1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
32 * Opcode effective-address decode tables.
33 * Note that we only emulate instructions that have at least one memory
34 * operand (excluding implicit stack references). We assume that stack
35 * references and instruction fetches will never occur in special memory
36 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
40 /* Operand sizes: 8-bit operands or specified/overridden size. */
41 #define ByteOp (1<<0) /* 8-bit operands. */
42 /* Destination operand type. */
43 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
44 #define DstReg (2<<1) /* Register operand. */
45 #define DstMem (3<<1) /* Memory operand. */
46 #define DstAcc (4<<1) /* Destination Accumulator */
47 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
48 #define DstMem64 (6<<1) /* 64bit memory operand */
49 #define DstImmUByte (7<<1) /* 8-bit unsigned immediate operand */
50 #define DstDX (8<<1) /* Destination is in DX register */
51 #define DstMask (0xf<<1)
52 /* Source operand type. */
53 #define SrcNone (0<<5) /* No source operand. */
54 #define SrcReg (1<<5) /* Register operand. */
55 #define SrcMem (2<<5) /* Memory operand. */
56 #define SrcMem16 (3<<5) /* Memory operand (16-bit). */
57 #define SrcMem32 (4<<5) /* Memory operand (32-bit). */
58 #define SrcImm (5<<5) /* Immediate operand. */
59 #define SrcImmByte (6<<5) /* 8-bit sign-extended immediate operand. */
60 #define SrcOne (7<<5) /* Implied '1' */
61 #define SrcImmUByte (8<<5) /* 8-bit unsigned immediate operand. */
62 #define SrcImmU (9<<5) /* Immediate operand, unsigned */
63 #define SrcSI (0xa<<5) /* Source is in the DS:RSI */
64 #define SrcImmFAddr (0xb<<5) /* Source is immediate far address */
65 #define SrcMemFAddr (0xc<<5) /* Source is far address in memory */
66 #define SrcAcc (0xd<<5) /* Source Accumulator */
67 #define SrcImmU16 (0xe<<5) /* Immediate operand, unsigned, 16 bits */
68 #define SrcDX (0xf<<5) /* Source is in DX register */
69 #define SrcMask (0xf<<5)
70 /* Generic ModRM decode. */
72 /* Destination is only written; never read. */
75 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
76 #define String (1<<13) /* String instruction (rep capable) */
77 #define Stack (1<<14) /* Stack instruction (push/pop) */
78 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
79 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
80 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
81 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
82 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
83 #define Sse (1<<18) /* SSE Vector instruction */
85 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
86 #define VendorSpecific (1<<22) /* Vendor specific instruction */
87 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
88 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
89 #define Undefined (1<<25) /* No Such Instruction */
90 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
91 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
93 /* Source 2 operand type */
94 #define Src2None (0<<29)
95 #define Src2CL (1<<29)
96 #define Src2ImmByte (2<<29)
97 #define Src2One (3<<29)
98 #define Src2Imm (4<<29)
99 #define Src2Mask (7<<29)
101 #define X2(x...) x, x
102 #define X3(x...) X2(x), x
103 #define X4(x...) X2(x), X2(x)
104 #define X5(x...) X4(x), x
105 #define X6(x...) X4(x), X2(x)
106 #define X7(x...) X4(x), X3(x)
107 #define X8(x...) X4(x), X4(x)
108 #define X16(x...) X8(x), X8(x)
114 int (*execute)(struct x86_emulate_ctxt *ctxt);
115 struct opcode *group;
116 struct group_dual *gdual;
117 struct gprefix *gprefix;
119 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
123 struct opcode mod012[8];
124 struct opcode mod3[8];
128 struct opcode pfx_no;
129 struct opcode pfx_66;
130 struct opcode pfx_f2;
131 struct opcode pfx_f3;
134 /* EFLAGS bit definitions. */
135 #define EFLG_ID (1<<21)
136 #define EFLG_VIP (1<<20)
137 #define EFLG_VIF (1<<19)
138 #define EFLG_AC (1<<18)
139 #define EFLG_VM (1<<17)
140 #define EFLG_RF (1<<16)
141 #define EFLG_IOPL (3<<12)
142 #define EFLG_NT (1<<14)
143 #define EFLG_OF (1<<11)
144 #define EFLG_DF (1<<10)
145 #define EFLG_IF (1<<9)
146 #define EFLG_TF (1<<8)
147 #define EFLG_SF (1<<7)
148 #define EFLG_ZF (1<<6)
149 #define EFLG_AF (1<<4)
150 #define EFLG_PF (1<<2)
151 #define EFLG_CF (1<<0)
153 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
154 #define EFLG_RESERVED_ONE_MASK 2
157 * Instruction emulation:
158 * Most instructions are emulated directly via a fragment of inline assembly
159 * code. This allows us to save/restore EFLAGS and thus very easily pick up
160 * any modified flags.
163 #if defined(CONFIG_X86_64)
164 #define _LO32 "k" /* force 32-bit operand */
165 #define _STK "%%rsp" /* stack pointer */
166 #elif defined(__i386__)
167 #define _LO32 "" /* force 32-bit operand */
168 #define _STK "%%esp" /* stack pointer */
172 * These EFLAGS bits are restored from saved value during emulation, and
173 * any changes are written back to the saved value after emulation.
175 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
177 /* Before executing instruction: restore necessary bits in EFLAGS. */
178 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
179 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
180 "movl %"_sav",%"_LO32 _tmp"; " \
183 "movl %"_msk",%"_LO32 _tmp"; " \
184 "andl %"_LO32 _tmp",("_STK"); " \
186 "notl %"_LO32 _tmp"; " \
187 "andl %"_LO32 _tmp",("_STK"); " \
188 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
190 "orl %"_LO32 _tmp",("_STK"); " \
194 /* After executing instruction: write-back necessary bits in EFLAGS. */
195 #define _POST_EFLAGS(_sav, _msk, _tmp) \
196 /* _sav |= EFLAGS & _msk; */ \
199 "andl %"_msk",%"_LO32 _tmp"; " \
200 "orl %"_LO32 _tmp",%"_sav"; "
208 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
210 __asm__ __volatile__ ( \
211 _PRE_EFLAGS("0", "4", "2") \
212 _op _suffix " %"_x"3,%1; " \
213 _POST_EFLAGS("0", "4", "2") \
214 : "=m" (_eflags), "+q" (*(_dsttype*)&(_dst).val),\
216 : _y ((_src).val), "i" (EFLAGS_MASK)); \
220 /* Raw emulation: instruction has two explicit operands. */
221 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
223 unsigned long _tmp; \
225 switch ((_dst).bytes) { \
227 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
230 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l",u32);\
233 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q",u64)); \
238 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
240 unsigned long _tmp; \
241 switch ((_dst).bytes) { \
243 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
246 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
247 _wx, _wy, _lx, _ly, _qx, _qy); \
252 /* Source operand is byte-sized and may be restricted to just %cl. */
253 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
254 __emulate_2op(_op, _src, _dst, _eflags, \
255 "b", "c", "b", "c", "b", "c", "b", "c")
257 /* Source operand is byte, word, long or quad sized. */
258 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
259 __emulate_2op(_op, _src, _dst, _eflags, \
260 "b", "q", "w", "r", _LO32, "r", "", "r")
262 /* Source operand is word, long or quad sized. */
263 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
264 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
265 "w", "r", _LO32, "r", "", "r")
267 /* Instruction has three operands and one operand is stored in ECX register */
268 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
270 unsigned long _tmp; \
271 _type _clv = (_cl).val; \
272 _type _srcv = (_src).val; \
273 _type _dstv = (_dst).val; \
275 __asm__ __volatile__ ( \
276 _PRE_EFLAGS("0", "5", "2") \
277 _op _suffix " %4,%1 \n" \
278 _POST_EFLAGS("0", "5", "2") \
279 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
280 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
283 (_cl).val = (unsigned long) _clv; \
284 (_src).val = (unsigned long) _srcv; \
285 (_dst).val = (unsigned long) _dstv; \
288 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
290 switch ((_dst).bytes) { \
292 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
293 "w", unsigned short); \
296 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
297 "l", unsigned int); \
300 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
301 "q", unsigned long)); \
306 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
308 unsigned long _tmp; \
310 __asm__ __volatile__ ( \
311 _PRE_EFLAGS("0", "3", "2") \
312 _op _suffix " %1; " \
313 _POST_EFLAGS("0", "3", "2") \
314 : "=m" (_eflags), "+m" ((_dst).val), \
316 : "i" (EFLAGS_MASK)); \
319 /* Instruction has only one explicit operand (no source operand). */
320 #define emulate_1op(_op, _dst, _eflags) \
322 switch ((_dst).bytes) { \
323 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
324 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
325 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
326 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
330 #define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix) \
332 unsigned long _tmp; \
334 __asm__ __volatile__ ( \
335 _PRE_EFLAGS("0", "4", "1") \
336 _op _suffix " %5; " \
337 _POST_EFLAGS("0", "4", "1") \
338 : "=m" (_eflags), "=&r" (_tmp), \
339 "+a" (_rax), "+d" (_rdx) \
340 : "i" (EFLAGS_MASK), "m" ((_src).val), \
341 "a" (_rax), "d" (_rdx)); \
344 #define __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _suffix, _ex) \
346 unsigned long _tmp; \
348 __asm__ __volatile__ ( \
349 _PRE_EFLAGS("0", "5", "1") \
351 _op _suffix " %6; " \
353 _POST_EFLAGS("0", "5", "1") \
354 ".pushsection .fixup,\"ax\" \n\t" \
355 "3: movb $1, %4 \n\t" \
358 _ASM_EXTABLE(1b, 3b) \
359 : "=m" (_eflags), "=&r" (_tmp), \
360 "+a" (_rax), "+d" (_rdx), "+qm"(_ex) \
361 : "i" (EFLAGS_MASK), "m" ((_src).val), \
362 "a" (_rax), "d" (_rdx)); \
365 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
366 #define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags) \
368 switch((_src).bytes) { \
370 __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, \
374 __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, \
378 __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, \
382 ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, \
388 #define emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _ex) \
390 switch((_src).bytes) { \
392 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
393 _eflags, "b", _ex); \
396 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
397 _eflags, "w", _ex); \
400 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
401 _eflags, "l", _ex); \
404 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
405 _eflags, "q", _ex)); \
410 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
411 enum x86_intercept intercept,
412 enum x86_intercept_stage stage)
414 struct x86_instruction_info info = {
415 .intercept = intercept,
416 .rep_prefix = ctxt->decode.rep_prefix,
417 .modrm_mod = ctxt->decode.modrm_mod,
418 .modrm_reg = ctxt->decode.modrm_reg,
419 .modrm_rm = ctxt->decode.modrm_rm,
420 .src_val = ctxt->decode.src.val64,
421 .src_bytes = ctxt->decode.src.bytes,
422 .dst_bytes = ctxt->decode.dst.bytes,
423 .ad_bytes = ctxt->decode.ad_bytes,
424 .next_rip = ctxt->eip,
427 return ctxt->ops->intercept(ctxt, &info, stage);
430 static inline unsigned long ad_mask(struct decode_cache *c)
432 return (1UL << (c->ad_bytes << 3)) - 1;
435 /* Access/update address held in a register, based on addressing mode. */
436 static inline unsigned long
437 address_mask(struct decode_cache *c, unsigned long reg)
439 if (c->ad_bytes == sizeof(unsigned long))
442 return reg & ad_mask(c);
445 static inline unsigned long
446 register_address(struct decode_cache *c, unsigned long reg)
448 return address_mask(c, reg);
452 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
454 if (c->ad_bytes == sizeof(unsigned long))
457 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
460 static inline void jmp_rel(struct decode_cache *c, int rel)
462 register_address_increment(c, &c->eip, rel);
465 static u32 desc_limit_scaled(struct desc_struct *desc)
467 u32 limit = get_desc_limit(desc);
469 return desc->g ? (limit << 12) | 0xfff : limit;
472 static void set_seg_override(struct decode_cache *c, int seg)
474 c->has_seg_override = true;
475 c->seg_override = seg;
478 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
480 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
483 return ctxt->ops->get_cached_segment_base(ctxt, seg);
486 static unsigned seg_override(struct x86_emulate_ctxt *ctxt,
487 struct decode_cache *c)
489 if (!c->has_seg_override)
492 return c->seg_override;
495 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
496 u32 error, bool valid)
498 ctxt->exception.vector = vec;
499 ctxt->exception.error_code = error;
500 ctxt->exception.error_code_valid = valid;
501 return X86EMUL_PROPAGATE_FAULT;
504 static int emulate_db(struct x86_emulate_ctxt *ctxt)
506 return emulate_exception(ctxt, DB_VECTOR, 0, false);
509 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
511 return emulate_exception(ctxt, GP_VECTOR, err, true);
514 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
516 return emulate_exception(ctxt, SS_VECTOR, err, true);
519 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
521 return emulate_exception(ctxt, UD_VECTOR, 0, false);
524 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
526 return emulate_exception(ctxt, TS_VECTOR, err, true);
529 static int emulate_de(struct x86_emulate_ctxt *ctxt)
531 return emulate_exception(ctxt, DE_VECTOR, 0, false);
534 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
536 return emulate_exception(ctxt, NM_VECTOR, 0, false);
539 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
542 struct desc_struct desc;
544 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
548 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
553 struct desc_struct desc;
555 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
556 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
559 static int __linearize(struct x86_emulate_ctxt *ctxt,
560 struct segmented_address addr,
561 unsigned size, bool write, bool fetch,
564 struct decode_cache *c = &ctxt->decode;
565 struct desc_struct desc;
572 la = seg_base(ctxt, addr.seg) + addr.ea;
573 switch (ctxt->mode) {
574 case X86EMUL_MODE_REAL:
576 case X86EMUL_MODE_PROT64:
577 if (((signed long)la << 16) >> 16 != la)
578 return emulate_gp(ctxt, 0);
581 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
585 /* code segment or read-only data segment */
586 if (((desc.type & 8) || !(desc.type & 2)) && write)
588 /* unreadable code segment */
589 if (!fetch && (desc.type & 8) && !(desc.type & 2))
591 lim = desc_limit_scaled(&desc);
592 if ((desc.type & 8) || !(desc.type & 4)) {
593 /* expand-up segment */
594 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
597 /* exapand-down segment */
598 if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
600 lim = desc.d ? 0xffffffff : 0xffff;
601 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
604 cpl = ctxt->ops->cpl(ctxt);
607 if (!(desc.type & 8)) {
611 } else if ((desc.type & 8) && !(desc.type & 4)) {
612 /* nonconforming code segment */
615 } else if ((desc.type & 8) && (desc.type & 4)) {
616 /* conforming code segment */
622 if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : c->ad_bytes != 8)
625 return X86EMUL_CONTINUE;
627 if (addr.seg == VCPU_SREG_SS)
628 return emulate_ss(ctxt, addr.seg);
630 return emulate_gp(ctxt, addr.seg);
633 static int linearize(struct x86_emulate_ctxt *ctxt,
634 struct segmented_address addr,
635 unsigned size, bool write,
638 return __linearize(ctxt, addr, size, write, false, linear);
642 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
643 struct segmented_address addr,
650 rc = linearize(ctxt, addr, size, false, &linear);
651 if (rc != X86EMUL_CONTINUE)
653 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
656 static int do_insn_fetch_byte(struct x86_emulate_ctxt *ctxt,
657 unsigned long eip, u8 *dest)
659 struct fetch_cache *fc = &ctxt->decode.fetch;
663 if (eip == fc->end) {
664 unsigned long linear;
665 struct segmented_address addr = { .seg=VCPU_SREG_CS, .ea=eip};
666 cur_size = fc->end - fc->start;
667 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
668 rc = __linearize(ctxt, addr, size, false, true, &linear);
669 if (rc != X86EMUL_CONTINUE)
671 rc = ctxt->ops->fetch(ctxt, linear, fc->data + cur_size,
672 size, &ctxt->exception);
673 if (rc != X86EMUL_CONTINUE)
677 *dest = fc->data[eip - fc->start];
678 return X86EMUL_CONTINUE;
681 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
682 unsigned long eip, void *dest, unsigned size)
686 /* x86 instructions are limited to 15 bytes. */
687 if (eip + size - ctxt->eip > 15)
688 return X86EMUL_UNHANDLEABLE;
690 rc = do_insn_fetch_byte(ctxt, eip++, dest++);
691 if (rc != X86EMUL_CONTINUE)
694 return X86EMUL_CONTINUE;
697 /* Fetch next part of the instruction being emulated. */
698 #define insn_fetch(_type, _size, _eip) \
699 ({ unsigned long _x; \
700 rc = do_insn_fetch(ctxt, (_eip), &_x, (_size)); \
701 if (rc != X86EMUL_CONTINUE) \
707 #define insn_fetch_arr(_arr, _size, _eip) \
708 ({ rc = do_insn_fetch(ctxt, (_eip), _arr, (_size)); \
709 if (rc != X86EMUL_CONTINUE) \
715 * Given the 'reg' portion of a ModRM byte, and a register block, return a
716 * pointer into the block that addresses the relevant register.
717 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
719 static void *decode_register(u8 modrm_reg, unsigned long *regs,
724 p = ®s[modrm_reg];
725 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
726 p = (unsigned char *)®s[modrm_reg & 3] + 1;
730 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
731 struct segmented_address addr,
732 u16 *size, unsigned long *address, int op_bytes)
739 rc = segmented_read_std(ctxt, addr, size, 2);
740 if (rc != X86EMUL_CONTINUE)
743 rc = segmented_read_std(ctxt, addr, address, op_bytes);
747 static int test_cc(unsigned int condition, unsigned int flags)
751 switch ((condition & 15) >> 1) {
753 rc |= (flags & EFLG_OF);
755 case 1: /* b/c/nae */
756 rc |= (flags & EFLG_CF);
759 rc |= (flags & EFLG_ZF);
762 rc |= (flags & (EFLG_CF|EFLG_ZF));
765 rc |= (flags & EFLG_SF);
768 rc |= (flags & EFLG_PF);
771 rc |= (flags & EFLG_ZF);
774 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
778 /* Odd condition identifiers (lsb == 1) have inverted sense. */
779 return (!!rc ^ (condition & 1));
782 static void fetch_register_operand(struct operand *op)
786 op->val = *(u8 *)op->addr.reg;
789 op->val = *(u16 *)op->addr.reg;
792 op->val = *(u32 *)op->addr.reg;
795 op->val = *(u64 *)op->addr.reg;
800 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
802 ctxt->ops->get_fpu(ctxt);
804 case 0: asm("movdqu %%xmm0, %0" : "=m"(*data)); break;
805 case 1: asm("movdqu %%xmm1, %0" : "=m"(*data)); break;
806 case 2: asm("movdqu %%xmm2, %0" : "=m"(*data)); break;
807 case 3: asm("movdqu %%xmm3, %0" : "=m"(*data)); break;
808 case 4: asm("movdqu %%xmm4, %0" : "=m"(*data)); break;
809 case 5: asm("movdqu %%xmm5, %0" : "=m"(*data)); break;
810 case 6: asm("movdqu %%xmm6, %0" : "=m"(*data)); break;
811 case 7: asm("movdqu %%xmm7, %0" : "=m"(*data)); break;
813 case 8: asm("movdqu %%xmm8, %0" : "=m"(*data)); break;
814 case 9: asm("movdqu %%xmm9, %0" : "=m"(*data)); break;
815 case 10: asm("movdqu %%xmm10, %0" : "=m"(*data)); break;
816 case 11: asm("movdqu %%xmm11, %0" : "=m"(*data)); break;
817 case 12: asm("movdqu %%xmm12, %0" : "=m"(*data)); break;
818 case 13: asm("movdqu %%xmm13, %0" : "=m"(*data)); break;
819 case 14: asm("movdqu %%xmm14, %0" : "=m"(*data)); break;
820 case 15: asm("movdqu %%xmm15, %0" : "=m"(*data)); break;
824 ctxt->ops->put_fpu(ctxt);
827 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
830 ctxt->ops->get_fpu(ctxt);
832 case 0: asm("movdqu %0, %%xmm0" : : "m"(*data)); break;
833 case 1: asm("movdqu %0, %%xmm1" : : "m"(*data)); break;
834 case 2: asm("movdqu %0, %%xmm2" : : "m"(*data)); break;
835 case 3: asm("movdqu %0, %%xmm3" : : "m"(*data)); break;
836 case 4: asm("movdqu %0, %%xmm4" : : "m"(*data)); break;
837 case 5: asm("movdqu %0, %%xmm5" : : "m"(*data)); break;
838 case 6: asm("movdqu %0, %%xmm6" : : "m"(*data)); break;
839 case 7: asm("movdqu %0, %%xmm7" : : "m"(*data)); break;
841 case 8: asm("movdqu %0, %%xmm8" : : "m"(*data)); break;
842 case 9: asm("movdqu %0, %%xmm9" : : "m"(*data)); break;
843 case 10: asm("movdqu %0, %%xmm10" : : "m"(*data)); break;
844 case 11: asm("movdqu %0, %%xmm11" : : "m"(*data)); break;
845 case 12: asm("movdqu %0, %%xmm12" : : "m"(*data)); break;
846 case 13: asm("movdqu %0, %%xmm13" : : "m"(*data)); break;
847 case 14: asm("movdqu %0, %%xmm14" : : "m"(*data)); break;
848 case 15: asm("movdqu %0, %%xmm15" : : "m"(*data)); break;
852 ctxt->ops->put_fpu(ctxt);
855 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
857 struct decode_cache *c,
860 unsigned reg = c->modrm_reg;
861 int highbyte_regs = c->rex_prefix == 0;
864 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
870 read_sse_reg(ctxt, &op->vec_val, reg);
875 if ((c->d & ByteOp) && !inhibit_bytereg) {
876 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
879 op->addr.reg = decode_register(reg, c->regs, 0);
880 op->bytes = c->op_bytes;
882 fetch_register_operand(op);
883 op->orig_val = op->val;
886 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
889 struct decode_cache *c = &ctxt->decode;
891 int index_reg = 0, base_reg = 0, scale;
892 int rc = X86EMUL_CONTINUE;
896 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
897 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
898 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
901 c->modrm = insn_fetch(u8, 1, c->eip);
902 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
903 c->modrm_reg |= (c->modrm & 0x38) >> 3;
904 c->modrm_rm |= (c->modrm & 0x07);
905 c->modrm_seg = VCPU_SREG_DS;
907 if (c->modrm_mod == 3) {
909 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
910 op->addr.reg = decode_register(c->modrm_rm,
911 c->regs, c->d & ByteOp);
915 op->addr.xmm = c->modrm_rm;
916 read_sse_reg(ctxt, &op->vec_val, c->modrm_rm);
919 fetch_register_operand(op);
925 if (c->ad_bytes == 2) {
926 unsigned bx = c->regs[VCPU_REGS_RBX];
927 unsigned bp = c->regs[VCPU_REGS_RBP];
928 unsigned si = c->regs[VCPU_REGS_RSI];
929 unsigned di = c->regs[VCPU_REGS_RDI];
931 /* 16-bit ModR/M decode. */
932 switch (c->modrm_mod) {
934 if (c->modrm_rm == 6)
935 modrm_ea += insn_fetch(u16, 2, c->eip);
938 modrm_ea += insn_fetch(s8, 1, c->eip);
941 modrm_ea += insn_fetch(u16, 2, c->eip);
944 switch (c->modrm_rm) {
964 if (c->modrm_mod != 0)
971 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
972 (c->modrm_rm == 6 && c->modrm_mod != 0))
973 c->modrm_seg = VCPU_SREG_SS;
974 modrm_ea = (u16)modrm_ea;
976 /* 32/64-bit ModR/M decode. */
977 if ((c->modrm_rm & 7) == 4) {
978 sib = insn_fetch(u8, 1, c->eip);
979 index_reg |= (sib >> 3) & 7;
983 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
984 modrm_ea += insn_fetch(s32, 4, c->eip);
986 modrm_ea += c->regs[base_reg];
988 modrm_ea += c->regs[index_reg] << scale;
989 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
990 if (ctxt->mode == X86EMUL_MODE_PROT64)
993 modrm_ea += c->regs[c->modrm_rm];
994 switch (c->modrm_mod) {
996 if (c->modrm_rm == 5)
997 modrm_ea += insn_fetch(s32, 4, c->eip);
1000 modrm_ea += insn_fetch(s8, 1, c->eip);
1003 modrm_ea += insn_fetch(s32, 4, c->eip);
1007 op->addr.mem.ea = modrm_ea;
1012 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1015 struct decode_cache *c = &ctxt->decode;
1016 int rc = X86EMUL_CONTINUE;
1019 switch (c->ad_bytes) {
1021 op->addr.mem.ea = insn_fetch(u16, 2, c->eip);
1024 op->addr.mem.ea = insn_fetch(u32, 4, c->eip);
1027 op->addr.mem.ea = insn_fetch(u64, 8, c->eip);
1034 static void fetch_bit_operand(struct decode_cache *c)
1038 if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
1039 mask = ~(c->dst.bytes * 8 - 1);
1041 if (c->src.bytes == 2)
1042 sv = (s16)c->src.val & (s16)mask;
1043 else if (c->src.bytes == 4)
1044 sv = (s32)c->src.val & (s32)mask;
1046 c->dst.addr.mem.ea += (sv >> 3);
1049 /* only subword offset */
1050 c->src.val &= (c->dst.bytes << 3) - 1;
1053 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1054 unsigned long addr, void *dest, unsigned size)
1057 struct read_cache *mc = &ctxt->decode.mem_read;
1060 int n = min(size, 8u);
1062 if (mc->pos < mc->end)
1065 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, n,
1067 if (rc != X86EMUL_CONTINUE)
1072 memcpy(dest, mc->data + mc->pos, n);
1077 return X86EMUL_CONTINUE;
1080 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1081 struct segmented_address addr,
1088 rc = linearize(ctxt, addr, size, false, &linear);
1089 if (rc != X86EMUL_CONTINUE)
1091 return read_emulated(ctxt, linear, data, size);
1094 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1095 struct segmented_address addr,
1102 rc = linearize(ctxt, addr, size, true, &linear);
1103 if (rc != X86EMUL_CONTINUE)
1105 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1109 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1110 struct segmented_address addr,
1111 const void *orig_data, const void *data,
1117 rc = linearize(ctxt, addr, size, true, &linear);
1118 if (rc != X86EMUL_CONTINUE)
1120 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1121 size, &ctxt->exception);
1124 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1125 unsigned int size, unsigned short port,
1128 struct read_cache *rc = &ctxt->decode.io_read;
1130 if (rc->pos == rc->end) { /* refill pio read ahead */
1131 struct decode_cache *c = &ctxt->decode;
1132 unsigned int in_page, n;
1133 unsigned int count = c->rep_prefix ?
1134 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1135 in_page = (ctxt->eflags & EFLG_DF) ?
1136 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1137 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1138 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1142 rc->pos = rc->end = 0;
1143 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1148 memcpy(dest, rc->data + rc->pos, size);
1153 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1154 u16 selector, struct desc_ptr *dt)
1156 struct x86_emulate_ops *ops = ctxt->ops;
1158 if (selector & 1 << 2) {
1159 struct desc_struct desc;
1162 memset (dt, 0, sizeof *dt);
1163 if (!ops->get_segment(ctxt, &sel, &desc, NULL, VCPU_SREG_LDTR))
1166 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1167 dt->address = get_desc_base(&desc);
1169 ops->get_gdt(ctxt, dt);
1172 /* allowed just for 8 bytes segments */
1173 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1174 u16 selector, struct desc_struct *desc)
1177 u16 index = selector >> 3;
1180 get_descriptor_table_ptr(ctxt, selector, &dt);
1182 if (dt.size < index * 8 + 7)
1183 return emulate_gp(ctxt, selector & 0xfffc);
1185 addr = dt.address + index * 8;
1186 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1190 /* allowed just for 8 bytes segments */
1191 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1192 u16 selector, struct desc_struct *desc)
1195 u16 index = selector >> 3;
1198 get_descriptor_table_ptr(ctxt, selector, &dt);
1200 if (dt.size < index * 8 + 7)
1201 return emulate_gp(ctxt, selector & 0xfffc);
1203 addr = dt.address + index * 8;
1204 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1208 /* Does not support long mode */
1209 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1210 u16 selector, int seg)
1212 struct desc_struct seg_desc;
1214 unsigned err_vec = GP_VECTOR;
1216 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1219 memset(&seg_desc, 0, sizeof seg_desc);
1221 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1222 || ctxt->mode == X86EMUL_MODE_REAL) {
1223 /* set real mode segment descriptor */
1224 set_desc_base(&seg_desc, selector << 4);
1225 set_desc_limit(&seg_desc, 0xffff);
1232 /* NULL selector is not valid for TR, CS and SS */
1233 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1237 /* TR should be in GDT only */
1238 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1241 if (null_selector) /* for NULL selector skip all following checks */
1244 ret = read_segment_descriptor(ctxt, selector, &seg_desc);
1245 if (ret != X86EMUL_CONTINUE)
1248 err_code = selector & 0xfffc;
1249 err_vec = GP_VECTOR;
1251 /* can't load system descriptor into segment selecor */
1252 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1256 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1262 cpl = ctxt->ops->cpl(ctxt);
1267 * segment is not a writable data segment or segment
1268 * selector's RPL != CPL or segment selector's RPL != CPL
1270 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1274 if (!(seg_desc.type & 8))
1277 if (seg_desc.type & 4) {
1283 if (rpl > cpl || dpl != cpl)
1286 /* CS(RPL) <- CPL */
1287 selector = (selector & 0xfffc) | cpl;
1290 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1293 case VCPU_SREG_LDTR:
1294 if (seg_desc.s || seg_desc.type != 2)
1297 default: /* DS, ES, FS, or GS */
1299 * segment is not a data or readable code segment or
1300 * ((segment is a data or nonconforming code segment)
1301 * and (both RPL and CPL > DPL))
1303 if ((seg_desc.type & 0xa) == 0x8 ||
1304 (((seg_desc.type & 0xc) != 0xc) &&
1305 (rpl > dpl && cpl > dpl)))
1311 /* mark segment as accessed */
1313 ret = write_segment_descriptor(ctxt, selector, &seg_desc);
1314 if (ret != X86EMUL_CONTINUE)
1318 ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
1319 return X86EMUL_CONTINUE;
1321 emulate_exception(ctxt, err_vec, err_code, true);
1322 return X86EMUL_PROPAGATE_FAULT;
1325 static void write_register_operand(struct operand *op)
1327 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1328 switch (op->bytes) {
1330 *(u8 *)op->addr.reg = (u8)op->val;
1333 *(u16 *)op->addr.reg = (u16)op->val;
1336 *op->addr.reg = (u32)op->val;
1337 break; /* 64b: zero-extend */
1339 *op->addr.reg = op->val;
1344 static int writeback(struct x86_emulate_ctxt *ctxt)
1347 struct decode_cache *c = &ctxt->decode;
1349 switch (c->dst.type) {
1351 write_register_operand(&c->dst);
1355 rc = segmented_cmpxchg(ctxt,
1361 rc = segmented_write(ctxt,
1365 if (rc != X86EMUL_CONTINUE)
1369 write_sse_reg(ctxt, &c->dst.vec_val, c->dst.addr.xmm);
1377 return X86EMUL_CONTINUE;
1380 static int em_push(struct x86_emulate_ctxt *ctxt)
1382 struct decode_cache *c = &ctxt->decode;
1383 struct segmented_address addr;
1385 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1386 addr.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
1387 addr.seg = VCPU_SREG_SS;
1389 /* Disable writeback. */
1390 c->dst.type = OP_NONE;
1391 return segmented_write(ctxt, addr, &c->src.val, c->op_bytes);
1394 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1395 void *dest, int len)
1397 struct decode_cache *c = &ctxt->decode;
1399 struct segmented_address addr;
1401 addr.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
1402 addr.seg = VCPU_SREG_SS;
1403 rc = segmented_read(ctxt, addr, dest, len);
1404 if (rc != X86EMUL_CONTINUE)
1407 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1411 static int em_pop(struct x86_emulate_ctxt *ctxt)
1413 struct decode_cache *c = &ctxt->decode;
1415 return emulate_pop(ctxt, &c->dst.val, c->op_bytes);
1418 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1419 void *dest, int len)
1422 unsigned long val, change_mask;
1423 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1424 int cpl = ctxt->ops->cpl(ctxt);
1426 rc = emulate_pop(ctxt, &val, len);
1427 if (rc != X86EMUL_CONTINUE)
1430 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1431 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1433 switch(ctxt->mode) {
1434 case X86EMUL_MODE_PROT64:
1435 case X86EMUL_MODE_PROT32:
1436 case X86EMUL_MODE_PROT16:
1438 change_mask |= EFLG_IOPL;
1440 change_mask |= EFLG_IF;
1442 case X86EMUL_MODE_VM86:
1444 return emulate_gp(ctxt, 0);
1445 change_mask |= EFLG_IF;
1447 default: /* real mode */
1448 change_mask |= (EFLG_IOPL | EFLG_IF);
1452 *(unsigned long *)dest =
1453 (ctxt->eflags & ~change_mask) | (val & change_mask);
1458 static int em_popf(struct x86_emulate_ctxt *ctxt)
1460 struct decode_cache *c = &ctxt->decode;
1462 c->dst.type = OP_REG;
1463 c->dst.addr.reg = &ctxt->eflags;
1464 c->dst.bytes = c->op_bytes;
1465 return emulate_popf(ctxt, &c->dst.val, c->op_bytes);
1468 static int emulate_push_sreg(struct x86_emulate_ctxt *ctxt, int seg)
1470 struct decode_cache *c = &ctxt->decode;
1472 c->src.val = get_segment_selector(ctxt, seg);
1474 return em_push(ctxt);
1477 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt, int seg)
1479 struct decode_cache *c = &ctxt->decode;
1480 unsigned long selector;
1483 rc = emulate_pop(ctxt, &selector, c->op_bytes);
1484 if (rc != X86EMUL_CONTINUE)
1487 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1491 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1493 struct decode_cache *c = &ctxt->decode;
1494 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1495 int rc = X86EMUL_CONTINUE;
1496 int reg = VCPU_REGS_RAX;
1498 while (reg <= VCPU_REGS_RDI) {
1499 (reg == VCPU_REGS_RSP) ?
1500 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1503 if (rc != X86EMUL_CONTINUE)
1512 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1514 struct decode_cache *c = &ctxt->decode;
1516 c->src.val = (unsigned long)ctxt->eflags;
1517 return em_push(ctxt);
1520 static int em_popa(struct x86_emulate_ctxt *ctxt)
1522 struct decode_cache *c = &ctxt->decode;
1523 int rc = X86EMUL_CONTINUE;
1524 int reg = VCPU_REGS_RDI;
1526 while (reg >= VCPU_REGS_RAX) {
1527 if (reg == VCPU_REGS_RSP) {
1528 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1533 rc = emulate_pop(ctxt, &c->regs[reg], c->op_bytes);
1534 if (rc != X86EMUL_CONTINUE)
1541 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1543 struct decode_cache *c = &ctxt->decode;
1544 struct x86_emulate_ops *ops = ctxt->ops;
1551 /* TODO: Add limit checks */
1552 c->src.val = ctxt->eflags;
1554 if (rc != X86EMUL_CONTINUE)
1557 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1559 c->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
1561 if (rc != X86EMUL_CONTINUE)
1564 c->src.val = c->eip;
1566 if (rc != X86EMUL_CONTINUE)
1569 ops->get_idt(ctxt, &dt);
1571 eip_addr = dt.address + (irq << 2);
1572 cs_addr = dt.address + (irq << 2) + 2;
1574 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
1575 if (rc != X86EMUL_CONTINUE)
1578 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
1579 if (rc != X86EMUL_CONTINUE)
1582 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
1583 if (rc != X86EMUL_CONTINUE)
1591 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
1593 switch(ctxt->mode) {
1594 case X86EMUL_MODE_REAL:
1595 return emulate_int_real(ctxt, irq);
1596 case X86EMUL_MODE_VM86:
1597 case X86EMUL_MODE_PROT16:
1598 case X86EMUL_MODE_PROT32:
1599 case X86EMUL_MODE_PROT64:
1601 /* Protected mode interrupts unimplemented yet */
1602 return X86EMUL_UNHANDLEABLE;
1606 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
1608 struct decode_cache *c = &ctxt->decode;
1609 int rc = X86EMUL_CONTINUE;
1610 unsigned long temp_eip = 0;
1611 unsigned long temp_eflags = 0;
1612 unsigned long cs = 0;
1613 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1614 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1615 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1616 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1618 /* TODO: Add stack limit check */
1620 rc = emulate_pop(ctxt, &temp_eip, c->op_bytes);
1622 if (rc != X86EMUL_CONTINUE)
1625 if (temp_eip & ~0xffff)
1626 return emulate_gp(ctxt, 0);
1628 rc = emulate_pop(ctxt, &cs, c->op_bytes);
1630 if (rc != X86EMUL_CONTINUE)
1633 rc = emulate_pop(ctxt, &temp_eflags, c->op_bytes);
1635 if (rc != X86EMUL_CONTINUE)
1638 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1640 if (rc != X86EMUL_CONTINUE)
1646 if (c->op_bytes == 4)
1647 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1648 else if (c->op_bytes == 2) {
1649 ctxt->eflags &= ~0xffff;
1650 ctxt->eflags |= temp_eflags;
1653 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1654 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1659 static int em_iret(struct x86_emulate_ctxt *ctxt)
1661 switch(ctxt->mode) {
1662 case X86EMUL_MODE_REAL:
1663 return emulate_iret_real(ctxt);
1664 case X86EMUL_MODE_VM86:
1665 case X86EMUL_MODE_PROT16:
1666 case X86EMUL_MODE_PROT32:
1667 case X86EMUL_MODE_PROT64:
1669 /* iret from protected mode unimplemented yet */
1670 return X86EMUL_UNHANDLEABLE;
1674 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
1676 struct decode_cache *c = &ctxt->decode;
1680 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
1682 rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
1683 if (rc != X86EMUL_CONTINUE)
1687 memcpy(&c->eip, c->src.valptr, c->op_bytes);
1688 return X86EMUL_CONTINUE;
1691 static int em_grp1a(struct x86_emulate_ctxt *ctxt)
1693 struct decode_cache *c = &ctxt->decode;
1695 return emulate_pop(ctxt, &c->dst.val, c->dst.bytes);
1698 static int em_grp2(struct x86_emulate_ctxt *ctxt)
1700 struct decode_cache *c = &ctxt->decode;
1701 switch (c->modrm_reg) {
1703 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1706 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1709 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1712 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1714 case 4: /* sal/shl */
1715 case 6: /* sal/shl */
1716 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1719 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1722 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1725 return X86EMUL_CONTINUE;
1728 static int em_grp3(struct x86_emulate_ctxt *ctxt)
1730 struct decode_cache *c = &ctxt->decode;
1731 unsigned long *rax = &c->regs[VCPU_REGS_RAX];
1732 unsigned long *rdx = &c->regs[VCPU_REGS_RDX];
1735 switch (c->modrm_reg) {
1736 case 0 ... 1: /* test */
1737 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1740 c->dst.val = ~c->dst.val;
1743 emulate_1op("neg", c->dst, ctxt->eflags);
1746 emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
1749 emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
1752 emulate_1op_rax_rdx_ex("div", c->src, *rax, *rdx,
1756 emulate_1op_rax_rdx_ex("idiv", c->src, *rax, *rdx,
1760 return X86EMUL_UNHANDLEABLE;
1763 return emulate_de(ctxt);
1764 return X86EMUL_CONTINUE;
1767 static int em_grp45(struct x86_emulate_ctxt *ctxt)
1769 struct decode_cache *c = &ctxt->decode;
1770 int rc = X86EMUL_CONTINUE;
1772 switch (c->modrm_reg) {
1774 emulate_1op("inc", c->dst, ctxt->eflags);
1777 emulate_1op("dec", c->dst, ctxt->eflags);
1779 case 2: /* call near abs */ {
1782 c->eip = c->src.val;
1783 c->src.val = old_eip;
1787 case 4: /* jmp abs */
1788 c->eip = c->src.val;
1790 case 5: /* jmp far */
1791 rc = em_jmp_far(ctxt);
1800 static int em_grp9(struct x86_emulate_ctxt *ctxt)
1802 struct decode_cache *c = &ctxt->decode;
1803 u64 old = c->dst.orig_val64;
1805 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1806 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1807 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1808 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1809 ctxt->eflags &= ~EFLG_ZF;
1811 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1812 (u32) c->regs[VCPU_REGS_RBX];
1814 ctxt->eflags |= EFLG_ZF;
1816 return X86EMUL_CONTINUE;
1819 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
1821 struct decode_cache *c = &ctxt->decode;
1825 rc = emulate_pop(ctxt, &c->eip, c->op_bytes);
1826 if (rc != X86EMUL_CONTINUE)
1828 if (c->op_bytes == 4)
1829 c->eip = (u32)c->eip;
1830 rc = emulate_pop(ctxt, &cs, c->op_bytes);
1831 if (rc != X86EMUL_CONTINUE)
1833 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1837 static int emulate_load_segment(struct x86_emulate_ctxt *ctxt, int seg)
1839 struct decode_cache *c = &ctxt->decode;
1843 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
1845 rc = load_segment_descriptor(ctxt, sel, seg);
1846 if (rc != X86EMUL_CONTINUE)
1849 c->dst.val = c->src.val;
1854 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1855 struct desc_struct *cs, struct desc_struct *ss)
1859 memset(cs, 0, sizeof(struct desc_struct));
1860 ctxt->ops->get_segment(ctxt, &selector, cs, NULL, VCPU_SREG_CS);
1861 memset(ss, 0, sizeof(struct desc_struct));
1863 cs->l = 0; /* will be adjusted later */
1864 set_desc_base(cs, 0); /* flat segment */
1865 cs->g = 1; /* 4kb granularity */
1866 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1867 cs->type = 0x0b; /* Read, Execute, Accessed */
1869 cs->dpl = 0; /* will be adjusted later */
1873 set_desc_base(ss, 0); /* flat segment */
1874 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1875 ss->g = 1; /* 4kb granularity */
1877 ss->type = 0x03; /* Read/Write, Accessed */
1878 ss->d = 1; /* 32bit stack segment */
1883 static int em_syscall(struct x86_emulate_ctxt *ctxt)
1885 struct decode_cache *c = &ctxt->decode;
1886 struct x86_emulate_ops *ops = ctxt->ops;
1887 struct desc_struct cs, ss;
1892 /* syscall is not available in real mode */
1893 if (ctxt->mode == X86EMUL_MODE_REAL ||
1894 ctxt->mode == X86EMUL_MODE_VM86)
1895 return emulate_ud(ctxt);
1897 ops->get_msr(ctxt, MSR_EFER, &efer);
1898 setup_syscalls_segments(ctxt, &cs, &ss);
1900 ops->get_msr(ctxt, MSR_STAR, &msr_data);
1902 cs_sel = (u16)(msr_data & 0xfffc);
1903 ss_sel = (u16)(msr_data + 8);
1905 if (efer & EFER_LMA) {
1909 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
1910 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
1912 c->regs[VCPU_REGS_RCX] = c->eip;
1913 if (efer & EFER_LMA) {
1914 #ifdef CONFIG_X86_64
1915 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1918 ctxt->mode == X86EMUL_MODE_PROT64 ?
1919 MSR_LSTAR : MSR_CSTAR, &msr_data);
1922 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
1923 ctxt->eflags &= ~(msr_data | EFLG_RF);
1927 ops->get_msr(ctxt, MSR_STAR, &msr_data);
1928 c->eip = (u32)msr_data;
1930 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1933 return X86EMUL_CONTINUE;
1936 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
1938 struct decode_cache *c = &ctxt->decode;
1939 struct x86_emulate_ops *ops = ctxt->ops;
1940 struct desc_struct cs, ss;
1945 ops->get_msr(ctxt, MSR_EFER, &efer);
1946 /* inject #GP if in real mode */
1947 if (ctxt->mode == X86EMUL_MODE_REAL)
1948 return emulate_gp(ctxt, 0);
1950 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1951 * Therefore, we inject an #UD.
1953 if (ctxt->mode == X86EMUL_MODE_PROT64)
1954 return emulate_ud(ctxt);
1956 setup_syscalls_segments(ctxt, &cs, &ss);
1958 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
1959 switch (ctxt->mode) {
1960 case X86EMUL_MODE_PROT32:
1961 if ((msr_data & 0xfffc) == 0x0)
1962 return emulate_gp(ctxt, 0);
1964 case X86EMUL_MODE_PROT64:
1965 if (msr_data == 0x0)
1966 return emulate_gp(ctxt, 0);
1970 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1971 cs_sel = (u16)msr_data;
1972 cs_sel &= ~SELECTOR_RPL_MASK;
1973 ss_sel = cs_sel + 8;
1974 ss_sel &= ~SELECTOR_RPL_MASK;
1975 if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
1980 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
1981 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
1983 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
1986 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
1987 c->regs[VCPU_REGS_RSP] = msr_data;
1989 return X86EMUL_CONTINUE;
1992 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
1994 struct decode_cache *c = &ctxt->decode;
1995 struct x86_emulate_ops *ops = ctxt->ops;
1996 struct desc_struct cs, ss;
1999 u16 cs_sel = 0, ss_sel = 0;
2001 /* inject #GP if in real mode or Virtual 8086 mode */
2002 if (ctxt->mode == X86EMUL_MODE_REAL ||
2003 ctxt->mode == X86EMUL_MODE_VM86)
2004 return emulate_gp(ctxt, 0);
2006 setup_syscalls_segments(ctxt, &cs, &ss);
2008 if ((c->rex_prefix & 0x8) != 0x0)
2009 usermode = X86EMUL_MODE_PROT64;
2011 usermode = X86EMUL_MODE_PROT32;
2015 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2017 case X86EMUL_MODE_PROT32:
2018 cs_sel = (u16)(msr_data + 16);
2019 if ((msr_data & 0xfffc) == 0x0)
2020 return emulate_gp(ctxt, 0);
2021 ss_sel = (u16)(msr_data + 24);
2023 case X86EMUL_MODE_PROT64:
2024 cs_sel = (u16)(msr_data + 32);
2025 if (msr_data == 0x0)
2026 return emulate_gp(ctxt, 0);
2027 ss_sel = cs_sel + 8;
2032 cs_sel |= SELECTOR_RPL_MASK;
2033 ss_sel |= SELECTOR_RPL_MASK;
2035 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2036 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2038 c->eip = c->regs[VCPU_REGS_RDX];
2039 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
2041 return X86EMUL_CONTINUE;
2044 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2047 if (ctxt->mode == X86EMUL_MODE_REAL)
2049 if (ctxt->mode == X86EMUL_MODE_VM86)
2051 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2052 return ctxt->ops->cpl(ctxt) > iopl;
2055 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2058 struct x86_emulate_ops *ops = ctxt->ops;
2059 struct desc_struct tr_seg;
2062 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2063 unsigned mask = (1 << len) - 1;
2066 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2069 if (desc_limit_scaled(&tr_seg) < 103)
2071 base = get_desc_base(&tr_seg);
2072 #ifdef CONFIG_X86_64
2073 base |= ((u64)base3) << 32;
2075 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2076 if (r != X86EMUL_CONTINUE)
2078 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2080 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2081 if (r != X86EMUL_CONTINUE)
2083 if ((perm >> bit_idx) & mask)
2088 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2094 if (emulator_bad_iopl(ctxt))
2095 if (!emulator_io_port_access_allowed(ctxt, port, len))
2098 ctxt->perm_ok = true;
2103 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2104 struct tss_segment_16 *tss)
2106 struct decode_cache *c = &ctxt->decode;
2109 tss->flag = ctxt->eflags;
2110 tss->ax = c->regs[VCPU_REGS_RAX];
2111 tss->cx = c->regs[VCPU_REGS_RCX];
2112 tss->dx = c->regs[VCPU_REGS_RDX];
2113 tss->bx = c->regs[VCPU_REGS_RBX];
2114 tss->sp = c->regs[VCPU_REGS_RSP];
2115 tss->bp = c->regs[VCPU_REGS_RBP];
2116 tss->si = c->regs[VCPU_REGS_RSI];
2117 tss->di = c->regs[VCPU_REGS_RDI];
2119 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2120 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2121 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2122 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2123 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2126 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2127 struct tss_segment_16 *tss)
2129 struct decode_cache *c = &ctxt->decode;
2133 ctxt->eflags = tss->flag | 2;
2134 c->regs[VCPU_REGS_RAX] = tss->ax;
2135 c->regs[VCPU_REGS_RCX] = tss->cx;
2136 c->regs[VCPU_REGS_RDX] = tss->dx;
2137 c->regs[VCPU_REGS_RBX] = tss->bx;
2138 c->regs[VCPU_REGS_RSP] = tss->sp;
2139 c->regs[VCPU_REGS_RBP] = tss->bp;
2140 c->regs[VCPU_REGS_RSI] = tss->si;
2141 c->regs[VCPU_REGS_RDI] = tss->di;
2144 * SDM says that segment selectors are loaded before segment
2147 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2148 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2149 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2150 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2151 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2154 * Now load segment descriptors. If fault happenes at this stage
2155 * it is handled in a context of new task
2157 ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR);
2158 if (ret != X86EMUL_CONTINUE)
2160 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2161 if (ret != X86EMUL_CONTINUE)
2163 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2164 if (ret != X86EMUL_CONTINUE)
2166 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2167 if (ret != X86EMUL_CONTINUE)
2169 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2170 if (ret != X86EMUL_CONTINUE)
2173 return X86EMUL_CONTINUE;
2176 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2177 u16 tss_selector, u16 old_tss_sel,
2178 ulong old_tss_base, struct desc_struct *new_desc)
2180 struct x86_emulate_ops *ops = ctxt->ops;
2181 struct tss_segment_16 tss_seg;
2183 u32 new_tss_base = get_desc_base(new_desc);
2185 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2187 if (ret != X86EMUL_CONTINUE)
2188 /* FIXME: need to provide precise fault address */
2191 save_state_to_tss16(ctxt, &tss_seg);
2193 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2195 if (ret != X86EMUL_CONTINUE)
2196 /* FIXME: need to provide precise fault address */
2199 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2201 if (ret != X86EMUL_CONTINUE)
2202 /* FIXME: need to provide precise fault address */
2205 if (old_tss_sel != 0xffff) {
2206 tss_seg.prev_task_link = old_tss_sel;
2208 ret = ops->write_std(ctxt, new_tss_base,
2209 &tss_seg.prev_task_link,
2210 sizeof tss_seg.prev_task_link,
2212 if (ret != X86EMUL_CONTINUE)
2213 /* FIXME: need to provide precise fault address */
2217 return load_state_from_tss16(ctxt, &tss_seg);
2220 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2221 struct tss_segment_32 *tss)
2223 struct decode_cache *c = &ctxt->decode;
2225 tss->cr3 = ctxt->ops->get_cr(ctxt, 3);
2227 tss->eflags = ctxt->eflags;
2228 tss->eax = c->regs[VCPU_REGS_RAX];
2229 tss->ecx = c->regs[VCPU_REGS_RCX];
2230 tss->edx = c->regs[VCPU_REGS_RDX];
2231 tss->ebx = c->regs[VCPU_REGS_RBX];
2232 tss->esp = c->regs[VCPU_REGS_RSP];
2233 tss->ebp = c->regs[VCPU_REGS_RBP];
2234 tss->esi = c->regs[VCPU_REGS_RSI];
2235 tss->edi = c->regs[VCPU_REGS_RDI];
2237 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2238 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2239 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2240 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2241 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
2242 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
2243 tss->ldt_selector = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2246 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2247 struct tss_segment_32 *tss)
2249 struct decode_cache *c = &ctxt->decode;
2252 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
2253 return emulate_gp(ctxt, 0);
2255 ctxt->eflags = tss->eflags | 2;
2256 c->regs[VCPU_REGS_RAX] = tss->eax;
2257 c->regs[VCPU_REGS_RCX] = tss->ecx;
2258 c->regs[VCPU_REGS_RDX] = tss->edx;
2259 c->regs[VCPU_REGS_RBX] = tss->ebx;
2260 c->regs[VCPU_REGS_RSP] = tss->esp;
2261 c->regs[VCPU_REGS_RBP] = tss->ebp;
2262 c->regs[VCPU_REGS_RSI] = tss->esi;
2263 c->regs[VCPU_REGS_RDI] = tss->edi;
2266 * SDM says that segment selectors are loaded before segment
2269 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2270 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2271 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2272 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2273 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2274 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
2275 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
2278 * Now load segment descriptors. If fault happenes at this stage
2279 * it is handled in a context of new task
2281 ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2282 if (ret != X86EMUL_CONTINUE)
2284 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2285 if (ret != X86EMUL_CONTINUE)
2287 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2288 if (ret != X86EMUL_CONTINUE)
2290 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2291 if (ret != X86EMUL_CONTINUE)
2293 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2294 if (ret != X86EMUL_CONTINUE)
2296 ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS);
2297 if (ret != X86EMUL_CONTINUE)
2299 ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS);
2300 if (ret != X86EMUL_CONTINUE)
2303 return X86EMUL_CONTINUE;
2306 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2307 u16 tss_selector, u16 old_tss_sel,
2308 ulong old_tss_base, struct desc_struct *new_desc)
2310 struct x86_emulate_ops *ops = ctxt->ops;
2311 struct tss_segment_32 tss_seg;
2313 u32 new_tss_base = get_desc_base(new_desc);
2315 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2317 if (ret != X86EMUL_CONTINUE)
2318 /* FIXME: need to provide precise fault address */
2321 save_state_to_tss32(ctxt, &tss_seg);
2323 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2325 if (ret != X86EMUL_CONTINUE)
2326 /* FIXME: need to provide precise fault address */
2329 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2331 if (ret != X86EMUL_CONTINUE)
2332 /* FIXME: need to provide precise fault address */
2335 if (old_tss_sel != 0xffff) {
2336 tss_seg.prev_task_link = old_tss_sel;
2338 ret = ops->write_std(ctxt, new_tss_base,
2339 &tss_seg.prev_task_link,
2340 sizeof tss_seg.prev_task_link,
2342 if (ret != X86EMUL_CONTINUE)
2343 /* FIXME: need to provide precise fault address */
2347 return load_state_from_tss32(ctxt, &tss_seg);
2350 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2351 u16 tss_selector, int reason,
2352 bool has_error_code, u32 error_code)
2354 struct x86_emulate_ops *ops = ctxt->ops;
2355 struct desc_struct curr_tss_desc, next_tss_desc;
2357 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
2358 ulong old_tss_base =
2359 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
2362 /* FIXME: old_tss_base == ~0 ? */
2364 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2365 if (ret != X86EMUL_CONTINUE)
2367 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2368 if (ret != X86EMUL_CONTINUE)
2371 /* FIXME: check that next_tss_desc is tss */
2373 if (reason != TASK_SWITCH_IRET) {
2374 if ((tss_selector & 3) > next_tss_desc.dpl ||
2375 ops->cpl(ctxt) > next_tss_desc.dpl)
2376 return emulate_gp(ctxt, 0);
2379 desc_limit = desc_limit_scaled(&next_tss_desc);
2380 if (!next_tss_desc.p ||
2381 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2382 desc_limit < 0x2b)) {
2383 emulate_ts(ctxt, tss_selector & 0xfffc);
2384 return X86EMUL_PROPAGATE_FAULT;
2387 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2388 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2389 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2392 if (reason == TASK_SWITCH_IRET)
2393 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2395 /* set back link to prev task only if NT bit is set in eflags
2396 note that old_tss_sel is not used afetr this point */
2397 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2398 old_tss_sel = 0xffff;
2400 if (next_tss_desc.type & 8)
2401 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
2402 old_tss_base, &next_tss_desc);
2404 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
2405 old_tss_base, &next_tss_desc);
2406 if (ret != X86EMUL_CONTINUE)
2409 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2410 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2412 if (reason != TASK_SWITCH_IRET) {
2413 next_tss_desc.type |= (1 << 1); /* set busy flag */
2414 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2417 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
2418 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
2420 if (has_error_code) {
2421 struct decode_cache *c = &ctxt->decode;
2423 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2425 c->src.val = (unsigned long) error_code;
2426 ret = em_push(ctxt);
2432 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2433 u16 tss_selector, int reason,
2434 bool has_error_code, u32 error_code)
2436 struct decode_cache *c = &ctxt->decode;
2440 c->dst.type = OP_NONE;
2442 rc = emulator_do_task_switch(ctxt, tss_selector, reason,
2443 has_error_code, error_code);
2445 if (rc == X86EMUL_CONTINUE)
2448 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
2451 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
2452 int reg, struct operand *op)
2454 struct decode_cache *c = &ctxt->decode;
2455 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2457 register_address_increment(c, &c->regs[reg], df * op->bytes);
2458 op->addr.mem.ea = register_address(c, c->regs[reg]);
2459 op->addr.mem.seg = seg;
2462 static int em_das(struct x86_emulate_ctxt *ctxt)
2464 struct decode_cache *c = &ctxt->decode;
2466 bool af, cf, old_cf;
2468 cf = ctxt->eflags & X86_EFLAGS_CF;
2474 af = ctxt->eflags & X86_EFLAGS_AF;
2475 if ((al & 0x0f) > 9 || af) {
2477 cf = old_cf | (al >= 250);
2482 if (old_al > 0x99 || old_cf) {
2488 /* Set PF, ZF, SF */
2489 c->src.type = OP_IMM;
2492 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2493 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2495 ctxt->eflags |= X86_EFLAGS_CF;
2497 ctxt->eflags |= X86_EFLAGS_AF;
2498 return X86EMUL_CONTINUE;
2501 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2503 struct decode_cache *c = &ctxt->decode;
2508 old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2511 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2512 if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
2513 return X86EMUL_CONTINUE;
2516 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2518 c->src.val = old_cs;
2520 if (rc != X86EMUL_CONTINUE)
2523 c->src.val = old_eip;
2524 return em_push(ctxt);
2527 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2529 struct decode_cache *c = &ctxt->decode;
2532 c->dst.type = OP_REG;
2533 c->dst.addr.reg = &c->eip;
2534 c->dst.bytes = c->op_bytes;
2535 rc = emulate_pop(ctxt, &c->dst.val, c->op_bytes);
2536 if (rc != X86EMUL_CONTINUE)
2538 register_address_increment(c, &c->regs[VCPU_REGS_RSP], c->src.val);
2539 return X86EMUL_CONTINUE;
2542 static int em_add(struct x86_emulate_ctxt *ctxt)
2544 struct decode_cache *c = &ctxt->decode;
2546 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2547 return X86EMUL_CONTINUE;
2550 static int em_or(struct x86_emulate_ctxt *ctxt)
2552 struct decode_cache *c = &ctxt->decode;
2554 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2555 return X86EMUL_CONTINUE;
2558 static int em_adc(struct x86_emulate_ctxt *ctxt)
2560 struct decode_cache *c = &ctxt->decode;
2562 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2563 return X86EMUL_CONTINUE;
2566 static int em_sbb(struct x86_emulate_ctxt *ctxt)
2568 struct decode_cache *c = &ctxt->decode;
2570 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2571 return X86EMUL_CONTINUE;
2574 static int em_and(struct x86_emulate_ctxt *ctxt)
2576 struct decode_cache *c = &ctxt->decode;
2578 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2579 return X86EMUL_CONTINUE;
2582 static int em_sub(struct x86_emulate_ctxt *ctxt)
2584 struct decode_cache *c = &ctxt->decode;
2586 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2587 return X86EMUL_CONTINUE;
2590 static int em_xor(struct x86_emulate_ctxt *ctxt)
2592 struct decode_cache *c = &ctxt->decode;
2594 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2595 return X86EMUL_CONTINUE;
2598 static int em_cmp(struct x86_emulate_ctxt *ctxt)
2600 struct decode_cache *c = &ctxt->decode;
2602 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2603 /* Disable writeback. */
2604 c->dst.type = OP_NONE;
2605 return X86EMUL_CONTINUE;
2608 static int em_imul(struct x86_emulate_ctxt *ctxt)
2610 struct decode_cache *c = &ctxt->decode;
2612 emulate_2op_SrcV_nobyte("imul", c->src, c->dst, ctxt->eflags);
2613 return X86EMUL_CONTINUE;
2616 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2618 struct decode_cache *c = &ctxt->decode;
2620 c->dst.val = c->src2.val;
2621 return em_imul(ctxt);
2624 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2626 struct decode_cache *c = &ctxt->decode;
2628 c->dst.type = OP_REG;
2629 c->dst.bytes = c->src.bytes;
2630 c->dst.addr.reg = &c->regs[VCPU_REGS_RDX];
2631 c->dst.val = ~((c->src.val >> (c->src.bytes * 8 - 1)) - 1);
2633 return X86EMUL_CONTINUE;
2636 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2638 struct decode_cache *c = &ctxt->decode;
2641 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
2642 c->regs[VCPU_REGS_RAX] = (u32)tsc;
2643 c->regs[VCPU_REGS_RDX] = tsc >> 32;
2644 return X86EMUL_CONTINUE;
2647 static int em_mov(struct x86_emulate_ctxt *ctxt)
2649 struct decode_cache *c = &ctxt->decode;
2650 c->dst.val = c->src.val;
2651 return X86EMUL_CONTINUE;
2654 static int em_movdqu(struct x86_emulate_ctxt *ctxt)
2656 struct decode_cache *c = &ctxt->decode;
2657 memcpy(&c->dst.vec_val, &c->src.vec_val, c->op_bytes);
2658 return X86EMUL_CONTINUE;
2661 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
2663 struct decode_cache *c = &ctxt->decode;
2667 rc = linearize(ctxt, c->src.addr.mem, 1, false, &linear);
2668 if (rc == X86EMUL_CONTINUE)
2669 ctxt->ops->invlpg(ctxt, linear);
2670 /* Disable writeback. */
2671 c->dst.type = OP_NONE;
2672 return X86EMUL_CONTINUE;
2675 static int em_clts(struct x86_emulate_ctxt *ctxt)
2679 cr0 = ctxt->ops->get_cr(ctxt, 0);
2681 ctxt->ops->set_cr(ctxt, 0, cr0);
2682 return X86EMUL_CONTINUE;
2685 static int em_vmcall(struct x86_emulate_ctxt *ctxt)
2687 struct decode_cache *c = &ctxt->decode;
2690 if (c->modrm_mod != 3 || c->modrm_rm != 1)
2691 return X86EMUL_UNHANDLEABLE;
2693 rc = ctxt->ops->fix_hypercall(ctxt);
2694 if (rc != X86EMUL_CONTINUE)
2697 /* Let the processor re-execute the fixed hypercall */
2699 /* Disable writeback. */
2700 c->dst.type = OP_NONE;
2701 return X86EMUL_CONTINUE;
2704 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
2706 struct decode_cache *c = &ctxt->decode;
2707 struct desc_ptr desc_ptr;
2710 rc = read_descriptor(ctxt, c->src.addr.mem,
2711 &desc_ptr.size, &desc_ptr.address,
2713 if (rc != X86EMUL_CONTINUE)
2715 ctxt->ops->set_gdt(ctxt, &desc_ptr);
2716 /* Disable writeback. */
2717 c->dst.type = OP_NONE;
2718 return X86EMUL_CONTINUE;
2721 static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
2723 struct decode_cache *c = &ctxt->decode;
2726 rc = ctxt->ops->fix_hypercall(ctxt);
2728 /* Disable writeback. */
2729 c->dst.type = OP_NONE;
2733 static int em_lidt(struct x86_emulate_ctxt *ctxt)
2735 struct decode_cache *c = &ctxt->decode;
2736 struct desc_ptr desc_ptr;
2739 rc = read_descriptor(ctxt, c->src.addr.mem,
2740 &desc_ptr.size, &desc_ptr.address,
2742 if (rc != X86EMUL_CONTINUE)
2744 ctxt->ops->set_idt(ctxt, &desc_ptr);
2745 /* Disable writeback. */
2746 c->dst.type = OP_NONE;
2747 return X86EMUL_CONTINUE;
2750 static int em_smsw(struct x86_emulate_ctxt *ctxt)
2752 struct decode_cache *c = &ctxt->decode;
2755 c->dst.val = ctxt->ops->get_cr(ctxt, 0);
2756 return X86EMUL_CONTINUE;
2759 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
2761 struct decode_cache *c = &ctxt->decode;
2762 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
2763 | (c->src.val & 0x0f));
2764 c->dst.type = OP_NONE;
2765 return X86EMUL_CONTINUE;
2768 static bool valid_cr(int nr)
2780 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
2782 struct decode_cache *c = &ctxt->decode;
2784 if (!valid_cr(c->modrm_reg))
2785 return emulate_ud(ctxt);
2787 return X86EMUL_CONTINUE;
2790 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
2792 struct decode_cache *c = &ctxt->decode;
2793 u64 new_val = c->src.val64;
2794 int cr = c->modrm_reg;
2797 static u64 cr_reserved_bits[] = {
2798 0xffffffff00000000ULL,
2799 0, 0, 0, /* CR3 checked later */
2806 return emulate_ud(ctxt);
2808 if (new_val & cr_reserved_bits[cr])
2809 return emulate_gp(ctxt, 0);
2814 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
2815 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
2816 return emulate_gp(ctxt, 0);
2818 cr4 = ctxt->ops->get_cr(ctxt, 4);
2819 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
2821 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
2822 !(cr4 & X86_CR4_PAE))
2823 return emulate_gp(ctxt, 0);
2830 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
2831 if (efer & EFER_LMA)
2832 rsvd = CR3_L_MODE_RESERVED_BITS;
2833 else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE)
2834 rsvd = CR3_PAE_RESERVED_BITS;
2835 else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG)
2836 rsvd = CR3_NONPAE_RESERVED_BITS;
2839 return emulate_gp(ctxt, 0);
2846 cr4 = ctxt->ops->get_cr(ctxt, 4);
2847 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
2849 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
2850 return emulate_gp(ctxt, 0);
2856 return X86EMUL_CONTINUE;
2859 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
2863 ctxt->ops->get_dr(ctxt, 7, &dr7);
2865 /* Check if DR7.Global_Enable is set */
2866 return dr7 & (1 << 13);
2869 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
2871 struct decode_cache *c = &ctxt->decode;
2872 int dr = c->modrm_reg;
2876 return emulate_ud(ctxt);
2878 cr4 = ctxt->ops->get_cr(ctxt, 4);
2879 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
2880 return emulate_ud(ctxt);
2882 if (check_dr7_gd(ctxt))
2883 return emulate_db(ctxt);
2885 return X86EMUL_CONTINUE;
2888 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
2890 struct decode_cache *c = &ctxt->decode;
2891 u64 new_val = c->src.val64;
2892 int dr = c->modrm_reg;
2894 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
2895 return emulate_gp(ctxt, 0);
2897 return check_dr_read(ctxt);
2900 static int check_svme(struct x86_emulate_ctxt *ctxt)
2904 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
2906 if (!(efer & EFER_SVME))
2907 return emulate_ud(ctxt);
2909 return X86EMUL_CONTINUE;
2912 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
2914 u64 rax = ctxt->decode.regs[VCPU_REGS_RAX];
2916 /* Valid physical address? */
2917 if (rax & 0xffff000000000000ULL)
2918 return emulate_gp(ctxt, 0);
2920 return check_svme(ctxt);
2923 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
2925 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
2927 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
2928 return emulate_ud(ctxt);
2930 return X86EMUL_CONTINUE;
2933 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
2935 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
2936 u64 rcx = ctxt->decode.regs[VCPU_REGS_RCX];
2938 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
2940 return emulate_gp(ctxt, 0);
2942 return X86EMUL_CONTINUE;
2945 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
2947 struct decode_cache *c = &ctxt->decode;
2949 c->dst.bytes = min(c->dst.bytes, 4u);
2950 if (!emulator_io_permited(ctxt, c->src.val, c->dst.bytes))
2951 return emulate_gp(ctxt, 0);
2953 return X86EMUL_CONTINUE;
2956 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
2958 struct decode_cache *c = &ctxt->decode;
2960 c->src.bytes = min(c->src.bytes, 4u);
2961 if (!emulator_io_permited(ctxt, c->dst.val, c->src.bytes))
2962 return emulate_gp(ctxt, 0);
2964 return X86EMUL_CONTINUE;
2967 #define D(_y) { .flags = (_y) }
2968 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
2969 #define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
2970 .check_perm = (_p) }
2972 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
2973 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2974 #define GD(_f, _g) { .flags = ((_f) | GroupDual), .u.gdual = (_g) }
2975 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2976 #define II(_f, _e, _i) \
2977 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
2978 #define IIP(_f, _e, _i, _p) \
2979 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
2980 .check_perm = (_p) }
2981 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
2983 #define D2bv(_f) D((_f) | ByteOp), D(_f)
2984 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
2985 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
2987 #define I6ALU(_f, _e) I2bv((_f) | DstMem | SrcReg | ModRM, _e), \
2988 I2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
2989 I2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
2991 static struct opcode group7_rm1[] = {
2992 DI(SrcNone | ModRM | Priv, monitor),
2993 DI(SrcNone | ModRM | Priv, mwait),
2997 static struct opcode group7_rm3[] = {
2998 DIP(SrcNone | ModRM | Prot | Priv, vmrun, check_svme_pa),
2999 II(SrcNone | ModRM | Prot | VendorSpecific, em_vmmcall, vmmcall),
3000 DIP(SrcNone | ModRM | Prot | Priv, vmload, check_svme_pa),
3001 DIP(SrcNone | ModRM | Prot | Priv, vmsave, check_svme_pa),
3002 DIP(SrcNone | ModRM | Prot | Priv, stgi, check_svme),
3003 DIP(SrcNone | ModRM | Prot | Priv, clgi, check_svme),
3004 DIP(SrcNone | ModRM | Prot | Priv, skinit, check_svme),
3005 DIP(SrcNone | ModRM | Prot | Priv, invlpga, check_svme),
3008 static struct opcode group7_rm7[] = {
3010 DIP(SrcNone | ModRM, rdtscp, check_rdtsc),
3014 static struct opcode group1[] = {
3025 static struct opcode group1A[] = {
3026 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
3029 static struct opcode group3[] = {
3030 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
3031 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
3032 X4(D(SrcMem | ModRM)),
3035 static struct opcode group4[] = {
3036 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
3040 static struct opcode group5[] = {
3041 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
3042 D(SrcMem | ModRM | Stack),
3043 I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
3044 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
3045 D(SrcMem | ModRM | Stack), N,
3048 static struct opcode group6[] = {
3049 DI(ModRM | Prot, sldt),
3050 DI(ModRM | Prot, str),
3051 DI(ModRM | Prot | Priv, lldt),
3052 DI(ModRM | Prot | Priv, ltr),
3056 static struct group_dual group7 = { {
3057 DI(ModRM | Mov | DstMem | Priv, sgdt),
3058 DI(ModRM | Mov | DstMem | Priv, sidt),
3059 II(ModRM | SrcMem | Priv, em_lgdt, lgdt),
3060 II(ModRM | SrcMem | Priv, em_lidt, lidt),
3061 II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
3062 II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw),
3063 II(SrcMem | ModRM | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
3065 I(SrcNone | ModRM | Priv | VendorSpecific, em_vmcall),
3067 N, EXT(0, group7_rm3),
3068 II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
3069 II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw), EXT(0, group7_rm7),
3072 static struct opcode group8[] = {
3074 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
3075 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
3078 static struct group_dual group9 = { {
3079 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
3081 N, N, N, N, N, N, N, N,
3084 static struct opcode group11[] = {
3085 I(DstMem | SrcImm | ModRM | Mov, em_mov), X7(D(Undefined)),
3088 static struct gprefix pfx_0f_6f_0f_7f = {
3089 N, N, N, I(Sse, em_movdqu),
3092 static struct opcode opcode_table[256] = {
3094 I6ALU(Lock, em_add),
3095 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
3098 D(ImplicitOps | Stack | No64), N,
3100 I6ALU(Lock, em_adc),
3101 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
3103 I6ALU(Lock, em_sbb),
3104 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
3106 I6ALU(Lock, em_and), N, N,
3108 I6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
3110 I6ALU(Lock, em_xor), N, N,
3112 I6ALU(0, em_cmp), N, N,
3116 X8(I(SrcReg | Stack, em_push)),
3118 X8(I(DstReg | Stack, em_pop)),
3120 I(ImplicitOps | Stack | No64, em_pusha),
3121 I(ImplicitOps | Stack | No64, em_popa),
3122 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
3125 I(SrcImm | Mov | Stack, em_push),
3126 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
3127 I(SrcImmByte | Mov | Stack, em_push),
3128 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
3129 D2bvIP(DstDI | SrcDX | Mov | String, ins, check_perm_in), /* insb, insw/insd */
3130 D2bvIP(SrcSI | DstDX | String, outs, check_perm_out), /* outsb, outsw/outsd */
3134 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
3135 G(DstMem | SrcImm | ModRM | Group, group1),
3136 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
3137 G(DstMem | SrcImmByte | ModRM | Group, group1),
3138 D2bv(DstMem | SrcReg | ModRM), D2bv(DstMem | SrcReg | ModRM | Lock),
3140 I2bv(DstMem | SrcReg | ModRM | Mov, em_mov),
3141 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
3142 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
3143 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
3145 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
3147 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
3148 I(SrcImmFAddr | No64, em_call_far), N,
3149 II(ImplicitOps | Stack, em_pushf, pushf),
3150 II(ImplicitOps | Stack, em_popf, popf), N, N,
3152 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
3153 I2bv(DstMem | SrcAcc | Mov | MemAbs, em_mov),
3154 I2bv(SrcSI | DstDI | Mov | String, em_mov),
3155 I2bv(SrcSI | DstDI | String, em_cmp),
3157 D2bv(DstAcc | SrcImm),
3158 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
3159 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
3160 I2bv(SrcAcc | DstDI | String, em_cmp),
3162 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
3164 X8(I(DstReg | SrcImm | Mov, em_mov)),
3166 D2bv(DstMem | SrcImmByte | ModRM),
3167 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
3168 D(ImplicitOps | Stack),
3169 D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr | ModRM | No64),
3170 G(ByteOp, group11), G(0, group11),
3172 N, N, N, D(ImplicitOps | Stack),
3173 D(ImplicitOps), DI(SrcImmByte, intn),
3174 D(ImplicitOps | No64), DI(ImplicitOps, iret),
3176 D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
3179 N, N, N, N, N, N, N, N,
3182 D2bvIP(SrcImmUByte | DstAcc, in, check_perm_in),
3183 D2bvIP(SrcAcc | DstImmUByte, out, check_perm_out),
3185 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
3186 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
3187 D2bvIP(SrcDX | DstAcc, in, check_perm_in),
3188 D2bvIP(SrcAcc | DstDX, out, check_perm_out),
3190 N, DI(ImplicitOps, icebp), N, N,
3191 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
3192 G(ByteOp, group3), G(0, group3),
3194 D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
3195 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
3198 static struct opcode twobyte_table[256] = {
3200 G(0, group6), GD(0, &group7), N, N,
3201 N, D(ImplicitOps | VendorSpecific), DI(ImplicitOps | Priv, clts), N,
3202 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
3203 N, D(ImplicitOps | ModRM), N, N,
3205 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
3207 DIP(ModRM | DstMem | Priv | Op3264, cr_read, check_cr_read),
3208 DIP(ModRM | DstMem | Priv | Op3264, dr_read, check_dr_read),
3209 DIP(ModRM | SrcMem | Priv | Op3264, cr_write, check_cr_write),
3210 DIP(ModRM | SrcMem | Priv | Op3264, dr_write, check_dr_write),
3212 N, N, N, N, N, N, N, N,
3214 DI(ImplicitOps | Priv, wrmsr),
3215 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
3216 DI(ImplicitOps | Priv, rdmsr),
3217 DIP(ImplicitOps | Priv, rdpmc, check_rdpmc),
3218 D(ImplicitOps | VendorSpecific), D(ImplicitOps | Priv | VendorSpecific),
3220 N, N, N, N, N, N, N, N,
3222 X16(D(DstReg | SrcMem | ModRM | Mov)),
3224 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3229 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
3234 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
3238 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
3240 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
3241 DI(ImplicitOps, cpuid), D(DstMem | SrcReg | ModRM | BitOp),
3242 D(DstMem | SrcReg | Src2ImmByte | ModRM),
3243 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
3245 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
3246 DI(ImplicitOps, rsm), D(DstMem | SrcReg | ModRM | BitOp | Lock),
3247 D(DstMem | SrcReg | Src2ImmByte | ModRM),
3248 D(DstMem | SrcReg | Src2CL | ModRM),
3249 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
3251 D2bv(DstMem | SrcReg | ModRM | Lock),
3252 D(DstReg | SrcMemFAddr | ModRM), D(DstMem | SrcReg | ModRM | BitOp | Lock),
3253 D(DstReg | SrcMemFAddr | ModRM), D(DstReg | SrcMemFAddr | ModRM),
3254 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3257 G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
3258 D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
3259 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3261 D2bv(DstMem | SrcReg | ModRM | Lock),
3262 N, D(DstMem | SrcReg | ModRM | Mov),
3263 N, N, N, GD(0, &group9),
3264 N, N, N, N, N, N, N, N,
3266 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3268 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3270 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
3286 static unsigned imm_size(struct decode_cache *c)
3290 size = (c->d & ByteOp) ? 1 : c->op_bytes;
3296 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
3297 unsigned size, bool sign_extension)
3299 struct decode_cache *c = &ctxt->decode;
3300 int rc = X86EMUL_CONTINUE;
3304 op->addr.mem.ea = c->eip;
3305 /* NB. Immediates are sign-extended as necessary. */
3306 switch (op->bytes) {
3308 op->val = insn_fetch(s8, 1, c->eip);
3311 op->val = insn_fetch(s16, 2, c->eip);
3314 op->val = insn_fetch(s32, 4, c->eip);
3317 if (!sign_extension) {
3318 switch (op->bytes) {
3326 op->val &= 0xffffffff;
3334 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
3336 struct decode_cache *c = &ctxt->decode;
3337 int rc = X86EMUL_CONTINUE;
3338 int mode = ctxt->mode;
3339 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
3340 bool op_prefix = false;
3341 struct opcode opcode;
3342 struct operand memop = { .type = OP_NONE }, *memopp = NULL;
3345 c->fetch.start = c->eip;
3346 c->fetch.end = c->fetch.start + insn_len;
3348 memcpy(c->fetch.data, insn, insn_len);
3351 case X86EMUL_MODE_REAL:
3352 case X86EMUL_MODE_VM86:
3353 case X86EMUL_MODE_PROT16:
3354 def_op_bytes = def_ad_bytes = 2;
3356 case X86EMUL_MODE_PROT32:
3357 def_op_bytes = def_ad_bytes = 4;
3359 #ifdef CONFIG_X86_64
3360 case X86EMUL_MODE_PROT64:
3369 c->op_bytes = def_op_bytes;
3370 c->ad_bytes = def_ad_bytes;
3372 /* Legacy prefixes. */
3374 switch (c->b = insn_fetch(u8, 1, c->eip)) {
3375 case 0x66: /* operand-size override */
3377 /* switch between 2/4 bytes */
3378 c->op_bytes = def_op_bytes ^ 6;
3380 case 0x67: /* address-size override */
3381 if (mode == X86EMUL_MODE_PROT64)
3382 /* switch between 4/8 bytes */
3383 c->ad_bytes = def_ad_bytes ^ 12;
3385 /* switch between 2/4 bytes */
3386 c->ad_bytes = def_ad_bytes ^ 6;
3388 case 0x26: /* ES override */
3389 case 0x2e: /* CS override */
3390 case 0x36: /* SS override */
3391 case 0x3e: /* DS override */
3392 set_seg_override(c, (c->b >> 3) & 3);
3394 case 0x64: /* FS override */
3395 case 0x65: /* GS override */
3396 set_seg_override(c, c->b & 7);
3398 case 0x40 ... 0x4f: /* REX */
3399 if (mode != X86EMUL_MODE_PROT64)
3401 c->rex_prefix = c->b;
3403 case 0xf0: /* LOCK */
3406 case 0xf2: /* REPNE/REPNZ */
3407 case 0xf3: /* REP/REPE/REPZ */
3408 c->rep_prefix = c->b;
3414 /* Any legacy prefix after a REX prefix nullifies its effect. */
3422 if (c->rex_prefix & 8)
3423 c->op_bytes = 8; /* REX.W */
3425 /* Opcode byte(s). */
3426 opcode = opcode_table[c->b];
3427 /* Two-byte opcode? */
3430 c->b = insn_fetch(u8, 1, c->eip);
3431 opcode = twobyte_table[c->b];
3433 c->d = opcode.flags;
3435 while (c->d & GroupMask) {
3436 switch (c->d & GroupMask) {
3438 c->modrm = insn_fetch(u8, 1, c->eip);
3440 goffset = (c->modrm >> 3) & 7;
3441 opcode = opcode.u.group[goffset];
3444 c->modrm = insn_fetch(u8, 1, c->eip);
3446 goffset = (c->modrm >> 3) & 7;
3447 if ((c->modrm >> 6) == 3)
3448 opcode = opcode.u.gdual->mod3[goffset];
3450 opcode = opcode.u.gdual->mod012[goffset];
3453 goffset = c->modrm & 7;
3454 opcode = opcode.u.group[goffset];
3457 if (c->rep_prefix && op_prefix)
3458 return X86EMUL_UNHANDLEABLE;
3459 simd_prefix = op_prefix ? 0x66 : c->rep_prefix;
3460 switch (simd_prefix) {
3461 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
3462 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
3463 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
3464 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
3468 return X86EMUL_UNHANDLEABLE;
3472 c->d |= opcode.flags;
3475 c->execute = opcode.u.execute;
3476 c->check_perm = opcode.check_perm;
3477 c->intercept = opcode.intercept;
3480 if (c->d == 0 || (c->d & Undefined))
3483 if (!(c->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
3486 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
3489 if (c->d & Op3264) {
3490 if (mode == X86EMUL_MODE_PROT64)
3499 /* ModRM and SIB bytes. */
3501 rc = decode_modrm(ctxt, &memop);
3502 if (!c->has_seg_override)
3503 set_seg_override(c, c->modrm_seg);
3504 } else if (c->d & MemAbs)
3505 rc = decode_abs(ctxt, &memop);
3506 if (rc != X86EMUL_CONTINUE)
3509 if (!c->has_seg_override)
3510 set_seg_override(c, VCPU_SREG_DS);
3512 memop.addr.mem.seg = seg_override(ctxt, c);
3514 if (memop.type == OP_MEM && c->ad_bytes != 8)
3515 memop.addr.mem.ea = (u32)memop.addr.mem.ea;
3518 * Decode and fetch the source operand: register, memory
3521 switch (c->d & SrcMask) {
3525 decode_register_operand(ctxt, &c->src, c, 0);
3534 memop.bytes = (c->d & ByteOp) ? 1 :
3541 rc = decode_imm(ctxt, &c->src, 2, false);
3544 rc = decode_imm(ctxt, &c->src, imm_size(c), true);
3547 rc = decode_imm(ctxt, &c->src, imm_size(c), false);
3550 rc = decode_imm(ctxt, &c->src, 1, true);
3553 rc = decode_imm(ctxt, &c->src, 1, false);
3556 c->src.type = OP_REG;
3557 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3558 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
3559 fetch_register_operand(&c->src);
3566 c->src.type = OP_MEM;
3567 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3568 c->src.addr.mem.ea =
3569 register_address(c, c->regs[VCPU_REGS_RSI]);
3570 c->src.addr.mem.seg = seg_override(ctxt, c);
3574 c->src.type = OP_IMM;
3575 c->src.addr.mem.ea = c->eip;
3576 c->src.bytes = c->op_bytes + 2;
3577 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
3580 memop.bytes = c->op_bytes + 2;
3584 c->src.type = OP_REG;
3586 c->src.addr.reg = &c->regs[VCPU_REGS_RDX];
3587 fetch_register_operand(&c->src);
3591 if (rc != X86EMUL_CONTINUE)
3595 * Decode and fetch the second source operand: register, memory
3598 switch (c->d & Src2Mask) {
3603 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
3606 rc = decode_imm(ctxt, &c->src2, 1, true);
3613 rc = decode_imm(ctxt, &c->src2, imm_size(c), true);
3617 if (rc != X86EMUL_CONTINUE)
3620 /* Decode and fetch the destination operand: register or memory. */
3621 switch (c->d & DstMask) {
3623 decode_register_operand(ctxt, &c->dst, c,
3624 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
3627 c->dst.type = OP_IMM;
3628 c->dst.addr.mem.ea = c->eip;
3630 c->dst.val = insn_fetch(u8, 1, c->eip);
3636 if ((c->d & DstMask) == DstMem64)
3639 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3641 fetch_bit_operand(c);
3642 c->dst.orig_val = c->dst.val;
3645 c->dst.type = OP_REG;
3646 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3647 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
3648 fetch_register_operand(&c->dst);
3649 c->dst.orig_val = c->dst.val;
3652 c->dst.type = OP_MEM;
3653 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3654 c->dst.addr.mem.ea =
3655 register_address(c, c->regs[VCPU_REGS_RDI]);
3656 c->dst.addr.mem.seg = VCPU_SREG_ES;
3660 c->dst.type = OP_REG;
3662 c->dst.addr.reg = &c->regs[VCPU_REGS_RDX];
3663 fetch_register_operand(&c->dst);
3666 /* Special instructions do their own operand decoding. */
3668 c->dst.type = OP_NONE; /* Disable writeback. */
3673 if (memopp && memopp->type == OP_MEM && c->rip_relative)
3674 memopp->addr.mem.ea += c->eip;
3676 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3679 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
3681 struct decode_cache *c = &ctxt->decode;
3683 /* The second termination condition only applies for REPE
3684 * and REPNE. Test if the repeat string operation prefix is
3685 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
3686 * corresponding termination condition according to:
3687 * - if REPE/REPZ and ZF = 0 then done
3688 * - if REPNE/REPNZ and ZF = 1 then done
3690 if (((c->b == 0xa6) || (c->b == 0xa7) ||
3691 (c->b == 0xae) || (c->b == 0xaf))
3692 && (((c->rep_prefix == REPE_PREFIX) &&
3693 ((ctxt->eflags & EFLG_ZF) == 0))
3694 || ((c->rep_prefix == REPNE_PREFIX) &&
3695 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
3701 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
3703 struct x86_emulate_ops *ops = ctxt->ops;
3705 struct decode_cache *c = &ctxt->decode;
3706 int rc = X86EMUL_CONTINUE;
3707 int saved_dst_type = c->dst.type;
3708 int irq; /* Used for int 3, int, and into */
3710 c->mem_read.pos = 0;
3712 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
3713 rc = emulate_ud(ctxt);
3717 /* LOCK prefix is allowed only with some instructions */
3718 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
3719 rc = emulate_ud(ctxt);
3723 if ((c->d & SrcMask) == SrcMemFAddr && c->src.type != OP_MEM) {
3724 rc = emulate_ud(ctxt);
3729 && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)
3730 || !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
3731 rc = emulate_ud(ctxt);
3735 if ((c->d & Sse) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
3736 rc = emulate_nm(ctxt);
3740 if (unlikely(ctxt->guest_mode) && c->intercept) {
3741 rc = emulator_check_intercept(ctxt, c->intercept,
3742 X86_ICPT_PRE_EXCEPT);
3743 if (rc != X86EMUL_CONTINUE)
3747 /* Privileged instruction can be executed only in CPL=0 */
3748 if ((c->d & Priv) && ops->cpl(ctxt)) {
3749 rc = emulate_gp(ctxt, 0);
3753 /* Instruction can only be executed in protected mode */
3754 if ((c->d & Prot) && !(ctxt->mode & X86EMUL_MODE_PROT)) {
3755 rc = emulate_ud(ctxt);
3759 /* Do instruction specific permission checks */
3760 if (c->check_perm) {
3761 rc = c->check_perm(ctxt);
3762 if (rc != X86EMUL_CONTINUE)
3766 if (unlikely(ctxt->guest_mode) && c->intercept) {
3767 rc = emulator_check_intercept(ctxt, c->intercept,
3768 X86_ICPT_POST_EXCEPT);
3769 if (rc != X86EMUL_CONTINUE)
3773 if (c->rep_prefix && (c->d & String)) {
3774 /* All REP prefixes have the same first termination condition */
3775 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
3781 if ((c->src.type == OP_MEM) && !(c->d & NoAccess)) {
3782 rc = segmented_read(ctxt, c->src.addr.mem,
3783 c->src.valptr, c->src.bytes);
3784 if (rc != X86EMUL_CONTINUE)
3786 c->src.orig_val64 = c->src.val64;
3789 if (c->src2.type == OP_MEM) {
3790 rc = segmented_read(ctxt, c->src2.addr.mem,
3791 &c->src2.val, c->src2.bytes);
3792 if (rc != X86EMUL_CONTINUE)
3796 if ((c->d & DstMask) == ImplicitOps)
3800 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
3801 /* optimisation - avoid slow emulated read if Mov */
3802 rc = segmented_read(ctxt, c->dst.addr.mem,
3803 &c->dst.val, c->dst.bytes);
3804 if (rc != X86EMUL_CONTINUE)
3807 c->dst.orig_val = c->dst.val;
3811 if (unlikely(ctxt->guest_mode) && c->intercept) {
3812 rc = emulator_check_intercept(ctxt, c->intercept,
3813 X86_ICPT_POST_MEMACCESS);
3814 if (rc != X86EMUL_CONTINUE)
3819 rc = c->execute(ctxt);
3820 if (rc != X86EMUL_CONTINUE)
3829 case 0x06: /* push es */
3830 rc = emulate_push_sreg(ctxt, VCPU_SREG_ES);
3832 case 0x07: /* pop es */
3833 rc = emulate_pop_sreg(ctxt, VCPU_SREG_ES);
3835 case 0x0e: /* push cs */
3836 rc = emulate_push_sreg(ctxt, VCPU_SREG_CS);
3838 case 0x16: /* push ss */
3839 rc = emulate_push_sreg(ctxt, VCPU_SREG_SS);
3841 case 0x17: /* pop ss */
3842 rc = emulate_pop_sreg(ctxt, VCPU_SREG_SS);
3844 case 0x1e: /* push ds */
3845 rc = emulate_push_sreg(ctxt, VCPU_SREG_DS);
3847 case 0x1f: /* pop ds */
3848 rc = emulate_pop_sreg(ctxt, VCPU_SREG_DS);
3850 case 0x40 ... 0x47: /* inc r16/r32 */
3851 emulate_1op("inc", c->dst, ctxt->eflags);
3853 case 0x48 ... 0x4f: /* dec r16/r32 */
3854 emulate_1op("dec", c->dst, ctxt->eflags);
3856 case 0x63: /* movsxd */
3857 if (ctxt->mode != X86EMUL_MODE_PROT64)
3858 goto cannot_emulate;
3859 c->dst.val = (s32) c->src.val;
3861 case 0x6c: /* insb */
3862 case 0x6d: /* insw/insd */
3863 c->src.val = c->regs[VCPU_REGS_RDX];
3865 case 0x6e: /* outsb */
3866 case 0x6f: /* outsw/outsd */
3867 c->dst.val = c->regs[VCPU_REGS_RDX];
3870 case 0x70 ... 0x7f: /* jcc (short) */
3871 if (test_cc(c->b, ctxt->eflags))
3872 jmp_rel(c, c->src.val);
3876 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
3878 case 0x86 ... 0x87: /* xchg */
3880 /* Write back the register source. */
3881 c->src.val = c->dst.val;
3882 write_register_operand(&c->src);
3884 * Write back the memory destination with implicit LOCK
3887 c->dst.val = c->src.orig_val;
3890 case 0x8c: /* mov r/m, sreg */
3891 if (c->modrm_reg > VCPU_SREG_GS) {
3892 rc = emulate_ud(ctxt);
3895 c->dst.val = get_segment_selector(ctxt, c->modrm_reg);
3897 case 0x8d: /* lea r16/r32, m */
3898 c->dst.val = c->src.addr.mem.ea;
3900 case 0x8e: { /* mov seg, r/m16 */
3905 if (c->modrm_reg == VCPU_SREG_CS ||
3906 c->modrm_reg > VCPU_SREG_GS) {
3907 rc = emulate_ud(ctxt);
3911 if (c->modrm_reg == VCPU_SREG_SS)
3912 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3914 rc = load_segment_descriptor(ctxt, sel, c->modrm_reg);
3916 c->dst.type = OP_NONE; /* Disable writeback. */
3919 case 0x8f: /* pop (sole member of Grp1a) */
3920 rc = em_grp1a(ctxt);
3922 case 0x90 ... 0x97: /* nop / xchg reg, rax */
3923 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
3926 case 0x98: /* cbw/cwde/cdqe */
3927 switch (c->op_bytes) {
3928 case 2: c->dst.val = (s8)c->dst.val; break;
3929 case 4: c->dst.val = (s16)c->dst.val; break;
3930 case 8: c->dst.val = (s32)c->dst.val; break;
3933 case 0xa8 ... 0xa9: /* test ax, imm */
3938 case 0xc3: /* ret */
3939 c->dst.type = OP_REG;
3940 c->dst.addr.reg = &c->eip;
3941 c->dst.bytes = c->op_bytes;
3944 case 0xc4: /* les */
3945 rc = emulate_load_segment(ctxt, VCPU_SREG_ES);
3947 case 0xc5: /* lds */
3948 rc = emulate_load_segment(ctxt, VCPU_SREG_DS);
3950 case 0xcb: /* ret far */
3951 rc = em_ret_far(ctxt);
3953 case 0xcc: /* int3 */
3956 case 0xcd: /* int n */
3959 rc = emulate_int(ctxt, irq);
3961 case 0xce: /* into */
3962 if (ctxt->eflags & EFLG_OF) {
3967 case 0xcf: /* iret */
3970 case 0xd0 ... 0xd1: /* Grp2 */
3973 case 0xd2 ... 0xd3: /* Grp2 */
3974 c->src.val = c->regs[VCPU_REGS_RCX];
3977 case 0xe0 ... 0xe2: /* loop/loopz/loopnz */
3978 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3979 if (address_mask(c, c->regs[VCPU_REGS_RCX]) != 0 &&
3980 (c->b == 0xe2 || test_cc(c->b ^ 0x5, ctxt->eflags)))
3981 jmp_rel(c, c->src.val);
3983 case 0xe3: /* jcxz/jecxz/jrcxz */
3984 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0)
3985 jmp_rel(c, c->src.val);
3987 case 0xe4: /* inb */
3990 case 0xe6: /* outb */
3991 case 0xe7: /* out */
3993 case 0xe8: /* call (near) */ {
3994 long int rel = c->src.val;
3995 c->src.val = (unsigned long) c->eip;
4000 case 0xe9: /* jmp rel */
4002 case 0xea: /* jmp far */
4003 rc = em_jmp_far(ctxt);
4006 jmp: /* jmp rel short */
4007 jmp_rel(c, c->src.val);
4008 c->dst.type = OP_NONE; /* Disable writeback. */
4010 case 0xec: /* in al,dx */
4011 case 0xed: /* in (e/r)ax,dx */
4013 if (!pio_in_emulated(ctxt, c->dst.bytes, c->src.val,
4015 goto done; /* IO is needed */
4017 case 0xee: /* out dx,al */
4018 case 0xef: /* out dx,(e/r)ax */
4020 ops->pio_out_emulated(ctxt, c->src.bytes, c->dst.val,
4022 c->dst.type = OP_NONE; /* Disable writeback. */
4024 case 0xf4: /* hlt */
4025 ctxt->ops->halt(ctxt);
4027 case 0xf5: /* cmc */
4028 /* complement carry flag from eflags reg */
4029 ctxt->eflags ^= EFLG_CF;
4031 case 0xf6 ... 0xf7: /* Grp3 */
4034 case 0xf8: /* clc */
4035 ctxt->eflags &= ~EFLG_CF;
4037 case 0xf9: /* stc */
4038 ctxt->eflags |= EFLG_CF;
4040 case 0xfa: /* cli */
4041 if (emulator_bad_iopl(ctxt)) {
4042 rc = emulate_gp(ctxt, 0);
4045 ctxt->eflags &= ~X86_EFLAGS_IF;
4047 case 0xfb: /* sti */
4048 if (emulator_bad_iopl(ctxt)) {
4049 rc = emulate_gp(ctxt, 0);
4052 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
4053 ctxt->eflags |= X86_EFLAGS_IF;
4056 case 0xfc: /* cld */
4057 ctxt->eflags &= ~EFLG_DF;
4059 case 0xfd: /* std */
4060 ctxt->eflags |= EFLG_DF;
4062 case 0xfe: /* Grp4 */
4063 rc = em_grp45(ctxt);
4065 case 0xff: /* Grp5 */
4066 rc = em_grp45(ctxt);
4069 goto cannot_emulate;
4072 if (rc != X86EMUL_CONTINUE)
4076 rc = writeback(ctxt);
4077 if (rc != X86EMUL_CONTINUE)
4081 * restore dst type in case the decoding will be reused
4082 * (happens for string instruction )
4084 c->dst.type = saved_dst_type;
4086 if ((c->d & SrcMask) == SrcSI)
4087 string_addr_inc(ctxt, seg_override(ctxt, c),
4088 VCPU_REGS_RSI, &c->src);
4090 if ((c->d & DstMask) == DstDI)
4091 string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
4094 if (c->rep_prefix && (c->d & String)) {
4095 struct read_cache *r = &c->io_read;
4096 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
4098 if (!string_insn_completed(ctxt)) {
4100 * Re-enter guest when pio read ahead buffer is empty
4101 * or, if it is not used, after each 1024 iteration.
4103 if ((r->end != 0 || c->regs[VCPU_REGS_RCX] & 0x3ff) &&
4104 (r->end == 0 || r->end != r->pos)) {
4106 * Reset read cache. Usually happens before
4107 * decode, but since instruction is restarted
4108 * we have to do it here.
4110 c->mem_read.end = 0;
4111 return EMULATION_RESTART;
4113 goto done; /* skip rip writeback */
4120 if (rc == X86EMUL_PROPAGATE_FAULT)
4121 ctxt->have_exception = true;
4122 if (rc == X86EMUL_INTERCEPTED)
4123 return EMULATION_INTERCEPTED;
4125 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
4129 case 0x05: /* syscall */
4130 rc = em_syscall(ctxt);
4135 case 0x09: /* wbinvd */
4136 (ctxt->ops->wbinvd)(ctxt);
4138 case 0x08: /* invd */
4139 case 0x0d: /* GrpP (prefetch) */
4140 case 0x18: /* Grp16 (prefetch/nop) */
4142 case 0x20: /* mov cr, reg */
4143 c->dst.val = ops->get_cr(ctxt, c->modrm_reg);
4145 case 0x21: /* mov from dr to reg */
4146 ops->get_dr(ctxt, c->modrm_reg, &c->dst.val);
4148 case 0x22: /* mov reg, cr */
4149 if (ops->set_cr(ctxt, c->modrm_reg, c->src.val)) {
4150 emulate_gp(ctxt, 0);
4151 rc = X86EMUL_PROPAGATE_FAULT;
4154 c->dst.type = OP_NONE;
4156 case 0x23: /* mov from reg to dr */
4157 if (ops->set_dr(ctxt, c->modrm_reg, c->src.val &
4158 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
4159 ~0ULL : ~0U)) < 0) {
4160 /* #UD condition is already handled by the code above */
4161 emulate_gp(ctxt, 0);
4162 rc = X86EMUL_PROPAGATE_FAULT;
4166 c->dst.type = OP_NONE; /* no writeback */
4170 msr_data = (u32)c->regs[VCPU_REGS_RAX]
4171 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
4172 if (ops->set_msr(ctxt, c->regs[VCPU_REGS_RCX], msr_data)) {
4173 emulate_gp(ctxt, 0);
4174 rc = X86EMUL_PROPAGATE_FAULT;
4177 rc = X86EMUL_CONTINUE;
4181 if (ops->get_msr(ctxt, c->regs[VCPU_REGS_RCX], &msr_data)) {
4182 emulate_gp(ctxt, 0);
4183 rc = X86EMUL_PROPAGATE_FAULT;
4186 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
4187 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
4189 rc = X86EMUL_CONTINUE;
4191 case 0x34: /* sysenter */
4192 rc = em_sysenter(ctxt);
4194 case 0x35: /* sysexit */
4195 rc = em_sysexit(ctxt);
4197 case 0x40 ... 0x4f: /* cmov */
4198 c->dst.val = c->dst.orig_val = c->src.val;
4199 if (!test_cc(c->b, ctxt->eflags))
4200 c->dst.type = OP_NONE; /* no writeback */
4202 case 0x80 ... 0x8f: /* jnz rel, etc*/
4203 if (test_cc(c->b, ctxt->eflags))
4204 jmp_rel(c, c->src.val);
4206 case 0x90 ... 0x9f: /* setcc r/m8 */
4207 c->dst.val = test_cc(c->b, ctxt->eflags);
4209 case 0xa0: /* push fs */
4210 rc = emulate_push_sreg(ctxt, VCPU_SREG_FS);
4212 case 0xa1: /* pop fs */
4213 rc = emulate_pop_sreg(ctxt, VCPU_SREG_FS);
4217 c->dst.type = OP_NONE;
4218 /* only subword offset */
4219 c->src.val &= (c->dst.bytes << 3) - 1;
4220 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
4222 case 0xa4: /* shld imm8, r, r/m */
4223 case 0xa5: /* shld cl, r, r/m */
4224 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
4226 case 0xa8: /* push gs */
4227 rc = emulate_push_sreg(ctxt, VCPU_SREG_GS);
4229 case 0xa9: /* pop gs */
4230 rc = emulate_pop_sreg(ctxt, VCPU_SREG_GS);
4234 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
4236 case 0xac: /* shrd imm8, r, r/m */
4237 case 0xad: /* shrd cl, r, r/m */
4238 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
4240 case 0xae: /* clflush */
4242 case 0xb0 ... 0xb1: /* cmpxchg */
4244 * Save real source value, then compare EAX against
4247 c->src.orig_val = c->src.val;
4248 c->src.val = c->regs[VCPU_REGS_RAX];
4249 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
4250 if (ctxt->eflags & EFLG_ZF) {
4251 /* Success: write back to memory. */
4252 c->dst.val = c->src.orig_val;
4254 /* Failure: write the value we saw to EAX. */
4255 c->dst.type = OP_REG;
4256 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
4259 case 0xb2: /* lss */
4260 rc = emulate_load_segment(ctxt, VCPU_SREG_SS);
4264 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
4266 case 0xb4: /* lfs */
4267 rc = emulate_load_segment(ctxt, VCPU_SREG_FS);
4269 case 0xb5: /* lgs */
4270 rc = emulate_load_segment(ctxt, VCPU_SREG_GS);
4272 case 0xb6 ... 0xb7: /* movzx */
4273 c->dst.bytes = c->op_bytes;
4274 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
4277 case 0xba: /* Grp8 */
4278 switch (c->modrm_reg & 3) {
4291 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
4293 case 0xbc: { /* bsf */
4295 __asm__ ("bsf %2, %0; setz %1"
4296 : "=r"(c->dst.val), "=q"(zf)
4298 ctxt->eflags &= ~X86_EFLAGS_ZF;
4300 ctxt->eflags |= X86_EFLAGS_ZF;
4301 c->dst.type = OP_NONE; /* Disable writeback. */
4305 case 0xbd: { /* bsr */
4307 __asm__ ("bsr %2, %0; setz %1"
4308 : "=r"(c->dst.val), "=q"(zf)
4310 ctxt->eflags &= ~X86_EFLAGS_ZF;
4312 ctxt->eflags |= X86_EFLAGS_ZF;
4313 c->dst.type = OP_NONE; /* Disable writeback. */
4317 case 0xbe ... 0xbf: /* movsx */
4318 c->dst.bytes = c->op_bytes;
4319 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
4322 case 0xc0 ... 0xc1: /* xadd */
4323 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
4324 /* Write back the register source. */
4325 c->src.val = c->dst.orig_val;
4326 write_register_operand(&c->src);
4328 case 0xc3: /* movnti */
4329 c->dst.bytes = c->op_bytes;
4330 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
4333 case 0xc7: /* Grp9 (cmpxchg8b) */
4337 goto cannot_emulate;
4340 if (rc != X86EMUL_CONTINUE)
4346 return EMULATION_FAILED;
projects / firefly-linux-kernel-4.4.55.git / blob