1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
77 /* Destination is only written; never read. */
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
85 #define GroupMask 0xff /* Group number stored in bits 0:7 */
87 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
88 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
90 /* Source 2 operand type */
91 #define Src2None (0<<29)
92 #define Src2CL (1<<29)
93 #define Src2ImmByte (2<<29)
94 #define Src2One (3<<29)
95 #define Src2Mask (7<<29)
97 #define X2(x) (x), (x)
98 #define X3(x) X2(x), (x)
99 #define X4(x) X2(x), X2(x)
100 #define X5(x) X4(x), (x)
101 #define X6(x) X4(x), X2(x)
102 #define X7(x) X4(x), X3(x)
103 #define X8(x) X4(x), X4(x)
104 #define X16(x) X8(x), X8(x)
107 Group1_80, Group1_81, Group1_82, Group1_83,
108 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
112 static u32 opcode_table[256] = {
114 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
115 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
116 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
117 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
119 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
120 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
121 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
122 ImplicitOps | Stack | No64, 0,
124 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
125 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
126 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
127 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
129 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
130 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
131 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
132 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
134 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
135 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
136 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
138 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
139 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
140 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
142 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
143 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
144 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
146 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
147 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
148 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
157 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
158 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
161 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
162 DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
163 SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
165 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
166 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
168 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
169 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
171 Group | Group1_80, Group | Group1_81,
172 Group | Group1_82, Group | Group1_83,
173 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
174 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
176 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
177 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
178 DstMem | SrcNone | ModRM | Mov, ModRM | DstReg,
179 ImplicitOps | SrcMem16 | ModRM, Group | Group1A,
181 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
183 0, 0, SrcImmFAddr | No64, 0,
184 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
186 ByteOp | DstAcc | SrcMem | Mov | MemAbs, DstAcc | SrcMem | Mov | MemAbs,
187 ByteOp | DstMem | SrcAcc | Mov | MemAbs, DstMem | SrcAcc | Mov | MemAbs,
188 ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
189 ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
191 DstAcc | SrcImmByte | ByteOp, DstAcc | SrcImm, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
192 ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
193 ByteOp | DstDI | String, DstDI | String,
195 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
196 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
197 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
198 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
200 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
201 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
202 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
203 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
205 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
206 0, ImplicitOps | Stack, 0, 0,
207 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
209 0, 0, 0, ImplicitOps | Stack,
210 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
212 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
213 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
216 0, 0, 0, 0, 0, 0, 0, 0,
219 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
220 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
222 SrcImm | Stack, SrcImm | ImplicitOps,
223 SrcImmFAddr | No64, SrcImmByte | ImplicitOps,
224 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
225 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
228 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
230 ImplicitOps, 0, ImplicitOps, ImplicitOps,
231 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
234 static u32 twobyte_table[256] = {
236 0, Group | GroupDual | Group7, 0, 0,
237 0, ImplicitOps, ImplicitOps | Priv, 0,
238 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
239 0, ImplicitOps | ModRM, 0, 0,
241 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
243 ModRM | ImplicitOps | Priv, ModRM | Priv,
244 ModRM | ImplicitOps | Priv, ModRM | Priv,
246 0, 0, 0, 0, 0, 0, 0, 0,
248 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
249 ImplicitOps, ImplicitOps | Priv, 0, 0,
250 0, 0, 0, 0, 0, 0, 0, 0,
252 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
253 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
254 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
255 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
257 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
258 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
259 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
260 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
262 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
264 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
266 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
268 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
269 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
271 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
273 ImplicitOps | Stack, ImplicitOps | Stack,
274 0, DstMem | SrcReg | ModRM | BitOp,
275 DstMem | SrcReg | Src2ImmByte | ModRM,
276 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
278 ImplicitOps | Stack, ImplicitOps | Stack,
279 0, DstMem | SrcReg | ModRM | BitOp | Lock,
280 DstMem | SrcReg | Src2ImmByte | ModRM,
281 DstMem | SrcReg | Src2CL | ModRM,
284 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
285 0, DstMem | SrcReg | ModRM | BitOp | Lock,
286 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
287 DstReg | SrcMem16 | ModRM | Mov,
290 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
291 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
292 DstReg | SrcMem16 | ModRM | Mov,
294 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
295 0, 0, 0, Group | GroupDual | Group9,
296 0, 0, 0, 0, 0, 0, 0, 0,
298 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
300 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
302 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
305 static u32 group_table[] = {
307 ByteOp | DstMem | SrcImm | ModRM | Lock,
308 ByteOp | DstMem | SrcImm | ModRM | Lock,
309 ByteOp | DstMem | SrcImm | ModRM | Lock,
310 ByteOp | DstMem | SrcImm | ModRM | Lock,
311 ByteOp | DstMem | SrcImm | ModRM | Lock,
312 ByteOp | DstMem | SrcImm | ModRM | Lock,
313 ByteOp | DstMem | SrcImm | ModRM | Lock,
314 ByteOp | DstMem | SrcImm | ModRM,
316 DstMem | SrcImm | ModRM | Lock,
317 DstMem | SrcImm | ModRM | Lock,
318 DstMem | SrcImm | ModRM | Lock,
319 DstMem | SrcImm | ModRM | Lock,
320 DstMem | SrcImm | ModRM | Lock,
321 DstMem | SrcImm | ModRM | Lock,
322 DstMem | SrcImm | ModRM | Lock,
323 DstMem | SrcImm | ModRM,
325 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
326 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
327 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
328 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
329 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
330 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
331 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
332 ByteOp | DstMem | SrcImm | ModRM | No64,
334 DstMem | SrcImmByte | ModRM | Lock,
335 DstMem | SrcImmByte | ModRM | Lock,
336 DstMem | SrcImmByte | ModRM | Lock,
337 DstMem | SrcImmByte | ModRM | Lock,
338 DstMem | SrcImmByte | ModRM | Lock,
339 DstMem | SrcImmByte | ModRM | Lock,
340 DstMem | SrcImmByte | ModRM | Lock,
341 DstMem | SrcImmByte | ModRM,
343 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
345 ByteOp | SrcImm | DstMem | ModRM, ByteOp | SrcImm | DstMem | ModRM,
346 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
349 DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
350 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
353 ByteOp | DstMem | SrcNone | ModRM | Lock, ByteOp | DstMem | SrcNone | ModRM | Lock,
356 DstMem | SrcNone | ModRM | Lock, DstMem | SrcNone | ModRM | Lock,
357 SrcMem | ModRM | Stack, 0,
358 SrcMem | ModRM | Stack, SrcMemFAddr | ModRM | ImplicitOps,
359 SrcMem | ModRM | Stack, 0,
361 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
362 SrcNone | ModRM | DstMem | Mov, 0,
363 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
366 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
367 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
369 0, DstMem64 | ModRM | Lock, 0, 0, 0, 0, 0, 0,
372 static u32 group2_table[] = {
374 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
375 SrcNone | ModRM | DstMem | Mov, 0,
376 SrcMem16 | ModRM | Mov | Priv, 0,
378 0, 0, 0, 0, 0, 0, 0, 0,
381 /* EFLAGS bit definitions. */
382 #define EFLG_ID (1<<21)
383 #define EFLG_VIP (1<<20)
384 #define EFLG_VIF (1<<19)
385 #define EFLG_AC (1<<18)
386 #define EFLG_VM (1<<17)
387 #define EFLG_RF (1<<16)
388 #define EFLG_IOPL (3<<12)
389 #define EFLG_NT (1<<14)
390 #define EFLG_OF (1<<11)
391 #define EFLG_DF (1<<10)
392 #define EFLG_IF (1<<9)
393 #define EFLG_TF (1<<8)
394 #define EFLG_SF (1<<7)
395 #define EFLG_ZF (1<<6)
396 #define EFLG_AF (1<<4)
397 #define EFLG_PF (1<<2)
398 #define EFLG_CF (1<<0)
401 * Instruction emulation:
402 * Most instructions are emulated directly via a fragment of inline assembly
403 * code. This allows us to save/restore EFLAGS and thus very easily pick up
404 * any modified flags.
407 #if defined(CONFIG_X86_64)
408 #define _LO32 "k" /* force 32-bit operand */
409 #define _STK "%%rsp" /* stack pointer */
410 #elif defined(__i386__)
411 #define _LO32 "" /* force 32-bit operand */
412 #define _STK "%%esp" /* stack pointer */
416 * These EFLAGS bits are restored from saved value during emulation, and
417 * any changes are written back to the saved value after emulation.
419 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
421 /* Before executing instruction: restore necessary bits in EFLAGS. */
422 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
423 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
424 "movl %"_sav",%"_LO32 _tmp"; " \
427 "movl %"_msk",%"_LO32 _tmp"; " \
428 "andl %"_LO32 _tmp",("_STK"); " \
430 "notl %"_LO32 _tmp"; " \
431 "andl %"_LO32 _tmp",("_STK"); " \
432 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
434 "orl %"_LO32 _tmp",("_STK"); " \
438 /* After executing instruction: write-back necessary bits in EFLAGS. */
439 #define _POST_EFLAGS(_sav, _msk, _tmp) \
440 /* _sav |= EFLAGS & _msk; */ \
443 "andl %"_msk",%"_LO32 _tmp"; " \
444 "orl %"_LO32 _tmp",%"_sav"; "
452 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
454 __asm__ __volatile__ ( \
455 _PRE_EFLAGS("0", "4", "2") \
456 _op _suffix " %"_x"3,%1; " \
457 _POST_EFLAGS("0", "4", "2") \
458 : "=m" (_eflags), "=m" ((_dst).val), \
460 : _y ((_src).val), "i" (EFLAGS_MASK)); \
464 /* Raw emulation: instruction has two explicit operands. */
465 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
467 unsigned long _tmp; \
469 switch ((_dst).bytes) { \
471 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
474 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
477 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
482 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
484 unsigned long _tmp; \
485 switch ((_dst).bytes) { \
487 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
490 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
491 _wx, _wy, _lx, _ly, _qx, _qy); \
496 /* Source operand is byte-sized and may be restricted to just %cl. */
497 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
498 __emulate_2op(_op, _src, _dst, _eflags, \
499 "b", "c", "b", "c", "b", "c", "b", "c")
501 /* Source operand is byte, word, long or quad sized. */
502 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
503 __emulate_2op(_op, _src, _dst, _eflags, \
504 "b", "q", "w", "r", _LO32, "r", "", "r")
506 /* Source operand is word, long or quad sized. */
507 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
508 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
509 "w", "r", _LO32, "r", "", "r")
511 /* Instruction has three operands and one operand is stored in ECX register */
512 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
514 unsigned long _tmp; \
515 _type _clv = (_cl).val; \
516 _type _srcv = (_src).val; \
517 _type _dstv = (_dst).val; \
519 __asm__ __volatile__ ( \
520 _PRE_EFLAGS("0", "5", "2") \
521 _op _suffix " %4,%1 \n" \
522 _POST_EFLAGS("0", "5", "2") \
523 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
524 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
527 (_cl).val = (unsigned long) _clv; \
528 (_src).val = (unsigned long) _srcv; \
529 (_dst).val = (unsigned long) _dstv; \
532 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
534 switch ((_dst).bytes) { \
536 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
537 "w", unsigned short); \
540 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
541 "l", unsigned int); \
544 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
545 "q", unsigned long)); \
550 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
552 unsigned long _tmp; \
554 __asm__ __volatile__ ( \
555 _PRE_EFLAGS("0", "3", "2") \
556 _op _suffix " %1; " \
557 _POST_EFLAGS("0", "3", "2") \
558 : "=m" (_eflags), "+m" ((_dst).val), \
560 : "i" (EFLAGS_MASK)); \
563 /* Instruction has only one explicit operand (no source operand). */
564 #define emulate_1op(_op, _dst, _eflags) \
566 switch ((_dst).bytes) { \
567 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
568 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
569 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
570 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
574 /* Fetch next part of the instruction being emulated. */
575 #define insn_fetch(_type, _size, _eip) \
576 ({ unsigned long _x; \
577 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
578 if (rc != X86EMUL_CONTINUE) \
584 #define insn_fetch_arr(_arr, _size, _eip) \
585 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
586 if (rc != X86EMUL_CONTINUE) \
591 static inline unsigned long ad_mask(struct decode_cache *c)
593 return (1UL << (c->ad_bytes << 3)) - 1;
596 /* Access/update address held in a register, based on addressing mode. */
597 static inline unsigned long
598 address_mask(struct decode_cache *c, unsigned long reg)
600 if (c->ad_bytes == sizeof(unsigned long))
603 return reg & ad_mask(c);
606 static inline unsigned long
607 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
609 return base + address_mask(c, reg);
613 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
615 if (c->ad_bytes == sizeof(unsigned long))
618 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
621 static inline void jmp_rel(struct decode_cache *c, int rel)
623 register_address_increment(c, &c->eip, rel);
626 static void set_seg_override(struct decode_cache *c, int seg)
628 c->has_seg_override = true;
629 c->seg_override = seg;
632 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
633 struct x86_emulate_ops *ops, int seg)
635 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
638 return ops->get_cached_segment_base(seg, ctxt->vcpu);
641 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
642 struct x86_emulate_ops *ops,
643 struct decode_cache *c)
645 if (!c->has_seg_override)
648 return seg_base(ctxt, ops, c->seg_override);
651 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
652 struct x86_emulate_ops *ops)
654 return seg_base(ctxt, ops, VCPU_SREG_ES);
657 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
658 struct x86_emulate_ops *ops)
660 return seg_base(ctxt, ops, VCPU_SREG_SS);
663 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
664 u32 error, bool valid)
666 ctxt->exception = vec;
667 ctxt->error_code = error;
668 ctxt->error_code_valid = valid;
669 ctxt->restart = false;
672 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
674 emulate_exception(ctxt, GP_VECTOR, err, true);
677 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
681 emulate_exception(ctxt, PF_VECTOR, err, true);
684 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
686 emulate_exception(ctxt, UD_VECTOR, 0, false);
689 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
691 emulate_exception(ctxt, TS_VECTOR, err, true);
694 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
695 struct x86_emulate_ops *ops,
696 unsigned long eip, u8 *dest)
698 struct fetch_cache *fc = &ctxt->decode.fetch;
702 if (eip == fc->end) {
703 cur_size = fc->end - fc->start;
704 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
705 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
706 size, ctxt->vcpu, NULL);
707 if (rc != X86EMUL_CONTINUE)
711 *dest = fc->data[eip - fc->start];
712 return X86EMUL_CONTINUE;
715 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
716 struct x86_emulate_ops *ops,
717 unsigned long eip, void *dest, unsigned size)
721 /* x86 instructions are limited to 15 bytes. */
722 if (eip + size - ctxt->eip > 15)
723 return X86EMUL_UNHANDLEABLE;
725 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
726 if (rc != X86EMUL_CONTINUE)
729 return X86EMUL_CONTINUE;
733 * Given the 'reg' portion of a ModRM byte, and a register block, return a
734 * pointer into the block that addresses the relevant register.
735 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
737 static void *decode_register(u8 modrm_reg, unsigned long *regs,
742 p = ®s[modrm_reg];
743 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
744 p = (unsigned char *)®s[modrm_reg & 3] + 1;
748 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
749 struct x86_emulate_ops *ops,
751 u16 *size, unsigned long *address, int op_bytes)
758 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
760 if (rc != X86EMUL_CONTINUE)
762 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
767 static int test_cc(unsigned int condition, unsigned int flags)
771 switch ((condition & 15) >> 1) {
773 rc |= (flags & EFLG_OF);
775 case 1: /* b/c/nae */
776 rc |= (flags & EFLG_CF);
779 rc |= (flags & EFLG_ZF);
782 rc |= (flags & (EFLG_CF|EFLG_ZF));
785 rc |= (flags & EFLG_SF);
788 rc |= (flags & EFLG_PF);
791 rc |= (flags & EFLG_ZF);
794 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
798 /* Odd condition identifiers (lsb == 1) have inverted sense. */
799 return (!!rc ^ (condition & 1));
802 static void decode_register_operand(struct operand *op,
803 struct decode_cache *c,
806 unsigned reg = c->modrm_reg;
807 int highbyte_regs = c->rex_prefix == 0;
810 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
812 if ((c->d & ByteOp) && !inhibit_bytereg) {
813 op->ptr = decode_register(reg, c->regs, highbyte_regs);
814 op->val = *(u8 *)op->ptr;
817 op->ptr = decode_register(reg, c->regs, 0);
818 op->bytes = c->op_bytes;
821 op->val = *(u16 *)op->ptr;
824 op->val = *(u32 *)op->ptr;
827 op->val = *(u64 *) op->ptr;
831 op->orig_val = op->val;
834 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
835 struct x86_emulate_ops *ops)
837 struct decode_cache *c = &ctxt->decode;
839 int index_reg = 0, base_reg = 0, scale;
840 int rc = X86EMUL_CONTINUE;
843 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
844 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
845 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
848 c->modrm = insn_fetch(u8, 1, c->eip);
849 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
850 c->modrm_reg |= (c->modrm & 0x38) >> 3;
851 c->modrm_rm |= (c->modrm & 0x07);
855 if (c->modrm_mod == 3) {
856 c->modrm_ptr = decode_register(c->modrm_rm,
857 c->regs, c->d & ByteOp);
858 c->modrm_val = *(unsigned long *)c->modrm_ptr;
862 if (c->ad_bytes == 2) {
863 unsigned bx = c->regs[VCPU_REGS_RBX];
864 unsigned bp = c->regs[VCPU_REGS_RBP];
865 unsigned si = c->regs[VCPU_REGS_RSI];
866 unsigned di = c->regs[VCPU_REGS_RDI];
868 /* 16-bit ModR/M decode. */
869 switch (c->modrm_mod) {
871 if (c->modrm_rm == 6)
872 c->modrm_ea += insn_fetch(u16, 2, c->eip);
875 c->modrm_ea += insn_fetch(s8, 1, c->eip);
878 c->modrm_ea += insn_fetch(u16, 2, c->eip);
881 switch (c->modrm_rm) {
883 c->modrm_ea += bx + si;
886 c->modrm_ea += bx + di;
889 c->modrm_ea += bp + si;
892 c->modrm_ea += bp + di;
901 if (c->modrm_mod != 0)
908 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
909 (c->modrm_rm == 6 && c->modrm_mod != 0))
910 if (!c->has_seg_override)
911 set_seg_override(c, VCPU_SREG_SS);
912 c->modrm_ea = (u16)c->modrm_ea;
914 /* 32/64-bit ModR/M decode. */
915 if ((c->modrm_rm & 7) == 4) {
916 sib = insn_fetch(u8, 1, c->eip);
917 index_reg |= (sib >> 3) & 7;
921 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
922 c->modrm_ea += insn_fetch(s32, 4, c->eip);
924 c->modrm_ea += c->regs[base_reg];
926 c->modrm_ea += c->regs[index_reg] << scale;
927 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
928 if (ctxt->mode == X86EMUL_MODE_PROT64)
931 c->modrm_ea += c->regs[c->modrm_rm];
932 switch (c->modrm_mod) {
934 if (c->modrm_rm == 5)
935 c->modrm_ea += insn_fetch(s32, 4, c->eip);
938 c->modrm_ea += insn_fetch(s8, 1, c->eip);
941 c->modrm_ea += insn_fetch(s32, 4, c->eip);
949 static int decode_abs(struct x86_emulate_ctxt *ctxt,
950 struct x86_emulate_ops *ops)
952 struct decode_cache *c = &ctxt->decode;
953 int rc = X86EMUL_CONTINUE;
955 switch (c->ad_bytes) {
957 c->modrm_ea = insn_fetch(u16, 2, c->eip);
960 c->modrm_ea = insn_fetch(u32, 4, c->eip);
963 c->modrm_ea = insn_fetch(u64, 8, c->eip);
971 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
973 struct decode_cache *c = &ctxt->decode;
974 int rc = X86EMUL_CONTINUE;
975 int mode = ctxt->mode;
976 int def_op_bytes, def_ad_bytes, group;
979 /* we cannot decode insn before we complete previous rep insn */
980 WARN_ON(ctxt->restart);
983 c->fetch.start = c->fetch.end = c->eip;
984 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
987 case X86EMUL_MODE_REAL:
988 case X86EMUL_MODE_VM86:
989 case X86EMUL_MODE_PROT16:
990 def_op_bytes = def_ad_bytes = 2;
992 case X86EMUL_MODE_PROT32:
993 def_op_bytes = def_ad_bytes = 4;
996 case X86EMUL_MODE_PROT64:
1005 c->op_bytes = def_op_bytes;
1006 c->ad_bytes = def_ad_bytes;
1008 /* Legacy prefixes. */
1010 switch (c->b = insn_fetch(u8, 1, c->eip)) {
1011 case 0x66: /* operand-size override */
1012 /* switch between 2/4 bytes */
1013 c->op_bytes = def_op_bytes ^ 6;
1015 case 0x67: /* address-size override */
1016 if (mode == X86EMUL_MODE_PROT64)
1017 /* switch between 4/8 bytes */
1018 c->ad_bytes = def_ad_bytes ^ 12;
1020 /* switch between 2/4 bytes */
1021 c->ad_bytes = def_ad_bytes ^ 6;
1023 case 0x26: /* ES override */
1024 case 0x2e: /* CS override */
1025 case 0x36: /* SS override */
1026 case 0x3e: /* DS override */
1027 set_seg_override(c, (c->b >> 3) & 3);
1029 case 0x64: /* FS override */
1030 case 0x65: /* GS override */
1031 set_seg_override(c, c->b & 7);
1033 case 0x40 ... 0x4f: /* REX */
1034 if (mode != X86EMUL_MODE_PROT64)
1036 c->rex_prefix = c->b;
1038 case 0xf0: /* LOCK */
1041 case 0xf2: /* REPNE/REPNZ */
1042 c->rep_prefix = REPNE_PREFIX;
1044 case 0xf3: /* REP/REPE/REPZ */
1045 c->rep_prefix = REPE_PREFIX;
1051 /* Any legacy prefix after a REX prefix nullifies its effect. */
1060 if (c->rex_prefix & 8)
1061 c->op_bytes = 8; /* REX.W */
1063 /* Opcode byte(s). */
1064 c->d = opcode_table[c->b];
1066 /* Two-byte opcode? */
1069 c->b = insn_fetch(u8, 1, c->eip);
1070 c->d = twobyte_table[c->b];
1075 group = c->d & GroupMask;
1076 c->modrm = insn_fetch(u8, 1, c->eip);
1079 group = (group << 3) + ((c->modrm >> 3) & 7);
1080 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1081 c->d = group2_table[group];
1083 c->d = group_table[group];
1088 DPRINTF("Cannot emulate %02x\n", c->b);
1092 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1095 /* ModRM and SIB bytes. */
1097 rc = decode_modrm(ctxt, ops);
1098 else if (c->d & MemAbs)
1099 rc = decode_abs(ctxt, ops);
1100 if (rc != X86EMUL_CONTINUE)
1103 if (!c->has_seg_override)
1104 set_seg_override(c, VCPU_SREG_DS);
1106 if (!(!c->twobyte && c->b == 0x8d))
1107 c->modrm_ea += seg_override_base(ctxt, ops, c);
1109 if (c->ad_bytes != 8)
1110 c->modrm_ea = (u32)c->modrm_ea;
1112 if (c->rip_relative)
1113 c->modrm_ea += c->eip;
1116 * Decode and fetch the source operand: register, memory
1119 switch (c->d & SrcMask) {
1123 decode_register_operand(&c->src, c, 0);
1132 c->src.bytes = (c->d & ByteOp) ? 1 :
1134 /* Don't fetch the address for invlpg: it could be unmapped. */
1135 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1139 * For instructions with a ModR/M byte, switch to register
1140 * access if Mod = 3.
1142 if ((c->d & ModRM) && c->modrm_mod == 3) {
1143 c->src.type = OP_REG;
1144 c->src.val = c->modrm_val;
1145 c->src.ptr = c->modrm_ptr;
1148 c->src.type = OP_MEM;
1149 c->src.ptr = (unsigned long *)c->modrm_ea;
1154 c->src.type = OP_IMM;
1155 c->src.ptr = (unsigned long *)c->eip;
1156 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1157 if (c->src.bytes == 8)
1159 /* NB. Immediates are sign-extended as necessary. */
1160 switch (c->src.bytes) {
1162 c->src.val = insn_fetch(s8, 1, c->eip);
1165 c->src.val = insn_fetch(s16, 2, c->eip);
1168 c->src.val = insn_fetch(s32, 4, c->eip);
1171 if ((c->d & SrcMask) == SrcImmU) {
1172 switch (c->src.bytes) {
1177 c->src.val &= 0xffff;
1180 c->src.val &= 0xffffffff;
1187 c->src.type = OP_IMM;
1188 c->src.ptr = (unsigned long *)c->eip;
1190 if ((c->d & SrcMask) == SrcImmByte)
1191 c->src.val = insn_fetch(s8, 1, c->eip);
1193 c->src.val = insn_fetch(u8, 1, c->eip);
1196 c->src.type = OP_REG;
1197 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1198 c->src.ptr = &c->regs[VCPU_REGS_RAX];
1199 switch (c->src.bytes) {
1201 c->src.val = *(u8 *)c->src.ptr;
1204 c->src.val = *(u16 *)c->src.ptr;
1207 c->src.val = *(u32 *)c->src.ptr;
1210 c->src.val = *(u64 *)c->src.ptr;
1219 c->src.type = OP_MEM;
1220 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1221 c->src.ptr = (unsigned long *)
1222 register_address(c, seg_override_base(ctxt, ops, c),
1223 c->regs[VCPU_REGS_RSI]);
1227 c->src.type = OP_IMM;
1228 c->src.ptr = (unsigned long *)c->eip;
1229 c->src.bytes = c->op_bytes + 2;
1230 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
1233 c->src.type = OP_MEM;
1234 c->src.ptr = (unsigned long *)c->modrm_ea;
1235 c->src.bytes = c->op_bytes + 2;
1240 * Decode and fetch the second source operand: register, memory
1243 switch (c->d & Src2Mask) {
1248 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1251 c->src2.type = OP_IMM;
1252 c->src2.ptr = (unsigned long *)c->eip;
1254 c->src2.val = insn_fetch(u8, 1, c->eip);
1262 /* Decode and fetch the destination operand: register or memory. */
1263 switch (c->d & DstMask) {
1265 /* Special instructions do their own operand decoding. */
1268 decode_register_operand(&c->dst, c,
1269 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1273 if ((c->d & ModRM) && c->modrm_mod == 3) {
1274 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1275 c->dst.type = OP_REG;
1276 c->dst.val = c->dst.orig_val = c->modrm_val;
1277 c->dst.ptr = c->modrm_ptr;
1280 c->dst.type = OP_MEM;
1281 c->dst.ptr = (unsigned long *)c->modrm_ea;
1282 if ((c->d & DstMask) == DstMem64)
1285 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1288 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1290 c->dst.ptr = (void *)c->dst.ptr +
1291 (c->src.val & mask) / 8;
1295 c->dst.type = OP_REG;
1296 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1297 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1298 switch (c->dst.bytes) {
1300 c->dst.val = *(u8 *)c->dst.ptr;
1303 c->dst.val = *(u16 *)c->dst.ptr;
1306 c->dst.val = *(u32 *)c->dst.ptr;
1309 c->dst.val = *(u64 *)c->dst.ptr;
1312 c->dst.orig_val = c->dst.val;
1315 c->dst.type = OP_MEM;
1316 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1317 c->dst.ptr = (unsigned long *)
1318 register_address(c, es_base(ctxt, ops),
1319 c->regs[VCPU_REGS_RDI]);
1325 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1328 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1329 struct x86_emulate_ops *ops,
1330 unsigned long addr, void *dest, unsigned size)
1333 struct read_cache *mc = &ctxt->decode.mem_read;
1337 int n = min(size, 8u);
1339 if (mc->pos < mc->end)
1342 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
1344 if (rc == X86EMUL_PROPAGATE_FAULT)
1345 emulate_pf(ctxt, addr, err);
1346 if (rc != X86EMUL_CONTINUE)
1351 memcpy(dest, mc->data + mc->pos, n);
1356 return X86EMUL_CONTINUE;
1359 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1360 struct x86_emulate_ops *ops,
1361 unsigned int size, unsigned short port,
1364 struct read_cache *rc = &ctxt->decode.io_read;
1366 if (rc->pos == rc->end) { /* refill pio read ahead */
1367 struct decode_cache *c = &ctxt->decode;
1368 unsigned int in_page, n;
1369 unsigned int count = c->rep_prefix ?
1370 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1371 in_page = (ctxt->eflags & EFLG_DF) ?
1372 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1373 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1374 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1378 rc->pos = rc->end = 0;
1379 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1384 memcpy(dest, rc->data + rc->pos, size);
1389 static u32 desc_limit_scaled(struct desc_struct *desc)
1391 u32 limit = get_desc_limit(desc);
1393 return desc->g ? (limit << 12) | 0xfff : limit;
1396 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1397 struct x86_emulate_ops *ops,
1398 u16 selector, struct desc_ptr *dt)
1400 if (selector & 1 << 2) {
1401 struct desc_struct desc;
1402 memset (dt, 0, sizeof *dt);
1403 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1406 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1407 dt->address = get_desc_base(&desc);
1409 ops->get_gdt(dt, ctxt->vcpu);
1412 /* allowed just for 8 bytes segments */
1413 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1414 struct x86_emulate_ops *ops,
1415 u16 selector, struct desc_struct *desc)
1418 u16 index = selector >> 3;
1423 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1425 if (dt.size < index * 8 + 7) {
1426 emulate_gp(ctxt, selector & 0xfffc);
1427 return X86EMUL_PROPAGATE_FAULT;
1429 addr = dt.address + index * 8;
1430 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1431 if (ret == X86EMUL_PROPAGATE_FAULT)
1432 emulate_pf(ctxt, addr, err);
1437 /* allowed just for 8 bytes segments */
1438 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1439 struct x86_emulate_ops *ops,
1440 u16 selector, struct desc_struct *desc)
1443 u16 index = selector >> 3;
1448 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1450 if (dt.size < index * 8 + 7) {
1451 emulate_gp(ctxt, selector & 0xfffc);
1452 return X86EMUL_PROPAGATE_FAULT;
1455 addr = dt.address + index * 8;
1456 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1457 if (ret == X86EMUL_PROPAGATE_FAULT)
1458 emulate_pf(ctxt, addr, err);
1463 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1464 struct x86_emulate_ops *ops,
1465 u16 selector, int seg)
1467 struct desc_struct seg_desc;
1469 unsigned err_vec = GP_VECTOR;
1471 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1474 memset(&seg_desc, 0, sizeof seg_desc);
1476 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1477 || ctxt->mode == X86EMUL_MODE_REAL) {
1478 /* set real mode segment descriptor */
1479 set_desc_base(&seg_desc, selector << 4);
1480 set_desc_limit(&seg_desc, 0xffff);
1487 /* NULL selector is not valid for TR, CS and SS */
1488 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1492 /* TR should be in GDT only */
1493 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1496 if (null_selector) /* for NULL selector skip all following checks */
1499 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1500 if (ret != X86EMUL_CONTINUE)
1503 err_code = selector & 0xfffc;
1504 err_vec = GP_VECTOR;
1506 /* can't load system descriptor into segment selecor */
1507 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1511 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1517 cpl = ops->cpl(ctxt->vcpu);
1522 * segment is not a writable data segment or segment
1523 * selector's RPL != CPL or segment selector's RPL != CPL
1525 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1529 if (!(seg_desc.type & 8))
1532 if (seg_desc.type & 4) {
1538 if (rpl > cpl || dpl != cpl)
1541 /* CS(RPL) <- CPL */
1542 selector = (selector & 0xfffc) | cpl;
1545 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1548 case VCPU_SREG_LDTR:
1549 if (seg_desc.s || seg_desc.type != 2)
1552 default: /* DS, ES, FS, or GS */
1554 * segment is not a data or readable code segment or
1555 * ((segment is a data or nonconforming code segment)
1556 * and (both RPL and CPL > DPL))
1558 if ((seg_desc.type & 0xa) == 0x8 ||
1559 (((seg_desc.type & 0xc) != 0xc) &&
1560 (rpl > dpl && cpl > dpl)))
1566 /* mark segment as accessed */
1568 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1569 if (ret != X86EMUL_CONTINUE)
1573 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1574 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1575 return X86EMUL_CONTINUE;
1577 emulate_exception(ctxt, err_vec, err_code, true);
1578 return X86EMUL_PROPAGATE_FAULT;
1581 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1582 struct x86_emulate_ops *ops)
1585 struct decode_cache *c = &ctxt->decode;
1588 switch (c->dst.type) {
1590 /* The 4-byte case *is* correct:
1591 * in 64-bit mode we zero-extend.
1593 switch (c->dst.bytes) {
1595 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1598 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1601 *c->dst.ptr = (u32)c->dst.val;
1602 break; /* 64b: zero-ext */
1604 *c->dst.ptr = c->dst.val;
1610 rc = ops->cmpxchg_emulated(
1611 (unsigned long)c->dst.ptr,
1618 rc = ops->write_emulated(
1619 (unsigned long)c->dst.ptr,
1624 if (rc == X86EMUL_PROPAGATE_FAULT)
1626 (unsigned long)c->dst.ptr, err);
1627 if (rc != X86EMUL_CONTINUE)
1636 return X86EMUL_CONTINUE;
1639 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1640 struct x86_emulate_ops *ops)
1642 struct decode_cache *c = &ctxt->decode;
1644 c->dst.type = OP_MEM;
1645 c->dst.bytes = c->op_bytes;
1646 c->dst.val = c->src.val;
1647 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1648 c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1649 c->regs[VCPU_REGS_RSP]);
1652 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1653 struct x86_emulate_ops *ops,
1654 void *dest, int len)
1656 struct decode_cache *c = &ctxt->decode;
1659 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1660 c->regs[VCPU_REGS_RSP]),
1662 if (rc != X86EMUL_CONTINUE)
1665 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1669 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1670 struct x86_emulate_ops *ops,
1671 void *dest, int len)
1674 unsigned long val, change_mask;
1675 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1676 int cpl = ops->cpl(ctxt->vcpu);
1678 rc = emulate_pop(ctxt, ops, &val, len);
1679 if (rc != X86EMUL_CONTINUE)
1682 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1683 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1685 switch(ctxt->mode) {
1686 case X86EMUL_MODE_PROT64:
1687 case X86EMUL_MODE_PROT32:
1688 case X86EMUL_MODE_PROT16:
1690 change_mask |= EFLG_IOPL;
1692 change_mask |= EFLG_IF;
1694 case X86EMUL_MODE_VM86:
1696 emulate_gp(ctxt, 0);
1697 return X86EMUL_PROPAGATE_FAULT;
1699 change_mask |= EFLG_IF;
1701 default: /* real mode */
1702 change_mask |= (EFLG_IOPL | EFLG_IF);
1706 *(unsigned long *)dest =
1707 (ctxt->eflags & ~change_mask) | (val & change_mask);
1712 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1713 struct x86_emulate_ops *ops, int seg)
1715 struct decode_cache *c = &ctxt->decode;
1717 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1719 emulate_push(ctxt, ops);
1722 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1723 struct x86_emulate_ops *ops, int seg)
1725 struct decode_cache *c = &ctxt->decode;
1726 unsigned long selector;
1729 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1730 if (rc != X86EMUL_CONTINUE)
1733 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1737 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1738 struct x86_emulate_ops *ops)
1740 struct decode_cache *c = &ctxt->decode;
1741 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1742 int rc = X86EMUL_CONTINUE;
1743 int reg = VCPU_REGS_RAX;
1745 while (reg <= VCPU_REGS_RDI) {
1746 (reg == VCPU_REGS_RSP) ?
1747 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1749 emulate_push(ctxt, ops);
1751 rc = writeback(ctxt, ops);
1752 if (rc != X86EMUL_CONTINUE)
1758 /* Disable writeback. */
1759 c->dst.type = OP_NONE;
1764 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1765 struct x86_emulate_ops *ops)
1767 struct decode_cache *c = &ctxt->decode;
1768 int rc = X86EMUL_CONTINUE;
1769 int reg = VCPU_REGS_RDI;
1771 while (reg >= VCPU_REGS_RAX) {
1772 if (reg == VCPU_REGS_RSP) {
1773 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1778 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1779 if (rc != X86EMUL_CONTINUE)
1786 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1787 struct x86_emulate_ops *ops)
1789 struct decode_cache *c = &ctxt->decode;
1791 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1794 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1796 struct decode_cache *c = &ctxt->decode;
1797 switch (c->modrm_reg) {
1799 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1802 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1805 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1808 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1810 case 4: /* sal/shl */
1811 case 6: /* sal/shl */
1812 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1815 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1818 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1823 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1824 struct x86_emulate_ops *ops)
1826 struct decode_cache *c = &ctxt->decode;
1828 switch (c->modrm_reg) {
1829 case 0 ... 1: /* test */
1830 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1833 c->dst.val = ~c->dst.val;
1836 emulate_1op("neg", c->dst, ctxt->eflags);
1844 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1845 struct x86_emulate_ops *ops)
1847 struct decode_cache *c = &ctxt->decode;
1849 switch (c->modrm_reg) {
1851 emulate_1op("inc", c->dst, ctxt->eflags);
1854 emulate_1op("dec", c->dst, ctxt->eflags);
1856 case 2: /* call near abs */ {
1859 c->eip = c->src.val;
1860 c->src.val = old_eip;
1861 emulate_push(ctxt, ops);
1864 case 4: /* jmp abs */
1865 c->eip = c->src.val;
1868 emulate_push(ctxt, ops);
1871 return X86EMUL_CONTINUE;
1874 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1875 struct x86_emulate_ops *ops)
1877 struct decode_cache *c = &ctxt->decode;
1878 u64 old = c->dst.orig_val64;
1880 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1881 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1882 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1883 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1884 ctxt->eflags &= ~EFLG_ZF;
1886 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1887 (u32) c->regs[VCPU_REGS_RBX];
1889 ctxt->eflags |= EFLG_ZF;
1891 return X86EMUL_CONTINUE;
1894 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1895 struct x86_emulate_ops *ops)
1897 struct decode_cache *c = &ctxt->decode;
1901 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1902 if (rc != X86EMUL_CONTINUE)
1904 if (c->op_bytes == 4)
1905 c->eip = (u32)c->eip;
1906 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1907 if (rc != X86EMUL_CONTINUE)
1909 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1914 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1915 struct x86_emulate_ops *ops, struct desc_struct *cs,
1916 struct desc_struct *ss)
1918 memset(cs, 0, sizeof(struct desc_struct));
1919 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1920 memset(ss, 0, sizeof(struct desc_struct));
1922 cs->l = 0; /* will be adjusted later */
1923 set_desc_base(cs, 0); /* flat segment */
1924 cs->g = 1; /* 4kb granularity */
1925 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1926 cs->type = 0x0b; /* Read, Execute, Accessed */
1928 cs->dpl = 0; /* will be adjusted later */
1932 set_desc_base(ss, 0); /* flat segment */
1933 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1934 ss->g = 1; /* 4kb granularity */
1936 ss->type = 0x03; /* Read/Write, Accessed */
1937 ss->d = 1; /* 32bit stack segment */
1943 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1945 struct decode_cache *c = &ctxt->decode;
1946 struct desc_struct cs, ss;
1950 /* syscall is not available in real mode */
1951 if (ctxt->mode == X86EMUL_MODE_REAL ||
1952 ctxt->mode == X86EMUL_MODE_VM86) {
1954 return X86EMUL_PROPAGATE_FAULT;
1957 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1959 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1961 cs_sel = (u16)(msr_data & 0xfffc);
1962 ss_sel = (u16)(msr_data + 8);
1964 if (is_long_mode(ctxt->vcpu)) {
1968 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1969 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1970 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1971 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1973 c->regs[VCPU_REGS_RCX] = c->eip;
1974 if (is_long_mode(ctxt->vcpu)) {
1975 #ifdef CONFIG_X86_64
1976 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1978 ops->get_msr(ctxt->vcpu,
1979 ctxt->mode == X86EMUL_MODE_PROT64 ?
1980 MSR_LSTAR : MSR_CSTAR, &msr_data);
1983 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1984 ctxt->eflags &= ~(msr_data | EFLG_RF);
1988 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1989 c->eip = (u32)msr_data;
1991 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1994 return X86EMUL_CONTINUE;
1998 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2000 struct decode_cache *c = &ctxt->decode;
2001 struct desc_struct cs, ss;
2005 /* inject #GP if in real mode */
2006 if (ctxt->mode == X86EMUL_MODE_REAL) {
2007 emulate_gp(ctxt, 0);
2008 return X86EMUL_PROPAGATE_FAULT;
2011 /* XXX sysenter/sysexit have not been tested in 64bit mode.
2012 * Therefore, we inject an #UD.
2014 if (ctxt->mode == X86EMUL_MODE_PROT64) {
2016 return X86EMUL_PROPAGATE_FAULT;
2019 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2021 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2022 switch (ctxt->mode) {
2023 case X86EMUL_MODE_PROT32:
2024 if ((msr_data & 0xfffc) == 0x0) {
2025 emulate_gp(ctxt, 0);
2026 return X86EMUL_PROPAGATE_FAULT;
2029 case X86EMUL_MODE_PROT64:
2030 if (msr_data == 0x0) {
2031 emulate_gp(ctxt, 0);
2032 return X86EMUL_PROPAGATE_FAULT;
2037 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2038 cs_sel = (u16)msr_data;
2039 cs_sel &= ~SELECTOR_RPL_MASK;
2040 ss_sel = cs_sel + 8;
2041 ss_sel &= ~SELECTOR_RPL_MASK;
2042 if (ctxt->mode == X86EMUL_MODE_PROT64
2043 || is_long_mode(ctxt->vcpu)) {
2048 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2049 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2050 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2051 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2053 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
2056 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
2057 c->regs[VCPU_REGS_RSP] = msr_data;
2059 return X86EMUL_CONTINUE;
2063 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2065 struct decode_cache *c = &ctxt->decode;
2066 struct desc_struct cs, ss;
2071 /* inject #GP if in real mode or Virtual 8086 mode */
2072 if (ctxt->mode == X86EMUL_MODE_REAL ||
2073 ctxt->mode == X86EMUL_MODE_VM86) {
2074 emulate_gp(ctxt, 0);
2075 return X86EMUL_PROPAGATE_FAULT;
2078 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2080 if ((c->rex_prefix & 0x8) != 0x0)
2081 usermode = X86EMUL_MODE_PROT64;
2083 usermode = X86EMUL_MODE_PROT32;
2087 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2089 case X86EMUL_MODE_PROT32:
2090 cs_sel = (u16)(msr_data + 16);
2091 if ((msr_data & 0xfffc) == 0x0) {
2092 emulate_gp(ctxt, 0);
2093 return X86EMUL_PROPAGATE_FAULT;
2095 ss_sel = (u16)(msr_data + 24);
2097 case X86EMUL_MODE_PROT64:
2098 cs_sel = (u16)(msr_data + 32);
2099 if (msr_data == 0x0) {
2100 emulate_gp(ctxt, 0);
2101 return X86EMUL_PROPAGATE_FAULT;
2103 ss_sel = cs_sel + 8;
2108 cs_sel |= SELECTOR_RPL_MASK;
2109 ss_sel |= SELECTOR_RPL_MASK;
2111 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2112 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2113 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2114 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2116 c->eip = c->regs[VCPU_REGS_RDX];
2117 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
2119 return X86EMUL_CONTINUE;
2122 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
2123 struct x86_emulate_ops *ops)
2126 if (ctxt->mode == X86EMUL_MODE_REAL)
2128 if (ctxt->mode == X86EMUL_MODE_VM86)
2130 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2131 return ops->cpl(ctxt->vcpu) > iopl;
2134 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2135 struct x86_emulate_ops *ops,
2138 struct desc_struct tr_seg;
2141 u8 perm, bit_idx = port & 0x7;
2142 unsigned mask = (1 << len) - 1;
2144 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
2147 if (desc_limit_scaled(&tr_seg) < 103)
2149 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
2151 if (r != X86EMUL_CONTINUE)
2153 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2155 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
2156 &perm, 1, ctxt->vcpu, NULL);
2157 if (r != X86EMUL_CONTINUE)
2159 if ((perm >> bit_idx) & mask)
2164 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2165 struct x86_emulate_ops *ops,
2168 if (emulator_bad_iopl(ctxt, ops))
2169 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2174 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2175 struct x86_emulate_ops *ops,
2176 struct tss_segment_16 *tss)
2178 struct decode_cache *c = &ctxt->decode;
2181 tss->flag = ctxt->eflags;
2182 tss->ax = c->regs[VCPU_REGS_RAX];
2183 tss->cx = c->regs[VCPU_REGS_RCX];
2184 tss->dx = c->regs[VCPU_REGS_RDX];
2185 tss->bx = c->regs[VCPU_REGS_RBX];
2186 tss->sp = c->regs[VCPU_REGS_RSP];
2187 tss->bp = c->regs[VCPU_REGS_RBP];
2188 tss->si = c->regs[VCPU_REGS_RSI];
2189 tss->di = c->regs[VCPU_REGS_RDI];
2191 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2192 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2193 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2194 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2195 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2198 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2199 struct x86_emulate_ops *ops,
2200 struct tss_segment_16 *tss)
2202 struct decode_cache *c = &ctxt->decode;
2206 ctxt->eflags = tss->flag | 2;
2207 c->regs[VCPU_REGS_RAX] = tss->ax;
2208 c->regs[VCPU_REGS_RCX] = tss->cx;
2209 c->regs[VCPU_REGS_RDX] = tss->dx;
2210 c->regs[VCPU_REGS_RBX] = tss->bx;
2211 c->regs[VCPU_REGS_RSP] = tss->sp;
2212 c->regs[VCPU_REGS_RBP] = tss->bp;
2213 c->regs[VCPU_REGS_RSI] = tss->si;
2214 c->regs[VCPU_REGS_RDI] = tss->di;
2217 * SDM says that segment selectors are loaded before segment
2220 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2221 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2222 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2223 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2224 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2227 * Now load segment descriptors. If fault happenes at this stage
2228 * it is handled in a context of new task
2230 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2231 if (ret != X86EMUL_CONTINUE)
2233 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2234 if (ret != X86EMUL_CONTINUE)
2236 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2237 if (ret != X86EMUL_CONTINUE)
2239 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2240 if (ret != X86EMUL_CONTINUE)
2242 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2243 if (ret != X86EMUL_CONTINUE)
2246 return X86EMUL_CONTINUE;
2249 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2250 struct x86_emulate_ops *ops,
2251 u16 tss_selector, u16 old_tss_sel,
2252 ulong old_tss_base, struct desc_struct *new_desc)
2254 struct tss_segment_16 tss_seg;
2256 u32 err, new_tss_base = get_desc_base(new_desc);
2258 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2260 if (ret == X86EMUL_PROPAGATE_FAULT) {
2261 /* FIXME: need to provide precise fault address */
2262 emulate_pf(ctxt, old_tss_base, err);
2266 save_state_to_tss16(ctxt, ops, &tss_seg);
2268 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2270 if (ret == X86EMUL_PROPAGATE_FAULT) {
2271 /* FIXME: need to provide precise fault address */
2272 emulate_pf(ctxt, old_tss_base, err);
2276 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2278 if (ret == X86EMUL_PROPAGATE_FAULT) {
2279 /* FIXME: need to provide precise fault address */
2280 emulate_pf(ctxt, new_tss_base, err);
2284 if (old_tss_sel != 0xffff) {
2285 tss_seg.prev_task_link = old_tss_sel;
2287 ret = ops->write_std(new_tss_base,
2288 &tss_seg.prev_task_link,
2289 sizeof tss_seg.prev_task_link,
2291 if (ret == X86EMUL_PROPAGATE_FAULT) {
2292 /* FIXME: need to provide precise fault address */
2293 emulate_pf(ctxt, new_tss_base, err);
2298 return load_state_from_tss16(ctxt, ops, &tss_seg);
2301 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2302 struct x86_emulate_ops *ops,
2303 struct tss_segment_32 *tss)
2305 struct decode_cache *c = &ctxt->decode;
2307 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2309 tss->eflags = ctxt->eflags;
2310 tss->eax = c->regs[VCPU_REGS_RAX];
2311 tss->ecx = c->regs[VCPU_REGS_RCX];
2312 tss->edx = c->regs[VCPU_REGS_RDX];
2313 tss->ebx = c->regs[VCPU_REGS_RBX];
2314 tss->esp = c->regs[VCPU_REGS_RSP];
2315 tss->ebp = c->regs[VCPU_REGS_RBP];
2316 tss->esi = c->regs[VCPU_REGS_RSI];
2317 tss->edi = c->regs[VCPU_REGS_RDI];
2319 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2320 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2321 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2322 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2323 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2324 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2325 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2328 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2329 struct x86_emulate_ops *ops,
2330 struct tss_segment_32 *tss)
2332 struct decode_cache *c = &ctxt->decode;
2335 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2336 emulate_gp(ctxt, 0);
2337 return X86EMUL_PROPAGATE_FAULT;
2340 ctxt->eflags = tss->eflags | 2;
2341 c->regs[VCPU_REGS_RAX] = tss->eax;
2342 c->regs[VCPU_REGS_RCX] = tss->ecx;
2343 c->regs[VCPU_REGS_RDX] = tss->edx;
2344 c->regs[VCPU_REGS_RBX] = tss->ebx;
2345 c->regs[VCPU_REGS_RSP] = tss->esp;
2346 c->regs[VCPU_REGS_RBP] = tss->ebp;
2347 c->regs[VCPU_REGS_RSI] = tss->esi;
2348 c->regs[VCPU_REGS_RDI] = tss->edi;
2351 * SDM says that segment selectors are loaded before segment
2354 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2355 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2356 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2357 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2358 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2359 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2360 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2363 * Now load segment descriptors. If fault happenes at this stage
2364 * it is handled in a context of new task
2366 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2367 if (ret != X86EMUL_CONTINUE)
2369 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2370 if (ret != X86EMUL_CONTINUE)
2372 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2373 if (ret != X86EMUL_CONTINUE)
2375 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2376 if (ret != X86EMUL_CONTINUE)
2378 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2379 if (ret != X86EMUL_CONTINUE)
2381 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2382 if (ret != X86EMUL_CONTINUE)
2384 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2385 if (ret != X86EMUL_CONTINUE)
2388 return X86EMUL_CONTINUE;
2391 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2392 struct x86_emulate_ops *ops,
2393 u16 tss_selector, u16 old_tss_sel,
2394 ulong old_tss_base, struct desc_struct *new_desc)
2396 struct tss_segment_32 tss_seg;
2398 u32 err, new_tss_base = get_desc_base(new_desc);
2400 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2402 if (ret == X86EMUL_PROPAGATE_FAULT) {
2403 /* FIXME: need to provide precise fault address */
2404 emulate_pf(ctxt, old_tss_base, err);
2408 save_state_to_tss32(ctxt, ops, &tss_seg);
2410 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2412 if (ret == X86EMUL_PROPAGATE_FAULT) {
2413 /* FIXME: need to provide precise fault address */
2414 emulate_pf(ctxt, old_tss_base, err);
2418 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2420 if (ret == X86EMUL_PROPAGATE_FAULT) {
2421 /* FIXME: need to provide precise fault address */
2422 emulate_pf(ctxt, new_tss_base, err);
2426 if (old_tss_sel != 0xffff) {
2427 tss_seg.prev_task_link = old_tss_sel;
2429 ret = ops->write_std(new_tss_base,
2430 &tss_seg.prev_task_link,
2431 sizeof tss_seg.prev_task_link,
2433 if (ret == X86EMUL_PROPAGATE_FAULT) {
2434 /* FIXME: need to provide precise fault address */
2435 emulate_pf(ctxt, new_tss_base, err);
2440 return load_state_from_tss32(ctxt, ops, &tss_seg);
2443 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2444 struct x86_emulate_ops *ops,
2445 u16 tss_selector, int reason,
2446 bool has_error_code, u32 error_code)
2448 struct desc_struct curr_tss_desc, next_tss_desc;
2450 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2451 ulong old_tss_base =
2452 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2455 /* FIXME: old_tss_base == ~0 ? */
2457 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2458 if (ret != X86EMUL_CONTINUE)
2460 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2461 if (ret != X86EMUL_CONTINUE)
2464 /* FIXME: check that next_tss_desc is tss */
2466 if (reason != TASK_SWITCH_IRET) {
2467 if ((tss_selector & 3) > next_tss_desc.dpl ||
2468 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2469 emulate_gp(ctxt, 0);
2470 return X86EMUL_PROPAGATE_FAULT;
2474 desc_limit = desc_limit_scaled(&next_tss_desc);
2475 if (!next_tss_desc.p ||
2476 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2477 desc_limit < 0x2b)) {
2478 emulate_ts(ctxt, tss_selector & 0xfffc);
2479 return X86EMUL_PROPAGATE_FAULT;
2482 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2483 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2484 write_segment_descriptor(ctxt, ops, old_tss_sel,
2488 if (reason == TASK_SWITCH_IRET)
2489 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2491 /* set back link to prev task only if NT bit is set in eflags
2492 note that old_tss_sel is not used afetr this point */
2493 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2494 old_tss_sel = 0xffff;
2496 if (next_tss_desc.type & 8)
2497 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2498 old_tss_base, &next_tss_desc);
2500 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2501 old_tss_base, &next_tss_desc);
2502 if (ret != X86EMUL_CONTINUE)
2505 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2506 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2508 if (reason != TASK_SWITCH_IRET) {
2509 next_tss_desc.type |= (1 << 1); /* set busy flag */
2510 write_segment_descriptor(ctxt, ops, tss_selector,
2514 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2515 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2516 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2518 if (has_error_code) {
2519 struct decode_cache *c = &ctxt->decode;
2521 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2523 c->src.val = (unsigned long) error_code;
2524 emulate_push(ctxt, ops);
2530 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2531 struct x86_emulate_ops *ops,
2532 u16 tss_selector, int reason,
2533 bool has_error_code, u32 error_code)
2535 struct decode_cache *c = &ctxt->decode;
2539 c->dst.type = OP_NONE;
2541 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2542 has_error_code, error_code);
2544 if (rc == X86EMUL_CONTINUE) {
2545 rc = writeback(ctxt, ops);
2546 if (rc == X86EMUL_CONTINUE)
2550 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2553 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2554 int reg, struct operand *op)
2556 struct decode_cache *c = &ctxt->decode;
2557 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2559 register_address_increment(c, &c->regs[reg], df * op->bytes);
2560 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2564 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2567 struct decode_cache *c = &ctxt->decode;
2568 int rc = X86EMUL_CONTINUE;
2569 int saved_dst_type = c->dst.type;
2571 ctxt->decode.mem_read.pos = 0;
2573 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2578 /* LOCK prefix is allowed only with some instructions */
2579 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2584 /* Privileged instruction can be executed only in CPL=0 */
2585 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2586 emulate_gp(ctxt, 0);
2590 if (c->rep_prefix && (c->d & String)) {
2591 ctxt->restart = true;
2592 /* All REP prefixes have the same first termination condition */
2593 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2595 ctxt->restart = false;
2599 /* The second termination condition only applies for REPE
2600 * and REPNE. Test if the repeat string operation prefix is
2601 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2602 * corresponding termination condition according to:
2603 * - if REPE/REPZ and ZF = 0 then done
2604 * - if REPNE/REPNZ and ZF = 1 then done
2606 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2607 (c->b == 0xae) || (c->b == 0xaf)) {
2608 if ((c->rep_prefix == REPE_PREFIX) &&
2609 ((ctxt->eflags & EFLG_ZF) == 0))
2611 if ((c->rep_prefix == REPNE_PREFIX) &&
2612 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2618 if (c->src.type == OP_MEM) {
2619 rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2620 c->src.valptr, c->src.bytes);
2621 if (rc != X86EMUL_CONTINUE)
2623 c->src.orig_val64 = c->src.val64;
2626 if (c->src2.type == OP_MEM) {
2627 rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
2628 &c->src2.val, c->src2.bytes);
2629 if (rc != X86EMUL_CONTINUE)
2633 if ((c->d & DstMask) == ImplicitOps)
2637 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2638 /* optimisation - avoid slow emulated read if Mov */
2639 rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
2640 &c->dst.val, c->dst.bytes);
2641 if (rc != X86EMUL_CONTINUE)
2644 c->dst.orig_val = c->dst.val;
2654 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2656 case 0x06: /* push es */
2657 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2659 case 0x07: /* pop es */
2660 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2661 if (rc != X86EMUL_CONTINUE)
2666 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2668 case 0x0e: /* push cs */
2669 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2673 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2675 case 0x16: /* push ss */
2676 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2678 case 0x17: /* pop ss */
2679 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2680 if (rc != X86EMUL_CONTINUE)
2685 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2687 case 0x1e: /* push ds */
2688 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2690 case 0x1f: /* pop ds */
2691 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2692 if (rc != X86EMUL_CONTINUE)
2697 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2701 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2705 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2709 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2711 case 0x40 ... 0x47: /* inc r16/r32 */
2712 emulate_1op("inc", c->dst, ctxt->eflags);
2714 case 0x48 ... 0x4f: /* dec r16/r32 */
2715 emulate_1op("dec", c->dst, ctxt->eflags);
2717 case 0x50 ... 0x57: /* push reg */
2718 emulate_push(ctxt, ops);
2720 case 0x58 ... 0x5f: /* pop reg */
2722 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2723 if (rc != X86EMUL_CONTINUE)
2726 case 0x60: /* pusha */
2727 rc = emulate_pusha(ctxt, ops);
2728 if (rc != X86EMUL_CONTINUE)
2731 case 0x61: /* popa */
2732 rc = emulate_popa(ctxt, ops);
2733 if (rc != X86EMUL_CONTINUE)
2736 case 0x63: /* movsxd */
2737 if (ctxt->mode != X86EMUL_MODE_PROT64)
2738 goto cannot_emulate;
2739 c->dst.val = (s32) c->src.val;
2741 case 0x68: /* push imm */
2742 case 0x6a: /* push imm8 */
2743 emulate_push(ctxt, ops);
2745 case 0x6c: /* insb */
2746 case 0x6d: /* insw/insd */
2747 c->dst.bytes = min(c->dst.bytes, 4u);
2748 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2750 emulate_gp(ctxt, 0);
2753 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2754 c->regs[VCPU_REGS_RDX], &c->dst.val))
2755 goto done; /* IO is needed, skip writeback */
2757 case 0x6e: /* outsb */
2758 case 0x6f: /* outsw/outsd */
2759 c->src.bytes = min(c->src.bytes, 4u);
2760 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2762 emulate_gp(ctxt, 0);
2765 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2766 &c->src.val, 1, ctxt->vcpu);
2768 c->dst.type = OP_NONE; /* nothing to writeback */
2770 case 0x70 ... 0x7f: /* jcc (short) */
2771 if (test_cc(c->b, ctxt->eflags))
2772 jmp_rel(c, c->src.val);
2774 case 0x80 ... 0x83: /* Grp1 */
2775 switch (c->modrm_reg) {
2796 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2798 case 0x86 ... 0x87: /* xchg */
2800 /* Write back the register source. */
2801 switch (c->dst.bytes) {
2803 *(u8 *) c->src.ptr = (u8) c->dst.val;
2806 *(u16 *) c->src.ptr = (u16) c->dst.val;
2809 *c->src.ptr = (u32) c->dst.val;
2810 break; /* 64b reg: zero-extend */
2812 *c->src.ptr = c->dst.val;
2816 * Write back the memory destination with implicit LOCK
2819 c->dst.val = c->src.val;
2822 case 0x88 ... 0x8b: /* mov */
2824 case 0x8c: /* mov r/m, sreg */
2825 if (c->modrm_reg > VCPU_SREG_GS) {
2829 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2831 case 0x8d: /* lea r16/r32, m */
2832 c->dst.val = c->modrm_ea;
2834 case 0x8e: { /* mov seg, r/m16 */
2839 if (c->modrm_reg == VCPU_SREG_CS ||
2840 c->modrm_reg > VCPU_SREG_GS) {
2845 if (c->modrm_reg == VCPU_SREG_SS)
2846 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2848 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2850 c->dst.type = OP_NONE; /* Disable writeback. */
2853 case 0x8f: /* pop (sole member of Grp1a) */
2854 rc = emulate_grp1a(ctxt, ops);
2855 if (rc != X86EMUL_CONTINUE)
2858 case 0x90: /* nop / xchg r8,rax */
2859 if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
2860 c->dst.type = OP_NONE; /* nop */
2863 case 0x91 ... 0x97: /* xchg reg,rax */
2864 c->src.type = OP_REG;
2865 c->src.bytes = c->op_bytes;
2866 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2867 c->src.val = *(c->src.ptr);
2869 case 0x9c: /* pushf */
2870 c->src.val = (unsigned long) ctxt->eflags;
2871 emulate_push(ctxt, ops);
2873 case 0x9d: /* popf */
2874 c->dst.type = OP_REG;
2875 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2876 c->dst.bytes = c->op_bytes;
2877 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2878 if (rc != X86EMUL_CONTINUE)
2881 case 0xa0 ... 0xa3: /* mov */
2882 case 0xa4 ... 0xa5: /* movs */
2884 case 0xa6 ... 0xa7: /* cmps */
2885 c->dst.type = OP_NONE; /* Disable writeback. */
2886 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2888 case 0xa8 ... 0xa9: /* test ax, imm */
2890 case 0xaa ... 0xab: /* stos */
2891 c->dst.val = c->regs[VCPU_REGS_RAX];
2893 case 0xac ... 0xad: /* lods */
2895 case 0xae ... 0xaf: /* scas */
2896 DPRINTF("Urk! I don't handle SCAS.\n");
2897 goto cannot_emulate;
2898 case 0xb0 ... 0xbf: /* mov r, imm */
2903 case 0xc3: /* ret */
2904 c->dst.type = OP_REG;
2905 c->dst.ptr = &c->eip;
2906 c->dst.bytes = c->op_bytes;
2907 goto pop_instruction;
2908 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2910 c->dst.val = c->src.val;
2912 case 0xcb: /* ret far */
2913 rc = emulate_ret_far(ctxt, ops);
2914 if (rc != X86EMUL_CONTINUE)
2917 case 0xd0 ... 0xd1: /* Grp2 */
2921 case 0xd2 ... 0xd3: /* Grp2 */
2922 c->src.val = c->regs[VCPU_REGS_RCX];
2925 case 0xe4: /* inb */
2928 case 0xe6: /* outb */
2929 case 0xe7: /* out */
2931 case 0xe8: /* call (near) */ {
2932 long int rel = c->src.val;
2933 c->src.val = (unsigned long) c->eip;
2935 emulate_push(ctxt, ops);
2938 case 0xe9: /* jmp rel */
2940 case 0xea: { /* jmp far */
2943 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2945 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
2949 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2953 jmp: /* jmp rel short */
2954 jmp_rel(c, c->src.val);
2955 c->dst.type = OP_NONE; /* Disable writeback. */
2957 case 0xec: /* in al,dx */
2958 case 0xed: /* in (e/r)ax,dx */
2959 c->src.val = c->regs[VCPU_REGS_RDX];
2961 c->dst.bytes = min(c->dst.bytes, 4u);
2962 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2963 emulate_gp(ctxt, 0);
2966 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
2968 goto done; /* IO is needed */
2970 case 0xee: /* out dx,al */
2971 case 0xef: /* out dx,(e/r)ax */
2972 c->src.val = c->regs[VCPU_REGS_RDX];
2974 c->dst.bytes = min(c->dst.bytes, 4u);
2975 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2976 emulate_gp(ctxt, 0);
2979 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
2981 c->dst.type = OP_NONE; /* Disable writeback. */
2983 case 0xf4: /* hlt */
2984 ctxt->vcpu->arch.halt_request = 1;
2986 case 0xf5: /* cmc */
2987 /* complement carry flag from eflags reg */
2988 ctxt->eflags ^= EFLG_CF;
2989 c->dst.type = OP_NONE; /* Disable writeback. */
2991 case 0xf6 ... 0xf7: /* Grp3 */
2992 if (!emulate_grp3(ctxt, ops))
2993 goto cannot_emulate;
2995 case 0xf8: /* clc */
2996 ctxt->eflags &= ~EFLG_CF;
2997 c->dst.type = OP_NONE; /* Disable writeback. */
2999 case 0xfa: /* cli */
3000 if (emulator_bad_iopl(ctxt, ops)) {
3001 emulate_gp(ctxt, 0);
3004 ctxt->eflags &= ~X86_EFLAGS_IF;
3005 c->dst.type = OP_NONE; /* Disable writeback. */
3008 case 0xfb: /* sti */
3009 if (emulator_bad_iopl(ctxt, ops)) {
3010 emulate_gp(ctxt, 0);
3013 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3014 ctxt->eflags |= X86_EFLAGS_IF;
3015 c->dst.type = OP_NONE; /* Disable writeback. */
3018 case 0xfc: /* cld */
3019 ctxt->eflags &= ~EFLG_DF;
3020 c->dst.type = OP_NONE; /* Disable writeback. */
3022 case 0xfd: /* std */
3023 ctxt->eflags |= EFLG_DF;
3024 c->dst.type = OP_NONE; /* Disable writeback. */
3026 case 0xfe: /* Grp4 */
3028 rc = emulate_grp45(ctxt, ops);
3029 if (rc != X86EMUL_CONTINUE)
3032 case 0xff: /* Grp5 */
3033 if (c->modrm_reg == 5)
3037 goto cannot_emulate;
3041 rc = writeback(ctxt, ops);
3042 if (rc != X86EMUL_CONTINUE)
3046 * restore dst type in case the decoding will be reused
3047 * (happens for string instruction )
3049 c->dst.type = saved_dst_type;
3051 if ((c->d & SrcMask) == SrcSI)
3052 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3053 VCPU_REGS_RSI, &c->src);
3055 if ((c->d & DstMask) == DstDI)
3056 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3059 if (c->rep_prefix && (c->d & String)) {
3060 struct read_cache *rc = &ctxt->decode.io_read;
3061 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3063 * Re-enter guest when pio read ahead buffer is empty or,
3064 * if it is not used, after each 1024 iteration.
3066 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3067 (rc->end != 0 && rc->end == rc->pos))
3068 ctxt->restart = false;
3071 * reset read cache here in case string instruction is restared
3074 ctxt->decode.mem_read.end = 0;
3078 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3082 case 0x01: /* lgdt, lidt, lmsw */
3083 switch (c->modrm_reg) {
3085 unsigned long address;
3087 case 0: /* vmcall */
3088 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3089 goto cannot_emulate;
3091 rc = kvm_fix_hypercall(ctxt->vcpu);
3092 if (rc != X86EMUL_CONTINUE)
3095 /* Let the processor re-execute the fixed hypercall */
3097 /* Disable writeback. */
3098 c->dst.type = OP_NONE;
3101 rc = read_descriptor(ctxt, ops, c->src.ptr,
3102 &size, &address, c->op_bytes);
3103 if (rc != X86EMUL_CONTINUE)
3105 realmode_lgdt(ctxt->vcpu, size, address);
3106 /* Disable writeback. */
3107 c->dst.type = OP_NONE;
3109 case 3: /* lidt/vmmcall */
3110 if (c->modrm_mod == 3) {
3111 switch (c->modrm_rm) {
3113 rc = kvm_fix_hypercall(ctxt->vcpu);
3114 if (rc != X86EMUL_CONTINUE)
3118 goto cannot_emulate;
3121 rc = read_descriptor(ctxt, ops, c->src.ptr,
3124 if (rc != X86EMUL_CONTINUE)
3126 realmode_lidt(ctxt->vcpu, size, address);
3128 /* Disable writeback. */
3129 c->dst.type = OP_NONE;
3133 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3136 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3137 (c->src.val & 0x0f), ctxt->vcpu);
3138 c->dst.type = OP_NONE;
3140 case 5: /* not defined */
3144 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3145 /* Disable writeback. */
3146 c->dst.type = OP_NONE;
3149 goto cannot_emulate;
3152 case 0x05: /* syscall */
3153 rc = emulate_syscall(ctxt, ops);
3154 if (rc != X86EMUL_CONTINUE)
3160 emulate_clts(ctxt->vcpu);
3161 c->dst.type = OP_NONE;
3163 case 0x09: /* wbinvd */
3164 kvm_emulate_wbinvd(ctxt->vcpu);
3165 c->dst.type = OP_NONE;
3167 case 0x08: /* invd */
3168 case 0x0d: /* GrpP (prefetch) */
3169 case 0x18: /* Grp16 (prefetch/nop) */
3170 c->dst.type = OP_NONE;
3172 case 0x20: /* mov cr, reg */
3173 switch (c->modrm_reg) {
3180 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3181 c->dst.type = OP_NONE; /* no writeback */
3183 case 0x21: /* mov from dr to reg */
3184 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3185 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3189 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3190 c->dst.type = OP_NONE; /* no writeback */
3192 case 0x22: /* mov reg, cr */
3193 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3194 emulate_gp(ctxt, 0);
3197 c->dst.type = OP_NONE;
3199 case 0x23: /* mov from reg to dr */
3200 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3201 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3206 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3207 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3208 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3209 /* #UD condition is already handled by the code above */
3210 emulate_gp(ctxt, 0);
3214 c->dst.type = OP_NONE; /* no writeback */
3218 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3219 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3220 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3221 emulate_gp(ctxt, 0);
3224 rc = X86EMUL_CONTINUE;
3225 c->dst.type = OP_NONE;
3229 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3230 emulate_gp(ctxt, 0);
3233 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3234 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3236 rc = X86EMUL_CONTINUE;
3237 c->dst.type = OP_NONE;
3239 case 0x34: /* sysenter */
3240 rc = emulate_sysenter(ctxt, ops);
3241 if (rc != X86EMUL_CONTINUE)
3246 case 0x35: /* sysexit */
3247 rc = emulate_sysexit(ctxt, ops);
3248 if (rc != X86EMUL_CONTINUE)
3253 case 0x40 ... 0x4f: /* cmov */
3254 c->dst.val = c->dst.orig_val = c->src.val;
3255 if (!test_cc(c->b, ctxt->eflags))
3256 c->dst.type = OP_NONE; /* no writeback */
3258 case 0x80 ... 0x8f: /* jnz rel, etc*/
3259 if (test_cc(c->b, ctxt->eflags))
3260 jmp_rel(c, c->src.val);
3261 c->dst.type = OP_NONE;
3263 case 0xa0: /* push fs */
3264 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3266 case 0xa1: /* pop fs */
3267 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3268 if (rc != X86EMUL_CONTINUE)
3273 c->dst.type = OP_NONE;
3274 /* only subword offset */
3275 c->src.val &= (c->dst.bytes << 3) - 1;
3276 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3278 case 0xa4: /* shld imm8, r, r/m */
3279 case 0xa5: /* shld cl, r, r/m */
3280 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3282 case 0xa8: /* push gs */
3283 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3285 case 0xa9: /* pop gs */
3286 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3287 if (rc != X86EMUL_CONTINUE)
3292 /* only subword offset */
3293 c->src.val &= (c->dst.bytes << 3) - 1;
3294 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3296 case 0xac: /* shrd imm8, r, r/m */
3297 case 0xad: /* shrd cl, r, r/m */
3298 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3300 case 0xae: /* clflush */
3302 case 0xb0 ... 0xb1: /* cmpxchg */
3304 * Save real source value, then compare EAX against
3307 c->src.orig_val = c->src.val;
3308 c->src.val = c->regs[VCPU_REGS_RAX];
3309 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3310 if (ctxt->eflags & EFLG_ZF) {
3311 /* Success: write back to memory. */
3312 c->dst.val = c->src.orig_val;
3314 /* Failure: write the value we saw to EAX. */
3315 c->dst.type = OP_REG;
3316 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3321 /* only subword offset */
3322 c->src.val &= (c->dst.bytes << 3) - 1;
3323 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3325 case 0xb6 ... 0xb7: /* movzx */
3326 c->dst.bytes = c->op_bytes;
3327 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3330 case 0xba: /* Grp8 */
3331 switch (c->modrm_reg & 3) {
3344 /* only subword offset */
3345 c->src.val &= (c->dst.bytes << 3) - 1;
3346 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3348 case 0xbe ... 0xbf: /* movsx */
3349 c->dst.bytes = c->op_bytes;
3350 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3353 case 0xc3: /* movnti */
3354 c->dst.bytes = c->op_bytes;
3355 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3358 case 0xc7: /* Grp9 (cmpxchg8b) */
3359 rc = emulate_grp9(ctxt, ops);
3360 if (rc != X86EMUL_CONTINUE)
3364 goto cannot_emulate;
3369 DPRINTF("Cannot emulate %02x\n", c->b);
git.openpandora.org / pandora-kernel.git / blob