1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstImmUByte (7<<1) /* 8-bit unsigned immediate operand */
58 #define DstMask (7<<1)
59 /* Source operand type. */
60 #define SrcNone (0<<4) /* No source operand. */
61 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
62 #define SrcReg (1<<4) /* Register operand. */
63 #define SrcMem (2<<4) /* Memory operand. */
64 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
65 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
66 #define SrcImm (5<<4) /* Immediate operand. */
67 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
68 #define SrcOne (7<<4) /* Implied '1' */
69 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
70 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
71 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
72 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
73 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
74 #define SrcAcc (0xd<<4) /* Source Accumulator */
75 #define SrcMask (0xf<<4)
76 /* Generic ModRM decode. */
78 /* Destination is only written; never read. */
81 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
82 #define String (1<<12) /* String instruction (rep capable) */
83 #define Stack (1<<13) /* Stack instruction (push/pop) */
84 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
85 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
87 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
88 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
89 #define Undefined (1<<25) /* No Such Instruction */
90 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
91 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
93 /* Source 2 operand type */
94 #define Src2None (0<<29)
95 #define Src2CL (1<<29)
96 #define Src2ImmByte (2<<29)
97 #define Src2One (3<<29)
98 #define Src2Mask (7<<29)
100 #define X2(x...) x, x
101 #define X3(x...) X2(x), x
102 #define X4(x...) X2(x), X2(x)
103 #define X5(x...) X4(x), x
104 #define X6(x...) X4(x), X2(x)
105 #define X7(x...) X4(x), X3(x)
106 #define X8(x...) X4(x), X4(x)
107 #define X16(x...) X8(x), X8(x)
112 int (*execute)(struct x86_emulate_ctxt *ctxt);
113 struct opcode *group;
114 struct group_dual *gdual;
119 struct opcode mod012[8];
120 struct opcode mod3[8];
123 /* EFLAGS bit definitions. */
124 #define EFLG_ID (1<<21)
125 #define EFLG_VIP (1<<20)
126 #define EFLG_VIF (1<<19)
127 #define EFLG_AC (1<<18)
128 #define EFLG_VM (1<<17)
129 #define EFLG_RF (1<<16)
130 #define EFLG_IOPL (3<<12)
131 #define EFLG_NT (1<<14)
132 #define EFLG_OF (1<<11)
133 #define EFLG_DF (1<<10)
134 #define EFLG_IF (1<<9)
135 #define EFLG_TF (1<<8)
136 #define EFLG_SF (1<<7)
137 #define EFLG_ZF (1<<6)
138 #define EFLG_AF (1<<4)
139 #define EFLG_PF (1<<2)
140 #define EFLG_CF (1<<0)
142 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
143 #define EFLG_RESERVED_ONE_MASK 2
146 * Instruction emulation:
147 * Most instructions are emulated directly via a fragment of inline assembly
148 * code. This allows us to save/restore EFLAGS and thus very easily pick up
149 * any modified flags.
152 #if defined(CONFIG_X86_64)
153 #define _LO32 "k" /* force 32-bit operand */
154 #define _STK "%%rsp" /* stack pointer */
155 #elif defined(__i386__)
156 #define _LO32 "" /* force 32-bit operand */
157 #define _STK "%%esp" /* stack pointer */
161 * These EFLAGS bits are restored from saved value during emulation, and
162 * any changes are written back to the saved value after emulation.
164 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
166 /* Before executing instruction: restore necessary bits in EFLAGS. */
167 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
168 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
169 "movl %"_sav",%"_LO32 _tmp"; " \
172 "movl %"_msk",%"_LO32 _tmp"; " \
173 "andl %"_LO32 _tmp",("_STK"); " \
175 "notl %"_LO32 _tmp"; " \
176 "andl %"_LO32 _tmp",("_STK"); " \
177 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
179 "orl %"_LO32 _tmp",("_STK"); " \
183 /* After executing instruction: write-back necessary bits in EFLAGS. */
184 #define _POST_EFLAGS(_sav, _msk, _tmp) \
185 /* _sav |= EFLAGS & _msk; */ \
188 "andl %"_msk",%"_LO32 _tmp"; " \
189 "orl %"_LO32 _tmp",%"_sav"; "
197 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
199 __asm__ __volatile__ ( \
200 _PRE_EFLAGS("0", "4", "2") \
201 _op _suffix " %"_x"3,%1; " \
202 _POST_EFLAGS("0", "4", "2") \
203 : "=m" (_eflags), "=m" ((_dst).val), \
205 : _y ((_src).val), "i" (EFLAGS_MASK)); \
209 /* Raw emulation: instruction has two explicit operands. */
210 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
212 unsigned long _tmp; \
214 switch ((_dst).bytes) { \
216 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
219 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
222 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
227 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
229 unsigned long _tmp; \
230 switch ((_dst).bytes) { \
232 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
235 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
236 _wx, _wy, _lx, _ly, _qx, _qy); \
241 /* Source operand is byte-sized and may be restricted to just %cl. */
242 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
243 __emulate_2op(_op, _src, _dst, _eflags, \
244 "b", "c", "b", "c", "b", "c", "b", "c")
246 /* Source operand is byte, word, long or quad sized. */
247 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
248 __emulate_2op(_op, _src, _dst, _eflags, \
249 "b", "q", "w", "r", _LO32, "r", "", "r")
251 /* Source operand is word, long or quad sized. */
252 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
253 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
254 "w", "r", _LO32, "r", "", "r")
256 /* Instruction has three operands and one operand is stored in ECX register */
257 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
259 unsigned long _tmp; \
260 _type _clv = (_cl).val; \
261 _type _srcv = (_src).val; \
262 _type _dstv = (_dst).val; \
264 __asm__ __volatile__ ( \
265 _PRE_EFLAGS("0", "5", "2") \
266 _op _suffix " %4,%1 \n" \
267 _POST_EFLAGS("0", "5", "2") \
268 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
269 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
272 (_cl).val = (unsigned long) _clv; \
273 (_src).val = (unsigned long) _srcv; \
274 (_dst).val = (unsigned long) _dstv; \
277 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
279 switch ((_dst).bytes) { \
281 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
282 "w", unsigned short); \
285 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
286 "l", unsigned int); \
289 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
290 "q", unsigned long)); \
295 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
297 unsigned long _tmp; \
299 __asm__ __volatile__ ( \
300 _PRE_EFLAGS("0", "3", "2") \
301 _op _suffix " %1; " \
302 _POST_EFLAGS("0", "3", "2") \
303 : "=m" (_eflags), "+m" ((_dst).val), \
305 : "i" (EFLAGS_MASK)); \
308 /* Instruction has only one explicit operand (no source operand). */
309 #define emulate_1op(_op, _dst, _eflags) \
311 switch ((_dst).bytes) { \
312 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
313 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
314 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
315 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
319 #define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix) \
321 unsigned long _tmp; \
323 __asm__ __volatile__ ( \
324 _PRE_EFLAGS("0", "4", "1") \
325 _op _suffix " %5; " \
326 _POST_EFLAGS("0", "4", "1") \
327 : "=m" (_eflags), "=&r" (_tmp), \
328 "+a" (_rax), "+d" (_rdx) \
329 : "i" (EFLAGS_MASK), "m" ((_src).val), \
330 "a" (_rax), "d" (_rdx)); \
333 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
334 #define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags) \
336 switch((_src).bytes) { \
337 case 1: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "b"); break; \
338 case 2: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "w"); break; \
339 case 4: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "l"); break; \
340 case 8: ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "q")); break; \
344 /* Fetch next part of the instruction being emulated. */
345 #define insn_fetch(_type, _size, _eip) \
346 ({ unsigned long _x; \
347 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
348 if (rc != X86EMUL_CONTINUE) \
354 #define insn_fetch_arr(_arr, _size, _eip) \
355 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
356 if (rc != X86EMUL_CONTINUE) \
361 static inline unsigned long ad_mask(struct decode_cache *c)
363 return (1UL << (c->ad_bytes << 3)) - 1;
366 /* Access/update address held in a register, based on addressing mode. */
367 static inline unsigned long
368 address_mask(struct decode_cache *c, unsigned long reg)
370 if (c->ad_bytes == sizeof(unsigned long))
373 return reg & ad_mask(c);
376 static inline unsigned long
377 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
379 return base + address_mask(c, reg);
383 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
385 if (c->ad_bytes == sizeof(unsigned long))
388 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
391 static inline void jmp_rel(struct decode_cache *c, int rel)
393 register_address_increment(c, &c->eip, rel);
396 static void set_seg_override(struct decode_cache *c, int seg)
398 c->has_seg_override = true;
399 c->seg_override = seg;
402 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
403 struct x86_emulate_ops *ops, int seg)
405 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
408 return ops->get_cached_segment_base(seg, ctxt->vcpu);
411 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
412 struct x86_emulate_ops *ops,
413 struct decode_cache *c)
415 if (!c->has_seg_override)
418 return seg_base(ctxt, ops, c->seg_override);
421 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
422 struct x86_emulate_ops *ops)
424 return seg_base(ctxt, ops, VCPU_SREG_ES);
427 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
428 struct x86_emulate_ops *ops)
430 return seg_base(ctxt, ops, VCPU_SREG_SS);
433 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
434 u32 error, bool valid)
436 ctxt->exception = vec;
437 ctxt->error_code = error;
438 ctxt->error_code_valid = valid;
439 ctxt->restart = false;
442 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
444 emulate_exception(ctxt, GP_VECTOR, err, true);
447 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
451 emulate_exception(ctxt, PF_VECTOR, err, true);
454 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
456 emulate_exception(ctxt, UD_VECTOR, 0, false);
459 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
461 emulate_exception(ctxt, TS_VECTOR, err, true);
464 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
465 struct x86_emulate_ops *ops,
466 unsigned long eip, u8 *dest)
468 struct fetch_cache *fc = &ctxt->decode.fetch;
472 if (eip == fc->end) {
473 cur_size = fc->end - fc->start;
474 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
475 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
476 size, ctxt->vcpu, NULL);
477 if (rc != X86EMUL_CONTINUE)
481 *dest = fc->data[eip - fc->start];
482 return X86EMUL_CONTINUE;
485 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
486 struct x86_emulate_ops *ops,
487 unsigned long eip, void *dest, unsigned size)
491 /* x86 instructions are limited to 15 bytes. */
492 if (eip + size - ctxt->eip > 15)
493 return X86EMUL_UNHANDLEABLE;
495 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
496 if (rc != X86EMUL_CONTINUE)
499 return X86EMUL_CONTINUE;
503 * Given the 'reg' portion of a ModRM byte, and a register block, return a
504 * pointer into the block that addresses the relevant register.
505 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
507 static void *decode_register(u8 modrm_reg, unsigned long *regs,
512 p = ®s[modrm_reg];
513 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
514 p = (unsigned char *)®s[modrm_reg & 3] + 1;
518 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
519 struct x86_emulate_ops *ops,
521 u16 *size, unsigned long *address, int op_bytes)
528 rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
529 if (rc != X86EMUL_CONTINUE)
531 rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
535 static int test_cc(unsigned int condition, unsigned int flags)
539 switch ((condition & 15) >> 1) {
541 rc |= (flags & EFLG_OF);
543 case 1: /* b/c/nae */
544 rc |= (flags & EFLG_CF);
547 rc |= (flags & EFLG_ZF);
550 rc |= (flags & (EFLG_CF|EFLG_ZF));
553 rc |= (flags & EFLG_SF);
556 rc |= (flags & EFLG_PF);
559 rc |= (flags & EFLG_ZF);
562 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
566 /* Odd condition identifiers (lsb == 1) have inverted sense. */
567 return (!!rc ^ (condition & 1));
570 static void fetch_register_operand(struct operand *op)
574 op->val = *(u8 *)op->addr.reg;
577 op->val = *(u16 *)op->addr.reg;
580 op->val = *(u32 *)op->addr.reg;
583 op->val = *(u64 *)op->addr.reg;
588 static void decode_register_operand(struct operand *op,
589 struct decode_cache *c,
592 unsigned reg = c->modrm_reg;
593 int highbyte_regs = c->rex_prefix == 0;
596 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
598 if ((c->d & ByteOp) && !inhibit_bytereg) {
599 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
602 op->addr.reg = decode_register(reg, c->regs, 0);
603 op->bytes = c->op_bytes;
605 fetch_register_operand(op);
606 op->orig_val = op->val;
609 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
610 struct x86_emulate_ops *ops,
613 struct decode_cache *c = &ctxt->decode;
615 int index_reg = 0, base_reg = 0, scale;
616 int rc = X86EMUL_CONTINUE;
620 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
621 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
622 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
625 c->modrm = insn_fetch(u8, 1, c->eip);
626 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
627 c->modrm_reg |= (c->modrm & 0x38) >> 3;
628 c->modrm_rm |= (c->modrm & 0x07);
629 c->modrm_seg = VCPU_SREG_DS;
631 if (c->modrm_mod == 3) {
633 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
634 op->addr.reg = decode_register(c->modrm_rm,
635 c->regs, c->d & ByteOp);
636 fetch_register_operand(op);
642 if (c->ad_bytes == 2) {
643 unsigned bx = c->regs[VCPU_REGS_RBX];
644 unsigned bp = c->regs[VCPU_REGS_RBP];
645 unsigned si = c->regs[VCPU_REGS_RSI];
646 unsigned di = c->regs[VCPU_REGS_RDI];
648 /* 16-bit ModR/M decode. */
649 switch (c->modrm_mod) {
651 if (c->modrm_rm == 6)
652 modrm_ea += insn_fetch(u16, 2, c->eip);
655 modrm_ea += insn_fetch(s8, 1, c->eip);
658 modrm_ea += insn_fetch(u16, 2, c->eip);
661 switch (c->modrm_rm) {
681 if (c->modrm_mod != 0)
688 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
689 (c->modrm_rm == 6 && c->modrm_mod != 0))
690 c->modrm_seg = VCPU_SREG_SS;
691 modrm_ea = (u16)modrm_ea;
693 /* 32/64-bit ModR/M decode. */
694 if ((c->modrm_rm & 7) == 4) {
695 sib = insn_fetch(u8, 1, c->eip);
696 index_reg |= (sib >> 3) & 7;
700 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
701 modrm_ea += insn_fetch(s32, 4, c->eip);
703 modrm_ea += c->regs[base_reg];
705 modrm_ea += c->regs[index_reg] << scale;
706 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
707 if (ctxt->mode == X86EMUL_MODE_PROT64)
710 modrm_ea += c->regs[c->modrm_rm];
711 switch (c->modrm_mod) {
713 if (c->modrm_rm == 5)
714 modrm_ea += insn_fetch(s32, 4, c->eip);
717 modrm_ea += insn_fetch(s8, 1, c->eip);
720 modrm_ea += insn_fetch(s32, 4, c->eip);
724 op->addr.mem = modrm_ea;
729 static int decode_abs(struct x86_emulate_ctxt *ctxt,
730 struct x86_emulate_ops *ops,
733 struct decode_cache *c = &ctxt->decode;
734 int rc = X86EMUL_CONTINUE;
737 switch (c->ad_bytes) {
739 op->addr.mem = insn_fetch(u16, 2, c->eip);
742 op->addr.mem = insn_fetch(u32, 4, c->eip);
745 op->addr.mem = insn_fetch(u64, 8, c->eip);
752 static void fetch_bit_operand(struct decode_cache *c)
756 if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
757 mask = ~(c->dst.bytes * 8 - 1);
759 if (c->src.bytes == 2)
760 sv = (s16)c->src.val & (s16)mask;
761 else if (c->src.bytes == 4)
762 sv = (s32)c->src.val & (s32)mask;
764 c->dst.addr.mem += (sv >> 3);
767 /* only subword offset */
768 c->src.val &= (c->dst.bytes << 3) - 1;
771 static int read_emulated(struct x86_emulate_ctxt *ctxt,
772 struct x86_emulate_ops *ops,
773 unsigned long addr, void *dest, unsigned size)
776 struct read_cache *mc = &ctxt->decode.mem_read;
780 int n = min(size, 8u);
782 if (mc->pos < mc->end)
785 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
787 if (rc == X86EMUL_PROPAGATE_FAULT)
788 emulate_pf(ctxt, addr, err);
789 if (rc != X86EMUL_CONTINUE)
794 memcpy(dest, mc->data + mc->pos, n);
799 return X86EMUL_CONTINUE;
802 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
803 struct x86_emulate_ops *ops,
804 unsigned int size, unsigned short port,
807 struct read_cache *rc = &ctxt->decode.io_read;
809 if (rc->pos == rc->end) { /* refill pio read ahead */
810 struct decode_cache *c = &ctxt->decode;
811 unsigned int in_page, n;
812 unsigned int count = c->rep_prefix ?
813 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
814 in_page = (ctxt->eflags & EFLG_DF) ?
815 offset_in_page(c->regs[VCPU_REGS_RDI]) :
816 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
817 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
821 rc->pos = rc->end = 0;
822 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
827 memcpy(dest, rc->data + rc->pos, size);
832 static u32 desc_limit_scaled(struct desc_struct *desc)
834 u32 limit = get_desc_limit(desc);
836 return desc->g ? (limit << 12) | 0xfff : limit;
839 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
840 struct x86_emulate_ops *ops,
841 u16 selector, struct desc_ptr *dt)
843 if (selector & 1 << 2) {
844 struct desc_struct desc;
845 memset (dt, 0, sizeof *dt);
846 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
849 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
850 dt->address = get_desc_base(&desc);
852 ops->get_gdt(dt, ctxt->vcpu);
855 /* allowed just for 8 bytes segments */
856 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
857 struct x86_emulate_ops *ops,
858 u16 selector, struct desc_struct *desc)
861 u16 index = selector >> 3;
866 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
868 if (dt.size < index * 8 + 7) {
869 emulate_gp(ctxt, selector & 0xfffc);
870 return X86EMUL_PROPAGATE_FAULT;
872 addr = dt.address + index * 8;
873 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
874 if (ret == X86EMUL_PROPAGATE_FAULT)
875 emulate_pf(ctxt, addr, err);
880 /* allowed just for 8 bytes segments */
881 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
882 struct x86_emulate_ops *ops,
883 u16 selector, struct desc_struct *desc)
886 u16 index = selector >> 3;
891 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
893 if (dt.size < index * 8 + 7) {
894 emulate_gp(ctxt, selector & 0xfffc);
895 return X86EMUL_PROPAGATE_FAULT;
898 addr = dt.address + index * 8;
899 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
900 if (ret == X86EMUL_PROPAGATE_FAULT)
901 emulate_pf(ctxt, addr, err);
906 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
907 struct x86_emulate_ops *ops,
908 u16 selector, int seg)
910 struct desc_struct seg_desc;
912 unsigned err_vec = GP_VECTOR;
914 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
917 memset(&seg_desc, 0, sizeof seg_desc);
919 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
920 || ctxt->mode == X86EMUL_MODE_REAL) {
921 /* set real mode segment descriptor */
922 set_desc_base(&seg_desc, selector << 4);
923 set_desc_limit(&seg_desc, 0xffff);
930 /* NULL selector is not valid for TR, CS and SS */
931 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
935 /* TR should be in GDT only */
936 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
939 if (null_selector) /* for NULL selector skip all following checks */
942 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
943 if (ret != X86EMUL_CONTINUE)
946 err_code = selector & 0xfffc;
949 /* can't load system descriptor into segment selecor */
950 if (seg <= VCPU_SREG_GS && !seg_desc.s)
954 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
960 cpl = ops->cpl(ctxt->vcpu);
965 * segment is not a writable data segment or segment
966 * selector's RPL != CPL or segment selector's RPL != CPL
968 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
972 if (!(seg_desc.type & 8))
975 if (seg_desc.type & 4) {
981 if (rpl > cpl || dpl != cpl)
985 selector = (selector & 0xfffc) | cpl;
988 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
992 if (seg_desc.s || seg_desc.type != 2)
995 default: /* DS, ES, FS, or GS */
997 * segment is not a data or readable code segment or
998 * ((segment is a data or nonconforming code segment)
999 * and (both RPL and CPL > DPL))
1001 if ((seg_desc.type & 0xa) == 0x8 ||
1002 (((seg_desc.type & 0xc) != 0xc) &&
1003 (rpl > dpl && cpl > dpl)))
1009 /* mark segment as accessed */
1011 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1012 if (ret != X86EMUL_CONTINUE)
1016 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1017 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1018 return X86EMUL_CONTINUE;
1020 emulate_exception(ctxt, err_vec, err_code, true);
1021 return X86EMUL_PROPAGATE_FAULT;
1024 static void write_register_operand(struct operand *op)
1026 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1027 switch (op->bytes) {
1029 *(u8 *)op->addr.reg = (u8)op->val;
1032 *(u16 *)op->addr.reg = (u16)op->val;
1035 *op->addr.reg = (u32)op->val;
1036 break; /* 64b: zero-extend */
1038 *op->addr.reg = op->val;
1043 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1044 struct x86_emulate_ops *ops)
1047 struct decode_cache *c = &ctxt->decode;
1050 switch (c->dst.type) {
1052 write_register_operand(&c->dst);
1056 rc = ops->cmpxchg_emulated(
1064 rc = ops->write_emulated(
1070 if (rc == X86EMUL_PROPAGATE_FAULT)
1071 emulate_pf(ctxt, c->dst.addr.mem, err);
1072 if (rc != X86EMUL_CONTINUE)
1081 return X86EMUL_CONTINUE;
1084 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1085 struct x86_emulate_ops *ops)
1087 struct decode_cache *c = &ctxt->decode;
1089 c->dst.type = OP_MEM;
1090 c->dst.bytes = c->op_bytes;
1091 c->dst.val = c->src.val;
1092 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1093 c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
1094 c->regs[VCPU_REGS_RSP]);
1097 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1098 struct x86_emulate_ops *ops,
1099 void *dest, int len)
1101 struct decode_cache *c = &ctxt->decode;
1104 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1105 c->regs[VCPU_REGS_RSP]),
1107 if (rc != X86EMUL_CONTINUE)
1110 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1114 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1115 struct x86_emulate_ops *ops,
1116 void *dest, int len)
1119 unsigned long val, change_mask;
1120 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1121 int cpl = ops->cpl(ctxt->vcpu);
1123 rc = emulate_pop(ctxt, ops, &val, len);
1124 if (rc != X86EMUL_CONTINUE)
1127 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1128 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1130 switch(ctxt->mode) {
1131 case X86EMUL_MODE_PROT64:
1132 case X86EMUL_MODE_PROT32:
1133 case X86EMUL_MODE_PROT16:
1135 change_mask |= EFLG_IOPL;
1137 change_mask |= EFLG_IF;
1139 case X86EMUL_MODE_VM86:
1141 emulate_gp(ctxt, 0);
1142 return X86EMUL_PROPAGATE_FAULT;
1144 change_mask |= EFLG_IF;
1146 default: /* real mode */
1147 change_mask |= (EFLG_IOPL | EFLG_IF);
1151 *(unsigned long *)dest =
1152 (ctxt->eflags & ~change_mask) | (val & change_mask);
1157 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1158 struct x86_emulate_ops *ops, int seg)
1160 struct decode_cache *c = &ctxt->decode;
1162 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1164 emulate_push(ctxt, ops);
1167 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1168 struct x86_emulate_ops *ops, int seg)
1170 struct decode_cache *c = &ctxt->decode;
1171 unsigned long selector;
1174 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1175 if (rc != X86EMUL_CONTINUE)
1178 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1182 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1183 struct x86_emulate_ops *ops)
1185 struct decode_cache *c = &ctxt->decode;
1186 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1187 int rc = X86EMUL_CONTINUE;
1188 int reg = VCPU_REGS_RAX;
1190 while (reg <= VCPU_REGS_RDI) {
1191 (reg == VCPU_REGS_RSP) ?
1192 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1194 emulate_push(ctxt, ops);
1196 rc = writeback(ctxt, ops);
1197 if (rc != X86EMUL_CONTINUE)
1203 /* Disable writeback. */
1204 c->dst.type = OP_NONE;
1209 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1210 struct x86_emulate_ops *ops)
1212 struct decode_cache *c = &ctxt->decode;
1213 int rc = X86EMUL_CONTINUE;
1214 int reg = VCPU_REGS_RDI;
1216 while (reg >= VCPU_REGS_RAX) {
1217 if (reg == VCPU_REGS_RSP) {
1218 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1223 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1224 if (rc != X86EMUL_CONTINUE)
1231 int emulate_int_real(struct x86_emulate_ctxt *ctxt,
1232 struct x86_emulate_ops *ops, int irq)
1234 struct decode_cache *c = &ctxt->decode;
1235 int rc = X86EMUL_CONTINUE;
1242 /* TODO: Add limit checks */
1243 c->src.val = ctxt->eflags;
1244 emulate_push(ctxt, ops);
1246 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1248 c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1249 emulate_push(ctxt, ops);
1251 c->src.val = c->eip;
1252 emulate_push(ctxt, ops);
1254 ops->get_idt(&dt, ctxt->vcpu);
1256 eip_addr = dt.address + (irq << 2);
1257 cs_addr = dt.address + (irq << 2) + 2;
1259 rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &err);
1260 if (rc != X86EMUL_CONTINUE)
1263 rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &err);
1264 if (rc != X86EMUL_CONTINUE)
1267 rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
1268 if (rc != X86EMUL_CONTINUE)
1276 static int emulate_int(struct x86_emulate_ctxt *ctxt,
1277 struct x86_emulate_ops *ops, int irq)
1279 switch(ctxt->mode) {
1280 case X86EMUL_MODE_REAL:
1281 return emulate_int_real(ctxt, ops, irq);
1282 case X86EMUL_MODE_VM86:
1283 case X86EMUL_MODE_PROT16:
1284 case X86EMUL_MODE_PROT32:
1285 case X86EMUL_MODE_PROT64:
1287 /* Protected mode interrupts unimplemented yet */
1288 return X86EMUL_UNHANDLEABLE;
1292 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1293 struct x86_emulate_ops *ops)
1295 struct decode_cache *c = &ctxt->decode;
1296 int rc = X86EMUL_CONTINUE;
1297 unsigned long temp_eip = 0;
1298 unsigned long temp_eflags = 0;
1299 unsigned long cs = 0;
1300 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1301 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1302 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1303 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1305 /* TODO: Add stack limit check */
1307 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1309 if (rc != X86EMUL_CONTINUE)
1312 if (temp_eip & ~0xffff) {
1313 emulate_gp(ctxt, 0);
1314 return X86EMUL_PROPAGATE_FAULT;
1317 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1319 if (rc != X86EMUL_CONTINUE)
1322 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1324 if (rc != X86EMUL_CONTINUE)
1327 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1329 if (rc != X86EMUL_CONTINUE)
1335 if (c->op_bytes == 4)
1336 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1337 else if (c->op_bytes == 2) {
1338 ctxt->eflags &= ~0xffff;
1339 ctxt->eflags |= temp_eflags;
1342 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1343 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1348 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1349 struct x86_emulate_ops* ops)
1351 switch(ctxt->mode) {
1352 case X86EMUL_MODE_REAL:
1353 return emulate_iret_real(ctxt, ops);
1354 case X86EMUL_MODE_VM86:
1355 case X86EMUL_MODE_PROT16:
1356 case X86EMUL_MODE_PROT32:
1357 case X86EMUL_MODE_PROT64:
1359 /* iret from protected mode unimplemented yet */
1360 return X86EMUL_UNHANDLEABLE;
1364 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1365 struct x86_emulate_ops *ops)
1367 struct decode_cache *c = &ctxt->decode;
1369 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1372 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1374 struct decode_cache *c = &ctxt->decode;
1375 switch (c->modrm_reg) {
1377 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1380 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1383 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1386 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1388 case 4: /* sal/shl */
1389 case 6: /* sal/shl */
1390 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1393 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1396 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1401 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1402 struct x86_emulate_ops *ops)
1404 struct decode_cache *c = &ctxt->decode;
1405 unsigned long *rax = &c->regs[VCPU_REGS_RAX];
1406 unsigned long *rdx = &c->regs[VCPU_REGS_RDX];
1408 switch (c->modrm_reg) {
1409 case 0 ... 1: /* test */
1410 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1413 c->dst.val = ~c->dst.val;
1416 emulate_1op("neg", c->dst, ctxt->eflags);
1419 emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
1422 emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
1425 emulate_1op_rax_rdx("div", c->src, *rax, *rdx, ctxt->eflags);
1428 emulate_1op_rax_rdx("idiv", c->src, *rax, *rdx, ctxt->eflags);
1431 return X86EMUL_UNHANDLEABLE;
1433 return X86EMUL_CONTINUE;
1436 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1437 struct x86_emulate_ops *ops)
1439 struct decode_cache *c = &ctxt->decode;
1441 switch (c->modrm_reg) {
1443 emulate_1op("inc", c->dst, ctxt->eflags);
1446 emulate_1op("dec", c->dst, ctxt->eflags);
1448 case 2: /* call near abs */ {
1451 c->eip = c->src.val;
1452 c->src.val = old_eip;
1453 emulate_push(ctxt, ops);
1456 case 4: /* jmp abs */
1457 c->eip = c->src.val;
1460 emulate_push(ctxt, ops);
1463 return X86EMUL_CONTINUE;
1466 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1467 struct x86_emulate_ops *ops)
1469 struct decode_cache *c = &ctxt->decode;
1470 u64 old = c->dst.orig_val64;
1472 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1473 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1474 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1475 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1476 ctxt->eflags &= ~EFLG_ZF;
1478 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1479 (u32) c->regs[VCPU_REGS_RBX];
1481 ctxt->eflags |= EFLG_ZF;
1483 return X86EMUL_CONTINUE;
1486 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1487 struct x86_emulate_ops *ops)
1489 struct decode_cache *c = &ctxt->decode;
1493 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1494 if (rc != X86EMUL_CONTINUE)
1496 if (c->op_bytes == 4)
1497 c->eip = (u32)c->eip;
1498 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1499 if (rc != X86EMUL_CONTINUE)
1501 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1506 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1507 struct x86_emulate_ops *ops, struct desc_struct *cs,
1508 struct desc_struct *ss)
1510 memset(cs, 0, sizeof(struct desc_struct));
1511 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1512 memset(ss, 0, sizeof(struct desc_struct));
1514 cs->l = 0; /* will be adjusted later */
1515 set_desc_base(cs, 0); /* flat segment */
1516 cs->g = 1; /* 4kb granularity */
1517 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1518 cs->type = 0x0b; /* Read, Execute, Accessed */
1520 cs->dpl = 0; /* will be adjusted later */
1524 set_desc_base(ss, 0); /* flat segment */
1525 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1526 ss->g = 1; /* 4kb granularity */
1528 ss->type = 0x03; /* Read/Write, Accessed */
1529 ss->d = 1; /* 32bit stack segment */
1535 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1537 struct decode_cache *c = &ctxt->decode;
1538 struct desc_struct cs, ss;
1542 /* syscall is not available in real mode */
1543 if (ctxt->mode == X86EMUL_MODE_REAL ||
1544 ctxt->mode == X86EMUL_MODE_VM86) {
1546 return X86EMUL_PROPAGATE_FAULT;
1549 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1551 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1553 cs_sel = (u16)(msr_data & 0xfffc);
1554 ss_sel = (u16)(msr_data + 8);
1556 if (is_long_mode(ctxt->vcpu)) {
1560 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1561 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1562 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1563 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1565 c->regs[VCPU_REGS_RCX] = c->eip;
1566 if (is_long_mode(ctxt->vcpu)) {
1567 #ifdef CONFIG_X86_64
1568 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1570 ops->get_msr(ctxt->vcpu,
1571 ctxt->mode == X86EMUL_MODE_PROT64 ?
1572 MSR_LSTAR : MSR_CSTAR, &msr_data);
1575 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1576 ctxt->eflags &= ~(msr_data | EFLG_RF);
1580 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1581 c->eip = (u32)msr_data;
1583 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1586 return X86EMUL_CONTINUE;
1590 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1592 struct decode_cache *c = &ctxt->decode;
1593 struct desc_struct cs, ss;
1597 /* inject #GP if in real mode */
1598 if (ctxt->mode == X86EMUL_MODE_REAL) {
1599 emulate_gp(ctxt, 0);
1600 return X86EMUL_PROPAGATE_FAULT;
1603 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1604 * Therefore, we inject an #UD.
1606 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1608 return X86EMUL_PROPAGATE_FAULT;
1611 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1613 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1614 switch (ctxt->mode) {
1615 case X86EMUL_MODE_PROT32:
1616 if ((msr_data & 0xfffc) == 0x0) {
1617 emulate_gp(ctxt, 0);
1618 return X86EMUL_PROPAGATE_FAULT;
1621 case X86EMUL_MODE_PROT64:
1622 if (msr_data == 0x0) {
1623 emulate_gp(ctxt, 0);
1624 return X86EMUL_PROPAGATE_FAULT;
1629 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1630 cs_sel = (u16)msr_data;
1631 cs_sel &= ~SELECTOR_RPL_MASK;
1632 ss_sel = cs_sel + 8;
1633 ss_sel &= ~SELECTOR_RPL_MASK;
1634 if (ctxt->mode == X86EMUL_MODE_PROT64
1635 || is_long_mode(ctxt->vcpu)) {
1640 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1641 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1642 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1643 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1645 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1648 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1649 c->regs[VCPU_REGS_RSP] = msr_data;
1651 return X86EMUL_CONTINUE;
1655 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1657 struct decode_cache *c = &ctxt->decode;
1658 struct desc_struct cs, ss;
1663 /* inject #GP if in real mode or Virtual 8086 mode */
1664 if (ctxt->mode == X86EMUL_MODE_REAL ||
1665 ctxt->mode == X86EMUL_MODE_VM86) {
1666 emulate_gp(ctxt, 0);
1667 return X86EMUL_PROPAGATE_FAULT;
1670 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1672 if ((c->rex_prefix & 0x8) != 0x0)
1673 usermode = X86EMUL_MODE_PROT64;
1675 usermode = X86EMUL_MODE_PROT32;
1679 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1681 case X86EMUL_MODE_PROT32:
1682 cs_sel = (u16)(msr_data + 16);
1683 if ((msr_data & 0xfffc) == 0x0) {
1684 emulate_gp(ctxt, 0);
1685 return X86EMUL_PROPAGATE_FAULT;
1687 ss_sel = (u16)(msr_data + 24);
1689 case X86EMUL_MODE_PROT64:
1690 cs_sel = (u16)(msr_data + 32);
1691 if (msr_data == 0x0) {
1692 emulate_gp(ctxt, 0);
1693 return X86EMUL_PROPAGATE_FAULT;
1695 ss_sel = cs_sel + 8;
1700 cs_sel |= SELECTOR_RPL_MASK;
1701 ss_sel |= SELECTOR_RPL_MASK;
1703 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1704 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1705 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1706 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1708 c->eip = c->regs[VCPU_REGS_RDX];
1709 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1711 return X86EMUL_CONTINUE;
1714 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1715 struct x86_emulate_ops *ops)
1718 if (ctxt->mode == X86EMUL_MODE_REAL)
1720 if (ctxt->mode == X86EMUL_MODE_VM86)
1722 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1723 return ops->cpl(ctxt->vcpu) > iopl;
1726 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1727 struct x86_emulate_ops *ops,
1730 struct desc_struct tr_seg;
1733 u8 perm, bit_idx = port & 0x7;
1734 unsigned mask = (1 << len) - 1;
1736 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1739 if (desc_limit_scaled(&tr_seg) < 103)
1741 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1743 if (r != X86EMUL_CONTINUE)
1745 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1747 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1748 &perm, 1, ctxt->vcpu, NULL);
1749 if (r != X86EMUL_CONTINUE)
1751 if ((perm >> bit_idx) & mask)
1756 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1757 struct x86_emulate_ops *ops,
1763 if (emulator_bad_iopl(ctxt, ops))
1764 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1767 ctxt->perm_ok = true;
1772 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1773 struct x86_emulate_ops *ops,
1774 struct tss_segment_16 *tss)
1776 struct decode_cache *c = &ctxt->decode;
1779 tss->flag = ctxt->eflags;
1780 tss->ax = c->regs[VCPU_REGS_RAX];
1781 tss->cx = c->regs[VCPU_REGS_RCX];
1782 tss->dx = c->regs[VCPU_REGS_RDX];
1783 tss->bx = c->regs[VCPU_REGS_RBX];
1784 tss->sp = c->regs[VCPU_REGS_RSP];
1785 tss->bp = c->regs[VCPU_REGS_RBP];
1786 tss->si = c->regs[VCPU_REGS_RSI];
1787 tss->di = c->regs[VCPU_REGS_RDI];
1789 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1790 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1791 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1792 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1793 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1796 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1797 struct x86_emulate_ops *ops,
1798 struct tss_segment_16 *tss)
1800 struct decode_cache *c = &ctxt->decode;
1804 ctxt->eflags = tss->flag | 2;
1805 c->regs[VCPU_REGS_RAX] = tss->ax;
1806 c->regs[VCPU_REGS_RCX] = tss->cx;
1807 c->regs[VCPU_REGS_RDX] = tss->dx;
1808 c->regs[VCPU_REGS_RBX] = tss->bx;
1809 c->regs[VCPU_REGS_RSP] = tss->sp;
1810 c->regs[VCPU_REGS_RBP] = tss->bp;
1811 c->regs[VCPU_REGS_RSI] = tss->si;
1812 c->regs[VCPU_REGS_RDI] = tss->di;
1815 * SDM says that segment selectors are loaded before segment
1818 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1819 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1820 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1821 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1822 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1825 * Now load segment descriptors. If fault happenes at this stage
1826 * it is handled in a context of new task
1828 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1829 if (ret != X86EMUL_CONTINUE)
1831 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1832 if (ret != X86EMUL_CONTINUE)
1834 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1835 if (ret != X86EMUL_CONTINUE)
1837 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1838 if (ret != X86EMUL_CONTINUE)
1840 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1841 if (ret != X86EMUL_CONTINUE)
1844 return X86EMUL_CONTINUE;
1847 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1848 struct x86_emulate_ops *ops,
1849 u16 tss_selector, u16 old_tss_sel,
1850 ulong old_tss_base, struct desc_struct *new_desc)
1852 struct tss_segment_16 tss_seg;
1854 u32 err, new_tss_base = get_desc_base(new_desc);
1856 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1858 if (ret == X86EMUL_PROPAGATE_FAULT) {
1859 /* FIXME: need to provide precise fault address */
1860 emulate_pf(ctxt, old_tss_base, err);
1864 save_state_to_tss16(ctxt, ops, &tss_seg);
1866 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1868 if (ret == X86EMUL_PROPAGATE_FAULT) {
1869 /* FIXME: need to provide precise fault address */
1870 emulate_pf(ctxt, old_tss_base, err);
1874 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1876 if (ret == X86EMUL_PROPAGATE_FAULT) {
1877 /* FIXME: need to provide precise fault address */
1878 emulate_pf(ctxt, new_tss_base, err);
1882 if (old_tss_sel != 0xffff) {
1883 tss_seg.prev_task_link = old_tss_sel;
1885 ret = ops->write_std(new_tss_base,
1886 &tss_seg.prev_task_link,
1887 sizeof tss_seg.prev_task_link,
1889 if (ret == X86EMUL_PROPAGATE_FAULT) {
1890 /* FIXME: need to provide precise fault address */
1891 emulate_pf(ctxt, new_tss_base, err);
1896 return load_state_from_tss16(ctxt, ops, &tss_seg);
1899 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1900 struct x86_emulate_ops *ops,
1901 struct tss_segment_32 *tss)
1903 struct decode_cache *c = &ctxt->decode;
1905 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
1907 tss->eflags = ctxt->eflags;
1908 tss->eax = c->regs[VCPU_REGS_RAX];
1909 tss->ecx = c->regs[VCPU_REGS_RCX];
1910 tss->edx = c->regs[VCPU_REGS_RDX];
1911 tss->ebx = c->regs[VCPU_REGS_RBX];
1912 tss->esp = c->regs[VCPU_REGS_RSP];
1913 tss->ebp = c->regs[VCPU_REGS_RBP];
1914 tss->esi = c->regs[VCPU_REGS_RSI];
1915 tss->edi = c->regs[VCPU_REGS_RDI];
1917 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1918 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1919 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1920 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1921 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
1922 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
1923 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1926 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1927 struct x86_emulate_ops *ops,
1928 struct tss_segment_32 *tss)
1930 struct decode_cache *c = &ctxt->decode;
1933 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
1934 emulate_gp(ctxt, 0);
1935 return X86EMUL_PROPAGATE_FAULT;
1938 ctxt->eflags = tss->eflags | 2;
1939 c->regs[VCPU_REGS_RAX] = tss->eax;
1940 c->regs[VCPU_REGS_RCX] = tss->ecx;
1941 c->regs[VCPU_REGS_RDX] = tss->edx;
1942 c->regs[VCPU_REGS_RBX] = tss->ebx;
1943 c->regs[VCPU_REGS_RSP] = tss->esp;
1944 c->regs[VCPU_REGS_RBP] = tss->ebp;
1945 c->regs[VCPU_REGS_RSI] = tss->esi;
1946 c->regs[VCPU_REGS_RDI] = tss->edi;
1949 * SDM says that segment selectors are loaded before segment
1952 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
1953 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1954 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1955 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1956 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1957 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
1958 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
1961 * Now load segment descriptors. If fault happenes at this stage
1962 * it is handled in a context of new task
1964 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
1965 if (ret != X86EMUL_CONTINUE)
1967 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1968 if (ret != X86EMUL_CONTINUE)
1970 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1971 if (ret != X86EMUL_CONTINUE)
1973 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1974 if (ret != X86EMUL_CONTINUE)
1976 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1977 if (ret != X86EMUL_CONTINUE)
1979 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
1980 if (ret != X86EMUL_CONTINUE)
1982 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
1983 if (ret != X86EMUL_CONTINUE)
1986 return X86EMUL_CONTINUE;
1989 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
1990 struct x86_emulate_ops *ops,
1991 u16 tss_selector, u16 old_tss_sel,
1992 ulong old_tss_base, struct desc_struct *new_desc)
1994 struct tss_segment_32 tss_seg;
1996 u32 err, new_tss_base = get_desc_base(new_desc);
1998 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2000 if (ret == X86EMUL_PROPAGATE_FAULT) {
2001 /* FIXME: need to provide precise fault address */
2002 emulate_pf(ctxt, old_tss_base, err);
2006 save_state_to_tss32(ctxt, ops, &tss_seg);
2008 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2010 if (ret == X86EMUL_PROPAGATE_FAULT) {
2011 /* FIXME: need to provide precise fault address */
2012 emulate_pf(ctxt, old_tss_base, err);
2016 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2018 if (ret == X86EMUL_PROPAGATE_FAULT) {
2019 /* FIXME: need to provide precise fault address */
2020 emulate_pf(ctxt, new_tss_base, err);
2024 if (old_tss_sel != 0xffff) {
2025 tss_seg.prev_task_link = old_tss_sel;
2027 ret = ops->write_std(new_tss_base,
2028 &tss_seg.prev_task_link,
2029 sizeof tss_seg.prev_task_link,
2031 if (ret == X86EMUL_PROPAGATE_FAULT) {
2032 /* FIXME: need to provide precise fault address */
2033 emulate_pf(ctxt, new_tss_base, err);
2038 return load_state_from_tss32(ctxt, ops, &tss_seg);
2041 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2042 struct x86_emulate_ops *ops,
2043 u16 tss_selector, int reason,
2044 bool has_error_code, u32 error_code)
2046 struct desc_struct curr_tss_desc, next_tss_desc;
2048 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2049 ulong old_tss_base =
2050 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2053 /* FIXME: old_tss_base == ~0 ? */
2055 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2056 if (ret != X86EMUL_CONTINUE)
2058 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2059 if (ret != X86EMUL_CONTINUE)
2062 /* FIXME: check that next_tss_desc is tss */
2064 if (reason != TASK_SWITCH_IRET) {
2065 if ((tss_selector & 3) > next_tss_desc.dpl ||
2066 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2067 emulate_gp(ctxt, 0);
2068 return X86EMUL_PROPAGATE_FAULT;
2072 desc_limit = desc_limit_scaled(&next_tss_desc);
2073 if (!next_tss_desc.p ||
2074 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2075 desc_limit < 0x2b)) {
2076 emulate_ts(ctxt, tss_selector & 0xfffc);
2077 return X86EMUL_PROPAGATE_FAULT;
2080 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2081 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2082 write_segment_descriptor(ctxt, ops, old_tss_sel,
2086 if (reason == TASK_SWITCH_IRET)
2087 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2089 /* set back link to prev task only if NT bit is set in eflags
2090 note that old_tss_sel is not used afetr this point */
2091 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2092 old_tss_sel = 0xffff;
2094 if (next_tss_desc.type & 8)
2095 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2096 old_tss_base, &next_tss_desc);
2098 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2099 old_tss_base, &next_tss_desc);
2100 if (ret != X86EMUL_CONTINUE)
2103 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2104 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2106 if (reason != TASK_SWITCH_IRET) {
2107 next_tss_desc.type |= (1 << 1); /* set busy flag */
2108 write_segment_descriptor(ctxt, ops, tss_selector,
2112 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2113 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2114 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2116 if (has_error_code) {
2117 struct decode_cache *c = &ctxt->decode;
2119 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2121 c->src.val = (unsigned long) error_code;
2122 emulate_push(ctxt, ops);
2128 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2129 u16 tss_selector, int reason,
2130 bool has_error_code, u32 error_code)
2132 struct x86_emulate_ops *ops = ctxt->ops;
2133 struct decode_cache *c = &ctxt->decode;
2137 c->dst.type = OP_NONE;
2139 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2140 has_error_code, error_code);
2142 if (rc == X86EMUL_CONTINUE) {
2143 rc = writeback(ctxt, ops);
2144 if (rc == X86EMUL_CONTINUE)
2148 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2151 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2152 int reg, struct operand *op)
2154 struct decode_cache *c = &ctxt->decode;
2155 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2157 register_address_increment(c, &c->regs[reg], df * op->bytes);
2158 op->addr.mem = register_address(c, base, c->regs[reg]);
2161 static int em_push(struct x86_emulate_ctxt *ctxt)
2163 emulate_push(ctxt, ctxt->ops);
2164 return X86EMUL_CONTINUE;
2167 #define D(_y) { .flags = (_y) }
2169 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2170 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2171 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2173 static struct opcode group1[] = {
2177 static struct opcode group1A[] = {
2178 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2181 static struct opcode group3[] = {
2182 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2183 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2184 X4(D(SrcMem | ModRM)),
2187 static struct opcode group4[] = {
2188 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2192 static struct opcode group5[] = {
2193 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2194 D(SrcMem | ModRM | Stack), N,
2195 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2196 D(SrcMem | ModRM | Stack), N,
2199 static struct group_dual group7 = { {
2200 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2201 D(SrcNone | ModRM | DstMem | Mov), N,
2202 D(SrcMem16 | ModRM | Mov | Priv),
2203 D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
2205 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
2206 D(SrcNone | ModRM | DstMem | Mov), N,
2207 D(SrcMem16 | ModRM | Mov | Priv), N,
2210 static struct opcode group8[] = {
2212 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2213 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2216 static struct group_dual group9 = { {
2217 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2219 N, N, N, N, N, N, N, N,
2222 static struct opcode opcode_table[256] = {
2224 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2225 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2226 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2227 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2229 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2230 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2231 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2232 D(ImplicitOps | Stack | No64), N,
2234 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2235 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2236 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2237 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2239 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2240 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2241 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2242 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2244 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2245 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2246 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2248 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2249 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2250 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2252 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2253 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2254 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2256 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2257 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2258 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2263 X8(I(SrcReg | Stack, em_push)),
2265 X8(D(DstReg | Stack)),
2267 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2268 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2271 I(SrcImm | Mov | Stack, em_push), N,
2272 I(SrcImmByte | Mov | Stack, em_push), N,
2273 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
2274 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2278 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2279 G(DstMem | SrcImm | ModRM | Group, group1),
2280 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2281 G(DstMem | SrcImmByte | ModRM | Group, group1),
2282 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2283 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2285 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
2286 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
2287 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2288 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2290 X8(D(SrcAcc | DstReg)),
2292 N, N, D(SrcImmFAddr | No64), N,
2293 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2295 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
2296 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
2297 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
2298 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
2300 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm),
2301 D(ByteOp | SrcAcc | DstDI | Mov | String), D(SrcAcc | DstDI | Mov | String),
2302 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
2303 D(ByteOp | DstDI | String), D(DstDI | String),
2305 X8(D(ByteOp | DstReg | SrcImm | Mov)),
2307 X8(D(DstReg | SrcImm | Mov)),
2309 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
2310 N, D(ImplicitOps | Stack), N, N,
2311 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
2313 N, N, N, D(ImplicitOps | Stack),
2314 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2316 D(ByteOp | DstMem | SrcOne | ModRM), D(DstMem | SrcOne | ModRM),
2317 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
2320 N, N, N, N, N, N, N, N,
2323 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2324 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2326 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2327 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2328 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2329 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2332 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2334 D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
2335 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2338 static struct opcode twobyte_table[256] = {
2340 N, GD(0, &group7), N, N,
2341 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
2342 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
2343 N, D(ImplicitOps | ModRM), N, N,
2345 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2347 D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
2348 D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
2350 N, N, N, N, N, N, N, N,
2352 D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
2353 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
2354 N, N, N, N, N, N, N, N,
2356 X16(D(DstReg | SrcMem | ModRM | Mov)),
2358 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2360 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2362 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2366 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
2368 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2369 N, D(DstMem | SrcReg | ModRM | BitOp),
2370 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2371 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2373 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2374 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2375 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2376 D(DstMem | SrcReg | Src2CL | ModRM),
2379 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2380 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2381 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
2382 D(DstReg | SrcMem16 | ModRM | Mov),
2385 G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2386 D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2387 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2389 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2390 N, D(DstMem | SrcReg | ModRM | Mov),
2391 N, N, N, GD(0, &group9),
2392 N, N, N, N, N, N, N, N,
2394 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2396 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2398 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2408 x86_decode_insn(struct x86_emulate_ctxt *ctxt)
2410 struct x86_emulate_ops *ops = ctxt->ops;
2411 struct decode_cache *c = &ctxt->decode;
2412 int rc = X86EMUL_CONTINUE;
2413 int mode = ctxt->mode;
2414 int def_op_bytes, def_ad_bytes, dual, goffset;
2415 struct opcode opcode, *g_mod012, *g_mod3;
2416 struct operand memop = { .type = OP_NONE };
2418 /* we cannot decode insn before we complete previous rep insn */
2419 WARN_ON(ctxt->restart);
2422 c->fetch.start = c->fetch.end = c->eip;
2423 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2426 case X86EMUL_MODE_REAL:
2427 case X86EMUL_MODE_VM86:
2428 case X86EMUL_MODE_PROT16:
2429 def_op_bytes = def_ad_bytes = 2;
2431 case X86EMUL_MODE_PROT32:
2432 def_op_bytes = def_ad_bytes = 4;
2434 #ifdef CONFIG_X86_64
2435 case X86EMUL_MODE_PROT64:
2444 c->op_bytes = def_op_bytes;
2445 c->ad_bytes = def_ad_bytes;
2447 /* Legacy prefixes. */
2449 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2450 case 0x66: /* operand-size override */
2451 /* switch between 2/4 bytes */
2452 c->op_bytes = def_op_bytes ^ 6;
2454 case 0x67: /* address-size override */
2455 if (mode == X86EMUL_MODE_PROT64)
2456 /* switch between 4/8 bytes */
2457 c->ad_bytes = def_ad_bytes ^ 12;
2459 /* switch between 2/4 bytes */
2460 c->ad_bytes = def_ad_bytes ^ 6;
2462 case 0x26: /* ES override */
2463 case 0x2e: /* CS override */
2464 case 0x36: /* SS override */
2465 case 0x3e: /* DS override */
2466 set_seg_override(c, (c->b >> 3) & 3);
2468 case 0x64: /* FS override */
2469 case 0x65: /* GS override */
2470 set_seg_override(c, c->b & 7);
2472 case 0x40 ... 0x4f: /* REX */
2473 if (mode != X86EMUL_MODE_PROT64)
2475 c->rex_prefix = c->b;
2477 case 0xf0: /* LOCK */
2480 case 0xf2: /* REPNE/REPNZ */
2481 c->rep_prefix = REPNE_PREFIX;
2483 case 0xf3: /* REP/REPE/REPZ */
2484 c->rep_prefix = REPE_PREFIX;
2490 /* Any legacy prefix after a REX prefix nullifies its effect. */
2498 if (c->rex_prefix & 8)
2499 c->op_bytes = 8; /* REX.W */
2501 /* Opcode byte(s). */
2502 opcode = opcode_table[c->b];
2503 /* Two-byte opcode? */
2506 c->b = insn_fetch(u8, 1, c->eip);
2507 opcode = twobyte_table[c->b];
2509 c->d = opcode.flags;
2512 dual = c->d & GroupDual;
2513 c->modrm = insn_fetch(u8, 1, c->eip);
2516 if (c->d & GroupDual) {
2517 g_mod012 = opcode.u.gdual->mod012;
2518 g_mod3 = opcode.u.gdual->mod3;
2520 g_mod012 = g_mod3 = opcode.u.group;
2522 c->d &= ~(Group | GroupDual);
2524 goffset = (c->modrm >> 3) & 7;
2526 if ((c->modrm >> 6) == 3)
2527 opcode = g_mod3[goffset];
2529 opcode = g_mod012[goffset];
2530 c->d |= opcode.flags;
2533 c->execute = opcode.u.execute;
2536 if (c->d == 0 || (c->d & Undefined)) {
2537 DPRINTF("Cannot emulate %02x\n", c->b);
2541 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2544 if (c->d & Op3264) {
2545 if (mode == X86EMUL_MODE_PROT64)
2551 /* ModRM and SIB bytes. */
2553 rc = decode_modrm(ctxt, ops, &memop);
2554 if (!c->has_seg_override)
2555 set_seg_override(c, c->modrm_seg);
2556 } else if (c->d & MemAbs)
2557 rc = decode_abs(ctxt, ops, &memop);
2558 if (rc != X86EMUL_CONTINUE)
2561 if (!c->has_seg_override)
2562 set_seg_override(c, VCPU_SREG_DS);
2564 if (memop.type == OP_MEM && !(!c->twobyte && c->b == 0x8d))
2565 memop.addr.mem += seg_override_base(ctxt, ops, c);
2567 if (memop.type == OP_MEM && c->ad_bytes != 8)
2568 memop.addr.mem = (u32)memop.addr.mem;
2570 if (memop.type == OP_MEM && c->rip_relative)
2571 memop.addr.mem += c->eip;
2574 * Decode and fetch the source operand: register, memory
2577 switch (c->d & SrcMask) {
2581 decode_register_operand(&c->src, c, 0);
2590 memop.bytes = (c->d & ByteOp) ? 1 :
2597 c->src.type = OP_IMM;
2598 c->src.addr.mem = c->eip;
2599 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2600 if (c->src.bytes == 8)
2602 /* NB. Immediates are sign-extended as necessary. */
2603 switch (c->src.bytes) {
2605 c->src.val = insn_fetch(s8, 1, c->eip);
2608 c->src.val = insn_fetch(s16, 2, c->eip);
2611 c->src.val = insn_fetch(s32, 4, c->eip);
2614 if ((c->d & SrcMask) == SrcImmU) {
2615 switch (c->src.bytes) {
2620 c->src.val &= 0xffff;
2623 c->src.val &= 0xffffffff;
2630 c->src.type = OP_IMM;
2631 c->src.addr.mem = c->eip;
2633 if ((c->d & SrcMask) == SrcImmByte)
2634 c->src.val = insn_fetch(s8, 1, c->eip);
2636 c->src.val = insn_fetch(u8, 1, c->eip);
2639 c->src.type = OP_REG;
2640 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2641 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2642 fetch_register_operand(&c->src);
2649 c->src.type = OP_MEM;
2650 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2652 register_address(c, seg_override_base(ctxt, ops, c),
2653 c->regs[VCPU_REGS_RSI]);
2657 c->src.type = OP_IMM;
2658 c->src.addr.mem = c->eip;
2659 c->src.bytes = c->op_bytes + 2;
2660 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2663 memop.bytes = c->op_bytes + 2;
2669 * Decode and fetch the second source operand: register, memory
2672 switch (c->d & Src2Mask) {
2677 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2680 c->src2.type = OP_IMM;
2681 c->src2.addr.mem = c->eip;
2683 c->src2.val = insn_fetch(u8, 1, c->eip);
2691 /* Decode and fetch the destination operand: register or memory. */
2692 switch (c->d & DstMask) {
2694 decode_register_operand(&c->dst, c,
2695 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2698 c->dst.type = OP_IMM;
2699 c->dst.addr.mem = c->eip;
2701 c->dst.val = insn_fetch(u8, 1, c->eip);
2706 if ((c->d & DstMask) == DstMem64)
2709 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2711 fetch_bit_operand(c);
2712 c->dst.orig_val = c->dst.val;
2715 c->dst.type = OP_REG;
2716 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2717 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
2718 fetch_register_operand(&c->dst);
2719 c->dst.orig_val = c->dst.val;
2722 c->dst.type = OP_MEM;
2723 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2725 register_address(c, es_base(ctxt, ops),
2726 c->regs[VCPU_REGS_RDI]);
2730 /* Special instructions do their own operand decoding. */
2732 c->dst.type = OP_NONE; /* Disable writeback. */
2737 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2741 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2743 struct x86_emulate_ops *ops = ctxt->ops;
2745 struct decode_cache *c = &ctxt->decode;
2746 int rc = X86EMUL_CONTINUE;
2747 int saved_dst_type = c->dst.type;
2748 int irq; /* Used for int 3, int, and into */
2750 ctxt->decode.mem_read.pos = 0;
2752 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2757 /* LOCK prefix is allowed only with some instructions */
2758 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2763 /* Privileged instruction can be executed only in CPL=0 */
2764 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2765 emulate_gp(ctxt, 0);
2769 if (c->rep_prefix && (c->d & String)) {
2770 ctxt->restart = true;
2771 /* All REP prefixes have the same first termination condition */
2772 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2774 ctxt->restart = false;
2778 /* The second termination condition only applies for REPE
2779 * and REPNE. Test if the repeat string operation prefix is
2780 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2781 * corresponding termination condition according to:
2782 * - if REPE/REPZ and ZF = 0 then done
2783 * - if REPNE/REPNZ and ZF = 1 then done
2785 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2786 (c->b == 0xae) || (c->b == 0xaf)) {
2787 if ((c->rep_prefix == REPE_PREFIX) &&
2788 ((ctxt->eflags & EFLG_ZF) == 0))
2790 if ((c->rep_prefix == REPNE_PREFIX) &&
2791 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2797 if ((c->src.type == OP_MEM) && !(c->d & NoAccess)) {
2798 rc = read_emulated(ctxt, ops, c->src.addr.mem,
2799 c->src.valptr, c->src.bytes);
2800 if (rc != X86EMUL_CONTINUE)
2802 c->src.orig_val64 = c->src.val64;
2805 if (c->src2.type == OP_MEM) {
2806 rc = read_emulated(ctxt, ops, c->src2.addr.mem,
2807 &c->src2.val, c->src2.bytes);
2808 if (rc != X86EMUL_CONTINUE)
2812 if ((c->d & DstMask) == ImplicitOps)
2816 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2817 /* optimisation - avoid slow emulated read if Mov */
2818 rc = read_emulated(ctxt, ops, c->dst.addr.mem,
2819 &c->dst.val, c->dst.bytes);
2820 if (rc != X86EMUL_CONTINUE)
2823 c->dst.orig_val = c->dst.val;
2828 rc = c->execute(ctxt);
2829 if (rc != X86EMUL_CONTINUE)
2840 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2842 case 0x06: /* push es */
2843 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2845 case 0x07: /* pop es */
2846 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2847 if (rc != X86EMUL_CONTINUE)
2852 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2854 case 0x0e: /* push cs */
2855 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2859 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2861 case 0x16: /* push ss */
2862 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2864 case 0x17: /* pop ss */
2865 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2866 if (rc != X86EMUL_CONTINUE)
2871 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2873 case 0x1e: /* push ds */
2874 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2876 case 0x1f: /* pop ds */
2877 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2878 if (rc != X86EMUL_CONTINUE)
2883 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2887 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2891 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2895 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2897 case 0x40 ... 0x47: /* inc r16/r32 */
2898 emulate_1op("inc", c->dst, ctxt->eflags);
2900 case 0x48 ... 0x4f: /* dec r16/r32 */
2901 emulate_1op("dec", c->dst, ctxt->eflags);
2903 case 0x58 ... 0x5f: /* pop reg */
2905 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2906 if (rc != X86EMUL_CONTINUE)
2909 case 0x60: /* pusha */
2910 rc = emulate_pusha(ctxt, ops);
2911 if (rc != X86EMUL_CONTINUE)
2914 case 0x61: /* popa */
2915 rc = emulate_popa(ctxt, ops);
2916 if (rc != X86EMUL_CONTINUE)
2919 case 0x63: /* movsxd */
2920 if (ctxt->mode != X86EMUL_MODE_PROT64)
2921 goto cannot_emulate;
2922 c->dst.val = (s32) c->src.val;
2924 case 0x6c: /* insb */
2925 case 0x6d: /* insw/insd */
2926 c->dst.bytes = min(c->dst.bytes, 4u);
2927 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2929 emulate_gp(ctxt, 0);
2932 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2933 c->regs[VCPU_REGS_RDX], &c->dst.val))
2934 goto done; /* IO is needed, skip writeback */
2936 case 0x6e: /* outsb */
2937 case 0x6f: /* outsw/outsd */
2938 c->src.bytes = min(c->src.bytes, 4u);
2939 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2941 emulate_gp(ctxt, 0);
2944 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2945 &c->src.val, 1, ctxt->vcpu);
2947 c->dst.type = OP_NONE; /* nothing to writeback */
2949 case 0x70 ... 0x7f: /* jcc (short) */
2950 if (test_cc(c->b, ctxt->eflags))
2951 jmp_rel(c, c->src.val);
2953 case 0x80 ... 0x83: /* Grp1 */
2954 switch (c->modrm_reg) {
2975 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2977 case 0x86 ... 0x87: /* xchg */
2979 /* Write back the register source. */
2980 c->src.val = c->dst.val;
2981 write_register_operand(&c->src);
2983 * Write back the memory destination with implicit LOCK
2986 c->dst.val = c->src.orig_val;
2989 case 0x88 ... 0x8b: /* mov */
2991 case 0x8c: /* mov r/m, sreg */
2992 if (c->modrm_reg > VCPU_SREG_GS) {
2996 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2998 case 0x8d: /* lea r16/r32, m */
2999 c->dst.val = c->src.addr.mem;
3001 case 0x8e: { /* mov seg, r/m16 */
3006 if (c->modrm_reg == VCPU_SREG_CS ||
3007 c->modrm_reg > VCPU_SREG_GS) {
3012 if (c->modrm_reg == VCPU_SREG_SS)
3013 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3015 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
3017 c->dst.type = OP_NONE; /* Disable writeback. */
3020 case 0x8f: /* pop (sole member of Grp1a) */
3021 rc = emulate_grp1a(ctxt, ops);
3022 if (rc != X86EMUL_CONTINUE)
3025 case 0x90 ... 0x97: /* nop / xchg reg, rax */
3026 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
3029 case 0x9c: /* pushf */
3030 c->src.val = (unsigned long) ctxt->eflags;
3031 emulate_push(ctxt, ops);
3033 case 0x9d: /* popf */
3034 c->dst.type = OP_REG;
3035 c->dst.addr.reg = &ctxt->eflags;
3036 c->dst.bytes = c->op_bytes;
3037 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
3038 if (rc != X86EMUL_CONTINUE)
3041 case 0xa0 ... 0xa3: /* mov */
3042 case 0xa4 ... 0xa5: /* movs */
3044 case 0xa6 ... 0xa7: /* cmps */
3045 c->dst.type = OP_NONE; /* Disable writeback. */
3046 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
3048 case 0xa8 ... 0xa9: /* test ax, imm */
3050 case 0xaa ... 0xab: /* stos */
3051 case 0xac ... 0xad: /* lods */
3053 case 0xae ... 0xaf: /* scas */
3054 DPRINTF("Urk! I don't handle SCAS.\n");
3055 goto cannot_emulate;
3056 case 0xb0 ... 0xbf: /* mov r, imm */
3061 case 0xc3: /* ret */
3062 c->dst.type = OP_REG;
3063 c->dst.addr.reg = &c->eip;
3064 c->dst.bytes = c->op_bytes;
3065 goto pop_instruction;
3066 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
3068 c->dst.val = c->src.val;
3070 case 0xcb: /* ret far */
3071 rc = emulate_ret_far(ctxt, ops);
3072 if (rc != X86EMUL_CONTINUE)
3075 case 0xcc: /* int3 */
3078 case 0xcd: /* int n */
3081 rc = emulate_int(ctxt, ops, irq);
3082 if (rc != X86EMUL_CONTINUE)
3085 case 0xce: /* into */
3086 if (ctxt->eflags & EFLG_OF) {
3091 case 0xcf: /* iret */
3092 rc = emulate_iret(ctxt, ops);
3094 if (rc != X86EMUL_CONTINUE)
3097 case 0xd0 ... 0xd1: /* Grp2 */
3100 case 0xd2 ... 0xd3: /* Grp2 */
3101 c->src.val = c->regs[VCPU_REGS_RCX];
3104 case 0xe4: /* inb */
3107 case 0xe6: /* outb */
3108 case 0xe7: /* out */
3110 case 0xe8: /* call (near) */ {
3111 long int rel = c->src.val;
3112 c->src.val = (unsigned long) c->eip;
3114 emulate_push(ctxt, ops);
3117 case 0xe9: /* jmp rel */
3119 case 0xea: { /* jmp far */
3122 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3124 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3128 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3132 jmp: /* jmp rel short */
3133 jmp_rel(c, c->src.val);
3134 c->dst.type = OP_NONE; /* Disable writeback. */
3136 case 0xec: /* in al,dx */
3137 case 0xed: /* in (e/r)ax,dx */
3138 c->src.val = c->regs[VCPU_REGS_RDX];
3140 c->dst.bytes = min(c->dst.bytes, 4u);
3141 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3142 emulate_gp(ctxt, 0);
3145 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3147 goto done; /* IO is needed */
3149 case 0xee: /* out dx,al */
3150 case 0xef: /* out dx,(e/r)ax */
3151 c->src.val = c->regs[VCPU_REGS_RDX];
3153 c->dst.bytes = min(c->dst.bytes, 4u);
3154 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3155 emulate_gp(ctxt, 0);
3158 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
3160 c->dst.type = OP_NONE; /* Disable writeback. */
3162 case 0xf4: /* hlt */
3163 ctxt->vcpu->arch.halt_request = 1;
3165 case 0xf5: /* cmc */
3166 /* complement carry flag from eflags reg */
3167 ctxt->eflags ^= EFLG_CF;
3169 case 0xf6 ... 0xf7: /* Grp3 */
3170 if (emulate_grp3(ctxt, ops) != X86EMUL_CONTINUE)
3171 goto cannot_emulate;
3173 case 0xf8: /* clc */
3174 ctxt->eflags &= ~EFLG_CF;
3176 case 0xf9: /* stc */
3177 ctxt->eflags |= EFLG_CF;
3179 case 0xfa: /* cli */
3180 if (emulator_bad_iopl(ctxt, ops)) {
3181 emulate_gp(ctxt, 0);
3184 ctxt->eflags &= ~X86_EFLAGS_IF;
3186 case 0xfb: /* sti */
3187 if (emulator_bad_iopl(ctxt, ops)) {
3188 emulate_gp(ctxt, 0);
3191 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3192 ctxt->eflags |= X86_EFLAGS_IF;
3195 case 0xfc: /* cld */
3196 ctxt->eflags &= ~EFLG_DF;
3198 case 0xfd: /* std */
3199 ctxt->eflags |= EFLG_DF;
3201 case 0xfe: /* Grp4 */
3203 rc = emulate_grp45(ctxt, ops);
3204 if (rc != X86EMUL_CONTINUE)
3207 case 0xff: /* Grp5 */
3208 if (c->modrm_reg == 5)
3212 goto cannot_emulate;
3216 rc = writeback(ctxt, ops);
3217 if (rc != X86EMUL_CONTINUE)
3221 * restore dst type in case the decoding will be reused
3222 * (happens for string instruction )
3224 c->dst.type = saved_dst_type;
3226 if ((c->d & SrcMask) == SrcSI)
3227 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3228 VCPU_REGS_RSI, &c->src);
3230 if ((c->d & DstMask) == DstDI)
3231 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3234 if (c->rep_prefix && (c->d & String)) {
3235 struct read_cache *rc = &ctxt->decode.io_read;
3236 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3238 * Re-enter guest when pio read ahead buffer is empty or,
3239 * if it is not used, after each 1024 iteration.
3241 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3242 (rc->end != 0 && rc->end == rc->pos))
3243 ctxt->restart = false;
3246 * reset read cache here in case string instruction is restared
3249 ctxt->decode.mem_read.end = 0;
3253 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3257 case 0x01: /* lgdt, lidt, lmsw */
3258 switch (c->modrm_reg) {
3260 unsigned long address;
3262 case 0: /* vmcall */
3263 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3264 goto cannot_emulate;
3266 rc = kvm_fix_hypercall(ctxt->vcpu);
3267 if (rc != X86EMUL_CONTINUE)
3270 /* Let the processor re-execute the fixed hypercall */
3272 /* Disable writeback. */
3273 c->dst.type = OP_NONE;
3276 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3277 &size, &address, c->op_bytes);
3278 if (rc != X86EMUL_CONTINUE)
3280 realmode_lgdt(ctxt->vcpu, size, address);
3281 /* Disable writeback. */
3282 c->dst.type = OP_NONE;
3284 case 3: /* lidt/vmmcall */
3285 if (c->modrm_mod == 3) {
3286 switch (c->modrm_rm) {
3288 rc = kvm_fix_hypercall(ctxt->vcpu);
3289 if (rc != X86EMUL_CONTINUE)
3293 goto cannot_emulate;
3296 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3299 if (rc != X86EMUL_CONTINUE)
3301 realmode_lidt(ctxt->vcpu, size, address);
3303 /* Disable writeback. */
3304 c->dst.type = OP_NONE;
3308 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3311 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3312 (c->src.val & 0x0f), ctxt->vcpu);
3313 c->dst.type = OP_NONE;
3315 case 5: /* not defined */
3319 emulate_invlpg(ctxt->vcpu, c->src.addr.mem);
3320 /* Disable writeback. */
3321 c->dst.type = OP_NONE;
3324 goto cannot_emulate;
3327 case 0x05: /* syscall */
3328 rc = emulate_syscall(ctxt, ops);
3329 if (rc != X86EMUL_CONTINUE)
3335 emulate_clts(ctxt->vcpu);
3337 case 0x09: /* wbinvd */
3338 kvm_emulate_wbinvd(ctxt->vcpu);
3340 case 0x08: /* invd */
3341 case 0x0d: /* GrpP (prefetch) */
3342 case 0x18: /* Grp16 (prefetch/nop) */
3344 case 0x20: /* mov cr, reg */
3345 switch (c->modrm_reg) {
3352 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3354 case 0x21: /* mov from dr to reg */
3355 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3356 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3360 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3362 case 0x22: /* mov reg, cr */
3363 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3364 emulate_gp(ctxt, 0);
3367 c->dst.type = OP_NONE;
3369 case 0x23: /* mov from reg to dr */
3370 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3371 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3376 if (ops->set_dr(c->modrm_reg, c->src.val &
3377 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3378 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3379 /* #UD condition is already handled by the code above */
3380 emulate_gp(ctxt, 0);
3384 c->dst.type = OP_NONE; /* no writeback */
3388 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3389 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3390 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3391 emulate_gp(ctxt, 0);
3394 rc = X86EMUL_CONTINUE;
3398 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3399 emulate_gp(ctxt, 0);
3402 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3403 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3405 rc = X86EMUL_CONTINUE;
3407 case 0x34: /* sysenter */
3408 rc = emulate_sysenter(ctxt, ops);
3409 if (rc != X86EMUL_CONTINUE)
3414 case 0x35: /* sysexit */
3415 rc = emulate_sysexit(ctxt, ops);
3416 if (rc != X86EMUL_CONTINUE)
3421 case 0x40 ... 0x4f: /* cmov */
3422 c->dst.val = c->dst.orig_val = c->src.val;
3423 if (!test_cc(c->b, ctxt->eflags))
3424 c->dst.type = OP_NONE; /* no writeback */
3426 case 0x80 ... 0x8f: /* jnz rel, etc*/
3427 if (test_cc(c->b, ctxt->eflags))
3428 jmp_rel(c, c->src.val);
3430 case 0x90 ... 0x9f: /* setcc r/m8 */
3431 c->dst.val = test_cc(c->b, ctxt->eflags);
3433 case 0xa0: /* push fs */
3434 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3436 case 0xa1: /* pop fs */
3437 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3438 if (rc != X86EMUL_CONTINUE)
3443 c->dst.type = OP_NONE;
3444 /* only subword offset */
3445 c->src.val &= (c->dst.bytes << 3) - 1;
3446 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3448 case 0xa4: /* shld imm8, r, r/m */
3449 case 0xa5: /* shld cl, r, r/m */
3450 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3452 case 0xa8: /* push gs */
3453 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3455 case 0xa9: /* pop gs */
3456 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3457 if (rc != X86EMUL_CONTINUE)
3462 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3464 case 0xac: /* shrd imm8, r, r/m */
3465 case 0xad: /* shrd cl, r, r/m */
3466 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3468 case 0xae: /* clflush */
3470 case 0xb0 ... 0xb1: /* cmpxchg */
3472 * Save real source value, then compare EAX against
3475 c->src.orig_val = c->src.val;
3476 c->src.val = c->regs[VCPU_REGS_RAX];
3477 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3478 if (ctxt->eflags & EFLG_ZF) {
3479 /* Success: write back to memory. */
3480 c->dst.val = c->src.orig_val;
3482 /* Failure: write the value we saw to EAX. */
3483 c->dst.type = OP_REG;
3484 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3489 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3491 case 0xb6 ... 0xb7: /* movzx */
3492 c->dst.bytes = c->op_bytes;
3493 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3496 case 0xba: /* Grp8 */
3497 switch (c->modrm_reg & 3) {
3510 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3512 case 0xbc: { /* bsf */
3514 __asm__ ("bsf %2, %0; setz %1"
3515 : "=r"(c->dst.val), "=q"(zf)
3517 ctxt->eflags &= ~X86_EFLAGS_ZF;
3519 ctxt->eflags |= X86_EFLAGS_ZF;
3520 c->dst.type = OP_NONE; /* Disable writeback. */
3524 case 0xbd: { /* bsr */
3526 __asm__ ("bsr %2, %0; setz %1"
3527 : "=r"(c->dst.val), "=q"(zf)
3529 ctxt->eflags &= ~X86_EFLAGS_ZF;
3531 ctxt->eflags |= X86_EFLAGS_ZF;
3532 c->dst.type = OP_NONE; /* Disable writeback. */
3536 case 0xbe ... 0xbf: /* movsx */
3537 c->dst.bytes = c->op_bytes;
3538 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3541 case 0xc0 ... 0xc1: /* xadd */
3542 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3543 /* Write back the register source. */
3544 c->src.val = c->dst.orig_val;
3545 write_register_operand(&c->src);
3547 case 0xc3: /* movnti */
3548 c->dst.bytes = c->op_bytes;
3549 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3552 case 0xc7: /* Grp9 (cmpxchg8b) */
3553 rc = emulate_grp9(ctxt, ops);
3554 if (rc != X86EMUL_CONTINUE)
3558 goto cannot_emulate;
3563 DPRINTF("Cannot emulate %02x\n", c->b);
git.openpandora.org / pandora-kernel.git / blob