1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
77 /* Destination is only written; never read. */
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
86 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
87 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
88 #define Undefined (1<<25) /* No Such Instruction */
89 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
90 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
92 /* Source 2 operand type */
93 #define Src2None (0<<29)
94 #define Src2CL (1<<29)
95 #define Src2ImmByte (2<<29)
96 #define Src2One (3<<29)
97 #define Src2Mask (7<<29)
100 #define X3(x...) X2(x), x
101 #define X4(x...) X2(x), X2(x)
102 #define X5(x...) X4(x), x
103 #define X6(x...) X4(x), X2(x)
104 #define X7(x...) X4(x), X3(x)
105 #define X8(x...) X4(x), X4(x)
106 #define X16(x...) X8(x), X8(x)
111 int (*execute)(struct x86_emulate_ctxt *ctxt);
112 struct opcode *group;
113 struct group_dual *gdual;
118 struct opcode mod012[8];
119 struct opcode mod3[8];
122 /* EFLAGS bit definitions. */
123 #define EFLG_ID (1<<21)
124 #define EFLG_VIP (1<<20)
125 #define EFLG_VIF (1<<19)
126 #define EFLG_AC (1<<18)
127 #define EFLG_VM (1<<17)
128 #define EFLG_RF (1<<16)
129 #define EFLG_IOPL (3<<12)
130 #define EFLG_NT (1<<14)
131 #define EFLG_OF (1<<11)
132 #define EFLG_DF (1<<10)
133 #define EFLG_IF (1<<9)
134 #define EFLG_TF (1<<8)
135 #define EFLG_SF (1<<7)
136 #define EFLG_ZF (1<<6)
137 #define EFLG_AF (1<<4)
138 #define EFLG_PF (1<<2)
139 #define EFLG_CF (1<<0)
141 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
142 #define EFLG_RESERVED_ONE_MASK 2
145 * Instruction emulation:
146 * Most instructions are emulated directly via a fragment of inline assembly
147 * code. This allows us to save/restore EFLAGS and thus very easily pick up
148 * any modified flags.
151 #if defined(CONFIG_X86_64)
152 #define _LO32 "k" /* force 32-bit operand */
153 #define _STK "%%rsp" /* stack pointer */
154 #elif defined(__i386__)
155 #define _LO32 "" /* force 32-bit operand */
156 #define _STK "%%esp" /* stack pointer */
160 * These EFLAGS bits are restored from saved value during emulation, and
161 * any changes are written back to the saved value after emulation.
163 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
165 /* Before executing instruction: restore necessary bits in EFLAGS. */
166 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
167 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
168 "movl %"_sav",%"_LO32 _tmp"; " \
171 "movl %"_msk",%"_LO32 _tmp"; " \
172 "andl %"_LO32 _tmp",("_STK"); " \
174 "notl %"_LO32 _tmp"; " \
175 "andl %"_LO32 _tmp",("_STK"); " \
176 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
178 "orl %"_LO32 _tmp",("_STK"); " \
182 /* After executing instruction: write-back necessary bits in EFLAGS. */
183 #define _POST_EFLAGS(_sav, _msk, _tmp) \
184 /* _sav |= EFLAGS & _msk; */ \
187 "andl %"_msk",%"_LO32 _tmp"; " \
188 "orl %"_LO32 _tmp",%"_sav"; "
196 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
198 __asm__ __volatile__ ( \
199 _PRE_EFLAGS("0", "4", "2") \
200 _op _suffix " %"_x"3,%1; " \
201 _POST_EFLAGS("0", "4", "2") \
202 : "=m" (_eflags), "=m" ((_dst).val), \
204 : _y ((_src).val), "i" (EFLAGS_MASK)); \
208 /* Raw emulation: instruction has two explicit operands. */
209 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
211 unsigned long _tmp; \
213 switch ((_dst).bytes) { \
215 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
218 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
221 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
226 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
228 unsigned long _tmp; \
229 switch ((_dst).bytes) { \
231 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
234 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
235 _wx, _wy, _lx, _ly, _qx, _qy); \
240 /* Source operand is byte-sized and may be restricted to just %cl. */
241 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
242 __emulate_2op(_op, _src, _dst, _eflags, \
243 "b", "c", "b", "c", "b", "c", "b", "c")
245 /* Source operand is byte, word, long or quad sized. */
246 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
247 __emulate_2op(_op, _src, _dst, _eflags, \
248 "b", "q", "w", "r", _LO32, "r", "", "r")
250 /* Source operand is word, long or quad sized. */
251 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
252 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
253 "w", "r", _LO32, "r", "", "r")
255 /* Instruction has three operands and one operand is stored in ECX register */
256 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
258 unsigned long _tmp; \
259 _type _clv = (_cl).val; \
260 _type _srcv = (_src).val; \
261 _type _dstv = (_dst).val; \
263 __asm__ __volatile__ ( \
264 _PRE_EFLAGS("0", "5", "2") \
265 _op _suffix " %4,%1 \n" \
266 _POST_EFLAGS("0", "5", "2") \
267 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
268 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
271 (_cl).val = (unsigned long) _clv; \
272 (_src).val = (unsigned long) _srcv; \
273 (_dst).val = (unsigned long) _dstv; \
276 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
278 switch ((_dst).bytes) { \
280 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
281 "w", unsigned short); \
284 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
285 "l", unsigned int); \
288 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
289 "q", unsigned long)); \
294 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
296 unsigned long _tmp; \
298 __asm__ __volatile__ ( \
299 _PRE_EFLAGS("0", "3", "2") \
300 _op _suffix " %1; " \
301 _POST_EFLAGS("0", "3", "2") \
302 : "=m" (_eflags), "+m" ((_dst).val), \
304 : "i" (EFLAGS_MASK)); \
307 /* Instruction has only one explicit operand (no source operand). */
308 #define emulate_1op(_op, _dst, _eflags) \
310 switch ((_dst).bytes) { \
311 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
312 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
313 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
314 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
318 /* Fetch next part of the instruction being emulated. */
319 #define insn_fetch(_type, _size, _eip) \
320 ({ unsigned long _x; \
321 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
322 if (rc != X86EMUL_CONTINUE) \
328 #define insn_fetch_arr(_arr, _size, _eip) \
329 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
330 if (rc != X86EMUL_CONTINUE) \
335 static inline unsigned long ad_mask(struct decode_cache *c)
337 return (1UL << (c->ad_bytes << 3)) - 1;
340 /* Access/update address held in a register, based on addressing mode. */
341 static inline unsigned long
342 address_mask(struct decode_cache *c, unsigned long reg)
344 if (c->ad_bytes == sizeof(unsigned long))
347 return reg & ad_mask(c);
350 static inline unsigned long
351 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
353 return base + address_mask(c, reg);
357 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
359 if (c->ad_bytes == sizeof(unsigned long))
362 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
365 static inline void jmp_rel(struct decode_cache *c, int rel)
367 register_address_increment(c, &c->eip, rel);
370 static void set_seg_override(struct decode_cache *c, int seg)
372 c->has_seg_override = true;
373 c->seg_override = seg;
376 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
377 struct x86_emulate_ops *ops, int seg)
379 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
382 return ops->get_cached_segment_base(seg, ctxt->vcpu);
385 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
386 struct x86_emulate_ops *ops,
387 struct decode_cache *c)
389 if (!c->has_seg_override)
392 return seg_base(ctxt, ops, c->seg_override);
395 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
396 struct x86_emulate_ops *ops)
398 return seg_base(ctxt, ops, VCPU_SREG_ES);
401 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
402 struct x86_emulate_ops *ops)
404 return seg_base(ctxt, ops, VCPU_SREG_SS);
407 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
408 u32 error, bool valid)
410 ctxt->exception = vec;
411 ctxt->error_code = error;
412 ctxt->error_code_valid = valid;
413 ctxt->restart = false;
416 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
418 emulate_exception(ctxt, GP_VECTOR, err, true);
421 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
425 emulate_exception(ctxt, PF_VECTOR, err, true);
428 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
430 emulate_exception(ctxt, UD_VECTOR, 0, false);
433 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
435 emulate_exception(ctxt, TS_VECTOR, err, true);
438 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
439 struct x86_emulate_ops *ops,
440 unsigned long eip, u8 *dest)
442 struct fetch_cache *fc = &ctxt->decode.fetch;
446 if (eip == fc->end) {
447 cur_size = fc->end - fc->start;
448 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
449 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
450 size, ctxt->vcpu, NULL);
451 if (rc != X86EMUL_CONTINUE)
455 *dest = fc->data[eip - fc->start];
456 return X86EMUL_CONTINUE;
459 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
460 struct x86_emulate_ops *ops,
461 unsigned long eip, void *dest, unsigned size)
465 /* x86 instructions are limited to 15 bytes. */
466 if (eip + size - ctxt->eip > 15)
467 return X86EMUL_UNHANDLEABLE;
469 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
470 if (rc != X86EMUL_CONTINUE)
473 return X86EMUL_CONTINUE;
477 * Given the 'reg' portion of a ModRM byte, and a register block, return a
478 * pointer into the block that addresses the relevant register.
479 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
481 static void *decode_register(u8 modrm_reg, unsigned long *regs,
486 p = ®s[modrm_reg];
487 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
488 p = (unsigned char *)®s[modrm_reg & 3] + 1;
492 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
493 struct x86_emulate_ops *ops,
495 u16 *size, unsigned long *address, int op_bytes)
502 rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
503 if (rc != X86EMUL_CONTINUE)
505 rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
509 static int test_cc(unsigned int condition, unsigned int flags)
513 switch ((condition & 15) >> 1) {
515 rc |= (flags & EFLG_OF);
517 case 1: /* b/c/nae */
518 rc |= (flags & EFLG_CF);
521 rc |= (flags & EFLG_ZF);
524 rc |= (flags & (EFLG_CF|EFLG_ZF));
527 rc |= (flags & EFLG_SF);
530 rc |= (flags & EFLG_PF);
533 rc |= (flags & EFLG_ZF);
536 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
540 /* Odd condition identifiers (lsb == 1) have inverted sense. */
541 return (!!rc ^ (condition & 1));
544 static void fetch_register_operand(struct operand *op)
548 op->val = *(u8 *)op->addr.reg;
551 op->val = *(u16 *)op->addr.reg;
554 op->val = *(u32 *)op->addr.reg;
557 op->val = *(u64 *)op->addr.reg;
562 static void decode_register_operand(struct operand *op,
563 struct decode_cache *c,
566 unsigned reg = c->modrm_reg;
567 int highbyte_regs = c->rex_prefix == 0;
570 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
572 if ((c->d & ByteOp) && !inhibit_bytereg) {
573 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
576 op->addr.reg = decode_register(reg, c->regs, 0);
577 op->bytes = c->op_bytes;
579 fetch_register_operand(op);
580 op->orig_val = op->val;
583 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
584 struct x86_emulate_ops *ops,
587 struct decode_cache *c = &ctxt->decode;
589 int index_reg = 0, base_reg = 0, scale;
590 int rc = X86EMUL_CONTINUE;
594 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
595 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
596 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
599 c->modrm = insn_fetch(u8, 1, c->eip);
600 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
601 c->modrm_reg |= (c->modrm & 0x38) >> 3;
602 c->modrm_rm |= (c->modrm & 0x07);
603 c->modrm_seg = VCPU_SREG_DS;
605 if (c->modrm_mod == 3) {
607 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
608 op->addr.reg = decode_register(c->modrm_rm,
609 c->regs, c->d & ByteOp);
610 fetch_register_operand(op);
616 if (c->ad_bytes == 2) {
617 unsigned bx = c->regs[VCPU_REGS_RBX];
618 unsigned bp = c->regs[VCPU_REGS_RBP];
619 unsigned si = c->regs[VCPU_REGS_RSI];
620 unsigned di = c->regs[VCPU_REGS_RDI];
622 /* 16-bit ModR/M decode. */
623 switch (c->modrm_mod) {
625 if (c->modrm_rm == 6)
626 modrm_ea += insn_fetch(u16, 2, c->eip);
629 modrm_ea += insn_fetch(s8, 1, c->eip);
632 modrm_ea += insn_fetch(u16, 2, c->eip);
635 switch (c->modrm_rm) {
655 if (c->modrm_mod != 0)
662 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
663 (c->modrm_rm == 6 && c->modrm_mod != 0))
664 c->modrm_seg = VCPU_SREG_SS;
665 modrm_ea = (u16)modrm_ea;
667 /* 32/64-bit ModR/M decode. */
668 if ((c->modrm_rm & 7) == 4) {
669 sib = insn_fetch(u8, 1, c->eip);
670 index_reg |= (sib >> 3) & 7;
674 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
675 modrm_ea += insn_fetch(s32, 4, c->eip);
677 modrm_ea += c->regs[base_reg];
679 modrm_ea += c->regs[index_reg] << scale;
680 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
681 if (ctxt->mode == X86EMUL_MODE_PROT64)
684 modrm_ea += c->regs[c->modrm_rm];
685 switch (c->modrm_mod) {
687 if (c->modrm_rm == 5)
688 modrm_ea += insn_fetch(s32, 4, c->eip);
691 modrm_ea += insn_fetch(s8, 1, c->eip);
694 modrm_ea += insn_fetch(s32, 4, c->eip);
698 op->addr.mem = modrm_ea;
703 static int decode_abs(struct x86_emulate_ctxt *ctxt,
704 struct x86_emulate_ops *ops,
707 struct decode_cache *c = &ctxt->decode;
708 int rc = X86EMUL_CONTINUE;
711 switch (c->ad_bytes) {
713 op->addr.mem = insn_fetch(u16, 2, c->eip);
716 op->addr.mem = insn_fetch(u32, 4, c->eip);
719 op->addr.mem = insn_fetch(u64, 8, c->eip);
726 static int read_emulated(struct x86_emulate_ctxt *ctxt,
727 struct x86_emulate_ops *ops,
728 unsigned long addr, void *dest, unsigned size)
731 struct read_cache *mc = &ctxt->decode.mem_read;
735 int n = min(size, 8u);
737 if (mc->pos < mc->end)
740 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
742 if (rc == X86EMUL_PROPAGATE_FAULT)
743 emulate_pf(ctxt, addr, err);
744 if (rc != X86EMUL_CONTINUE)
749 memcpy(dest, mc->data + mc->pos, n);
754 return X86EMUL_CONTINUE;
757 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
758 struct x86_emulate_ops *ops,
759 unsigned int size, unsigned short port,
762 struct read_cache *rc = &ctxt->decode.io_read;
764 if (rc->pos == rc->end) { /* refill pio read ahead */
765 struct decode_cache *c = &ctxt->decode;
766 unsigned int in_page, n;
767 unsigned int count = c->rep_prefix ?
768 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
769 in_page = (ctxt->eflags & EFLG_DF) ?
770 offset_in_page(c->regs[VCPU_REGS_RDI]) :
771 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
772 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
776 rc->pos = rc->end = 0;
777 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
782 memcpy(dest, rc->data + rc->pos, size);
787 static u32 desc_limit_scaled(struct desc_struct *desc)
789 u32 limit = get_desc_limit(desc);
791 return desc->g ? (limit << 12) | 0xfff : limit;
794 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
795 struct x86_emulate_ops *ops,
796 u16 selector, struct desc_ptr *dt)
798 if (selector & 1 << 2) {
799 struct desc_struct desc;
800 memset (dt, 0, sizeof *dt);
801 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
804 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
805 dt->address = get_desc_base(&desc);
807 ops->get_gdt(dt, ctxt->vcpu);
810 /* allowed just for 8 bytes segments */
811 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
812 struct x86_emulate_ops *ops,
813 u16 selector, struct desc_struct *desc)
816 u16 index = selector >> 3;
821 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
823 if (dt.size < index * 8 + 7) {
824 emulate_gp(ctxt, selector & 0xfffc);
825 return X86EMUL_PROPAGATE_FAULT;
827 addr = dt.address + index * 8;
828 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
829 if (ret == X86EMUL_PROPAGATE_FAULT)
830 emulate_pf(ctxt, addr, err);
835 /* allowed just for 8 bytes segments */
836 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
837 struct x86_emulate_ops *ops,
838 u16 selector, struct desc_struct *desc)
841 u16 index = selector >> 3;
846 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
848 if (dt.size < index * 8 + 7) {
849 emulate_gp(ctxt, selector & 0xfffc);
850 return X86EMUL_PROPAGATE_FAULT;
853 addr = dt.address + index * 8;
854 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
855 if (ret == X86EMUL_PROPAGATE_FAULT)
856 emulate_pf(ctxt, addr, err);
861 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
862 struct x86_emulate_ops *ops,
863 u16 selector, int seg)
865 struct desc_struct seg_desc;
867 unsigned err_vec = GP_VECTOR;
869 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
872 memset(&seg_desc, 0, sizeof seg_desc);
874 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
875 || ctxt->mode == X86EMUL_MODE_REAL) {
876 /* set real mode segment descriptor */
877 set_desc_base(&seg_desc, selector << 4);
878 set_desc_limit(&seg_desc, 0xffff);
885 /* NULL selector is not valid for TR, CS and SS */
886 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
890 /* TR should be in GDT only */
891 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
894 if (null_selector) /* for NULL selector skip all following checks */
897 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
898 if (ret != X86EMUL_CONTINUE)
901 err_code = selector & 0xfffc;
904 /* can't load system descriptor into segment selecor */
905 if (seg <= VCPU_SREG_GS && !seg_desc.s)
909 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
915 cpl = ops->cpl(ctxt->vcpu);
920 * segment is not a writable data segment or segment
921 * selector's RPL != CPL or segment selector's RPL != CPL
923 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
927 if (!(seg_desc.type & 8))
930 if (seg_desc.type & 4) {
936 if (rpl > cpl || dpl != cpl)
940 selector = (selector & 0xfffc) | cpl;
943 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
947 if (seg_desc.s || seg_desc.type != 2)
950 default: /* DS, ES, FS, or GS */
952 * segment is not a data or readable code segment or
953 * ((segment is a data or nonconforming code segment)
954 * and (both RPL and CPL > DPL))
956 if ((seg_desc.type & 0xa) == 0x8 ||
957 (((seg_desc.type & 0xc) != 0xc) &&
958 (rpl > dpl && cpl > dpl)))
964 /* mark segment as accessed */
966 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
967 if (ret != X86EMUL_CONTINUE)
971 ops->set_segment_selector(selector, seg, ctxt->vcpu);
972 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
973 return X86EMUL_CONTINUE;
975 emulate_exception(ctxt, err_vec, err_code, true);
976 return X86EMUL_PROPAGATE_FAULT;
979 static inline int writeback(struct x86_emulate_ctxt *ctxt,
980 struct x86_emulate_ops *ops)
983 struct decode_cache *c = &ctxt->decode;
986 switch (c->dst.type) {
988 /* The 4-byte case *is* correct:
989 * in 64-bit mode we zero-extend.
991 switch (c->dst.bytes) {
993 *(u8 *)c->dst.addr.reg = (u8)c->dst.val;
996 *(u16 *)c->dst.addr.reg = (u16)c->dst.val;
999 *c->dst.addr.reg = (u32)c->dst.val;
1000 break; /* 64b: zero-ext */
1002 *c->dst.addr.reg = c->dst.val;
1008 rc = ops->cmpxchg_emulated(
1016 rc = ops->write_emulated(
1022 if (rc == X86EMUL_PROPAGATE_FAULT)
1023 emulate_pf(ctxt, c->dst.addr.mem, err);
1024 if (rc != X86EMUL_CONTINUE)
1033 return X86EMUL_CONTINUE;
1036 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1037 struct x86_emulate_ops *ops)
1039 struct decode_cache *c = &ctxt->decode;
1041 c->dst.type = OP_MEM;
1042 c->dst.bytes = c->op_bytes;
1043 c->dst.val = c->src.val;
1044 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1045 c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
1046 c->regs[VCPU_REGS_RSP]);
1049 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1050 struct x86_emulate_ops *ops,
1051 void *dest, int len)
1053 struct decode_cache *c = &ctxt->decode;
1056 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1057 c->regs[VCPU_REGS_RSP]),
1059 if (rc != X86EMUL_CONTINUE)
1062 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1066 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1067 struct x86_emulate_ops *ops,
1068 void *dest, int len)
1071 unsigned long val, change_mask;
1072 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1073 int cpl = ops->cpl(ctxt->vcpu);
1075 rc = emulate_pop(ctxt, ops, &val, len);
1076 if (rc != X86EMUL_CONTINUE)
1079 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1080 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1082 switch(ctxt->mode) {
1083 case X86EMUL_MODE_PROT64:
1084 case X86EMUL_MODE_PROT32:
1085 case X86EMUL_MODE_PROT16:
1087 change_mask |= EFLG_IOPL;
1089 change_mask |= EFLG_IF;
1091 case X86EMUL_MODE_VM86:
1093 emulate_gp(ctxt, 0);
1094 return X86EMUL_PROPAGATE_FAULT;
1096 change_mask |= EFLG_IF;
1098 default: /* real mode */
1099 change_mask |= (EFLG_IOPL | EFLG_IF);
1103 *(unsigned long *)dest =
1104 (ctxt->eflags & ~change_mask) | (val & change_mask);
1109 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1110 struct x86_emulate_ops *ops, int seg)
1112 struct decode_cache *c = &ctxt->decode;
1114 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1116 emulate_push(ctxt, ops);
1119 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1120 struct x86_emulate_ops *ops, int seg)
1122 struct decode_cache *c = &ctxt->decode;
1123 unsigned long selector;
1126 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1127 if (rc != X86EMUL_CONTINUE)
1130 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1134 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1135 struct x86_emulate_ops *ops)
1137 struct decode_cache *c = &ctxt->decode;
1138 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1139 int rc = X86EMUL_CONTINUE;
1140 int reg = VCPU_REGS_RAX;
1142 while (reg <= VCPU_REGS_RDI) {
1143 (reg == VCPU_REGS_RSP) ?
1144 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1146 emulate_push(ctxt, ops);
1148 rc = writeback(ctxt, ops);
1149 if (rc != X86EMUL_CONTINUE)
1155 /* Disable writeback. */
1156 c->dst.type = OP_NONE;
1161 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1162 struct x86_emulate_ops *ops)
1164 struct decode_cache *c = &ctxt->decode;
1165 int rc = X86EMUL_CONTINUE;
1166 int reg = VCPU_REGS_RDI;
1168 while (reg >= VCPU_REGS_RAX) {
1169 if (reg == VCPU_REGS_RSP) {
1170 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1175 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1176 if (rc != X86EMUL_CONTINUE)
1183 int emulate_int_real(struct x86_emulate_ctxt *ctxt,
1184 struct x86_emulate_ops *ops, int irq)
1186 struct decode_cache *c = &ctxt->decode;
1187 int rc = X86EMUL_CONTINUE;
1194 /* TODO: Add limit checks */
1195 c->src.val = ctxt->eflags;
1196 emulate_push(ctxt, ops);
1198 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1200 c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1201 emulate_push(ctxt, ops);
1203 c->src.val = c->eip;
1204 emulate_push(ctxt, ops);
1206 ops->get_idt(&dt, ctxt->vcpu);
1208 eip_addr = dt.address + (irq << 2);
1209 cs_addr = dt.address + (irq << 2) + 2;
1211 rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &err);
1212 if (rc != X86EMUL_CONTINUE)
1215 rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &err);
1216 if (rc != X86EMUL_CONTINUE)
1219 rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
1220 if (rc != X86EMUL_CONTINUE)
1228 static int emulate_int(struct x86_emulate_ctxt *ctxt,
1229 struct x86_emulate_ops *ops, int irq)
1231 switch(ctxt->mode) {
1232 case X86EMUL_MODE_REAL:
1233 return emulate_int_real(ctxt, ops, irq);
1234 case X86EMUL_MODE_VM86:
1235 case X86EMUL_MODE_PROT16:
1236 case X86EMUL_MODE_PROT32:
1237 case X86EMUL_MODE_PROT64:
1239 /* Protected mode interrupts unimplemented yet */
1240 return X86EMUL_UNHANDLEABLE;
1244 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1245 struct x86_emulate_ops *ops)
1247 struct decode_cache *c = &ctxt->decode;
1248 int rc = X86EMUL_CONTINUE;
1249 unsigned long temp_eip = 0;
1250 unsigned long temp_eflags = 0;
1251 unsigned long cs = 0;
1252 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1253 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1254 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1255 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1257 /* TODO: Add stack limit check */
1259 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1261 if (rc != X86EMUL_CONTINUE)
1264 if (temp_eip & ~0xffff) {
1265 emulate_gp(ctxt, 0);
1266 return X86EMUL_PROPAGATE_FAULT;
1269 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1271 if (rc != X86EMUL_CONTINUE)
1274 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1276 if (rc != X86EMUL_CONTINUE)
1279 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1281 if (rc != X86EMUL_CONTINUE)
1287 if (c->op_bytes == 4)
1288 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1289 else if (c->op_bytes == 2) {
1290 ctxt->eflags &= ~0xffff;
1291 ctxt->eflags |= temp_eflags;
1294 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1295 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1300 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1301 struct x86_emulate_ops* ops)
1303 switch(ctxt->mode) {
1304 case X86EMUL_MODE_REAL:
1305 return emulate_iret_real(ctxt, ops);
1306 case X86EMUL_MODE_VM86:
1307 case X86EMUL_MODE_PROT16:
1308 case X86EMUL_MODE_PROT32:
1309 case X86EMUL_MODE_PROT64:
1311 /* iret from protected mode unimplemented yet */
1312 return X86EMUL_UNHANDLEABLE;
1316 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1317 struct x86_emulate_ops *ops)
1319 struct decode_cache *c = &ctxt->decode;
1321 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1324 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1326 struct decode_cache *c = &ctxt->decode;
1327 switch (c->modrm_reg) {
1329 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1332 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1335 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1338 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1340 case 4: /* sal/shl */
1341 case 6: /* sal/shl */
1342 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1345 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1348 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1353 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1354 struct x86_emulate_ops *ops)
1356 struct decode_cache *c = &ctxt->decode;
1358 switch (c->modrm_reg) {
1359 case 0 ... 1: /* test */
1360 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1363 c->dst.val = ~c->dst.val;
1366 emulate_1op("neg", c->dst, ctxt->eflags);
1374 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1375 struct x86_emulate_ops *ops)
1377 struct decode_cache *c = &ctxt->decode;
1379 switch (c->modrm_reg) {
1381 emulate_1op("inc", c->dst, ctxt->eflags);
1384 emulate_1op("dec", c->dst, ctxt->eflags);
1386 case 2: /* call near abs */ {
1389 c->eip = c->src.val;
1390 c->src.val = old_eip;
1391 emulate_push(ctxt, ops);
1394 case 4: /* jmp abs */
1395 c->eip = c->src.val;
1398 emulate_push(ctxt, ops);
1401 return X86EMUL_CONTINUE;
1404 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1405 struct x86_emulate_ops *ops)
1407 struct decode_cache *c = &ctxt->decode;
1408 u64 old = c->dst.orig_val64;
1410 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1411 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1412 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1413 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1414 ctxt->eflags &= ~EFLG_ZF;
1416 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1417 (u32) c->regs[VCPU_REGS_RBX];
1419 ctxt->eflags |= EFLG_ZF;
1421 return X86EMUL_CONTINUE;
1424 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1425 struct x86_emulate_ops *ops)
1427 struct decode_cache *c = &ctxt->decode;
1431 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1432 if (rc != X86EMUL_CONTINUE)
1434 if (c->op_bytes == 4)
1435 c->eip = (u32)c->eip;
1436 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1437 if (rc != X86EMUL_CONTINUE)
1439 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1444 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1445 struct x86_emulate_ops *ops, struct desc_struct *cs,
1446 struct desc_struct *ss)
1448 memset(cs, 0, sizeof(struct desc_struct));
1449 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1450 memset(ss, 0, sizeof(struct desc_struct));
1452 cs->l = 0; /* will be adjusted later */
1453 set_desc_base(cs, 0); /* flat segment */
1454 cs->g = 1; /* 4kb granularity */
1455 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1456 cs->type = 0x0b; /* Read, Execute, Accessed */
1458 cs->dpl = 0; /* will be adjusted later */
1462 set_desc_base(ss, 0); /* flat segment */
1463 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1464 ss->g = 1; /* 4kb granularity */
1466 ss->type = 0x03; /* Read/Write, Accessed */
1467 ss->d = 1; /* 32bit stack segment */
1473 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1475 struct decode_cache *c = &ctxt->decode;
1476 struct desc_struct cs, ss;
1480 /* syscall is not available in real mode */
1481 if (ctxt->mode == X86EMUL_MODE_REAL ||
1482 ctxt->mode == X86EMUL_MODE_VM86) {
1484 return X86EMUL_PROPAGATE_FAULT;
1487 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1489 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1491 cs_sel = (u16)(msr_data & 0xfffc);
1492 ss_sel = (u16)(msr_data + 8);
1494 if (is_long_mode(ctxt->vcpu)) {
1498 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1499 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1500 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1501 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1503 c->regs[VCPU_REGS_RCX] = c->eip;
1504 if (is_long_mode(ctxt->vcpu)) {
1505 #ifdef CONFIG_X86_64
1506 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1508 ops->get_msr(ctxt->vcpu,
1509 ctxt->mode == X86EMUL_MODE_PROT64 ?
1510 MSR_LSTAR : MSR_CSTAR, &msr_data);
1513 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1514 ctxt->eflags &= ~(msr_data | EFLG_RF);
1518 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1519 c->eip = (u32)msr_data;
1521 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1524 return X86EMUL_CONTINUE;
1528 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1530 struct decode_cache *c = &ctxt->decode;
1531 struct desc_struct cs, ss;
1535 /* inject #GP if in real mode */
1536 if (ctxt->mode == X86EMUL_MODE_REAL) {
1537 emulate_gp(ctxt, 0);
1538 return X86EMUL_PROPAGATE_FAULT;
1541 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1542 * Therefore, we inject an #UD.
1544 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1546 return X86EMUL_PROPAGATE_FAULT;
1549 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1551 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1552 switch (ctxt->mode) {
1553 case X86EMUL_MODE_PROT32:
1554 if ((msr_data & 0xfffc) == 0x0) {
1555 emulate_gp(ctxt, 0);
1556 return X86EMUL_PROPAGATE_FAULT;
1559 case X86EMUL_MODE_PROT64:
1560 if (msr_data == 0x0) {
1561 emulate_gp(ctxt, 0);
1562 return X86EMUL_PROPAGATE_FAULT;
1567 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1568 cs_sel = (u16)msr_data;
1569 cs_sel &= ~SELECTOR_RPL_MASK;
1570 ss_sel = cs_sel + 8;
1571 ss_sel &= ~SELECTOR_RPL_MASK;
1572 if (ctxt->mode == X86EMUL_MODE_PROT64
1573 || is_long_mode(ctxt->vcpu)) {
1578 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1579 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1580 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1581 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1583 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1586 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1587 c->regs[VCPU_REGS_RSP] = msr_data;
1589 return X86EMUL_CONTINUE;
1593 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1595 struct decode_cache *c = &ctxt->decode;
1596 struct desc_struct cs, ss;
1601 /* inject #GP if in real mode or Virtual 8086 mode */
1602 if (ctxt->mode == X86EMUL_MODE_REAL ||
1603 ctxt->mode == X86EMUL_MODE_VM86) {
1604 emulate_gp(ctxt, 0);
1605 return X86EMUL_PROPAGATE_FAULT;
1608 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1610 if ((c->rex_prefix & 0x8) != 0x0)
1611 usermode = X86EMUL_MODE_PROT64;
1613 usermode = X86EMUL_MODE_PROT32;
1617 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1619 case X86EMUL_MODE_PROT32:
1620 cs_sel = (u16)(msr_data + 16);
1621 if ((msr_data & 0xfffc) == 0x0) {
1622 emulate_gp(ctxt, 0);
1623 return X86EMUL_PROPAGATE_FAULT;
1625 ss_sel = (u16)(msr_data + 24);
1627 case X86EMUL_MODE_PROT64:
1628 cs_sel = (u16)(msr_data + 32);
1629 if (msr_data == 0x0) {
1630 emulate_gp(ctxt, 0);
1631 return X86EMUL_PROPAGATE_FAULT;
1633 ss_sel = cs_sel + 8;
1638 cs_sel |= SELECTOR_RPL_MASK;
1639 ss_sel |= SELECTOR_RPL_MASK;
1641 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1642 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1643 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1644 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1646 c->eip = c->regs[VCPU_REGS_RDX];
1647 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1649 return X86EMUL_CONTINUE;
1652 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1653 struct x86_emulate_ops *ops)
1656 if (ctxt->mode == X86EMUL_MODE_REAL)
1658 if (ctxt->mode == X86EMUL_MODE_VM86)
1660 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1661 return ops->cpl(ctxt->vcpu) > iopl;
1664 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1665 struct x86_emulate_ops *ops,
1668 struct desc_struct tr_seg;
1671 u8 perm, bit_idx = port & 0x7;
1672 unsigned mask = (1 << len) - 1;
1674 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1677 if (desc_limit_scaled(&tr_seg) < 103)
1679 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1681 if (r != X86EMUL_CONTINUE)
1683 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1685 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1686 &perm, 1, ctxt->vcpu, NULL);
1687 if (r != X86EMUL_CONTINUE)
1689 if ((perm >> bit_idx) & mask)
1694 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1695 struct x86_emulate_ops *ops,
1701 if (emulator_bad_iopl(ctxt, ops))
1702 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1705 ctxt->perm_ok = true;
1710 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1711 struct x86_emulate_ops *ops,
1712 struct tss_segment_16 *tss)
1714 struct decode_cache *c = &ctxt->decode;
1717 tss->flag = ctxt->eflags;
1718 tss->ax = c->regs[VCPU_REGS_RAX];
1719 tss->cx = c->regs[VCPU_REGS_RCX];
1720 tss->dx = c->regs[VCPU_REGS_RDX];
1721 tss->bx = c->regs[VCPU_REGS_RBX];
1722 tss->sp = c->regs[VCPU_REGS_RSP];
1723 tss->bp = c->regs[VCPU_REGS_RBP];
1724 tss->si = c->regs[VCPU_REGS_RSI];
1725 tss->di = c->regs[VCPU_REGS_RDI];
1727 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1728 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1729 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1730 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1731 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1734 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1735 struct x86_emulate_ops *ops,
1736 struct tss_segment_16 *tss)
1738 struct decode_cache *c = &ctxt->decode;
1742 ctxt->eflags = tss->flag | 2;
1743 c->regs[VCPU_REGS_RAX] = tss->ax;
1744 c->regs[VCPU_REGS_RCX] = tss->cx;
1745 c->regs[VCPU_REGS_RDX] = tss->dx;
1746 c->regs[VCPU_REGS_RBX] = tss->bx;
1747 c->regs[VCPU_REGS_RSP] = tss->sp;
1748 c->regs[VCPU_REGS_RBP] = tss->bp;
1749 c->regs[VCPU_REGS_RSI] = tss->si;
1750 c->regs[VCPU_REGS_RDI] = tss->di;
1753 * SDM says that segment selectors are loaded before segment
1756 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1757 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1758 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1759 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1760 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1763 * Now load segment descriptors. If fault happenes at this stage
1764 * it is handled in a context of new task
1766 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1767 if (ret != X86EMUL_CONTINUE)
1769 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1770 if (ret != X86EMUL_CONTINUE)
1772 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1773 if (ret != X86EMUL_CONTINUE)
1775 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1776 if (ret != X86EMUL_CONTINUE)
1778 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1779 if (ret != X86EMUL_CONTINUE)
1782 return X86EMUL_CONTINUE;
1785 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1786 struct x86_emulate_ops *ops,
1787 u16 tss_selector, u16 old_tss_sel,
1788 ulong old_tss_base, struct desc_struct *new_desc)
1790 struct tss_segment_16 tss_seg;
1792 u32 err, new_tss_base = get_desc_base(new_desc);
1794 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1796 if (ret == X86EMUL_PROPAGATE_FAULT) {
1797 /* FIXME: need to provide precise fault address */
1798 emulate_pf(ctxt, old_tss_base, err);
1802 save_state_to_tss16(ctxt, ops, &tss_seg);
1804 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1806 if (ret == X86EMUL_PROPAGATE_FAULT) {
1807 /* FIXME: need to provide precise fault address */
1808 emulate_pf(ctxt, old_tss_base, err);
1812 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1814 if (ret == X86EMUL_PROPAGATE_FAULT) {
1815 /* FIXME: need to provide precise fault address */
1816 emulate_pf(ctxt, new_tss_base, err);
1820 if (old_tss_sel != 0xffff) {
1821 tss_seg.prev_task_link = old_tss_sel;
1823 ret = ops->write_std(new_tss_base,
1824 &tss_seg.prev_task_link,
1825 sizeof tss_seg.prev_task_link,
1827 if (ret == X86EMUL_PROPAGATE_FAULT) {
1828 /* FIXME: need to provide precise fault address */
1829 emulate_pf(ctxt, new_tss_base, err);
1834 return load_state_from_tss16(ctxt, ops, &tss_seg);
1837 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1838 struct x86_emulate_ops *ops,
1839 struct tss_segment_32 *tss)
1841 struct decode_cache *c = &ctxt->decode;
1843 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
1845 tss->eflags = ctxt->eflags;
1846 tss->eax = c->regs[VCPU_REGS_RAX];
1847 tss->ecx = c->regs[VCPU_REGS_RCX];
1848 tss->edx = c->regs[VCPU_REGS_RDX];
1849 tss->ebx = c->regs[VCPU_REGS_RBX];
1850 tss->esp = c->regs[VCPU_REGS_RSP];
1851 tss->ebp = c->regs[VCPU_REGS_RBP];
1852 tss->esi = c->regs[VCPU_REGS_RSI];
1853 tss->edi = c->regs[VCPU_REGS_RDI];
1855 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1856 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1857 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1858 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1859 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
1860 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
1861 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1864 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1865 struct x86_emulate_ops *ops,
1866 struct tss_segment_32 *tss)
1868 struct decode_cache *c = &ctxt->decode;
1871 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
1872 emulate_gp(ctxt, 0);
1873 return X86EMUL_PROPAGATE_FAULT;
1876 ctxt->eflags = tss->eflags | 2;
1877 c->regs[VCPU_REGS_RAX] = tss->eax;
1878 c->regs[VCPU_REGS_RCX] = tss->ecx;
1879 c->regs[VCPU_REGS_RDX] = tss->edx;
1880 c->regs[VCPU_REGS_RBX] = tss->ebx;
1881 c->regs[VCPU_REGS_RSP] = tss->esp;
1882 c->regs[VCPU_REGS_RBP] = tss->ebp;
1883 c->regs[VCPU_REGS_RSI] = tss->esi;
1884 c->regs[VCPU_REGS_RDI] = tss->edi;
1887 * SDM says that segment selectors are loaded before segment
1890 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
1891 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1892 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1893 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1894 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1895 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
1896 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
1899 * Now load segment descriptors. If fault happenes at this stage
1900 * it is handled in a context of new task
1902 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
1903 if (ret != X86EMUL_CONTINUE)
1905 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1906 if (ret != X86EMUL_CONTINUE)
1908 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1909 if (ret != X86EMUL_CONTINUE)
1911 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1912 if (ret != X86EMUL_CONTINUE)
1914 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1915 if (ret != X86EMUL_CONTINUE)
1917 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
1918 if (ret != X86EMUL_CONTINUE)
1920 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
1921 if (ret != X86EMUL_CONTINUE)
1924 return X86EMUL_CONTINUE;
1927 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
1928 struct x86_emulate_ops *ops,
1929 u16 tss_selector, u16 old_tss_sel,
1930 ulong old_tss_base, struct desc_struct *new_desc)
1932 struct tss_segment_32 tss_seg;
1934 u32 err, new_tss_base = get_desc_base(new_desc);
1936 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1938 if (ret == X86EMUL_PROPAGATE_FAULT) {
1939 /* FIXME: need to provide precise fault address */
1940 emulate_pf(ctxt, old_tss_base, err);
1944 save_state_to_tss32(ctxt, ops, &tss_seg);
1946 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1948 if (ret == X86EMUL_PROPAGATE_FAULT) {
1949 /* FIXME: need to provide precise fault address */
1950 emulate_pf(ctxt, old_tss_base, err);
1954 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1956 if (ret == X86EMUL_PROPAGATE_FAULT) {
1957 /* FIXME: need to provide precise fault address */
1958 emulate_pf(ctxt, new_tss_base, err);
1962 if (old_tss_sel != 0xffff) {
1963 tss_seg.prev_task_link = old_tss_sel;
1965 ret = ops->write_std(new_tss_base,
1966 &tss_seg.prev_task_link,
1967 sizeof tss_seg.prev_task_link,
1969 if (ret == X86EMUL_PROPAGATE_FAULT) {
1970 /* FIXME: need to provide precise fault address */
1971 emulate_pf(ctxt, new_tss_base, err);
1976 return load_state_from_tss32(ctxt, ops, &tss_seg);
1979 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
1980 struct x86_emulate_ops *ops,
1981 u16 tss_selector, int reason,
1982 bool has_error_code, u32 error_code)
1984 struct desc_struct curr_tss_desc, next_tss_desc;
1986 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
1987 ulong old_tss_base =
1988 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
1991 /* FIXME: old_tss_base == ~0 ? */
1993 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
1994 if (ret != X86EMUL_CONTINUE)
1996 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
1997 if (ret != X86EMUL_CONTINUE)
2000 /* FIXME: check that next_tss_desc is tss */
2002 if (reason != TASK_SWITCH_IRET) {
2003 if ((tss_selector & 3) > next_tss_desc.dpl ||
2004 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2005 emulate_gp(ctxt, 0);
2006 return X86EMUL_PROPAGATE_FAULT;
2010 desc_limit = desc_limit_scaled(&next_tss_desc);
2011 if (!next_tss_desc.p ||
2012 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2013 desc_limit < 0x2b)) {
2014 emulate_ts(ctxt, tss_selector & 0xfffc);
2015 return X86EMUL_PROPAGATE_FAULT;
2018 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2019 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2020 write_segment_descriptor(ctxt, ops, old_tss_sel,
2024 if (reason == TASK_SWITCH_IRET)
2025 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2027 /* set back link to prev task only if NT bit is set in eflags
2028 note that old_tss_sel is not used afetr this point */
2029 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2030 old_tss_sel = 0xffff;
2032 if (next_tss_desc.type & 8)
2033 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2034 old_tss_base, &next_tss_desc);
2036 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2037 old_tss_base, &next_tss_desc);
2038 if (ret != X86EMUL_CONTINUE)
2041 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2042 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2044 if (reason != TASK_SWITCH_IRET) {
2045 next_tss_desc.type |= (1 << 1); /* set busy flag */
2046 write_segment_descriptor(ctxt, ops, tss_selector,
2050 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2051 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2052 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2054 if (has_error_code) {
2055 struct decode_cache *c = &ctxt->decode;
2057 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2059 c->src.val = (unsigned long) error_code;
2060 emulate_push(ctxt, ops);
2066 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2067 u16 tss_selector, int reason,
2068 bool has_error_code, u32 error_code)
2070 struct x86_emulate_ops *ops = ctxt->ops;
2071 struct decode_cache *c = &ctxt->decode;
2075 c->dst.type = OP_NONE;
2077 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2078 has_error_code, error_code);
2080 if (rc == X86EMUL_CONTINUE) {
2081 rc = writeback(ctxt, ops);
2082 if (rc == X86EMUL_CONTINUE)
2086 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2089 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2090 int reg, struct operand *op)
2092 struct decode_cache *c = &ctxt->decode;
2093 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2095 register_address_increment(c, &c->regs[reg], df * op->bytes);
2096 op->addr.mem = register_address(c, base, c->regs[reg]);
2099 static int em_push(struct x86_emulate_ctxt *ctxt)
2101 emulate_push(ctxt, ctxt->ops);
2102 return X86EMUL_CONTINUE;
2105 #define D(_y) { .flags = (_y) }
2107 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2108 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2109 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2111 static struct opcode group1[] = {
2115 static struct opcode group1A[] = {
2116 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2119 static struct opcode group3[] = {
2120 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2121 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2125 static struct opcode group4[] = {
2126 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2130 static struct opcode group5[] = {
2131 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2132 D(SrcMem | ModRM | Stack), N,
2133 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2134 D(SrcMem | ModRM | Stack), N,
2137 static struct group_dual group7 = { {
2138 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2139 D(SrcNone | ModRM | DstMem | Mov), N,
2140 D(SrcMem16 | ModRM | Mov | Priv),
2141 D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
2143 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
2144 D(SrcNone | ModRM | DstMem | Mov), N,
2145 D(SrcMem16 | ModRM | Mov | Priv), N,
2148 static struct opcode group8[] = {
2150 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2151 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2154 static struct group_dual group9 = { {
2155 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2157 N, N, N, N, N, N, N, N,
2160 static struct opcode opcode_table[256] = {
2162 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2163 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2164 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2165 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2167 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2168 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2169 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2170 D(ImplicitOps | Stack | No64), N,
2172 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2173 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2174 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2175 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2177 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2178 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2179 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2180 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2182 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2183 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2184 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2186 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2187 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2188 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2190 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2191 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2192 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2194 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2195 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2196 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2201 X8(I(SrcReg | Stack, em_push)),
2203 X8(D(DstReg | Stack)),
2205 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2206 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2209 I(SrcImm | Mov | Stack, em_push), N,
2210 I(SrcImmByte | Mov | Stack, em_push), N,
2211 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
2212 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2216 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2217 G(DstMem | SrcImm | ModRM | Group, group1),
2218 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2219 G(DstMem | SrcImmByte | ModRM | Group, group1),
2220 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2221 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2223 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
2224 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
2225 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2226 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2228 X8(D(SrcAcc | DstReg)),
2230 N, N, D(SrcImmFAddr | No64), N,
2231 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2233 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
2234 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
2235 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
2236 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
2238 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
2239 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
2240 D(ByteOp | DstDI | String), D(DstDI | String),
2242 X8(D(ByteOp | DstReg | SrcImm | Mov)),
2244 X8(D(DstReg | SrcImm | Mov)),
2246 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
2247 N, D(ImplicitOps | Stack), N, N,
2248 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
2250 N, N, N, D(ImplicitOps | Stack),
2251 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2253 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
2254 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
2257 N, N, N, N, N, N, N, N,
2260 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2261 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2263 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2264 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2265 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2266 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2269 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2271 D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
2272 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2275 static struct opcode twobyte_table[256] = {
2277 N, GD(0, &group7), N, N,
2278 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
2279 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
2280 N, D(ImplicitOps | ModRM), N, N,
2282 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2284 D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
2285 D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
2287 N, N, N, N, N, N, N, N,
2289 D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
2290 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
2291 N, N, N, N, N, N, N, N,
2293 X16(D(DstReg | SrcMem | ModRM | Mov)),
2295 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2297 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2299 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2303 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2305 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2306 N, D(DstMem | SrcReg | ModRM | BitOp),
2307 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2308 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2310 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2311 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2312 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2313 D(DstMem | SrcReg | Src2CL | ModRM),
2316 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2317 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2318 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
2319 D(DstReg | SrcMem16 | ModRM | Mov),
2322 G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2323 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
2324 D(DstReg | SrcMem16 | ModRM | Mov),
2326 N, N, N, D(DstMem | SrcReg | ModRM | Mov),
2327 N, N, N, GD(0, &group9),
2328 N, N, N, N, N, N, N, N,
2330 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2332 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2334 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2344 x86_decode_insn(struct x86_emulate_ctxt *ctxt)
2346 struct x86_emulate_ops *ops = ctxt->ops;
2347 struct decode_cache *c = &ctxt->decode;
2348 int rc = X86EMUL_CONTINUE;
2349 int mode = ctxt->mode;
2350 int def_op_bytes, def_ad_bytes, dual, goffset;
2351 struct opcode opcode, *g_mod012, *g_mod3;
2352 struct operand memop = { .type = OP_NONE };
2354 /* we cannot decode insn before we complete previous rep insn */
2355 WARN_ON(ctxt->restart);
2358 c->fetch.start = c->fetch.end = c->eip;
2359 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2362 case X86EMUL_MODE_REAL:
2363 case X86EMUL_MODE_VM86:
2364 case X86EMUL_MODE_PROT16:
2365 def_op_bytes = def_ad_bytes = 2;
2367 case X86EMUL_MODE_PROT32:
2368 def_op_bytes = def_ad_bytes = 4;
2370 #ifdef CONFIG_X86_64
2371 case X86EMUL_MODE_PROT64:
2380 c->op_bytes = def_op_bytes;
2381 c->ad_bytes = def_ad_bytes;
2383 /* Legacy prefixes. */
2385 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2386 case 0x66: /* operand-size override */
2387 /* switch between 2/4 bytes */
2388 c->op_bytes = def_op_bytes ^ 6;
2390 case 0x67: /* address-size override */
2391 if (mode == X86EMUL_MODE_PROT64)
2392 /* switch between 4/8 bytes */
2393 c->ad_bytes = def_ad_bytes ^ 12;
2395 /* switch between 2/4 bytes */
2396 c->ad_bytes = def_ad_bytes ^ 6;
2398 case 0x26: /* ES override */
2399 case 0x2e: /* CS override */
2400 case 0x36: /* SS override */
2401 case 0x3e: /* DS override */
2402 set_seg_override(c, (c->b >> 3) & 3);
2404 case 0x64: /* FS override */
2405 case 0x65: /* GS override */
2406 set_seg_override(c, c->b & 7);
2408 case 0x40 ... 0x4f: /* REX */
2409 if (mode != X86EMUL_MODE_PROT64)
2411 c->rex_prefix = c->b;
2413 case 0xf0: /* LOCK */
2416 case 0xf2: /* REPNE/REPNZ */
2417 c->rep_prefix = REPNE_PREFIX;
2419 case 0xf3: /* REP/REPE/REPZ */
2420 c->rep_prefix = REPE_PREFIX;
2426 /* Any legacy prefix after a REX prefix nullifies its effect. */
2434 if (c->rex_prefix & 8)
2435 c->op_bytes = 8; /* REX.W */
2437 /* Opcode byte(s). */
2438 opcode = opcode_table[c->b];
2439 /* Two-byte opcode? */
2442 c->b = insn_fetch(u8, 1, c->eip);
2443 opcode = twobyte_table[c->b];
2445 c->d = opcode.flags;
2448 dual = c->d & GroupDual;
2449 c->modrm = insn_fetch(u8, 1, c->eip);
2452 if (c->d & GroupDual) {
2453 g_mod012 = opcode.u.gdual->mod012;
2454 g_mod3 = opcode.u.gdual->mod3;
2456 g_mod012 = g_mod3 = opcode.u.group;
2458 c->d &= ~(Group | GroupDual);
2460 goffset = (c->modrm >> 3) & 7;
2462 if ((c->modrm >> 6) == 3)
2463 opcode = g_mod3[goffset];
2465 opcode = g_mod012[goffset];
2466 c->d |= opcode.flags;
2469 c->execute = opcode.u.execute;
2472 if (c->d == 0 || (c->d & Undefined)) {
2473 DPRINTF("Cannot emulate %02x\n", c->b);
2477 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2480 if (c->d & Op3264) {
2481 if (mode == X86EMUL_MODE_PROT64)
2487 /* ModRM and SIB bytes. */
2489 rc = decode_modrm(ctxt, ops, &memop);
2490 if (!c->has_seg_override)
2491 set_seg_override(c, c->modrm_seg);
2492 } else if (c->d & MemAbs)
2493 rc = decode_abs(ctxt, ops, &memop);
2494 if (rc != X86EMUL_CONTINUE)
2497 if (!c->has_seg_override)
2498 set_seg_override(c, VCPU_SREG_DS);
2500 if (memop.type == OP_MEM && !(!c->twobyte && c->b == 0x8d))
2501 memop.addr.mem += seg_override_base(ctxt, ops, c);
2503 if (memop.type == OP_MEM && c->ad_bytes != 8)
2504 memop.addr.mem = (u32)memop.addr.mem;
2506 if (memop.type == OP_MEM && c->rip_relative)
2507 memop.addr.mem += c->eip;
2510 * Decode and fetch the source operand: register, memory
2513 switch (c->d & SrcMask) {
2517 decode_register_operand(&c->src, c, 0);
2526 memop.bytes = (c->d & ByteOp) ? 1 :
2533 c->src.type = OP_IMM;
2534 c->src.addr.mem = c->eip;
2535 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2536 if (c->src.bytes == 8)
2538 /* NB. Immediates are sign-extended as necessary. */
2539 switch (c->src.bytes) {
2541 c->src.val = insn_fetch(s8, 1, c->eip);
2544 c->src.val = insn_fetch(s16, 2, c->eip);
2547 c->src.val = insn_fetch(s32, 4, c->eip);
2550 if ((c->d & SrcMask) == SrcImmU) {
2551 switch (c->src.bytes) {
2556 c->src.val &= 0xffff;
2559 c->src.val &= 0xffffffff;
2566 c->src.type = OP_IMM;
2567 c->src.addr.mem = c->eip;
2569 if ((c->d & SrcMask) == SrcImmByte)
2570 c->src.val = insn_fetch(s8, 1, c->eip);
2572 c->src.val = insn_fetch(u8, 1, c->eip);
2575 c->src.type = OP_REG;
2576 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2577 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2578 fetch_register_operand(&c->src);
2585 c->src.type = OP_MEM;
2586 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2588 register_address(c, seg_override_base(ctxt, ops, c),
2589 c->regs[VCPU_REGS_RSI]);
2593 c->src.type = OP_IMM;
2594 c->src.addr.mem = c->eip;
2595 c->src.bytes = c->op_bytes + 2;
2596 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2599 memop.bytes = c->op_bytes + 2;
2605 * Decode and fetch the second source operand: register, memory
2608 switch (c->d & Src2Mask) {
2613 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2616 c->src2.type = OP_IMM;
2617 c->src2.addr.mem = c->eip;
2619 c->src2.val = insn_fetch(u8, 1, c->eip);
2627 /* Decode and fetch the destination operand: register or memory. */
2628 switch (c->d & DstMask) {
2630 /* Special instructions do their own operand decoding. */
2633 decode_register_operand(&c->dst, c,
2634 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2639 if ((c->d & DstMask) == DstMem64)
2642 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2643 if (c->dst.type == OP_MEM && (c->d & BitOp)) {
2644 unsigned long mask = ~(c->dst.bytes * 8 - 1);
2646 c->dst.addr.mem = c->dst.addr.mem +
2647 (c->src.val & mask) / 8;
2649 c->dst.orig_val = c->dst.val;
2652 c->dst.type = OP_REG;
2653 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2654 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
2655 fetch_register_operand(&c->dst);
2656 c->dst.orig_val = c->dst.val;
2659 c->dst.type = OP_MEM;
2660 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2662 register_address(c, es_base(ctxt, ops),
2663 c->regs[VCPU_REGS_RDI]);
2669 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2673 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2675 struct x86_emulate_ops *ops = ctxt->ops;
2677 struct decode_cache *c = &ctxt->decode;
2678 int rc = X86EMUL_CONTINUE;
2679 int saved_dst_type = c->dst.type;
2680 int irq; /* Used for int 3, int, and into */
2682 ctxt->decode.mem_read.pos = 0;
2684 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2689 /* LOCK prefix is allowed only with some instructions */
2690 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2695 /* Privileged instruction can be executed only in CPL=0 */
2696 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2697 emulate_gp(ctxt, 0);
2701 if (c->rep_prefix && (c->d & String)) {
2702 ctxt->restart = true;
2703 /* All REP prefixes have the same first termination condition */
2704 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2706 ctxt->restart = false;
2710 /* The second termination condition only applies for REPE
2711 * and REPNE. Test if the repeat string operation prefix is
2712 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2713 * corresponding termination condition according to:
2714 * - if REPE/REPZ and ZF = 0 then done
2715 * - if REPNE/REPNZ and ZF = 1 then done
2717 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2718 (c->b == 0xae) || (c->b == 0xaf)) {
2719 if ((c->rep_prefix == REPE_PREFIX) &&
2720 ((ctxt->eflags & EFLG_ZF) == 0))
2722 if ((c->rep_prefix == REPNE_PREFIX) &&
2723 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2729 if (c->src.type == OP_MEM) {
2730 if (c->d & NoAccess)
2732 rc = read_emulated(ctxt, ops, c->src.addr.mem,
2733 c->src.valptr, c->src.bytes);
2734 if (rc != X86EMUL_CONTINUE)
2736 c->src.orig_val64 = c->src.val64;
2741 if (c->src2.type == OP_MEM) {
2742 rc = read_emulated(ctxt, ops, c->src2.addr.mem,
2743 &c->src2.val, c->src2.bytes);
2744 if (rc != X86EMUL_CONTINUE)
2748 if ((c->d & DstMask) == ImplicitOps)
2752 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2753 /* optimisation - avoid slow emulated read if Mov */
2754 rc = read_emulated(ctxt, ops, c->dst.addr.mem,
2755 &c->dst.val, c->dst.bytes);
2756 if (rc != X86EMUL_CONTINUE)
2759 c->dst.orig_val = c->dst.val;
2764 rc = c->execute(ctxt);
2765 if (rc != X86EMUL_CONTINUE)
2776 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2778 case 0x06: /* push es */
2779 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2781 case 0x07: /* pop es */
2782 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2783 if (rc != X86EMUL_CONTINUE)
2788 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2790 case 0x0e: /* push cs */
2791 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2795 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2797 case 0x16: /* push ss */
2798 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2800 case 0x17: /* pop ss */
2801 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2802 if (rc != X86EMUL_CONTINUE)
2807 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2809 case 0x1e: /* push ds */
2810 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2812 case 0x1f: /* pop ds */
2813 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2814 if (rc != X86EMUL_CONTINUE)
2819 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2823 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2827 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2831 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2833 case 0x40 ... 0x47: /* inc r16/r32 */
2834 emulate_1op("inc", c->dst, ctxt->eflags);
2836 case 0x48 ... 0x4f: /* dec r16/r32 */
2837 emulate_1op("dec", c->dst, ctxt->eflags);
2839 case 0x58 ... 0x5f: /* pop reg */
2841 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2842 if (rc != X86EMUL_CONTINUE)
2845 case 0x60: /* pusha */
2846 rc = emulate_pusha(ctxt, ops);
2847 if (rc != X86EMUL_CONTINUE)
2850 case 0x61: /* popa */
2851 rc = emulate_popa(ctxt, ops);
2852 if (rc != X86EMUL_CONTINUE)
2855 case 0x63: /* movsxd */
2856 if (ctxt->mode != X86EMUL_MODE_PROT64)
2857 goto cannot_emulate;
2858 c->dst.val = (s32) c->src.val;
2860 case 0x6c: /* insb */
2861 case 0x6d: /* insw/insd */
2862 c->dst.bytes = min(c->dst.bytes, 4u);
2863 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2865 emulate_gp(ctxt, 0);
2868 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2869 c->regs[VCPU_REGS_RDX], &c->dst.val))
2870 goto done; /* IO is needed, skip writeback */
2872 case 0x6e: /* outsb */
2873 case 0x6f: /* outsw/outsd */
2874 c->src.bytes = min(c->src.bytes, 4u);
2875 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2877 emulate_gp(ctxt, 0);
2880 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2881 &c->src.val, 1, ctxt->vcpu);
2883 c->dst.type = OP_NONE; /* nothing to writeback */
2885 case 0x70 ... 0x7f: /* jcc (short) */
2886 if (test_cc(c->b, ctxt->eflags))
2887 jmp_rel(c, c->src.val);
2889 case 0x80 ... 0x83: /* Grp1 */
2890 switch (c->modrm_reg) {
2911 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2913 case 0x86 ... 0x87: /* xchg */
2915 /* Write back the register source. */
2916 switch (c->dst.bytes) {
2918 *(u8 *) c->src.addr.reg = (u8) c->dst.val;
2921 *(u16 *) c->src.addr.reg = (u16) c->dst.val;
2924 *c->src.addr.reg = (u32) c->dst.val;
2925 break; /* 64b reg: zero-extend */
2927 *c->src.addr.reg = c->dst.val;
2931 * Write back the memory destination with implicit LOCK
2934 c->dst.val = c->src.val;
2937 case 0x88 ... 0x8b: /* mov */
2939 case 0x8c: /* mov r/m, sreg */
2940 if (c->modrm_reg > VCPU_SREG_GS) {
2944 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2946 case 0x8d: /* lea r16/r32, m */
2947 c->dst.val = c->src.addr.mem;
2949 case 0x8e: { /* mov seg, r/m16 */
2954 if (c->modrm_reg == VCPU_SREG_CS ||
2955 c->modrm_reg > VCPU_SREG_GS) {
2960 if (c->modrm_reg == VCPU_SREG_SS)
2961 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2963 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2965 c->dst.type = OP_NONE; /* Disable writeback. */
2968 case 0x8f: /* pop (sole member of Grp1a) */
2969 rc = emulate_grp1a(ctxt, ops);
2970 if (rc != X86EMUL_CONTINUE)
2973 case 0x90 ... 0x97: /* nop / xchg reg, rax */
2974 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
2977 case 0x9c: /* pushf */
2978 c->src.val = (unsigned long) ctxt->eflags;
2979 emulate_push(ctxt, ops);
2981 case 0x9d: /* popf */
2982 c->dst.type = OP_REG;
2983 c->dst.addr.reg = &ctxt->eflags;
2984 c->dst.bytes = c->op_bytes;
2985 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2986 if (rc != X86EMUL_CONTINUE)
2989 case 0xa0 ... 0xa3: /* mov */
2990 case 0xa4 ... 0xa5: /* movs */
2992 case 0xa6 ... 0xa7: /* cmps */
2993 c->dst.type = OP_NONE; /* Disable writeback. */
2994 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
2996 case 0xa8 ... 0xa9: /* test ax, imm */
2998 case 0xaa ... 0xab: /* stos */
2999 c->dst.val = c->regs[VCPU_REGS_RAX];
3001 case 0xac ... 0xad: /* lods */
3003 case 0xae ... 0xaf: /* scas */
3004 DPRINTF("Urk! I don't handle SCAS.\n");
3005 goto cannot_emulate;
3006 case 0xb0 ... 0xbf: /* mov r, imm */
3011 case 0xc3: /* ret */
3012 c->dst.type = OP_REG;
3013 c->dst.addr.reg = &c->eip;
3014 c->dst.bytes = c->op_bytes;
3015 goto pop_instruction;
3016 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
3018 c->dst.val = c->src.val;
3020 case 0xcb: /* ret far */
3021 rc = emulate_ret_far(ctxt, ops);
3022 if (rc != X86EMUL_CONTINUE)
3025 case 0xcc: /* int3 */
3028 case 0xcd: /* int n */
3031 rc = emulate_int(ctxt, ops, irq);
3032 if (rc != X86EMUL_CONTINUE)
3035 case 0xce: /* into */
3036 if (ctxt->eflags & EFLG_OF) {
3041 case 0xcf: /* iret */
3042 rc = emulate_iret(ctxt, ops);
3044 if (rc != X86EMUL_CONTINUE)
3047 case 0xd0 ... 0xd1: /* Grp2 */
3051 case 0xd2 ... 0xd3: /* Grp2 */
3052 c->src.val = c->regs[VCPU_REGS_RCX];
3055 case 0xe4: /* inb */
3058 case 0xe6: /* outb */
3059 case 0xe7: /* out */
3061 case 0xe8: /* call (near) */ {
3062 long int rel = c->src.val;
3063 c->src.val = (unsigned long) c->eip;
3065 emulate_push(ctxt, ops);
3068 case 0xe9: /* jmp rel */
3070 case 0xea: { /* jmp far */
3073 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3075 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3079 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3083 jmp: /* jmp rel short */
3084 jmp_rel(c, c->src.val);
3085 c->dst.type = OP_NONE; /* Disable writeback. */
3087 case 0xec: /* in al,dx */
3088 case 0xed: /* in (e/r)ax,dx */
3089 c->src.val = c->regs[VCPU_REGS_RDX];
3091 c->dst.bytes = min(c->dst.bytes, 4u);
3092 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3093 emulate_gp(ctxt, 0);
3096 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3098 goto done; /* IO is needed */
3100 case 0xee: /* out dx,al */
3101 case 0xef: /* out dx,(e/r)ax */
3102 c->src.val = c->regs[VCPU_REGS_RDX];
3104 c->dst.bytes = min(c->dst.bytes, 4u);
3105 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3106 emulate_gp(ctxt, 0);
3109 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
3111 c->dst.type = OP_NONE; /* Disable writeback. */
3113 case 0xf4: /* hlt */
3114 ctxt->vcpu->arch.halt_request = 1;
3116 case 0xf5: /* cmc */
3117 /* complement carry flag from eflags reg */
3118 ctxt->eflags ^= EFLG_CF;
3119 c->dst.type = OP_NONE; /* Disable writeback. */
3121 case 0xf6 ... 0xf7: /* Grp3 */
3122 if (!emulate_grp3(ctxt, ops))
3123 goto cannot_emulate;
3125 case 0xf8: /* clc */
3126 ctxt->eflags &= ~EFLG_CF;
3127 c->dst.type = OP_NONE; /* Disable writeback. */
3129 case 0xfa: /* cli */
3130 if (emulator_bad_iopl(ctxt, ops)) {
3131 emulate_gp(ctxt, 0);
3134 ctxt->eflags &= ~X86_EFLAGS_IF;
3135 c->dst.type = OP_NONE; /* Disable writeback. */
3138 case 0xfb: /* sti */
3139 if (emulator_bad_iopl(ctxt, ops)) {
3140 emulate_gp(ctxt, 0);
3143 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3144 ctxt->eflags |= X86_EFLAGS_IF;
3145 c->dst.type = OP_NONE; /* Disable writeback. */
3148 case 0xfc: /* cld */
3149 ctxt->eflags &= ~EFLG_DF;
3150 c->dst.type = OP_NONE; /* Disable writeback. */
3152 case 0xfd: /* std */
3153 ctxt->eflags |= EFLG_DF;
3154 c->dst.type = OP_NONE; /* Disable writeback. */
3156 case 0xfe: /* Grp4 */
3158 rc = emulate_grp45(ctxt, ops);
3159 if (rc != X86EMUL_CONTINUE)
3162 case 0xff: /* Grp5 */
3163 if (c->modrm_reg == 5)
3167 goto cannot_emulate;
3171 rc = writeback(ctxt, ops);
3172 if (rc != X86EMUL_CONTINUE)
3176 * restore dst type in case the decoding will be reused
3177 * (happens for string instruction )
3179 c->dst.type = saved_dst_type;
3181 if ((c->d & SrcMask) == SrcSI)
3182 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3183 VCPU_REGS_RSI, &c->src);
3185 if ((c->d & DstMask) == DstDI)
3186 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3189 if (c->rep_prefix && (c->d & String)) {
3190 struct read_cache *rc = &ctxt->decode.io_read;
3191 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3193 * Re-enter guest when pio read ahead buffer is empty or,
3194 * if it is not used, after each 1024 iteration.
3196 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3197 (rc->end != 0 && rc->end == rc->pos))
3198 ctxt->restart = false;
3201 * reset read cache here in case string instruction is restared
3204 ctxt->decode.mem_read.end = 0;
3208 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3212 case 0x01: /* lgdt, lidt, lmsw */
3213 switch (c->modrm_reg) {
3215 unsigned long address;
3217 case 0: /* vmcall */
3218 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3219 goto cannot_emulate;
3221 rc = kvm_fix_hypercall(ctxt->vcpu);
3222 if (rc != X86EMUL_CONTINUE)
3225 /* Let the processor re-execute the fixed hypercall */
3227 /* Disable writeback. */
3228 c->dst.type = OP_NONE;
3231 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3232 &size, &address, c->op_bytes);
3233 if (rc != X86EMUL_CONTINUE)
3235 realmode_lgdt(ctxt->vcpu, size, address);
3236 /* Disable writeback. */
3237 c->dst.type = OP_NONE;
3239 case 3: /* lidt/vmmcall */
3240 if (c->modrm_mod == 3) {
3241 switch (c->modrm_rm) {
3243 rc = kvm_fix_hypercall(ctxt->vcpu);
3244 if (rc != X86EMUL_CONTINUE)
3248 goto cannot_emulate;
3251 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3254 if (rc != X86EMUL_CONTINUE)
3256 realmode_lidt(ctxt->vcpu, size, address);
3258 /* Disable writeback. */
3259 c->dst.type = OP_NONE;
3263 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3266 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3267 (c->src.val & 0x0f), ctxt->vcpu);
3268 c->dst.type = OP_NONE;
3270 case 5: /* not defined */
3274 emulate_invlpg(ctxt->vcpu, c->src.addr.mem);
3275 /* Disable writeback. */
3276 c->dst.type = OP_NONE;
3279 goto cannot_emulate;
3282 case 0x05: /* syscall */
3283 rc = emulate_syscall(ctxt, ops);
3284 if (rc != X86EMUL_CONTINUE)
3290 emulate_clts(ctxt->vcpu);
3291 c->dst.type = OP_NONE;
3293 case 0x09: /* wbinvd */
3294 kvm_emulate_wbinvd(ctxt->vcpu);
3295 c->dst.type = OP_NONE;
3297 case 0x08: /* invd */
3298 case 0x0d: /* GrpP (prefetch) */
3299 case 0x18: /* Grp16 (prefetch/nop) */
3300 c->dst.type = OP_NONE;
3302 case 0x20: /* mov cr, reg */
3303 switch (c->modrm_reg) {
3310 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3312 case 0x21: /* mov from dr to reg */
3313 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3314 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3318 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3320 case 0x22: /* mov reg, cr */
3321 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3322 emulate_gp(ctxt, 0);
3325 c->dst.type = OP_NONE;
3327 case 0x23: /* mov from reg to dr */
3328 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3329 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3334 if (ops->set_dr(c->modrm_reg, c->src.val &
3335 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3336 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3337 /* #UD condition is already handled by the code above */
3338 emulate_gp(ctxt, 0);
3342 c->dst.type = OP_NONE; /* no writeback */
3346 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3347 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3348 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3349 emulate_gp(ctxt, 0);
3352 rc = X86EMUL_CONTINUE;
3353 c->dst.type = OP_NONE;
3357 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3358 emulate_gp(ctxt, 0);
3361 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3362 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3364 rc = X86EMUL_CONTINUE;
3365 c->dst.type = OP_NONE;
3367 case 0x34: /* sysenter */
3368 rc = emulate_sysenter(ctxt, ops);
3369 if (rc != X86EMUL_CONTINUE)
3374 case 0x35: /* sysexit */
3375 rc = emulate_sysexit(ctxt, ops);
3376 if (rc != X86EMUL_CONTINUE)
3381 case 0x40 ... 0x4f: /* cmov */
3382 c->dst.val = c->dst.orig_val = c->src.val;
3383 if (!test_cc(c->b, ctxt->eflags))
3384 c->dst.type = OP_NONE; /* no writeback */
3386 case 0x80 ... 0x8f: /* jnz rel, etc*/
3387 if (test_cc(c->b, ctxt->eflags))
3388 jmp_rel(c, c->src.val);
3389 c->dst.type = OP_NONE;
3391 case 0xa0: /* push fs */
3392 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3394 case 0xa1: /* pop fs */
3395 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3396 if (rc != X86EMUL_CONTINUE)
3401 c->dst.type = OP_NONE;
3402 /* only subword offset */
3403 c->src.val &= (c->dst.bytes << 3) - 1;
3404 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3406 case 0xa4: /* shld imm8, r, r/m */
3407 case 0xa5: /* shld cl, r, r/m */
3408 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3410 case 0xa8: /* push gs */
3411 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3413 case 0xa9: /* pop gs */
3414 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3415 if (rc != X86EMUL_CONTINUE)
3420 /* only subword offset */
3421 c->src.val &= (c->dst.bytes << 3) - 1;
3422 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3424 case 0xac: /* shrd imm8, r, r/m */
3425 case 0xad: /* shrd cl, r, r/m */
3426 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3428 case 0xae: /* clflush */
3430 case 0xb0 ... 0xb1: /* cmpxchg */
3432 * Save real source value, then compare EAX against
3435 c->src.orig_val = c->src.val;
3436 c->src.val = c->regs[VCPU_REGS_RAX];
3437 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3438 if (ctxt->eflags & EFLG_ZF) {
3439 /* Success: write back to memory. */
3440 c->dst.val = c->src.orig_val;
3442 /* Failure: write the value we saw to EAX. */
3443 c->dst.type = OP_REG;
3444 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3449 /* only subword offset */
3450 c->src.val &= (c->dst.bytes << 3) - 1;
3451 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3453 case 0xb6 ... 0xb7: /* movzx */
3454 c->dst.bytes = c->op_bytes;
3455 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3458 case 0xba: /* Grp8 */
3459 switch (c->modrm_reg & 3) {
3472 /* only subword offset */
3473 c->src.val &= (c->dst.bytes << 3) - 1;
3474 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3476 case 0xbe ... 0xbf: /* movsx */
3477 c->dst.bytes = c->op_bytes;
3478 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3481 case 0xc3: /* movnti */
3482 c->dst.bytes = c->op_bytes;
3483 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3486 case 0xc7: /* Grp9 (cmpxchg8b) */
3487 rc = emulate_grp9(ctxt, ops);
3488 if (rc != X86EMUL_CONTINUE)
3492 goto cannot_emulate;
3497 DPRINTF("Cannot emulate %02x\n", c->b);
git.openpandora.org / pandora-kernel.git / blob