1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstImmUByte (7<<1) /* 8-bit unsigned immediate operand */
58 #define DstMask (7<<1)
59 /* Source operand type. */
60 #define SrcNone (0<<4) /* No source operand. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcImmU16 (0xe<<4) /* Immediate operand, unsigned, 16 bits */
75 #define SrcMask (0xf<<4)
76 /* Generic ModRM decode. */
78 /* Destination is only written; never read. */
81 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
82 #define String (1<<12) /* String instruction (rep capable) */
83 #define Stack (1<<13) /* Stack instruction (push/pop) */
84 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
85 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
87 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
88 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
89 #define Undefined (1<<25) /* No Such Instruction */
90 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
91 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
93 /* Source 2 operand type */
94 #define Src2None (0<<29)
95 #define Src2CL (1<<29)
96 #define Src2ImmByte (2<<29)
97 #define Src2One (3<<29)
98 #define Src2Imm (4<<29)
99 #define Src2Mask (7<<29)
101 #define X2(x...) x, x
102 #define X3(x...) X2(x), x
103 #define X4(x...) X2(x), X2(x)
104 #define X5(x...) X4(x), x
105 #define X6(x...) X4(x), X2(x)
106 #define X7(x...) X4(x), X3(x)
107 #define X8(x...) X4(x), X4(x)
108 #define X16(x...) X8(x), X8(x)
113 int (*execute)(struct x86_emulate_ctxt *ctxt);
114 struct opcode *group;
115 struct group_dual *gdual;
120 struct opcode mod012[8];
121 struct opcode mod3[8];
124 /* EFLAGS bit definitions. */
125 #define EFLG_ID (1<<21)
126 #define EFLG_VIP (1<<20)
127 #define EFLG_VIF (1<<19)
128 #define EFLG_AC (1<<18)
129 #define EFLG_VM (1<<17)
130 #define EFLG_RF (1<<16)
131 #define EFLG_IOPL (3<<12)
132 #define EFLG_NT (1<<14)
133 #define EFLG_OF (1<<11)
134 #define EFLG_DF (1<<10)
135 #define EFLG_IF (1<<9)
136 #define EFLG_TF (1<<8)
137 #define EFLG_SF (1<<7)
138 #define EFLG_ZF (1<<6)
139 #define EFLG_AF (1<<4)
140 #define EFLG_PF (1<<2)
141 #define EFLG_CF (1<<0)
143 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
144 #define EFLG_RESERVED_ONE_MASK 2
147 * Instruction emulation:
148 * Most instructions are emulated directly via a fragment of inline assembly
149 * code. This allows us to save/restore EFLAGS and thus very easily pick up
150 * any modified flags.
153 #if defined(CONFIG_X86_64)
154 #define _LO32 "k" /* force 32-bit operand */
155 #define _STK "%%rsp" /* stack pointer */
156 #elif defined(__i386__)
157 #define _LO32 "" /* force 32-bit operand */
158 #define _STK "%%esp" /* stack pointer */
162 * These EFLAGS bits are restored from saved value during emulation, and
163 * any changes are written back to the saved value after emulation.
165 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
167 /* Before executing instruction: restore necessary bits in EFLAGS. */
168 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
169 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
170 "movl %"_sav",%"_LO32 _tmp"; " \
173 "movl %"_msk",%"_LO32 _tmp"; " \
174 "andl %"_LO32 _tmp",("_STK"); " \
176 "notl %"_LO32 _tmp"; " \
177 "andl %"_LO32 _tmp",("_STK"); " \
178 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
180 "orl %"_LO32 _tmp",("_STK"); " \
184 /* After executing instruction: write-back necessary bits in EFLAGS. */
185 #define _POST_EFLAGS(_sav, _msk, _tmp) \
186 /* _sav |= EFLAGS & _msk; */ \
189 "andl %"_msk",%"_LO32 _tmp"; " \
190 "orl %"_LO32 _tmp",%"_sav"; "
198 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
200 __asm__ __volatile__ ( \
201 _PRE_EFLAGS("0", "4", "2") \
202 _op _suffix " %"_x"3,%1; " \
203 _POST_EFLAGS("0", "4", "2") \
204 : "=m" (_eflags), "+q" (*(_dsttype*)&(_dst).val),\
206 : _y ((_src).val), "i" (EFLAGS_MASK)); \
210 /* Raw emulation: instruction has two explicit operands. */
211 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
213 unsigned long _tmp; \
215 switch ((_dst).bytes) { \
217 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
220 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l",u32);\
223 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q",u64)); \
228 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
230 unsigned long _tmp; \
231 switch ((_dst).bytes) { \
233 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
236 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
237 _wx, _wy, _lx, _ly, _qx, _qy); \
242 /* Source operand is byte-sized and may be restricted to just %cl. */
243 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
244 __emulate_2op(_op, _src, _dst, _eflags, \
245 "b", "c", "b", "c", "b", "c", "b", "c")
247 /* Source operand is byte, word, long or quad sized. */
248 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
249 __emulate_2op(_op, _src, _dst, _eflags, \
250 "b", "q", "w", "r", _LO32, "r", "", "r")
252 /* Source operand is word, long or quad sized. */
253 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
254 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
255 "w", "r", _LO32, "r", "", "r")
257 /* Instruction has three operands and one operand is stored in ECX register */
258 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
260 unsigned long _tmp; \
261 _type _clv = (_cl).val; \
262 _type _srcv = (_src).val; \
263 _type _dstv = (_dst).val; \
265 __asm__ __volatile__ ( \
266 _PRE_EFLAGS("0", "5", "2") \
267 _op _suffix " %4,%1 \n" \
268 _POST_EFLAGS("0", "5", "2") \
269 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
270 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
273 (_cl).val = (unsigned long) _clv; \
274 (_src).val = (unsigned long) _srcv; \
275 (_dst).val = (unsigned long) _dstv; \
278 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
280 switch ((_dst).bytes) { \
282 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
283 "w", unsigned short); \
286 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
287 "l", unsigned int); \
290 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
291 "q", unsigned long)); \
296 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
298 unsigned long _tmp; \
300 __asm__ __volatile__ ( \
301 _PRE_EFLAGS("0", "3", "2") \
302 _op _suffix " %1; " \
303 _POST_EFLAGS("0", "3", "2") \
304 : "=m" (_eflags), "+m" ((_dst).val), \
306 : "i" (EFLAGS_MASK)); \
309 /* Instruction has only one explicit operand (no source operand). */
310 #define emulate_1op(_op, _dst, _eflags) \
312 switch ((_dst).bytes) { \
313 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
314 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
315 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
316 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
320 #define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix) \
322 unsigned long _tmp; \
324 __asm__ __volatile__ ( \
325 _PRE_EFLAGS("0", "4", "1") \
326 _op _suffix " %5; " \
327 _POST_EFLAGS("0", "4", "1") \
328 : "=m" (_eflags), "=&r" (_tmp), \
329 "+a" (_rax), "+d" (_rdx) \
330 : "i" (EFLAGS_MASK), "m" ((_src).val), \
331 "a" (_rax), "d" (_rdx)); \
334 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
335 #define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags) \
337 switch((_src).bytes) { \
338 case 1: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "b"); break; \
339 case 2: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "w"); break; \
340 case 4: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "l"); break; \
341 case 8: ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "q")); break; \
345 /* Fetch next part of the instruction being emulated. */
346 #define insn_fetch(_type, _size, _eip) \
347 ({ unsigned long _x; \
348 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
349 if (rc != X86EMUL_CONTINUE) \
355 #define insn_fetch_arr(_arr, _size, _eip) \
356 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
357 if (rc != X86EMUL_CONTINUE) \
362 static inline unsigned long ad_mask(struct decode_cache *c)
364 return (1UL << (c->ad_bytes << 3)) - 1;
367 /* Access/update address held in a register, based on addressing mode. */
368 static inline unsigned long
369 address_mask(struct decode_cache *c, unsigned long reg)
371 if (c->ad_bytes == sizeof(unsigned long))
374 return reg & ad_mask(c);
377 static inline unsigned long
378 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
380 return base + address_mask(c, reg);
384 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
386 if (c->ad_bytes == sizeof(unsigned long))
389 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
392 static inline void jmp_rel(struct decode_cache *c, int rel)
394 register_address_increment(c, &c->eip, rel);
397 static void set_seg_override(struct decode_cache *c, int seg)
399 c->has_seg_override = true;
400 c->seg_override = seg;
403 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
404 struct x86_emulate_ops *ops, int seg)
406 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
409 return ops->get_cached_segment_base(seg, ctxt->vcpu);
412 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
413 struct x86_emulate_ops *ops,
414 struct decode_cache *c)
416 if (!c->has_seg_override)
419 return seg_base(ctxt, ops, c->seg_override);
422 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
423 struct x86_emulate_ops *ops)
425 return seg_base(ctxt, ops, VCPU_SREG_ES);
428 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
429 struct x86_emulate_ops *ops)
431 return seg_base(ctxt, ops, VCPU_SREG_SS);
434 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
435 u32 error, bool valid)
437 ctxt->exception = vec;
438 ctxt->error_code = error;
439 ctxt->error_code_valid = valid;
442 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
444 emulate_exception(ctxt, GP_VECTOR, err, true);
447 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
451 emulate_exception(ctxt, PF_VECTOR, err, true);
454 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
456 emulate_exception(ctxt, UD_VECTOR, 0, false);
459 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
461 emulate_exception(ctxt, TS_VECTOR, err, true);
464 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
465 struct x86_emulate_ops *ops,
466 unsigned long eip, u8 *dest)
468 struct fetch_cache *fc = &ctxt->decode.fetch;
472 if (eip == fc->end) {
473 cur_size = fc->end - fc->start;
474 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
475 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
476 size, ctxt->vcpu, NULL);
477 if (rc != X86EMUL_CONTINUE)
481 *dest = fc->data[eip - fc->start];
482 return X86EMUL_CONTINUE;
485 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
486 struct x86_emulate_ops *ops,
487 unsigned long eip, void *dest, unsigned size)
491 /* x86 instructions are limited to 15 bytes. */
492 if (eip + size - ctxt->eip > 15)
493 return X86EMUL_UNHANDLEABLE;
495 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
496 if (rc != X86EMUL_CONTINUE)
499 return X86EMUL_CONTINUE;
503 * Given the 'reg' portion of a ModRM byte, and a register block, return a
504 * pointer into the block that addresses the relevant register.
505 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
507 static void *decode_register(u8 modrm_reg, unsigned long *regs,
512 p = ®s[modrm_reg];
513 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
514 p = (unsigned char *)®s[modrm_reg & 3] + 1;
518 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
519 struct x86_emulate_ops *ops,
521 u16 *size, unsigned long *address, int op_bytes)
528 rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
529 if (rc != X86EMUL_CONTINUE)
531 rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
535 static int test_cc(unsigned int condition, unsigned int flags)
539 switch ((condition & 15) >> 1) {
541 rc |= (flags & EFLG_OF);
543 case 1: /* b/c/nae */
544 rc |= (flags & EFLG_CF);
547 rc |= (flags & EFLG_ZF);
550 rc |= (flags & (EFLG_CF|EFLG_ZF));
553 rc |= (flags & EFLG_SF);
556 rc |= (flags & EFLG_PF);
559 rc |= (flags & EFLG_ZF);
562 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
566 /* Odd condition identifiers (lsb == 1) have inverted sense. */
567 return (!!rc ^ (condition & 1));
570 static void fetch_register_operand(struct operand *op)
574 op->val = *(u8 *)op->addr.reg;
577 op->val = *(u16 *)op->addr.reg;
580 op->val = *(u32 *)op->addr.reg;
583 op->val = *(u64 *)op->addr.reg;
588 static void decode_register_operand(struct operand *op,
589 struct decode_cache *c,
592 unsigned reg = c->modrm_reg;
593 int highbyte_regs = c->rex_prefix == 0;
596 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
598 if ((c->d & ByteOp) && !inhibit_bytereg) {
599 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
602 op->addr.reg = decode_register(reg, c->regs, 0);
603 op->bytes = c->op_bytes;
605 fetch_register_operand(op);
606 op->orig_val = op->val;
609 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
610 struct x86_emulate_ops *ops,
613 struct decode_cache *c = &ctxt->decode;
615 int index_reg = 0, base_reg = 0, scale;
616 int rc = X86EMUL_CONTINUE;
620 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
621 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
622 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
625 c->modrm = insn_fetch(u8, 1, c->eip);
626 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
627 c->modrm_reg |= (c->modrm & 0x38) >> 3;
628 c->modrm_rm |= (c->modrm & 0x07);
629 c->modrm_seg = VCPU_SREG_DS;
631 if (c->modrm_mod == 3) {
633 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
634 op->addr.reg = decode_register(c->modrm_rm,
635 c->regs, c->d & ByteOp);
636 fetch_register_operand(op);
642 if (c->ad_bytes == 2) {
643 unsigned bx = c->regs[VCPU_REGS_RBX];
644 unsigned bp = c->regs[VCPU_REGS_RBP];
645 unsigned si = c->regs[VCPU_REGS_RSI];
646 unsigned di = c->regs[VCPU_REGS_RDI];
648 /* 16-bit ModR/M decode. */
649 switch (c->modrm_mod) {
651 if (c->modrm_rm == 6)
652 modrm_ea += insn_fetch(u16, 2, c->eip);
655 modrm_ea += insn_fetch(s8, 1, c->eip);
658 modrm_ea += insn_fetch(u16, 2, c->eip);
661 switch (c->modrm_rm) {
681 if (c->modrm_mod != 0)
688 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
689 (c->modrm_rm == 6 && c->modrm_mod != 0))
690 c->modrm_seg = VCPU_SREG_SS;
691 modrm_ea = (u16)modrm_ea;
693 /* 32/64-bit ModR/M decode. */
694 if ((c->modrm_rm & 7) == 4) {
695 sib = insn_fetch(u8, 1, c->eip);
696 index_reg |= (sib >> 3) & 7;
700 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
701 modrm_ea += insn_fetch(s32, 4, c->eip);
703 modrm_ea += c->regs[base_reg];
705 modrm_ea += c->regs[index_reg] << scale;
706 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
707 if (ctxt->mode == X86EMUL_MODE_PROT64)
710 modrm_ea += c->regs[c->modrm_rm];
711 switch (c->modrm_mod) {
713 if (c->modrm_rm == 5)
714 modrm_ea += insn_fetch(s32, 4, c->eip);
717 modrm_ea += insn_fetch(s8, 1, c->eip);
720 modrm_ea += insn_fetch(s32, 4, c->eip);
724 op->addr.mem = modrm_ea;
729 static int decode_abs(struct x86_emulate_ctxt *ctxt,
730 struct x86_emulate_ops *ops,
733 struct decode_cache *c = &ctxt->decode;
734 int rc = X86EMUL_CONTINUE;
737 switch (c->ad_bytes) {
739 op->addr.mem = insn_fetch(u16, 2, c->eip);
742 op->addr.mem = insn_fetch(u32, 4, c->eip);
745 op->addr.mem = insn_fetch(u64, 8, c->eip);
752 static void fetch_bit_operand(struct decode_cache *c)
756 if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
757 mask = ~(c->dst.bytes * 8 - 1);
759 if (c->src.bytes == 2)
760 sv = (s16)c->src.val & (s16)mask;
761 else if (c->src.bytes == 4)
762 sv = (s32)c->src.val & (s32)mask;
764 c->dst.addr.mem += (sv >> 3);
767 /* only subword offset */
768 c->src.val &= (c->dst.bytes << 3) - 1;
771 static int read_emulated(struct x86_emulate_ctxt *ctxt,
772 struct x86_emulate_ops *ops,
773 unsigned long addr, void *dest, unsigned size)
776 struct read_cache *mc = &ctxt->decode.mem_read;
780 int n = min(size, 8u);
782 if (mc->pos < mc->end)
785 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
787 if (rc == X86EMUL_PROPAGATE_FAULT)
788 emulate_pf(ctxt, addr, err);
789 if (rc != X86EMUL_CONTINUE)
794 memcpy(dest, mc->data + mc->pos, n);
799 return X86EMUL_CONTINUE;
802 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
803 struct x86_emulate_ops *ops,
804 unsigned int size, unsigned short port,
807 struct read_cache *rc = &ctxt->decode.io_read;
809 if (rc->pos == rc->end) { /* refill pio read ahead */
810 struct decode_cache *c = &ctxt->decode;
811 unsigned int in_page, n;
812 unsigned int count = c->rep_prefix ?
813 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
814 in_page = (ctxt->eflags & EFLG_DF) ?
815 offset_in_page(c->regs[VCPU_REGS_RDI]) :
816 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
817 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
821 rc->pos = rc->end = 0;
822 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
827 memcpy(dest, rc->data + rc->pos, size);
832 static u32 desc_limit_scaled(struct desc_struct *desc)
834 u32 limit = get_desc_limit(desc);
836 return desc->g ? (limit << 12) | 0xfff : limit;
839 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
840 struct x86_emulate_ops *ops,
841 u16 selector, struct desc_ptr *dt)
843 if (selector & 1 << 2) {
844 struct desc_struct desc;
845 memset (dt, 0, sizeof *dt);
846 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
849 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
850 dt->address = get_desc_base(&desc);
852 ops->get_gdt(dt, ctxt->vcpu);
855 /* allowed just for 8 bytes segments */
856 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
857 struct x86_emulate_ops *ops,
858 u16 selector, struct desc_struct *desc)
861 u16 index = selector >> 3;
866 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
868 if (dt.size < index * 8 + 7) {
869 emulate_gp(ctxt, selector & 0xfffc);
870 return X86EMUL_PROPAGATE_FAULT;
872 addr = dt.address + index * 8;
873 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
874 if (ret == X86EMUL_PROPAGATE_FAULT)
875 emulate_pf(ctxt, addr, err);
880 /* allowed just for 8 bytes segments */
881 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
882 struct x86_emulate_ops *ops,
883 u16 selector, struct desc_struct *desc)
886 u16 index = selector >> 3;
891 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
893 if (dt.size < index * 8 + 7) {
894 emulate_gp(ctxt, selector & 0xfffc);
895 return X86EMUL_PROPAGATE_FAULT;
898 addr = dt.address + index * 8;
899 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
900 if (ret == X86EMUL_PROPAGATE_FAULT)
901 emulate_pf(ctxt, addr, err);
906 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
907 struct x86_emulate_ops *ops,
908 u16 selector, int seg)
910 struct desc_struct seg_desc;
912 unsigned err_vec = GP_VECTOR;
914 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
917 memset(&seg_desc, 0, sizeof seg_desc);
919 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
920 || ctxt->mode == X86EMUL_MODE_REAL) {
921 /* set real mode segment descriptor */
922 set_desc_base(&seg_desc, selector << 4);
923 set_desc_limit(&seg_desc, 0xffff);
930 /* NULL selector is not valid for TR, CS and SS */
931 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
935 /* TR should be in GDT only */
936 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
939 if (null_selector) /* for NULL selector skip all following checks */
942 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
943 if (ret != X86EMUL_CONTINUE)
946 err_code = selector & 0xfffc;
949 /* can't load system descriptor into segment selecor */
950 if (seg <= VCPU_SREG_GS && !seg_desc.s)
954 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
960 cpl = ops->cpl(ctxt->vcpu);
965 * segment is not a writable data segment or segment
966 * selector's RPL != CPL or segment selector's RPL != CPL
968 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
972 if (!(seg_desc.type & 8))
975 if (seg_desc.type & 4) {
981 if (rpl > cpl || dpl != cpl)
985 selector = (selector & 0xfffc) | cpl;
988 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
992 if (seg_desc.s || seg_desc.type != 2)
995 default: /* DS, ES, FS, or GS */
997 * segment is not a data or readable code segment or
998 * ((segment is a data or nonconforming code segment)
999 * and (both RPL and CPL > DPL))
1001 if ((seg_desc.type & 0xa) == 0x8 ||
1002 (((seg_desc.type & 0xc) != 0xc) &&
1003 (rpl > dpl && cpl > dpl)))
1009 /* mark segment as accessed */
1011 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1012 if (ret != X86EMUL_CONTINUE)
1016 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1017 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1018 return X86EMUL_CONTINUE;
1020 emulate_exception(ctxt, err_vec, err_code, true);
1021 return X86EMUL_PROPAGATE_FAULT;
1024 static void write_register_operand(struct operand *op)
1026 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1027 switch (op->bytes) {
1029 *(u8 *)op->addr.reg = (u8)op->val;
1032 *(u16 *)op->addr.reg = (u16)op->val;
1035 *op->addr.reg = (u32)op->val;
1036 break; /* 64b: zero-extend */
1038 *op->addr.reg = op->val;
1043 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1044 struct x86_emulate_ops *ops)
1047 struct decode_cache *c = &ctxt->decode;
1050 switch (c->dst.type) {
1052 write_register_operand(&c->dst);
1056 rc = ops->cmpxchg_emulated(
1064 rc = ops->write_emulated(
1070 if (rc == X86EMUL_PROPAGATE_FAULT)
1071 emulate_pf(ctxt, c->dst.addr.mem, err);
1072 if (rc != X86EMUL_CONTINUE)
1081 return X86EMUL_CONTINUE;
1084 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1085 struct x86_emulate_ops *ops)
1087 struct decode_cache *c = &ctxt->decode;
1089 c->dst.type = OP_MEM;
1090 c->dst.bytes = c->op_bytes;
1091 c->dst.val = c->src.val;
1092 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1093 c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
1094 c->regs[VCPU_REGS_RSP]);
1097 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1098 struct x86_emulate_ops *ops,
1099 void *dest, int len)
1101 struct decode_cache *c = &ctxt->decode;
1104 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1105 c->regs[VCPU_REGS_RSP]),
1107 if (rc != X86EMUL_CONTINUE)
1110 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1114 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1115 struct x86_emulate_ops *ops,
1116 void *dest, int len)
1119 unsigned long val, change_mask;
1120 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1121 int cpl = ops->cpl(ctxt->vcpu);
1123 rc = emulate_pop(ctxt, ops, &val, len);
1124 if (rc != X86EMUL_CONTINUE)
1127 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1128 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1130 switch(ctxt->mode) {
1131 case X86EMUL_MODE_PROT64:
1132 case X86EMUL_MODE_PROT32:
1133 case X86EMUL_MODE_PROT16:
1135 change_mask |= EFLG_IOPL;
1137 change_mask |= EFLG_IF;
1139 case X86EMUL_MODE_VM86:
1141 emulate_gp(ctxt, 0);
1142 return X86EMUL_PROPAGATE_FAULT;
1144 change_mask |= EFLG_IF;
1146 default: /* real mode */
1147 change_mask |= (EFLG_IOPL | EFLG_IF);
1151 *(unsigned long *)dest =
1152 (ctxt->eflags & ~change_mask) | (val & change_mask);
1157 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1158 struct x86_emulate_ops *ops, int seg)
1160 struct decode_cache *c = &ctxt->decode;
1162 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1164 emulate_push(ctxt, ops);
1167 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1168 struct x86_emulate_ops *ops, int seg)
1170 struct decode_cache *c = &ctxt->decode;
1171 unsigned long selector;
1174 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1175 if (rc != X86EMUL_CONTINUE)
1178 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1182 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1183 struct x86_emulate_ops *ops)
1185 struct decode_cache *c = &ctxt->decode;
1186 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1187 int rc = X86EMUL_CONTINUE;
1188 int reg = VCPU_REGS_RAX;
1190 while (reg <= VCPU_REGS_RDI) {
1191 (reg == VCPU_REGS_RSP) ?
1192 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1194 emulate_push(ctxt, ops);
1196 rc = writeback(ctxt, ops);
1197 if (rc != X86EMUL_CONTINUE)
1203 /* Disable writeback. */
1204 c->dst.type = OP_NONE;
1209 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1210 struct x86_emulate_ops *ops)
1212 struct decode_cache *c = &ctxt->decode;
1213 int rc = X86EMUL_CONTINUE;
1214 int reg = VCPU_REGS_RDI;
1216 while (reg >= VCPU_REGS_RAX) {
1217 if (reg == VCPU_REGS_RSP) {
1218 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1223 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1224 if (rc != X86EMUL_CONTINUE)
1231 int emulate_int_real(struct x86_emulate_ctxt *ctxt,
1232 struct x86_emulate_ops *ops, int irq)
1234 struct decode_cache *c = &ctxt->decode;
1242 /* TODO: Add limit checks */
1243 c->src.val = ctxt->eflags;
1244 emulate_push(ctxt, ops);
1245 rc = writeback(ctxt, ops);
1246 if (rc != X86EMUL_CONTINUE)
1249 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1251 c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1252 emulate_push(ctxt, ops);
1253 rc = writeback(ctxt, ops);
1254 if (rc != X86EMUL_CONTINUE)
1257 c->src.val = c->eip;
1258 emulate_push(ctxt, ops);
1259 rc = writeback(ctxt, ops);
1260 if (rc != X86EMUL_CONTINUE)
1263 c->dst.type = OP_NONE;
1265 ops->get_idt(&dt, ctxt->vcpu);
1267 eip_addr = dt.address + (irq << 2);
1268 cs_addr = dt.address + (irq << 2) + 2;
1270 rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &err);
1271 if (rc != X86EMUL_CONTINUE)
1274 rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &err);
1275 if (rc != X86EMUL_CONTINUE)
1278 rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
1279 if (rc != X86EMUL_CONTINUE)
1287 static int emulate_int(struct x86_emulate_ctxt *ctxt,
1288 struct x86_emulate_ops *ops, int irq)
1290 switch(ctxt->mode) {
1291 case X86EMUL_MODE_REAL:
1292 return emulate_int_real(ctxt, ops, irq);
1293 case X86EMUL_MODE_VM86:
1294 case X86EMUL_MODE_PROT16:
1295 case X86EMUL_MODE_PROT32:
1296 case X86EMUL_MODE_PROT64:
1298 /* Protected mode interrupts unimplemented yet */
1299 return X86EMUL_UNHANDLEABLE;
1303 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1304 struct x86_emulate_ops *ops)
1306 struct decode_cache *c = &ctxt->decode;
1307 int rc = X86EMUL_CONTINUE;
1308 unsigned long temp_eip = 0;
1309 unsigned long temp_eflags = 0;
1310 unsigned long cs = 0;
1311 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1312 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1313 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1314 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1316 /* TODO: Add stack limit check */
1318 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1320 if (rc != X86EMUL_CONTINUE)
1323 if (temp_eip & ~0xffff) {
1324 emulate_gp(ctxt, 0);
1325 return X86EMUL_PROPAGATE_FAULT;
1328 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1330 if (rc != X86EMUL_CONTINUE)
1333 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1335 if (rc != X86EMUL_CONTINUE)
1338 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1340 if (rc != X86EMUL_CONTINUE)
1346 if (c->op_bytes == 4)
1347 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1348 else if (c->op_bytes == 2) {
1349 ctxt->eflags &= ~0xffff;
1350 ctxt->eflags |= temp_eflags;
1353 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1354 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1359 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1360 struct x86_emulate_ops* ops)
1362 switch(ctxt->mode) {
1363 case X86EMUL_MODE_REAL:
1364 return emulate_iret_real(ctxt, ops);
1365 case X86EMUL_MODE_VM86:
1366 case X86EMUL_MODE_PROT16:
1367 case X86EMUL_MODE_PROT32:
1368 case X86EMUL_MODE_PROT64:
1370 /* iret from protected mode unimplemented yet */
1371 return X86EMUL_UNHANDLEABLE;
1375 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1376 struct x86_emulate_ops *ops)
1378 struct decode_cache *c = &ctxt->decode;
1380 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1383 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1385 struct decode_cache *c = &ctxt->decode;
1386 switch (c->modrm_reg) {
1388 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1391 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1394 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1397 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1399 case 4: /* sal/shl */
1400 case 6: /* sal/shl */
1401 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1404 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1407 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1412 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1413 struct x86_emulate_ops *ops)
1415 struct decode_cache *c = &ctxt->decode;
1416 unsigned long *rax = &c->regs[VCPU_REGS_RAX];
1417 unsigned long *rdx = &c->regs[VCPU_REGS_RDX];
1419 switch (c->modrm_reg) {
1420 case 0 ... 1: /* test */
1421 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1424 c->dst.val = ~c->dst.val;
1427 emulate_1op("neg", c->dst, ctxt->eflags);
1430 emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
1433 emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
1436 emulate_1op_rax_rdx("div", c->src, *rax, *rdx, ctxt->eflags);
1439 emulate_1op_rax_rdx("idiv", c->src, *rax, *rdx, ctxt->eflags);
1442 return X86EMUL_UNHANDLEABLE;
1444 return X86EMUL_CONTINUE;
1447 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1448 struct x86_emulate_ops *ops)
1450 struct decode_cache *c = &ctxt->decode;
1452 switch (c->modrm_reg) {
1454 emulate_1op("inc", c->dst, ctxt->eflags);
1457 emulate_1op("dec", c->dst, ctxt->eflags);
1459 case 2: /* call near abs */ {
1462 c->eip = c->src.val;
1463 c->src.val = old_eip;
1464 emulate_push(ctxt, ops);
1467 case 4: /* jmp abs */
1468 c->eip = c->src.val;
1471 emulate_push(ctxt, ops);
1474 return X86EMUL_CONTINUE;
1477 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1478 struct x86_emulate_ops *ops)
1480 struct decode_cache *c = &ctxt->decode;
1481 u64 old = c->dst.orig_val64;
1483 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1484 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1485 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1486 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1487 ctxt->eflags &= ~EFLG_ZF;
1489 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1490 (u32) c->regs[VCPU_REGS_RBX];
1492 ctxt->eflags |= EFLG_ZF;
1494 return X86EMUL_CONTINUE;
1497 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1498 struct x86_emulate_ops *ops)
1500 struct decode_cache *c = &ctxt->decode;
1504 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1505 if (rc != X86EMUL_CONTINUE)
1507 if (c->op_bytes == 4)
1508 c->eip = (u32)c->eip;
1509 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1510 if (rc != X86EMUL_CONTINUE)
1512 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1516 static int emulate_load_segment(struct x86_emulate_ctxt *ctxt,
1517 struct x86_emulate_ops *ops, int seg)
1519 struct decode_cache *c = &ctxt->decode;
1523 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
1525 rc = load_segment_descriptor(ctxt, ops, sel, seg);
1526 if (rc != X86EMUL_CONTINUE)
1529 c->dst.val = c->src.val;
1534 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1535 struct x86_emulate_ops *ops, struct desc_struct *cs,
1536 struct desc_struct *ss)
1538 memset(cs, 0, sizeof(struct desc_struct));
1539 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1540 memset(ss, 0, sizeof(struct desc_struct));
1542 cs->l = 0; /* will be adjusted later */
1543 set_desc_base(cs, 0); /* flat segment */
1544 cs->g = 1; /* 4kb granularity */
1545 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1546 cs->type = 0x0b; /* Read, Execute, Accessed */
1548 cs->dpl = 0; /* will be adjusted later */
1552 set_desc_base(ss, 0); /* flat segment */
1553 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1554 ss->g = 1; /* 4kb granularity */
1556 ss->type = 0x03; /* Read/Write, Accessed */
1557 ss->d = 1; /* 32bit stack segment */
1563 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1565 struct decode_cache *c = &ctxt->decode;
1566 struct desc_struct cs, ss;
1570 /* syscall is not available in real mode */
1571 if (ctxt->mode == X86EMUL_MODE_REAL ||
1572 ctxt->mode == X86EMUL_MODE_VM86) {
1574 return X86EMUL_PROPAGATE_FAULT;
1577 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1579 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1581 cs_sel = (u16)(msr_data & 0xfffc);
1582 ss_sel = (u16)(msr_data + 8);
1584 if (is_long_mode(ctxt->vcpu)) {
1588 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1589 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1590 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1591 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1593 c->regs[VCPU_REGS_RCX] = c->eip;
1594 if (is_long_mode(ctxt->vcpu)) {
1595 #ifdef CONFIG_X86_64
1596 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1598 ops->get_msr(ctxt->vcpu,
1599 ctxt->mode == X86EMUL_MODE_PROT64 ?
1600 MSR_LSTAR : MSR_CSTAR, &msr_data);
1603 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1604 ctxt->eflags &= ~(msr_data | EFLG_RF);
1608 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1609 c->eip = (u32)msr_data;
1611 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1614 return X86EMUL_CONTINUE;
1618 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1620 struct decode_cache *c = &ctxt->decode;
1621 struct desc_struct cs, ss;
1625 /* inject #GP if in real mode */
1626 if (ctxt->mode == X86EMUL_MODE_REAL) {
1627 emulate_gp(ctxt, 0);
1628 return X86EMUL_PROPAGATE_FAULT;
1631 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1632 * Therefore, we inject an #UD.
1634 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1636 return X86EMUL_PROPAGATE_FAULT;
1639 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1641 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1642 switch (ctxt->mode) {
1643 case X86EMUL_MODE_PROT32:
1644 if ((msr_data & 0xfffc) == 0x0) {
1645 emulate_gp(ctxt, 0);
1646 return X86EMUL_PROPAGATE_FAULT;
1649 case X86EMUL_MODE_PROT64:
1650 if (msr_data == 0x0) {
1651 emulate_gp(ctxt, 0);
1652 return X86EMUL_PROPAGATE_FAULT;
1657 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1658 cs_sel = (u16)msr_data;
1659 cs_sel &= ~SELECTOR_RPL_MASK;
1660 ss_sel = cs_sel + 8;
1661 ss_sel &= ~SELECTOR_RPL_MASK;
1662 if (ctxt->mode == X86EMUL_MODE_PROT64
1663 || is_long_mode(ctxt->vcpu)) {
1668 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1669 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1670 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1671 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1673 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1676 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1677 c->regs[VCPU_REGS_RSP] = msr_data;
1679 return X86EMUL_CONTINUE;
1683 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1685 struct decode_cache *c = &ctxt->decode;
1686 struct desc_struct cs, ss;
1691 /* inject #GP if in real mode or Virtual 8086 mode */
1692 if (ctxt->mode == X86EMUL_MODE_REAL ||
1693 ctxt->mode == X86EMUL_MODE_VM86) {
1694 emulate_gp(ctxt, 0);
1695 return X86EMUL_PROPAGATE_FAULT;
1698 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1700 if ((c->rex_prefix & 0x8) != 0x0)
1701 usermode = X86EMUL_MODE_PROT64;
1703 usermode = X86EMUL_MODE_PROT32;
1707 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1709 case X86EMUL_MODE_PROT32:
1710 cs_sel = (u16)(msr_data + 16);
1711 if ((msr_data & 0xfffc) == 0x0) {
1712 emulate_gp(ctxt, 0);
1713 return X86EMUL_PROPAGATE_FAULT;
1715 ss_sel = (u16)(msr_data + 24);
1717 case X86EMUL_MODE_PROT64:
1718 cs_sel = (u16)(msr_data + 32);
1719 if (msr_data == 0x0) {
1720 emulate_gp(ctxt, 0);
1721 return X86EMUL_PROPAGATE_FAULT;
1723 ss_sel = cs_sel + 8;
1728 cs_sel |= SELECTOR_RPL_MASK;
1729 ss_sel |= SELECTOR_RPL_MASK;
1731 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1732 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1733 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1734 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1736 c->eip = c->regs[VCPU_REGS_RDX];
1737 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1739 return X86EMUL_CONTINUE;
1742 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1743 struct x86_emulate_ops *ops)
1746 if (ctxt->mode == X86EMUL_MODE_REAL)
1748 if (ctxt->mode == X86EMUL_MODE_VM86)
1750 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1751 return ops->cpl(ctxt->vcpu) > iopl;
1754 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1755 struct x86_emulate_ops *ops,
1758 struct desc_struct tr_seg;
1761 u8 perm, bit_idx = port & 0x7;
1762 unsigned mask = (1 << len) - 1;
1764 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1767 if (desc_limit_scaled(&tr_seg) < 103)
1769 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1771 if (r != X86EMUL_CONTINUE)
1773 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1775 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1776 &perm, 1, ctxt->vcpu, NULL);
1777 if (r != X86EMUL_CONTINUE)
1779 if ((perm >> bit_idx) & mask)
1784 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1785 struct x86_emulate_ops *ops,
1791 if (emulator_bad_iopl(ctxt, ops))
1792 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1795 ctxt->perm_ok = true;
1800 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1801 struct x86_emulate_ops *ops,
1802 struct tss_segment_16 *tss)
1804 struct decode_cache *c = &ctxt->decode;
1807 tss->flag = ctxt->eflags;
1808 tss->ax = c->regs[VCPU_REGS_RAX];
1809 tss->cx = c->regs[VCPU_REGS_RCX];
1810 tss->dx = c->regs[VCPU_REGS_RDX];
1811 tss->bx = c->regs[VCPU_REGS_RBX];
1812 tss->sp = c->regs[VCPU_REGS_RSP];
1813 tss->bp = c->regs[VCPU_REGS_RBP];
1814 tss->si = c->regs[VCPU_REGS_RSI];
1815 tss->di = c->regs[VCPU_REGS_RDI];
1817 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1818 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1819 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1820 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1821 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1824 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1825 struct x86_emulate_ops *ops,
1826 struct tss_segment_16 *tss)
1828 struct decode_cache *c = &ctxt->decode;
1832 ctxt->eflags = tss->flag | 2;
1833 c->regs[VCPU_REGS_RAX] = tss->ax;
1834 c->regs[VCPU_REGS_RCX] = tss->cx;
1835 c->regs[VCPU_REGS_RDX] = tss->dx;
1836 c->regs[VCPU_REGS_RBX] = tss->bx;
1837 c->regs[VCPU_REGS_RSP] = tss->sp;
1838 c->regs[VCPU_REGS_RBP] = tss->bp;
1839 c->regs[VCPU_REGS_RSI] = tss->si;
1840 c->regs[VCPU_REGS_RDI] = tss->di;
1843 * SDM says that segment selectors are loaded before segment
1846 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1847 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1848 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1849 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1850 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1853 * Now load segment descriptors. If fault happenes at this stage
1854 * it is handled in a context of new task
1856 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1857 if (ret != X86EMUL_CONTINUE)
1859 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1860 if (ret != X86EMUL_CONTINUE)
1862 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1863 if (ret != X86EMUL_CONTINUE)
1865 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1866 if (ret != X86EMUL_CONTINUE)
1868 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1869 if (ret != X86EMUL_CONTINUE)
1872 return X86EMUL_CONTINUE;
1875 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1876 struct x86_emulate_ops *ops,
1877 u16 tss_selector, u16 old_tss_sel,
1878 ulong old_tss_base, struct desc_struct *new_desc)
1880 struct tss_segment_16 tss_seg;
1882 u32 err, new_tss_base = get_desc_base(new_desc);
1884 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1886 if (ret == X86EMUL_PROPAGATE_FAULT) {
1887 /* FIXME: need to provide precise fault address */
1888 emulate_pf(ctxt, old_tss_base, err);
1892 save_state_to_tss16(ctxt, ops, &tss_seg);
1894 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1896 if (ret == X86EMUL_PROPAGATE_FAULT) {
1897 /* FIXME: need to provide precise fault address */
1898 emulate_pf(ctxt, old_tss_base, err);
1902 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1904 if (ret == X86EMUL_PROPAGATE_FAULT) {
1905 /* FIXME: need to provide precise fault address */
1906 emulate_pf(ctxt, new_tss_base, err);
1910 if (old_tss_sel != 0xffff) {
1911 tss_seg.prev_task_link = old_tss_sel;
1913 ret = ops->write_std(new_tss_base,
1914 &tss_seg.prev_task_link,
1915 sizeof tss_seg.prev_task_link,
1917 if (ret == X86EMUL_PROPAGATE_FAULT) {
1918 /* FIXME: need to provide precise fault address */
1919 emulate_pf(ctxt, new_tss_base, err);
1924 return load_state_from_tss16(ctxt, ops, &tss_seg);
1927 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1928 struct x86_emulate_ops *ops,
1929 struct tss_segment_32 *tss)
1931 struct decode_cache *c = &ctxt->decode;
1933 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
1935 tss->eflags = ctxt->eflags;
1936 tss->eax = c->regs[VCPU_REGS_RAX];
1937 tss->ecx = c->regs[VCPU_REGS_RCX];
1938 tss->edx = c->regs[VCPU_REGS_RDX];
1939 tss->ebx = c->regs[VCPU_REGS_RBX];
1940 tss->esp = c->regs[VCPU_REGS_RSP];
1941 tss->ebp = c->regs[VCPU_REGS_RBP];
1942 tss->esi = c->regs[VCPU_REGS_RSI];
1943 tss->edi = c->regs[VCPU_REGS_RDI];
1945 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1946 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1947 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1948 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1949 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
1950 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
1951 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1954 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1955 struct x86_emulate_ops *ops,
1956 struct tss_segment_32 *tss)
1958 struct decode_cache *c = &ctxt->decode;
1961 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
1962 emulate_gp(ctxt, 0);
1963 return X86EMUL_PROPAGATE_FAULT;
1966 ctxt->eflags = tss->eflags | 2;
1967 c->regs[VCPU_REGS_RAX] = tss->eax;
1968 c->regs[VCPU_REGS_RCX] = tss->ecx;
1969 c->regs[VCPU_REGS_RDX] = tss->edx;
1970 c->regs[VCPU_REGS_RBX] = tss->ebx;
1971 c->regs[VCPU_REGS_RSP] = tss->esp;
1972 c->regs[VCPU_REGS_RBP] = tss->ebp;
1973 c->regs[VCPU_REGS_RSI] = tss->esi;
1974 c->regs[VCPU_REGS_RDI] = tss->edi;
1977 * SDM says that segment selectors are loaded before segment
1980 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
1981 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1982 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1983 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1984 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1985 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
1986 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
1989 * Now load segment descriptors. If fault happenes at this stage
1990 * it is handled in a context of new task
1992 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
1993 if (ret != X86EMUL_CONTINUE)
1995 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1996 if (ret != X86EMUL_CONTINUE)
1998 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1999 if (ret != X86EMUL_CONTINUE)
2001 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2002 if (ret != X86EMUL_CONTINUE)
2004 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2005 if (ret != X86EMUL_CONTINUE)
2007 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2008 if (ret != X86EMUL_CONTINUE)
2010 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2011 if (ret != X86EMUL_CONTINUE)
2014 return X86EMUL_CONTINUE;
2017 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2018 struct x86_emulate_ops *ops,
2019 u16 tss_selector, u16 old_tss_sel,
2020 ulong old_tss_base, struct desc_struct *new_desc)
2022 struct tss_segment_32 tss_seg;
2024 u32 err, new_tss_base = get_desc_base(new_desc);
2026 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2028 if (ret == X86EMUL_PROPAGATE_FAULT) {
2029 /* FIXME: need to provide precise fault address */
2030 emulate_pf(ctxt, old_tss_base, err);
2034 save_state_to_tss32(ctxt, ops, &tss_seg);
2036 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2038 if (ret == X86EMUL_PROPAGATE_FAULT) {
2039 /* FIXME: need to provide precise fault address */
2040 emulate_pf(ctxt, old_tss_base, err);
2044 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2046 if (ret == X86EMUL_PROPAGATE_FAULT) {
2047 /* FIXME: need to provide precise fault address */
2048 emulate_pf(ctxt, new_tss_base, err);
2052 if (old_tss_sel != 0xffff) {
2053 tss_seg.prev_task_link = old_tss_sel;
2055 ret = ops->write_std(new_tss_base,
2056 &tss_seg.prev_task_link,
2057 sizeof tss_seg.prev_task_link,
2059 if (ret == X86EMUL_PROPAGATE_FAULT) {
2060 /* FIXME: need to provide precise fault address */
2061 emulate_pf(ctxt, new_tss_base, err);
2066 return load_state_from_tss32(ctxt, ops, &tss_seg);
2069 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2070 struct x86_emulate_ops *ops,
2071 u16 tss_selector, int reason,
2072 bool has_error_code, u32 error_code)
2074 struct desc_struct curr_tss_desc, next_tss_desc;
2076 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2077 ulong old_tss_base =
2078 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2081 /* FIXME: old_tss_base == ~0 ? */
2083 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2084 if (ret != X86EMUL_CONTINUE)
2086 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2087 if (ret != X86EMUL_CONTINUE)
2090 /* FIXME: check that next_tss_desc is tss */
2092 if (reason != TASK_SWITCH_IRET) {
2093 if ((tss_selector & 3) > next_tss_desc.dpl ||
2094 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2095 emulate_gp(ctxt, 0);
2096 return X86EMUL_PROPAGATE_FAULT;
2100 desc_limit = desc_limit_scaled(&next_tss_desc);
2101 if (!next_tss_desc.p ||
2102 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2103 desc_limit < 0x2b)) {
2104 emulate_ts(ctxt, tss_selector & 0xfffc);
2105 return X86EMUL_PROPAGATE_FAULT;
2108 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2109 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2110 write_segment_descriptor(ctxt, ops, old_tss_sel,
2114 if (reason == TASK_SWITCH_IRET)
2115 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2117 /* set back link to prev task only if NT bit is set in eflags
2118 note that old_tss_sel is not used afetr this point */
2119 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2120 old_tss_sel = 0xffff;
2122 if (next_tss_desc.type & 8)
2123 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2124 old_tss_base, &next_tss_desc);
2126 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2127 old_tss_base, &next_tss_desc);
2128 if (ret != X86EMUL_CONTINUE)
2131 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2132 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2134 if (reason != TASK_SWITCH_IRET) {
2135 next_tss_desc.type |= (1 << 1); /* set busy flag */
2136 write_segment_descriptor(ctxt, ops, tss_selector,
2140 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2141 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2142 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2144 if (has_error_code) {
2145 struct decode_cache *c = &ctxt->decode;
2147 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2149 c->src.val = (unsigned long) error_code;
2150 emulate_push(ctxt, ops);
2156 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2157 u16 tss_selector, int reason,
2158 bool has_error_code, u32 error_code)
2160 struct x86_emulate_ops *ops = ctxt->ops;
2161 struct decode_cache *c = &ctxt->decode;
2165 c->dst.type = OP_NONE;
2167 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2168 has_error_code, error_code);
2170 if (rc == X86EMUL_CONTINUE) {
2171 rc = writeback(ctxt, ops);
2172 if (rc == X86EMUL_CONTINUE)
2176 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2179 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2180 int reg, struct operand *op)
2182 struct decode_cache *c = &ctxt->decode;
2183 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2185 register_address_increment(c, &c->regs[reg], df * op->bytes);
2186 op->addr.mem = register_address(c, base, c->regs[reg]);
2189 static int em_push(struct x86_emulate_ctxt *ctxt)
2191 emulate_push(ctxt, ctxt->ops);
2192 return X86EMUL_CONTINUE;
2195 static int em_das(struct x86_emulate_ctxt *ctxt)
2197 struct decode_cache *c = &ctxt->decode;
2199 bool af, cf, old_cf;
2201 cf = ctxt->eflags & X86_EFLAGS_CF;
2207 af = ctxt->eflags & X86_EFLAGS_AF;
2208 if ((al & 0x0f) > 9 || af) {
2210 cf = old_cf | (al >= 250);
2215 if (old_al > 0x99 || old_cf) {
2221 /* Set PF, ZF, SF */
2222 c->src.type = OP_IMM;
2225 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2226 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2228 ctxt->eflags |= X86_EFLAGS_CF;
2230 ctxt->eflags |= X86_EFLAGS_AF;
2231 return X86EMUL_CONTINUE;
2234 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2236 struct decode_cache *c = &ctxt->decode;
2241 old_cs = ctxt->ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2244 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2245 if (load_segment_descriptor(ctxt, ctxt->ops, sel, VCPU_SREG_CS))
2246 return X86EMUL_CONTINUE;
2249 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2251 c->src.val = old_cs;
2252 emulate_push(ctxt, ctxt->ops);
2253 rc = writeback(ctxt, ctxt->ops);
2254 if (rc != X86EMUL_CONTINUE)
2257 c->src.val = old_eip;
2258 emulate_push(ctxt, ctxt->ops);
2259 rc = writeback(ctxt, ctxt->ops);
2260 if (rc != X86EMUL_CONTINUE)
2263 c->dst.type = OP_NONE;
2265 return X86EMUL_CONTINUE;
2268 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2270 struct decode_cache *c = &ctxt->decode;
2273 c->dst.type = OP_REG;
2274 c->dst.addr.reg = &c->eip;
2275 c->dst.bytes = c->op_bytes;
2276 rc = emulate_pop(ctxt, ctxt->ops, &c->dst.val, c->op_bytes);
2277 if (rc != X86EMUL_CONTINUE)
2279 register_address_increment(c, &c->regs[VCPU_REGS_RSP], c->src.val);
2280 return X86EMUL_CONTINUE;
2283 static int em_imul(struct x86_emulate_ctxt *ctxt)
2285 struct decode_cache *c = &ctxt->decode;
2287 emulate_2op_SrcV_nobyte("imul", c->src, c->dst, ctxt->eflags);
2288 return X86EMUL_CONTINUE;
2291 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2293 struct decode_cache *c = &ctxt->decode;
2295 c->dst.val = c->src2.val;
2296 return em_imul(ctxt);
2299 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2301 struct decode_cache *c = &ctxt->decode;
2303 c->dst.type = OP_REG;
2304 c->dst.bytes = c->src.bytes;
2305 c->dst.addr.reg = &c->regs[VCPU_REGS_RDX];
2306 c->dst.val = ~((c->src.val >> (c->src.bytes * 8 - 1)) - 1);
2308 return X86EMUL_CONTINUE;
2311 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2313 unsigned cpl = ctxt->ops->cpl(ctxt->vcpu);
2314 struct decode_cache *c = &ctxt->decode;
2317 if (cpl > 0 && (ctxt->ops->get_cr(4, ctxt->vcpu) & X86_CR4_TSD)) {
2318 emulate_gp(ctxt, 0);
2319 return X86EMUL_PROPAGATE_FAULT;
2321 ctxt->ops->get_msr(ctxt->vcpu, MSR_IA32_TSC, &tsc);
2322 c->regs[VCPU_REGS_RAX] = (u32)tsc;
2323 c->regs[VCPU_REGS_RDX] = tsc >> 32;
2324 return X86EMUL_CONTINUE;
2327 #define D(_y) { .flags = (_y) }
2329 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2330 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2331 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2333 static struct opcode group1[] = {
2337 static struct opcode group1A[] = {
2338 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2341 static struct opcode group3[] = {
2342 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2343 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2344 X4(D(SrcMem | ModRM)),
2347 static struct opcode group4[] = {
2348 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2352 static struct opcode group5[] = {
2353 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2354 D(SrcMem | ModRM | Stack),
2355 I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
2356 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2357 D(SrcMem | ModRM | Stack), N,
2360 static struct group_dual group7 = { {
2361 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2362 D(SrcNone | ModRM | DstMem | Mov), N,
2363 D(SrcMem16 | ModRM | Mov | Priv),
2364 D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
2366 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
2367 D(SrcNone | ModRM | DstMem | Mov), N,
2368 D(SrcMem16 | ModRM | Mov | Priv), N,
2371 static struct opcode group8[] = {
2373 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2374 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2377 static struct group_dual group9 = { {
2378 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2380 N, N, N, N, N, N, N, N,
2383 static struct opcode opcode_table[256] = {
2385 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2386 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2387 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2388 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2390 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2391 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2392 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2393 D(ImplicitOps | Stack | No64), N,
2395 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2396 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2397 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2398 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2400 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2401 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2402 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2403 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2405 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2406 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2407 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2409 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2410 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2411 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm),
2412 N, I(ByteOp | DstAcc | No64, em_das),
2414 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2415 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2416 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2418 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2419 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2420 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2425 X8(I(SrcReg | Stack, em_push)),
2427 X8(D(DstReg | Stack)),
2429 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2430 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2433 I(SrcImm | Mov | Stack, em_push),
2434 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
2435 I(SrcImmByte | Mov | Stack, em_push),
2436 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
2437 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
2438 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2442 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2443 G(DstMem | SrcImm | ModRM | Group, group1),
2444 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2445 G(DstMem | SrcImmByte | ModRM | Group, group1),
2446 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2447 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2449 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
2450 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
2451 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2452 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2454 X8(D(SrcAcc | DstReg)),
2456 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
2457 I(SrcImmFAddr | No64, em_call_far), N,
2458 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2460 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
2461 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
2462 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
2463 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
2465 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm),
2466 D(ByteOp | SrcAcc | DstDI | Mov | String), D(SrcAcc | DstDI | Mov | String),
2467 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
2468 D(ByteOp | SrcAcc | DstDI | String), D(SrcAcc | DstDI | String),
2470 X8(D(ByteOp | DstReg | SrcImm | Mov)),
2472 X8(D(DstReg | SrcImm | Mov)),
2474 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
2475 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
2476 D(ImplicitOps | Stack),
2477 D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr | ModRM | No64),
2478 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
2480 N, N, N, D(ImplicitOps | Stack),
2481 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2483 D(ByteOp | DstMem | SrcOne | ModRM), D(DstMem | SrcOne | ModRM),
2484 D(ByteOp | DstMem | ModRM), D(DstMem | ModRM),
2487 N, N, N, N, N, N, N, N,
2490 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2491 D(ByteOp | SrcAcc | DstImmUByte), D(SrcAcc | DstImmUByte),
2493 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2494 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2495 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2496 D(ByteOp | SrcAcc | ImplicitOps), D(SrcAcc | ImplicitOps),
2499 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2501 D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
2502 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2505 static struct opcode twobyte_table[256] = {
2507 N, GD(0, &group7), N, N,
2508 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
2509 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
2510 N, D(ImplicitOps | ModRM), N, N,
2512 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2514 D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
2515 D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
2517 N, N, N, N, N, N, N, N,
2519 D(ImplicitOps | Priv), I(ImplicitOps, em_rdtsc),
2520 D(ImplicitOps | Priv), N,
2521 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
2522 N, N, N, N, N, N, N, N,
2524 X16(D(DstReg | SrcMem | ModRM | Mov)),
2526 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2528 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2530 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2534 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
2536 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2537 N, D(DstMem | SrcReg | ModRM | BitOp),
2538 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2539 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2541 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2542 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2543 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2544 D(DstMem | SrcReg | Src2CL | ModRM),
2545 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
2547 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2548 D(DstReg | SrcMemFAddr | ModRM), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2549 D(DstReg | SrcMemFAddr | ModRM), D(DstReg | SrcMemFAddr | ModRM),
2550 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2553 G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2554 D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2555 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2557 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2558 N, D(DstMem | SrcReg | ModRM | Mov),
2559 N, N, N, GD(0, &group9),
2560 N, N, N, N, N, N, N, N,
2562 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2564 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2566 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2575 static unsigned imm_size(struct decode_cache *c)
2579 size = (c->d & ByteOp) ? 1 : c->op_bytes;
2585 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
2586 unsigned size, bool sign_extension)
2588 struct decode_cache *c = &ctxt->decode;
2589 struct x86_emulate_ops *ops = ctxt->ops;
2590 int rc = X86EMUL_CONTINUE;
2594 op->addr.mem = c->eip;
2595 /* NB. Immediates are sign-extended as necessary. */
2596 switch (op->bytes) {
2598 op->val = insn_fetch(s8, 1, c->eip);
2601 op->val = insn_fetch(s16, 2, c->eip);
2604 op->val = insn_fetch(s32, 4, c->eip);
2607 if (!sign_extension) {
2608 switch (op->bytes) {
2616 op->val &= 0xffffffff;
2625 x86_decode_insn(struct x86_emulate_ctxt *ctxt)
2627 struct x86_emulate_ops *ops = ctxt->ops;
2628 struct decode_cache *c = &ctxt->decode;
2629 int rc = X86EMUL_CONTINUE;
2630 int mode = ctxt->mode;
2631 int def_op_bytes, def_ad_bytes, dual, goffset;
2632 struct opcode opcode, *g_mod012, *g_mod3;
2633 struct operand memop = { .type = OP_NONE };
2636 c->fetch.start = c->fetch.end = c->eip;
2637 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2640 case X86EMUL_MODE_REAL:
2641 case X86EMUL_MODE_VM86:
2642 case X86EMUL_MODE_PROT16:
2643 def_op_bytes = def_ad_bytes = 2;
2645 case X86EMUL_MODE_PROT32:
2646 def_op_bytes = def_ad_bytes = 4;
2648 #ifdef CONFIG_X86_64
2649 case X86EMUL_MODE_PROT64:
2658 c->op_bytes = def_op_bytes;
2659 c->ad_bytes = def_ad_bytes;
2661 /* Legacy prefixes. */
2663 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2664 case 0x66: /* operand-size override */
2665 /* switch between 2/4 bytes */
2666 c->op_bytes = def_op_bytes ^ 6;
2668 case 0x67: /* address-size override */
2669 if (mode == X86EMUL_MODE_PROT64)
2670 /* switch between 4/8 bytes */
2671 c->ad_bytes = def_ad_bytes ^ 12;
2673 /* switch between 2/4 bytes */
2674 c->ad_bytes = def_ad_bytes ^ 6;
2676 case 0x26: /* ES override */
2677 case 0x2e: /* CS override */
2678 case 0x36: /* SS override */
2679 case 0x3e: /* DS override */
2680 set_seg_override(c, (c->b >> 3) & 3);
2682 case 0x64: /* FS override */
2683 case 0x65: /* GS override */
2684 set_seg_override(c, c->b & 7);
2686 case 0x40 ... 0x4f: /* REX */
2687 if (mode != X86EMUL_MODE_PROT64)
2689 c->rex_prefix = c->b;
2691 case 0xf0: /* LOCK */
2694 case 0xf2: /* REPNE/REPNZ */
2695 c->rep_prefix = REPNE_PREFIX;
2697 case 0xf3: /* REP/REPE/REPZ */
2698 c->rep_prefix = REPE_PREFIX;
2704 /* Any legacy prefix after a REX prefix nullifies its effect. */
2712 if (c->rex_prefix & 8)
2713 c->op_bytes = 8; /* REX.W */
2715 /* Opcode byte(s). */
2716 opcode = opcode_table[c->b];
2717 /* Two-byte opcode? */
2720 c->b = insn_fetch(u8, 1, c->eip);
2721 opcode = twobyte_table[c->b];
2723 c->d = opcode.flags;
2726 dual = c->d & GroupDual;
2727 c->modrm = insn_fetch(u8, 1, c->eip);
2730 if (c->d & GroupDual) {
2731 g_mod012 = opcode.u.gdual->mod012;
2732 g_mod3 = opcode.u.gdual->mod3;
2734 g_mod012 = g_mod3 = opcode.u.group;
2736 c->d &= ~(Group | GroupDual);
2738 goffset = (c->modrm >> 3) & 7;
2740 if ((c->modrm >> 6) == 3)
2741 opcode = g_mod3[goffset];
2743 opcode = g_mod012[goffset];
2744 c->d |= opcode.flags;
2747 c->execute = opcode.u.execute;
2750 if (c->d == 0 || (c->d & Undefined)) {
2751 DPRINTF("Cannot emulate %02x\n", c->b);
2755 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2758 if (c->d & Op3264) {
2759 if (mode == X86EMUL_MODE_PROT64)
2765 /* ModRM and SIB bytes. */
2767 rc = decode_modrm(ctxt, ops, &memop);
2768 if (!c->has_seg_override)
2769 set_seg_override(c, c->modrm_seg);
2770 } else if (c->d & MemAbs)
2771 rc = decode_abs(ctxt, ops, &memop);
2772 if (rc != X86EMUL_CONTINUE)
2775 if (!c->has_seg_override)
2776 set_seg_override(c, VCPU_SREG_DS);
2778 if (memop.type == OP_MEM && !(!c->twobyte && c->b == 0x8d))
2779 memop.addr.mem += seg_override_base(ctxt, ops, c);
2781 if (memop.type == OP_MEM && c->ad_bytes != 8)
2782 memop.addr.mem = (u32)memop.addr.mem;
2784 if (memop.type == OP_MEM && c->rip_relative)
2785 memop.addr.mem += c->eip;
2788 * Decode and fetch the source operand: register, memory
2791 switch (c->d & SrcMask) {
2795 decode_register_operand(&c->src, c, 0);
2804 memop.bytes = (c->d & ByteOp) ? 1 :
2810 rc = decode_imm(ctxt, &c->src, 2, false);
2813 rc = decode_imm(ctxt, &c->src, imm_size(c), true);
2816 rc = decode_imm(ctxt, &c->src, imm_size(c), false);
2819 rc = decode_imm(ctxt, &c->src, 1, true);
2822 rc = decode_imm(ctxt, &c->src, 1, false);
2825 c->src.type = OP_REG;
2826 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2827 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2828 fetch_register_operand(&c->src);
2835 c->src.type = OP_MEM;
2836 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2838 register_address(c, seg_override_base(ctxt, ops, c),
2839 c->regs[VCPU_REGS_RSI]);
2843 c->src.type = OP_IMM;
2844 c->src.addr.mem = c->eip;
2845 c->src.bytes = c->op_bytes + 2;
2846 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2849 memop.bytes = c->op_bytes + 2;
2854 if (rc != X86EMUL_CONTINUE)
2858 * Decode and fetch the second source operand: register, memory
2861 switch (c->d & Src2Mask) {
2866 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2869 rc = decode_imm(ctxt, &c->src2, 1, true);
2876 rc = decode_imm(ctxt, &c->src2, imm_size(c), true);
2880 if (rc != X86EMUL_CONTINUE)
2883 /* Decode and fetch the destination operand: register or memory. */
2884 switch (c->d & DstMask) {
2886 decode_register_operand(&c->dst, c,
2887 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2890 c->dst.type = OP_IMM;
2891 c->dst.addr.mem = c->eip;
2893 c->dst.val = insn_fetch(u8, 1, c->eip);
2898 if ((c->d & DstMask) == DstMem64)
2901 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2903 fetch_bit_operand(c);
2904 c->dst.orig_val = c->dst.val;
2907 c->dst.type = OP_REG;
2908 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2909 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
2910 fetch_register_operand(&c->dst);
2911 c->dst.orig_val = c->dst.val;
2914 c->dst.type = OP_MEM;
2915 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2917 register_address(c, es_base(ctxt, ops),
2918 c->regs[VCPU_REGS_RDI]);
2922 /* Special instructions do their own operand decoding. */
2924 c->dst.type = OP_NONE; /* Disable writeback. */
2929 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2932 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
2934 struct decode_cache *c = &ctxt->decode;
2936 /* The second termination condition only applies for REPE
2937 * and REPNE. Test if the repeat string operation prefix is
2938 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2939 * corresponding termination condition according to:
2940 * - if REPE/REPZ and ZF = 0 then done
2941 * - if REPNE/REPNZ and ZF = 1 then done
2943 if (((c->b == 0xa6) || (c->b == 0xa7) ||
2944 (c->b == 0xae) || (c->b == 0xaf))
2945 && (((c->rep_prefix == REPE_PREFIX) &&
2946 ((ctxt->eflags & EFLG_ZF) == 0))
2947 || ((c->rep_prefix == REPNE_PREFIX) &&
2948 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
2955 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2957 struct x86_emulate_ops *ops = ctxt->ops;
2959 struct decode_cache *c = &ctxt->decode;
2960 int rc = X86EMUL_CONTINUE;
2961 int saved_dst_type = c->dst.type;
2962 int irq; /* Used for int 3, int, and into */
2964 ctxt->decode.mem_read.pos = 0;
2966 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2971 /* LOCK prefix is allowed only with some instructions */
2972 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2977 /* Privileged instruction can be executed only in CPL=0 */
2978 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2979 emulate_gp(ctxt, 0);
2983 if (c->rep_prefix && (c->d & String)) {
2984 /* All REP prefixes have the same first termination condition */
2985 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2991 if ((c->src.type == OP_MEM) && !(c->d & NoAccess)) {
2992 rc = read_emulated(ctxt, ops, c->src.addr.mem,
2993 c->src.valptr, c->src.bytes);
2994 if (rc != X86EMUL_CONTINUE)
2996 c->src.orig_val64 = c->src.val64;
2999 if (c->src2.type == OP_MEM) {
3000 rc = read_emulated(ctxt, ops, c->src2.addr.mem,
3001 &c->src2.val, c->src2.bytes);
3002 if (rc != X86EMUL_CONTINUE)
3006 if ((c->d & DstMask) == ImplicitOps)
3010 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
3011 /* optimisation - avoid slow emulated read if Mov */
3012 rc = read_emulated(ctxt, ops, c->dst.addr.mem,
3013 &c->dst.val, c->dst.bytes);
3014 if (rc != X86EMUL_CONTINUE)
3017 c->dst.orig_val = c->dst.val;
3022 rc = c->execute(ctxt);
3023 if (rc != X86EMUL_CONTINUE)
3034 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3036 case 0x06: /* push es */
3037 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
3039 case 0x07: /* pop es */
3040 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
3041 if (rc != X86EMUL_CONTINUE)
3046 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
3048 case 0x0e: /* push cs */
3049 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
3053 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
3055 case 0x16: /* push ss */
3056 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
3058 case 0x17: /* pop ss */
3059 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
3060 if (rc != X86EMUL_CONTINUE)
3065 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
3067 case 0x1e: /* push ds */
3068 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
3070 case 0x1f: /* pop ds */
3071 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
3072 if (rc != X86EMUL_CONTINUE)
3077 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
3081 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
3085 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
3089 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3091 case 0x40 ... 0x47: /* inc r16/r32 */
3092 emulate_1op("inc", c->dst, ctxt->eflags);
3094 case 0x48 ... 0x4f: /* dec r16/r32 */
3095 emulate_1op("dec", c->dst, ctxt->eflags);
3097 case 0x58 ... 0x5f: /* pop reg */
3099 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
3100 if (rc != X86EMUL_CONTINUE)
3103 case 0x60: /* pusha */
3104 rc = emulate_pusha(ctxt, ops);
3105 if (rc != X86EMUL_CONTINUE)
3108 case 0x61: /* popa */
3109 rc = emulate_popa(ctxt, ops);
3110 if (rc != X86EMUL_CONTINUE)
3113 case 0x63: /* movsxd */
3114 if (ctxt->mode != X86EMUL_MODE_PROT64)
3115 goto cannot_emulate;
3116 c->dst.val = (s32) c->src.val;
3118 case 0x6c: /* insb */
3119 case 0x6d: /* insw/insd */
3120 c->src.val = c->regs[VCPU_REGS_RDX];
3122 case 0x6e: /* outsb */
3123 case 0x6f: /* outsw/outsd */
3124 c->dst.val = c->regs[VCPU_REGS_RDX];
3127 case 0x70 ... 0x7f: /* jcc (short) */
3128 if (test_cc(c->b, ctxt->eflags))
3129 jmp_rel(c, c->src.val);
3131 case 0x80 ... 0x83: /* Grp1 */
3132 switch (c->modrm_reg) {
3153 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
3155 case 0x86 ... 0x87: /* xchg */
3157 /* Write back the register source. */
3158 c->src.val = c->dst.val;
3159 write_register_operand(&c->src);
3161 * Write back the memory destination with implicit LOCK
3164 c->dst.val = c->src.orig_val;
3167 case 0x88 ... 0x8b: /* mov */
3169 case 0x8c: /* mov r/m, sreg */
3170 if (c->modrm_reg > VCPU_SREG_GS) {
3174 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
3176 case 0x8d: /* lea r16/r32, m */
3177 c->dst.val = c->src.addr.mem;
3179 case 0x8e: { /* mov seg, r/m16 */
3184 if (c->modrm_reg == VCPU_SREG_CS ||
3185 c->modrm_reg > VCPU_SREG_GS) {
3190 if (c->modrm_reg == VCPU_SREG_SS)
3191 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3193 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
3195 c->dst.type = OP_NONE; /* Disable writeback. */
3198 case 0x8f: /* pop (sole member of Grp1a) */
3199 rc = emulate_grp1a(ctxt, ops);
3200 if (rc != X86EMUL_CONTINUE)
3203 case 0x90 ... 0x97: /* nop / xchg reg, rax */
3204 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
3207 case 0x98: /* cbw/cwde/cdqe */
3208 switch (c->op_bytes) {
3209 case 2: c->dst.val = (s8)c->dst.val; break;
3210 case 4: c->dst.val = (s16)c->dst.val; break;
3211 case 8: c->dst.val = (s32)c->dst.val; break;
3214 case 0x9c: /* pushf */
3215 c->src.val = (unsigned long) ctxt->eflags;
3216 emulate_push(ctxt, ops);
3218 case 0x9d: /* popf */
3219 c->dst.type = OP_REG;
3220 c->dst.addr.reg = &ctxt->eflags;
3221 c->dst.bytes = c->op_bytes;
3222 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
3223 if (rc != X86EMUL_CONTINUE)
3226 case 0xa0 ... 0xa3: /* mov */
3227 case 0xa4 ... 0xa5: /* movs */
3229 case 0xa6 ... 0xa7: /* cmps */
3230 c->dst.type = OP_NONE; /* Disable writeback. */
3231 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
3233 case 0xa8 ... 0xa9: /* test ax, imm */
3235 case 0xaa ... 0xab: /* stos */
3236 case 0xac ... 0xad: /* lods */
3238 case 0xae ... 0xaf: /* scas */
3240 case 0xb0 ... 0xbf: /* mov r, imm */
3245 case 0xc3: /* ret */
3246 c->dst.type = OP_REG;
3247 c->dst.addr.reg = &c->eip;
3248 c->dst.bytes = c->op_bytes;
3249 goto pop_instruction;
3250 case 0xc4: /* les */
3251 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_ES);
3252 if (rc != X86EMUL_CONTINUE)
3255 case 0xc5: /* lds */
3256 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
3257 if (rc != X86EMUL_CONTINUE)
3260 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
3262 c->dst.val = c->src.val;
3264 case 0xcb: /* ret far */
3265 rc = emulate_ret_far(ctxt, ops);
3266 if (rc != X86EMUL_CONTINUE)
3269 case 0xcc: /* int3 */
3272 case 0xcd: /* int n */
3275 rc = emulate_int(ctxt, ops, irq);
3276 if (rc != X86EMUL_CONTINUE)
3279 case 0xce: /* into */
3280 if (ctxt->eflags & EFLG_OF) {
3285 case 0xcf: /* iret */
3286 rc = emulate_iret(ctxt, ops);
3288 if (rc != X86EMUL_CONTINUE)
3291 case 0xd0 ... 0xd1: /* Grp2 */
3294 case 0xd2 ... 0xd3: /* Grp2 */
3295 c->src.val = c->regs[VCPU_REGS_RCX];
3298 case 0xe0 ... 0xe2: /* loop/loopz/loopnz */
3299 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3300 if (address_mask(c, c->regs[VCPU_REGS_RCX]) != 0 &&
3301 (c->b == 0xe2 || test_cc(c->b ^ 0x5, ctxt->eflags)))
3302 jmp_rel(c, c->src.val);
3304 case 0xe3: /* jcxz/jecxz/jrcxz */
3305 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0)
3306 jmp_rel(c, c->src.val);
3308 case 0xe4: /* inb */
3311 case 0xe6: /* outb */
3312 case 0xe7: /* out */
3314 case 0xe8: /* call (near) */ {
3315 long int rel = c->src.val;
3316 c->src.val = (unsigned long) c->eip;
3318 emulate_push(ctxt, ops);
3321 case 0xe9: /* jmp rel */
3323 case 0xea: { /* jmp far */
3326 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3328 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3332 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3336 jmp: /* jmp rel short */
3337 jmp_rel(c, c->src.val);
3338 c->dst.type = OP_NONE; /* Disable writeback. */
3340 case 0xec: /* in al,dx */
3341 case 0xed: /* in (e/r)ax,dx */
3342 c->src.val = c->regs[VCPU_REGS_RDX];
3344 c->dst.bytes = min(c->dst.bytes, 4u);
3345 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3346 emulate_gp(ctxt, 0);
3349 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3351 goto done; /* IO is needed */
3353 case 0xee: /* out dx,al */
3354 case 0xef: /* out dx,(e/r)ax */
3355 c->dst.val = c->regs[VCPU_REGS_RDX];
3357 c->src.bytes = min(c->src.bytes, 4u);
3358 if (!emulator_io_permited(ctxt, ops, c->dst.val,
3360 emulate_gp(ctxt, 0);
3363 ops->pio_out_emulated(c->src.bytes, c->dst.val,
3364 &c->src.val, 1, ctxt->vcpu);
3365 c->dst.type = OP_NONE; /* Disable writeback. */
3367 case 0xf4: /* hlt */
3368 ctxt->vcpu->arch.halt_request = 1;
3370 case 0xf5: /* cmc */
3371 /* complement carry flag from eflags reg */
3372 ctxt->eflags ^= EFLG_CF;
3374 case 0xf6 ... 0xf7: /* Grp3 */
3375 if (emulate_grp3(ctxt, ops) != X86EMUL_CONTINUE)
3376 goto cannot_emulate;
3378 case 0xf8: /* clc */
3379 ctxt->eflags &= ~EFLG_CF;
3381 case 0xf9: /* stc */
3382 ctxt->eflags |= EFLG_CF;
3384 case 0xfa: /* cli */
3385 if (emulator_bad_iopl(ctxt, ops)) {
3386 emulate_gp(ctxt, 0);
3389 ctxt->eflags &= ~X86_EFLAGS_IF;
3391 case 0xfb: /* sti */
3392 if (emulator_bad_iopl(ctxt, ops)) {
3393 emulate_gp(ctxt, 0);
3396 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3397 ctxt->eflags |= X86_EFLAGS_IF;
3400 case 0xfc: /* cld */
3401 ctxt->eflags &= ~EFLG_DF;
3403 case 0xfd: /* std */
3404 ctxt->eflags |= EFLG_DF;
3406 case 0xfe: /* Grp4 */
3408 rc = emulate_grp45(ctxt, ops);
3409 if (rc != X86EMUL_CONTINUE)
3412 case 0xff: /* Grp5 */
3413 if (c->modrm_reg == 5)
3417 goto cannot_emulate;
3421 rc = writeback(ctxt, ops);
3422 if (rc != X86EMUL_CONTINUE)
3426 * restore dst type in case the decoding will be reused
3427 * (happens for string instruction )
3429 c->dst.type = saved_dst_type;
3431 if ((c->d & SrcMask) == SrcSI)
3432 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3433 VCPU_REGS_RSI, &c->src);
3435 if ((c->d & DstMask) == DstDI)
3436 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3439 if (c->rep_prefix && (c->d & String)) {
3440 struct read_cache *r = &ctxt->decode.io_read;
3441 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3443 if (!string_insn_completed(ctxt)) {
3445 * Re-enter guest when pio read ahead buffer is empty
3446 * or, if it is not used, after each 1024 iteration.
3448 if ((r->end != 0 || c->regs[VCPU_REGS_RCX] & 0x3ff) &&
3449 (r->end == 0 || r->end != r->pos)) {
3451 * Reset read cache. Usually happens before
3452 * decode, but since instruction is restarted
3453 * we have to do it here.
3455 ctxt->decode.mem_read.end = 0;
3456 return EMULATION_RESTART;
3458 goto done; /* skip rip writeback */
3465 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3469 case 0x01: /* lgdt, lidt, lmsw */
3470 switch (c->modrm_reg) {
3472 unsigned long address;
3474 case 0: /* vmcall */
3475 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3476 goto cannot_emulate;
3478 rc = kvm_fix_hypercall(ctxt->vcpu);
3479 if (rc != X86EMUL_CONTINUE)
3482 /* Let the processor re-execute the fixed hypercall */
3484 /* Disable writeback. */
3485 c->dst.type = OP_NONE;
3488 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3489 &size, &address, c->op_bytes);
3490 if (rc != X86EMUL_CONTINUE)
3492 realmode_lgdt(ctxt->vcpu, size, address);
3493 /* Disable writeback. */
3494 c->dst.type = OP_NONE;
3496 case 3: /* lidt/vmmcall */
3497 if (c->modrm_mod == 3) {
3498 switch (c->modrm_rm) {
3500 rc = kvm_fix_hypercall(ctxt->vcpu);
3501 if (rc != X86EMUL_CONTINUE)
3505 goto cannot_emulate;
3508 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3511 if (rc != X86EMUL_CONTINUE)
3513 realmode_lidt(ctxt->vcpu, size, address);
3515 /* Disable writeback. */
3516 c->dst.type = OP_NONE;
3520 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3523 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3524 (c->src.val & 0x0f), ctxt->vcpu);
3525 c->dst.type = OP_NONE;
3527 case 5: /* not defined */
3531 emulate_invlpg(ctxt->vcpu, c->src.addr.mem);
3532 /* Disable writeback. */
3533 c->dst.type = OP_NONE;
3536 goto cannot_emulate;
3539 case 0x05: /* syscall */
3540 rc = emulate_syscall(ctxt, ops);
3541 if (rc != X86EMUL_CONTINUE)
3547 emulate_clts(ctxt->vcpu);
3549 case 0x09: /* wbinvd */
3550 kvm_emulate_wbinvd(ctxt->vcpu);
3552 case 0x08: /* invd */
3553 case 0x0d: /* GrpP (prefetch) */
3554 case 0x18: /* Grp16 (prefetch/nop) */
3556 case 0x20: /* mov cr, reg */
3557 switch (c->modrm_reg) {
3564 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3566 case 0x21: /* mov from dr to reg */
3567 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3568 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3572 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3574 case 0x22: /* mov reg, cr */
3575 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3576 emulate_gp(ctxt, 0);
3579 c->dst.type = OP_NONE;
3581 case 0x23: /* mov from reg to dr */
3582 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3583 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3588 if (ops->set_dr(c->modrm_reg, c->src.val &
3589 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3590 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3591 /* #UD condition is already handled by the code above */
3592 emulate_gp(ctxt, 0);
3596 c->dst.type = OP_NONE; /* no writeback */
3600 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3601 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3602 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3603 emulate_gp(ctxt, 0);
3606 rc = X86EMUL_CONTINUE;
3610 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3611 emulate_gp(ctxt, 0);
3614 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3615 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3617 rc = X86EMUL_CONTINUE;
3619 case 0x34: /* sysenter */
3620 rc = emulate_sysenter(ctxt, ops);
3621 if (rc != X86EMUL_CONTINUE)
3626 case 0x35: /* sysexit */
3627 rc = emulate_sysexit(ctxt, ops);
3628 if (rc != X86EMUL_CONTINUE)
3633 case 0x40 ... 0x4f: /* cmov */
3634 c->dst.val = c->dst.orig_val = c->src.val;
3635 if (!test_cc(c->b, ctxt->eflags))
3636 c->dst.type = OP_NONE; /* no writeback */
3638 case 0x80 ... 0x8f: /* jnz rel, etc*/
3639 if (test_cc(c->b, ctxt->eflags))
3640 jmp_rel(c, c->src.val);
3642 case 0x90 ... 0x9f: /* setcc r/m8 */
3643 c->dst.val = test_cc(c->b, ctxt->eflags);
3645 case 0xa0: /* push fs */
3646 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3648 case 0xa1: /* pop fs */
3649 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3650 if (rc != X86EMUL_CONTINUE)
3655 c->dst.type = OP_NONE;
3656 /* only subword offset */
3657 c->src.val &= (c->dst.bytes << 3) - 1;
3658 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3660 case 0xa4: /* shld imm8, r, r/m */
3661 case 0xa5: /* shld cl, r, r/m */
3662 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3664 case 0xa8: /* push gs */
3665 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3667 case 0xa9: /* pop gs */
3668 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3669 if (rc != X86EMUL_CONTINUE)
3674 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3676 case 0xac: /* shrd imm8, r, r/m */
3677 case 0xad: /* shrd cl, r, r/m */
3678 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3680 case 0xae: /* clflush */
3682 case 0xb0 ... 0xb1: /* cmpxchg */
3684 * Save real source value, then compare EAX against
3687 c->src.orig_val = c->src.val;
3688 c->src.val = c->regs[VCPU_REGS_RAX];
3689 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3690 if (ctxt->eflags & EFLG_ZF) {
3691 /* Success: write back to memory. */
3692 c->dst.val = c->src.orig_val;
3694 /* Failure: write the value we saw to EAX. */
3695 c->dst.type = OP_REG;
3696 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3699 case 0xb2: /* lss */
3700 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_SS);
3701 if (rc != X86EMUL_CONTINUE)
3706 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3708 case 0xb4: /* lfs */
3709 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_FS);
3710 if (rc != X86EMUL_CONTINUE)
3713 case 0xb5: /* lgs */
3714 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_GS);
3715 if (rc != X86EMUL_CONTINUE)
3718 case 0xb6 ... 0xb7: /* movzx */
3719 c->dst.bytes = c->op_bytes;
3720 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3723 case 0xba: /* Grp8 */
3724 switch (c->modrm_reg & 3) {
3737 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3739 case 0xbc: { /* bsf */
3741 __asm__ ("bsf %2, %0; setz %1"
3742 : "=r"(c->dst.val), "=q"(zf)
3744 ctxt->eflags &= ~X86_EFLAGS_ZF;
3746 ctxt->eflags |= X86_EFLAGS_ZF;
3747 c->dst.type = OP_NONE; /* Disable writeback. */
3751 case 0xbd: { /* bsr */
3753 __asm__ ("bsr %2, %0; setz %1"
3754 : "=r"(c->dst.val), "=q"(zf)
3756 ctxt->eflags &= ~X86_EFLAGS_ZF;
3758 ctxt->eflags |= X86_EFLAGS_ZF;
3759 c->dst.type = OP_NONE; /* Disable writeback. */
3763 case 0xbe ... 0xbf: /* movsx */
3764 c->dst.bytes = c->op_bytes;
3765 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3768 case 0xc0 ... 0xc1: /* xadd */
3769 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3770 /* Write back the register source. */
3771 c->src.val = c->dst.orig_val;
3772 write_register_operand(&c->src);
3774 case 0xc3: /* movnti */
3775 c->dst.bytes = c->op_bytes;
3776 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3779 case 0xc7: /* Grp9 (cmpxchg8b) */
3780 rc = emulate_grp9(ctxt, ops);
3781 if (rc != X86EMUL_CONTINUE)
3785 goto cannot_emulate;
3790 DPRINTF("Cannot emulate %02x\n", c->b);