1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
77 /* Destination is only written; never read. */
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
86 #define Undefined (1<<25) /* No Such Instruction */
87 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
88 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
90 /* Source 2 operand type */
91 #define Src2None (0<<29)
92 #define Src2CL (1<<29)
93 #define Src2ImmByte (2<<29)
94 #define Src2One (3<<29)
95 #define Src2Mask (7<<29)
98 #define X3(x...) X2(x), x
99 #define X4(x...) X2(x), X2(x)
100 #define X5(x...) X4(x), x
101 #define X6(x...) X4(x), X2(x)
102 #define X7(x...) X4(x), X3(x)
103 #define X8(x...) X4(x), X4(x)
104 #define X16(x...) X8(x), X8(x)
109 int (*execute)(struct x86_emulate_ctxt *ctxt);
110 struct opcode *group;
111 struct group_dual *gdual;
116 struct opcode mod012[8];
117 struct opcode mod3[8];
120 /* EFLAGS bit definitions. */
121 #define EFLG_ID (1<<21)
122 #define EFLG_VIP (1<<20)
123 #define EFLG_VIF (1<<19)
124 #define EFLG_AC (1<<18)
125 #define EFLG_VM (1<<17)
126 #define EFLG_RF (1<<16)
127 #define EFLG_IOPL (3<<12)
128 #define EFLG_NT (1<<14)
129 #define EFLG_OF (1<<11)
130 #define EFLG_DF (1<<10)
131 #define EFLG_IF (1<<9)
132 #define EFLG_TF (1<<8)
133 #define EFLG_SF (1<<7)
134 #define EFLG_ZF (1<<6)
135 #define EFLG_AF (1<<4)
136 #define EFLG_PF (1<<2)
137 #define EFLG_CF (1<<0)
139 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
140 #define EFLG_RESERVED_ONE_MASK 2
143 * Instruction emulation:
144 * Most instructions are emulated directly via a fragment of inline assembly
145 * code. This allows us to save/restore EFLAGS and thus very easily pick up
146 * any modified flags.
149 #if defined(CONFIG_X86_64)
150 #define _LO32 "k" /* force 32-bit operand */
151 #define _STK "%%rsp" /* stack pointer */
152 #elif defined(__i386__)
153 #define _LO32 "" /* force 32-bit operand */
154 #define _STK "%%esp" /* stack pointer */
158 * These EFLAGS bits are restored from saved value during emulation, and
159 * any changes are written back to the saved value after emulation.
161 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
163 /* Before executing instruction: restore necessary bits in EFLAGS. */
164 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
165 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
166 "movl %"_sav",%"_LO32 _tmp"; " \
169 "movl %"_msk",%"_LO32 _tmp"; " \
170 "andl %"_LO32 _tmp",("_STK"); " \
172 "notl %"_LO32 _tmp"; " \
173 "andl %"_LO32 _tmp",("_STK"); " \
174 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
176 "orl %"_LO32 _tmp",("_STK"); " \
180 /* After executing instruction: write-back necessary bits in EFLAGS. */
181 #define _POST_EFLAGS(_sav, _msk, _tmp) \
182 /* _sav |= EFLAGS & _msk; */ \
185 "andl %"_msk",%"_LO32 _tmp"; " \
186 "orl %"_LO32 _tmp",%"_sav"; "
194 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
196 __asm__ __volatile__ ( \
197 _PRE_EFLAGS("0", "4", "2") \
198 _op _suffix " %"_x"3,%1; " \
199 _POST_EFLAGS("0", "4", "2") \
200 : "=m" (_eflags), "=m" ((_dst).val), \
202 : _y ((_src).val), "i" (EFLAGS_MASK)); \
206 /* Raw emulation: instruction has two explicit operands. */
207 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
209 unsigned long _tmp; \
211 switch ((_dst).bytes) { \
213 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
216 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
219 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
224 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
226 unsigned long _tmp; \
227 switch ((_dst).bytes) { \
229 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
232 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
233 _wx, _wy, _lx, _ly, _qx, _qy); \
238 /* Source operand is byte-sized and may be restricted to just %cl. */
239 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
240 __emulate_2op(_op, _src, _dst, _eflags, \
241 "b", "c", "b", "c", "b", "c", "b", "c")
243 /* Source operand is byte, word, long or quad sized. */
244 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
245 __emulate_2op(_op, _src, _dst, _eflags, \
246 "b", "q", "w", "r", _LO32, "r", "", "r")
248 /* Source operand is word, long or quad sized. */
249 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
250 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
251 "w", "r", _LO32, "r", "", "r")
253 /* Instruction has three operands and one operand is stored in ECX register */
254 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
256 unsigned long _tmp; \
257 _type _clv = (_cl).val; \
258 _type _srcv = (_src).val; \
259 _type _dstv = (_dst).val; \
261 __asm__ __volatile__ ( \
262 _PRE_EFLAGS("0", "5", "2") \
263 _op _suffix " %4,%1 \n" \
264 _POST_EFLAGS("0", "5", "2") \
265 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
266 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
269 (_cl).val = (unsigned long) _clv; \
270 (_src).val = (unsigned long) _srcv; \
271 (_dst).val = (unsigned long) _dstv; \
274 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
276 switch ((_dst).bytes) { \
278 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
279 "w", unsigned short); \
282 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
283 "l", unsigned int); \
286 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
287 "q", unsigned long)); \
292 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
294 unsigned long _tmp; \
296 __asm__ __volatile__ ( \
297 _PRE_EFLAGS("0", "3", "2") \
298 _op _suffix " %1; " \
299 _POST_EFLAGS("0", "3", "2") \
300 : "=m" (_eflags), "+m" ((_dst).val), \
302 : "i" (EFLAGS_MASK)); \
305 /* Instruction has only one explicit operand (no source operand). */
306 #define emulate_1op(_op, _dst, _eflags) \
308 switch ((_dst).bytes) { \
309 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
310 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
311 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
312 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
316 /* Fetch next part of the instruction being emulated. */
317 #define insn_fetch(_type, _size, _eip) \
318 ({ unsigned long _x; \
319 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
320 if (rc != X86EMUL_CONTINUE) \
326 #define insn_fetch_arr(_arr, _size, _eip) \
327 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
328 if (rc != X86EMUL_CONTINUE) \
333 static inline unsigned long ad_mask(struct decode_cache *c)
335 return (1UL << (c->ad_bytes << 3)) - 1;
338 /* Access/update address held in a register, based on addressing mode. */
339 static inline unsigned long
340 address_mask(struct decode_cache *c, unsigned long reg)
342 if (c->ad_bytes == sizeof(unsigned long))
345 return reg & ad_mask(c);
348 static inline unsigned long
349 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
351 return base + address_mask(c, reg);
355 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
357 if (c->ad_bytes == sizeof(unsigned long))
360 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
363 static inline void jmp_rel(struct decode_cache *c, int rel)
365 register_address_increment(c, &c->eip, rel);
368 static void set_seg_override(struct decode_cache *c, int seg)
370 c->has_seg_override = true;
371 c->seg_override = seg;
374 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
375 struct x86_emulate_ops *ops, int seg)
377 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
380 return ops->get_cached_segment_base(seg, ctxt->vcpu);
383 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
384 struct x86_emulate_ops *ops,
385 struct decode_cache *c)
387 if (!c->has_seg_override)
390 return seg_base(ctxt, ops, c->seg_override);
393 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
394 struct x86_emulate_ops *ops)
396 return seg_base(ctxt, ops, VCPU_SREG_ES);
399 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
400 struct x86_emulate_ops *ops)
402 return seg_base(ctxt, ops, VCPU_SREG_SS);
405 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
406 u32 error, bool valid)
408 ctxt->exception = vec;
409 ctxt->error_code = error;
410 ctxt->error_code_valid = valid;
411 ctxt->restart = false;
414 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
416 emulate_exception(ctxt, GP_VECTOR, err, true);
419 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
423 emulate_exception(ctxt, PF_VECTOR, err, true);
426 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
428 emulate_exception(ctxt, UD_VECTOR, 0, false);
431 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
433 emulate_exception(ctxt, TS_VECTOR, err, true);
436 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
437 struct x86_emulate_ops *ops,
438 unsigned long eip, u8 *dest)
440 struct fetch_cache *fc = &ctxt->decode.fetch;
444 if (eip == fc->end) {
445 cur_size = fc->end - fc->start;
446 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
447 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
448 size, ctxt->vcpu, NULL);
449 if (rc != X86EMUL_CONTINUE)
453 *dest = fc->data[eip - fc->start];
454 return X86EMUL_CONTINUE;
457 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
458 struct x86_emulate_ops *ops,
459 unsigned long eip, void *dest, unsigned size)
463 /* x86 instructions are limited to 15 bytes. */
464 if (eip + size - ctxt->eip > 15)
465 return X86EMUL_UNHANDLEABLE;
467 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
468 if (rc != X86EMUL_CONTINUE)
471 return X86EMUL_CONTINUE;
475 * Given the 'reg' portion of a ModRM byte, and a register block, return a
476 * pointer into the block that addresses the relevant register.
477 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
479 static void *decode_register(u8 modrm_reg, unsigned long *regs,
484 p = ®s[modrm_reg];
485 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
486 p = (unsigned char *)®s[modrm_reg & 3] + 1;
490 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
491 struct x86_emulate_ops *ops,
493 u16 *size, unsigned long *address, int op_bytes)
500 rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
501 if (rc != X86EMUL_CONTINUE)
503 rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
507 static int test_cc(unsigned int condition, unsigned int flags)
511 switch ((condition & 15) >> 1) {
513 rc |= (flags & EFLG_OF);
515 case 1: /* b/c/nae */
516 rc |= (flags & EFLG_CF);
519 rc |= (flags & EFLG_ZF);
522 rc |= (flags & (EFLG_CF|EFLG_ZF));
525 rc |= (flags & EFLG_SF);
528 rc |= (flags & EFLG_PF);
531 rc |= (flags & EFLG_ZF);
534 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
538 /* Odd condition identifiers (lsb == 1) have inverted sense. */
539 return (!!rc ^ (condition & 1));
542 static void fetch_register_operand(struct operand *op)
546 op->val = *(u8 *)op->addr.reg;
549 op->val = *(u16 *)op->addr.reg;
552 op->val = *(u32 *)op->addr.reg;
555 op->val = *(u64 *)op->addr.reg;
560 static void decode_register_operand(struct operand *op,
561 struct decode_cache *c,
564 unsigned reg = c->modrm_reg;
565 int highbyte_regs = c->rex_prefix == 0;
568 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
570 if ((c->d & ByteOp) && !inhibit_bytereg) {
571 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
574 op->addr.reg = decode_register(reg, c->regs, 0);
575 op->bytes = c->op_bytes;
577 fetch_register_operand(op);
578 op->orig_val = op->val;
581 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
582 struct x86_emulate_ops *ops)
584 struct decode_cache *c = &ctxt->decode;
586 int index_reg = 0, base_reg = 0, scale;
587 int rc = X86EMUL_CONTINUE;
590 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
591 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
592 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
595 c->modrm = insn_fetch(u8, 1, c->eip);
596 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
597 c->modrm_reg |= (c->modrm & 0x38) >> 3;
598 c->modrm_rm |= (c->modrm & 0x07);
600 c->modrm_seg = VCPU_SREG_DS;
602 if (c->modrm_mod == 3) {
603 c->modrm_ptr = decode_register(c->modrm_rm,
604 c->regs, c->d & ByteOp);
605 c->modrm_val = *(unsigned long *)c->modrm_ptr;
609 if (c->ad_bytes == 2) {
610 unsigned bx = c->regs[VCPU_REGS_RBX];
611 unsigned bp = c->regs[VCPU_REGS_RBP];
612 unsigned si = c->regs[VCPU_REGS_RSI];
613 unsigned di = c->regs[VCPU_REGS_RDI];
615 /* 16-bit ModR/M decode. */
616 switch (c->modrm_mod) {
618 if (c->modrm_rm == 6)
619 c->modrm_ea += insn_fetch(u16, 2, c->eip);
622 c->modrm_ea += insn_fetch(s8, 1, c->eip);
625 c->modrm_ea += insn_fetch(u16, 2, c->eip);
628 switch (c->modrm_rm) {
630 c->modrm_ea += bx + si;
633 c->modrm_ea += bx + di;
636 c->modrm_ea += bp + si;
639 c->modrm_ea += bp + di;
648 if (c->modrm_mod != 0)
655 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
656 (c->modrm_rm == 6 && c->modrm_mod != 0))
657 c->modrm_seg = VCPU_SREG_SS;
658 c->modrm_ea = (u16)c->modrm_ea;
660 /* 32/64-bit ModR/M decode. */
661 if ((c->modrm_rm & 7) == 4) {
662 sib = insn_fetch(u8, 1, c->eip);
663 index_reg |= (sib >> 3) & 7;
667 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
668 c->modrm_ea += insn_fetch(s32, 4, c->eip);
670 c->modrm_ea += c->regs[base_reg];
672 c->modrm_ea += c->regs[index_reg] << scale;
673 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
674 if (ctxt->mode == X86EMUL_MODE_PROT64)
677 c->modrm_ea += c->regs[c->modrm_rm];
678 switch (c->modrm_mod) {
680 if (c->modrm_rm == 5)
681 c->modrm_ea += insn_fetch(s32, 4, c->eip);
684 c->modrm_ea += insn_fetch(s8, 1, c->eip);
687 c->modrm_ea += insn_fetch(s32, 4, c->eip);
695 static int decode_abs(struct x86_emulate_ctxt *ctxt,
696 struct x86_emulate_ops *ops)
698 struct decode_cache *c = &ctxt->decode;
699 int rc = X86EMUL_CONTINUE;
701 switch (c->ad_bytes) {
703 c->modrm_ea = insn_fetch(u16, 2, c->eip);
706 c->modrm_ea = insn_fetch(u32, 4, c->eip);
709 c->modrm_ea = insn_fetch(u64, 8, c->eip);
716 static int read_emulated(struct x86_emulate_ctxt *ctxt,
717 struct x86_emulate_ops *ops,
718 unsigned long addr, void *dest, unsigned size)
721 struct read_cache *mc = &ctxt->decode.mem_read;
725 int n = min(size, 8u);
727 if (mc->pos < mc->end)
730 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
732 if (rc == X86EMUL_PROPAGATE_FAULT)
733 emulate_pf(ctxt, addr, err);
734 if (rc != X86EMUL_CONTINUE)
739 memcpy(dest, mc->data + mc->pos, n);
744 return X86EMUL_CONTINUE;
747 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
748 struct x86_emulate_ops *ops,
749 unsigned int size, unsigned short port,
752 struct read_cache *rc = &ctxt->decode.io_read;
754 if (rc->pos == rc->end) { /* refill pio read ahead */
755 struct decode_cache *c = &ctxt->decode;
756 unsigned int in_page, n;
757 unsigned int count = c->rep_prefix ?
758 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
759 in_page = (ctxt->eflags & EFLG_DF) ?
760 offset_in_page(c->regs[VCPU_REGS_RDI]) :
761 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
762 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
766 rc->pos = rc->end = 0;
767 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
772 memcpy(dest, rc->data + rc->pos, size);
777 static u32 desc_limit_scaled(struct desc_struct *desc)
779 u32 limit = get_desc_limit(desc);
781 return desc->g ? (limit << 12) | 0xfff : limit;
784 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
785 struct x86_emulate_ops *ops,
786 u16 selector, struct desc_ptr *dt)
788 if (selector & 1 << 2) {
789 struct desc_struct desc;
790 memset (dt, 0, sizeof *dt);
791 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
794 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
795 dt->address = get_desc_base(&desc);
797 ops->get_gdt(dt, ctxt->vcpu);
800 /* allowed just for 8 bytes segments */
801 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
802 struct x86_emulate_ops *ops,
803 u16 selector, struct desc_struct *desc)
806 u16 index = selector >> 3;
811 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
813 if (dt.size < index * 8 + 7) {
814 emulate_gp(ctxt, selector & 0xfffc);
815 return X86EMUL_PROPAGATE_FAULT;
817 addr = dt.address + index * 8;
818 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
819 if (ret == X86EMUL_PROPAGATE_FAULT)
820 emulate_pf(ctxt, addr, err);
825 /* allowed just for 8 bytes segments */
826 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
827 struct x86_emulate_ops *ops,
828 u16 selector, struct desc_struct *desc)
831 u16 index = selector >> 3;
836 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
838 if (dt.size < index * 8 + 7) {
839 emulate_gp(ctxt, selector & 0xfffc);
840 return X86EMUL_PROPAGATE_FAULT;
843 addr = dt.address + index * 8;
844 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
845 if (ret == X86EMUL_PROPAGATE_FAULT)
846 emulate_pf(ctxt, addr, err);
851 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
852 struct x86_emulate_ops *ops,
853 u16 selector, int seg)
855 struct desc_struct seg_desc;
857 unsigned err_vec = GP_VECTOR;
859 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
862 memset(&seg_desc, 0, sizeof seg_desc);
864 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
865 || ctxt->mode == X86EMUL_MODE_REAL) {
866 /* set real mode segment descriptor */
867 set_desc_base(&seg_desc, selector << 4);
868 set_desc_limit(&seg_desc, 0xffff);
875 /* NULL selector is not valid for TR, CS and SS */
876 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
880 /* TR should be in GDT only */
881 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
884 if (null_selector) /* for NULL selector skip all following checks */
887 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
888 if (ret != X86EMUL_CONTINUE)
891 err_code = selector & 0xfffc;
894 /* can't load system descriptor into segment selecor */
895 if (seg <= VCPU_SREG_GS && !seg_desc.s)
899 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
905 cpl = ops->cpl(ctxt->vcpu);
910 * segment is not a writable data segment or segment
911 * selector's RPL != CPL or segment selector's RPL != CPL
913 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
917 if (!(seg_desc.type & 8))
920 if (seg_desc.type & 4) {
926 if (rpl > cpl || dpl != cpl)
930 selector = (selector & 0xfffc) | cpl;
933 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
937 if (seg_desc.s || seg_desc.type != 2)
940 default: /* DS, ES, FS, or GS */
942 * segment is not a data or readable code segment or
943 * ((segment is a data or nonconforming code segment)
944 * and (both RPL and CPL > DPL))
946 if ((seg_desc.type & 0xa) == 0x8 ||
947 (((seg_desc.type & 0xc) != 0xc) &&
948 (rpl > dpl && cpl > dpl)))
954 /* mark segment as accessed */
956 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
957 if (ret != X86EMUL_CONTINUE)
961 ops->set_segment_selector(selector, seg, ctxt->vcpu);
962 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
963 return X86EMUL_CONTINUE;
965 emulate_exception(ctxt, err_vec, err_code, true);
966 return X86EMUL_PROPAGATE_FAULT;
969 static inline int writeback(struct x86_emulate_ctxt *ctxt,
970 struct x86_emulate_ops *ops)
973 struct decode_cache *c = &ctxt->decode;
976 switch (c->dst.type) {
978 /* The 4-byte case *is* correct:
979 * in 64-bit mode we zero-extend.
981 switch (c->dst.bytes) {
983 *(u8 *)c->dst.addr.reg = (u8)c->dst.val;
986 *(u16 *)c->dst.addr.reg = (u16)c->dst.val;
989 *c->dst.addr.reg = (u32)c->dst.val;
990 break; /* 64b: zero-ext */
992 *c->dst.addr.reg = c->dst.val;
998 rc = ops->cmpxchg_emulated(
1006 rc = ops->write_emulated(
1012 if (rc == X86EMUL_PROPAGATE_FAULT)
1013 emulate_pf(ctxt, c->dst.addr.mem, err);
1014 if (rc != X86EMUL_CONTINUE)
1023 return X86EMUL_CONTINUE;
1026 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1027 struct x86_emulate_ops *ops)
1029 struct decode_cache *c = &ctxt->decode;
1031 c->dst.type = OP_MEM;
1032 c->dst.bytes = c->op_bytes;
1033 c->dst.val = c->src.val;
1034 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1035 c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
1036 c->regs[VCPU_REGS_RSP]);
1039 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1040 struct x86_emulate_ops *ops,
1041 void *dest, int len)
1043 struct decode_cache *c = &ctxt->decode;
1046 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1047 c->regs[VCPU_REGS_RSP]),
1049 if (rc != X86EMUL_CONTINUE)
1052 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1056 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1057 struct x86_emulate_ops *ops,
1058 void *dest, int len)
1061 unsigned long val, change_mask;
1062 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1063 int cpl = ops->cpl(ctxt->vcpu);
1065 rc = emulate_pop(ctxt, ops, &val, len);
1066 if (rc != X86EMUL_CONTINUE)
1069 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1070 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1072 switch(ctxt->mode) {
1073 case X86EMUL_MODE_PROT64:
1074 case X86EMUL_MODE_PROT32:
1075 case X86EMUL_MODE_PROT16:
1077 change_mask |= EFLG_IOPL;
1079 change_mask |= EFLG_IF;
1081 case X86EMUL_MODE_VM86:
1083 emulate_gp(ctxt, 0);
1084 return X86EMUL_PROPAGATE_FAULT;
1086 change_mask |= EFLG_IF;
1088 default: /* real mode */
1089 change_mask |= (EFLG_IOPL | EFLG_IF);
1093 *(unsigned long *)dest =
1094 (ctxt->eflags & ~change_mask) | (val & change_mask);
1099 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1100 struct x86_emulate_ops *ops, int seg)
1102 struct decode_cache *c = &ctxt->decode;
1104 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1106 emulate_push(ctxt, ops);
1109 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1110 struct x86_emulate_ops *ops, int seg)
1112 struct decode_cache *c = &ctxt->decode;
1113 unsigned long selector;
1116 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1117 if (rc != X86EMUL_CONTINUE)
1120 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1124 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1125 struct x86_emulate_ops *ops)
1127 struct decode_cache *c = &ctxt->decode;
1128 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1129 int rc = X86EMUL_CONTINUE;
1130 int reg = VCPU_REGS_RAX;
1132 while (reg <= VCPU_REGS_RDI) {
1133 (reg == VCPU_REGS_RSP) ?
1134 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1136 emulate_push(ctxt, ops);
1138 rc = writeback(ctxt, ops);
1139 if (rc != X86EMUL_CONTINUE)
1145 /* Disable writeback. */
1146 c->dst.type = OP_NONE;
1151 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1152 struct x86_emulate_ops *ops)
1154 struct decode_cache *c = &ctxt->decode;
1155 int rc = X86EMUL_CONTINUE;
1156 int reg = VCPU_REGS_RDI;
1158 while (reg >= VCPU_REGS_RAX) {
1159 if (reg == VCPU_REGS_RSP) {
1160 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1165 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1166 if (rc != X86EMUL_CONTINUE)
1173 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1174 struct x86_emulate_ops *ops)
1176 struct decode_cache *c = &ctxt->decode;
1177 int rc = X86EMUL_CONTINUE;
1178 unsigned long temp_eip = 0;
1179 unsigned long temp_eflags = 0;
1180 unsigned long cs = 0;
1181 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1182 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1183 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1184 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1186 /* TODO: Add stack limit check */
1188 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1190 if (rc != X86EMUL_CONTINUE)
1193 if (temp_eip & ~0xffff) {
1194 emulate_gp(ctxt, 0);
1195 return X86EMUL_PROPAGATE_FAULT;
1198 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1200 if (rc != X86EMUL_CONTINUE)
1203 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1205 if (rc != X86EMUL_CONTINUE)
1208 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1210 if (rc != X86EMUL_CONTINUE)
1216 if (c->op_bytes == 4)
1217 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1218 else if (c->op_bytes == 2) {
1219 ctxt->eflags &= ~0xffff;
1220 ctxt->eflags |= temp_eflags;
1223 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1224 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1229 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1230 struct x86_emulate_ops* ops)
1232 switch(ctxt->mode) {
1233 case X86EMUL_MODE_REAL:
1234 return emulate_iret_real(ctxt, ops);
1235 case X86EMUL_MODE_VM86:
1236 case X86EMUL_MODE_PROT16:
1237 case X86EMUL_MODE_PROT32:
1238 case X86EMUL_MODE_PROT64:
1240 /* iret from protected mode unimplemented yet */
1241 return X86EMUL_UNHANDLEABLE;
1245 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1246 struct x86_emulate_ops *ops)
1248 struct decode_cache *c = &ctxt->decode;
1250 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1253 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1255 struct decode_cache *c = &ctxt->decode;
1256 switch (c->modrm_reg) {
1258 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1261 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1264 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1267 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1269 case 4: /* sal/shl */
1270 case 6: /* sal/shl */
1271 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1274 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1277 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1282 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1283 struct x86_emulate_ops *ops)
1285 struct decode_cache *c = &ctxt->decode;
1287 switch (c->modrm_reg) {
1288 case 0 ... 1: /* test */
1289 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1292 c->dst.val = ~c->dst.val;
1295 emulate_1op("neg", c->dst, ctxt->eflags);
1303 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1304 struct x86_emulate_ops *ops)
1306 struct decode_cache *c = &ctxt->decode;
1308 switch (c->modrm_reg) {
1310 emulate_1op("inc", c->dst, ctxt->eflags);
1313 emulate_1op("dec", c->dst, ctxt->eflags);
1315 case 2: /* call near abs */ {
1318 c->eip = c->src.val;
1319 c->src.val = old_eip;
1320 emulate_push(ctxt, ops);
1323 case 4: /* jmp abs */
1324 c->eip = c->src.val;
1327 emulate_push(ctxt, ops);
1330 return X86EMUL_CONTINUE;
1333 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1334 struct x86_emulate_ops *ops)
1336 struct decode_cache *c = &ctxt->decode;
1337 u64 old = c->dst.orig_val64;
1339 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1340 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1341 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1342 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1343 ctxt->eflags &= ~EFLG_ZF;
1345 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1346 (u32) c->regs[VCPU_REGS_RBX];
1348 ctxt->eflags |= EFLG_ZF;
1350 return X86EMUL_CONTINUE;
1353 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1354 struct x86_emulate_ops *ops)
1356 struct decode_cache *c = &ctxt->decode;
1360 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1361 if (rc != X86EMUL_CONTINUE)
1363 if (c->op_bytes == 4)
1364 c->eip = (u32)c->eip;
1365 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1366 if (rc != X86EMUL_CONTINUE)
1368 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1373 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1374 struct x86_emulate_ops *ops, struct desc_struct *cs,
1375 struct desc_struct *ss)
1377 memset(cs, 0, sizeof(struct desc_struct));
1378 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1379 memset(ss, 0, sizeof(struct desc_struct));
1381 cs->l = 0; /* will be adjusted later */
1382 set_desc_base(cs, 0); /* flat segment */
1383 cs->g = 1; /* 4kb granularity */
1384 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1385 cs->type = 0x0b; /* Read, Execute, Accessed */
1387 cs->dpl = 0; /* will be adjusted later */
1391 set_desc_base(ss, 0); /* flat segment */
1392 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1393 ss->g = 1; /* 4kb granularity */
1395 ss->type = 0x03; /* Read/Write, Accessed */
1396 ss->d = 1; /* 32bit stack segment */
1402 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1404 struct decode_cache *c = &ctxt->decode;
1405 struct desc_struct cs, ss;
1409 /* syscall is not available in real mode */
1410 if (ctxt->mode == X86EMUL_MODE_REAL ||
1411 ctxt->mode == X86EMUL_MODE_VM86) {
1413 return X86EMUL_PROPAGATE_FAULT;
1416 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1418 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1420 cs_sel = (u16)(msr_data & 0xfffc);
1421 ss_sel = (u16)(msr_data + 8);
1423 if (is_long_mode(ctxt->vcpu)) {
1427 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1428 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1429 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1430 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1432 c->regs[VCPU_REGS_RCX] = c->eip;
1433 if (is_long_mode(ctxt->vcpu)) {
1434 #ifdef CONFIG_X86_64
1435 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1437 ops->get_msr(ctxt->vcpu,
1438 ctxt->mode == X86EMUL_MODE_PROT64 ?
1439 MSR_LSTAR : MSR_CSTAR, &msr_data);
1442 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1443 ctxt->eflags &= ~(msr_data | EFLG_RF);
1447 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1448 c->eip = (u32)msr_data;
1450 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1453 return X86EMUL_CONTINUE;
1457 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1459 struct decode_cache *c = &ctxt->decode;
1460 struct desc_struct cs, ss;
1464 /* inject #GP if in real mode */
1465 if (ctxt->mode == X86EMUL_MODE_REAL) {
1466 emulate_gp(ctxt, 0);
1467 return X86EMUL_PROPAGATE_FAULT;
1470 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1471 * Therefore, we inject an #UD.
1473 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1475 return X86EMUL_PROPAGATE_FAULT;
1478 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1480 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1481 switch (ctxt->mode) {
1482 case X86EMUL_MODE_PROT32:
1483 if ((msr_data & 0xfffc) == 0x0) {
1484 emulate_gp(ctxt, 0);
1485 return X86EMUL_PROPAGATE_FAULT;
1488 case X86EMUL_MODE_PROT64:
1489 if (msr_data == 0x0) {
1490 emulate_gp(ctxt, 0);
1491 return X86EMUL_PROPAGATE_FAULT;
1496 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1497 cs_sel = (u16)msr_data;
1498 cs_sel &= ~SELECTOR_RPL_MASK;
1499 ss_sel = cs_sel + 8;
1500 ss_sel &= ~SELECTOR_RPL_MASK;
1501 if (ctxt->mode == X86EMUL_MODE_PROT64
1502 || is_long_mode(ctxt->vcpu)) {
1507 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1508 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1509 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1510 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1512 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1515 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1516 c->regs[VCPU_REGS_RSP] = msr_data;
1518 return X86EMUL_CONTINUE;
1522 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1524 struct decode_cache *c = &ctxt->decode;
1525 struct desc_struct cs, ss;
1530 /* inject #GP if in real mode or Virtual 8086 mode */
1531 if (ctxt->mode == X86EMUL_MODE_REAL ||
1532 ctxt->mode == X86EMUL_MODE_VM86) {
1533 emulate_gp(ctxt, 0);
1534 return X86EMUL_PROPAGATE_FAULT;
1537 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1539 if ((c->rex_prefix & 0x8) != 0x0)
1540 usermode = X86EMUL_MODE_PROT64;
1542 usermode = X86EMUL_MODE_PROT32;
1546 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1548 case X86EMUL_MODE_PROT32:
1549 cs_sel = (u16)(msr_data + 16);
1550 if ((msr_data & 0xfffc) == 0x0) {
1551 emulate_gp(ctxt, 0);
1552 return X86EMUL_PROPAGATE_FAULT;
1554 ss_sel = (u16)(msr_data + 24);
1556 case X86EMUL_MODE_PROT64:
1557 cs_sel = (u16)(msr_data + 32);
1558 if (msr_data == 0x0) {
1559 emulate_gp(ctxt, 0);
1560 return X86EMUL_PROPAGATE_FAULT;
1562 ss_sel = cs_sel + 8;
1567 cs_sel |= SELECTOR_RPL_MASK;
1568 ss_sel |= SELECTOR_RPL_MASK;
1570 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1571 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1572 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1573 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1575 c->eip = c->regs[VCPU_REGS_RDX];
1576 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1578 return X86EMUL_CONTINUE;
1581 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1582 struct x86_emulate_ops *ops)
1585 if (ctxt->mode == X86EMUL_MODE_REAL)
1587 if (ctxt->mode == X86EMUL_MODE_VM86)
1589 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1590 return ops->cpl(ctxt->vcpu) > iopl;
1593 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1594 struct x86_emulate_ops *ops,
1597 struct desc_struct tr_seg;
1600 u8 perm, bit_idx = port & 0x7;
1601 unsigned mask = (1 << len) - 1;
1603 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1606 if (desc_limit_scaled(&tr_seg) < 103)
1608 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1610 if (r != X86EMUL_CONTINUE)
1612 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1614 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1615 &perm, 1, ctxt->vcpu, NULL);
1616 if (r != X86EMUL_CONTINUE)
1618 if ((perm >> bit_idx) & mask)
1623 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1624 struct x86_emulate_ops *ops,
1630 if (emulator_bad_iopl(ctxt, ops))
1631 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1634 ctxt->perm_ok = true;
1639 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1640 struct x86_emulate_ops *ops,
1641 struct tss_segment_16 *tss)
1643 struct decode_cache *c = &ctxt->decode;
1646 tss->flag = ctxt->eflags;
1647 tss->ax = c->regs[VCPU_REGS_RAX];
1648 tss->cx = c->regs[VCPU_REGS_RCX];
1649 tss->dx = c->regs[VCPU_REGS_RDX];
1650 tss->bx = c->regs[VCPU_REGS_RBX];
1651 tss->sp = c->regs[VCPU_REGS_RSP];
1652 tss->bp = c->regs[VCPU_REGS_RBP];
1653 tss->si = c->regs[VCPU_REGS_RSI];
1654 tss->di = c->regs[VCPU_REGS_RDI];
1656 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1657 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1658 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1659 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1660 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1663 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1664 struct x86_emulate_ops *ops,
1665 struct tss_segment_16 *tss)
1667 struct decode_cache *c = &ctxt->decode;
1671 ctxt->eflags = tss->flag | 2;
1672 c->regs[VCPU_REGS_RAX] = tss->ax;
1673 c->regs[VCPU_REGS_RCX] = tss->cx;
1674 c->regs[VCPU_REGS_RDX] = tss->dx;
1675 c->regs[VCPU_REGS_RBX] = tss->bx;
1676 c->regs[VCPU_REGS_RSP] = tss->sp;
1677 c->regs[VCPU_REGS_RBP] = tss->bp;
1678 c->regs[VCPU_REGS_RSI] = tss->si;
1679 c->regs[VCPU_REGS_RDI] = tss->di;
1682 * SDM says that segment selectors are loaded before segment
1685 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1686 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1687 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1688 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1689 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1692 * Now load segment descriptors. If fault happenes at this stage
1693 * it is handled in a context of new task
1695 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1696 if (ret != X86EMUL_CONTINUE)
1698 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1699 if (ret != X86EMUL_CONTINUE)
1701 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1702 if (ret != X86EMUL_CONTINUE)
1704 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1705 if (ret != X86EMUL_CONTINUE)
1707 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1708 if (ret != X86EMUL_CONTINUE)
1711 return X86EMUL_CONTINUE;
1714 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1715 struct x86_emulate_ops *ops,
1716 u16 tss_selector, u16 old_tss_sel,
1717 ulong old_tss_base, struct desc_struct *new_desc)
1719 struct tss_segment_16 tss_seg;
1721 u32 err, new_tss_base = get_desc_base(new_desc);
1723 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1725 if (ret == X86EMUL_PROPAGATE_FAULT) {
1726 /* FIXME: need to provide precise fault address */
1727 emulate_pf(ctxt, old_tss_base, err);
1731 save_state_to_tss16(ctxt, ops, &tss_seg);
1733 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1735 if (ret == X86EMUL_PROPAGATE_FAULT) {
1736 /* FIXME: need to provide precise fault address */
1737 emulate_pf(ctxt, old_tss_base, err);
1741 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1743 if (ret == X86EMUL_PROPAGATE_FAULT) {
1744 /* FIXME: need to provide precise fault address */
1745 emulate_pf(ctxt, new_tss_base, err);
1749 if (old_tss_sel != 0xffff) {
1750 tss_seg.prev_task_link = old_tss_sel;
1752 ret = ops->write_std(new_tss_base,
1753 &tss_seg.prev_task_link,
1754 sizeof tss_seg.prev_task_link,
1756 if (ret == X86EMUL_PROPAGATE_FAULT) {
1757 /* FIXME: need to provide precise fault address */
1758 emulate_pf(ctxt, new_tss_base, err);
1763 return load_state_from_tss16(ctxt, ops, &tss_seg);
1766 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1767 struct x86_emulate_ops *ops,
1768 struct tss_segment_32 *tss)
1770 struct decode_cache *c = &ctxt->decode;
1772 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
1774 tss->eflags = ctxt->eflags;
1775 tss->eax = c->regs[VCPU_REGS_RAX];
1776 tss->ecx = c->regs[VCPU_REGS_RCX];
1777 tss->edx = c->regs[VCPU_REGS_RDX];
1778 tss->ebx = c->regs[VCPU_REGS_RBX];
1779 tss->esp = c->regs[VCPU_REGS_RSP];
1780 tss->ebp = c->regs[VCPU_REGS_RBP];
1781 tss->esi = c->regs[VCPU_REGS_RSI];
1782 tss->edi = c->regs[VCPU_REGS_RDI];
1784 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1785 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1786 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1787 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1788 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
1789 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
1790 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1793 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1794 struct x86_emulate_ops *ops,
1795 struct tss_segment_32 *tss)
1797 struct decode_cache *c = &ctxt->decode;
1800 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
1801 emulate_gp(ctxt, 0);
1802 return X86EMUL_PROPAGATE_FAULT;
1805 ctxt->eflags = tss->eflags | 2;
1806 c->regs[VCPU_REGS_RAX] = tss->eax;
1807 c->regs[VCPU_REGS_RCX] = tss->ecx;
1808 c->regs[VCPU_REGS_RDX] = tss->edx;
1809 c->regs[VCPU_REGS_RBX] = tss->ebx;
1810 c->regs[VCPU_REGS_RSP] = tss->esp;
1811 c->regs[VCPU_REGS_RBP] = tss->ebp;
1812 c->regs[VCPU_REGS_RSI] = tss->esi;
1813 c->regs[VCPU_REGS_RDI] = tss->edi;
1816 * SDM says that segment selectors are loaded before segment
1819 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
1820 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1821 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1822 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1823 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1824 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
1825 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
1828 * Now load segment descriptors. If fault happenes at this stage
1829 * it is handled in a context of new task
1831 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
1832 if (ret != X86EMUL_CONTINUE)
1834 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1835 if (ret != X86EMUL_CONTINUE)
1837 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1838 if (ret != X86EMUL_CONTINUE)
1840 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1841 if (ret != X86EMUL_CONTINUE)
1843 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1844 if (ret != X86EMUL_CONTINUE)
1846 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
1847 if (ret != X86EMUL_CONTINUE)
1849 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
1850 if (ret != X86EMUL_CONTINUE)
1853 return X86EMUL_CONTINUE;
1856 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
1857 struct x86_emulate_ops *ops,
1858 u16 tss_selector, u16 old_tss_sel,
1859 ulong old_tss_base, struct desc_struct *new_desc)
1861 struct tss_segment_32 tss_seg;
1863 u32 err, new_tss_base = get_desc_base(new_desc);
1865 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1867 if (ret == X86EMUL_PROPAGATE_FAULT) {
1868 /* FIXME: need to provide precise fault address */
1869 emulate_pf(ctxt, old_tss_base, err);
1873 save_state_to_tss32(ctxt, ops, &tss_seg);
1875 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1877 if (ret == X86EMUL_PROPAGATE_FAULT) {
1878 /* FIXME: need to provide precise fault address */
1879 emulate_pf(ctxt, old_tss_base, err);
1883 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1885 if (ret == X86EMUL_PROPAGATE_FAULT) {
1886 /* FIXME: need to provide precise fault address */
1887 emulate_pf(ctxt, new_tss_base, err);
1891 if (old_tss_sel != 0xffff) {
1892 tss_seg.prev_task_link = old_tss_sel;
1894 ret = ops->write_std(new_tss_base,
1895 &tss_seg.prev_task_link,
1896 sizeof tss_seg.prev_task_link,
1898 if (ret == X86EMUL_PROPAGATE_FAULT) {
1899 /* FIXME: need to provide precise fault address */
1900 emulate_pf(ctxt, new_tss_base, err);
1905 return load_state_from_tss32(ctxt, ops, &tss_seg);
1908 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
1909 struct x86_emulate_ops *ops,
1910 u16 tss_selector, int reason,
1911 bool has_error_code, u32 error_code)
1913 struct desc_struct curr_tss_desc, next_tss_desc;
1915 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
1916 ulong old_tss_base =
1917 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
1920 /* FIXME: old_tss_base == ~0 ? */
1922 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
1923 if (ret != X86EMUL_CONTINUE)
1925 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
1926 if (ret != X86EMUL_CONTINUE)
1929 /* FIXME: check that next_tss_desc is tss */
1931 if (reason != TASK_SWITCH_IRET) {
1932 if ((tss_selector & 3) > next_tss_desc.dpl ||
1933 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
1934 emulate_gp(ctxt, 0);
1935 return X86EMUL_PROPAGATE_FAULT;
1939 desc_limit = desc_limit_scaled(&next_tss_desc);
1940 if (!next_tss_desc.p ||
1941 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
1942 desc_limit < 0x2b)) {
1943 emulate_ts(ctxt, tss_selector & 0xfffc);
1944 return X86EMUL_PROPAGATE_FAULT;
1947 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
1948 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
1949 write_segment_descriptor(ctxt, ops, old_tss_sel,
1953 if (reason == TASK_SWITCH_IRET)
1954 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
1956 /* set back link to prev task only if NT bit is set in eflags
1957 note that old_tss_sel is not used afetr this point */
1958 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
1959 old_tss_sel = 0xffff;
1961 if (next_tss_desc.type & 8)
1962 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
1963 old_tss_base, &next_tss_desc);
1965 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
1966 old_tss_base, &next_tss_desc);
1967 if (ret != X86EMUL_CONTINUE)
1970 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
1971 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
1973 if (reason != TASK_SWITCH_IRET) {
1974 next_tss_desc.type |= (1 << 1); /* set busy flag */
1975 write_segment_descriptor(ctxt, ops, tss_selector,
1979 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
1980 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
1981 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
1983 if (has_error_code) {
1984 struct decode_cache *c = &ctxt->decode;
1986 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
1988 c->src.val = (unsigned long) error_code;
1989 emulate_push(ctxt, ops);
1995 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
1996 u16 tss_selector, int reason,
1997 bool has_error_code, u32 error_code)
1999 struct x86_emulate_ops *ops = ctxt->ops;
2000 struct decode_cache *c = &ctxt->decode;
2004 c->dst.type = OP_NONE;
2006 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2007 has_error_code, error_code);
2009 if (rc == X86EMUL_CONTINUE) {
2010 rc = writeback(ctxt, ops);
2011 if (rc == X86EMUL_CONTINUE)
2015 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2018 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2019 int reg, struct operand *op)
2021 struct decode_cache *c = &ctxt->decode;
2022 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2024 register_address_increment(c, &c->regs[reg], df * op->bytes);
2025 op->addr.mem = register_address(c, base, c->regs[reg]);
2028 static int em_push(struct x86_emulate_ctxt *ctxt)
2030 emulate_push(ctxt, ctxt->ops);
2031 return X86EMUL_CONTINUE;
2034 #define D(_y) { .flags = (_y) }
2036 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2037 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2038 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2040 static struct opcode group1[] = {
2044 static struct opcode group1A[] = {
2045 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2048 static struct opcode group3[] = {
2049 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2050 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2054 static struct opcode group4[] = {
2055 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2059 static struct opcode group5[] = {
2060 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2061 D(SrcMem | ModRM | Stack), N,
2062 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2063 D(SrcMem | ModRM | Stack), N,
2066 static struct group_dual group7 = { {
2067 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2068 D(SrcNone | ModRM | DstMem | Mov), N,
2069 D(SrcMem16 | ModRM | Mov | Priv), D(SrcMem | ModRM | ByteOp | Priv),
2071 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
2072 D(SrcNone | ModRM | DstMem | Mov), N,
2073 D(SrcMem16 | ModRM | Mov | Priv), N,
2076 static struct opcode group8[] = {
2078 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2079 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2082 static struct group_dual group9 = { {
2083 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2085 N, N, N, N, N, N, N, N,
2088 static struct opcode opcode_table[256] = {
2090 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2091 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2092 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2093 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2095 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2096 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2097 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2098 D(ImplicitOps | Stack | No64), N,
2100 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2101 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2102 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2103 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2105 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2106 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2107 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2108 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2110 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2111 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2112 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2114 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2115 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2116 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2118 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2119 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2120 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2122 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2123 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2124 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2129 X8(I(SrcReg | Stack, em_push)),
2131 X8(D(DstReg | Stack)),
2133 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2134 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2137 I(SrcImm | Mov | Stack, em_push), N,
2138 I(SrcImmByte | Mov | Stack, em_push), N,
2139 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
2140 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2144 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2145 G(DstMem | SrcImm | ModRM | Group, group1),
2146 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2147 G(DstMem | SrcImmByte | ModRM | Group, group1),
2148 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2149 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2151 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
2152 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
2153 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | DstReg),
2154 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2156 X8(D(SrcAcc | DstReg)),
2158 N, N, D(SrcImmFAddr | No64), N,
2159 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2161 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
2162 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
2163 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
2164 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
2166 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
2167 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
2168 D(ByteOp | DstDI | String), D(DstDI | String),
2170 X8(D(ByteOp | DstReg | SrcImm | Mov)),
2172 X8(D(DstReg | SrcImm | Mov)),
2174 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
2175 N, D(ImplicitOps | Stack), N, N,
2176 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
2178 N, N, N, D(ImplicitOps | Stack),
2179 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2181 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
2182 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
2185 N, N, N, N, N, N, N, N,
2188 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2189 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2191 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2192 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2193 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2194 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2197 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2199 D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
2200 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2203 static struct opcode twobyte_table[256] = {
2205 N, GD(0, &group7), N, N,
2206 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
2207 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
2208 N, D(ImplicitOps | ModRM), N, N,
2210 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2212 D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
2213 D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
2215 N, N, N, N, N, N, N, N,
2217 D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
2218 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
2219 N, N, N, N, N, N, N, N,
2221 X16(D(DstReg | SrcMem | ModRM | Mov)),
2223 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2225 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2227 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2231 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2233 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2234 N, D(DstMem | SrcReg | ModRM | BitOp),
2235 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2236 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2238 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2239 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2240 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2241 D(DstMem | SrcReg | Src2CL | ModRM),
2244 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2245 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2246 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
2247 D(DstReg | SrcMem16 | ModRM | Mov),
2250 G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2251 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
2252 D(DstReg | SrcMem16 | ModRM | Mov),
2254 N, N, N, D(DstMem | SrcReg | ModRM | Mov),
2255 N, N, N, GD(0, &group9),
2256 N, N, N, N, N, N, N, N,
2258 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2260 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2262 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2272 x86_decode_insn(struct x86_emulate_ctxt *ctxt)
2274 struct x86_emulate_ops *ops = ctxt->ops;
2275 struct decode_cache *c = &ctxt->decode;
2276 int rc = X86EMUL_CONTINUE;
2277 int mode = ctxt->mode;
2278 int def_op_bytes, def_ad_bytes, dual, goffset;
2279 struct opcode opcode, *g_mod012, *g_mod3;
2281 /* we cannot decode insn before we complete previous rep insn */
2282 WARN_ON(ctxt->restart);
2285 c->fetch.start = c->fetch.end = c->eip;
2286 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2289 case X86EMUL_MODE_REAL:
2290 case X86EMUL_MODE_VM86:
2291 case X86EMUL_MODE_PROT16:
2292 def_op_bytes = def_ad_bytes = 2;
2294 case X86EMUL_MODE_PROT32:
2295 def_op_bytes = def_ad_bytes = 4;
2297 #ifdef CONFIG_X86_64
2298 case X86EMUL_MODE_PROT64:
2307 c->op_bytes = def_op_bytes;
2308 c->ad_bytes = def_ad_bytes;
2310 /* Legacy prefixes. */
2312 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2313 case 0x66: /* operand-size override */
2314 /* switch between 2/4 bytes */
2315 c->op_bytes = def_op_bytes ^ 6;
2317 case 0x67: /* address-size override */
2318 if (mode == X86EMUL_MODE_PROT64)
2319 /* switch between 4/8 bytes */
2320 c->ad_bytes = def_ad_bytes ^ 12;
2322 /* switch between 2/4 bytes */
2323 c->ad_bytes = def_ad_bytes ^ 6;
2325 case 0x26: /* ES override */
2326 case 0x2e: /* CS override */
2327 case 0x36: /* SS override */
2328 case 0x3e: /* DS override */
2329 set_seg_override(c, (c->b >> 3) & 3);
2331 case 0x64: /* FS override */
2332 case 0x65: /* GS override */
2333 set_seg_override(c, c->b & 7);
2335 case 0x40 ... 0x4f: /* REX */
2336 if (mode != X86EMUL_MODE_PROT64)
2338 c->rex_prefix = c->b;
2340 case 0xf0: /* LOCK */
2343 case 0xf2: /* REPNE/REPNZ */
2344 c->rep_prefix = REPNE_PREFIX;
2346 case 0xf3: /* REP/REPE/REPZ */
2347 c->rep_prefix = REPE_PREFIX;
2353 /* Any legacy prefix after a REX prefix nullifies its effect. */
2362 if (c->rex_prefix & 8)
2363 c->op_bytes = 8; /* REX.W */
2365 /* Opcode byte(s). */
2366 opcode = opcode_table[c->b];
2367 if (opcode.flags == 0) {
2368 /* Two-byte opcode? */
2371 c->b = insn_fetch(u8, 1, c->eip);
2372 opcode = twobyte_table[c->b];
2375 c->d = opcode.flags;
2378 dual = c->d & GroupDual;
2379 c->modrm = insn_fetch(u8, 1, c->eip);
2382 if (c->d & GroupDual) {
2383 g_mod012 = opcode.u.gdual->mod012;
2384 g_mod3 = opcode.u.gdual->mod3;
2386 g_mod012 = g_mod3 = opcode.u.group;
2388 c->d &= ~(Group | GroupDual);
2390 goffset = (c->modrm >> 3) & 7;
2392 if ((c->modrm >> 6) == 3)
2393 opcode = g_mod3[goffset];
2395 opcode = g_mod012[goffset];
2396 c->d |= opcode.flags;
2399 c->execute = opcode.u.execute;
2402 if (c->d == 0 || (c->d & Undefined)) {
2403 DPRINTF("Cannot emulate %02x\n", c->b);
2407 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2410 /* ModRM and SIB bytes. */
2412 rc = decode_modrm(ctxt, ops);
2413 if (!c->has_seg_override)
2414 set_seg_override(c, c->modrm_seg);
2415 } else if (c->d & MemAbs)
2416 rc = decode_abs(ctxt, ops);
2417 if (rc != X86EMUL_CONTINUE)
2420 if (!c->has_seg_override)
2421 set_seg_override(c, VCPU_SREG_DS);
2423 if (!(!c->twobyte && c->b == 0x8d))
2424 c->modrm_ea += seg_override_base(ctxt, ops, c);
2426 if (c->ad_bytes != 8)
2427 c->modrm_ea = (u32)c->modrm_ea;
2429 if (c->rip_relative)
2430 c->modrm_ea += c->eip;
2433 * Decode and fetch the source operand: register, memory
2436 switch (c->d & SrcMask) {
2440 decode_register_operand(&c->src, c, 0);
2449 c->src.bytes = (c->d & ByteOp) ? 1 :
2451 /* Don't fetch the address for invlpg: it could be unmapped. */
2452 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
2456 * For instructions with a ModR/M byte, switch to register
2457 * access if Mod = 3.
2459 if ((c->d & ModRM) && c->modrm_mod == 3) {
2460 c->src.type = OP_REG;
2461 c->src.val = c->modrm_val;
2462 c->src.addr.reg = c->modrm_ptr;
2465 c->src.type = OP_MEM;
2466 c->src.addr.mem = c->modrm_ea;
2471 c->src.type = OP_IMM;
2472 c->src.addr.mem = c->eip;
2473 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2474 if (c->src.bytes == 8)
2476 /* NB. Immediates are sign-extended as necessary. */
2477 switch (c->src.bytes) {
2479 c->src.val = insn_fetch(s8, 1, c->eip);
2482 c->src.val = insn_fetch(s16, 2, c->eip);
2485 c->src.val = insn_fetch(s32, 4, c->eip);
2488 if ((c->d & SrcMask) == SrcImmU) {
2489 switch (c->src.bytes) {
2494 c->src.val &= 0xffff;
2497 c->src.val &= 0xffffffff;
2504 c->src.type = OP_IMM;
2505 c->src.addr.mem = c->eip;
2507 if ((c->d & SrcMask) == SrcImmByte)
2508 c->src.val = insn_fetch(s8, 1, c->eip);
2510 c->src.val = insn_fetch(u8, 1, c->eip);
2513 c->src.type = OP_REG;
2514 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2515 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2516 fetch_register_operand(&c->src);
2523 c->src.type = OP_MEM;
2524 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2526 register_address(c, seg_override_base(ctxt, ops, c),
2527 c->regs[VCPU_REGS_RSI]);
2531 c->src.type = OP_IMM;
2532 c->src.addr.mem = c->eip;
2533 c->src.bytes = c->op_bytes + 2;
2534 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2537 c->src.type = OP_MEM;
2538 c->src.addr.mem = c->modrm_ea;
2539 c->src.bytes = c->op_bytes + 2;
2544 * Decode and fetch the second source operand: register, memory
2547 switch (c->d & Src2Mask) {
2552 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2555 c->src2.type = OP_IMM;
2556 c->src2.addr.mem = c->eip;
2558 c->src2.val = insn_fetch(u8, 1, c->eip);
2566 /* Decode and fetch the destination operand: register or memory. */
2567 switch (c->d & DstMask) {
2569 /* Special instructions do their own operand decoding. */
2572 decode_register_operand(&c->dst, c,
2573 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2577 if ((c->d & ModRM) && c->modrm_mod == 3) {
2578 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2579 c->dst.type = OP_REG;
2580 c->dst.val = c->dst.orig_val = c->modrm_val;
2581 c->dst.addr.reg = c->modrm_ptr;
2584 c->dst.type = OP_MEM;
2585 c->dst.addr.mem = c->modrm_ea;
2586 if ((c->d & DstMask) == DstMem64)
2589 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2592 unsigned long mask = ~(c->dst.bytes * 8 - 1);
2594 c->dst.addr.mem = c->dst.addr.mem +
2595 (c->src.val & mask) / 8;
2599 c->dst.type = OP_REG;
2600 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2601 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
2602 fetch_register_operand(&c->dst);
2603 c->dst.orig_val = c->dst.val;
2606 c->dst.type = OP_MEM;
2607 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2609 register_address(c, es_base(ctxt, ops),
2610 c->regs[VCPU_REGS_RDI]);
2616 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2620 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2622 struct x86_emulate_ops *ops = ctxt->ops;
2624 struct decode_cache *c = &ctxt->decode;
2625 int rc = X86EMUL_CONTINUE;
2626 int saved_dst_type = c->dst.type;
2628 ctxt->decode.mem_read.pos = 0;
2630 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2635 /* LOCK prefix is allowed only with some instructions */
2636 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2641 /* Privileged instruction can be executed only in CPL=0 */
2642 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2643 emulate_gp(ctxt, 0);
2647 if (c->rep_prefix && (c->d & String)) {
2648 ctxt->restart = true;
2649 /* All REP prefixes have the same first termination condition */
2650 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2652 ctxt->restart = false;
2656 /* The second termination condition only applies for REPE
2657 * and REPNE. Test if the repeat string operation prefix is
2658 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2659 * corresponding termination condition according to:
2660 * - if REPE/REPZ and ZF = 0 then done
2661 * - if REPNE/REPNZ and ZF = 1 then done
2663 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2664 (c->b == 0xae) || (c->b == 0xaf)) {
2665 if ((c->rep_prefix == REPE_PREFIX) &&
2666 ((ctxt->eflags & EFLG_ZF) == 0))
2668 if ((c->rep_prefix == REPNE_PREFIX) &&
2669 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2675 if (c->src.type == OP_MEM) {
2676 rc = read_emulated(ctxt, ops, c->src.addr.mem,
2677 c->src.valptr, c->src.bytes);
2678 if (rc != X86EMUL_CONTINUE)
2680 c->src.orig_val64 = c->src.val64;
2683 if (c->src2.type == OP_MEM) {
2684 rc = read_emulated(ctxt, ops, c->src2.addr.mem,
2685 &c->src2.val, c->src2.bytes);
2686 if (rc != X86EMUL_CONTINUE)
2690 if ((c->d & DstMask) == ImplicitOps)
2694 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2695 /* optimisation - avoid slow emulated read if Mov */
2696 rc = read_emulated(ctxt, ops, c->dst.addr.mem,
2697 &c->dst.val, c->dst.bytes);
2698 if (rc != X86EMUL_CONTINUE)
2701 c->dst.orig_val = c->dst.val;
2706 rc = c->execute(ctxt);
2707 if (rc != X86EMUL_CONTINUE)
2718 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2720 case 0x06: /* push es */
2721 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2723 case 0x07: /* pop es */
2724 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2725 if (rc != X86EMUL_CONTINUE)
2730 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2732 case 0x0e: /* push cs */
2733 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2737 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2739 case 0x16: /* push ss */
2740 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2742 case 0x17: /* pop ss */
2743 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2744 if (rc != X86EMUL_CONTINUE)
2749 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2751 case 0x1e: /* push ds */
2752 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2754 case 0x1f: /* pop ds */
2755 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2756 if (rc != X86EMUL_CONTINUE)
2761 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2765 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2769 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2773 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2775 case 0x40 ... 0x47: /* inc r16/r32 */
2776 emulate_1op("inc", c->dst, ctxt->eflags);
2778 case 0x48 ... 0x4f: /* dec r16/r32 */
2779 emulate_1op("dec", c->dst, ctxt->eflags);
2781 case 0x58 ... 0x5f: /* pop reg */
2783 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2784 if (rc != X86EMUL_CONTINUE)
2787 case 0x60: /* pusha */
2788 rc = emulate_pusha(ctxt, ops);
2789 if (rc != X86EMUL_CONTINUE)
2792 case 0x61: /* popa */
2793 rc = emulate_popa(ctxt, ops);
2794 if (rc != X86EMUL_CONTINUE)
2797 case 0x63: /* movsxd */
2798 if (ctxt->mode != X86EMUL_MODE_PROT64)
2799 goto cannot_emulate;
2800 c->dst.val = (s32) c->src.val;
2802 case 0x6c: /* insb */
2803 case 0x6d: /* insw/insd */
2804 c->dst.bytes = min(c->dst.bytes, 4u);
2805 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2807 emulate_gp(ctxt, 0);
2810 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2811 c->regs[VCPU_REGS_RDX], &c->dst.val))
2812 goto done; /* IO is needed, skip writeback */
2814 case 0x6e: /* outsb */
2815 case 0x6f: /* outsw/outsd */
2816 c->src.bytes = min(c->src.bytes, 4u);
2817 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2819 emulate_gp(ctxt, 0);
2822 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2823 &c->src.val, 1, ctxt->vcpu);
2825 c->dst.type = OP_NONE; /* nothing to writeback */
2827 case 0x70 ... 0x7f: /* jcc (short) */
2828 if (test_cc(c->b, ctxt->eflags))
2829 jmp_rel(c, c->src.val);
2831 case 0x80 ... 0x83: /* Grp1 */
2832 switch (c->modrm_reg) {
2853 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2855 case 0x86 ... 0x87: /* xchg */
2857 /* Write back the register source. */
2858 switch (c->dst.bytes) {
2860 *(u8 *) c->src.addr.reg = (u8) c->dst.val;
2863 *(u16 *) c->src.addr.reg = (u16) c->dst.val;
2866 *c->src.addr.reg = (u32) c->dst.val;
2867 break; /* 64b reg: zero-extend */
2869 *c->src.addr.reg = c->dst.val;
2873 * Write back the memory destination with implicit LOCK
2876 c->dst.val = c->src.val;
2879 case 0x88 ... 0x8b: /* mov */
2881 case 0x8c: /* mov r/m, sreg */
2882 if (c->modrm_reg > VCPU_SREG_GS) {
2886 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2888 case 0x8d: /* lea r16/r32, m */
2889 c->dst.val = c->modrm_ea;
2891 case 0x8e: { /* mov seg, r/m16 */
2896 if (c->modrm_reg == VCPU_SREG_CS ||
2897 c->modrm_reg > VCPU_SREG_GS) {
2902 if (c->modrm_reg == VCPU_SREG_SS)
2903 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2905 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2907 c->dst.type = OP_NONE; /* Disable writeback. */
2910 case 0x8f: /* pop (sole member of Grp1a) */
2911 rc = emulate_grp1a(ctxt, ops);
2912 if (rc != X86EMUL_CONTINUE)
2915 case 0x90 ... 0x97: /* nop / xchg reg, rax */
2916 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
2919 case 0x9c: /* pushf */
2920 c->src.val = (unsigned long) ctxt->eflags;
2921 emulate_push(ctxt, ops);
2923 case 0x9d: /* popf */
2924 c->dst.type = OP_REG;
2925 c->dst.addr.reg = &ctxt->eflags;
2926 c->dst.bytes = c->op_bytes;
2927 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2928 if (rc != X86EMUL_CONTINUE)
2931 case 0xa0 ... 0xa3: /* mov */
2932 case 0xa4 ... 0xa5: /* movs */
2934 case 0xa6 ... 0xa7: /* cmps */
2935 c->dst.type = OP_NONE; /* Disable writeback. */
2936 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
2938 case 0xa8 ... 0xa9: /* test ax, imm */
2940 case 0xaa ... 0xab: /* stos */
2941 c->dst.val = c->regs[VCPU_REGS_RAX];
2943 case 0xac ... 0xad: /* lods */
2945 case 0xae ... 0xaf: /* scas */
2946 DPRINTF("Urk! I don't handle SCAS.\n");
2947 goto cannot_emulate;
2948 case 0xb0 ... 0xbf: /* mov r, imm */
2953 case 0xc3: /* ret */
2954 c->dst.type = OP_REG;
2955 c->dst.addr.reg = &c->eip;
2956 c->dst.bytes = c->op_bytes;
2957 goto pop_instruction;
2958 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2960 c->dst.val = c->src.val;
2962 case 0xcb: /* ret far */
2963 rc = emulate_ret_far(ctxt, ops);
2964 if (rc != X86EMUL_CONTINUE)
2967 case 0xcf: /* iret */
2968 rc = emulate_iret(ctxt, ops);
2970 if (rc != X86EMUL_CONTINUE)
2973 case 0xd0 ... 0xd1: /* Grp2 */
2977 case 0xd2 ... 0xd3: /* Grp2 */
2978 c->src.val = c->regs[VCPU_REGS_RCX];
2981 case 0xe4: /* inb */
2984 case 0xe6: /* outb */
2985 case 0xe7: /* out */
2987 case 0xe8: /* call (near) */ {
2988 long int rel = c->src.val;
2989 c->src.val = (unsigned long) c->eip;
2991 emulate_push(ctxt, ops);
2994 case 0xe9: /* jmp rel */
2996 case 0xea: { /* jmp far */
2999 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3001 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3005 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3009 jmp: /* jmp rel short */
3010 jmp_rel(c, c->src.val);
3011 c->dst.type = OP_NONE; /* Disable writeback. */
3013 case 0xec: /* in al,dx */
3014 case 0xed: /* in (e/r)ax,dx */
3015 c->src.val = c->regs[VCPU_REGS_RDX];
3017 c->dst.bytes = min(c->dst.bytes, 4u);
3018 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3019 emulate_gp(ctxt, 0);
3022 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3024 goto done; /* IO is needed */
3026 case 0xee: /* out dx,al */
3027 case 0xef: /* out dx,(e/r)ax */
3028 c->src.val = c->regs[VCPU_REGS_RDX];
3030 c->dst.bytes = min(c->dst.bytes, 4u);
3031 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3032 emulate_gp(ctxt, 0);
3035 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
3037 c->dst.type = OP_NONE; /* Disable writeback. */
3039 case 0xf4: /* hlt */
3040 ctxt->vcpu->arch.halt_request = 1;
3042 case 0xf5: /* cmc */
3043 /* complement carry flag from eflags reg */
3044 ctxt->eflags ^= EFLG_CF;
3045 c->dst.type = OP_NONE; /* Disable writeback. */
3047 case 0xf6 ... 0xf7: /* Grp3 */
3048 if (!emulate_grp3(ctxt, ops))
3049 goto cannot_emulate;
3051 case 0xf8: /* clc */
3052 ctxt->eflags &= ~EFLG_CF;
3053 c->dst.type = OP_NONE; /* Disable writeback. */
3055 case 0xfa: /* cli */
3056 if (emulator_bad_iopl(ctxt, ops)) {
3057 emulate_gp(ctxt, 0);
3060 ctxt->eflags &= ~X86_EFLAGS_IF;
3061 c->dst.type = OP_NONE; /* Disable writeback. */
3064 case 0xfb: /* sti */
3065 if (emulator_bad_iopl(ctxt, ops)) {
3066 emulate_gp(ctxt, 0);
3069 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3070 ctxt->eflags |= X86_EFLAGS_IF;
3071 c->dst.type = OP_NONE; /* Disable writeback. */
3074 case 0xfc: /* cld */
3075 ctxt->eflags &= ~EFLG_DF;
3076 c->dst.type = OP_NONE; /* Disable writeback. */
3078 case 0xfd: /* std */
3079 ctxt->eflags |= EFLG_DF;
3080 c->dst.type = OP_NONE; /* Disable writeback. */
3082 case 0xfe: /* Grp4 */
3084 rc = emulate_grp45(ctxt, ops);
3085 if (rc != X86EMUL_CONTINUE)
3088 case 0xff: /* Grp5 */
3089 if (c->modrm_reg == 5)
3093 goto cannot_emulate;
3097 rc = writeback(ctxt, ops);
3098 if (rc != X86EMUL_CONTINUE)
3102 * restore dst type in case the decoding will be reused
3103 * (happens for string instruction )
3105 c->dst.type = saved_dst_type;
3107 if ((c->d & SrcMask) == SrcSI)
3108 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3109 VCPU_REGS_RSI, &c->src);
3111 if ((c->d & DstMask) == DstDI)
3112 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3115 if (c->rep_prefix && (c->d & String)) {
3116 struct read_cache *rc = &ctxt->decode.io_read;
3117 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3119 * Re-enter guest when pio read ahead buffer is empty or,
3120 * if it is not used, after each 1024 iteration.
3122 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3123 (rc->end != 0 && rc->end == rc->pos))
3124 ctxt->restart = false;
3127 * reset read cache here in case string instruction is restared
3130 ctxt->decode.mem_read.end = 0;
3134 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3138 case 0x01: /* lgdt, lidt, lmsw */
3139 switch (c->modrm_reg) {
3141 unsigned long address;
3143 case 0: /* vmcall */
3144 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3145 goto cannot_emulate;
3147 rc = kvm_fix_hypercall(ctxt->vcpu);
3148 if (rc != X86EMUL_CONTINUE)
3151 /* Let the processor re-execute the fixed hypercall */
3153 /* Disable writeback. */
3154 c->dst.type = OP_NONE;
3157 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3158 &size, &address, c->op_bytes);
3159 if (rc != X86EMUL_CONTINUE)
3161 realmode_lgdt(ctxt->vcpu, size, address);
3162 /* Disable writeback. */
3163 c->dst.type = OP_NONE;
3165 case 3: /* lidt/vmmcall */
3166 if (c->modrm_mod == 3) {
3167 switch (c->modrm_rm) {
3169 rc = kvm_fix_hypercall(ctxt->vcpu);
3170 if (rc != X86EMUL_CONTINUE)
3174 goto cannot_emulate;
3177 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3180 if (rc != X86EMUL_CONTINUE)
3182 realmode_lidt(ctxt->vcpu, size, address);
3184 /* Disable writeback. */
3185 c->dst.type = OP_NONE;
3189 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3192 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3193 (c->src.val & 0x0f), ctxt->vcpu);
3194 c->dst.type = OP_NONE;
3196 case 5: /* not defined */
3200 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3201 /* Disable writeback. */
3202 c->dst.type = OP_NONE;
3205 goto cannot_emulate;
3208 case 0x05: /* syscall */
3209 rc = emulate_syscall(ctxt, ops);
3210 if (rc != X86EMUL_CONTINUE)
3216 emulate_clts(ctxt->vcpu);
3217 c->dst.type = OP_NONE;
3219 case 0x09: /* wbinvd */
3220 kvm_emulate_wbinvd(ctxt->vcpu);
3221 c->dst.type = OP_NONE;
3223 case 0x08: /* invd */
3224 case 0x0d: /* GrpP (prefetch) */
3225 case 0x18: /* Grp16 (prefetch/nop) */
3226 c->dst.type = OP_NONE;
3228 case 0x20: /* mov cr, reg */
3229 switch (c->modrm_reg) {
3236 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3237 c->dst.type = OP_NONE; /* no writeback */
3239 case 0x21: /* mov from dr to reg */
3240 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3241 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3245 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3246 c->dst.type = OP_NONE; /* no writeback */
3248 case 0x22: /* mov reg, cr */
3249 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3250 emulate_gp(ctxt, 0);
3253 c->dst.type = OP_NONE;
3255 case 0x23: /* mov from reg to dr */
3256 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3257 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3262 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3263 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3264 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3265 /* #UD condition is already handled by the code above */
3266 emulate_gp(ctxt, 0);
3270 c->dst.type = OP_NONE; /* no writeback */
3274 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3275 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3276 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3277 emulate_gp(ctxt, 0);
3280 rc = X86EMUL_CONTINUE;
3281 c->dst.type = OP_NONE;
3285 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3286 emulate_gp(ctxt, 0);
3289 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3290 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3292 rc = X86EMUL_CONTINUE;
3293 c->dst.type = OP_NONE;
3295 case 0x34: /* sysenter */
3296 rc = emulate_sysenter(ctxt, ops);
3297 if (rc != X86EMUL_CONTINUE)
3302 case 0x35: /* sysexit */
3303 rc = emulate_sysexit(ctxt, ops);
3304 if (rc != X86EMUL_CONTINUE)
3309 case 0x40 ... 0x4f: /* cmov */
3310 c->dst.val = c->dst.orig_val = c->src.val;
3311 if (!test_cc(c->b, ctxt->eflags))
3312 c->dst.type = OP_NONE; /* no writeback */
3314 case 0x80 ... 0x8f: /* jnz rel, etc*/
3315 if (test_cc(c->b, ctxt->eflags))
3316 jmp_rel(c, c->src.val);
3317 c->dst.type = OP_NONE;
3319 case 0xa0: /* push fs */
3320 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3322 case 0xa1: /* pop fs */
3323 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3324 if (rc != X86EMUL_CONTINUE)
3329 c->dst.type = OP_NONE;
3330 /* only subword offset */
3331 c->src.val &= (c->dst.bytes << 3) - 1;
3332 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3334 case 0xa4: /* shld imm8, r, r/m */
3335 case 0xa5: /* shld cl, r, r/m */
3336 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3338 case 0xa8: /* push gs */
3339 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3341 case 0xa9: /* pop gs */
3342 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3343 if (rc != X86EMUL_CONTINUE)
3348 /* only subword offset */
3349 c->src.val &= (c->dst.bytes << 3) - 1;
3350 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3352 case 0xac: /* shrd imm8, r, r/m */
3353 case 0xad: /* shrd cl, r, r/m */
3354 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3356 case 0xae: /* clflush */
3358 case 0xb0 ... 0xb1: /* cmpxchg */
3360 * Save real source value, then compare EAX against
3363 c->src.orig_val = c->src.val;
3364 c->src.val = c->regs[VCPU_REGS_RAX];
3365 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3366 if (ctxt->eflags & EFLG_ZF) {
3367 /* Success: write back to memory. */
3368 c->dst.val = c->src.orig_val;
3370 /* Failure: write the value we saw to EAX. */
3371 c->dst.type = OP_REG;
3372 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3377 /* only subword offset */
3378 c->src.val &= (c->dst.bytes << 3) - 1;
3379 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3381 case 0xb6 ... 0xb7: /* movzx */
3382 c->dst.bytes = c->op_bytes;
3383 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3386 case 0xba: /* Grp8 */
3387 switch (c->modrm_reg & 3) {
3400 /* only subword offset */
3401 c->src.val &= (c->dst.bytes << 3) - 1;
3402 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3404 case 0xbe ... 0xbf: /* movsx */
3405 c->dst.bytes = c->op_bytes;
3406 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3409 case 0xc3: /* movnti */
3410 c->dst.bytes = c->op_bytes;
3411 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3414 case 0xc7: /* Grp9 (cmpxchg8b) */
3415 rc = emulate_grp9(ctxt, ops);
3416 if (rc != X86EMUL_CONTINUE)
3420 goto cannot_emulate;
3425 DPRINTF("Cannot emulate %02x\n", c->b);
projects / ~andy / linux / blob