 ops->get_gdt(dt, ctxt->vcpu);
889 /* allowed just for 8 bytes segments */
890 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
891 struct x86_emulate_ops *ops,
892 u16 selector, struct desc_struct *desc)
895 u16 index = selector >> 3;
899 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
901 if (dt.size < index * 8 + 7)
902 return emulate_gp(ctxt, selector & 0xfffc);
903 addr = dt.address + index * 8;
904 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu,
910 /* allowed just for 8 bytes segments */
911 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
912 struct x86_emulate_ops *ops,
913 u16 selector, struct desc_struct *desc)
916 u16 index = selector >> 3;
920 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
922 if (dt.size < index * 8 + 7)
923 return emulate_gp(ctxt, selector & 0xfffc);
925 addr = dt.address + index * 8;
926 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu,
932 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
933 struct x86_emulate_ops *ops,
934 u16 selector, int seg)
936 struct desc_struct seg_desc;
938 unsigned err_vec = GP_VECTOR;
940 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
943 memset(&seg_desc, 0, sizeof seg_desc);
945 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
946 || ctxt->mode == X86EMUL_MODE_REAL) {
947 /* set real mode segment descriptor */
948 set_desc_base(&seg_desc, selector << 4);
949 set_desc_limit(&seg_desc, 0xffff);
956 /* NULL selector is not valid for TR, CS and SS */
957 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
961 /* TR should be in GDT only */
962 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
965 if (null_selector) /* for NULL selector skip all following checks */
968 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
969 if (ret != X86EMUL_CONTINUE)
972 err_code = selector & 0xfffc;
975 /* can't load system descriptor into segment selecor */
976 if (seg <= VCPU_SREG_GS && !seg_desc.s)
980 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
986 cpl = ops->cpl(ctxt->vcpu);
991 * segment is not a writable data segment or segment
992 * selector's RPL != CPL or segment selector's RPL != CPL
994 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
998 if (!(seg_desc.type & 8))
1001 if (seg_desc.type & 4) {
1007 if (rpl > cpl || dpl != cpl)
1010 /* CS(RPL) <- CPL */
1011 selector = (selector & 0xfffc) | cpl;
1014 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1017 case VCPU_SREG_LDTR:
1018 if (seg_desc.s || seg_desc.type != 2)
1021 default: /* DS, ES, FS, or GS */
1023 * segment is not a data or readable code segment or
1024 * ((segment is a data or nonconforming code segment)
1025 * and (both RPL and CPL > DPL))
1027 if ((seg_desc.type & 0xa) == 0x8 ||
1028 (((seg_desc.type & 0xc) != 0xc) &&
1029 (rpl > dpl && cpl > dpl)))
1035 /* mark segment as accessed */
1037 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1038 if (ret != X86EMUL_CONTINUE)
1042 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1043 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1044 return X86EMUL_CONTINUE;
1046 emulate_exception(ctxt, err_vec, err_code, true);
1047 return X86EMUL_PROPAGATE_FAULT;
1050 static void write_register_operand(struct operand *op)
1052 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1053 switch (op->bytes) {
1055 *(u8 *)op->addr.reg = (u8)op->val;
1058 *(u16 *)op->addr.reg = (u16)op->val;
1061 *op->addr.reg = (u32)op->val;
1062 break; /* 64b: zero-extend */
1064 *op->addr.reg = op->val;
1069 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1070 struct x86_emulate_ops *ops)
1073 struct decode_cache *c = &ctxt->decode;
1075 switch (c->dst.type) {
1077 write_register_operand(&c->dst);
1081 rc = ops->cmpxchg_emulated(
1082 linear(ctxt, c->dst.addr.mem),
1089 rc = ops->write_emulated(
1090 linear(ctxt, c->dst.addr.mem),
1095 if (rc != X86EMUL_CONTINUE)
1104 return X86EMUL_CONTINUE;
1107 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1108 struct x86_emulate_ops *ops)
1110 struct decode_cache *c = &ctxt->decode;
1112 c->dst.type = OP_MEM;
1113 c->dst.bytes = c->op_bytes;
1114 c->dst.val = c->src.val;
1115 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1116 c->dst.addr.mem.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
1117 c->dst.addr.mem.seg = VCPU_SREG_SS;
1120 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1121 struct x86_emulate_ops *ops,
1122 void *dest, int len)
1124 struct decode_cache *c = &ctxt->decode;
1126 struct segmented_address addr;
1128 addr.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
1129 addr.seg = VCPU_SREG_SS;
1130 rc = read_emulated(ctxt, ops, linear(ctxt, addr), dest, len);
1131 if (rc != X86EMUL_CONTINUE)
1134 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1138 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1139 struct x86_emulate_ops *ops,
1140 void *dest, int len)
1143 unsigned long val, change_mask;
1144 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1145 int cpl = ops->cpl(ctxt->vcpu);
1147 rc = emulate_pop(ctxt, ops, &val, len);
1148 if (rc != X86EMUL_CONTINUE)
1151 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1152 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1154 switch(ctxt->mode) {
1155 case X86EMUL_MODE_PROT64:
1156 case X86EMUL_MODE_PROT32:
1157 case X86EMUL_MODE_PROT16:
1159 change_mask |= EFLG_IOPL;
1161 change_mask |= EFLG_IF;
1163 case X86EMUL_MODE_VM86:
1165 return emulate_gp(ctxt, 0);
1166 change_mask |= EFLG_IF;
1168 default: /* real mode */
1169 change_mask |= (EFLG_IOPL | EFLG_IF);
1173 *(unsigned long *)dest =
1174 (ctxt->eflags & ~change_mask) | (val & change_mask);
1179 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1180 struct x86_emulate_ops *ops, int seg)
1182 struct decode_cache *c = &ctxt->decode;
1184 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1186 emulate_push(ctxt, ops);
1189 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1190 struct x86_emulate_ops *ops, int seg)
1192 struct decode_cache *c = &ctxt->decode;
1193 unsigned long selector;
1196 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1197 if (rc != X86EMUL_CONTINUE)
1200 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1204 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1205 struct x86_emulate_ops *ops)
1207 struct decode_cache *c = &ctxt->decode;
1208 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1209 int rc = X86EMUL_CONTINUE;
1210 int reg = VCPU_REGS_RAX;
1212 while (reg <= VCPU_REGS_RDI) {
1213 (reg == VCPU_REGS_RSP) ?
1214 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1216 emulate_push(ctxt, ops);
1218 rc = writeback(ctxt, ops);
1219 if (rc != X86EMUL_CONTINUE)
1225 /* Disable writeback. */
1226 c->dst.type = OP_NONE;
1231 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1232 struct x86_emulate_ops *ops)
1234 struct decode_cache *c = &ctxt->decode;
1235 int rc = X86EMUL_CONTINUE;
1236 int reg = VCPU_REGS_RDI;
1238 while (reg >= VCPU_REGS_RAX) {
1239 if (reg == VCPU_REGS_RSP) {
1240 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1245 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1246 if (rc != X86EMUL_CONTINUE)
1253 int emulate_int_real(struct x86_emulate_ctxt *ctxt,
1254 struct x86_emulate_ops *ops, int irq)
1256 struct decode_cache *c = &ctxt->decode;
1263 /* TODO: Add limit checks */
1264 c->src.val = ctxt->eflags;
1265 emulate_push(ctxt, ops);
1266 rc = writeback(ctxt, ops);
1267 if (rc != X86EMUL_CONTINUE)
1270 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1272 c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1273 emulate_push(ctxt, ops);
1274 rc = writeback(ctxt, ops);
1275 if (rc != X86EMUL_CONTINUE)
1278 c->src.val = c->eip;
1279 emulate_push(ctxt, ops);
1280 rc = writeback(ctxt, ops);
1281 if (rc != X86EMUL_CONTINUE)
1284 c->dst.type = OP_NONE;
1286 ops->get_idt(&dt, ctxt->vcpu);
1288 eip_addr = dt.address + (irq << 2);
1289 cs_addr = dt.address + (irq << 2) + 2;
1291 rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &ctxt->exception);
1292 if (rc != X86EMUL_CONTINUE)
1295 rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &ctxt->exception);
1296 if (rc != X86EMUL_CONTINUE)
1299 rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
1300 if (rc != X86EMUL_CONTINUE)
1308 static int emulate_int(struct x86_emulate_ctxt *ctxt,
1309 struct x86_emulate_ops *ops, int irq)
1311 switch(ctxt->mode) {
1312 case X86EMUL_MODE_REAL:
1313 return emulate_int_real(ctxt, ops, irq);
1314 case X86EMUL_MODE_VM86:
1315 case X86EMUL_MODE_PROT16:
1316 case X86EMUL_MODE_PROT32:
1317 case X86EMUL_MODE_PROT64:
1319 /* Protected mode interrupts unimplemented yet */
1320 return X86EMUL_UNHANDLEABLE;
1324 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1325 struct x86_emulate_ops *ops)
1327 struct decode_cache *c = &ctxt->decode;
1328 int rc = X86EMUL_CONTINUE;
1329 unsigned long temp_eip = 0;
1330 unsigned long temp_eflags = 0;
1331 unsigned long cs = 0;
1332 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1333 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1334 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1335 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1337 /* TODO: Add stack limit check */
1339 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1341 if (rc != X86EMUL_CONTINUE)
1344 if (temp_eip & ~0xffff)
1345 return emulate_gp(ctxt, 0);
1347 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1349 if (rc != X86EMUL_CONTINUE)
1352 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1354 if (rc != X86EMUL_CONTINUE)
1357 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1359 if (rc != X86EMUL_CONTINUE)
1365 if (c->op_bytes == 4)
1366 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1367 else if (c->op_bytes == 2) {
1368 ctxt->eflags &= ~0xffff;
1369 ctxt->eflags |= temp_eflags;
1372 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1373 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1378 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1379 struct x86_emulate_ops* ops)
1381 switch(ctxt->mode) {
1382 case X86EMUL_MODE_REAL:
1383 return emulate_iret_real(ctxt, ops);
1384 case X86EMUL_MODE_VM86:
1385 case X86EMUL_MODE_PROT16:
1386 case X86EMUL_MODE_PROT32:
1387 case X86EMUL_MODE_PROT64:
1389 /* iret from protected mode unimplemented yet */
1390 return X86EMUL_UNHANDLEABLE;
1394 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1395 struct x86_emulate_ops *ops)
1397 struct decode_cache *c = &ctxt->decode;
1399 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1402 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1404 struct decode_cache *c = &ctxt->decode;
1405 switch (c->modrm_reg) {
1407 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1410 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1413 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1416 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1418 case 4: /* sal/shl */
1419 case 6: /* sal/shl */
1420 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1423 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1426 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1431 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1432 struct x86_emulate_ops *ops)
1434 struct decode_cache *c = &ctxt->decode;
1435 unsigned long *rax = &c->regs[VCPU_REGS_RAX];
1436 unsigned long *rdx = &c->regs[VCPU_REGS_RDX];
1439 switch (c->modrm_reg) {
1440 case 0 ... 1: /* test */
1441 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1444 c->dst.val = ~c->dst.val;
1447 emulate_1op("neg", c->dst, ctxt->eflags);
1450 emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
1453 emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
1456 emulate_1op_rax_rdx_ex("div", c->src, *rax, *rdx,
1460 emulate_1op_rax_rdx_ex("idiv", c->src, *rax, *rdx,
1464 return X86EMUL_UNHANDLEABLE;
1467 return emulate_de(ctxt);
1468 return X86EMUL_CONTINUE;
1471 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1472 struct x86_emulate_ops *ops)
1474 struct decode_cache *c = &ctxt->decode;
1476 switch (c->modrm_reg) {
1478 emulate_1op("inc", c->dst, ctxt->eflags);
1481 emulate_1op("dec", c->dst, ctxt->eflags);
1483 case 2: /* call near abs */ {
1486 c->eip = c->src.val;
1487 c->src.val = old_eip;
1488 emulate_push(ctxt, ops);
1491 case 4: /* jmp abs */
1492 c->eip = c->src.val;
1495 emulate_push(ctxt, ops);
1498 return X86EMUL_CONTINUE;
1501 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1502 struct x86_emulate_ops *ops)
1504 struct decode_cache *c = &ctxt->decode;
1505 u64 old = c->dst.orig_val64;
1507 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1508 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1509 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1510 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1511 ctxt->eflags &= ~EFLG_ZF;
1513 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1514 (u32) c->regs[VCPU_REGS_RBX];
1516 ctxt->eflags |= EFLG_ZF;
1518 return X86EMUL_CONTINUE;
1521 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1522 struct x86_emulate_ops *ops)
1524 struct decode_cache *c = &ctxt->decode;
1528 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1529 if (rc != X86EMUL_CONTINUE)
1531 if (c->op_bytes == 4)
1532 c->eip = (u32)c->eip;
1533 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1534 if (rc != X86EMUL_CONTINUE)
1536 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1540 static int emulate_load_segment(struct x86_emulate_ctxt *ctxt,
1541 struct x86_emulate_ops *ops, int seg)
1543 struct decode_cache *c = &ctxt->decode;
1547 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
1549 rc = load_segment_descriptor(ctxt, ops, sel, seg);
1550 if (rc != X86EMUL_CONTINUE)
1553 c->dst.val = c->src.val;
1558 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1559 struct x86_emulate_ops *ops, struct desc_struct *cs,
1560 struct desc_struct *ss)
1562 memset(cs, 0, sizeof(struct desc_struct));
1563 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1564 memset(ss, 0, sizeof(struct desc_struct));
1566 cs->l = 0; /* will be adjusted later */
1567 set_desc_base(cs, 0); /* flat segment */
1568 cs->g = 1; /* 4kb granularity */
1569 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1570 cs->type = 0x0b; /* Read, Execute, Accessed */
1572 cs->dpl = 0; /* will be adjusted later */
1576 set_desc_base(ss, 0); /* flat segment */
1577 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1578 ss->g = 1; /* 4kb granularity */
1580 ss->type = 0x03; /* Read/Write, Accessed */
1581 ss->d = 1; /* 32bit stack segment */
1587 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1589 struct decode_cache *c = &ctxt->decode;
1590 struct desc_struct cs, ss;
1594 /* syscall is not available in real mode */
1595 if (ctxt->mode == X86EMUL_MODE_REAL ||
1596 ctxt->mode == X86EMUL_MODE_VM86)
1597 return emulate_ud(ctxt);
1599 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1601 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1603 cs_sel = (u16)(msr_data & 0xfffc);
1604 ss_sel = (u16)(msr_data + 8);
1606 if (is_long_mode(ctxt->vcpu)) {
1610 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1611 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1612 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1613 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1615 c->regs[VCPU_REGS_RCX] = c->eip;
1616 if (is_long_mode(ctxt->vcpu)) {
1617 #ifdef CONFIG_X86_64
1618 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1620 ops->get_msr(ctxt->vcpu,
1621 ctxt->mode == X86EMUL_MODE_PROT64 ?
1622 MSR_LSTAR : MSR_CSTAR, &msr_data);
1625 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1626 ctxt->eflags &= ~(msr_data | EFLG_RF);
1630 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1631 c->eip = (u32)msr_data;
1633 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1636 return X86EMUL_CONTINUE;
1640 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1642 struct decode_cache *c = &ctxt->decode;
1643 struct desc_struct cs, ss;
1647 /* inject #GP if in real mode */
1648 if (ctxt->mode == X86EMUL_MODE_REAL)
1649 return emulate_gp(ctxt, 0);
1651 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1652 * Therefore, we inject an #UD.
1654 if (ctxt->mode == X86EMUL_MODE_PROT64)
1655 return emulate_ud(ctxt);
1657 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1659 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1660 switch (ctxt->mode) {
1661 case X86EMUL_MODE_PROT32:
1662 if ((msr_data & 0xfffc) == 0x0)
1663 return emulate_gp(ctxt, 0);
1665 case X86EMUL_MODE_PROT64:
1666 if (msr_data == 0x0)
1667 return emulate_gp(ctxt, 0);
1671 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1672 cs_sel = (u16)msr_data;
1673 cs_sel &= ~SELECTOR_RPL_MASK;
1674 ss_sel = cs_sel + 8;
1675 ss_sel &= ~SELECTOR_RPL_MASK;
1676 if (ctxt->mode == X86EMUL_MODE_PROT64
1677 || is_long_mode(ctxt->vcpu)) {
1682 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1683 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1684 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1685 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1687 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1690 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1691 c->regs[VCPU_REGS_RSP] = msr_data;
1693 return X86EMUL_CONTINUE;
1697 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1699 struct decode_cache *c = &ctxt->decode;
1700 struct desc_struct cs, ss;
1705 /* inject #GP if in real mode or Virtual 8086 mode */
1706 if (ctxt->mode == X86EMUL_MODE_REAL ||
1707 ctxt->mode == X86EMUL_MODE_VM86)
1708 return emulate_gp(ctxt, 0);
1710 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1712 if ((c->rex_prefix & 0x8) != 0x0)
1713 usermode = X86EMUL_MODE_PROT64;
1715 usermode = X86EMUL_MODE_PROT32;
1719 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1721 case X86EMUL_MODE_PROT32:
1722 cs_sel = (u16)(msr_data + 16);
1723 if ((msr_data & 0xfffc) == 0x0)
1724 return emulate_gp(ctxt, 0);
1725 ss_sel = (u16)(msr_data + 24);
1727 case X86EMUL_MODE_PROT64:
1728 cs_sel = (u16)(msr_data + 32);
1729 if (msr_data == 0x0)
1730 return emulate_gp(ctxt, 0);
1731 ss_sel = cs_sel + 8;
1736 cs_sel |= SELECTOR_RPL_MASK;
1737 ss_sel |= SELECTOR_RPL_MASK;
1739 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1740 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1741 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1742 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1744 c->eip = c->regs[VCPU_REGS_RDX];
1745 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1747 return X86EMUL_CONTINUE;
1750 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1751 struct x86_emulate_ops *ops)
1754 if (ctxt->mode == X86EMUL_MODE_REAL)
1756 if (ctxt->mode == X86EMUL_MODE_VM86)
1758 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1759 return ops->cpl(ctxt->vcpu) > iopl;
1762 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1763 struct x86_emulate_ops *ops,
1766 struct desc_struct tr_seg;
1769 u8 perm, bit_idx = port & 0x7;
1770 unsigned mask = (1 << len) - 1;
1772 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1775 if (desc_limit_scaled(&tr_seg) < 103)
1777 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1779 if (r != X86EMUL_CONTINUE)
1781 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1783 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1784 &perm, 1, ctxt->vcpu, NULL);
1785 if (r != X86EMUL_CONTINUE)
1787 if ((perm >> bit_idx) & mask)
1792 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1793 struct x86_emulate_ops *ops,
1799 if (emulator_bad_iopl(ctxt, ops))
1800 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1803 ctxt->perm_ok = true;
1808 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1809 struct x86_emulate_ops *ops,
1810 struct tss_segment_16 *tss)
1812 struct decode_cache *c = &ctxt->decode;
1815 tss->flag = ctxt->eflags;
1816 tss->ax = c->regs[VCPU_REGS_RAX];
1817 tss->cx = c->regs[VCPU_REGS_RCX];
1818 tss->dx = c->regs[VCPU_REGS_RDX];
1819 tss->bx = c->regs[VCPU_REGS_RBX];
1820 tss->sp = c->regs[VCPU_REGS_RSP];
1821 tss->bp = c->regs[VCPU_REGS_RBP];
1822 tss->si = c->regs[VCPU_REGS_RSI];
1823 tss->di = c->regs[VCPU_REGS_RDI];
1825 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1826 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1827 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1828 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1829 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1832 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1833 struct x86_emulate_ops *ops,
1834 struct tss_segment_16 *tss)
1836 struct decode_cache *c = &ctxt->decode;
1840 ctxt->eflags = tss->flag | 2;
1841 c->regs[VCPU_REGS_RAX] = tss->ax;
1842 c->regs[VCPU_REGS_RCX] = tss->cx;
1843 c->regs[VCPU_REGS_RDX] = tss->dx;
1844 c->regs[VCPU_REGS_RBX] = tss->bx;
1845 c->regs[VCPU_REGS_RSP] = tss->sp;
1846 c->regs[VCPU_REGS_RBP] = tss->bp;
1847 c->regs[VCPU_REGS_RSI] = tss->si;
1848 c->regs[VCPU_REGS_RDI] = tss->di;
1851 * SDM says that segment selectors are loaded before segment
1854 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1855 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1856 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1857 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1858 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1861 * Now load segment descriptors. If fault happenes at this stage
1862 * it is handled in a context of new task
1864 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1865 if (ret != X86EMUL_CONTINUE)
1867 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1868 if (ret != X86EMUL_CONTINUE)
1870 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1871 if (ret != X86EMUL_CONTINUE)
1873 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1874 if (ret != X86EMUL_CONTINUE)
1876 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1877 if (ret != X86EMUL_CONTINUE)
1880 return X86EMUL_CONTINUE;
1883 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1884 struct x86_emulate_ops *ops,
1885 u16 tss_selector, u16 old_tss_sel,
1886 ulong old_tss_base, struct desc_struct *new_desc)
1888 struct tss_segment_16 tss_seg;
1890 u32 new_tss_base = get_desc_base(new_desc);
1892 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1894 if (ret != X86EMUL_CONTINUE)
1895 /* FIXME: need to provide precise fault address */
1898 save_state_to_tss16(ctxt, ops, &tss_seg);
1900 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1902 if (ret != X86EMUL_CONTINUE)
1903 /* FIXME: need to provide precise fault address */
1906 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1908 if (ret != X86EMUL_CONTINUE)
1909 /* FIXME: need to provide precise fault address */
1912 if (old_tss_sel != 0xffff) {
1913 tss_seg.prev_task_link = old_tss_sel;
1915 ret = ops->write_std(new_tss_base,
1916 &tss_seg.prev_task_link,
1917 sizeof tss_seg.prev_task_link,
1918 ctxt->vcpu, &ctxt->exception);
1919 if (ret != X86EMUL_CONTINUE)
1920 /* FIXME: need to provide precise fault address */
1924 return load_state_from_tss16(ctxt, ops, &tss_seg);
1927 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1928 struct x86_emulate_ops *ops,
1929 struct tss_segment_32 *tss)
1931 struct decode_cache *c = &ctxt->decode;
1933 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
1935 tss->eflags = ctxt->eflags;
1936 tss->eax = c->regs[VCPU_REGS_RAX];
1937 tss->ecx = c->regs[VCPU_REGS_RCX];
1938 tss->edx = c->regs[VCPU_REGS_RDX];
1939 tss->ebx = c->regs[VCPU_REGS_RBX];
1940 tss->esp = c->regs[VCPU_REGS_RSP];
1941 tss->ebp = c->regs[VCPU_REGS_RBP];
1942 tss->esi = c->regs[VCPU_REGS_RSI];
1943 tss->edi = c->regs[VCPU_REGS_RDI];
1945 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1946 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1947 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1948 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1949 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
1950 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
1951 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1954 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1955 struct x86_emulate_ops *ops,
1956 struct tss_segment_32 *tss)
1958 struct decode_cache *c = &ctxt->decode;
1961 if (ops->set_cr(3, tss->cr3, ctxt->vcpu))
1962 return emulate_gp(ctxt, 0);
1964 ctxt->eflags = tss->eflags | 2;
1965 c->regs[VCPU_REGS_RAX] = tss->eax;
1966 c->regs[VCPU_REGS_RCX] = tss->ecx;
1967 c->regs[VCPU_REGS_RDX] = tss->edx;
1968 c->regs[VCPU_REGS_RBX] = tss->ebx;
1969 c->regs[VCPU_REGS_RSP] = tss->esp;
1970 c->regs[VCPU_REGS_RBP] = tss->ebp;
1971 c->regs[VCPU_REGS_RSI] = tss->esi;
1972 c->regs[VCPU_REGS_RDI] = tss->edi;
1975 * SDM says that segment selectors are loaded before segment
1978 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
1979 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1980 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1981 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1982 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1983 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
1984 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
1987 * Now load segment descriptors. If fault happenes at this stage
1988 * it is handled in a context of new task
1990 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
1991 if (ret != X86EMUL_CONTINUE)
1993 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1994 if (ret != X86EMUL_CONTINUE)
1996 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1997 if (ret != X86EMUL_CONTINUE)
1999 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2000 if (ret != X86EMUL_CONTINUE)
2002 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2003 if (ret != X86EMUL_CONTINUE)
2005 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2006 if (ret != X86EMUL_CONTINUE)
2008 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2009 if (ret != X86EMUL_CONTINUE)
2012 return X86EMUL_CONTINUE;
2015 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2016 struct x86_emulate_ops *ops,
2017 u16 tss_selector, u16 old_tss_sel,
2018 ulong old_tss_base, struct desc_struct *new_desc)
2020 struct tss_segment_32 tss_seg;
2022 u32 new_tss_base = get_desc_base(new_desc);
2024 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2026 if (ret != X86EMUL_CONTINUE)
2027 /* FIXME: need to provide precise fault address */
2030 save_state_to_tss32(ctxt, ops, &tss_seg);
2032 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2034 if (ret != X86EMUL_CONTINUE)
2035 /* FIXME: need to provide precise fault address */
2038 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2040 if (ret != X86EMUL_CONTINUE)
2041 /* FIXME: need to provide precise fault address */
2044 if (old_tss_sel != 0xffff) {
2045 tss_seg.prev_task_link = old_tss_sel;
2047 ret = ops->write_std(new_tss_base,
2048 &tss_seg.prev_task_link,
2049 sizeof tss_seg.prev_task_link,
2050 ctxt->vcpu, &ctxt->exception);
2051 if (ret != X86EMUL_CONTINUE)
2052 /* FIXME: need to provide precise fault address */
2056 return load_state_from_tss32(ctxt, ops, &tss_seg);
2059 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2060 struct x86_emulate_ops *ops,
2061 u16 tss_selector, int reason,
2062 bool has_error_code, u32 error_code)
2064 struct desc_struct curr_tss_desc, next_tss_desc;
2066 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2067 ulong old_tss_base =
2068 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2071 /* FIXME: old_tss_base == ~0 ? */
2073 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2074 if (ret != X86EMUL_CONTINUE)
2076 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2077 if (ret != X86EMUL_CONTINUE)
2080 /* FIXME: check that next_tss_desc is tss */
2082 if (reason != TASK_SWITCH_IRET) {
2083 if ((tss_selector & 3) > next_tss_desc.dpl ||
2084 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl)
2085 return emulate_gp(ctxt, 0);
2088 desc_limit = desc_limit_scaled(&next_tss_desc);
2089 if (!next_tss_desc.p ||
2090 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2091 desc_limit < 0x2b)) {
2092 emulate_ts(ctxt, tss_selector & 0xfffc);
2093 return X86EMUL_PROPAGATE_FAULT;
2096 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2097 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2098 write_segment_descriptor(ctxt, ops, old_tss_sel,
2102 if (reason == TASK_SWITCH_IRET)
2103 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2105 /* set back link to prev task only if NT bit is set in eflags
2106 note that old_tss_sel is not used afetr this point */
2107 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2108 old_tss_sel = 0xffff;
2110 if (next_tss_desc.type & 8)
2111 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2112 old_tss_base, &next_tss_desc);
2114 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2115 old_tss_base, &next_tss_desc);
2116 if (ret != X86EMUL_CONTINUE)
2119 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2120 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2122 if (reason != TASK_SWITCH_IRET) {
2123 next_tss_desc.type |= (1 << 1); /* set busy flag */
2124 write_segment_descriptor(ctxt, ops, tss_selector,
2128 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2129 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2130 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2132 if (has_error_code) {
2133 struct decode_cache *c = &ctxt->decode;
2135 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2137 c->src.val = (unsigned long) error_code;
2138 emulate_push(ctxt, ops);
2144 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2145 u16 tss_selector, int reason,
2146 bool has_error_code, u32 error_code)
2148 struct x86_emulate_ops *ops = ctxt->ops;
2149 struct decode_cache *c = &ctxt->decode;
2153 c->dst.type = OP_NONE;
2155 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2156 has_error_code, error_code);
2158 if (rc == X86EMUL_CONTINUE) {
2159 rc = writeback(ctxt, ops);
2160 if (rc == X86EMUL_CONTINUE)
2164 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2167 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
2168 int reg, struct operand *op)
2170 struct decode_cache *c = &ctxt->decode;
2171 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2173 register_address_increment(c, &c->regs[reg], df * op->bytes);
2174 op->addr.mem.ea = register_address(c, c->regs[reg]);
2175 op->addr.mem.seg = seg;
2178 static int em_push(struct x86_emulate_ctxt *ctxt)
2180 emulate_push(ctxt, ctxt->ops);
2181 return X86EMUL_CONTINUE;
2184 static int em_das(struct x86_emulate_ctxt *ctxt)
2186 struct decode_cache *c = &ctxt->decode;
2188 bool af, cf, old_cf;
2190 cf = ctxt->eflags & X86_EFLAGS_CF;
2196 af = ctxt->eflags & X86_EFLAGS_AF;
2197 if ((al & 0x0f) > 9 || af) {
2199 cf = old_cf | (al >= 250);
2204 if (old_al > 0x99 || old_cf) {
2210 /* Set PF, ZF, SF */
2211 c->src.type = OP_IMM;
2214 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2215 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2217 ctxt->eflags |= X86_EFLAGS_CF;
2219 ctxt->eflags |= X86_EFLAGS_AF;
2220 return X86EMUL_CONTINUE;
2223 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2225 struct decode_cache *c = &ctxt->decode;
2230 old_cs = ctxt->ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2233 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2234 if (load_segment_descriptor(ctxt, ctxt->ops, sel, VCPU_SREG_CS))
2235 return X86EMUL_CONTINUE;
2238 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2240 c->src.val = old_cs;
2241 emulate_push(ctxt, ctxt->ops);
2242 rc = writeback(ctxt, ctxt->ops);
2243 if (rc != X86EMUL_CONTINUE)
2246 c->src.val = old_eip;
2247 emulate_push(ctxt, ctxt->ops);
2248 rc = writeback(ctxt, ctxt->ops);
2249 if (rc != X86EMUL_CONTINUE)
2252 c->dst.type = OP_NONE;
2254 return X86EMUL_CONTINUE;
2257 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2259 struct decode_cache *c = &ctxt->decode;
2262 c->dst.type = OP_REG;
2263 c->dst.addr.reg = &c->eip;
2264 c->dst.bytes = c->op_bytes;
2265 rc = emulate_pop(ctxt, ctxt->ops, &c->dst.val, c->op_bytes);
2266 if (rc != X86EMUL_CONTINUE)
2268 register_address_increment(c, &c->regs[VCPU_REGS_RSP], c->src.val);
2269 return X86EMUL_CONTINUE;
2272 static int em_imul(struct x86_emulate_ctxt *ctxt)
2274 struct decode_cache *c = &ctxt->decode;
2276 emulate_2op_SrcV_nobyte("imul", c->src, c->dst, ctxt->eflags);
2277 return X86EMUL_CONTINUE;
2280 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2282 struct decode_cache *c = &ctxt->decode;
2284 c->dst.val = c->src2.val;
2285 return em_imul(ctxt);
2288 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2290 struct decode_cache *c = &ctxt->decode;
2292 c->dst.type = OP_REG;
2293 c->dst.bytes = c->src.bytes;
2294 c->dst.addr.reg = &c->regs[VCPU_REGS_RDX];
2295 c->dst.val = ~((c->src.val >> (c->src.bytes * 8 - 1)) - 1);
2297 return X86EMUL_CONTINUE;
2300 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2302 unsigned cpl = ctxt->ops->cpl(ctxt->vcpu);
2303 struct decode_cache *c = &ctxt->decode;
2306 if (cpl > 0 && (ctxt->ops->get_cr(4, ctxt->vcpu) & X86_CR4_TSD))
2307 return emulate_gp(ctxt, 0);
2308 ctxt->ops->get_msr(ctxt->vcpu, MSR_IA32_TSC, &tsc);
2309 c->regs[VCPU_REGS_RAX] = (u32)tsc;
2310 c->regs[VCPU_REGS_RDX] = tsc >> 32;
2311 return X86EMUL_CONTINUE;
2314 static int em_mov(struct x86_emulate_ctxt *ctxt)
2316 struct decode_cache *c = &ctxt->decode;
2317 c->dst.val = c->src.val;
2318 return X86EMUL_CONTINUE;
2321 #define D(_y) { .flags = (_y) }
2323 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2324 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2325 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2327 #define D2bv(_f) D((_f) | ByteOp), D(_f)
2328 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
2330 #define D6ALU(_f) D2bv((_f) | DstMem | SrcReg | ModRM), \
2331 D2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock), \
2332 D2bv(((_f) & ~Lock) | DstAcc | SrcImm)
2335 static struct opcode group1[] = {
2339 static struct opcode group1A[] = {
2340 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2343 static struct opcode group3[] = {
2344 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2345 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2346 X4(D(SrcMem | ModRM)),
2349 static struct opcode group4[] = {
2350 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2354 static struct opcode group5[] = {
2355 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2356 D(SrcMem | ModRM | Stack),
2357 I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
2358 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2359 D(SrcMem | ModRM | Stack), N,
2362 static struct group_dual group7 = { {
2363 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2364 D(SrcNone | ModRM | DstMem | Mov), N,
2365 D(SrcMem16 | ModRM | Mov | Priv),
2366 D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
2368 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
2369 D(SrcNone | ModRM | DstMem | Mov), N,
2370 D(SrcMem16 | ModRM | Mov | Priv), N,
2373 static struct opcode group8[] = {
2375 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2376 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2379 static struct group_dual group9 = { {
2380 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2382 N, N, N, N, N, N, N, N,
2385 static struct opcode group11[] = {
2386 I(DstMem | SrcImm | ModRM | Mov, em_mov), X7(D(Undefined)),
2389 static struct opcode opcode_table[256] = {
2392 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2395 D(ImplicitOps | Stack | No64), N,
2398 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2401 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2405 D6ALU(Lock), N, I(ByteOp | DstAcc | No64, em_das),
2413 X8(I(SrcReg | Stack, em_push)),
2415 X8(D(DstReg | Stack)),
2417 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2418 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2421 I(SrcImm | Mov | Stack, em_push),
2422 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
2423 I(SrcImmByte | Mov | Stack, em_push),
2424 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
2425 D2bv(DstDI | Mov | String), /* insb, insw/insd */
2426 D2bv(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2430 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2431 G(DstMem | SrcImm | ModRM | Group, group1),
2432 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2433 G(DstMem | SrcImmByte | ModRM | Group, group1),
2434 D2bv(DstMem | SrcReg | ModRM), D2bv(DstMem | SrcReg | ModRM | Lock),
2436 I2bv(DstMem | SrcReg | ModRM | Mov, em_mov),
2437 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
2438 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2439 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2441 X8(D(SrcAcc | DstReg)),
2443 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
2444 I(SrcImmFAddr | No64, em_call_far), N,
2445 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2447 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
2448 I2bv(DstMem | SrcAcc | Mov | MemAbs, em_mov),
2449 I2bv(SrcSI | DstDI | Mov | String, em_mov),
2450 D2bv(SrcSI | DstDI | String),
2452 D2bv(DstAcc | SrcImm),
2453 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
2454 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
2455 D2bv(SrcAcc | DstDI | String),
2457 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
2459 X8(I(DstReg | SrcImm | Mov, em_mov)),
2461 D2bv(DstMem | SrcImmByte | ModRM),
2462 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
2463 D(ImplicitOps | Stack),
2464 D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr | ModRM | No64),
2465 G(ByteOp, group11), G(0, group11),
2467 N, N, N, D(ImplicitOps | Stack),
2468 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2470 D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
2473 N, N, N, N, N, N, N, N,
2476 D2bv(SrcImmUByte | DstAcc), D2bv(SrcAcc | DstImmUByte),
2478 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2479 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2480 D2bv(SrcNone | DstAcc), D2bv(SrcAcc | ImplicitOps),
2483 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2485 D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
2486 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2489 static struct opcode twobyte_table[256] = {
2491 N, GD(0, &group7), N, N,
2492 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
2493 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
2494 N, D(ImplicitOps | ModRM), N, N,
2496 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2498 D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
2499 D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
2501 N, N, N, N, N, N, N, N,
2503 D(ImplicitOps | Priv), I(ImplicitOps, em_rdtsc),
2504 D(ImplicitOps | Priv), N,
2505 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
2506 N, N, N, N, N, N, N, N,
2508 X16(D(DstReg | SrcMem | ModRM | Mov)),
2510 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2512 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2514 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2518 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
2520 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2521 N, D(DstMem | SrcReg | ModRM | BitOp),
2522 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2523 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2525 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2526 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2527 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2528 D(DstMem | SrcReg | Src2CL | ModRM),
2529 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
2531 D2bv(DstMem | SrcReg | ModRM | Lock),
2532 D(DstReg | SrcMemFAddr | ModRM), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2533 D(DstReg | SrcMemFAddr | ModRM), D(DstReg | SrcMemFAddr | ModRM),
2534 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2537 G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2538 D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2539 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2541 D2bv(DstMem | SrcReg | ModRM | Lock),
2542 N, D(DstMem | SrcReg | ModRM | Mov),
2543 N, N, N, GD(0, &group9),
2544 N, N, N, N, N, N, N, N,
2546 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2548 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2550 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2563 static unsigned imm_size(struct decode_cache *c)
2567 size = (c->d & ByteOp) ? 1 : c->op_bytes;
2573 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
2574 unsigned size, bool sign_extension)
2576 struct decode_cache *c = &ctxt->decode;
2577 struct x86_emulate_ops *ops = ctxt->ops;
2578 int rc = X86EMUL_CONTINUE;
2582 op->addr.mem.ea = c->eip;
2583 /* NB. Immediates are sign-extended as necessary. */
2584 switch (op->bytes) {
2586 op->val = insn_fetch(s8, 1, c->eip);
2589 op->val = insn_fetch(s16, 2, c->eip);
2592 op->val = insn_fetch(s32, 4, c->eip);
2595 if (!sign_extension) {
2596 switch (op->bytes) {
2604 op->val &= 0xffffffff;
2613 x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
2615 struct x86_emulate_ops *ops = ctxt->ops;
2616 struct decode_cache *c = &ctxt->decode;
2617 int rc = X86EMUL_CONTINUE;
2618 int mode = ctxt->mode;
2619 int def_op_bytes, def_ad_bytes, dual, goffset;
2620 struct opcode opcode, *g_mod012, *g_mod3;
2621 struct operand memop = { .type = OP_NONE };
2624 c->fetch.start = c->eip;
2625 c->fetch.end = c->fetch.start + insn_len;
2627 memcpy(c->fetch.data, insn, insn_len);
2628 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2631 case X86EMUL_MODE_REAL:
2632 case X86EMUL_MODE_VM86:
2633 case X86EMUL_MODE_PROT16:
2634 def_op_bytes = def_ad_bytes = 2;
2636 case X86EMUL_MODE_PROT32:
2637 def_op_bytes = def_ad_bytes = 4;
2639 #ifdef CONFIG_X86_64
2640 case X86EMUL_MODE_PROT64:
2649 c->op_bytes = def_op_bytes;
2650 c->ad_bytes = def_ad_bytes;
2652 /* Legacy prefixes. */
2654 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2655 case 0x66: /* operand-size override */
2656 /* switch between 2/4 bytes */
2657 c->op_bytes = def_op_bytes ^ 6;
2659 case 0x67: /* address-size override */
2660 if (mode == X86EMUL_MODE_PROT64)
2661 /* switch between 4/8 bytes */
2662 c->ad_bytes = def_ad_bytes ^ 12;
2664 /* switch between 2/4 bytes */
2665 c->ad_bytes = def_ad_bytes ^ 6;
2667 case 0x26: /* ES override */
2668 case 0x2e: /* CS override */
2669 case 0x36: /* SS override */
2670 case 0x3e: /* DS override */
2671 set_seg_override(c, (c->b >> 3) & 3);
2673 case 0x64: /* FS override */
2674 case 0x65: /* GS override */
2675 set_seg_override(c, c->b & 7);
2677 case 0x40 ... 0x4f: /* REX */
2678 if (mode != X86EMUL_MODE_PROT64)
2680 c->rex_prefix = c->b;
2682 case 0xf0: /* LOCK */
2685 case 0xf2: /* REPNE/REPNZ */
2686 c->rep_prefix = REPNE_PREFIX;
2688 case 0xf3: /* REP/REPE/REPZ */
2689 c->rep_prefix = REPE_PREFIX;
2695 /* Any legacy prefix after a REX prefix nullifies its effect. */
2703 if (c->rex_prefix & 8)
2704 c->op_bytes = 8; /* REX.W */
2706 /* Opcode byte(s). */
2707 opcode = opcode_table[c->b];
2708 /* Two-byte opcode? */
2711 c->b = insn_fetch(u8, 1, c->eip);
2712 opcode = twobyte_table[c->b];
2714 c->d = opcode.flags;
2717 dual = c->d & GroupDual;
2718 c->modrm = insn_fetch(u8, 1, c->eip);
2721 if (c->d & GroupDual) {
2722 g_mod012 = opcode.u.gdual->mod012;
2723 g_mod3 = opcode.u.gdual->mod3;
2725 g_mod012 = g_mod3 = opcode.u.group;
2727 c->d &= ~(Group | GroupDual);
2729 goffset = (c->modrm >> 3) & 7;
2731 if ((c->modrm >> 6) == 3)
2732 opcode = g_mod3[goffset];
2734 opcode = g_mod012[goffset];
2735 c->d |= opcode.flags;
2738 c->execute = opcode.u.execute;
2741 if (c->d == 0 || (c->d & Undefined))
2744 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2747 if (c->d & Op3264) {
2748 if (mode == X86EMUL_MODE_PROT64)
2754 /* ModRM and SIB bytes. */
2756 rc = decode_modrm(ctxt, ops, &memop);
2757 if (!c->has_seg_override)
2758 set_seg_override(c, c->modrm_seg);
2759 } else if (c->d & MemAbs)
2760 rc = decode_abs(ctxt, ops, &memop);
2761 if (rc != X86EMUL_CONTINUE)
2764 if (!c->has_seg_override)
2765 set_seg_override(c, VCPU_SREG_DS);
2767 memop.addr.mem.seg = seg_override(ctxt, ops, c);
2769 if (memop.type == OP_MEM && c->ad_bytes != 8)
2770 memop.addr.mem.ea = (u32)memop.addr.mem.ea;
2772 if (memop.type == OP_MEM && c->rip_relative)
2773 memop.addr.mem.ea += c->eip;
2776 * Decode and fetch the source operand: register, memory
2779 switch (c->d & SrcMask) {
2783 decode_register_operand(&c->src, c, 0);
2792 memop.bytes = (c->d & ByteOp) ? 1 :
2798 rc = decode_imm(ctxt, &c->src, 2, false);
2801 rc = decode_imm(ctxt, &c->src, imm_size(c), true);
2804 rc = decode_imm(ctxt, &c->src, imm_size(c), false);
2807 rc = decode_imm(ctxt, &c->src, 1, true);
2810 rc = decode_imm(ctxt, &c->src, 1, false);
2813 c->src.type = OP_REG;
2814 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2815 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2816 fetch_register_operand(&c->src);
2823 c->src.type = OP_MEM;
2824 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2825 c->src.addr.mem.ea =
2826 register_address(c, c->regs[VCPU_REGS_RSI]);
2827 c->src.addr.mem.seg = seg_override(ctxt, ops, c),
2831 c->src.type = OP_IMM;
2832 c->src.addr.mem.ea = c->eip;
2833 c->src.bytes = c->op_bytes + 2;
2834 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2837 memop.bytes = c->op_bytes + 2;
2842 if (rc != X86EMUL_CONTINUE)
2846 * Decode and fetch the second source operand: register, memory
2849 switch (c->d & Src2Mask) {
2854 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2857 rc = decode_imm(ctxt, &c->src2, 1, true);
2864 rc = decode_imm(ctxt, &c->src2, imm_size(c), true);
2868 if (rc != X86EMUL_CONTINUE)
2871 /* Decode and fetch the destination operand: register or memory. */
2872 switch (c->d & DstMask) {
2874 decode_register_operand(&c->dst, c,
2875 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2878 c->dst.type = OP_IMM;
2879 c->dst.addr.mem.ea = c->eip;
2881 c->dst.val = insn_fetch(u8, 1, c->eip);
2886 if ((c->d & DstMask) == DstMem64)
2889 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2891 fetch_bit_operand(c);
2892 c->dst.orig_val = c->dst.val;
2895 c->dst.type = OP_REG;
2896 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2897 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
2898 fetch_register_operand(&c->dst);
2899 c->dst.orig_val = c->dst.val;
2902 c->dst.type = OP_MEM;
2903 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2904 c->dst.addr.mem.ea =
2905 register_address(c, c->regs[VCPU_REGS_RDI]);
2906 c->dst.addr.mem.seg = VCPU_SREG_ES;
2910 /* Special instructions do their own operand decoding. */
2912 c->dst.type = OP_NONE; /* Disable writeback. */
2917 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2920 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
2922 struct decode_cache *c = &ctxt->decode;
2924 /* The second termination condition only applies for REPE
2925 * and REPNE. Test if the repeat string operation prefix is
2926 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2927 * corresponding termination condition according to:
2928 * - if REPE/REPZ and ZF = 0 then done
2929 * - if REPNE/REPNZ and ZF = 1 then done
2931 if (((c->b == 0xa6) || (c->b == 0xa7) ||
2932 (c->b == 0xae) || (c->b == 0xaf))
2933 && (((c->rep_prefix == REPE_PREFIX) &&
2934 ((ctxt->eflags & EFLG_ZF) == 0))
2935 || ((c->rep_prefix == REPNE_PREFIX) &&
2936 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
2943 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2945 struct x86_emulate_ops *ops = ctxt->ops;
2947 struct decode_cache *c = &ctxt->decode;
2948 int rc = X86EMUL_CONTINUE;
2949 int saved_dst_type = c->dst.type;
2950 int irq; /* Used for int 3, int, and into */
2952 ctxt->decode.mem_read.pos = 0;
2954 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2955 rc = emulate_ud(ctxt);
2959 /* LOCK prefix is allowed only with some instructions */
2960 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2961 rc = emulate_ud(ctxt);
2965 if ((c->d & SrcMask) == SrcMemFAddr && c->src.type != OP_MEM) {
2966 rc = emulate_ud(ctxt);
2970 /* Privileged instruction can be executed only in CPL=0 */
2971 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2972 rc = emulate_gp(ctxt, 0);
2976 if (c->rep_prefix && (c->d & String)) {
2977 /* All REP prefixes have the same first termination condition */
2978 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2984 if ((c->src.type == OP_MEM) && !(c->d & NoAccess)) {
2985 rc = read_emulated(ctxt, ops, linear(ctxt, c->src.addr.mem),
2986 c->src.valptr, c->src.bytes);
2987 if (rc != X86EMUL_CONTINUE)
2989 c->src.orig_val64 = c->src.val64;
2992 if (c->src2.type == OP_MEM) {
2993 rc = read_emulated(ctxt, ops, linear(ctxt, c->src2.addr.mem),
2994 &c->src2.val, c->src2.bytes);
2995 if (rc != X86EMUL_CONTINUE)
2999 if ((c->d & DstMask) == ImplicitOps)
3003 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
3004 /* optimisation - avoid slow emulated read if Mov */
3005 rc = read_emulated(ctxt, ops, linear(ctxt, c->dst.addr.mem),
3006 &c->dst.val, c->dst.bytes);
3007 if (rc != X86EMUL_CONTINUE)
3010 c->dst.orig_val = c->dst.val;
3015 rc = c->execute(ctxt);
3016 if (rc != X86EMUL_CONTINUE)
3027 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3029 case 0x06: /* push es */
3030 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
3032 case 0x07: /* pop es */
3033 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
3037 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
3039 case 0x0e: /* push cs */
3040 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
3044 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
3046 case 0x16: /* push ss */
3047 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
3049 case 0x17: /* pop ss */
3050 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
3054 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
3056 case 0x1e: /* push ds */
3057 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
3059 case 0x1f: /* pop ds */
3060 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
3064 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
3068 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
3072 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
3076 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3078 case 0x40 ... 0x47: /* inc r16/r32 */
3079 emulate_1op("inc", c->dst, ctxt->eflags);
3081 case 0x48 ... 0x4f: /* dec r16/r32 */
3082 emulate_1op("dec", c->dst, ctxt->eflags);
3084 case 0x58 ... 0x5f: /* pop reg */
3086 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
3088 case 0x60: /* pusha */
3089 rc = emulate_pusha(ctxt, ops);
3091 case 0x61: /* popa */
3092 rc = emulate_popa(ctxt, ops);
3094 case 0x63: /* movsxd */
3095 if (ctxt->mode != X86EMUL_MODE_PROT64)
3096 goto cannot_emulate;
3097 c->dst.val = (s32) c->src.val;
3099 case 0x6c: /* insb */
3100 case 0x6d: /* insw/insd */
3101 c->src.val = c->regs[VCPU_REGS_RDX];
3103 case 0x6e: /* outsb */
3104 case 0x6f: /* outsw/outsd */
3105 c->dst.val = c->regs[VCPU_REGS_RDX];
3108 case 0x70 ... 0x7f: /* jcc (short) */
3109 if (test_cc(c->b, ctxt->eflags))
3110 jmp_rel(c, c->src.val);
3112 case 0x80 ... 0x83: /* Grp1 */
3113 switch (c->modrm_reg) {
3134 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
3136 case 0x86 ... 0x87: /* xchg */
3138 /* Write back the register source. */
3139 c->src.val = c->dst.val;
3140 write_register_operand(&c->src);
3142 * Write back the memory destination with implicit LOCK
3145 c->dst.val = c->src.orig_val;
3148 case 0x8c: /* mov r/m, sreg */
3149 if (c->modrm_reg > VCPU_SREG_GS) {
3150 rc = emulate_ud(ctxt);
3153 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
3155 case 0x8d: /* lea r16/r32, m */
3156 c->dst.val = c->src.addr.mem.ea;
3158 case 0x8e: { /* mov seg, r/m16 */
3163 if (c->modrm_reg == VCPU_SREG_CS ||
3164 c->modrm_reg > VCPU_SREG_GS) {
3165 rc = emulate_ud(ctxt);
3169 if (c->modrm_reg == VCPU_SREG_SS)
3170 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3172 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
3174 c->dst.type = OP_NONE; /* Disable writeback. */
3177 case 0x8f: /* pop (sole member of Grp1a) */
3178 rc = emulate_grp1a(ctxt, ops);
3180 case 0x90 ... 0x97: /* nop / xchg reg, rax */
3181 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
3184 case 0x98: /* cbw/cwde/cdqe */
3185 switch (c->op_bytes) {
3186 case 2: c->dst.val = (s8)c->dst.val; break;
3187 case 4: c->dst.val = (s16)c->dst.val; break;
3188 case 8: c->dst.val = (s32)c->dst.val; break;
3191 case 0x9c: /* pushf */
3192 c->src.val = (unsigned long) ctxt->eflags;
3193 emulate_push(ctxt, ops);
3195 case 0x9d: /* popf */
3196 c->dst.type = OP_REG;
3197 c->dst.addr.reg = &ctxt->eflags;
3198 c->dst.bytes = c->op_bytes;
3199 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
3201 case 0xa6 ... 0xa7: /* cmps */
3202 c->dst.type = OP_NONE; /* Disable writeback. */
3204 case 0xa8 ... 0xa9: /* test ax, imm */
3206 case 0xae ... 0xaf: /* scas */
3211 case 0xc3: /* ret */
3212 c->dst.type = OP_REG;
3213 c->dst.addr.reg = &c->eip;
3214 c->dst.bytes = c->op_bytes;
3215 goto pop_instruction;
3216 case 0xc4: /* les */
3217 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_ES);
3219 case 0xc5: /* lds */
3220 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
3222 case 0xcb: /* ret far */
3223 rc = emulate_ret_far(ctxt, ops);
3225 case 0xcc: /* int3 */
3228 case 0xcd: /* int n */
3231 rc = emulate_int(ctxt, ops, irq);
3233 case 0xce: /* into */
3234 if (ctxt->eflags & EFLG_OF) {
3239 case 0xcf: /* iret */
3240 rc = emulate_iret(ctxt, ops);
3242 case 0xd0 ... 0xd1: /* Grp2 */
3245 case 0xd2 ... 0xd3: /* Grp2 */
3246 c->src.val = c->regs[VCPU_REGS_RCX];
3249 case 0xe0 ... 0xe2: /* loop/loopz/loopnz */
3250 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3251 if (address_mask(c, c->regs[VCPU_REGS_RCX]) != 0 &&
3252 (c->b == 0xe2 || test_cc(c->b ^ 0x5, ctxt->eflags)))
3253 jmp_rel(c, c->src.val);
3255 case 0xe3: /* jcxz/jecxz/jrcxz */
3256 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0)
3257 jmp_rel(c, c->src.val);
3259 case 0xe4: /* inb */
3262 case 0xe6: /* outb */
3263 case 0xe7: /* out */
3265 case 0xe8: /* call (near) */ {
3266 long int rel = c->src.val;
3267 c->src.val = (unsigned long) c->eip;
3269 emulate_push(ctxt, ops);
3272 case 0xe9: /* jmp rel */
3274 case 0xea: { /* jmp far */
3277 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3279 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3283 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3287 jmp: /* jmp rel short */
3288 jmp_rel(c, c->src.val);
3289 c->dst.type = OP_NONE; /* Disable writeback. */
3291 case 0xec: /* in al,dx */
3292 case 0xed: /* in (e/r)ax,dx */
3293 c->src.val = c->regs[VCPU_REGS_RDX];
3295 c->dst.bytes = min(c->dst.bytes, 4u);
3296 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3297 rc = emulate_gp(ctxt, 0);
3300 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3302 goto done; /* IO is needed */
3304 case 0xee: /* out dx,al */
3305 case 0xef: /* out dx,(e/r)ax */
3306 c->dst.val = c->regs[VCPU_REGS_RDX];
3308 c->src.bytes = min(c->src.bytes, 4u);
3309 if (!emulator_io_permited(ctxt, ops, c->dst.val,
3311 rc = emulate_gp(ctxt, 0);
3314 ops->pio_out_emulated(c->src.bytes, c->dst.val,
3315 &c->src.val, 1, ctxt->vcpu);
3316 c->dst.type = OP_NONE; /* Disable writeback. */
3318 case 0xf4: /* hlt */
3319 ctxt->vcpu->arch.halt_request = 1;
3321 case 0xf5: /* cmc */
3322 /* complement carry flag from eflags reg */
3323 ctxt->eflags ^= EFLG_CF;
3325 case 0xf6 ... 0xf7: /* Grp3 */
3326 rc = emulate_grp3(ctxt, ops);
3328 case 0xf8: /* clc */
3329 ctxt->eflags &= ~EFLG_CF;
3331 case 0xf9: /* stc */
3332 ctxt->eflags |= EFLG_CF;
3334 case 0xfa: /* cli */
3335 if (emulator_bad_iopl(ctxt, ops)) {
3336 rc = emulate_gp(ctxt, 0);
3339 ctxt->eflags &= ~X86_EFLAGS_IF;
3341 case 0xfb: /* sti */
3342 if (emulator_bad_iopl(ctxt, ops)) {
3343 rc = emulate_gp(ctxt, 0);
3346 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3347 ctxt->eflags |= X86_EFLAGS_IF;
3350 case 0xfc: /* cld */
3351 ctxt->eflags &= ~EFLG_DF;
3353 case 0xfd: /* std */
3354 ctxt->eflags |= EFLG_DF;
3356 case 0xfe: /* Grp4 */
3358 rc = emulate_grp45(ctxt, ops);
3360 case 0xff: /* Grp5 */
3361 if (c->modrm_reg == 5)
3365 goto cannot_emulate;
3368 if (rc != X86EMUL_CONTINUE)
3372 rc = writeback(ctxt, ops);
3373 if (rc != X86EMUL_CONTINUE)
3377 * restore dst type in case the decoding will be reused
3378 * (happens for string instruction )
3380 c->dst.type = saved_dst_type;
3382 if ((c->d & SrcMask) == SrcSI)
3383 string_addr_inc(ctxt, seg_override(ctxt, ops, c),
3384 VCPU_REGS_RSI, &c->src);
3386 if ((c->d & DstMask) == DstDI)
3387 string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
3390 if (c->rep_prefix && (c->d & String)) {
3391 struct read_cache *r = &ctxt->decode.io_read;
3392 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3394 if (!string_insn_completed(ctxt)) {
3396 * Re-enter guest when pio read ahead buffer is empty
3397 * or, if it is not used, after each 1024 iteration.
3399 if ((r->end != 0 || c->regs[VCPU_REGS_RCX] & 0x3ff) &&
3400 (r->end == 0 || r->end != r->pos)) {
3402 * Reset read cache. Usually happens before
3403 * decode, but since instruction is restarted
3404 * we have to do it here.
3406 ctxt->decode.mem_read.end = 0;
3407 return EMULATION_RESTART;
3409 goto done; /* skip rip writeback */
3416 if (rc == X86EMUL_PROPAGATE_FAULT)
3417 ctxt->have_exception = true;
3418 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3422 case 0x01: /* lgdt, lidt, lmsw */
3423 switch (c->modrm_reg) {
3425 unsigned long address;
3427 case 0: /* vmcall */
3428 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3429 goto cannot_emulate;
3431 rc = kvm_fix_hypercall(ctxt->vcpu);
3432 if (rc != X86EMUL_CONTINUE)
3435 /* Let the processor re-execute the fixed hypercall */
3437 /* Disable writeback. */
3438 c->dst.type = OP_NONE;
3441 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3442 &size, &address, c->op_bytes);
3443 if (rc != X86EMUL_CONTINUE)
3445 realmode_lgdt(ctxt->vcpu, size, address);
3446 /* Disable writeback. */
3447 c->dst.type = OP_NONE;
3449 case 3: /* lidt/vmmcall */
3450 if (c->modrm_mod == 3) {
3451 switch (c->modrm_rm) {
3453 rc = kvm_fix_hypercall(ctxt->vcpu);
3456 goto cannot_emulate;
3459 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3462 if (rc != X86EMUL_CONTINUE)
3464 realmode_lidt(ctxt->vcpu, size, address);
3466 /* Disable writeback. */
3467 c->dst.type = OP_NONE;
3471 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3474 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3475 (c->src.val & 0x0f), ctxt->vcpu);
3476 c->dst.type = OP_NONE;
3478 case 5: /* not defined */
3480 rc = X86EMUL_PROPAGATE_FAULT;
3483 emulate_invlpg(ctxt->vcpu,
3484 linear(ctxt, c->src.addr.mem));
3485 /* Disable writeback. */
3486 c->dst.type = OP_NONE;
3489 goto cannot_emulate;
3492 case 0x05: /* syscall */
3493 rc = emulate_syscall(ctxt, ops);
3496 emulate_clts(ctxt->vcpu);
3498 case 0x09: /* wbinvd */
3499 kvm_emulate_wbinvd(ctxt->vcpu);
3501 case 0x08: /* invd */
3502 case 0x0d: /* GrpP (prefetch) */
3503 case 0x18: /* Grp16 (prefetch/nop) */
3505 case 0x20: /* mov cr, reg */
3506 switch (c->modrm_reg) {
3511 rc = X86EMUL_PROPAGATE_FAULT;
3514 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3516 case 0x21: /* mov from dr to reg */
3517 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3518 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3520 rc = X86EMUL_PROPAGATE_FAULT;
3523 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3525 case 0x22: /* mov reg, cr */
3526 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3527 emulate_gp(ctxt, 0);
3528 rc = X86EMUL_PROPAGATE_FAULT;
3531 c->dst.type = OP_NONE;
3533 case 0x23: /* mov from reg to dr */
3534 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3535 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3537 rc = X86EMUL_PROPAGATE_FAULT;
3541 if (ops->set_dr(c->modrm_reg, c->src.val &
3542 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3543 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3544 /* #UD condition is already handled by the code above */
3545 emulate_gp(ctxt, 0);
3546 rc = X86EMUL_PROPAGATE_FAULT;
3550 c->dst.type = OP_NONE; /* no writeback */
3554 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3555 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3556 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3557 emulate_gp(ctxt, 0);
3558 rc = X86EMUL_PROPAGATE_FAULT;
3561 rc = X86EMUL_CONTINUE;
3565 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3566 emulate_gp(ctxt, 0);
3567 rc = X86EMUL_PROPAGATE_FAULT;
3570 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3571 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3573 rc = X86EMUL_CONTINUE;
3575 case 0x34: /* sysenter */
3576 rc = emulate_sysenter(ctxt, ops);
3578 case 0x35: /* sysexit */
3579 rc = emulate_sysexit(ctxt, ops);
3581 case 0x40 ... 0x4f: /* cmov */
3582 c->dst.val = c->dst.orig_val = c->src.val;
3583 if (!test_cc(c->b, ctxt->eflags))
3584 c->dst.type = OP_NONE; /* no writeback */
3586 case 0x80 ... 0x8f: /* jnz rel, etc*/
3587 if (test_cc(c->b, ctxt->eflags))
3588 jmp_rel(c, c->src.val);
3590 case 0x90 ... 0x9f: /* setcc r/m8 */
3591 c->dst.val = test_cc(c->b, ctxt->eflags);
3593 case 0xa0: /* push fs */
3594 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3596 case 0xa1: /* pop fs */
3597 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3601 c->dst.type = OP_NONE;
3602 /* only subword offset */
3603 c->src.val &= (c->dst.bytes << 3) - 1;
3604 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3606 case 0xa4: /* shld imm8, r, r/m */
3607 case 0xa5: /* shld cl, r, r/m */
3608 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3610 case 0xa8: /* push gs */
3611 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3613 case 0xa9: /* pop gs */
3614 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3618 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3620 case 0xac: /* shrd imm8, r, r/m */
3621 case 0xad: /* shrd cl, r, r/m */
3622 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3624 case 0xae: /* clflush */
3626 case 0xb0 ... 0xb1: /* cmpxchg */
3628 * Save real source value, then compare EAX against
3631 c->src.orig_val = c->src.val;
3632 c->src.val = c->regs[VCPU_REGS_RAX];
3633 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3634 if (ctxt->eflags & EFLG_ZF) {
3635 /* Success: write back to memory. */
3636 c->dst.val = c->src.orig_val;
3638 /* Failure: write the value we saw to EAX. */
3639 c->dst.type = OP_REG;
3640 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3643 case 0xb2: /* lss */
3644 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_SS);
3648 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3650 case 0xb4: /* lfs */
3651 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_FS);
3653 case 0xb5: /* lgs */
3654 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_GS);
3656 case 0xb6 ... 0xb7: /* movzx */
3657 c->dst.bytes = c->op_bytes;
3658 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3661 case 0xba: /* Grp8 */
3662 switch (c->modrm_reg & 3) {
3675 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3677 case 0xbc: { /* bsf */
3679 __asm__ ("bsf %2, %0; setz %1"
3680 : "=r"(c->dst.val), "=q"(zf)
3682 ctxt->eflags &= ~X86_EFLAGS_ZF;
3684 ctxt->eflags |= X86_EFLAGS_ZF;
3685 c->dst.type = OP_NONE; /* Disable writeback. */
3689 case 0xbd: { /* bsr */
3691 __asm__ ("bsr %2, %0; setz %1"
3692 : "=r"(c->dst.val), "=q"(zf)
3694 ctxt->eflags &= ~X86_EFLAGS_ZF;
3696 ctxt->eflags |= X86_EFLAGS_ZF;
3697 c->dst.type = OP_NONE; /* Disable writeback. */
3701 case 0xbe ... 0xbf: /* movsx */
3702 c->dst.bytes = c->op_bytes;
3703 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3706 case 0xc0 ... 0xc1: /* xadd */
3707 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3708 /* Write back the register source. */
3709 c->src.val = c->dst.orig_val;
3710 write_register_operand(&c->src);
3712 case 0xc3: /* movnti */
3713 c->dst.bytes = c->op_bytes;
3714 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3717 case 0xc7: /* Grp9 (cmpxchg8b) */
3718 rc = emulate_grp9(ctxt, ops);
3721 goto cannot_emulate;
3724 if (rc != X86EMUL_CONTINUE)