1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<16) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<17) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<17) /* Register operand. */
53 #define DstMem (3<<17) /* Memory operand. */
54 #define DstAcc (4<<17) /* Destination Accumulator */
55 #define DstDI (5<<17) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<17) /* 64bit memory operand */
57 #define DstMask (7<<17)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
77 /* Destination is only written; never read. */
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
85 #define GroupMask 0x0f /* Group number stored in bits 0:3 */
87 #define Undefined (1<<25) /* No Such Instruction */
88 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
89 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
91 /* Source 2 operand type */
92 #define Src2None (0<<29)
93 #define Src2CL (1<<29)
94 #define Src2ImmByte (2<<29)
95 #define Src2One (3<<29)
96 #define Src2Mask (7<<29)
99 #define X3(x) X2(x), x
100 #define X4(x) X2(x), X2(x)
101 #define X5(x) X4(x), x
102 #define X6(x) X4(x), X2(x)
103 #define X7(x) X4(x), X3(x)
104 #define X8(x) X4(x), X4(x)
105 #define X16(x) X8(x), X8(x)
108 NoGrp, Group1, Group1A, Group3, Group4, Group5, Group7, Group8, Group9,
114 struct opcode *group;
115 struct group_dual *gdual;
120 struct opcode mod012[8];
121 struct opcode mod3[8];
124 #define D(_y) { .flags = (_y) }
126 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
127 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
129 static struct opcode group_table[] = {
133 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
135 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
136 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
139 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
142 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
143 D(SrcMem | ModRM | Stack), N,
144 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
145 D(SrcMem | ModRM | Stack), N,
147 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
148 D(SrcNone | ModRM | DstMem | Mov), N,
149 D(SrcMem16 | ModRM | Mov | Priv), D(SrcMem | ModRM | ByteOp | Priv),
152 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
153 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
155 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
158 static struct opcode group2_table[] = {
160 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
161 D(SrcNone | ModRM | DstMem | Mov), N,
162 D(SrcMem16 | ModRM | Mov | Priv), N,
164 N, N, N, N, N, N, N, N,
167 static struct opcode opcode_table[256] = {
169 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
170 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
171 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
172 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
174 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
175 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
176 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
177 D(ImplicitOps | Stack | No64), N,
179 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
180 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
181 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
182 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
184 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
185 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
186 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
187 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
189 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
190 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
191 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
193 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
194 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
195 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
197 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
198 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
199 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
201 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
202 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
203 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
208 X8(D(SrcReg | Stack)),
210 X8(D(DstReg | Stack)),
212 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
213 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
216 D(SrcImm | Mov | Stack), N, D(SrcImmByte | Mov | Stack), N,
217 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
218 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
222 D(ByteOp | DstMem | SrcImm | ModRM | Group | Group1),
223 D(DstMem | SrcImm | ModRM | Group | Group1),
224 D(ByteOp | DstMem | SrcImm | ModRM | No64 | Group | Group1),
225 D(DstMem | SrcImmByte | ModRM | Group | Group1),
226 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
227 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
229 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
230 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
231 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | DstReg),
232 D(ImplicitOps | SrcMem16 | ModRM), D(Group | Group1A),
234 D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg),
236 N, N, D(SrcImmFAddr | No64), N,
237 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
239 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
240 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
241 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
242 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
244 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
245 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
246 D(ByteOp | DstDI | String), D(DstDI | String),
248 X8(D(ByteOp | DstReg | SrcImm | Mov)),
250 X8(D(DstReg | SrcImm | Mov)),
252 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
253 N, D(ImplicitOps | Stack), N, N,
254 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
256 N, N, N, D(ImplicitOps | Stack),
257 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
259 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
260 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
263 N, N, N, N, N, N, N, N,
266 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
267 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
269 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
270 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
271 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
272 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
275 D(ImplicitOps | Priv), D(ImplicitOps), D(ByteOp | Group | Group3), D(Group | Group3),
277 D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
278 D(ImplicitOps), D(ImplicitOps), D(Group | Group4), D(Group | Group5),
281 static struct opcode twobyte_table[256] = {
283 N, D(Group | GroupDual | Group7), N, N,
284 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
285 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
286 N, D(ImplicitOps | ModRM), N, N,
288 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
290 D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
291 D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
293 N, N, N, N, N, N, N, N,
295 D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
296 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
297 N, N, N, N, N, N, N, N,
299 X16(D(DstReg | SrcMem | ModRM | Mov)),
301 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
303 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
305 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
309 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
311 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
312 N, D(DstMem | SrcReg | ModRM | BitOp),
313 D(DstMem | SrcReg | Src2ImmByte | ModRM),
314 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
316 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
317 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
318 D(DstMem | SrcReg | Src2ImmByte | ModRM),
319 D(DstMem | SrcReg | Src2CL | ModRM),
322 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
323 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
324 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
325 D(DstReg | SrcMem16 | ModRM | Mov),
328 D(Group | Group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
329 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
330 D(DstReg | SrcMem16 | ModRM | Mov),
332 N, N, N, D(DstMem | SrcReg | ModRM | Mov),
333 N, N, N, D(Group | GroupDual | Group9),
334 N, N, N, N, N, N, N, N,
336 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
338 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
340 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
348 /* EFLAGS bit definitions. */
349 #define EFLG_ID (1<<21)
350 #define EFLG_VIP (1<<20)
351 #define EFLG_VIF (1<<19)
352 #define EFLG_AC (1<<18)
353 #define EFLG_VM (1<<17)
354 #define EFLG_RF (1<<16)
355 #define EFLG_IOPL (3<<12)
356 #define EFLG_NT (1<<14)
357 #define EFLG_OF (1<<11)
358 #define EFLG_DF (1<<10)
359 #define EFLG_IF (1<<9)
360 #define EFLG_TF (1<<8)
361 #define EFLG_SF (1<<7)
362 #define EFLG_ZF (1<<6)
363 #define EFLG_AF (1<<4)
364 #define EFLG_PF (1<<2)
365 #define EFLG_CF (1<<0)
367 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
368 #define EFLG_RESERVED_ONE_MASK 2
371 * Instruction emulation:
372 * Most instructions are emulated directly via a fragment of inline assembly
373 * code. This allows us to save/restore EFLAGS and thus very easily pick up
374 * any modified flags.
377 #if defined(CONFIG_X86_64)
378 #define _LO32 "k" /* force 32-bit operand */
379 #define _STK "%%rsp" /* stack pointer */
380 #elif defined(__i386__)
381 #define _LO32 "" /* force 32-bit operand */
382 #define _STK "%%esp" /* stack pointer */
386 * These EFLAGS bits are restored from saved value during emulation, and
387 * any changes are written back to the saved value after emulation.
389 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
391 /* Before executing instruction: restore necessary bits in EFLAGS. */
392 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
393 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
394 "movl %"_sav",%"_LO32 _tmp"; " \
397 "movl %"_msk",%"_LO32 _tmp"; " \
398 "andl %"_LO32 _tmp",("_STK"); " \
400 "notl %"_LO32 _tmp"; " \
401 "andl %"_LO32 _tmp",("_STK"); " \
402 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
404 "orl %"_LO32 _tmp",("_STK"); " \
408 /* After executing instruction: write-back necessary bits in EFLAGS. */
409 #define _POST_EFLAGS(_sav, _msk, _tmp) \
410 /* _sav |= EFLAGS & _msk; */ \
413 "andl %"_msk",%"_LO32 _tmp"; " \
414 "orl %"_LO32 _tmp",%"_sav"; "
422 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
424 __asm__ __volatile__ ( \
425 _PRE_EFLAGS("0", "4", "2") \
426 _op _suffix " %"_x"3,%1; " \
427 _POST_EFLAGS("0", "4", "2") \
428 : "=m" (_eflags), "=m" ((_dst).val), \
430 : _y ((_src).val), "i" (EFLAGS_MASK)); \
434 /* Raw emulation: instruction has two explicit operands. */
435 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
437 unsigned long _tmp; \
439 switch ((_dst).bytes) { \
441 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
444 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
447 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
452 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
454 unsigned long _tmp; \
455 switch ((_dst).bytes) { \
457 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
460 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
461 _wx, _wy, _lx, _ly, _qx, _qy); \
466 /* Source operand is byte-sized and may be restricted to just %cl. */
467 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
468 __emulate_2op(_op, _src, _dst, _eflags, \
469 "b", "c", "b", "c", "b", "c", "b", "c")
471 /* Source operand is byte, word, long or quad sized. */
472 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
473 __emulate_2op(_op, _src, _dst, _eflags, \
474 "b", "q", "w", "r", _LO32, "r", "", "r")
476 /* Source operand is word, long or quad sized. */
477 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
478 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
479 "w", "r", _LO32, "r", "", "r")
481 /* Instruction has three operands and one operand is stored in ECX register */
482 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
484 unsigned long _tmp; \
485 _type _clv = (_cl).val; \
486 _type _srcv = (_src).val; \
487 _type _dstv = (_dst).val; \
489 __asm__ __volatile__ ( \
490 _PRE_EFLAGS("0", "5", "2") \
491 _op _suffix " %4,%1 \n" \
492 _POST_EFLAGS("0", "5", "2") \
493 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
494 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
497 (_cl).val = (unsigned long) _clv; \
498 (_src).val = (unsigned long) _srcv; \
499 (_dst).val = (unsigned long) _dstv; \
502 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
504 switch ((_dst).bytes) { \
506 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
507 "w", unsigned short); \
510 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
511 "l", unsigned int); \
514 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
515 "q", unsigned long)); \
520 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
522 unsigned long _tmp; \
524 __asm__ __volatile__ ( \
525 _PRE_EFLAGS("0", "3", "2") \
526 _op _suffix " %1; " \
527 _POST_EFLAGS("0", "3", "2") \
528 : "=m" (_eflags), "+m" ((_dst).val), \
530 : "i" (EFLAGS_MASK)); \
533 /* Instruction has only one explicit operand (no source operand). */
534 #define emulate_1op(_op, _dst, _eflags) \
536 switch ((_dst).bytes) { \
537 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
538 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
539 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
540 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
544 /* Fetch next part of the instruction being emulated. */
545 #define insn_fetch(_type, _size, _eip) \
546 ({ unsigned long _x; \
547 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
548 if (rc != X86EMUL_CONTINUE) \
554 #define insn_fetch_arr(_arr, _size, _eip) \
555 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
556 if (rc != X86EMUL_CONTINUE) \
561 static inline unsigned long ad_mask(struct decode_cache *c)
563 return (1UL << (c->ad_bytes << 3)) - 1;
566 /* Access/update address held in a register, based on addressing mode. */
567 static inline unsigned long
568 address_mask(struct decode_cache *c, unsigned long reg)
570 if (c->ad_bytes == sizeof(unsigned long))
573 return reg & ad_mask(c);
576 static inline unsigned long
577 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
579 return base + address_mask(c, reg);
583 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
585 if (c->ad_bytes == sizeof(unsigned long))
588 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
591 static inline void jmp_rel(struct decode_cache *c, int rel)
593 register_address_increment(c, &c->eip, rel);
596 static void set_seg_override(struct decode_cache *c, int seg)
598 c->has_seg_override = true;
599 c->seg_override = seg;
602 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
603 struct x86_emulate_ops *ops, int seg)
605 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
608 return ops->get_cached_segment_base(seg, ctxt->vcpu);
611 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
612 struct x86_emulate_ops *ops,
613 struct decode_cache *c)
615 if (!c->has_seg_override)
618 return seg_base(ctxt, ops, c->seg_override);
621 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
622 struct x86_emulate_ops *ops)
624 return seg_base(ctxt, ops, VCPU_SREG_ES);
627 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
628 struct x86_emulate_ops *ops)
630 return seg_base(ctxt, ops, VCPU_SREG_SS);
633 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
634 u32 error, bool valid)
636 ctxt->exception = vec;
637 ctxt->error_code = error;
638 ctxt->error_code_valid = valid;
639 ctxt->restart = false;
642 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
644 emulate_exception(ctxt, GP_VECTOR, err, true);
647 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
651 emulate_exception(ctxt, PF_VECTOR, err, true);
654 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
656 emulate_exception(ctxt, UD_VECTOR, 0, false);
659 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
661 emulate_exception(ctxt, TS_VECTOR, err, true);
664 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
665 struct x86_emulate_ops *ops,
666 unsigned long eip, u8 *dest)
668 struct fetch_cache *fc = &ctxt->decode.fetch;
672 if (eip == fc->end) {
673 cur_size = fc->end - fc->start;
674 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
675 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
676 size, ctxt->vcpu, NULL);
677 if (rc != X86EMUL_CONTINUE)
681 *dest = fc->data[eip - fc->start];
682 return X86EMUL_CONTINUE;
685 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
686 struct x86_emulate_ops *ops,
687 unsigned long eip, void *dest, unsigned size)
691 /* x86 instructions are limited to 15 bytes. */
692 if (eip + size - ctxt->eip > 15)
693 return X86EMUL_UNHANDLEABLE;
695 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
696 if (rc != X86EMUL_CONTINUE)
699 return X86EMUL_CONTINUE;
703 * Given the 'reg' portion of a ModRM byte, and a register block, return a
704 * pointer into the block that addresses the relevant register.
705 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
707 static void *decode_register(u8 modrm_reg, unsigned long *regs,
712 p = ®s[modrm_reg];
713 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
714 p = (unsigned char *)®s[modrm_reg & 3] + 1;
718 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
719 struct x86_emulate_ops *ops,
721 u16 *size, unsigned long *address, int op_bytes)
728 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
730 if (rc != X86EMUL_CONTINUE)
732 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
737 static int test_cc(unsigned int condition, unsigned int flags)
741 switch ((condition & 15) >> 1) {
743 rc |= (flags & EFLG_OF);
745 case 1: /* b/c/nae */
746 rc |= (flags & EFLG_CF);
749 rc |= (flags & EFLG_ZF);
752 rc |= (flags & (EFLG_CF|EFLG_ZF));
755 rc |= (flags & EFLG_SF);
758 rc |= (flags & EFLG_PF);
761 rc |= (flags & EFLG_ZF);
764 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
768 /* Odd condition identifiers (lsb == 1) have inverted sense. */
769 return (!!rc ^ (condition & 1));
772 static void decode_register_operand(struct operand *op,
773 struct decode_cache *c,
776 unsigned reg = c->modrm_reg;
777 int highbyte_regs = c->rex_prefix == 0;
780 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
782 if ((c->d & ByteOp) && !inhibit_bytereg) {
783 op->ptr = decode_register(reg, c->regs, highbyte_regs);
784 op->val = *(u8 *)op->ptr;
787 op->ptr = decode_register(reg, c->regs, 0);
788 op->bytes = c->op_bytes;
791 op->val = *(u16 *)op->ptr;
794 op->val = *(u32 *)op->ptr;
797 op->val = *(u64 *) op->ptr;
801 op->orig_val = op->val;
804 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
805 struct x86_emulate_ops *ops)
807 struct decode_cache *c = &ctxt->decode;
809 int index_reg = 0, base_reg = 0, scale;
810 int rc = X86EMUL_CONTINUE;
813 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
814 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
815 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
818 c->modrm = insn_fetch(u8, 1, c->eip);
819 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
820 c->modrm_reg |= (c->modrm & 0x38) >> 3;
821 c->modrm_rm |= (c->modrm & 0x07);
825 if (c->modrm_mod == 3) {
826 c->modrm_ptr = decode_register(c->modrm_rm,
827 c->regs, c->d & ByteOp);
828 c->modrm_val = *(unsigned long *)c->modrm_ptr;
832 if (c->ad_bytes == 2) {
833 unsigned bx = c->regs[VCPU_REGS_RBX];
834 unsigned bp = c->regs[VCPU_REGS_RBP];
835 unsigned si = c->regs[VCPU_REGS_RSI];
836 unsigned di = c->regs[VCPU_REGS_RDI];
838 /* 16-bit ModR/M decode. */
839 switch (c->modrm_mod) {
841 if (c->modrm_rm == 6)
842 c->modrm_ea += insn_fetch(u16, 2, c->eip);
845 c->modrm_ea += insn_fetch(s8, 1, c->eip);
848 c->modrm_ea += insn_fetch(u16, 2, c->eip);
851 switch (c->modrm_rm) {
853 c->modrm_ea += bx + si;
856 c->modrm_ea += bx + di;
859 c->modrm_ea += bp + si;
862 c->modrm_ea += bp + di;
871 if (c->modrm_mod != 0)
878 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
879 (c->modrm_rm == 6 && c->modrm_mod != 0))
880 if (!c->has_seg_override)
881 set_seg_override(c, VCPU_SREG_SS);
882 c->modrm_ea = (u16)c->modrm_ea;
884 /* 32/64-bit ModR/M decode. */
885 if ((c->modrm_rm & 7) == 4) {
886 sib = insn_fetch(u8, 1, c->eip);
887 index_reg |= (sib >> 3) & 7;
891 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
892 c->modrm_ea += insn_fetch(s32, 4, c->eip);
894 c->modrm_ea += c->regs[base_reg];
896 c->modrm_ea += c->regs[index_reg] << scale;
897 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
898 if (ctxt->mode == X86EMUL_MODE_PROT64)
901 c->modrm_ea += c->regs[c->modrm_rm];
902 switch (c->modrm_mod) {
904 if (c->modrm_rm == 5)
905 c->modrm_ea += insn_fetch(s32, 4, c->eip);
908 c->modrm_ea += insn_fetch(s8, 1, c->eip);
911 c->modrm_ea += insn_fetch(s32, 4, c->eip);
919 static int decode_abs(struct x86_emulate_ctxt *ctxt,
920 struct x86_emulate_ops *ops)
922 struct decode_cache *c = &ctxt->decode;
923 int rc = X86EMUL_CONTINUE;
925 switch (c->ad_bytes) {
927 c->modrm_ea = insn_fetch(u16, 2, c->eip);
930 c->modrm_ea = insn_fetch(u32, 4, c->eip);
933 c->modrm_ea = insn_fetch(u64, 8, c->eip);
941 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
943 struct decode_cache *c = &ctxt->decode;
944 int rc = X86EMUL_CONTINUE;
945 int mode = ctxt->mode;
946 int def_op_bytes, def_ad_bytes, group, dual, goffset;
947 struct opcode opcode, *g_mod012, *g_mod3;
949 /* we cannot decode insn before we complete previous rep insn */
950 WARN_ON(ctxt->restart);
953 c->fetch.start = c->fetch.end = c->eip;
954 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
957 case X86EMUL_MODE_REAL:
958 case X86EMUL_MODE_VM86:
959 case X86EMUL_MODE_PROT16:
960 def_op_bytes = def_ad_bytes = 2;
962 case X86EMUL_MODE_PROT32:
963 def_op_bytes = def_ad_bytes = 4;
966 case X86EMUL_MODE_PROT64:
975 c->op_bytes = def_op_bytes;
976 c->ad_bytes = def_ad_bytes;
978 /* Legacy prefixes. */
980 switch (c->b = insn_fetch(u8, 1, c->eip)) {
981 case 0x66: /* operand-size override */
982 /* switch between 2/4 bytes */
983 c->op_bytes = def_op_bytes ^ 6;
985 case 0x67: /* address-size override */
986 if (mode == X86EMUL_MODE_PROT64)
987 /* switch between 4/8 bytes */
988 c->ad_bytes = def_ad_bytes ^ 12;
990 /* switch between 2/4 bytes */
991 c->ad_bytes = def_ad_bytes ^ 6;
993 case 0x26: /* ES override */
994 case 0x2e: /* CS override */
995 case 0x36: /* SS override */
996 case 0x3e: /* DS override */
997 set_seg_override(c, (c->b >> 3) & 3);
999 case 0x64: /* FS override */
1000 case 0x65: /* GS override */
1001 set_seg_override(c, c->b & 7);
1003 case 0x40 ... 0x4f: /* REX */
1004 if (mode != X86EMUL_MODE_PROT64)
1006 c->rex_prefix = c->b;
1008 case 0xf0: /* LOCK */
1011 case 0xf2: /* REPNE/REPNZ */
1012 c->rep_prefix = REPNE_PREFIX;
1014 case 0xf3: /* REP/REPE/REPZ */
1015 c->rep_prefix = REPE_PREFIX;
1021 /* Any legacy prefix after a REX prefix nullifies its effect. */
1030 if (c->rex_prefix & 8)
1031 c->op_bytes = 8; /* REX.W */
1033 /* Opcode byte(s). */
1034 opcode = opcode_table[c->b];
1035 if (opcode.flags == 0) {
1036 /* Two-byte opcode? */
1039 c->b = insn_fetch(u8, 1, c->eip);
1040 opcode = twobyte_table[c->b];
1043 c->d = opcode.flags;
1046 group = c->d & GroupMask;
1047 dual = c->d & GroupDual;
1048 c->modrm = insn_fetch(u8, 1, c->eip);
1052 g_mod012 = g_mod3 = &group_table[group * 8];
1053 if (c->d & GroupDual)
1054 g_mod3 = &group2_table[group * 8];
1056 if (c->d & GroupDual) {
1057 g_mod012 = opcode.u.gdual->mod012;
1058 g_mod3 = opcode.u.gdual->mod3;
1060 g_mod012 = g_mod3 = opcode.u.group;
1063 c->d &= ~(Group | GroupDual | GroupMask);
1065 goffset = (c->modrm >> 3) & 7;
1067 if ((c->modrm >> 6) == 3)
1068 opcode = g_mod3[goffset];
1070 opcode = g_mod012[goffset];
1071 c->d |= opcode.flags;
1075 if (c->d == 0 || (c->d & Undefined)) {
1076 DPRINTF("Cannot emulate %02x\n", c->b);
1080 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1083 /* ModRM and SIB bytes. */
1085 rc = decode_modrm(ctxt, ops);
1086 else if (c->d & MemAbs)
1087 rc = decode_abs(ctxt, ops);
1088 if (rc != X86EMUL_CONTINUE)
1091 if (!c->has_seg_override)
1092 set_seg_override(c, VCPU_SREG_DS);
1094 if (!(!c->twobyte && c->b == 0x8d))
1095 c->modrm_ea += seg_override_base(ctxt, ops, c);
1097 if (c->ad_bytes != 8)
1098 c->modrm_ea = (u32)c->modrm_ea;
1100 if (c->rip_relative)
1101 c->modrm_ea += c->eip;
1104 * Decode and fetch the source operand: register, memory
1107 switch (c->d & SrcMask) {
1111 decode_register_operand(&c->src, c, 0);
1120 c->src.bytes = (c->d & ByteOp) ? 1 :
1122 /* Don't fetch the address for invlpg: it could be unmapped. */
1123 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1127 * For instructions with a ModR/M byte, switch to register
1128 * access if Mod = 3.
1130 if ((c->d & ModRM) && c->modrm_mod == 3) {
1131 c->src.type = OP_REG;
1132 c->src.val = c->modrm_val;
1133 c->src.ptr = c->modrm_ptr;
1136 c->src.type = OP_MEM;
1137 c->src.ptr = (unsigned long *)c->modrm_ea;
1142 c->src.type = OP_IMM;
1143 c->src.ptr = (unsigned long *)c->eip;
1144 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1145 if (c->src.bytes == 8)
1147 /* NB. Immediates are sign-extended as necessary. */
1148 switch (c->src.bytes) {
1150 c->src.val = insn_fetch(s8, 1, c->eip);
1153 c->src.val = insn_fetch(s16, 2, c->eip);
1156 c->src.val = insn_fetch(s32, 4, c->eip);
1159 if ((c->d & SrcMask) == SrcImmU) {
1160 switch (c->src.bytes) {
1165 c->src.val &= 0xffff;
1168 c->src.val &= 0xffffffff;
1175 c->src.type = OP_IMM;
1176 c->src.ptr = (unsigned long *)c->eip;
1178 if ((c->d & SrcMask) == SrcImmByte)
1179 c->src.val = insn_fetch(s8, 1, c->eip);
1181 c->src.val = insn_fetch(u8, 1, c->eip);
1184 c->src.type = OP_REG;
1185 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1186 c->src.ptr = &c->regs[VCPU_REGS_RAX];
1187 switch (c->src.bytes) {
1189 c->src.val = *(u8 *)c->src.ptr;
1192 c->src.val = *(u16 *)c->src.ptr;
1195 c->src.val = *(u32 *)c->src.ptr;
1198 c->src.val = *(u64 *)c->src.ptr;
1207 c->src.type = OP_MEM;
1208 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1209 c->src.ptr = (unsigned long *)
1210 register_address(c, seg_override_base(ctxt, ops, c),
1211 c->regs[VCPU_REGS_RSI]);
1215 c->src.type = OP_IMM;
1216 c->src.ptr = (unsigned long *)c->eip;
1217 c->src.bytes = c->op_bytes + 2;
1218 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
1221 c->src.type = OP_MEM;
1222 c->src.ptr = (unsigned long *)c->modrm_ea;
1223 c->src.bytes = c->op_bytes + 2;
1228 * Decode and fetch the second source operand: register, memory
1231 switch (c->d & Src2Mask) {
1236 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1239 c->src2.type = OP_IMM;
1240 c->src2.ptr = (unsigned long *)c->eip;
1242 c->src2.val = insn_fetch(u8, 1, c->eip);
1250 /* Decode and fetch the destination operand: register or memory. */
1251 switch (c->d & DstMask) {
1253 /* Special instructions do their own operand decoding. */
1256 decode_register_operand(&c->dst, c,
1257 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1261 if ((c->d & ModRM) && c->modrm_mod == 3) {
1262 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1263 c->dst.type = OP_REG;
1264 c->dst.val = c->dst.orig_val = c->modrm_val;
1265 c->dst.ptr = c->modrm_ptr;
1268 c->dst.type = OP_MEM;
1269 c->dst.ptr = (unsigned long *)c->modrm_ea;
1270 if ((c->d & DstMask) == DstMem64)
1273 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1276 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1278 c->dst.ptr = (void *)c->dst.ptr +
1279 (c->src.val & mask) / 8;
1283 c->dst.type = OP_REG;
1284 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1285 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1286 switch (c->dst.bytes) {
1288 c->dst.val = *(u8 *)c->dst.ptr;
1291 c->dst.val = *(u16 *)c->dst.ptr;
1294 c->dst.val = *(u32 *)c->dst.ptr;
1297 c->dst.val = *(u64 *)c->dst.ptr;
1300 c->dst.orig_val = c->dst.val;
1303 c->dst.type = OP_MEM;
1304 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1305 c->dst.ptr = (unsigned long *)
1306 register_address(c, es_base(ctxt, ops),
1307 c->regs[VCPU_REGS_RDI]);
1313 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1316 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1317 struct x86_emulate_ops *ops,
1318 unsigned long addr, void *dest, unsigned size)
1321 struct read_cache *mc = &ctxt->decode.mem_read;
1325 int n = min(size, 8u);
1327 if (mc->pos < mc->end)
1330 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
1332 if (rc == X86EMUL_PROPAGATE_FAULT)
1333 emulate_pf(ctxt, addr, err);
1334 if (rc != X86EMUL_CONTINUE)
1339 memcpy(dest, mc->data + mc->pos, n);
1344 return X86EMUL_CONTINUE;
1347 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1348 struct x86_emulate_ops *ops,
1349 unsigned int size, unsigned short port,
1352 struct read_cache *rc = &ctxt->decode.io_read;
1354 if (rc->pos == rc->end) { /* refill pio read ahead */
1355 struct decode_cache *c = &ctxt->decode;
1356 unsigned int in_page, n;
1357 unsigned int count = c->rep_prefix ?
1358 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1359 in_page = (ctxt->eflags & EFLG_DF) ?
1360 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1361 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1362 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1366 rc->pos = rc->end = 0;
1367 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1372 memcpy(dest, rc->data + rc->pos, size);
1377 static u32 desc_limit_scaled(struct desc_struct *desc)
1379 u32 limit = get_desc_limit(desc);
1381 return desc->g ? (limit << 12) | 0xfff : limit;
1384 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1385 struct x86_emulate_ops *ops,
1386 u16 selector, struct desc_ptr *dt)
1388 if (selector & 1 << 2) {
1389 struct desc_struct desc;
1390 memset (dt, 0, sizeof *dt);
1391 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1394 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1395 dt->address = get_desc_base(&desc);
1397 ops->get_gdt(dt, ctxt->vcpu);
1400 /* allowed just for 8 bytes segments */
1401 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1402 struct x86_emulate_ops *ops,
1403 u16 selector, struct desc_struct *desc)
1406 u16 index = selector >> 3;
1411 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1413 if (dt.size < index * 8 + 7) {
1414 emulate_gp(ctxt, selector & 0xfffc);
1415 return X86EMUL_PROPAGATE_FAULT;
1417 addr = dt.address + index * 8;
1418 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1419 if (ret == X86EMUL_PROPAGATE_FAULT)
1420 emulate_pf(ctxt, addr, err);
1425 /* allowed just for 8 bytes segments */
1426 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1427 struct x86_emulate_ops *ops,
1428 u16 selector, struct desc_struct *desc)
1431 u16 index = selector >> 3;
1436 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1438 if (dt.size < index * 8 + 7) {
1439 emulate_gp(ctxt, selector & 0xfffc);
1440 return X86EMUL_PROPAGATE_FAULT;
1443 addr = dt.address + index * 8;
1444 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1445 if (ret == X86EMUL_PROPAGATE_FAULT)
1446 emulate_pf(ctxt, addr, err);
1451 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1452 struct x86_emulate_ops *ops,
1453 u16 selector, int seg)
1455 struct desc_struct seg_desc;
1457 unsigned err_vec = GP_VECTOR;
1459 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1462 memset(&seg_desc, 0, sizeof seg_desc);
1464 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1465 || ctxt->mode == X86EMUL_MODE_REAL) {
1466 /* set real mode segment descriptor */
1467 set_desc_base(&seg_desc, selector << 4);
1468 set_desc_limit(&seg_desc, 0xffff);
1475 /* NULL selector is not valid for TR, CS and SS */
1476 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1480 /* TR should be in GDT only */
1481 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1484 if (null_selector) /* for NULL selector skip all following checks */
1487 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1488 if (ret != X86EMUL_CONTINUE)
1491 err_code = selector & 0xfffc;
1492 err_vec = GP_VECTOR;
1494 /* can't load system descriptor into segment selecor */
1495 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1499 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1505 cpl = ops->cpl(ctxt->vcpu);
1510 * segment is not a writable data segment or segment
1511 * selector's RPL != CPL or segment selector's RPL != CPL
1513 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1517 if (!(seg_desc.type & 8))
1520 if (seg_desc.type & 4) {
1526 if (rpl > cpl || dpl != cpl)
1529 /* CS(RPL) <- CPL */
1530 selector = (selector & 0xfffc) | cpl;
1533 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1536 case VCPU_SREG_LDTR:
1537 if (seg_desc.s || seg_desc.type != 2)
1540 default: /* DS, ES, FS, or GS */
1542 * segment is not a data or readable code segment or
1543 * ((segment is a data or nonconforming code segment)
1544 * and (both RPL and CPL > DPL))
1546 if ((seg_desc.type & 0xa) == 0x8 ||
1547 (((seg_desc.type & 0xc) != 0xc) &&
1548 (rpl > dpl && cpl > dpl)))
1554 /* mark segment as accessed */
1556 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1557 if (ret != X86EMUL_CONTINUE)
1561 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1562 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1563 return X86EMUL_CONTINUE;
1565 emulate_exception(ctxt, err_vec, err_code, true);
1566 return X86EMUL_PROPAGATE_FAULT;
1569 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1570 struct x86_emulate_ops *ops)
1573 struct decode_cache *c = &ctxt->decode;
1576 switch (c->dst.type) {
1578 /* The 4-byte case *is* correct:
1579 * in 64-bit mode we zero-extend.
1581 switch (c->dst.bytes) {
1583 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1586 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1589 *c->dst.ptr = (u32)c->dst.val;
1590 break; /* 64b: zero-ext */
1592 *c->dst.ptr = c->dst.val;
1598 rc = ops->cmpxchg_emulated(
1599 (unsigned long)c->dst.ptr,
1606 rc = ops->write_emulated(
1607 (unsigned long)c->dst.ptr,
1612 if (rc == X86EMUL_PROPAGATE_FAULT)
1614 (unsigned long)c->dst.ptr, err);
1615 if (rc != X86EMUL_CONTINUE)
1624 return X86EMUL_CONTINUE;
1627 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1628 struct x86_emulate_ops *ops)
1630 struct decode_cache *c = &ctxt->decode;
1632 c->dst.type = OP_MEM;
1633 c->dst.bytes = c->op_bytes;
1634 c->dst.val = c->src.val;
1635 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1636 c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1637 c->regs[VCPU_REGS_RSP]);
1640 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1641 struct x86_emulate_ops *ops,
1642 void *dest, int len)
1644 struct decode_cache *c = &ctxt->decode;
1647 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1648 c->regs[VCPU_REGS_RSP]),
1650 if (rc != X86EMUL_CONTINUE)
1653 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1657 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1658 struct x86_emulate_ops *ops,
1659 void *dest, int len)
1662 unsigned long val, change_mask;
1663 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1664 int cpl = ops->cpl(ctxt->vcpu);
1666 rc = emulate_pop(ctxt, ops, &val, len);
1667 if (rc != X86EMUL_CONTINUE)
1670 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1671 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1673 switch(ctxt->mode) {
1674 case X86EMUL_MODE_PROT64:
1675 case X86EMUL_MODE_PROT32:
1676 case X86EMUL_MODE_PROT16:
1678 change_mask |= EFLG_IOPL;
1680 change_mask |= EFLG_IF;
1682 case X86EMUL_MODE_VM86:
1684 emulate_gp(ctxt, 0);
1685 return X86EMUL_PROPAGATE_FAULT;
1687 change_mask |= EFLG_IF;
1689 default: /* real mode */
1690 change_mask |= (EFLG_IOPL | EFLG_IF);
1694 *(unsigned long *)dest =
1695 (ctxt->eflags & ~change_mask) | (val & change_mask);
1700 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1701 struct x86_emulate_ops *ops, int seg)
1703 struct decode_cache *c = &ctxt->decode;
1705 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1707 emulate_push(ctxt, ops);
1710 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1711 struct x86_emulate_ops *ops, int seg)
1713 struct decode_cache *c = &ctxt->decode;
1714 unsigned long selector;
1717 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1718 if (rc != X86EMUL_CONTINUE)
1721 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1725 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1726 struct x86_emulate_ops *ops)
1728 struct decode_cache *c = &ctxt->decode;
1729 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1730 int rc = X86EMUL_CONTINUE;
1731 int reg = VCPU_REGS_RAX;
1733 while (reg <= VCPU_REGS_RDI) {
1734 (reg == VCPU_REGS_RSP) ?
1735 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1737 emulate_push(ctxt, ops);
1739 rc = writeback(ctxt, ops);
1740 if (rc != X86EMUL_CONTINUE)
1746 /* Disable writeback. */
1747 c->dst.type = OP_NONE;
1752 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1753 struct x86_emulate_ops *ops)
1755 struct decode_cache *c = &ctxt->decode;
1756 int rc = X86EMUL_CONTINUE;
1757 int reg = VCPU_REGS_RDI;
1759 while (reg >= VCPU_REGS_RAX) {
1760 if (reg == VCPU_REGS_RSP) {
1761 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1766 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1767 if (rc != X86EMUL_CONTINUE)
1774 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1775 struct x86_emulate_ops *ops)
1777 struct decode_cache *c = &ctxt->decode;
1778 int rc = X86EMUL_CONTINUE;
1779 unsigned long temp_eip = 0;
1780 unsigned long temp_eflags = 0;
1781 unsigned long cs = 0;
1782 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1783 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1784 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1785 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1787 /* TODO: Add stack limit check */
1789 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1791 if (rc != X86EMUL_CONTINUE)
1794 if (temp_eip & ~0xffff) {
1795 emulate_gp(ctxt, 0);
1796 return X86EMUL_PROPAGATE_FAULT;
1799 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1801 if (rc != X86EMUL_CONTINUE)
1804 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1806 if (rc != X86EMUL_CONTINUE)
1809 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1811 if (rc != X86EMUL_CONTINUE)
1817 if (c->op_bytes == 4)
1818 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1819 else if (c->op_bytes == 2) {
1820 ctxt->eflags &= ~0xffff;
1821 ctxt->eflags |= temp_eflags;
1824 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1825 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1830 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1831 struct x86_emulate_ops* ops)
1833 switch(ctxt->mode) {
1834 case X86EMUL_MODE_REAL:
1835 return emulate_iret_real(ctxt, ops);
1836 case X86EMUL_MODE_VM86:
1837 case X86EMUL_MODE_PROT16:
1838 case X86EMUL_MODE_PROT32:
1839 case X86EMUL_MODE_PROT64:
1841 /* iret from protected mode unimplemented yet */
1842 return X86EMUL_UNHANDLEABLE;
1846 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1847 struct x86_emulate_ops *ops)
1849 struct decode_cache *c = &ctxt->decode;
1851 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1854 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1856 struct decode_cache *c = &ctxt->decode;
1857 switch (c->modrm_reg) {
1859 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1862 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1865 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1868 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1870 case 4: /* sal/shl */
1871 case 6: /* sal/shl */
1872 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1875 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1878 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1883 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1884 struct x86_emulate_ops *ops)
1886 struct decode_cache *c = &ctxt->decode;
1888 switch (c->modrm_reg) {
1889 case 0 ... 1: /* test */
1890 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1893 c->dst.val = ~c->dst.val;
1896 emulate_1op("neg", c->dst, ctxt->eflags);
1904 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1905 struct x86_emulate_ops *ops)
1907 struct decode_cache *c = &ctxt->decode;
1909 switch (c->modrm_reg) {
1911 emulate_1op("inc", c->dst, ctxt->eflags);
1914 emulate_1op("dec", c->dst, ctxt->eflags);
1916 case 2: /* call near abs */ {
1919 c->eip = c->src.val;
1920 c->src.val = old_eip;
1921 emulate_push(ctxt, ops);
1924 case 4: /* jmp abs */
1925 c->eip = c->src.val;
1928 emulate_push(ctxt, ops);
1931 return X86EMUL_CONTINUE;
1934 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1935 struct x86_emulate_ops *ops)
1937 struct decode_cache *c = &ctxt->decode;
1938 u64 old = c->dst.orig_val64;
1940 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1941 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1942 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1943 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1944 ctxt->eflags &= ~EFLG_ZF;
1946 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1947 (u32) c->regs[VCPU_REGS_RBX];
1949 ctxt->eflags |= EFLG_ZF;
1951 return X86EMUL_CONTINUE;
1954 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1955 struct x86_emulate_ops *ops)
1957 struct decode_cache *c = &ctxt->decode;
1961 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1962 if (rc != X86EMUL_CONTINUE)
1964 if (c->op_bytes == 4)
1965 c->eip = (u32)c->eip;
1966 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1967 if (rc != X86EMUL_CONTINUE)
1969 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1974 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1975 struct x86_emulate_ops *ops, struct desc_struct *cs,
1976 struct desc_struct *ss)
1978 memset(cs, 0, sizeof(struct desc_struct));
1979 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1980 memset(ss, 0, sizeof(struct desc_struct));
1982 cs->l = 0; /* will be adjusted later */
1983 set_desc_base(cs, 0); /* flat segment */
1984 cs->g = 1; /* 4kb granularity */
1985 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1986 cs->type = 0x0b; /* Read, Execute, Accessed */
1988 cs->dpl = 0; /* will be adjusted later */
1992 set_desc_base(ss, 0); /* flat segment */
1993 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1994 ss->g = 1; /* 4kb granularity */
1996 ss->type = 0x03; /* Read/Write, Accessed */
1997 ss->d = 1; /* 32bit stack segment */
2003 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2005 struct decode_cache *c = &ctxt->decode;
2006 struct desc_struct cs, ss;
2010 /* syscall is not available in real mode */
2011 if (ctxt->mode == X86EMUL_MODE_REAL ||
2012 ctxt->mode == X86EMUL_MODE_VM86) {
2014 return X86EMUL_PROPAGATE_FAULT;
2017 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2019 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
2021 cs_sel = (u16)(msr_data & 0xfffc);
2022 ss_sel = (u16)(msr_data + 8);
2024 if (is_long_mode(ctxt->vcpu)) {
2028 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2029 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2030 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2031 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2033 c->regs[VCPU_REGS_RCX] = c->eip;
2034 if (is_long_mode(ctxt->vcpu)) {
2035 #ifdef CONFIG_X86_64
2036 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
2038 ops->get_msr(ctxt->vcpu,
2039 ctxt->mode == X86EMUL_MODE_PROT64 ?
2040 MSR_LSTAR : MSR_CSTAR, &msr_data);
2043 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
2044 ctxt->eflags &= ~(msr_data | EFLG_RF);
2048 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
2049 c->eip = (u32)msr_data;
2051 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2054 return X86EMUL_CONTINUE;
2058 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2060 struct decode_cache *c = &ctxt->decode;
2061 struct desc_struct cs, ss;
2065 /* inject #GP if in real mode */
2066 if (ctxt->mode == X86EMUL_MODE_REAL) {
2067 emulate_gp(ctxt, 0);
2068 return X86EMUL_PROPAGATE_FAULT;
2071 /* XXX sysenter/sysexit have not been tested in 64bit mode.
2072 * Therefore, we inject an #UD.
2074 if (ctxt->mode == X86EMUL_MODE_PROT64) {
2076 return X86EMUL_PROPAGATE_FAULT;
2079 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2081 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2082 switch (ctxt->mode) {
2083 case X86EMUL_MODE_PROT32:
2084 if ((msr_data & 0xfffc) == 0x0) {
2085 emulate_gp(ctxt, 0);
2086 return X86EMUL_PROPAGATE_FAULT;
2089 case X86EMUL_MODE_PROT64:
2090 if (msr_data == 0x0) {
2091 emulate_gp(ctxt, 0);
2092 return X86EMUL_PROPAGATE_FAULT;
2097 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2098 cs_sel = (u16)msr_data;
2099 cs_sel &= ~SELECTOR_RPL_MASK;
2100 ss_sel = cs_sel + 8;
2101 ss_sel &= ~SELECTOR_RPL_MASK;
2102 if (ctxt->mode == X86EMUL_MODE_PROT64
2103 || is_long_mode(ctxt->vcpu)) {
2108 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2109 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2110 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2111 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2113 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
2116 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
2117 c->regs[VCPU_REGS_RSP] = msr_data;
2119 return X86EMUL_CONTINUE;
2123 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2125 struct decode_cache *c = &ctxt->decode;
2126 struct desc_struct cs, ss;
2131 /* inject #GP if in real mode or Virtual 8086 mode */
2132 if (ctxt->mode == X86EMUL_MODE_REAL ||
2133 ctxt->mode == X86EMUL_MODE_VM86) {
2134 emulate_gp(ctxt, 0);
2135 return X86EMUL_PROPAGATE_FAULT;
2138 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2140 if ((c->rex_prefix & 0x8) != 0x0)
2141 usermode = X86EMUL_MODE_PROT64;
2143 usermode = X86EMUL_MODE_PROT32;
2147 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2149 case X86EMUL_MODE_PROT32:
2150 cs_sel = (u16)(msr_data + 16);
2151 if ((msr_data & 0xfffc) == 0x0) {
2152 emulate_gp(ctxt, 0);
2153 return X86EMUL_PROPAGATE_FAULT;
2155 ss_sel = (u16)(msr_data + 24);
2157 case X86EMUL_MODE_PROT64:
2158 cs_sel = (u16)(msr_data + 32);
2159 if (msr_data == 0x0) {
2160 emulate_gp(ctxt, 0);
2161 return X86EMUL_PROPAGATE_FAULT;
2163 ss_sel = cs_sel + 8;
2168 cs_sel |= SELECTOR_RPL_MASK;
2169 ss_sel |= SELECTOR_RPL_MASK;
2171 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2172 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2173 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2174 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2176 c->eip = c->regs[VCPU_REGS_RDX];
2177 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
2179 return X86EMUL_CONTINUE;
2182 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
2183 struct x86_emulate_ops *ops)
2186 if (ctxt->mode == X86EMUL_MODE_REAL)
2188 if (ctxt->mode == X86EMUL_MODE_VM86)
2190 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2191 return ops->cpl(ctxt->vcpu) > iopl;
2194 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2195 struct x86_emulate_ops *ops,
2198 struct desc_struct tr_seg;
2201 u8 perm, bit_idx = port & 0x7;
2202 unsigned mask = (1 << len) - 1;
2204 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
2207 if (desc_limit_scaled(&tr_seg) < 103)
2209 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
2211 if (r != X86EMUL_CONTINUE)
2213 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2215 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
2216 &perm, 1, ctxt->vcpu, NULL);
2217 if (r != X86EMUL_CONTINUE)
2219 if ((perm >> bit_idx) & mask)
2224 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2225 struct x86_emulate_ops *ops,
2228 if (emulator_bad_iopl(ctxt, ops))
2229 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2234 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2235 struct x86_emulate_ops *ops,
2236 struct tss_segment_16 *tss)
2238 struct decode_cache *c = &ctxt->decode;
2241 tss->flag = ctxt->eflags;
2242 tss->ax = c->regs[VCPU_REGS_RAX];
2243 tss->cx = c->regs[VCPU_REGS_RCX];
2244 tss->dx = c->regs[VCPU_REGS_RDX];
2245 tss->bx = c->regs[VCPU_REGS_RBX];
2246 tss->sp = c->regs[VCPU_REGS_RSP];
2247 tss->bp = c->regs[VCPU_REGS_RBP];
2248 tss->si = c->regs[VCPU_REGS_RSI];
2249 tss->di = c->regs[VCPU_REGS_RDI];
2251 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2252 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2253 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2254 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2255 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2258 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2259 struct x86_emulate_ops *ops,
2260 struct tss_segment_16 *tss)
2262 struct decode_cache *c = &ctxt->decode;
2266 ctxt->eflags = tss->flag | 2;
2267 c->regs[VCPU_REGS_RAX] = tss->ax;
2268 c->regs[VCPU_REGS_RCX] = tss->cx;
2269 c->regs[VCPU_REGS_RDX] = tss->dx;
2270 c->regs[VCPU_REGS_RBX] = tss->bx;
2271 c->regs[VCPU_REGS_RSP] = tss->sp;
2272 c->regs[VCPU_REGS_RBP] = tss->bp;
2273 c->regs[VCPU_REGS_RSI] = tss->si;
2274 c->regs[VCPU_REGS_RDI] = tss->di;
2277 * SDM says that segment selectors are loaded before segment
2280 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2281 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2282 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2283 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2284 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2287 * Now load segment descriptors. If fault happenes at this stage
2288 * it is handled in a context of new task
2290 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2291 if (ret != X86EMUL_CONTINUE)
2293 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2294 if (ret != X86EMUL_CONTINUE)
2296 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2297 if (ret != X86EMUL_CONTINUE)
2299 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2300 if (ret != X86EMUL_CONTINUE)
2302 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2303 if (ret != X86EMUL_CONTINUE)
2306 return X86EMUL_CONTINUE;
2309 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2310 struct x86_emulate_ops *ops,
2311 u16 tss_selector, u16 old_tss_sel,
2312 ulong old_tss_base, struct desc_struct *new_desc)
2314 struct tss_segment_16 tss_seg;
2316 u32 err, new_tss_base = get_desc_base(new_desc);
2318 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2320 if (ret == X86EMUL_PROPAGATE_FAULT) {
2321 /* FIXME: need to provide precise fault address */
2322 emulate_pf(ctxt, old_tss_base, err);
2326 save_state_to_tss16(ctxt, ops, &tss_seg);
2328 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2330 if (ret == X86EMUL_PROPAGATE_FAULT) {
2331 /* FIXME: need to provide precise fault address */
2332 emulate_pf(ctxt, old_tss_base, err);
2336 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2338 if (ret == X86EMUL_PROPAGATE_FAULT) {
2339 /* FIXME: need to provide precise fault address */
2340 emulate_pf(ctxt, new_tss_base, err);
2344 if (old_tss_sel != 0xffff) {
2345 tss_seg.prev_task_link = old_tss_sel;
2347 ret = ops->write_std(new_tss_base,
2348 &tss_seg.prev_task_link,
2349 sizeof tss_seg.prev_task_link,
2351 if (ret == X86EMUL_PROPAGATE_FAULT) {
2352 /* FIXME: need to provide precise fault address */
2353 emulate_pf(ctxt, new_tss_base, err);
2358 return load_state_from_tss16(ctxt, ops, &tss_seg);
2361 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2362 struct x86_emulate_ops *ops,
2363 struct tss_segment_32 *tss)
2365 struct decode_cache *c = &ctxt->decode;
2367 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2369 tss->eflags = ctxt->eflags;
2370 tss->eax = c->regs[VCPU_REGS_RAX];
2371 tss->ecx = c->regs[VCPU_REGS_RCX];
2372 tss->edx = c->regs[VCPU_REGS_RDX];
2373 tss->ebx = c->regs[VCPU_REGS_RBX];
2374 tss->esp = c->regs[VCPU_REGS_RSP];
2375 tss->ebp = c->regs[VCPU_REGS_RBP];
2376 tss->esi = c->regs[VCPU_REGS_RSI];
2377 tss->edi = c->regs[VCPU_REGS_RDI];
2379 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2380 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2381 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2382 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2383 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2384 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2385 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2388 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2389 struct x86_emulate_ops *ops,
2390 struct tss_segment_32 *tss)
2392 struct decode_cache *c = &ctxt->decode;
2395 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2396 emulate_gp(ctxt, 0);
2397 return X86EMUL_PROPAGATE_FAULT;
2400 ctxt->eflags = tss->eflags | 2;
2401 c->regs[VCPU_REGS_RAX] = tss->eax;
2402 c->regs[VCPU_REGS_RCX] = tss->ecx;
2403 c->regs[VCPU_REGS_RDX] = tss->edx;
2404 c->regs[VCPU_REGS_RBX] = tss->ebx;
2405 c->regs[VCPU_REGS_RSP] = tss->esp;
2406 c->regs[VCPU_REGS_RBP] = tss->ebp;
2407 c->regs[VCPU_REGS_RSI] = tss->esi;
2408 c->regs[VCPU_REGS_RDI] = tss->edi;
2411 * SDM says that segment selectors are loaded before segment
2414 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2415 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2416 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2417 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2418 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2419 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2420 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2423 * Now load segment descriptors. If fault happenes at this stage
2424 * it is handled in a context of new task
2426 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2427 if (ret != X86EMUL_CONTINUE)
2429 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2430 if (ret != X86EMUL_CONTINUE)
2432 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2433 if (ret != X86EMUL_CONTINUE)
2435 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2436 if (ret != X86EMUL_CONTINUE)
2438 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2439 if (ret != X86EMUL_CONTINUE)
2441 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2442 if (ret != X86EMUL_CONTINUE)
2444 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2445 if (ret != X86EMUL_CONTINUE)
2448 return X86EMUL_CONTINUE;
2451 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2452 struct x86_emulate_ops *ops,
2453 u16 tss_selector, u16 old_tss_sel,
2454 ulong old_tss_base, struct desc_struct *new_desc)
2456 struct tss_segment_32 tss_seg;
2458 u32 err, new_tss_base = get_desc_base(new_desc);
2460 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2462 if (ret == X86EMUL_PROPAGATE_FAULT) {
2463 /* FIXME: need to provide precise fault address */
2464 emulate_pf(ctxt, old_tss_base, err);
2468 save_state_to_tss32(ctxt, ops, &tss_seg);
2470 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2472 if (ret == X86EMUL_PROPAGATE_FAULT) {
2473 /* FIXME: need to provide precise fault address */
2474 emulate_pf(ctxt, old_tss_base, err);
2478 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2480 if (ret == X86EMUL_PROPAGATE_FAULT) {
2481 /* FIXME: need to provide precise fault address */
2482 emulate_pf(ctxt, new_tss_base, err);
2486 if (old_tss_sel != 0xffff) {
2487 tss_seg.prev_task_link = old_tss_sel;
2489 ret = ops->write_std(new_tss_base,
2490 &tss_seg.prev_task_link,
2491 sizeof tss_seg.prev_task_link,
2493 if (ret == X86EMUL_PROPAGATE_FAULT) {
2494 /* FIXME: need to provide precise fault address */
2495 emulate_pf(ctxt, new_tss_base, err);
2500 return load_state_from_tss32(ctxt, ops, &tss_seg);
2503 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2504 struct x86_emulate_ops *ops,
2505 u16 tss_selector, int reason,
2506 bool has_error_code, u32 error_code)
2508 struct desc_struct curr_tss_desc, next_tss_desc;
2510 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2511 ulong old_tss_base =
2512 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2515 /* FIXME: old_tss_base == ~0 ? */
2517 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2518 if (ret != X86EMUL_CONTINUE)
2520 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2521 if (ret != X86EMUL_CONTINUE)
2524 /* FIXME: check that next_tss_desc is tss */
2526 if (reason != TASK_SWITCH_IRET) {
2527 if ((tss_selector & 3) > next_tss_desc.dpl ||
2528 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2529 emulate_gp(ctxt, 0);
2530 return X86EMUL_PROPAGATE_FAULT;
2534 desc_limit = desc_limit_scaled(&next_tss_desc);
2535 if (!next_tss_desc.p ||
2536 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2537 desc_limit < 0x2b)) {
2538 emulate_ts(ctxt, tss_selector & 0xfffc);
2539 return X86EMUL_PROPAGATE_FAULT;
2542 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2543 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2544 write_segment_descriptor(ctxt, ops, old_tss_sel,
2548 if (reason == TASK_SWITCH_IRET)
2549 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2551 /* set back link to prev task only if NT bit is set in eflags
2552 note that old_tss_sel is not used afetr this point */
2553 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2554 old_tss_sel = 0xffff;
2556 if (next_tss_desc.type & 8)
2557 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2558 old_tss_base, &next_tss_desc);
2560 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2561 old_tss_base, &next_tss_desc);
2562 if (ret != X86EMUL_CONTINUE)
2565 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2566 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2568 if (reason != TASK_SWITCH_IRET) {
2569 next_tss_desc.type |= (1 << 1); /* set busy flag */
2570 write_segment_descriptor(ctxt, ops, tss_selector,
2574 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2575 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2576 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2578 if (has_error_code) {
2579 struct decode_cache *c = &ctxt->decode;
2581 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2583 c->src.val = (unsigned long) error_code;
2584 emulate_push(ctxt, ops);
2590 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2591 struct x86_emulate_ops *ops,
2592 u16 tss_selector, int reason,
2593 bool has_error_code, u32 error_code)
2595 struct decode_cache *c = &ctxt->decode;
2599 c->dst.type = OP_NONE;
2601 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2602 has_error_code, error_code);
2604 if (rc == X86EMUL_CONTINUE) {
2605 rc = writeback(ctxt, ops);
2606 if (rc == X86EMUL_CONTINUE)
2610 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2613 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2614 int reg, struct operand *op)
2616 struct decode_cache *c = &ctxt->decode;
2617 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2619 register_address_increment(c, &c->regs[reg], df * op->bytes);
2620 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2624 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2627 struct decode_cache *c = &ctxt->decode;
2628 int rc = X86EMUL_CONTINUE;
2629 int saved_dst_type = c->dst.type;
2631 ctxt->decode.mem_read.pos = 0;
2633 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2638 /* LOCK prefix is allowed only with some instructions */
2639 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2644 /* Privileged instruction can be executed only in CPL=0 */
2645 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2646 emulate_gp(ctxt, 0);
2650 if (c->rep_prefix && (c->d & String)) {
2651 ctxt->restart = true;
2652 /* All REP prefixes have the same first termination condition */
2653 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2655 ctxt->restart = false;
2659 /* The second termination condition only applies for REPE
2660 * and REPNE. Test if the repeat string operation prefix is
2661 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2662 * corresponding termination condition according to:
2663 * - if REPE/REPZ and ZF = 0 then done
2664 * - if REPNE/REPNZ and ZF = 1 then done
2666 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2667 (c->b == 0xae) || (c->b == 0xaf)) {
2668 if ((c->rep_prefix == REPE_PREFIX) &&
2669 ((ctxt->eflags & EFLG_ZF) == 0))
2671 if ((c->rep_prefix == REPNE_PREFIX) &&
2672 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2678 if (c->src.type == OP_MEM) {
2679 rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2680 c->src.valptr, c->src.bytes);
2681 if (rc != X86EMUL_CONTINUE)
2683 c->src.orig_val64 = c->src.val64;
2686 if (c->src2.type == OP_MEM) {
2687 rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
2688 &c->src2.val, c->src2.bytes);
2689 if (rc != X86EMUL_CONTINUE)
2693 if ((c->d & DstMask) == ImplicitOps)
2697 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2698 /* optimisation - avoid slow emulated read if Mov */
2699 rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
2700 &c->dst.val, c->dst.bytes);
2701 if (rc != X86EMUL_CONTINUE)
2704 c->dst.orig_val = c->dst.val;
2714 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2716 case 0x06: /* push es */
2717 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2719 case 0x07: /* pop es */
2720 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2721 if (rc != X86EMUL_CONTINUE)
2726 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2728 case 0x0e: /* push cs */
2729 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2733 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2735 case 0x16: /* push ss */
2736 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2738 case 0x17: /* pop ss */
2739 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2740 if (rc != X86EMUL_CONTINUE)
2745 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2747 case 0x1e: /* push ds */
2748 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2750 case 0x1f: /* pop ds */
2751 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2752 if (rc != X86EMUL_CONTINUE)
2757 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2761 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2765 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2769 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2771 case 0x40 ... 0x47: /* inc r16/r32 */
2772 emulate_1op("inc", c->dst, ctxt->eflags);
2774 case 0x48 ... 0x4f: /* dec r16/r32 */
2775 emulate_1op("dec", c->dst, ctxt->eflags);
2777 case 0x50 ... 0x57: /* push reg */
2778 emulate_push(ctxt, ops);
2780 case 0x58 ... 0x5f: /* pop reg */
2782 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2783 if (rc != X86EMUL_CONTINUE)
2786 case 0x60: /* pusha */
2787 rc = emulate_pusha(ctxt, ops);
2788 if (rc != X86EMUL_CONTINUE)
2791 case 0x61: /* popa */
2792 rc = emulate_popa(ctxt, ops);
2793 if (rc != X86EMUL_CONTINUE)
2796 case 0x63: /* movsxd */
2797 if (ctxt->mode != X86EMUL_MODE_PROT64)
2798 goto cannot_emulate;
2799 c->dst.val = (s32) c->src.val;
2801 case 0x68: /* push imm */
2802 case 0x6a: /* push imm8 */
2803 emulate_push(ctxt, ops);
2805 case 0x6c: /* insb */
2806 case 0x6d: /* insw/insd */
2807 c->dst.bytes = min(c->dst.bytes, 4u);
2808 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2810 emulate_gp(ctxt, 0);
2813 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2814 c->regs[VCPU_REGS_RDX], &c->dst.val))
2815 goto done; /* IO is needed, skip writeback */
2817 case 0x6e: /* outsb */
2818 case 0x6f: /* outsw/outsd */
2819 c->src.bytes = min(c->src.bytes, 4u);
2820 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2822 emulate_gp(ctxt, 0);
2825 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2826 &c->src.val, 1, ctxt->vcpu);
2828 c->dst.type = OP_NONE; /* nothing to writeback */
2830 case 0x70 ... 0x7f: /* jcc (short) */
2831 if (test_cc(c->b, ctxt->eflags))
2832 jmp_rel(c, c->src.val);
2834 case 0x80 ... 0x83: /* Grp1 */
2835 switch (c->modrm_reg) {
2856 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2858 case 0x86 ... 0x87: /* xchg */
2860 /* Write back the register source. */
2861 switch (c->dst.bytes) {
2863 *(u8 *) c->src.ptr = (u8) c->dst.val;
2866 *(u16 *) c->src.ptr = (u16) c->dst.val;
2869 *c->src.ptr = (u32) c->dst.val;
2870 break; /* 64b reg: zero-extend */
2872 *c->src.ptr = c->dst.val;
2876 * Write back the memory destination with implicit LOCK
2879 c->dst.val = c->src.val;
2882 case 0x88 ... 0x8b: /* mov */
2884 case 0x8c: /* mov r/m, sreg */
2885 if (c->modrm_reg > VCPU_SREG_GS) {
2889 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2891 case 0x8d: /* lea r16/r32, m */
2892 c->dst.val = c->modrm_ea;
2894 case 0x8e: { /* mov seg, r/m16 */
2899 if (c->modrm_reg == VCPU_SREG_CS ||
2900 c->modrm_reg > VCPU_SREG_GS) {
2905 if (c->modrm_reg == VCPU_SREG_SS)
2906 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2908 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2910 c->dst.type = OP_NONE; /* Disable writeback. */
2913 case 0x8f: /* pop (sole member of Grp1a) */
2914 rc = emulate_grp1a(ctxt, ops);
2915 if (rc != X86EMUL_CONTINUE)
2918 case 0x90: /* nop / xchg r8,rax */
2919 if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
2920 c->dst.type = OP_NONE; /* nop */
2923 case 0x91 ... 0x97: /* xchg reg,rax */
2924 c->src.type = OP_REG;
2925 c->src.bytes = c->op_bytes;
2926 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2927 c->src.val = *(c->src.ptr);
2929 case 0x9c: /* pushf */
2930 c->src.val = (unsigned long) ctxt->eflags;
2931 emulate_push(ctxt, ops);
2933 case 0x9d: /* popf */
2934 c->dst.type = OP_REG;
2935 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2936 c->dst.bytes = c->op_bytes;
2937 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2938 if (rc != X86EMUL_CONTINUE)
2941 case 0xa0 ... 0xa3: /* mov */
2942 case 0xa4 ... 0xa5: /* movs */
2944 case 0xa6 ... 0xa7: /* cmps */
2945 c->dst.type = OP_NONE; /* Disable writeback. */
2946 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2948 case 0xa8 ... 0xa9: /* test ax, imm */
2950 case 0xaa ... 0xab: /* stos */
2951 c->dst.val = c->regs[VCPU_REGS_RAX];
2953 case 0xac ... 0xad: /* lods */
2955 case 0xae ... 0xaf: /* scas */
2956 DPRINTF("Urk! I don't handle SCAS.\n");
2957 goto cannot_emulate;
2958 case 0xb0 ... 0xbf: /* mov r, imm */
2963 case 0xc3: /* ret */
2964 c->dst.type = OP_REG;
2965 c->dst.ptr = &c->eip;
2966 c->dst.bytes = c->op_bytes;
2967 goto pop_instruction;
2968 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2970 c->dst.val = c->src.val;
2972 case 0xcb: /* ret far */
2973 rc = emulate_ret_far(ctxt, ops);
2974 if (rc != X86EMUL_CONTINUE)
2977 case 0xcf: /* iret */
2978 rc = emulate_iret(ctxt, ops);
2980 if (rc != X86EMUL_CONTINUE)
2983 case 0xd0 ... 0xd1: /* Grp2 */
2987 case 0xd2 ... 0xd3: /* Grp2 */
2988 c->src.val = c->regs[VCPU_REGS_RCX];
2991 case 0xe4: /* inb */
2994 case 0xe6: /* outb */
2995 case 0xe7: /* out */
2997 case 0xe8: /* call (near) */ {
2998 long int rel = c->src.val;
2999 c->src.val = (unsigned long) c->eip;
3001 emulate_push(ctxt, ops);
3004 case 0xe9: /* jmp rel */
3006 case 0xea: { /* jmp far */
3009 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3011 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3015 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3019 jmp: /* jmp rel short */
3020 jmp_rel(c, c->src.val);
3021 c->dst.type = OP_NONE; /* Disable writeback. */
3023 case 0xec: /* in al,dx */
3024 case 0xed: /* in (e/r)ax,dx */
3025 c->src.val = c->regs[VCPU_REGS_RDX];
3027 c->dst.bytes = min(c->dst.bytes, 4u);
3028 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3029 emulate_gp(ctxt, 0);
3032 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3034 goto done; /* IO is needed */
3036 case 0xee: /* out dx,al */
3037 case 0xef: /* out dx,(e/r)ax */
3038 c->src.val = c->regs[VCPU_REGS_RDX];
3040 c->dst.bytes = min(c->dst.bytes, 4u);
3041 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3042 emulate_gp(ctxt, 0);
3045 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
3047 c->dst.type = OP_NONE; /* Disable writeback. */
3049 case 0xf4: /* hlt */
3050 ctxt->vcpu->arch.halt_request = 1;
3052 case 0xf5: /* cmc */
3053 /* complement carry flag from eflags reg */
3054 ctxt->eflags ^= EFLG_CF;
3055 c->dst.type = OP_NONE; /* Disable writeback. */
3057 case 0xf6 ... 0xf7: /* Grp3 */
3058 if (!emulate_grp3(ctxt, ops))
3059 goto cannot_emulate;
3061 case 0xf8: /* clc */
3062 ctxt->eflags &= ~EFLG_CF;
3063 c->dst.type = OP_NONE; /* Disable writeback. */
3065 case 0xfa: /* cli */
3066 if (emulator_bad_iopl(ctxt, ops)) {
3067 emulate_gp(ctxt, 0);
3070 ctxt->eflags &= ~X86_EFLAGS_IF;
3071 c->dst.type = OP_NONE; /* Disable writeback. */
3074 case 0xfb: /* sti */
3075 if (emulator_bad_iopl(ctxt, ops)) {
3076 emulate_gp(ctxt, 0);
3079 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3080 ctxt->eflags |= X86_EFLAGS_IF;
3081 c->dst.type = OP_NONE; /* Disable writeback. */
3084 case 0xfc: /* cld */
3085 ctxt->eflags &= ~EFLG_DF;
3086 c->dst.type = OP_NONE; /* Disable writeback. */
3088 case 0xfd: /* std */
3089 ctxt->eflags |= EFLG_DF;
3090 c->dst.type = OP_NONE; /* Disable writeback. */
3092 case 0xfe: /* Grp4 */
3094 rc = emulate_grp45(ctxt, ops);
3095 if (rc != X86EMUL_CONTINUE)
3098 case 0xff: /* Grp5 */
3099 if (c->modrm_reg == 5)
3103 goto cannot_emulate;
3107 rc = writeback(ctxt, ops);
3108 if (rc != X86EMUL_CONTINUE)
3112 * restore dst type in case the decoding will be reused
3113 * (happens for string instruction )
3115 c->dst.type = saved_dst_type;
3117 if ((c->d & SrcMask) == SrcSI)
3118 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3119 VCPU_REGS_RSI, &c->src);
3121 if ((c->d & DstMask) == DstDI)
3122 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3125 if (c->rep_prefix && (c->d & String)) {
3126 struct read_cache *rc = &ctxt->decode.io_read;
3127 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3129 * Re-enter guest when pio read ahead buffer is empty or,
3130 * if it is not used, after each 1024 iteration.
3132 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3133 (rc->end != 0 && rc->end == rc->pos))
3134 ctxt->restart = false;
3137 * reset read cache here in case string instruction is restared
3140 ctxt->decode.mem_read.end = 0;
3144 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3148 case 0x01: /* lgdt, lidt, lmsw */
3149 switch (c->modrm_reg) {
3151 unsigned long address;
3153 case 0: /* vmcall */
3154 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3155 goto cannot_emulate;
3157 rc = kvm_fix_hypercall(ctxt->vcpu);
3158 if (rc != X86EMUL_CONTINUE)
3161 /* Let the processor re-execute the fixed hypercall */
3163 /* Disable writeback. */
3164 c->dst.type = OP_NONE;
3167 rc = read_descriptor(ctxt, ops, c->src.ptr,
3168 &size, &address, c->op_bytes);
3169 if (rc != X86EMUL_CONTINUE)
3171 realmode_lgdt(ctxt->vcpu, size, address);
3172 /* Disable writeback. */
3173 c->dst.type = OP_NONE;
3175 case 3: /* lidt/vmmcall */
3176 if (c->modrm_mod == 3) {
3177 switch (c->modrm_rm) {
3179 rc = kvm_fix_hypercall(ctxt->vcpu);
3180 if (rc != X86EMUL_CONTINUE)
3184 goto cannot_emulate;
3187 rc = read_descriptor(ctxt, ops, c->src.ptr,
3190 if (rc != X86EMUL_CONTINUE)
3192 realmode_lidt(ctxt->vcpu, size, address);
3194 /* Disable writeback. */
3195 c->dst.type = OP_NONE;
3199 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3202 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3203 (c->src.val & 0x0f), ctxt->vcpu);
3204 c->dst.type = OP_NONE;
3206 case 5: /* not defined */
3210 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3211 /* Disable writeback. */
3212 c->dst.type = OP_NONE;
3215 goto cannot_emulate;
3218 case 0x05: /* syscall */
3219 rc = emulate_syscall(ctxt, ops);
3220 if (rc != X86EMUL_CONTINUE)
3226 emulate_clts(ctxt->vcpu);
3227 c->dst.type = OP_NONE;
3229 case 0x09: /* wbinvd */
3230 kvm_emulate_wbinvd(ctxt->vcpu);
3231 c->dst.type = OP_NONE;
3233 case 0x08: /* invd */
3234 case 0x0d: /* GrpP (prefetch) */
3235 case 0x18: /* Grp16 (prefetch/nop) */
3236 c->dst.type = OP_NONE;
3238 case 0x20: /* mov cr, reg */
3239 switch (c->modrm_reg) {
3246 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3247 c->dst.type = OP_NONE; /* no writeback */
3249 case 0x21: /* mov from dr to reg */
3250 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3251 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3255 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3256 c->dst.type = OP_NONE; /* no writeback */
3258 case 0x22: /* mov reg, cr */
3259 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3260 emulate_gp(ctxt, 0);
3263 c->dst.type = OP_NONE;
3265 case 0x23: /* mov from reg to dr */
3266 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3267 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3272 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3273 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3274 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3275 /* #UD condition is already handled by the code above */
3276 emulate_gp(ctxt, 0);
3280 c->dst.type = OP_NONE; /* no writeback */
3284 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3285 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3286 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3287 emulate_gp(ctxt, 0);
3290 rc = X86EMUL_CONTINUE;
3291 c->dst.type = OP_NONE;
3295 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3296 emulate_gp(ctxt, 0);
3299 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3300 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3302 rc = X86EMUL_CONTINUE;
3303 c->dst.type = OP_NONE;
3305 case 0x34: /* sysenter */
3306 rc = emulate_sysenter(ctxt, ops);
3307 if (rc != X86EMUL_CONTINUE)
3312 case 0x35: /* sysexit */
3313 rc = emulate_sysexit(ctxt, ops);
3314 if (rc != X86EMUL_CONTINUE)
3319 case 0x40 ... 0x4f: /* cmov */
3320 c->dst.val = c->dst.orig_val = c->src.val;
3321 if (!test_cc(c->b, ctxt->eflags))
3322 c->dst.type = OP_NONE; /* no writeback */
3324 case 0x80 ... 0x8f: /* jnz rel, etc*/
3325 if (test_cc(c->b, ctxt->eflags))
3326 jmp_rel(c, c->src.val);
3327 c->dst.type = OP_NONE;
3329 case 0xa0: /* push fs */
3330 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3332 case 0xa1: /* pop fs */
3333 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3334 if (rc != X86EMUL_CONTINUE)
3339 c->dst.type = OP_NONE;
3340 /* only subword offset */
3341 c->src.val &= (c->dst.bytes << 3) - 1;
3342 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3344 case 0xa4: /* shld imm8, r, r/m */
3345 case 0xa5: /* shld cl, r, r/m */
3346 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3348 case 0xa8: /* push gs */
3349 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3351 case 0xa9: /* pop gs */
3352 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3353 if (rc != X86EMUL_CONTINUE)
3358 /* only subword offset */
3359 c->src.val &= (c->dst.bytes << 3) - 1;
3360 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3362 case 0xac: /* shrd imm8, r, r/m */
3363 case 0xad: /* shrd cl, r, r/m */
3364 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3366 case 0xae: /* clflush */
3368 case 0xb0 ... 0xb1: /* cmpxchg */
3370 * Save real source value, then compare EAX against
3373 c->src.orig_val = c->src.val;
3374 c->src.val = c->regs[VCPU_REGS_RAX];
3375 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3376 if (ctxt->eflags & EFLG_ZF) {
3377 /* Success: write back to memory. */
3378 c->dst.val = c->src.orig_val;
3380 /* Failure: write the value we saw to EAX. */
3381 c->dst.type = OP_REG;
3382 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3387 /* only subword offset */
3388 c->src.val &= (c->dst.bytes << 3) - 1;
3389 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3391 case 0xb6 ... 0xb7: /* movzx */
3392 c->dst.bytes = c->op_bytes;
3393 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3396 case 0xba: /* Grp8 */
3397 switch (c->modrm_reg & 3) {
3410 /* only subword offset */
3411 c->src.val &= (c->dst.bytes << 3) - 1;
3412 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3414 case 0xbe ... 0xbf: /* movsx */
3415 c->dst.bytes = c->op_bytes;
3416 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3419 case 0xc3: /* movnti */
3420 c->dst.bytes = c->op_bytes;
3421 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3424 case 0xc7: /* Grp9 (cmpxchg8b) */
3425 rc = emulate_grp9(ctxt, ops);
3426 if (rc != X86EMUL_CONTINUE)
3430 goto cannot_emulate;
3435 DPRINTF("Cannot emulate %02x\n", c->b);
git.openpandora.org / pandora-kernel.git / blob