1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<16) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<17) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<17) /* Register operand. */
53 #define DstMem (3<<17) /* Memory operand. */
54 #define DstAcc (4<<17) /* Destination Accumulator */
55 #define DstDI (5<<17) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<17) /* 64bit memory operand */
57 #define DstMask (7<<17)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
77 /* Destination is only written; never read. */
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
85 #define GroupMask 0x0f /* Group number stored in bits 0:3 */
87 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
88 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
90 /* Source 2 operand type */
91 #define Src2None (0<<29)
92 #define Src2CL (1<<29)
93 #define Src2ImmByte (2<<29)
94 #define Src2One (3<<29)
95 #define Src2Mask (7<<29)
97 #define X2(x) (x), (x)
98 #define X3(x) X2(x), (x)
99 #define X4(x) X2(x), X2(x)
100 #define X5(x) X4(x), (x)
101 #define X6(x) X4(x), X2(x)
102 #define X7(x) X4(x), X3(x)
103 #define X8(x) X4(x), X4(x)
104 #define X16(x) X8(x), X8(x)
107 Group1_80, Group1_81, Group1_82, Group1_83,
108 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
112 static u32 opcode_table[256] = {
114 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
115 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
116 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
117 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
119 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
120 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
121 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
122 ImplicitOps | Stack | No64, 0,
124 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
125 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
126 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
127 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
129 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
130 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
131 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
132 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
134 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
135 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
136 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
138 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
139 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
140 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
142 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
143 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
144 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
146 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
147 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
148 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
157 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
158 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
161 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
162 DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
163 SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
167 Group | Group1_80, Group | Group1_81,
168 Group | Group1_82, Group | Group1_83,
169 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
170 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
172 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
173 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
174 DstMem | SrcNone | ModRM | Mov, ModRM | DstReg,
175 ImplicitOps | SrcMem16 | ModRM, Group | Group1A,
177 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
179 0, 0, SrcImmFAddr | No64, 0,
180 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
182 ByteOp | DstAcc | SrcMem | Mov | MemAbs, DstAcc | SrcMem | Mov | MemAbs,
183 ByteOp | DstMem | SrcAcc | Mov | MemAbs, DstMem | SrcAcc | Mov | MemAbs,
184 ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
185 ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
187 DstAcc | SrcImmByte | ByteOp, DstAcc | SrcImm, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
188 ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
189 ByteOp | DstDI | String, DstDI | String,
191 X8(ByteOp | DstReg | SrcImm | Mov),
193 X8(DstReg | SrcImm | Mov),
195 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
196 0, ImplicitOps | Stack, 0, 0,
197 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
199 0, 0, 0, ImplicitOps | Stack,
200 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
202 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
203 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
206 0, 0, 0, 0, 0, 0, 0, 0,
209 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
210 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
212 SrcImm | Stack, SrcImm | ImplicitOps,
213 SrcImmFAddr | No64, SrcImmByte | ImplicitOps,
214 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
215 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
218 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
220 ImplicitOps, 0, ImplicitOps, ImplicitOps,
221 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
224 static u32 twobyte_table[256] = {
226 0, Group | GroupDual | Group7, 0, 0,
227 0, ImplicitOps, ImplicitOps | Priv, 0,
228 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
229 0, ImplicitOps | ModRM, 0, 0,
231 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
233 ModRM | ImplicitOps | Priv, ModRM | Priv,
234 ModRM | ImplicitOps | Priv, ModRM | Priv,
236 0, 0, 0, 0, 0, 0, 0, 0,
238 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
239 ImplicitOps, ImplicitOps | Priv, 0, 0,
240 0, 0, 0, 0, 0, 0, 0, 0,
242 X16(DstReg | SrcMem | ModRM | Mov),
244 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
246 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
248 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
252 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
254 ImplicitOps | Stack, ImplicitOps | Stack,
255 0, DstMem | SrcReg | ModRM | BitOp,
256 DstMem | SrcReg | Src2ImmByte | ModRM,
257 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
259 ImplicitOps | Stack, ImplicitOps | Stack,
260 0, DstMem | SrcReg | ModRM | BitOp | Lock,
261 DstMem | SrcReg | Src2ImmByte | ModRM,
262 DstMem | SrcReg | Src2CL | ModRM,
265 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
266 0, DstMem | SrcReg | ModRM | BitOp | Lock,
267 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
268 DstReg | SrcMem16 | ModRM | Mov,
271 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
272 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
273 DstReg | SrcMem16 | ModRM | Mov,
275 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
276 0, 0, 0, Group | GroupDual | Group9,
277 0, 0, 0, 0, 0, 0, 0, 0,
279 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
281 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
283 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
286 static u32 group_table[] = {
288 ByteOp | DstMem | SrcImm | ModRM | Lock,
289 ByteOp | DstMem | SrcImm | ModRM | Lock,
290 ByteOp | DstMem | SrcImm | ModRM | Lock,
291 ByteOp | DstMem | SrcImm | ModRM | Lock,
292 ByteOp | DstMem | SrcImm | ModRM | Lock,
293 ByteOp | DstMem | SrcImm | ModRM | Lock,
294 ByteOp | DstMem | SrcImm | ModRM | Lock,
295 ByteOp | DstMem | SrcImm | ModRM,
297 DstMem | SrcImm | ModRM | Lock,
298 DstMem | SrcImm | ModRM | Lock,
299 DstMem | SrcImm | ModRM | Lock,
300 DstMem | SrcImm | ModRM | Lock,
301 DstMem | SrcImm | ModRM | Lock,
302 DstMem | SrcImm | ModRM | Lock,
303 DstMem | SrcImm | ModRM | Lock,
304 DstMem | SrcImm | ModRM,
306 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
307 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
308 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
309 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
310 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
311 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
312 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
313 ByteOp | DstMem | SrcImm | ModRM | No64,
315 DstMem | SrcImmByte | ModRM | Lock,
316 DstMem | SrcImmByte | ModRM | Lock,
317 DstMem | SrcImmByte | ModRM | Lock,
318 DstMem | SrcImmByte | ModRM | Lock,
319 DstMem | SrcImmByte | ModRM | Lock,
320 DstMem | SrcImmByte | ModRM | Lock,
321 DstMem | SrcImmByte | ModRM | Lock,
322 DstMem | SrcImmByte | ModRM,
324 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
326 ByteOp | SrcImm | DstMem | ModRM, ByteOp | SrcImm | DstMem | ModRM,
327 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
330 DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
331 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
334 ByteOp | DstMem | SrcNone | ModRM | Lock, ByteOp | DstMem | SrcNone | ModRM | Lock,
337 DstMem | SrcNone | ModRM | Lock, DstMem | SrcNone | ModRM | Lock,
338 SrcMem | ModRM | Stack, 0,
339 SrcMem | ModRM | Stack, SrcMemFAddr | ModRM | ImplicitOps,
340 SrcMem | ModRM | Stack, 0,
342 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
343 SrcNone | ModRM | DstMem | Mov, 0,
344 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
347 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
348 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
350 0, DstMem64 | ModRM | Lock, 0, 0, 0, 0, 0, 0,
353 static u32 group2_table[] = {
355 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
356 SrcNone | ModRM | DstMem | Mov, 0,
357 SrcMem16 | ModRM | Mov | Priv, 0,
359 0, 0, 0, 0, 0, 0, 0, 0,
362 /* EFLAGS bit definitions. */
363 #define EFLG_ID (1<<21)
364 #define EFLG_VIP (1<<20)
365 #define EFLG_VIF (1<<19)
366 #define EFLG_AC (1<<18)
367 #define EFLG_VM (1<<17)
368 #define EFLG_RF (1<<16)
369 #define EFLG_IOPL (3<<12)
370 #define EFLG_NT (1<<14)
371 #define EFLG_OF (1<<11)
372 #define EFLG_DF (1<<10)
373 #define EFLG_IF (1<<9)
374 #define EFLG_TF (1<<8)
375 #define EFLG_SF (1<<7)
376 #define EFLG_ZF (1<<6)
377 #define EFLG_AF (1<<4)
378 #define EFLG_PF (1<<2)
379 #define EFLG_CF (1<<0)
382 * Instruction emulation:
383 * Most instructions are emulated directly via a fragment of inline assembly
384 * code. This allows us to save/restore EFLAGS and thus very easily pick up
385 * any modified flags.
388 #if defined(CONFIG_X86_64)
389 #define _LO32 "k" /* force 32-bit operand */
390 #define _STK "%%rsp" /* stack pointer */
391 #elif defined(__i386__)
392 #define _LO32 "" /* force 32-bit operand */
393 #define _STK "%%esp" /* stack pointer */
397 * These EFLAGS bits are restored from saved value during emulation, and
398 * any changes are written back to the saved value after emulation.
400 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
402 /* Before executing instruction: restore necessary bits in EFLAGS. */
403 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
404 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
405 "movl %"_sav",%"_LO32 _tmp"; " \
408 "movl %"_msk",%"_LO32 _tmp"; " \
409 "andl %"_LO32 _tmp",("_STK"); " \
411 "notl %"_LO32 _tmp"; " \
412 "andl %"_LO32 _tmp",("_STK"); " \
413 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
415 "orl %"_LO32 _tmp",("_STK"); " \
419 /* After executing instruction: write-back necessary bits in EFLAGS. */
420 #define _POST_EFLAGS(_sav, _msk, _tmp) \
421 /* _sav |= EFLAGS & _msk; */ \
424 "andl %"_msk",%"_LO32 _tmp"; " \
425 "orl %"_LO32 _tmp",%"_sav"; "
433 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
435 __asm__ __volatile__ ( \
436 _PRE_EFLAGS("0", "4", "2") \
437 _op _suffix " %"_x"3,%1; " \
438 _POST_EFLAGS("0", "4", "2") \
439 : "=m" (_eflags), "=m" ((_dst).val), \
441 : _y ((_src).val), "i" (EFLAGS_MASK)); \
445 /* Raw emulation: instruction has two explicit operands. */
446 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
448 unsigned long _tmp; \
450 switch ((_dst).bytes) { \
452 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
455 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
458 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
463 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
465 unsigned long _tmp; \
466 switch ((_dst).bytes) { \
468 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
471 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
472 _wx, _wy, _lx, _ly, _qx, _qy); \
477 /* Source operand is byte-sized and may be restricted to just %cl. */
478 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
479 __emulate_2op(_op, _src, _dst, _eflags, \
480 "b", "c", "b", "c", "b", "c", "b", "c")
482 /* Source operand is byte, word, long or quad sized. */
483 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
484 __emulate_2op(_op, _src, _dst, _eflags, \
485 "b", "q", "w", "r", _LO32, "r", "", "r")
487 /* Source operand is word, long or quad sized. */
488 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
489 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
490 "w", "r", _LO32, "r", "", "r")
492 /* Instruction has three operands and one operand is stored in ECX register */
493 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
495 unsigned long _tmp; \
496 _type _clv = (_cl).val; \
497 _type _srcv = (_src).val; \
498 _type _dstv = (_dst).val; \
500 __asm__ __volatile__ ( \
501 _PRE_EFLAGS("0", "5", "2") \
502 _op _suffix " %4,%1 \n" \
503 _POST_EFLAGS("0", "5", "2") \
504 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
505 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
508 (_cl).val = (unsigned long) _clv; \
509 (_src).val = (unsigned long) _srcv; \
510 (_dst).val = (unsigned long) _dstv; \
513 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
515 switch ((_dst).bytes) { \
517 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
518 "w", unsigned short); \
521 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
522 "l", unsigned int); \
525 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
526 "q", unsigned long)); \
531 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
533 unsigned long _tmp; \
535 __asm__ __volatile__ ( \
536 _PRE_EFLAGS("0", "3", "2") \
537 _op _suffix " %1; " \
538 _POST_EFLAGS("0", "3", "2") \
539 : "=m" (_eflags), "+m" ((_dst).val), \
541 : "i" (EFLAGS_MASK)); \
544 /* Instruction has only one explicit operand (no source operand). */
545 #define emulate_1op(_op, _dst, _eflags) \
547 switch ((_dst).bytes) { \
548 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
549 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
550 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
551 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
555 /* Fetch next part of the instruction being emulated. */
556 #define insn_fetch(_type, _size, _eip) \
557 ({ unsigned long _x; \
558 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
559 if (rc != X86EMUL_CONTINUE) \
565 #define insn_fetch_arr(_arr, _size, _eip) \
566 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
567 if (rc != X86EMUL_CONTINUE) \
572 static inline unsigned long ad_mask(struct decode_cache *c)
574 return (1UL << (c->ad_bytes << 3)) - 1;
577 /* Access/update address held in a register, based on addressing mode. */
578 static inline unsigned long
579 address_mask(struct decode_cache *c, unsigned long reg)
581 if (c->ad_bytes == sizeof(unsigned long))
584 return reg & ad_mask(c);
587 static inline unsigned long
588 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
590 return base + address_mask(c, reg);
594 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
596 if (c->ad_bytes == sizeof(unsigned long))
599 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
602 static inline void jmp_rel(struct decode_cache *c, int rel)
604 register_address_increment(c, &c->eip, rel);
607 static void set_seg_override(struct decode_cache *c, int seg)
609 c->has_seg_override = true;
610 c->seg_override = seg;
613 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
614 struct x86_emulate_ops *ops, int seg)
616 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
619 return ops->get_cached_segment_base(seg, ctxt->vcpu);
622 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
623 struct x86_emulate_ops *ops,
624 struct decode_cache *c)
626 if (!c->has_seg_override)
629 return seg_base(ctxt, ops, c->seg_override);
632 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
633 struct x86_emulate_ops *ops)
635 return seg_base(ctxt, ops, VCPU_SREG_ES);
638 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
639 struct x86_emulate_ops *ops)
641 return seg_base(ctxt, ops, VCPU_SREG_SS);
644 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
645 u32 error, bool valid)
647 ctxt->exception = vec;
648 ctxt->error_code = error;
649 ctxt->error_code_valid = valid;
650 ctxt->restart = false;
653 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
655 emulate_exception(ctxt, GP_VECTOR, err, true);
658 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
662 emulate_exception(ctxt, PF_VECTOR, err, true);
665 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
667 emulate_exception(ctxt, UD_VECTOR, 0, false);
670 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
672 emulate_exception(ctxt, TS_VECTOR, err, true);
675 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
676 struct x86_emulate_ops *ops,
677 unsigned long eip, u8 *dest)
679 struct fetch_cache *fc = &ctxt->decode.fetch;
683 if (eip == fc->end) {
684 cur_size = fc->end - fc->start;
685 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
686 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
687 size, ctxt->vcpu, NULL);
688 if (rc != X86EMUL_CONTINUE)
692 *dest = fc->data[eip - fc->start];
693 return X86EMUL_CONTINUE;
696 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
697 struct x86_emulate_ops *ops,
698 unsigned long eip, void *dest, unsigned size)
702 /* x86 instructions are limited to 15 bytes. */
703 if (eip + size - ctxt->eip > 15)
704 return X86EMUL_UNHANDLEABLE;
706 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
707 if (rc != X86EMUL_CONTINUE)
710 return X86EMUL_CONTINUE;
714 * Given the 'reg' portion of a ModRM byte, and a register block, return a
715 * pointer into the block that addresses the relevant register.
716 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
718 static void *decode_register(u8 modrm_reg, unsigned long *regs,
723 p = ®s[modrm_reg];
724 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
725 p = (unsigned char *)®s[modrm_reg & 3] + 1;
729 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
730 struct x86_emulate_ops *ops,
732 u16 *size, unsigned long *address, int op_bytes)
739 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
741 if (rc != X86EMUL_CONTINUE)
743 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
748 static int test_cc(unsigned int condition, unsigned int flags)
752 switch ((condition & 15) >> 1) {
754 rc |= (flags & EFLG_OF);
756 case 1: /* b/c/nae */
757 rc |= (flags & EFLG_CF);
760 rc |= (flags & EFLG_ZF);
763 rc |= (flags & (EFLG_CF|EFLG_ZF));
766 rc |= (flags & EFLG_SF);
769 rc |= (flags & EFLG_PF);
772 rc |= (flags & EFLG_ZF);
775 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
779 /* Odd condition identifiers (lsb == 1) have inverted sense. */
780 return (!!rc ^ (condition & 1));
783 static void decode_register_operand(struct operand *op,
784 struct decode_cache *c,
787 unsigned reg = c->modrm_reg;
788 int highbyte_regs = c->rex_prefix == 0;
791 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
793 if ((c->d & ByteOp) && !inhibit_bytereg) {
794 op->ptr = decode_register(reg, c->regs, highbyte_regs);
795 op->val = *(u8 *)op->ptr;
798 op->ptr = decode_register(reg, c->regs, 0);
799 op->bytes = c->op_bytes;
802 op->val = *(u16 *)op->ptr;
805 op->val = *(u32 *)op->ptr;
808 op->val = *(u64 *) op->ptr;
812 op->orig_val = op->val;
815 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
816 struct x86_emulate_ops *ops)
818 struct decode_cache *c = &ctxt->decode;
820 int index_reg = 0, base_reg = 0, scale;
821 int rc = X86EMUL_CONTINUE;
824 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
825 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
826 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
829 c->modrm = insn_fetch(u8, 1, c->eip);
830 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
831 c->modrm_reg |= (c->modrm & 0x38) >> 3;
832 c->modrm_rm |= (c->modrm & 0x07);
836 if (c->modrm_mod == 3) {
837 c->modrm_ptr = decode_register(c->modrm_rm,
838 c->regs, c->d & ByteOp);
839 c->modrm_val = *(unsigned long *)c->modrm_ptr;
843 if (c->ad_bytes == 2) {
844 unsigned bx = c->regs[VCPU_REGS_RBX];
845 unsigned bp = c->regs[VCPU_REGS_RBP];
846 unsigned si = c->regs[VCPU_REGS_RSI];
847 unsigned di = c->regs[VCPU_REGS_RDI];
849 /* 16-bit ModR/M decode. */
850 switch (c->modrm_mod) {
852 if (c->modrm_rm == 6)
853 c->modrm_ea += insn_fetch(u16, 2, c->eip);
856 c->modrm_ea += insn_fetch(s8, 1, c->eip);
859 c->modrm_ea += insn_fetch(u16, 2, c->eip);
862 switch (c->modrm_rm) {
864 c->modrm_ea += bx + si;
867 c->modrm_ea += bx + di;
870 c->modrm_ea += bp + si;
873 c->modrm_ea += bp + di;
882 if (c->modrm_mod != 0)
889 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
890 (c->modrm_rm == 6 && c->modrm_mod != 0))
891 if (!c->has_seg_override)
892 set_seg_override(c, VCPU_SREG_SS);
893 c->modrm_ea = (u16)c->modrm_ea;
895 /* 32/64-bit ModR/M decode. */
896 if ((c->modrm_rm & 7) == 4) {
897 sib = insn_fetch(u8, 1, c->eip);
898 index_reg |= (sib >> 3) & 7;
902 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
903 c->modrm_ea += insn_fetch(s32, 4, c->eip);
905 c->modrm_ea += c->regs[base_reg];
907 c->modrm_ea += c->regs[index_reg] << scale;
908 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
909 if (ctxt->mode == X86EMUL_MODE_PROT64)
912 c->modrm_ea += c->regs[c->modrm_rm];
913 switch (c->modrm_mod) {
915 if (c->modrm_rm == 5)
916 c->modrm_ea += insn_fetch(s32, 4, c->eip);
919 c->modrm_ea += insn_fetch(s8, 1, c->eip);
922 c->modrm_ea += insn_fetch(s32, 4, c->eip);
930 static int decode_abs(struct x86_emulate_ctxt *ctxt,
931 struct x86_emulate_ops *ops)
933 struct decode_cache *c = &ctxt->decode;
934 int rc = X86EMUL_CONTINUE;
936 switch (c->ad_bytes) {
938 c->modrm_ea = insn_fetch(u16, 2, c->eip);
941 c->modrm_ea = insn_fetch(u32, 4, c->eip);
944 c->modrm_ea = insn_fetch(u64, 8, c->eip);
952 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
954 struct decode_cache *c = &ctxt->decode;
955 int rc = X86EMUL_CONTINUE;
956 int mode = ctxt->mode;
957 int def_op_bytes, def_ad_bytes, group;
960 /* we cannot decode insn before we complete previous rep insn */
961 WARN_ON(ctxt->restart);
964 c->fetch.start = c->fetch.end = c->eip;
965 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
968 case X86EMUL_MODE_REAL:
969 case X86EMUL_MODE_VM86:
970 case X86EMUL_MODE_PROT16:
971 def_op_bytes = def_ad_bytes = 2;
973 case X86EMUL_MODE_PROT32:
974 def_op_bytes = def_ad_bytes = 4;
977 case X86EMUL_MODE_PROT64:
986 c->op_bytes = def_op_bytes;
987 c->ad_bytes = def_ad_bytes;
989 /* Legacy prefixes. */
991 switch (c->b = insn_fetch(u8, 1, c->eip)) {
992 case 0x66: /* operand-size override */
993 /* switch between 2/4 bytes */
994 c->op_bytes = def_op_bytes ^ 6;
996 case 0x67: /* address-size override */
997 if (mode == X86EMUL_MODE_PROT64)
998 /* switch between 4/8 bytes */
999 c->ad_bytes = def_ad_bytes ^ 12;
1001 /* switch between 2/4 bytes */
1002 c->ad_bytes = def_ad_bytes ^ 6;
1004 case 0x26: /* ES override */
1005 case 0x2e: /* CS override */
1006 case 0x36: /* SS override */
1007 case 0x3e: /* DS override */
1008 set_seg_override(c, (c->b >> 3) & 3);
1010 case 0x64: /* FS override */
1011 case 0x65: /* GS override */
1012 set_seg_override(c, c->b & 7);
1014 case 0x40 ... 0x4f: /* REX */
1015 if (mode != X86EMUL_MODE_PROT64)
1017 c->rex_prefix = c->b;
1019 case 0xf0: /* LOCK */
1022 case 0xf2: /* REPNE/REPNZ */
1023 c->rep_prefix = REPNE_PREFIX;
1025 case 0xf3: /* REP/REPE/REPZ */
1026 c->rep_prefix = REPE_PREFIX;
1032 /* Any legacy prefix after a REX prefix nullifies its effect. */
1041 if (c->rex_prefix & 8)
1042 c->op_bytes = 8; /* REX.W */
1044 /* Opcode byte(s). */
1045 c->d = opcode_table[c->b];
1047 /* Two-byte opcode? */
1050 c->b = insn_fetch(u8, 1, c->eip);
1051 c->d = twobyte_table[c->b];
1056 group = c->d & GroupMask;
1057 c->modrm = insn_fetch(u8, 1, c->eip);
1060 group = (group << 3) + ((c->modrm >> 3) & 7);
1061 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1062 c->d = group2_table[group];
1064 c->d = group_table[group];
1069 DPRINTF("Cannot emulate %02x\n", c->b);
1073 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1076 /* ModRM and SIB bytes. */
1078 rc = decode_modrm(ctxt, ops);
1079 else if (c->d & MemAbs)
1080 rc = decode_abs(ctxt, ops);
1081 if (rc != X86EMUL_CONTINUE)
1084 if (!c->has_seg_override)
1085 set_seg_override(c, VCPU_SREG_DS);
1087 if (!(!c->twobyte && c->b == 0x8d))
1088 c->modrm_ea += seg_override_base(ctxt, ops, c);
1090 if (c->ad_bytes != 8)
1091 c->modrm_ea = (u32)c->modrm_ea;
1093 if (c->rip_relative)
1094 c->modrm_ea += c->eip;
1097 * Decode and fetch the source operand: register, memory
1100 switch (c->d & SrcMask) {
1104 decode_register_operand(&c->src, c, 0);
1113 c->src.bytes = (c->d & ByteOp) ? 1 :
1115 /* Don't fetch the address for invlpg: it could be unmapped. */
1116 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1120 * For instructions with a ModR/M byte, switch to register
1121 * access if Mod = 3.
1123 if ((c->d & ModRM) && c->modrm_mod == 3) {
1124 c->src.type = OP_REG;
1125 c->src.val = c->modrm_val;
1126 c->src.ptr = c->modrm_ptr;
1129 c->src.type = OP_MEM;
1130 c->src.ptr = (unsigned long *)c->modrm_ea;
1135 c->src.type = OP_IMM;
1136 c->src.ptr = (unsigned long *)c->eip;
1137 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1138 if (c->src.bytes == 8)
1140 /* NB. Immediates are sign-extended as necessary. */
1141 switch (c->src.bytes) {
1143 c->src.val = insn_fetch(s8, 1, c->eip);
1146 c->src.val = insn_fetch(s16, 2, c->eip);
1149 c->src.val = insn_fetch(s32, 4, c->eip);
1152 if ((c->d & SrcMask) == SrcImmU) {
1153 switch (c->src.bytes) {
1158 c->src.val &= 0xffff;
1161 c->src.val &= 0xffffffff;
1168 c->src.type = OP_IMM;
1169 c->src.ptr = (unsigned long *)c->eip;
1171 if ((c->d & SrcMask) == SrcImmByte)
1172 c->src.val = insn_fetch(s8, 1, c->eip);
1174 c->src.val = insn_fetch(u8, 1, c->eip);
1177 c->src.type = OP_REG;
1178 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1179 c->src.ptr = &c->regs[VCPU_REGS_RAX];
1180 switch (c->src.bytes) {
1182 c->src.val = *(u8 *)c->src.ptr;
1185 c->src.val = *(u16 *)c->src.ptr;
1188 c->src.val = *(u32 *)c->src.ptr;
1191 c->src.val = *(u64 *)c->src.ptr;
1200 c->src.type = OP_MEM;
1201 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1202 c->src.ptr = (unsigned long *)
1203 register_address(c, seg_override_base(ctxt, ops, c),
1204 c->regs[VCPU_REGS_RSI]);
1208 c->src.type = OP_IMM;
1209 c->src.ptr = (unsigned long *)c->eip;
1210 c->src.bytes = c->op_bytes + 2;
1211 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
1214 c->src.type = OP_MEM;
1215 c->src.ptr = (unsigned long *)c->modrm_ea;
1216 c->src.bytes = c->op_bytes + 2;
1221 * Decode and fetch the second source operand: register, memory
1224 switch (c->d & Src2Mask) {
1229 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1232 c->src2.type = OP_IMM;
1233 c->src2.ptr = (unsigned long *)c->eip;
1235 c->src2.val = insn_fetch(u8, 1, c->eip);
1243 /* Decode and fetch the destination operand: register or memory. */
1244 switch (c->d & DstMask) {
1246 /* Special instructions do their own operand decoding. */
1249 decode_register_operand(&c->dst, c,
1250 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1254 if ((c->d & ModRM) && c->modrm_mod == 3) {
1255 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1256 c->dst.type = OP_REG;
1257 c->dst.val = c->dst.orig_val = c->modrm_val;
1258 c->dst.ptr = c->modrm_ptr;
1261 c->dst.type = OP_MEM;
1262 c->dst.ptr = (unsigned long *)c->modrm_ea;
1263 if ((c->d & DstMask) == DstMem64)
1266 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1269 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1271 c->dst.ptr = (void *)c->dst.ptr +
1272 (c->src.val & mask) / 8;
1276 c->dst.type = OP_REG;
1277 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1278 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1279 switch (c->dst.bytes) {
1281 c->dst.val = *(u8 *)c->dst.ptr;
1284 c->dst.val = *(u16 *)c->dst.ptr;
1287 c->dst.val = *(u32 *)c->dst.ptr;
1290 c->dst.val = *(u64 *)c->dst.ptr;
1293 c->dst.orig_val = c->dst.val;
1296 c->dst.type = OP_MEM;
1297 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1298 c->dst.ptr = (unsigned long *)
1299 register_address(c, es_base(ctxt, ops),
1300 c->regs[VCPU_REGS_RDI]);
1306 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1309 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1310 struct x86_emulate_ops *ops,
1311 unsigned long addr, void *dest, unsigned size)
1314 struct read_cache *mc = &ctxt->decode.mem_read;
1318 int n = min(size, 8u);
1320 if (mc->pos < mc->end)
1323 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
1325 if (rc == X86EMUL_PROPAGATE_FAULT)
1326 emulate_pf(ctxt, addr, err);
1327 if (rc != X86EMUL_CONTINUE)
1332 memcpy(dest, mc->data + mc->pos, n);
1337 return X86EMUL_CONTINUE;
1340 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1341 struct x86_emulate_ops *ops,
1342 unsigned int size, unsigned short port,
1345 struct read_cache *rc = &ctxt->decode.io_read;
1347 if (rc->pos == rc->end) { /* refill pio read ahead */
1348 struct decode_cache *c = &ctxt->decode;
1349 unsigned int in_page, n;
1350 unsigned int count = c->rep_prefix ?
1351 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1352 in_page = (ctxt->eflags & EFLG_DF) ?
1353 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1354 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1355 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1359 rc->pos = rc->end = 0;
1360 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1365 memcpy(dest, rc->data + rc->pos, size);
1370 static u32 desc_limit_scaled(struct desc_struct *desc)
1372 u32 limit = get_desc_limit(desc);
1374 return desc->g ? (limit << 12) | 0xfff : limit;
1377 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1378 struct x86_emulate_ops *ops,
1379 u16 selector, struct desc_ptr *dt)
1381 if (selector & 1 << 2) {
1382 struct desc_struct desc;
1383 memset (dt, 0, sizeof *dt);
1384 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1387 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1388 dt->address = get_desc_base(&desc);
1390 ops->get_gdt(dt, ctxt->vcpu);
1393 /* allowed just for 8 bytes segments */
1394 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1395 struct x86_emulate_ops *ops,
1396 u16 selector, struct desc_struct *desc)
1399 u16 index = selector >> 3;
1404 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1406 if (dt.size < index * 8 + 7) {
1407 emulate_gp(ctxt, selector & 0xfffc);
1408 return X86EMUL_PROPAGATE_FAULT;
1410 addr = dt.address + index * 8;
1411 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1412 if (ret == X86EMUL_PROPAGATE_FAULT)
1413 emulate_pf(ctxt, addr, err);
1418 /* allowed just for 8 bytes segments */
1419 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1420 struct x86_emulate_ops *ops,
1421 u16 selector, struct desc_struct *desc)
1424 u16 index = selector >> 3;
1429 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1431 if (dt.size < index * 8 + 7) {
1432 emulate_gp(ctxt, selector & 0xfffc);
1433 return X86EMUL_PROPAGATE_FAULT;
1436 addr = dt.address + index * 8;
1437 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1438 if (ret == X86EMUL_PROPAGATE_FAULT)
1439 emulate_pf(ctxt, addr, err);
1444 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1445 struct x86_emulate_ops *ops,
1446 u16 selector, int seg)
1448 struct desc_struct seg_desc;
1450 unsigned err_vec = GP_VECTOR;
1452 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1455 memset(&seg_desc, 0, sizeof seg_desc);
1457 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1458 || ctxt->mode == X86EMUL_MODE_REAL) {
1459 /* set real mode segment descriptor */
1460 set_desc_base(&seg_desc, selector << 4);
1461 set_desc_limit(&seg_desc, 0xffff);
1468 /* NULL selector is not valid for TR, CS and SS */
1469 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1473 /* TR should be in GDT only */
1474 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1477 if (null_selector) /* for NULL selector skip all following checks */
1480 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1481 if (ret != X86EMUL_CONTINUE)
1484 err_code = selector & 0xfffc;
1485 err_vec = GP_VECTOR;
1487 /* can't load system descriptor into segment selecor */
1488 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1492 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1498 cpl = ops->cpl(ctxt->vcpu);
1503 * segment is not a writable data segment or segment
1504 * selector's RPL != CPL or segment selector's RPL != CPL
1506 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1510 if (!(seg_desc.type & 8))
1513 if (seg_desc.type & 4) {
1519 if (rpl > cpl || dpl != cpl)
1522 /* CS(RPL) <- CPL */
1523 selector = (selector & 0xfffc) | cpl;
1526 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1529 case VCPU_SREG_LDTR:
1530 if (seg_desc.s || seg_desc.type != 2)
1533 default: /* DS, ES, FS, or GS */
1535 * segment is not a data or readable code segment or
1536 * ((segment is a data or nonconforming code segment)
1537 * and (both RPL and CPL > DPL))
1539 if ((seg_desc.type & 0xa) == 0x8 ||
1540 (((seg_desc.type & 0xc) != 0xc) &&
1541 (rpl > dpl && cpl > dpl)))
1547 /* mark segment as accessed */
1549 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1550 if (ret != X86EMUL_CONTINUE)
1554 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1555 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1556 return X86EMUL_CONTINUE;
1558 emulate_exception(ctxt, err_vec, err_code, true);
1559 return X86EMUL_PROPAGATE_FAULT;
1562 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1563 struct x86_emulate_ops *ops)
1566 struct decode_cache *c = &ctxt->decode;
1569 switch (c->dst.type) {
1571 /* The 4-byte case *is* correct:
1572 * in 64-bit mode we zero-extend.
1574 switch (c->dst.bytes) {
1576 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1579 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1582 *c->dst.ptr = (u32)c->dst.val;
1583 break; /* 64b: zero-ext */
1585 *c->dst.ptr = c->dst.val;
1591 rc = ops->cmpxchg_emulated(
1592 (unsigned long)c->dst.ptr,
1599 rc = ops->write_emulated(
1600 (unsigned long)c->dst.ptr,
1605 if (rc == X86EMUL_PROPAGATE_FAULT)
1607 (unsigned long)c->dst.ptr, err);
1608 if (rc != X86EMUL_CONTINUE)
1617 return X86EMUL_CONTINUE;
1620 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1621 struct x86_emulate_ops *ops)
1623 struct decode_cache *c = &ctxt->decode;
1625 c->dst.type = OP_MEM;
1626 c->dst.bytes = c->op_bytes;
1627 c->dst.val = c->src.val;
1628 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1629 c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1630 c->regs[VCPU_REGS_RSP]);
1633 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1634 struct x86_emulate_ops *ops,
1635 void *dest, int len)
1637 struct decode_cache *c = &ctxt->decode;
1640 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1641 c->regs[VCPU_REGS_RSP]),
1643 if (rc != X86EMUL_CONTINUE)
1646 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1650 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1651 struct x86_emulate_ops *ops,
1652 void *dest, int len)
1655 unsigned long val, change_mask;
1656 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1657 int cpl = ops->cpl(ctxt->vcpu);
1659 rc = emulate_pop(ctxt, ops, &val, len);
1660 if (rc != X86EMUL_CONTINUE)
1663 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1664 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1666 switch(ctxt->mode) {
1667 case X86EMUL_MODE_PROT64:
1668 case X86EMUL_MODE_PROT32:
1669 case X86EMUL_MODE_PROT16:
1671 change_mask |= EFLG_IOPL;
1673 change_mask |= EFLG_IF;
1675 case X86EMUL_MODE_VM86:
1677 emulate_gp(ctxt, 0);
1678 return X86EMUL_PROPAGATE_FAULT;
1680 change_mask |= EFLG_IF;
1682 default: /* real mode */
1683 change_mask |= (EFLG_IOPL | EFLG_IF);
1687 *(unsigned long *)dest =
1688 (ctxt->eflags & ~change_mask) | (val & change_mask);
1693 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1694 struct x86_emulate_ops *ops, int seg)
1696 struct decode_cache *c = &ctxt->decode;
1698 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1700 emulate_push(ctxt, ops);
1703 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1704 struct x86_emulate_ops *ops, int seg)
1706 struct decode_cache *c = &ctxt->decode;
1707 unsigned long selector;
1710 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1711 if (rc != X86EMUL_CONTINUE)
1714 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1718 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1719 struct x86_emulate_ops *ops)
1721 struct decode_cache *c = &ctxt->decode;
1722 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1723 int rc = X86EMUL_CONTINUE;
1724 int reg = VCPU_REGS_RAX;
1726 while (reg <= VCPU_REGS_RDI) {
1727 (reg == VCPU_REGS_RSP) ?
1728 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1730 emulate_push(ctxt, ops);
1732 rc = writeback(ctxt, ops);
1733 if (rc != X86EMUL_CONTINUE)
1739 /* Disable writeback. */
1740 c->dst.type = OP_NONE;
1745 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1746 struct x86_emulate_ops *ops)
1748 struct decode_cache *c = &ctxt->decode;
1749 int rc = X86EMUL_CONTINUE;
1750 int reg = VCPU_REGS_RDI;
1752 while (reg >= VCPU_REGS_RAX) {
1753 if (reg == VCPU_REGS_RSP) {
1754 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1759 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1760 if (rc != X86EMUL_CONTINUE)
1767 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1768 struct x86_emulate_ops *ops)
1770 struct decode_cache *c = &ctxt->decode;
1772 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1775 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1777 struct decode_cache *c = &ctxt->decode;
1778 switch (c->modrm_reg) {
1780 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1783 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1786 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1789 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1791 case 4: /* sal/shl */
1792 case 6: /* sal/shl */
1793 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1796 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1799 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1804 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1805 struct x86_emulate_ops *ops)
1807 struct decode_cache *c = &ctxt->decode;
1809 switch (c->modrm_reg) {
1810 case 0 ... 1: /* test */
1811 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1814 c->dst.val = ~c->dst.val;
1817 emulate_1op("neg", c->dst, ctxt->eflags);
1825 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1826 struct x86_emulate_ops *ops)
1828 struct decode_cache *c = &ctxt->decode;
1830 switch (c->modrm_reg) {
1832 emulate_1op("inc", c->dst, ctxt->eflags);
1835 emulate_1op("dec", c->dst, ctxt->eflags);
1837 case 2: /* call near abs */ {
1840 c->eip = c->src.val;
1841 c->src.val = old_eip;
1842 emulate_push(ctxt, ops);
1845 case 4: /* jmp abs */
1846 c->eip = c->src.val;
1849 emulate_push(ctxt, ops);
1852 return X86EMUL_CONTINUE;
1855 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1856 struct x86_emulate_ops *ops)
1858 struct decode_cache *c = &ctxt->decode;
1859 u64 old = c->dst.orig_val64;
1861 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1862 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1863 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1864 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1865 ctxt->eflags &= ~EFLG_ZF;
1867 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1868 (u32) c->regs[VCPU_REGS_RBX];
1870 ctxt->eflags |= EFLG_ZF;
1872 return X86EMUL_CONTINUE;
1875 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1876 struct x86_emulate_ops *ops)
1878 struct decode_cache *c = &ctxt->decode;
1882 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1883 if (rc != X86EMUL_CONTINUE)
1885 if (c->op_bytes == 4)
1886 c->eip = (u32)c->eip;
1887 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1888 if (rc != X86EMUL_CONTINUE)
1890 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1895 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1896 struct x86_emulate_ops *ops, struct desc_struct *cs,
1897 struct desc_struct *ss)
1899 memset(cs, 0, sizeof(struct desc_struct));
1900 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1901 memset(ss, 0, sizeof(struct desc_struct));
1903 cs->l = 0; /* will be adjusted later */
1904 set_desc_base(cs, 0); /* flat segment */
1905 cs->g = 1; /* 4kb granularity */
1906 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1907 cs->type = 0x0b; /* Read, Execute, Accessed */
1909 cs->dpl = 0; /* will be adjusted later */
1913 set_desc_base(ss, 0); /* flat segment */
1914 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1915 ss->g = 1; /* 4kb granularity */
1917 ss->type = 0x03; /* Read/Write, Accessed */
1918 ss->d = 1; /* 32bit stack segment */
1924 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1926 struct decode_cache *c = &ctxt->decode;
1927 struct desc_struct cs, ss;
1931 /* syscall is not available in real mode */
1932 if (ctxt->mode == X86EMUL_MODE_REAL ||
1933 ctxt->mode == X86EMUL_MODE_VM86) {
1935 return X86EMUL_PROPAGATE_FAULT;
1938 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1940 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1942 cs_sel = (u16)(msr_data & 0xfffc);
1943 ss_sel = (u16)(msr_data + 8);
1945 if (is_long_mode(ctxt->vcpu)) {
1949 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1950 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1951 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1952 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1954 c->regs[VCPU_REGS_RCX] = c->eip;
1955 if (is_long_mode(ctxt->vcpu)) {
1956 #ifdef CONFIG_X86_64
1957 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1959 ops->get_msr(ctxt->vcpu,
1960 ctxt->mode == X86EMUL_MODE_PROT64 ?
1961 MSR_LSTAR : MSR_CSTAR, &msr_data);
1964 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1965 ctxt->eflags &= ~(msr_data | EFLG_RF);
1969 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1970 c->eip = (u32)msr_data;
1972 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1975 return X86EMUL_CONTINUE;
1979 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1981 struct decode_cache *c = &ctxt->decode;
1982 struct desc_struct cs, ss;
1986 /* inject #GP if in real mode */
1987 if (ctxt->mode == X86EMUL_MODE_REAL) {
1988 emulate_gp(ctxt, 0);
1989 return X86EMUL_PROPAGATE_FAULT;
1992 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1993 * Therefore, we inject an #UD.
1995 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1997 return X86EMUL_PROPAGATE_FAULT;
2000 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2002 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2003 switch (ctxt->mode) {
2004 case X86EMUL_MODE_PROT32:
2005 if ((msr_data & 0xfffc) == 0x0) {
2006 emulate_gp(ctxt, 0);
2007 return X86EMUL_PROPAGATE_FAULT;
2010 case X86EMUL_MODE_PROT64:
2011 if (msr_data == 0x0) {
2012 emulate_gp(ctxt, 0);
2013 return X86EMUL_PROPAGATE_FAULT;
2018 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2019 cs_sel = (u16)msr_data;
2020 cs_sel &= ~SELECTOR_RPL_MASK;
2021 ss_sel = cs_sel + 8;
2022 ss_sel &= ~SELECTOR_RPL_MASK;
2023 if (ctxt->mode == X86EMUL_MODE_PROT64
2024 || is_long_mode(ctxt->vcpu)) {
2029 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2030 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2031 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2032 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2034 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
2037 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
2038 c->regs[VCPU_REGS_RSP] = msr_data;
2040 return X86EMUL_CONTINUE;
2044 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2046 struct decode_cache *c = &ctxt->decode;
2047 struct desc_struct cs, ss;
2052 /* inject #GP if in real mode or Virtual 8086 mode */
2053 if (ctxt->mode == X86EMUL_MODE_REAL ||
2054 ctxt->mode == X86EMUL_MODE_VM86) {
2055 emulate_gp(ctxt, 0);
2056 return X86EMUL_PROPAGATE_FAULT;
2059 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2061 if ((c->rex_prefix & 0x8) != 0x0)
2062 usermode = X86EMUL_MODE_PROT64;
2064 usermode = X86EMUL_MODE_PROT32;
2068 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2070 case X86EMUL_MODE_PROT32:
2071 cs_sel = (u16)(msr_data + 16);
2072 if ((msr_data & 0xfffc) == 0x0) {
2073 emulate_gp(ctxt, 0);
2074 return X86EMUL_PROPAGATE_FAULT;
2076 ss_sel = (u16)(msr_data + 24);
2078 case X86EMUL_MODE_PROT64:
2079 cs_sel = (u16)(msr_data + 32);
2080 if (msr_data == 0x0) {
2081 emulate_gp(ctxt, 0);
2082 return X86EMUL_PROPAGATE_FAULT;
2084 ss_sel = cs_sel + 8;
2089 cs_sel |= SELECTOR_RPL_MASK;
2090 ss_sel |= SELECTOR_RPL_MASK;
2092 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2093 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2094 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2095 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2097 c->eip = c->regs[VCPU_REGS_RDX];
2098 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
2100 return X86EMUL_CONTINUE;
2103 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
2104 struct x86_emulate_ops *ops)
2107 if (ctxt->mode == X86EMUL_MODE_REAL)
2109 if (ctxt->mode == X86EMUL_MODE_VM86)
2111 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2112 return ops->cpl(ctxt->vcpu) > iopl;
2115 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2116 struct x86_emulate_ops *ops,
2119 struct desc_struct tr_seg;
2122 u8 perm, bit_idx = port & 0x7;
2123 unsigned mask = (1 << len) - 1;
2125 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
2128 if (desc_limit_scaled(&tr_seg) < 103)
2130 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
2132 if (r != X86EMUL_CONTINUE)
2134 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2136 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
2137 &perm, 1, ctxt->vcpu, NULL);
2138 if (r != X86EMUL_CONTINUE)
2140 if ((perm >> bit_idx) & mask)
2145 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2146 struct x86_emulate_ops *ops,
2149 if (emulator_bad_iopl(ctxt, ops))
2150 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2155 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2156 struct x86_emulate_ops *ops,
2157 struct tss_segment_16 *tss)
2159 struct decode_cache *c = &ctxt->decode;
2162 tss->flag = ctxt->eflags;
2163 tss->ax = c->regs[VCPU_REGS_RAX];
2164 tss->cx = c->regs[VCPU_REGS_RCX];
2165 tss->dx = c->regs[VCPU_REGS_RDX];
2166 tss->bx = c->regs[VCPU_REGS_RBX];
2167 tss->sp = c->regs[VCPU_REGS_RSP];
2168 tss->bp = c->regs[VCPU_REGS_RBP];
2169 tss->si = c->regs[VCPU_REGS_RSI];
2170 tss->di = c->regs[VCPU_REGS_RDI];
2172 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2173 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2174 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2175 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2176 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2179 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2180 struct x86_emulate_ops *ops,
2181 struct tss_segment_16 *tss)
2183 struct decode_cache *c = &ctxt->decode;
2187 ctxt->eflags = tss->flag | 2;
2188 c->regs[VCPU_REGS_RAX] = tss->ax;
2189 c->regs[VCPU_REGS_RCX] = tss->cx;
2190 c->regs[VCPU_REGS_RDX] = tss->dx;
2191 c->regs[VCPU_REGS_RBX] = tss->bx;
2192 c->regs[VCPU_REGS_RSP] = tss->sp;
2193 c->regs[VCPU_REGS_RBP] = tss->bp;
2194 c->regs[VCPU_REGS_RSI] = tss->si;
2195 c->regs[VCPU_REGS_RDI] = tss->di;
2198 * SDM says that segment selectors are loaded before segment
2201 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2202 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2203 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2204 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2205 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2208 * Now load segment descriptors. If fault happenes at this stage
2209 * it is handled in a context of new task
2211 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2212 if (ret != X86EMUL_CONTINUE)
2214 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2215 if (ret != X86EMUL_CONTINUE)
2217 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2218 if (ret != X86EMUL_CONTINUE)
2220 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2221 if (ret != X86EMUL_CONTINUE)
2223 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2224 if (ret != X86EMUL_CONTINUE)
2227 return X86EMUL_CONTINUE;
2230 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2231 struct x86_emulate_ops *ops,
2232 u16 tss_selector, u16 old_tss_sel,
2233 ulong old_tss_base, struct desc_struct *new_desc)
2235 struct tss_segment_16 tss_seg;
2237 u32 err, new_tss_base = get_desc_base(new_desc);
2239 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2241 if (ret == X86EMUL_PROPAGATE_FAULT) {
2242 /* FIXME: need to provide precise fault address */
2243 emulate_pf(ctxt, old_tss_base, err);
2247 save_state_to_tss16(ctxt, ops, &tss_seg);
2249 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2251 if (ret == X86EMUL_PROPAGATE_FAULT) {
2252 /* FIXME: need to provide precise fault address */
2253 emulate_pf(ctxt, old_tss_base, err);
2257 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2259 if (ret == X86EMUL_PROPAGATE_FAULT) {
2260 /* FIXME: need to provide precise fault address */
2261 emulate_pf(ctxt, new_tss_base, err);
2265 if (old_tss_sel != 0xffff) {
2266 tss_seg.prev_task_link = old_tss_sel;
2268 ret = ops->write_std(new_tss_base,
2269 &tss_seg.prev_task_link,
2270 sizeof tss_seg.prev_task_link,
2272 if (ret == X86EMUL_PROPAGATE_FAULT) {
2273 /* FIXME: need to provide precise fault address */
2274 emulate_pf(ctxt, new_tss_base, err);
2279 return load_state_from_tss16(ctxt, ops, &tss_seg);
2282 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2283 struct x86_emulate_ops *ops,
2284 struct tss_segment_32 *tss)
2286 struct decode_cache *c = &ctxt->decode;
2288 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2290 tss->eflags = ctxt->eflags;
2291 tss->eax = c->regs[VCPU_REGS_RAX];
2292 tss->ecx = c->regs[VCPU_REGS_RCX];
2293 tss->edx = c->regs[VCPU_REGS_RDX];
2294 tss->ebx = c->regs[VCPU_REGS_RBX];
2295 tss->esp = c->regs[VCPU_REGS_RSP];
2296 tss->ebp = c->regs[VCPU_REGS_RBP];
2297 tss->esi = c->regs[VCPU_REGS_RSI];
2298 tss->edi = c->regs[VCPU_REGS_RDI];
2300 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2301 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2302 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2303 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2304 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2305 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2306 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2309 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2310 struct x86_emulate_ops *ops,
2311 struct tss_segment_32 *tss)
2313 struct decode_cache *c = &ctxt->decode;
2316 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2317 emulate_gp(ctxt, 0);
2318 return X86EMUL_PROPAGATE_FAULT;
2321 ctxt->eflags = tss->eflags | 2;
2322 c->regs[VCPU_REGS_RAX] = tss->eax;
2323 c->regs[VCPU_REGS_RCX] = tss->ecx;
2324 c->regs[VCPU_REGS_RDX] = tss->edx;
2325 c->regs[VCPU_REGS_RBX] = tss->ebx;
2326 c->regs[VCPU_REGS_RSP] = tss->esp;
2327 c->regs[VCPU_REGS_RBP] = tss->ebp;
2328 c->regs[VCPU_REGS_RSI] = tss->esi;
2329 c->regs[VCPU_REGS_RDI] = tss->edi;
2332 * SDM says that segment selectors are loaded before segment
2335 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2336 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2337 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2338 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2339 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2340 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2341 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2344 * Now load segment descriptors. If fault happenes at this stage
2345 * it is handled in a context of new task
2347 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2348 if (ret != X86EMUL_CONTINUE)
2350 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2351 if (ret != X86EMUL_CONTINUE)
2353 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2354 if (ret != X86EMUL_CONTINUE)
2356 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2357 if (ret != X86EMUL_CONTINUE)
2359 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2360 if (ret != X86EMUL_CONTINUE)
2362 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2363 if (ret != X86EMUL_CONTINUE)
2365 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2366 if (ret != X86EMUL_CONTINUE)
2369 return X86EMUL_CONTINUE;
2372 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2373 struct x86_emulate_ops *ops,
2374 u16 tss_selector, u16 old_tss_sel,
2375 ulong old_tss_base, struct desc_struct *new_desc)
2377 struct tss_segment_32 tss_seg;
2379 u32 err, new_tss_base = get_desc_base(new_desc);
2381 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2383 if (ret == X86EMUL_PROPAGATE_FAULT) {
2384 /* FIXME: need to provide precise fault address */
2385 emulate_pf(ctxt, old_tss_base, err);
2389 save_state_to_tss32(ctxt, ops, &tss_seg);
2391 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2393 if (ret == X86EMUL_PROPAGATE_FAULT) {
2394 /* FIXME: need to provide precise fault address */
2395 emulate_pf(ctxt, old_tss_base, err);
2399 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2401 if (ret == X86EMUL_PROPAGATE_FAULT) {
2402 /* FIXME: need to provide precise fault address */
2403 emulate_pf(ctxt, new_tss_base, err);
2407 if (old_tss_sel != 0xffff) {
2408 tss_seg.prev_task_link = old_tss_sel;
2410 ret = ops->write_std(new_tss_base,
2411 &tss_seg.prev_task_link,
2412 sizeof tss_seg.prev_task_link,
2414 if (ret == X86EMUL_PROPAGATE_FAULT) {
2415 /* FIXME: need to provide precise fault address */
2416 emulate_pf(ctxt, new_tss_base, err);
2421 return load_state_from_tss32(ctxt, ops, &tss_seg);
2424 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2425 struct x86_emulate_ops *ops,
2426 u16 tss_selector, int reason,
2427 bool has_error_code, u32 error_code)
2429 struct desc_struct curr_tss_desc, next_tss_desc;
2431 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2432 ulong old_tss_base =
2433 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2436 /* FIXME: old_tss_base == ~0 ? */
2438 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2439 if (ret != X86EMUL_CONTINUE)
2441 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2442 if (ret != X86EMUL_CONTINUE)
2445 /* FIXME: check that next_tss_desc is tss */
2447 if (reason != TASK_SWITCH_IRET) {
2448 if ((tss_selector & 3) > next_tss_desc.dpl ||
2449 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2450 emulate_gp(ctxt, 0);
2451 return X86EMUL_PROPAGATE_FAULT;
2455 desc_limit = desc_limit_scaled(&next_tss_desc);
2456 if (!next_tss_desc.p ||
2457 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2458 desc_limit < 0x2b)) {
2459 emulate_ts(ctxt, tss_selector & 0xfffc);
2460 return X86EMUL_PROPAGATE_FAULT;
2463 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2464 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2465 write_segment_descriptor(ctxt, ops, old_tss_sel,
2469 if (reason == TASK_SWITCH_IRET)
2470 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2472 /* set back link to prev task only if NT bit is set in eflags
2473 note that old_tss_sel is not used afetr this point */
2474 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2475 old_tss_sel = 0xffff;
2477 if (next_tss_desc.type & 8)
2478 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2479 old_tss_base, &next_tss_desc);
2481 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2482 old_tss_base, &next_tss_desc);
2483 if (ret != X86EMUL_CONTINUE)
2486 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2487 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2489 if (reason != TASK_SWITCH_IRET) {
2490 next_tss_desc.type |= (1 << 1); /* set busy flag */
2491 write_segment_descriptor(ctxt, ops, tss_selector,
2495 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2496 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2497 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2499 if (has_error_code) {
2500 struct decode_cache *c = &ctxt->decode;
2502 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2504 c->src.val = (unsigned long) error_code;
2505 emulate_push(ctxt, ops);
2511 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2512 struct x86_emulate_ops *ops,
2513 u16 tss_selector, int reason,
2514 bool has_error_code, u32 error_code)
2516 struct decode_cache *c = &ctxt->decode;
2520 c->dst.type = OP_NONE;
2522 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2523 has_error_code, error_code);
2525 if (rc == X86EMUL_CONTINUE) {
2526 rc = writeback(ctxt, ops);
2527 if (rc == X86EMUL_CONTINUE)
2531 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2534 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2535 int reg, struct operand *op)
2537 struct decode_cache *c = &ctxt->decode;
2538 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2540 register_address_increment(c, &c->regs[reg], df * op->bytes);
2541 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2545 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2548 struct decode_cache *c = &ctxt->decode;
2549 int rc = X86EMUL_CONTINUE;
2550 int saved_dst_type = c->dst.type;
2552 ctxt->decode.mem_read.pos = 0;
2554 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2559 /* LOCK prefix is allowed only with some instructions */
2560 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2565 /* Privileged instruction can be executed only in CPL=0 */
2566 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2567 emulate_gp(ctxt, 0);
2571 if (c->rep_prefix && (c->d & String)) {
2572 ctxt->restart = true;
2573 /* All REP prefixes have the same first termination condition */
2574 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2576 ctxt->restart = false;
2580 /* The second termination condition only applies for REPE
2581 * and REPNE. Test if the repeat string operation prefix is
2582 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2583 * corresponding termination condition according to:
2584 * - if REPE/REPZ and ZF = 0 then done
2585 * - if REPNE/REPNZ and ZF = 1 then done
2587 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2588 (c->b == 0xae) || (c->b == 0xaf)) {
2589 if ((c->rep_prefix == REPE_PREFIX) &&
2590 ((ctxt->eflags & EFLG_ZF) == 0))
2592 if ((c->rep_prefix == REPNE_PREFIX) &&
2593 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2599 if (c->src.type == OP_MEM) {
2600 rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2601 c->src.valptr, c->src.bytes);
2602 if (rc != X86EMUL_CONTINUE)
2604 c->src.orig_val64 = c->src.val64;
2607 if (c->src2.type == OP_MEM) {
2608 rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
2609 &c->src2.val, c->src2.bytes);
2610 if (rc != X86EMUL_CONTINUE)
2614 if ((c->d & DstMask) == ImplicitOps)
2618 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2619 /* optimisation - avoid slow emulated read if Mov */
2620 rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
2621 &c->dst.val, c->dst.bytes);
2622 if (rc != X86EMUL_CONTINUE)
2625 c->dst.orig_val = c->dst.val;
2635 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2637 case 0x06: /* push es */
2638 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2640 case 0x07: /* pop es */
2641 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2642 if (rc != X86EMUL_CONTINUE)
2647 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2649 case 0x0e: /* push cs */
2650 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2654 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2656 case 0x16: /* push ss */
2657 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2659 case 0x17: /* pop ss */
2660 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2661 if (rc != X86EMUL_CONTINUE)
2666 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2668 case 0x1e: /* push ds */
2669 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2671 case 0x1f: /* pop ds */
2672 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2673 if (rc != X86EMUL_CONTINUE)
2678 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2682 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2686 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2690 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2692 case 0x40 ... 0x47: /* inc r16/r32 */
2693 emulate_1op("inc", c->dst, ctxt->eflags);
2695 case 0x48 ... 0x4f: /* dec r16/r32 */
2696 emulate_1op("dec", c->dst, ctxt->eflags);
2698 case 0x50 ... 0x57: /* push reg */
2699 emulate_push(ctxt, ops);
2701 case 0x58 ... 0x5f: /* pop reg */
2703 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2704 if (rc != X86EMUL_CONTINUE)
2707 case 0x60: /* pusha */
2708 rc = emulate_pusha(ctxt, ops);
2709 if (rc != X86EMUL_CONTINUE)
2712 case 0x61: /* popa */
2713 rc = emulate_popa(ctxt, ops);
2714 if (rc != X86EMUL_CONTINUE)
2717 case 0x63: /* movsxd */
2718 if (ctxt->mode != X86EMUL_MODE_PROT64)
2719 goto cannot_emulate;
2720 c->dst.val = (s32) c->src.val;
2722 case 0x68: /* push imm */
2723 case 0x6a: /* push imm8 */
2724 emulate_push(ctxt, ops);
2726 case 0x6c: /* insb */
2727 case 0x6d: /* insw/insd */
2728 c->dst.bytes = min(c->dst.bytes, 4u);
2729 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2731 emulate_gp(ctxt, 0);
2734 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2735 c->regs[VCPU_REGS_RDX], &c->dst.val))
2736 goto done; /* IO is needed, skip writeback */
2738 case 0x6e: /* outsb */
2739 case 0x6f: /* outsw/outsd */
2740 c->src.bytes = min(c->src.bytes, 4u);
2741 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2743 emulate_gp(ctxt, 0);
2746 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2747 &c->src.val, 1, ctxt->vcpu);
2749 c->dst.type = OP_NONE; /* nothing to writeback */
2751 case 0x70 ... 0x7f: /* jcc (short) */
2752 if (test_cc(c->b, ctxt->eflags))
2753 jmp_rel(c, c->src.val);
2755 case 0x80 ... 0x83: /* Grp1 */
2756 switch (c->modrm_reg) {
2777 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2779 case 0x86 ... 0x87: /* xchg */
2781 /* Write back the register source. */
2782 switch (c->dst.bytes) {
2784 *(u8 *) c->src.ptr = (u8) c->dst.val;
2787 *(u16 *) c->src.ptr = (u16) c->dst.val;
2790 *c->src.ptr = (u32) c->dst.val;
2791 break; /* 64b reg: zero-extend */
2793 *c->src.ptr = c->dst.val;
2797 * Write back the memory destination with implicit LOCK
2800 c->dst.val = c->src.val;
2803 case 0x88 ... 0x8b: /* mov */
2805 case 0x8c: /* mov r/m, sreg */
2806 if (c->modrm_reg > VCPU_SREG_GS) {
2810 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2812 case 0x8d: /* lea r16/r32, m */
2813 c->dst.val = c->modrm_ea;
2815 case 0x8e: { /* mov seg, r/m16 */
2820 if (c->modrm_reg == VCPU_SREG_CS ||
2821 c->modrm_reg > VCPU_SREG_GS) {
2826 if (c->modrm_reg == VCPU_SREG_SS)
2827 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2829 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2831 c->dst.type = OP_NONE; /* Disable writeback. */
2834 case 0x8f: /* pop (sole member of Grp1a) */
2835 rc = emulate_grp1a(ctxt, ops);
2836 if (rc != X86EMUL_CONTINUE)
2839 case 0x90: /* nop / xchg r8,rax */
2840 if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
2841 c->dst.type = OP_NONE; /* nop */
2844 case 0x91 ... 0x97: /* xchg reg,rax */
2845 c->src.type = OP_REG;
2846 c->src.bytes = c->op_bytes;
2847 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2848 c->src.val = *(c->src.ptr);
2850 case 0x9c: /* pushf */
2851 c->src.val = (unsigned long) ctxt->eflags;
2852 emulate_push(ctxt, ops);
2854 case 0x9d: /* popf */
2855 c->dst.type = OP_REG;
2856 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2857 c->dst.bytes = c->op_bytes;
2858 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2859 if (rc != X86EMUL_CONTINUE)
2862 case 0xa0 ... 0xa3: /* mov */
2863 case 0xa4 ... 0xa5: /* movs */
2865 case 0xa6 ... 0xa7: /* cmps */
2866 c->dst.type = OP_NONE; /* Disable writeback. */
2867 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2869 case 0xa8 ... 0xa9: /* test ax, imm */
2871 case 0xaa ... 0xab: /* stos */
2872 c->dst.val = c->regs[VCPU_REGS_RAX];
2874 case 0xac ... 0xad: /* lods */
2876 case 0xae ... 0xaf: /* scas */
2877 DPRINTF("Urk! I don't handle SCAS.\n");
2878 goto cannot_emulate;
2879 case 0xb0 ... 0xbf: /* mov r, imm */
2884 case 0xc3: /* ret */
2885 c->dst.type = OP_REG;
2886 c->dst.ptr = &c->eip;
2887 c->dst.bytes = c->op_bytes;
2888 goto pop_instruction;
2889 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2891 c->dst.val = c->src.val;
2893 case 0xcb: /* ret far */
2894 rc = emulate_ret_far(ctxt, ops);
2895 if (rc != X86EMUL_CONTINUE)
2898 case 0xd0 ... 0xd1: /* Grp2 */
2902 case 0xd2 ... 0xd3: /* Grp2 */
2903 c->src.val = c->regs[VCPU_REGS_RCX];
2906 case 0xe4: /* inb */
2909 case 0xe6: /* outb */
2910 case 0xe7: /* out */
2912 case 0xe8: /* call (near) */ {
2913 long int rel = c->src.val;
2914 c->src.val = (unsigned long) c->eip;
2916 emulate_push(ctxt, ops);
2919 case 0xe9: /* jmp rel */
2921 case 0xea: { /* jmp far */
2924 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2926 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
2930 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2934 jmp: /* jmp rel short */
2935 jmp_rel(c, c->src.val);
2936 c->dst.type = OP_NONE; /* Disable writeback. */
2938 case 0xec: /* in al,dx */
2939 case 0xed: /* in (e/r)ax,dx */
2940 c->src.val = c->regs[VCPU_REGS_RDX];
2942 c->dst.bytes = min(c->dst.bytes, 4u);
2943 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2944 emulate_gp(ctxt, 0);
2947 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
2949 goto done; /* IO is needed */
2951 case 0xee: /* out dx,al */
2952 case 0xef: /* out dx,(e/r)ax */
2953 c->src.val = c->regs[VCPU_REGS_RDX];
2955 c->dst.bytes = min(c->dst.bytes, 4u);
2956 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2957 emulate_gp(ctxt, 0);
2960 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
2962 c->dst.type = OP_NONE; /* Disable writeback. */
2964 case 0xf4: /* hlt */
2965 ctxt->vcpu->arch.halt_request = 1;
2967 case 0xf5: /* cmc */
2968 /* complement carry flag from eflags reg */
2969 ctxt->eflags ^= EFLG_CF;
2970 c->dst.type = OP_NONE; /* Disable writeback. */
2972 case 0xf6 ... 0xf7: /* Grp3 */
2973 if (!emulate_grp3(ctxt, ops))
2974 goto cannot_emulate;
2976 case 0xf8: /* clc */
2977 ctxt->eflags &= ~EFLG_CF;
2978 c->dst.type = OP_NONE; /* Disable writeback. */
2980 case 0xfa: /* cli */
2981 if (emulator_bad_iopl(ctxt, ops)) {
2982 emulate_gp(ctxt, 0);
2985 ctxt->eflags &= ~X86_EFLAGS_IF;
2986 c->dst.type = OP_NONE; /* Disable writeback. */
2989 case 0xfb: /* sti */
2990 if (emulator_bad_iopl(ctxt, ops)) {
2991 emulate_gp(ctxt, 0);
2994 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
2995 ctxt->eflags |= X86_EFLAGS_IF;
2996 c->dst.type = OP_NONE; /* Disable writeback. */
2999 case 0xfc: /* cld */
3000 ctxt->eflags &= ~EFLG_DF;
3001 c->dst.type = OP_NONE; /* Disable writeback. */
3003 case 0xfd: /* std */
3004 ctxt->eflags |= EFLG_DF;
3005 c->dst.type = OP_NONE; /* Disable writeback. */
3007 case 0xfe: /* Grp4 */
3009 rc = emulate_grp45(ctxt, ops);
3010 if (rc != X86EMUL_CONTINUE)
3013 case 0xff: /* Grp5 */
3014 if (c->modrm_reg == 5)
3018 goto cannot_emulate;
3022 rc = writeback(ctxt, ops);
3023 if (rc != X86EMUL_CONTINUE)
3027 * restore dst type in case the decoding will be reused
3028 * (happens for string instruction )
3030 c->dst.type = saved_dst_type;
3032 if ((c->d & SrcMask) == SrcSI)
3033 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3034 VCPU_REGS_RSI, &c->src);
3036 if ((c->d & DstMask) == DstDI)
3037 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3040 if (c->rep_prefix && (c->d & String)) {
3041 struct read_cache *rc = &ctxt->decode.io_read;
3042 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3044 * Re-enter guest when pio read ahead buffer is empty or,
3045 * if it is not used, after each 1024 iteration.
3047 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3048 (rc->end != 0 && rc->end == rc->pos))
3049 ctxt->restart = false;
3052 * reset read cache here in case string instruction is restared
3055 ctxt->decode.mem_read.end = 0;
3059 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3063 case 0x01: /* lgdt, lidt, lmsw */
3064 switch (c->modrm_reg) {
3066 unsigned long address;
3068 case 0: /* vmcall */
3069 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3070 goto cannot_emulate;
3072 rc = kvm_fix_hypercall(ctxt->vcpu);
3073 if (rc != X86EMUL_CONTINUE)
3076 /* Let the processor re-execute the fixed hypercall */
3078 /* Disable writeback. */
3079 c->dst.type = OP_NONE;
3082 rc = read_descriptor(ctxt, ops, c->src.ptr,
3083 &size, &address, c->op_bytes);
3084 if (rc != X86EMUL_CONTINUE)
3086 realmode_lgdt(ctxt->vcpu, size, address);
3087 /* Disable writeback. */
3088 c->dst.type = OP_NONE;
3090 case 3: /* lidt/vmmcall */
3091 if (c->modrm_mod == 3) {
3092 switch (c->modrm_rm) {
3094 rc = kvm_fix_hypercall(ctxt->vcpu);
3095 if (rc != X86EMUL_CONTINUE)
3099 goto cannot_emulate;
3102 rc = read_descriptor(ctxt, ops, c->src.ptr,
3105 if (rc != X86EMUL_CONTINUE)
3107 realmode_lidt(ctxt->vcpu, size, address);
3109 /* Disable writeback. */
3110 c->dst.type = OP_NONE;
3114 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3117 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3118 (c->src.val & 0x0f), ctxt->vcpu);
3119 c->dst.type = OP_NONE;
3121 case 5: /* not defined */
3125 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3126 /* Disable writeback. */
3127 c->dst.type = OP_NONE;
3130 goto cannot_emulate;
3133 case 0x05: /* syscall */
3134 rc = emulate_syscall(ctxt, ops);
3135 if (rc != X86EMUL_CONTINUE)
3141 emulate_clts(ctxt->vcpu);
3142 c->dst.type = OP_NONE;
3144 case 0x09: /* wbinvd */
3145 kvm_emulate_wbinvd(ctxt->vcpu);
3146 c->dst.type = OP_NONE;
3148 case 0x08: /* invd */
3149 case 0x0d: /* GrpP (prefetch) */
3150 case 0x18: /* Grp16 (prefetch/nop) */
3151 c->dst.type = OP_NONE;
3153 case 0x20: /* mov cr, reg */
3154 switch (c->modrm_reg) {
3161 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3162 c->dst.type = OP_NONE; /* no writeback */
3164 case 0x21: /* mov from dr to reg */
3165 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3166 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3170 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3171 c->dst.type = OP_NONE; /* no writeback */
3173 case 0x22: /* mov reg, cr */
3174 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3175 emulate_gp(ctxt, 0);
3178 c->dst.type = OP_NONE;
3180 case 0x23: /* mov from reg to dr */
3181 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3182 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3187 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3188 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3189 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3190 /* #UD condition is already handled by the code above */
3191 emulate_gp(ctxt, 0);
3195 c->dst.type = OP_NONE; /* no writeback */
3199 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3200 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3201 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3202 emulate_gp(ctxt, 0);
3205 rc = X86EMUL_CONTINUE;
3206 c->dst.type = OP_NONE;
3210 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3211 emulate_gp(ctxt, 0);
3214 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3215 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3217 rc = X86EMUL_CONTINUE;
3218 c->dst.type = OP_NONE;
3220 case 0x34: /* sysenter */
3221 rc = emulate_sysenter(ctxt, ops);
3222 if (rc != X86EMUL_CONTINUE)
3227 case 0x35: /* sysexit */
3228 rc = emulate_sysexit(ctxt, ops);
3229 if (rc != X86EMUL_CONTINUE)
3234 case 0x40 ... 0x4f: /* cmov */
3235 c->dst.val = c->dst.orig_val = c->src.val;
3236 if (!test_cc(c->b, ctxt->eflags))
3237 c->dst.type = OP_NONE; /* no writeback */
3239 case 0x80 ... 0x8f: /* jnz rel, etc*/
3240 if (test_cc(c->b, ctxt->eflags))
3241 jmp_rel(c, c->src.val);
3242 c->dst.type = OP_NONE;
3244 case 0xa0: /* push fs */
3245 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3247 case 0xa1: /* pop fs */
3248 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3249 if (rc != X86EMUL_CONTINUE)
3254 c->dst.type = OP_NONE;
3255 /* only subword offset */
3256 c->src.val &= (c->dst.bytes << 3) - 1;
3257 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3259 case 0xa4: /* shld imm8, r, r/m */
3260 case 0xa5: /* shld cl, r, r/m */
3261 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3263 case 0xa8: /* push gs */
3264 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3266 case 0xa9: /* pop gs */
3267 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3268 if (rc != X86EMUL_CONTINUE)
3273 /* only subword offset */
3274 c->src.val &= (c->dst.bytes << 3) - 1;
3275 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3277 case 0xac: /* shrd imm8, r, r/m */
3278 case 0xad: /* shrd cl, r, r/m */
3279 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3281 case 0xae: /* clflush */
3283 case 0xb0 ... 0xb1: /* cmpxchg */
3285 * Save real source value, then compare EAX against
3288 c->src.orig_val = c->src.val;
3289 c->src.val = c->regs[VCPU_REGS_RAX];
3290 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3291 if (ctxt->eflags & EFLG_ZF) {
3292 /* Success: write back to memory. */
3293 c->dst.val = c->src.orig_val;
3295 /* Failure: write the value we saw to EAX. */
3296 c->dst.type = OP_REG;
3297 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3302 /* only subword offset */
3303 c->src.val &= (c->dst.bytes << 3) - 1;
3304 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3306 case 0xb6 ... 0xb7: /* movzx */
3307 c->dst.bytes = c->op_bytes;
3308 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3311 case 0xba: /* Grp8 */
3312 switch (c->modrm_reg & 3) {
3325 /* only subword offset */
3326 c->src.val &= (c->dst.bytes << 3) - 1;
3327 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3329 case 0xbe ... 0xbf: /* movsx */
3330 c->dst.bytes = c->op_bytes;
3331 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3334 case 0xc3: /* movnti */
3335 c->dst.bytes = c->op_bytes;
3336 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3339 case 0xc7: /* Grp9 (cmpxchg8b) */
3340 rc = emulate_grp9(ctxt, ops);
3341 if (rc != X86EMUL_CONTINUE)
3345 goto cannot_emulate;
3350 DPRINTF("Cannot emulate %02x\n", c->b);
git.openpandora.org / pandora-kernel.git / blob