/******************************************************************************
 * emulate.c
 *
 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
 *
 * Copyright (c) 2005 Keir Fraser
 *
 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
 * privileged instructions:
 *
 * Copyright (C) 2006 Qumranet
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 *   Avi Kivity <avi@qumranet.com>
 *   Yaniv Kamay <yaniv@qumranet.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2.  See
 * the COPYING file in the top-level directory.
 *
 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
 */
#ifndef __KERNEL__
#include <stdio.h>
#include <stdint.h>
#include <public/xen.h>
#define DPRINTF(_f, _a ...) printf(_f , ## _a)
#else
#include <linux/kvm_host.h>
#include "kvm_cache_regs.h"
#define DPRINTF(x...) do {} while (0)
#endif
#include <linux/module.h>
#include <asm/kvm_emulate.h>
/*
 * Opcode effective-address decode tables.
 * Note that we only emulate instructions that have at least one memory
 * operand (excluding implicit stack references). We assume that stack
 * references and instruction fetches will never occur in special memory
 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
 * not be handled.
 */
/* Operand sizes: 8-bit operands or specified/overridden size. */
#define ByteOp      (1<<0)	/* 8-bit operands. */
/* Destination operand type. */
#define ImplicitOps (1<<1)	/* Implicit in opcode. No generic decode. */
#define DstReg      (2<<1)	/* Register operand. */
#define DstMem      (3<<1)	/* Memory operand. */
#define DstAcc      (4<<1)	/* Destination Accumulator */
#define DstDI       (5<<1)	/* Destination is in ES:(E)DI */
#define DstMem64    (6<<1)	/* 64bit memory operand */
#define DstMask     (7<<1)
/* Source operand type. */
#define SrcNone     (0<<4)	/* No source operand. */
#define SrcImplicit (0<<4)	/* Source operand is implicit in the opcode. */
#define SrcReg      (1<<4)	/* Register operand. */
#define SrcMem      (2<<4)	/* Memory operand. */
#define SrcMem16    (3<<4)	/* Memory operand (16-bit). */
#define SrcMem32    (4<<4)	/* Memory operand (32-bit). */
#define SrcImm      (5<<4)	/* Immediate operand. */
#define SrcImmByte  (6<<4)	/* 8-bit sign-extended immediate operand. */
#define SrcOne      (7<<4)	/* Implied '1' */
#define SrcImmUByte (8<<4)	/* 8-bit unsigned immediate operand. */
#define SrcImmU     (9<<4)	/* Immediate operand, unsigned */
#define SrcSI       (0xa<<4)	/* Source is in the DS:RSI */
#define SrcImmFAddr (0xb<<4)	/* Source is immediate far address */
#define SrcMemFAddr (0xc<<4)	/* Source is far address in memory */
#define SrcAcc      (0xd<<4)	/* Source Accumulator */
#define SrcMask     (0xf<<4)
/* Generic ModRM decode. */
#define ModRM       (1<<8)
/* Destination is only written; never read. */
#define Mov         (1<<9)
#define BitOp       (1<<10)
#define MemAbs      (1<<11)	/* Memory operand is absolute displacement */
#define String      (1<<12)	/* String instruction (rep capable) */
#define Stack       (1<<13)	/* Stack instruction (push/pop) */
#define Group       (1<<14)	/* Bits 3:5 of modrm byte extend opcode */
#define GroupDual   (1<<15)	/* Alternate decoding of mod == 3 */
/* Misc flags */
#define Undefined   (1<<25)	/* No Such Instruction */
#define Lock        (1<<26)	/* lock prefix is allowed for the instruction */
#define Priv        (1<<27)	/* instruction generates #GP if current CPL != 0 */
#define No64        (1<<28)	/* instruction is invalid in 64-bit mode */
/* Source 2 operand type */
#define Src2None    (0<<29)
#define Src2CL      (1<<29)
#define Src2ImmByte (2<<29)
#define Src2One     (3<<29)
#define Src2Mask    (7<<29)
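
/*
 * Example of reading a packed descriptor: the table entry for SHLD r/m,r,CL
 * (0x0f 0xa5, below) is built as (DstMem | SrcReg | Src2CL | ModRM): the
 * destination is decoded from the ModRM r/m field, the source from the reg
 * field, and CL is supplied as the second source operand.
 */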
#define X2(x)  x, x
#define X3(x)  X2(x), x
#define X4(x)  X2(x), X2(x)
#define X5(x)  X4(x), x
#define X6(x)  X4(x), X2(x)
#define X7(x)  X4(x), X3(x)
#define X8(x)  X4(x), X4(x)
#define X16(x) X8(x), X8(x)
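
/*
 * These simply repeat an initializer: X4(x) expands to "x, x, x, x", so a
 * run of identical entries such as opcodes 0x50-0x57 (push reg) can be
 * filled with a single X8(D(SrcReg | Stack)) in the tables below.
 */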
struct opcode {
	u32 flags;
	union {
		int (*execute)(struct x86_emulate_ctxt *ctxt);
		struct opcode *group;
		struct group_dual *gdual;
	} u;
};

struct group_dual {
	struct opcode mod012[8];
	struct opcode mod3[8];
};
/* EFLAGS bit definitions. */
#define EFLG_ID (1<<21)
#define EFLG_VIP (1<<20)
#define EFLG_VIF (1<<19)
#define EFLG_AC (1<<18)
#define EFLG_VM (1<<17)
#define EFLG_RF (1<<16)
#define EFLG_IOPL (3<<12)
#define EFLG_NT (1<<14)
#define EFLG_OF (1<<11)
#define EFLG_DF (1<<10)
#define EFLG_IF (1<<9)
#define EFLG_TF (1<<8)
#define EFLG_SF (1<<7)
#define EFLG_ZF (1<<6)
#define EFLG_AF (1<<4)
#define EFLG_PF (1<<2)
#define EFLG_CF (1<<0)

#define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
#define EFLG_RESERVED_ONE_MASK 2

/*
 * Instruction emulation:
 * Most instructions are emulated directly via a fragment of inline assembly
 * code. This allows us to save/restore EFLAGS and thus very easily pick up
 * any modified flags.
 */
#if defined(CONFIG_X86_64)
#define _LO32 "k"		/* force 32-bit operand */
#define _STK  "%%rsp"		/* stack pointer */
#elif defined(__i386__)
#define _LO32 ""		/* force 32-bit operand */
#define _STK  "%%esp"		/* stack pointer */
#endif

/*
 * These EFLAGS bits are restored from saved value during emulation, and
 * any changes are written back to the saved value after emulation.
 */
#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
/* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp)					\
	/* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
	"movl %"_sav",%"_LO32 _tmp"; "					\
	"push %"_tmp"; "						\
	"push %"_tmp"; "						\
	"movl %"_msk",%"_LO32 _tmp"; "					\
	"andl %"_LO32 _tmp",("_STK"); "					\
	"pushf; "							\
	"notl %"_LO32 _tmp"; "						\
	"andl %"_LO32 _tmp",("_STK"); "					\
	"andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); "	\
	"pop  %"_tmp"; "						\
	"orl  %"_LO32 _tmp",("_STK"); "					\
	"popf; "							\
	"pop  %"_sav"; "

/* After executing instruction: write-back necessary bits in EFLAGS. */
#define _POST_EFLAGS(_sav, _msk, _tmp)		\
	/* _sav |= EFLAGS & _msk; */		\
	"pushf; "				\
	"pop  %"_LO32 _tmp"; "			\
	"andl %"_msk",%"_LO32 _tmp"; "		\
	"orl  %"_LO32 _tmp",%"_sav"; "
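
/*
 * Rough illustration (not literal expansion): a two-operand helper below,
 * such as an "add" on 4-byte operands, emits an asm fragment of the shape
 *
 *	_PRE_EFLAGS(...)	; load guest flag bits into host EFLAGS
 *	addl %ecx,%ebx		; a real host instruction does the work
 *	_POST_EFLAGS(...)	; copy EFLAGS_MASK bits back to the saved image
 *
 * so both the result and the arithmetic flags come straight from the host
 * CPU. The register names here are purely illustrative.
 */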
#define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix)	\
	do {								\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "4", "2")			\
			_op _suffix " %"_x"3,%1; "			\
			_POST_EFLAGS("0", "4", "2")			\
			: "=m" (_eflags), "=m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: _y ((_src).val), "i" (EFLAGS_MASK));		\
	} while (0)

/* Raw emulation: instruction has two explicit operands. */
#define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
	do {								\
		unsigned long _tmp;					\
									\
		switch ((_dst).bytes) {					\
		case 2:							\
			____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
			break;						\
		case 4:							\
			____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
			break;						\
		case 8:							\
			ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
			break;						\
		}							\
	} while (0)

#define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
	do {								     \
		unsigned long _tmp;					     \
		switch ((_dst).bytes) {					     \
		case 1:							     \
			____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b");  \
			break;						     \
		default:						     \
			__emulate_2op_nobyte(_op, _src, _dst, _eflags,	     \
					     _wx, _wy, _lx, _ly, _qx, _qy);  \
			break;						     \
		}							     \
	} while (0)
/* Source operand is byte-sized and may be restricted to just %cl. */
#define emulate_2op_SrcB(_op, _src, _dst, _eflags)			\
	__emulate_2op(_op, _src, _dst, _eflags,				\
		      "b", "c", "b", "c", "b", "c", "b", "c")

/* Source operand is byte, word, long or quad sized. */
#define emulate_2op_SrcV(_op, _src, _dst, _eflags)			\
	__emulate_2op(_op, _src, _dst, _eflags,				\
		      "b", "q", "w", "r", _LO32, "r", "", "r")

/* Source operand is word, long or quad sized. */
#define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags)		\
	__emulate_2op_nobyte(_op, _src, _dst, _eflags,			\
			     "w", "r", _LO32, "r", "", "r")
/* Instruction has three operands and one operand is stored in ECX register */
#define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
	do {								\
		unsigned long _tmp;					\
		_type _clv  = (_cl).val;				\
		_type _srcv = (_src).val;				\
		_type _dstv = (_dst).val;				\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "5", "2")			\
			_op _suffix " %4,%1 \n"				\
			_POST_EFLAGS("0", "5", "2")			\
			: "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp)	\
			: "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK)	\
			);						\
									\
		(_cl).val  = (unsigned long) _clv;			\
		(_src).val = (unsigned long) _srcv;			\
		(_dst).val = (unsigned long) _dstv;			\
	} while (0)

#define emulate_2op_cl(_op, _cl, _src, _dst, _eflags)			\
	do {								\
		switch ((_dst).bytes) {					\
		case 2:							\
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags,	\
					 "w", unsigned short);		\
			break;						\
		case 4:							\
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags,	\
					 "l", unsigned int);		\
			break;						\
		case 8:							\
			ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					      "q", unsigned long));	\
			break;						\
		}							\
	} while (0)

#define __emulate_1op(_op, _dst, _eflags, _suffix)			\
	do {								\
		unsigned long _tmp;					\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "3", "2")			\
			_op _suffix " %1; "				\
			_POST_EFLAGS("0", "3", "2")			\
			: "=m" (_eflags), "+m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: "i" (EFLAGS_MASK));				\
	} while (0)

/* Instruction has only one explicit operand (no source operand). */
#define emulate_1op(_op, _dst, _eflags)					\
	do {								\
		switch ((_dst).bytes) {					\
		case 1:	__emulate_1op(_op, _dst, _eflags, "b"); break;	\
		case 2:	__emulate_1op(_op, _dst, _eflags, "w"); break;	\
		case 4:	__emulate_1op(_op, _dst, _eflags, "l"); break;	\
		case 8:	ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
		}							\
	} while (0)
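
/*
 * Example use (see the group handlers below): emulate_1op("inc", c->dst,
 * ctxt->eflags) selects the "w" suffix for a 2-byte destination, so the
 * host executes "incw" on dst.val and the guest EFLAGS image picks up the
 * resulting arithmetic flags via EFLAGS_MASK.
 */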
/* Fetch next part of the instruction being emulated. */
#define insn_fetch(_type, _size, _eip)					\
({	unsigned long _x;						\
	rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
	(_type)_x;							\
})

#define insn_fetch_arr(_arr, _size, _eip)				\
({	rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
})
static inline unsigned long ad_mask(struct decode_cache *c)
{
	return (1UL << (c->ad_bytes << 3)) - 1;
}

/* Access/update address held in a register, based on addressing mode. */
static inline unsigned long
address_mask(struct decode_cache *c, unsigned long reg)
{
	if (c->ad_bytes == sizeof(unsigned long))
		return reg;
	else
		return reg & ad_mask(c);
}
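
/*
 * Example: with a 16-bit address size (c->ad_bytes == 2), ad_mask() is
 * 0xffff, so a stale upper half in, say, RSI == 0x12345678 still yields the
 * architecturally visible SI value 0x5678 from address_mask().
 */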
static inline unsigned long
register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
{
	return base + address_mask(c, reg);
}

static inline void
register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
{
	if (c->ad_bytes == sizeof(unsigned long))
		*reg += inc;
	else
		*reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
}
static inline void jmp_rel(struct decode_cache *c, int rel)
{
	register_address_increment(c, &c->eip, rel);
}

static void set_seg_override(struct decode_cache *c, int seg)
{
	c->has_seg_override = true;
	c->seg_override = seg;
}
static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	/* in 64-bit mode only FS and GS carry a non-zero base */
	if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
		return 0;

	return ops->get_cached_segment_base(seg, ctxt->vcpu);
}

static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
				       struct x86_emulate_ops *ops,
				       struct decode_cache *c)
{
	if (!c->has_seg_override)
		return 0;

	return seg_base(ctxt, ops, c->seg_override);
}

static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_ES);
}

static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_SS);
}
static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
			      u32 error, bool valid)
{
	ctxt->exception = vec;
	ctxt->error_code = error;
	ctxt->error_code_valid = valid;
	ctxt->restart = false;
}

static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, GP_VECTOR, err, true);
}

static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
		       int err)
{
	ctxt->cr2 = addr;
	emulate_exception(ctxt, PF_VECTOR, err, true);
}

static void emulate_ud(struct x86_emulate_ctxt *ctxt)
{
	emulate_exception(ctxt, UD_VECTOR, 0, false);
}

static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, TS_VECTOR, err, true);
}
static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops,
			      unsigned long eip, u8 *dest)
{
	struct fetch_cache *fc = &ctxt->decode.fetch;
	int rc;
	int size, cur_size;

	if (eip == fc->end) {
		cur_size = fc->end - fc->start;
		size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
		rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
				size, ctxt->vcpu, NULL);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		fc->end += size;
	}
	*dest = fc->data[eip - fc->start];
	return X86EMUL_CONTINUE;
}

static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long eip, void *dest, unsigned size)
{
	int rc;

	/* x86 instructions are limited to 15 bytes. */
	if (eip + size - ctxt->eip > 15)
		return X86EMUL_UNHANDLEABLE;
	while (size--) {
		rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
		if (rc != X86EMUL_CONTINUE)
			return rc;
	}
	return X86EMUL_CONTINUE;
}
/*
 * Given the 'reg' portion of a ModRM byte, and a register block, return a
 * pointer into the block that addresses the relevant register.
 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
 */
static void *decode_register(u8 modrm_reg, unsigned long *regs,
			     int highbyte_regs)
{
	void *p;

	p = &regs[modrm_reg];
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
		p = (unsigned char *)&regs[modrm_reg & 3] + 1;
	return p;
}
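
/*
 * Example: without a REX prefix, byte register number 4 names AH, which on
 * little-endian x86 is byte 1 of the RAX slot, so decode_register(4, regs, 1)
 * returns (unsigned char *)&regs[VCPU_REGS_RAX] + 1.
 */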
static int read_descriptor(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   void *ptr,
			   u16 *size, unsigned long *address, int op_bytes)
{
	int rc;

	if (op_bytes == 2)
		op_bytes = 3;
	*address = 0;
	rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
			   ctxt->vcpu, NULL);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
			   ctxt->vcpu, NULL);
	return rc;
}
static int test_cc(unsigned int condition, unsigned int flags)
{
	int rc = 0;

	switch ((condition & 15) >> 1) {
	case 0: /* o */
		rc |= (flags & EFLG_OF);
		break;
	case 1: /* b/c/nae */
		rc |= (flags & EFLG_CF);
		break;
	case 2: /* z/e */
		rc |= (flags & EFLG_ZF);
		break;
	case 3: /* be/na */
		rc |= (flags & (EFLG_CF|EFLG_ZF));
		break;
	case 4: /* s */
		rc |= (flags & EFLG_SF);
		break;
	case 5: /* p/pe */
		rc |= (flags & EFLG_PF);
		break;
	case 7: /* le/ng */
		rc |= (flags & EFLG_ZF);
		/* fall through */
	case 6: /* l/nge */
		rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
		break;
	}

	/* Odd condition identifiers (lsb == 1) have inverted sense. */
	return (!!rc ^ (condition & 1));
}
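
/*
 * Example: for "jne" the condition nibble is 5; (5 & 15) >> 1 == 2 selects
 * the ZF test, and the odd low bit inverts it, so test_cc(5, flags) is 1
 * exactly when ZF is clear.
 */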
static void decode_register_operand(struct operand *op,
				    struct decode_cache *c,
				    int inhibit_bytereg)
{
	unsigned reg = c->modrm_reg;
	int highbyte_regs = c->rex_prefix == 0;

	if (!(c->d & ModRM))
		reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
	op->type = OP_REG;
	if ((c->d & ByteOp) && !inhibit_bytereg) {
		op->ptr = decode_register(reg, c->regs, highbyte_regs);
		op->val = *(u8 *)op->ptr;
		op->bytes = 1;
	} else {
		op->ptr = decode_register(reg, c->regs, 0);
		op->bytes = c->op_bytes;
		switch (op->bytes) {
		case 2:
			op->val = *(u16 *)op->ptr;
			break;
		case 4:
			op->val = *(u32 *)op->ptr;
			break;
		case 8:
			op->val = *(u64 *) op->ptr;
			break;
		}
	}
	op->orig_val = op->val;
}
static int decode_modrm(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u8 sib;
	int index_reg = 0, base_reg = 0, scale;
	int rc = X86EMUL_CONTINUE;

	if (c->rex_prefix) {
		c->modrm_reg = (c->rex_prefix & 4) << 1;	/* REX.R */
		index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
		c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REX.B */
	}

	c->modrm = insn_fetch(u8, 1, c->eip);
	c->modrm_mod |= (c->modrm & 0xc0) >> 6;
	c->modrm_reg |= (c->modrm & 0x38) >> 3;
	c->modrm_rm |= (c->modrm & 0x07);
	c->modrm_ea = 0;
	c->use_modrm_ea = 1;

	if (c->modrm_mod == 3) {
		c->modrm_ptr = decode_register(c->modrm_rm,
					       c->regs, c->d & ByteOp);
		c->modrm_val = *(unsigned long *)c->modrm_ptr;
		return rc;
	}

	if (c->ad_bytes == 2) {
		unsigned bx = c->regs[VCPU_REGS_RBX];
		unsigned bp = c->regs[VCPU_REGS_RBP];
		unsigned si = c->regs[VCPU_REGS_RSI];
		unsigned di = c->regs[VCPU_REGS_RDI];

		/* 16-bit ModR/M decode. */
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 6)
				c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		}
		switch (c->modrm_rm) {
		case 0:
			c->modrm_ea += bx + si;
			break;
		case 1:
			c->modrm_ea += bx + di;
			break;
		case 2:
			c->modrm_ea += bp + si;
			break;
		case 3:
			c->modrm_ea += bp + di;
			break;
		case 4:
			c->modrm_ea += si;
			break;
		case 5:
			c->modrm_ea += di;
			break;
		case 6:
			if (c->modrm_mod != 0)
				c->modrm_ea += bp;
			break;
		case 7:
			c->modrm_ea += bx;
			break;
		}
		if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
		    (c->modrm_rm == 6 && c->modrm_mod != 0))
			if (!c->has_seg_override)
				set_seg_override(c, VCPU_SREG_SS);
		c->modrm_ea = (u16)c->modrm_ea;
	} else {
		/* 32/64-bit ModR/M decode. */
		if ((c->modrm_rm & 7) == 4) {
			sib = insn_fetch(u8, 1, c->eip);
			index_reg |= (sib >> 3) & 7;
			base_reg |= sib & 7;
			scale = sib >> 6;

			if ((base_reg & 7) == 5 && c->modrm_mod == 0)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			else
				c->modrm_ea += c->regs[base_reg];
			if (index_reg != 4)
				c->modrm_ea += c->regs[index_reg] << scale;
		} else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
			if (ctxt->mode == X86EMUL_MODE_PROT64)
				c->rip_relative = 1;
		} else
			c->modrm_ea += c->regs[c->modrm_rm];
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 5)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		}
	}
done:
	return rc;
}
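
/*
 * Worked example (16-bit address size): modrm == 0x46 gives mod=1, reg=0,
 * rm=6, i.e. disp8[BP]. The code above adds the sign-extended displacement
 * byte plus BP, and defaults the segment to SS because BP-based forms use
 * the stack segment unless overridden.
 */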
static int decode_abs(struct x86_emulate_ctxt *ctxt,
		      struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;

	switch (c->ad_bytes) {
	case 2:
		c->modrm_ea = insn_fetch(u16, 2, c->eip);
		break;
	case 4:
		c->modrm_ea = insn_fetch(u32, 4, c->eip);
		break;
	case 8:
		c->modrm_ea = insn_fetch(u64, 8, c->eip);
		break;
	}
done:
	return rc;
}

static int read_emulated(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long addr, void *dest, unsigned size)
{
	int rc;
	struct read_cache *mc = &ctxt->decode.mem_read;
	u32 err;

	while (size) {
		int n = min(size, 8u);
		size -= n;
		if (mc->pos < mc->end)
			goto read_cached;

		rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt, addr, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		mc->end += n;

	read_cached:
		memcpy(dest, mc->data + mc->pos, n);
		mc->pos += n;
		dest += n;
		addr += n;
	}
	return X86EMUL_CONTINUE;
}
static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   unsigned int size, unsigned short port,
			   void *dest)
{
	struct read_cache *rc = &ctxt->decode.io_read;

	if (rc->pos == rc->end) { /* refill pio read ahead */
		struct decode_cache *c = &ctxt->decode;
		unsigned int in_page, n;
		unsigned int count = c->rep_prefix ?
			address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
		in_page = (ctxt->eflags & EFLG_DF) ?
			offset_in_page(c->regs[VCPU_REGS_RDI]) :
			PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
		n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
			count);
		if (n == 0)
			n = 1;
		rc->pos = rc->end = 0;
		if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
			return 0;
		rc->end = n * size;
	}

	memcpy(dest, rc->data + rc->pos, size);
	rc->pos += size;
	return 1;
}
static u32 desc_limit_scaled(struct desc_struct *desc)
{
	u32 limit = get_desc_limit(desc);

	return desc->g ? (limit << 12) | 0xfff : limit;
}
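
/*
 * Example: a descriptor with limit 0xfffff and G == 1 scales to
 * (0xfffff << 12) | 0xfff == 0xffffffff, the flat 4GB limit used for the
 * syscall fast-path segments set up below.
 */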
static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
				     struct x86_emulate_ops *ops,
				     u16 selector, struct desc_ptr *dt)
{
	if (selector & 1 << 2) {
		struct desc_struct desc;

		memset(dt, 0, sizeof *dt);
		if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR,
						ctxt->vcpu))
			return;

		dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
		dt->address = get_desc_base(&desc);
	} else
		ops->get_gdt(dt, ctxt->vcpu);
}

/* allowed just for 8 byte segments */
static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}
	addr = dt.address + index * 8;
	ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}

/* allowed just for 8 byte segments */
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				    struct x86_emulate_ops *ops,
				    u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	u32 err;
	ulong addr;
	int ret;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	addr = dt.address + index * 8;
	ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}
static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, int seg)
{
	struct desc_struct seg_desc;
	u8 dpl, rpl, cpl;
	unsigned err_vec = GP_VECTOR;
	u32 err_code = 0;
	bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
	int ret;

	memset(&seg_desc, 0, sizeof seg_desc);

	if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
	    || ctxt->mode == X86EMUL_MODE_REAL) {
		/* set real mode segment descriptor */
		set_desc_base(&seg_desc, selector << 4);
		set_desc_limit(&seg_desc, 0xffff);
		seg_desc.type = 3;
		seg_desc.p = 1;
		seg_desc.s = 1;
		goto load;
	}

	/* NULL selector is not valid for TR, CS and SS */
	if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
	    && null_selector)
		goto exception;

	/* TR should be in GDT only */
	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
		goto exception;

	if (null_selector) /* for NULL selector skip all following checks */
		goto load;

	ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	err_code = selector & 0xfffc;
	err_vec = GP_VECTOR;

	/* can't load system descriptor into segment selector */
	if (seg <= VCPU_SREG_GS && !seg_desc.s)
		goto exception;

	if (!seg_desc.p) {
		err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
		goto exception;
	}

	rpl = selector & 3;
	dpl = seg_desc.dpl;
	cpl = ops->cpl(ctxt->vcpu);

	switch (seg) {
	case VCPU_SREG_SS:
		/*
		 * segment is not a writable data segment, or segment
		 * selector's RPL != CPL, or DPL != CPL
		 */
		if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
			goto exception;
		break;
	case VCPU_SREG_CS:
		if (!(seg_desc.type & 8))
			goto exception;

		if (seg_desc.type & 4) {
			/* conforming */
			if (dpl > cpl)
				goto exception;
		} else {
			/* nonconforming */
			if (rpl > cpl || dpl != cpl)
				goto exception;
		}
		/* CS(RPL) <- CPL */
		selector = (selector & 0xfffc) | cpl;
		break;
	case VCPU_SREG_TR:
		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
			goto exception;
		break;
	case VCPU_SREG_LDTR:
		if (seg_desc.s || seg_desc.type != 2)
			goto exception;
		break;
	default: /* DS, ES, FS, or GS */
		/*
		 * segment is not a data or readable code segment or
		 * ((segment is a data or nonconforming code segment)
		 * and (both RPL and CPL > DPL))
		 */
		if ((seg_desc.type & 0xa) == 0x8 ||
		    (((seg_desc.type & 0xc) != 0xc) &&
		     (rpl > dpl && cpl > dpl)))
			goto exception;
		break;
	}

	if (seg_desc.s) {
		/* mark segment as accessed */
		seg_desc.type |= 1;
		ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}
load:
	ops->set_segment_selector(selector, seg, ctxt->vcpu);
	ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
	return X86EMUL_CONTINUE;
exception:
	emulate_exception(ctxt, err_vec, err_code, true);
	return X86EMUL_PROPAGATE_FAULT;
}
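
/*
 * Example: in real mode, loading DS with 0x1234 just synthesizes a
 * descriptor with base 0x12340 (selector << 4) and limit 0xffff; none of
 * the protected-mode type/DPL checks above apply.
 */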
static inline int writeback(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops)
{
	int rc;
	struct decode_cache *c = &ctxt->decode;
	u32 err;

	switch (c->dst.type) {
	case OP_REG:
		/* The 4-byte case *is* correct:
		 * in 64-bit mode we zero-extend.
		 */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *)c->dst.ptr = (u8)c->dst.val;
			break;
		case 2:
			*(u16 *)c->dst.ptr = (u16)c->dst.val;
			break;
		case 4:
			*c->dst.ptr = (u32)c->dst.val;
			break;	/* 64b: zero-ext */
		case 8:
			*c->dst.ptr = c->dst.val;
			break;
		}
		break;
	case OP_MEM:
		if (c->lock_prefix)
			rc = ops->cmpxchg_emulated(
					(unsigned long)c->dst.ptr,
					&c->dst.orig_val,
					&c->dst.val,
					c->dst.bytes,
					&err,
					ctxt->vcpu);
		else
			rc = ops->write_emulated(
					(unsigned long)c->dst.ptr,
					&c->dst.val,
					c->dst.bytes,
					&err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt,
				   (unsigned long)c->dst.ptr, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		break;
	case OP_NONE:
		/* no writeback */
		break;
	default:
		break;
	}
	return X86EMUL_CONTINUE;
}
static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	c->dst.type  = OP_MEM;
	c->dst.bytes = c->op_bytes;
	c->dst.val = c->src.val;
	register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
	c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
					       c->regs[VCPU_REGS_RSP]);
}

static int emulate_pop(struct x86_emulate_ctxt *ctxt,
		       struct x86_emulate_ops *ops,
		       void *dest, int len)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;

	rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
						       c->regs[VCPU_REGS_RSP]),
			   dest, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
	return rc;
}
static int emulate_popf(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops,
			void *dest, int len)
{
	int rc;
	unsigned long val, change_mask;
	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	int cpl = ops->cpl(ctxt->vcpu);

	rc = emulate_pop(ctxt, ops, &val, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
		| EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;

	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT64:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT16:
		if (cpl == 0)
			change_mask |= EFLG_IOPL;
		if (cpl <= iopl)
			change_mask |= EFLG_IF;
		break;
	case X86EMUL_MODE_VM86:
		if (iopl < 3) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		change_mask |= EFLG_IF;
		break;
	default: /* real mode */
		change_mask |= (EFLG_IOPL | EFLG_IF);
		break;
	}

	*(unsigned long *)dest =
		(ctxt->eflags & ~change_mask) | (val & change_mask);

	return rc;
}
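
/*
 * Example: a POPF at CPL 3 with IOPL 0 in protected mode leaves both IF and
 * IOPL out of change_mask, so those bits of the popped value are silently
 * ignored rather than faulting; only VM86 with IOPL < 3 injects #GP here.
 */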
static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;

	c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);

	emulate_push(ctxt, ops);
}

static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long selector;
	int rc;

	rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
	return rc;
}

static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long old_esp = c->regs[VCPU_REGS_RSP];
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RAX;

	while (reg <= VCPU_REGS_RDI) {
		/* the pushed SP value is the one before the PUSHA itself */
		c->src.val = (reg == VCPU_REGS_RSP) ? old_esp : c->regs[reg];

		emulate_push(ctxt, ops);

		rc = writeback(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			return rc;

		++reg;
	}

	/* Disable writeback. */
	c->dst.type = OP_NONE;

	return rc;
}

static int emulate_popa(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RDI;

	while (reg >= VCPU_REGS_RAX) {
		if (reg == VCPU_REGS_RSP) {
			/* POPA skips SP: just step over its stack slot */
			register_address_increment(c, &c->regs[VCPU_REGS_RSP],
						   c->op_bytes);
			--reg;
			continue;
		}

		rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			break;
		--reg;
	}
	return rc;
}
static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	unsigned long temp_eip = 0;
	unsigned long temp_eflags = 0;
	unsigned long cs = 0;
	unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
			     EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
			     EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
	unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;

	/* TODO: Add stack limit check */

	rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	if (temp_eip & ~0xffff) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	c->eip = temp_eip;

	if (c->op_bytes == 4)
		ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
	else if (c->op_bytes == 2) {
		ctxt->eflags &= ~0xffff;
		ctxt->eflags |= temp_eflags;
	}

	ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
	ctxt->eflags |= EFLG_RESERVED_ONE_MASK;

	return rc;
}

static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	switch (ctxt->mode) {
	case X86EMUL_MODE_REAL:
		return emulate_iret_real(ctxt, ops);
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT64:
	default:
		/* iret from protected mode unimplemented yet */
		return X86EMUL_UNHANDLEABLE;
	}
}
static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
}

static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0:	/* rol */
		emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
		break;
	case 1:	/* ror */
		emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* rcl */
		emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
		break;
	case 3:	/* rcr */
		emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
		break;
	case 4:	/* sal/shl */
	case 6:	/* sal/shl */
		emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
		break;
	case 5:	/* shr */
		emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
		break;
	case 7:	/* sar */
		emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
		break;
	}
}

static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0 ... 1:	/* test */
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* not */
		c->dst.val = ~c->dst.val;
		break;
	case 3:	/* neg */
		emulate_1op("neg", c->dst, ctxt->eflags);
		break;
	default:
		return 0;
	}
	return 1;
}
static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0:	/* inc */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 1:	/* dec */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 2: /* call near abs */ {
		long int old_eip;
		old_eip = c->eip;
		c->eip = c->src.val;
		c->src.val = old_eip;
		emulate_push(ctxt, ops);
		break;
	}
	case 4: /* jmp abs */
		c->eip = c->src.val;
		break;
	case 6:	/* push */
		emulate_push(ctxt, ops);
		break;
	}
	return X86EMUL_CONTINUE;
}

static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u64 old = c->dst.orig_val64;

	if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
	    ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
		c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
		c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
		ctxt->eflags &= ~EFLG_ZF;
	} else {
		c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
			(u32) c->regs[VCPU_REGS_RBX];

		ctxt->eflags |= EFLG_ZF;
	}
	return X86EMUL_CONTINUE;
}
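
/*
 * emulate_grp9 implements cmpxchg8b: if EDX:EAX equals the 64-bit value at
 * the destination, ZF is set and ECX:EBX is written back; otherwise the old
 * value is loaded into EDX:EAX and ZF is cleared.
 */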
static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;
	unsigned long cs;

	rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	if (c->op_bytes == 4)
		c->eip = (u32)c->eip;
	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
	return rc;
}

static inline void
setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops, struct desc_struct *cs,
			struct desc_struct *ss)
{
	memset(cs, 0, sizeof(struct desc_struct));
	ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
	memset(ss, 0, sizeof(struct desc_struct));

	cs->l = 0;		/* will be adjusted later */
	set_desc_base(cs, 0);	/* flat segment */
	cs->g = 1;		/* 4kb granularity */
	set_desc_limit(cs, 0xfffff);	/* 4GB limit */
	cs->type = 0x0b;	/* Read, Execute, Accessed */
	cs->s = 1;
	cs->dpl = 0;		/* will be adjusted later */
	cs->p = 1;
	cs->d = 1;

	set_desc_base(ss, 0);	/* flat segment */
	set_desc_limit(ss, 0xfffff);	/* 4GB limit */
	ss->g = 1;		/* 4kb granularity */
	ss->s = 1;
	ss->type = 0x03;	/* Read/Write, Accessed */
	ss->d = 1;		/* 32bit stack segment */
	ss->dpl = 0;
	ss->p = 1;
}
static int
emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* syscall is not available in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
	msr_data >>= 32;
	cs_sel = (u16)(msr_data & 0xfffc);
	ss_sel = (u16)(msr_data + 8);

	if (is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}
	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->regs[VCPU_REGS_RCX] = c->eip;
	if (is_long_mode(ctxt->vcpu)) {
#ifdef CONFIG_X86_64
		c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;

		ops->get_msr(ctxt->vcpu,
			     ctxt->mode == X86EMUL_MODE_PROT64 ?
			     MSR_LSTAR : MSR_CSTAR, &msr_data);
		c->eip = msr_data;

		ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
		ctxt->eflags &= ~(msr_data | EFLG_RF);
#endif
	} else {
		/* legacy mode */
		ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
		c->eip = (u32)msr_data;

		ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	}

	return X86EMUL_CONTINUE;
}
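
/*
 * MSR_STAR layout used above: bits 47:32 hold the kernel CS selector for
 * SYSCALL (SS is that value + 8). For example, a STAR of 0x0023001000000000
 * yields CS 0x0010 and SS 0x0018 after the "msr_data >>= 32" shift.
 */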
static int
emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	/* XXX sysenter/sysexit have not been tested in 64bit mode.
	 * Therefore, we inject an #UD.
	 */
	if (ctxt->mode == X86EMUL_MODE_PROT64) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT32:
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	case X86EMUL_MODE_PROT64:
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	}

	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	cs_sel = (u16)msr_data;
	cs_sel &= ~SELECTOR_RPL_MASK;
	ss_sel = cs_sel + 8;
	ss_sel &= ~SELECTOR_RPL_MASK;
	if (ctxt->mode == X86EMUL_MODE_PROT64
	    || is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
	c->eip = msr_data;

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
	c->regs[VCPU_REGS_RSP] = msr_data;

	return X86EMUL_CONTINUE;
}

static int
emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	int usermode;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode or Virtual 8086 mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	if ((c->rex_prefix & 0x8) != 0x0)
		usermode = X86EMUL_MODE_PROT64;
	else
		usermode = X86EMUL_MODE_PROT32;

	cs.dpl = 3;
	ss.dpl = 3;
	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (usermode) {
	case X86EMUL_MODE_PROT32:
		cs_sel = (u16)(msr_data + 16);
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = (u16)(msr_data + 24);
		break;
	case X86EMUL_MODE_PROT64:
		cs_sel = (u16)(msr_data + 32);
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = cs_sel + 8;
		cs.d = 0;
		cs.l = 1;
		break;
	}
	cs_sel |= SELECTOR_RPL_MASK;
	ss_sel |= SELECTOR_RPL_MASK;

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->eip = c->regs[VCPU_REGS_RDX];
	c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];

	return X86EMUL_CONTINUE;
}
static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops)
{
	int iopl;

	if (ctxt->mode == X86EMUL_MODE_REAL)
		return false;
	if (ctxt->mode == X86EMUL_MODE_VM86)
		return true;
	iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	return ops->cpl(ctxt->vcpu) > iopl;
}

static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
					    struct x86_emulate_ops *ops,
					    u16 port, u16 len)
{
	struct desc_struct tr_seg;
	int r;
	u16 io_bitmap_ptr;
	u8 perm, bit_idx = port & 0x7;
	unsigned mask = (1 << len) - 1;

	ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
	if (!tr_seg.p)
		return false;
	if (desc_limit_scaled(&tr_seg) < 103)
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
			  ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
			  &perm, 1, ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if ((perm >> bit_idx) & mask)
		return false;
	return true;
}
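
/*
 * Example: port 0x3f9 with len 2 reads the TSS I/O bitmap byte at offset
 * io_bitmap_ptr + 0x7f; bit_idx is 1, so mask 0x3 must find both bits clear
 * for access to be allowed (a set bit in the bitmap denies access).
 */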
static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 u16 port, u16 len)
{
	if (emulator_bad_iopl(ctxt, ops))
		if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
			return false;
	return true;
}

static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->ip = c->eip;
	tss->flag = ctxt->eflags;
	tss->ax = c->regs[VCPU_REGS_RAX];
	tss->cx = c->regs[VCPU_REGS_RCX];
	tss->dx = c->regs[VCPU_REGS_RDX];
	tss->bx = c->regs[VCPU_REGS_RBX];
	tss->sp = c->regs[VCPU_REGS_RSP];
	tss->bp = c->regs[VCPU_REGS_RBP];
	tss->si = c->regs[VCPU_REGS_RSI];
	tss->di = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	c->eip = tss->ip;
	ctxt->eflags = tss->flag | 2;
	c->regs[VCPU_REGS_RAX] = tss->ax;
	c->regs[VCPU_REGS_RCX] = tss->cx;
	c->regs[VCPU_REGS_RDX] = tss->dx;
	c->regs[VCPU_REGS_RBX] = tss->bx;
	c->regs[VCPU_REGS_RSP] = tss->sp;
	c->regs[VCPU_REGS_RBP] = tss->bp;
	c->regs[VCPU_REGS_RSI] = tss->si;
	c->regs[VCPU_REGS_RDI] = tss->di;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If a fault happens at this stage
	 * it is handled in the context of the new task
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}

static int task_switch_16(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_16 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss16(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss16(ctxt, ops, &tss_seg);
}
static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->cr3 = ops->get_cr(3, ctxt->vcpu);
	tss->eip = c->eip;
	tss->eflags = ctxt->eflags;
	tss->eax = c->regs[VCPU_REGS_RAX];
	tss->ecx = c->regs[VCPU_REGS_RCX];
	tss->edx = c->regs[VCPU_REGS_RDX];
	tss->ebx = c->regs[VCPU_REGS_RBX];
	tss->esp = c->regs[VCPU_REGS_RSP];
	tss->ebp = c->regs[VCPU_REGS_RBP];
	tss->esi = c->regs[VCPU_REGS_RSI];
	tss->edi = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
	tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
	tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}

static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}
	c->eip = tss->eip;
	ctxt->eflags = tss->eflags | 2;
	c->regs[VCPU_REGS_RAX] = tss->eax;
	c->regs[VCPU_REGS_RCX] = tss->ecx;
	c->regs[VCPU_REGS_RDX] = tss->edx;
	c->regs[VCPU_REGS_RBX] = tss->ebx;
	c->regs[VCPU_REGS_RSP] = tss->esp;
	c->regs[VCPU_REGS_RBP] = tss->ebp;
	c->regs[VCPU_REGS_RSI] = tss->esi;
	c->regs[VCPU_REGS_RDI] = tss->edi;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
	ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
	ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If a fault happens at this stage
	 * it is handled in the context of the new task
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_32(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_32 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss32(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss32(ctxt, ops, &tss_seg);
}

static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 tss_selector, int reason,
				   bool has_error_code, u32 error_code)
{
	struct desc_struct curr_tss_desc, next_tss_desc;
	int ret;
	u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
	ulong old_tss_base =
		ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
	u32 desc_limit;

	/* FIXME: old_tss_base == ~0 ? */

	ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	/* FIXME: check that next_tss_desc is tss */

	if (reason != TASK_SWITCH_IRET) {
		if ((tss_selector & 3) > next_tss_desc.dpl ||
		    ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
	}

	desc_limit = desc_limit_scaled(&next_tss_desc);
	if (!next_tss_desc.p ||
	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
	     desc_limit < 0x2b)) {
		emulate_ts(ctxt, tss_selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
		curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
		write_segment_descriptor(ctxt, ops, old_tss_sel,
					 &curr_tss_desc);
	}

	if (reason == TASK_SWITCH_IRET)
		ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;

	/* set back link to prev task only if NT bit is set in eflags
	   note that old_tss_sel is not used after this point */
	if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
		old_tss_sel = 0xffff; /* reload via task switch with nt */

	if (next_tss_desc.type & 8)
		ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	else
		ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
		ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;

	if (reason != TASK_SWITCH_IRET) {
		next_tss_desc.type |= (1 << 1); /* set busy flag */
		write_segment_descriptor(ctxt, ops, tss_selector,
					 &next_tss_desc);
	}

	ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
	ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
	ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);

	if (has_error_code) {
		struct decode_cache *c = &ctxt->decode;

		c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
		c->lock_prefix = 0;
		c->src.val = (unsigned long) error_code;
		emulate_push(ctxt, ops);
	}

	return ret;
}
int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
			 u16 tss_selector, int reason,
			 bool has_error_code, u32 error_code)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc;

	c->eip = ctxt->eip;
	c->dst.type = OP_NONE;

	rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
				     has_error_code, error_code);

	if (rc == X86EMUL_CONTINUE) {
		rc = writeback(ctxt, ops);
		if (rc == X86EMUL_CONTINUE)
			ctxt->eip = c->eip;
	}

	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}

static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
			    int reg, struct operand *op)
{
	struct decode_cache *c = &ctxt->decode;
	int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;

	register_address_increment(c, &c->regs[reg], df * op->bytes);
	op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
}
#define D(_y) { .flags = (_y) }
#define N    D(0)
#define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
#define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
#define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
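
/*
 * Example: the entry for opcode 0xff below is G(0, group5), so decode
 * dispatches on ModRM bits 5:3 into group5[] (inc/dec/call/jmp/push),
 * while 0x0f 0x01 uses GD(0, &group7) to first pick mod012[] or mod3[]
 * by the ModRM mod field.
 */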
static struct opcode group1[] = {
	X7(D(Lock)), N
};

static struct opcode group1A[] = {
	D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
};

static struct opcode group3[] = {
	D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	X4(D(Undefined)),
};

static struct opcode group4[] = {
	D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
	N, N, N, N, N, N,
};

static struct opcode group5[] = {
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	D(SrcMem | ModRM | Stack), N,
	D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
	D(SrcMem | ModRM | Stack), N,
};

static struct group_dual group7 = { {
	N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv), D(SrcMem | ModRM | ByteOp | Priv),
}, {
	D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv), N,
} };

static struct opcode group8[] = {
	N, N, N, N,
	D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
	D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
};

static struct group_dual group9 = { {
	N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
}, {
	N, N, N, N, N, N, N, N,
} };
static struct opcode opcode_table[256] = {
	/* 0x00 - 0x07 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x08 - 0x0F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), N,
	/* 0x10 - 0x17 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x18 - 0x1F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x20 - 0x27 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x28 - 0x2F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x30 - 0x37 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x38 - 0x3F */
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg)),
	/* 0x50 - 0x57 */
	X8(D(SrcReg | Stack)),
	/* 0x58 - 0x5F */
	X8(D(DstReg | Stack)),
	/* 0x60 - 0x67 */
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
	N, N, N, N,
	/* 0x68 - 0x6F */
	D(SrcImm | Mov | Stack), N, D(SrcImmByte | Mov | Stack), N,
	D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
	D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
	/* 0x70 - 0x7F */
	X16(D(SrcImmByte)),
	/* 0x80 - 0x87 */
	G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
	G(DstMem | SrcImm | ModRM | Group, group1),
	G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
	G(DstMem | SrcImmByte | ModRM | Group, group1),
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	/* 0x88 - 0x8F */
	D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
	D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
	D(DstMem | SrcNone | ModRM | Mov), D(ModRM | DstReg),
	D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
	/* 0x90 - 0x97 */
	D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg), D(DstReg),
	/* 0x98 - 0x9F */
	N, N, D(SrcImmFAddr | No64), N,
	D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
	/* 0xA0 - 0xA7 */
	D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
	D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
	D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
	D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
	/* 0xA8 - 0xAF */
	D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
	D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
	D(ByteOp | DstDI | String), D(DstDI | String),
	/* 0xB0 - 0xB7 */
	X8(D(ByteOp | DstReg | SrcImm | Mov)),
	/* 0xB8 - 0xBF */
	X8(D(DstReg | SrcImm | Mov)),
	/* 0xC0 - 0xC7 */
	D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
	N, D(ImplicitOps | Stack), N, N,
	D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
	/* 0xC8 - 0xCF */
	N, N, N, D(ImplicitOps | Stack),
	D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
	/* 0xD0 - 0xD7 */
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	N, N, N, N,
	/* 0xD8 - 0xDF */
	N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xE7 */
	N, N, N, N,
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	/* 0xE8 - 0xEF */
	D(SrcImm | Stack), D(SrcImm | ImplicitOps),
	D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	/* 0xF0 - 0xF7 */
	N, N, N, N,
	D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
	/* 0xF8 - 0xFF */
	D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
	D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
};
static struct opcode twobyte_table[256] = {
	/* 0x00 - 0x0F */
	N, GD(0, &group7), N, N,
	N, D(ImplicitOps), D(ImplicitOps | Priv), N,
	D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
	N, D(ImplicitOps | ModRM), N, N,
	/* 0x10 - 0x1F */
	N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
	/* 0x20 - 0x2F */
	D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
	D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
	N, N, N, N,
	N, N, N, N, N, N, N, N,
	/* 0x30 - 0x3F */
	D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
	D(ImplicitOps), D(ImplicitOps | Priv), N, N,
	N, N, N, N, N, N, N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg | SrcMem | ModRM | Mov)),
	/* 0x50 - 0x5F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x60 - 0x6F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x70 - 0x7F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x80 - 0x8F */
	X16(D(SrcImm)),
	/* 0x90 - 0x9F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xA0 - 0xA7 */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM), N, N,
	/* 0xA8 - 0xAF */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM),
	D(ModRM), N,
	/* 0xB0 - 0xB7 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xB8 - 0xBF */
	N, N,
	G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xC0 - 0xCF */
	N, N, N, D(DstMem | SrcReg | ModRM | Mov),
	N, N, N, GD(0, &group9),
	N, N, N, N, N, N, N, N,
	/* 0xD0 - 0xDF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xEF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xF0 - 0xFF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
};
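
/*
 * Entries in this table are reached only after the 0x0f escape byte has
 * been fetched; c->b then holds the second opcode byte.
 */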
int
x86_decode_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int mode = ctxt->mode;
	int def_op_bytes, def_ad_bytes, dual, goffset;
	struct opcode opcode, *g_mod012, *g_mod3;

	/* We cannot decode a new insn until the previous rep insn completes. */
	WARN_ON(ctxt->restart);

	c->eip = ctxt->eip;
	c->fetch.start = c->fetch.end = c->eip;
	ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
	switch (mode) {
	case X86EMUL_MODE_REAL:
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
		def_op_bytes = def_ad_bytes = 2;
		break;
	case X86EMUL_MODE_PROT32:
		def_op_bytes = def_ad_bytes = 4;
		break;
#ifdef CONFIG_X86_64
	case X86EMUL_MODE_PROT64:
		def_op_bytes = 4;
		def_ad_bytes = 8;
		break;
#endif
	default:
		return -1;
	}

	c->op_bytes = def_op_bytes;
	c->ad_bytes = def_ad_bytes;
	/* Legacy prefixes. */
	for (;;) {
		switch (c->b = insn_fetch(u8, 1, c->eip)) {
		case 0x66:	/* operand-size override */
			/* switch between 2/4 bytes */
			c->op_bytes = def_op_bytes ^ 6;
			break;
		case 0x67:	/* address-size override */
			if (mode == X86EMUL_MODE_PROT64)
				/* switch between 4/8 bytes */
				c->ad_bytes = def_ad_bytes ^ 12;
			else
				/* switch between 2/4 bytes */
				c->ad_bytes = def_ad_bytes ^ 6;
			break;
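		/*
		 * The XOR trick above works because the legal size pairs
		 * differ in fixed bits: 2 ^ 6 == 4 and 4 ^ 6 == 2 toggle
		 * 16/32-bit operands, while 4 ^ 12 == 8 and 8 ^ 12 == 4
		 * toggle 32/64-bit addresses.  XORing the *default* size
		 * (not the current one) keeps repeated prefixes idempotent.
		 */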
		case 0x26:	/* ES override */
		case 0x2e:	/* CS override */
		case 0x36:	/* SS override */
		case 0x3e:	/* DS override */
			set_seg_override(c, (c->b >> 3) & 3);
			break;
		case 0x64:	/* FS override */
		case 0x65:	/* GS override */
			set_seg_override(c, c->b & 7);
			break;
		case 0x40 ... 0x4f: /* REX */
			if (mode != X86EMUL_MODE_PROT64)
				goto done_prefixes;
			c->rex_prefix = c->b;
			continue;
		case 0xf0:	/* LOCK */
			c->lock_prefix = 1;
			break;
		case 0xf2:	/* REPNE/REPNZ */
			c->rep_prefix = REPNE_PREFIX;
			break;
		case 0xf3:	/* REP/REPE/REPZ */
			c->rep_prefix = REPE_PREFIX;
			break;
		default:
			goto done_prefixes;
		}

		/* Any legacy prefix after a REX prefix nullifies its effect. */
		c->rex_prefix = 0;
	}

done_prefixes:

	/* REX prefix. */
	if (c->rex_prefix & 8)
		c->op_bytes = 8;	/* REX.W */
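
	/*
	 * REX is a prefix only in 64-bit mode (0x40-0x4f decode as inc/dec
	 * elsewhere, hence the goto above), and it must immediately precede
	 * the opcode: e.g. 66 48 89 c0 is a 64-bit mov because REX.W wins
	 * over 0x66, while 48 66 89 c0 is a 16-bit mov because the 0x66
	 * after REX nullifies it.
	 */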
	/* Opcode byte(s). */
	opcode = opcode_table[c->b];
	if (opcode.flags == 0) {
		/* Two-byte opcode? */
		if (c->b == 0x0f) {
			c->twobyte = 1;
			c->b = insn_fetch(u8, 1, c->eip);
			opcode = twobyte_table[c->b];
		}
	}
	c->d = opcode.flags;

	if (c->d & Group) {
		dual = c->d & GroupDual;
		c->modrm = insn_fetch(u8, 1, c->eip);
		--c->eip;

		if (c->d & GroupDual) {
			g_mod012 = opcode.u.gdual->mod012;
			g_mod3 = opcode.u.gdual->mod3;
		} else
			g_mod012 = g_mod3 = opcode.u.group;

		c->d &= ~(Group | GroupDual);

		goffset = (c->modrm >> 3) & 7;
		if ((c->modrm >> 6) == 3)
			opcode = g_mod3[goffset];
		else
			opcode = g_mod012[goffset];
		c->d |= opcode.flags;
	}
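
	/*
	 * For Group opcodes, bits 5:3 of the ModR/M byte select the real
	 * instruction, e.g. 0xff /4 is the indirect near jmp in group5,
	 * and GroupDual picks a separate table when mod == 3 (register
	 * form).  The ModR/M byte is only peeked at here (note the
	 * --c->eip above); decode_modrm() will fetch it again.
	 */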
	c->execute = opcode.u.execute;
	/* Unrecognised? */
	if (c->d == 0 || (c->d & Undefined)) {
		DPRINTF("Cannot emulate %02x\n", c->b);
		return -1;
	}

	if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
		c->op_bytes = 8;

	/* ModRM and SIB bytes. */
	if (c->d & ModRM)
		rc = decode_modrm(ctxt, ops);
	else if (c->d & MemAbs)
		rc = decode_abs(ctxt, ops);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	if (!c->has_seg_override)
		set_seg_override(c, VCPU_SREG_DS);

	if (!(!c->twobyte && c->b == 0x8d))
		c->modrm_ea += seg_override_base(ctxt, ops, c);

	if (c->ad_bytes != 8)
		c->modrm_ea = (u32)c->modrm_ea;

	if (c->rip_relative)
		c->modrm_ea += c->eip;
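
	/*
	 * Notes: the one-byte 0x8d (lea) case above skips the segment base
	 * because lea wants the raw effective address.  The rip-relative
	 * fixup adds c->eip as of the ModRM/SIB/displacement bytes; any
	 * immediate bytes are fetched after this point, so they are not
	 * yet reflected in the displacement here.
	 */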
	/*
	 * Decode and fetch the source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & SrcMask) {
	case SrcNone:
		break;
	case SrcReg:
		decode_register_operand(&c->src, c, 0);
		break;
	case SrcMem16:
		c->src.bytes = 2;
		goto srcmem_common;
	case SrcMem32:
		c->src.bytes = 4;
		goto srcmem_common;
	case SrcMem:
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		/* Don't fetch the address for invlpg: it could be unmapped. */
		if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
			break;
	srcmem_common:
		/*
		 * For instructions with a ModR/M byte, switch to register
		 * access if Mod = 3.
		 */
		if ((c->d & ModRM) && c->modrm_mod == 3) {
			c->src.type = OP_REG;
			c->src.val = c->modrm_val;
			c->src.ptr = c->modrm_ptr;
			break;
		}
		c->src.type = OP_MEM;
		c->src.ptr = (unsigned long *)c->modrm_ea;
		c->src.val = 0;
		break;
	case SrcImm:
	case SrcImmU:
		c->src.type = OP_IMM;
		c->src.ptr = (unsigned long *)c->eip;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		if (c->src.bytes == 8)
			c->src.bytes = 4;
		/* NB. Immediates are sign-extended as necessary. */
		switch (c->src.bytes) {
		case 1:
			c->src.val = insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->src.val = insn_fetch(s16, 2, c->eip);
			break;
		case 4:
			c->src.val = insn_fetch(s32, 4, c->eip);
			break;
		}
		if ((c->d & SrcMask) == SrcImmU) {
			switch (c->src.bytes) {
			case 1:
				c->src.val &= 0xff;
				break;
			case 2:
				c->src.val &= 0xffff;
				break;
			case 4:
				c->src.val &= 0xffffffff;
				break;
			}
		}
		break;
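	/*
	 * x86 has no 8-byte immediates apart from mov r64,imm64, which is
	 * why a 64-bit operand takes a 4-byte immediate that is fetched
	 * sign-extended; SrcImmU then masks the sign extension back off
	 * for the unsigned cases.
	 */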
	case SrcImmByte:
	case SrcImmUByte:
		c->src.type = OP_IMM;
		c->src.ptr = (unsigned long *)c->eip;
		c->src.bytes = 1;
		if ((c->d & SrcMask) == SrcImmByte)
			c->src.val = insn_fetch(s8, 1, c->eip);
		else
			c->src.val = insn_fetch(u8, 1, c->eip);
		break;
	case SrcAcc:
		c->src.type = OP_REG;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.ptr = &c->regs[VCPU_REGS_RAX];
		switch (c->src.bytes) {
		case 1:
			c->src.val = *(u8 *)c->src.ptr;
			break;
		case 2:
			c->src.val = *(u16 *)c->src.ptr;
			break;
		case 4:
			c->src.val = *(u32 *)c->src.ptr;
			break;
		case 8:
			c->src.val = *(u64 *)c->src.ptr;
			break;
		}
		break;
	case SrcOne:
		c->src.bytes = 1;
		c->src.val = 1;
		break;
	case SrcSI:
		c->src.type = OP_MEM;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.ptr = (unsigned long *)
			register_address(c, seg_override_base(ctxt, ops, c),
					 c->regs[VCPU_REGS_RSI]);
		c->src.val = 0;
		break;
	case SrcImmFAddr:
		c->src.type = OP_IMM;
		c->src.ptr = (unsigned long *)c->eip;
		c->src.bytes = c->op_bytes + 2;
		insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
		break;
	case SrcMemFAddr:
		c->src.type = OP_MEM;
		c->src.ptr = (unsigned long *)c->modrm_ea;
		c->src.bytes = c->op_bytes + 2;
		break;
	}
	/*
	 * Decode and fetch the second source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & Src2Mask) {
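	/*
	 * Src2CL below masks with 0xff: the count for shld/shrd lives in
	 * CL, the low byte of RCX.  (A mask of 0x8 would keep only bit 3
	 * of the count, which does not match hardware behaviour.)
	 */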
	case Src2None:
		break;
	case Src2CL:
		c->src2.bytes = 1;
		c->src2.val = c->regs[VCPU_REGS_RCX] & 0xff;
		break;
	case Src2ImmByte:
		c->src2.type = OP_IMM;
		c->src2.ptr = (unsigned long *)c->eip;
		c->src2.bytes = 1;
		c->src2.val = insn_fetch(u8, 1, c->eip);
		break;
	case Src2One:
		c->src2.bytes = 1;
		c->src2.val = 1;
		break;
	}
	/* Decode and fetch the destination operand: register or memory. */
	switch (c->d & DstMask) {
	case ImplicitOps:
		/* Special instructions do their own operand decoding. */
		return 0;
	case DstReg:
		decode_register_operand(&c->dst, c,
			 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
		break;
	case DstMem:
	case DstMem64:
		if ((c->d & ModRM) && c->modrm_mod == 3) {
			c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
			c->dst.type = OP_REG;
			c->dst.val = c->dst.orig_val = c->modrm_val;
			c->dst.ptr = c->modrm_ptr;
			break;
		}
		c->dst.type = OP_MEM;
		c->dst.ptr = (unsigned long *)c->modrm_ea;
		if ((c->d & DstMask) == DstMem64)
			c->dst.bytes = 8;
		else
			c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.val = 0;
		if (c->d & BitOp) {
			unsigned long mask = ~(c->dst.bytes * 8 - 1);

			c->dst.ptr = (void *)c->dst.ptr +
						   (c->src.val & mask) / 8;
		}
		break;
	case DstAcc:
		c->dst.type = OP_REG;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.ptr = &c->regs[VCPU_REGS_RAX];
		switch (c->dst.bytes) {
		case 1:
			c->dst.val = *(u8 *)c->dst.ptr;
			break;
		case 2:
			c->dst.val = *(u16 *)c->dst.ptr;
			break;
		case 4:
			c->dst.val = *(u32 *)c->dst.ptr;
			break;
		case 8:
			c->dst.val = *(u64 *)c->dst.ptr;
			break;
		}
		c->dst.orig_val = c->dst.val;
		break;
	case DstDI:
		c->dst.type = OP_MEM;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.ptr = (unsigned long *)
			register_address(c, es_base(ctxt, ops),
					 c->regs[VCPU_REGS_RDI]);
		c->dst.val = 0;
		break;
	}

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}

int
x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	u64 msr_data;
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int saved_dst_type = c->dst.type;

	ctxt->decode.mem_read.pos = 0;

	if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
		emulate_ud(ctxt);
		goto done;
	}
	/* LOCK prefix is allowed only with some instructions */
	if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
		emulate_ud(ctxt);
		goto done;
	}

	/* Privileged instructions can be executed only at CPL == 0. */
	if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		goto done;
	}
	if (c->rep_prefix && (c->d & String)) {
		ctxt->restart = true;
		/* All REP prefixes have the same first termination condition. */
		if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
		string_done:
			ctxt->restart = false;
			ctxt->eip = c->eip;
			goto done;
		}
		/*
		 * The second termination condition applies only to REPE and
		 * REPNE: if the repeat prefix is REPE/REPZ or REPNE/REPNZ,
		 * test the matching condition:
		 *	- if REPE/REPZ and ZF = 0 then done
		 *	- if REPNE/REPNZ and ZF = 1 then done
		 */
		if ((c->b == 0xa6) || (c->b == 0xa7) ||
		    (c->b == 0xae) || (c->b == 0xaf)) {
			if ((c->rep_prefix == REPE_PREFIX) &&
			    ((ctxt->eflags & EFLG_ZF) == 0))
				goto string_done;
			if ((c->rep_prefix == REPNE_PREFIX) &&
			    ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
				goto string_done;
		}
		c->eip = ctxt->eip;
	}
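
	/*
	 * If neither termination condition fired, a single iteration of
	 * the string instruction is emulated below; the writeback path at
	 * the end of this function then decides whether to loop inside
	 * the emulator or re-enter the guest.
	 */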
	if (c->src.type == OP_MEM) {
		rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
					c->src.valptr, c->src.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		c->src.orig_val64 = c->src.val64;
	}

	if (c->src2.type == OP_MEM) {
		rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
					&c->src2.val, c->src2.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	if ((c->d & DstMask) == ImplicitOps)
		goto special_insn;

	if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
		/* optimisation - avoid slow emulated read if Mov */
		rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
				   &c->dst.val, c->dst.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}
	c->dst.orig_val = c->dst.val;

special_insn:

	if (c->execute) {
		rc = c->execute(ctxt);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		goto writeback;
	}

	if (c->twobyte)
		goto twobyte_insn;

	switch (c->b) {
	case 0x00 ... 0x05:
	add:			/* add */
		emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
		break;
	case 0x06:		/* push es */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
		break;
	case 0x07:		/* pop es */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x08 ... 0x0d:
	or:			/* or */
		emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
		break;
	case 0x0e:		/* push cs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
		break;
	case 0x10 ... 0x15:
	adc:			/* adc */
		emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
		break;
	case 0x16:		/* push ss */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
		break;
	case 0x17:		/* pop ss */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x18 ... 0x1d:
	sbb:			/* sbb */
		emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
		break;
	case 0x1e:		/* push ds */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
		break;
	case 0x1f:		/* pop ds */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x20 ... 0x25:
	and:			/* and */
		emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
		break;
	case 0x28 ... 0x2d:
	sub:			/* sub */
		emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
		break;
	case 0x30 ... 0x35:
	xor:			/* xor */
		emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
		break;
	case 0x38 ... 0x3d:
	cmp:			/* cmp */
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
		break;
	case 0x40 ... 0x47: /* inc r16/r32 */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 0x48 ... 0x4f: /* dec r16/r32 */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 0x50 ... 0x57: /* push reg */
		emulate_push(ctxt, ops);
		break;
	case 0x58 ... 0x5f: /* pop reg */
	pop_instruction:
		rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x60:	/* pusha */
		rc = emulate_pusha(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x61:	/* popa */
		rc = emulate_popa(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x63:	/* movsxd */
		if (ctxt->mode != X86EMUL_MODE_PROT64)
			goto cannot_emulate;
		c->dst.val = (s32) c->src.val;
		break;
	case 0x68: /* push imm */
	case 0x6a: /* push imm8 */
		emulate_push(ctxt, ops);
		break;
	case 0x6c:		/* insb */
	case 0x6d:		/* insw/insd */
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
					  c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
				     c->regs[VCPU_REGS_RDX], &c->dst.val))
			goto done; /* IO is needed, skip writeback */
		break;
	case 0x6e:		/* outsb */
	case 0x6f:		/* outsw/outsd */
		c->src.bytes = min(c->src.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
					  c->src.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
				      &c->src.val, 1, ctxt->vcpu);
		c->dst.type = OP_NONE; /* nothing to writeback */
		break;
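	/*
	 * Note: for the I/O cases above, emulator_io_permited() checks
	 * IOPL and, when that fails, the TSS I/O permission bitmap; a
	 * denied access raises #GP(0) just as hardware would.
	 */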
	case 0x70 ... 0x7f: /* jcc (short) */
		if (test_cc(c->b, ctxt->eflags))
			jmp_rel(c, c->src.val);
		break;
	case 0x80 ... 0x83:	/* Grp1 */
		switch (c->modrm_reg) {
		case 0:
			goto add;
		case 1:
			goto or;
		case 2:
			goto adc;
		case 3:
			goto sbb;
		case 4:
			goto and;
		case 5:
			goto sub;
		case 6:
			goto xor;
		case 7:
			goto cmp;
		}
		break;
	case 0x84 ... 0x85:
	test:
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 0x86 ... 0x87:	/* xchg */
	xchg:
		/* Write back the register source. */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *) c->src.ptr = (u8) c->dst.val;
			break;
		case 2:
			*(u16 *) c->src.ptr = (u16) c->dst.val;
			break;
		case 4:
			*c->src.ptr = (u32) c->dst.val;
			break;	/* 64b reg: zero-extend */
		case 8:
			*c->src.ptr = c->dst.val;
			break;
		}
		/*
		 * Write back the memory destination with implicit LOCK
		 * prefix.
		 */
		c->dst.val = c->src.val;
		c->lock_prefix = 1;
		break;
	case 0x88 ... 0x8b:	/* mov */
		goto mov;
	case 0x8c:  /* mov r/m, sreg */
		if (c->modrm_reg > VCPU_SREG_GS) {
			emulate_ud(ctxt);
			goto done;
		}
		c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
		break;
	case 0x8d: /* lea r16/r32, m */
		c->dst.val = c->modrm_ea;
		break;
	case 0x8e: { /* mov seg, r/m16 */
		uint16_t sel;

		sel = c->src.val;

		if (c->modrm_reg == VCPU_SREG_CS ||
		    c->modrm_reg > VCPU_SREG_GS) {
			emulate_ud(ctxt);
			goto done;
		}

		if (c->modrm_reg == VCPU_SREG_SS)
			ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;

		rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);

		c->dst.type = OP_NONE;  /* Disable writeback. */
		break;
	}
	case 0x8f:		/* pop (sole member of Grp1a) */
		rc = emulate_grp1a(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x90: /* nop / xchg r8,rax */
		if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
			c->dst.type = OP_NONE;  /* nop */
			break;
		}
	case 0x91 ... 0x97: /* xchg reg,rax */
		c->src.type = OP_REG;
		c->src.bytes = c->op_bytes;
		c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
		c->src.val = *(c->src.ptr);
		goto xchg;
	case 0x9c: /* pushf */
		c->src.val = (unsigned long) ctxt->eflags;
		emulate_push(ctxt, ops);
		break;
	case 0x9d: /* popf */
		c->dst.type = OP_REG;
		c->dst.ptr = (unsigned long *) &ctxt->eflags;
		c->dst.bytes = c->op_bytes;
		rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xa0 ... 0xa3:	/* mov */
	case 0xa4 ... 0xa5:	/* movs */
		goto mov;
	case 0xa6 ... 0xa7:	/* cmps */
		c->dst.type = OP_NONE; /* Disable writeback. */
		DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
		goto cmp;
	case 0xa8 ... 0xa9:	/* test ax, imm */
		goto test;
	case 0xaa ... 0xab:	/* stos */
		c->dst.val = c->regs[VCPU_REGS_RAX];
		break;
	case 0xac ... 0xad:	/* lods */
		goto mov;
	case 0xae ... 0xaf:	/* scas */
		DPRINTF("Urk! I don't handle SCAS.\n");
		goto cannot_emulate;
	case 0xb0 ... 0xbf: /* mov r, imm */
		goto mov;
	case 0xc0 ... 0xc1:
		emulate_grp2(ctxt);
		break;
	case 0xc3: /* ret */
		c->dst.type = OP_REG;
		c->dst.ptr = &c->eip;
		c->dst.bytes = c->op_bytes;
		goto pop_instruction;
	case 0xc6 ... 0xc7:	/* mov (sole member of Grp11) */
	mov:
		c->dst.val = c->src.val;
		break;
	case 0xcb:		/* ret far */
		rc = emulate_ret_far(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xcf:		/* iret */
		rc = emulate_iret(ctxt, ops);

		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xd0 ... 0xd1:	/* Grp2 */
		c->src.val = 1;
		emulate_grp2(ctxt);
		break;
	case 0xd2 ... 0xd3:	/* Grp2 */
		c->src.val = c->regs[VCPU_REGS_RCX];
		emulate_grp2(ctxt);
		break;
	case 0xe4:	/* inb */
	case 0xe5:	/* in */
		goto do_io_in;
	case 0xe6: /* outb */
	case 0xe7: /* out */
		goto do_io_out;
	case 0xe8: /* call (near) */ {
		long int rel = c->src.val;
		c->src.val = (unsigned long) c->eip;
		jmp_rel(c, rel);
		emulate_push(ctxt, ops);
		break;
	}
	case 0xe9: /* jmp rel */
		goto jmp;
	case 0xea: { /* jmp far */
		unsigned short sel;
	jump_far:
		memcpy(&sel, c->src.valptr + c->op_bytes, 2);

		if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
			goto done;

		c->eip = 0;
		memcpy(&c->eip, c->src.valptr, c->op_bytes);
		break;
	}
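	/*
	 * The immediate far pointer decoded above (SrcImmFAddr) is laid
	 * out as an op_bytes-sized offset followed by a 16-bit selector,
	 * which is why the selector lives at c->src.valptr + c->op_bytes.
	 */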
	case 0xeb:
	jmp:			/* jmp rel short */
		jmp_rel(c, c->src.val);
		c->dst.type = OP_NONE; /* Disable writeback. */
		break;
	case 0xec: /* in al,dx */
	case 0xed: /* in (e/r)ax,dx */
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_in:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
				     &c->dst.val))
			goto done; /* IO is needed */
		break;
	case 0xee: /* out dx,al */
	case 0xef: /* out dx,(e/r)ax */
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_out:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
				      ctxt->vcpu);
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xf4:		/* hlt */
		ctxt->vcpu->arch.halt_request = 1;
		break;
	case 0xf5:	/* cmc */
		/* complement carry flag from eflags reg */
		ctxt->eflags ^= EFLG_CF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xf6 ... 0xf7:	/* Grp3 */
		if (!emulate_grp3(ctxt, ops))
			goto cannot_emulate;
		break;
	case 0xf8: /* clc */
		ctxt->eflags &= ~EFLG_CF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfa: /* cli */
		if (emulator_bad_iopl(ctxt, ops)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			ctxt->eflags &= ~X86_EFLAGS_IF;
			c->dst.type = OP_NONE;	/* Disable writeback. */
		}
		break;
	case 0xfb: /* sti */
		if (emulator_bad_iopl(ctxt, ops)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
			ctxt->eflags |= X86_EFLAGS_IF;
			c->dst.type = OP_NONE;	/* Disable writeback. */
		}
		break;
	case 0xfc: /* cld */
		ctxt->eflags &= ~EFLG_DF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfd: /* std */
		ctxt->eflags |= EFLG_DF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfe: /* Grp4 */
	grp45:
		rc = emulate_grp45(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xff: /* Grp5 */
		if (c->modrm_reg == 5)
			goto jump_far;
		goto grp45;
	default:
		goto cannot_emulate;
	}

writeback:
	rc = writeback(ctxt, ops);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/*
	 * restore dst type in case the decoding will be reused
	 * (happens for string instructions)
	 */
	c->dst.type = saved_dst_type;

	if ((c->d & SrcMask) == SrcSI)
		string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
				VCPU_REGS_RSI, &c->src);

	if ((c->d & DstMask) == DstDI)
		string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
				&c->dst);

	if (c->rep_prefix && (c->d & String)) {
		struct read_cache *rc = &ctxt->decode.io_read;
		register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
		/*
		 * Re-enter the guest when the pio read-ahead buffer is
		 * empty or, if it is not used, after every 1024 iterations.
		 */
		if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
		    (rc->end != 0 && rc->end == rc->pos))
			ctxt->restart = false;
	}
	/*
	 * reset the read cache here in case the string instruction is
	 * restarted without decoding
	 */
	ctxt->decode.mem_read.end = 0;
	ctxt->eip = c->eip;

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;

twobyte_insn:
	switch (c->b) {
	case 0x01: /* lgdt, lidt, lmsw */
		switch (c->modrm_reg) {
			u16 size;
			unsigned long address;

		case 0: /* vmcall */
			if (c->modrm_mod != 3 || c->modrm_rm != 1)
				goto cannot_emulate;

			rc = kvm_fix_hypercall(ctxt->vcpu);
			if (rc != X86EMUL_CONTINUE)
				goto done;

			/* Let the processor re-execute the fixed hypercall */
			c->eip = ctxt->eip;
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 2: /* lgdt */
			rc = read_descriptor(ctxt, ops, c->src.ptr,
					     &size, &address, c->op_bytes);
			if (rc != X86EMUL_CONTINUE)
				goto done;
			realmode_lgdt(ctxt->vcpu, size, address);
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 3: /* lidt/vmmcall */
			if (c->modrm_mod == 3) {
				switch (c->modrm_rm) {
				case 1:
					rc = kvm_fix_hypercall(ctxt->vcpu);
					if (rc != X86EMUL_CONTINUE)
						goto done;
					break;
				default:
					goto cannot_emulate;
				}
			} else {
				rc = read_descriptor(ctxt, ops, c->src.ptr,
						     &size, &address,
						     c->op_bytes);
				if (rc != X86EMUL_CONTINUE)
					goto done;
				realmode_lidt(ctxt->vcpu, size, address);
			}
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 4: /* smsw */
			c->dst.bytes = 2;
			c->dst.val = ops->get_cr(0, ctxt->vcpu);
			break;
		case 6: /* lmsw */
			ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
				    (c->src.val & 0x0f), ctxt->vcpu);
			c->dst.type = OP_NONE;
			break;
		case 5: /* not defined */
			emulate_ud(ctxt);
			goto done;
		case 7: /* invlpg */
			emulate_invlpg(ctxt->vcpu, c->modrm_ea);
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		default:
			goto cannot_emulate;
		}
		break;
	case 0x05:		/* syscall */
		rc = emulate_syscall(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x06:		/* clts */
		emulate_clts(ctxt->vcpu);
		c->dst.type = OP_NONE;
		break;
	case 0x09:		/* wbinvd */
		kvm_emulate_wbinvd(ctxt->vcpu);
		c->dst.type = OP_NONE;
		break;
	case 0x08:		/* invd */
	case 0x0d:		/* GrpP (prefetch) */
	case 0x18:		/* Grp16 (prefetch/nop) */
		c->dst.type = OP_NONE;
		break;
	case 0x20: /* mov cr, reg */
		switch (c->modrm_reg) {
		case 1:
		case 5 ... 7:
		case 9 ... 15:
			emulate_ud(ctxt);
			goto done;
		}
		c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
		c->dst.type = OP_NONE;	/* no writeback */
		break;
	case 0x21: /* mov from dr to reg */
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
			emulate_ud(ctxt);
			goto done;
		}
		ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
		c->dst.type = OP_NONE;	/* no writeback */
		break;
	case 0x22: /* mov reg, cr */
		if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		c->dst.type = OP_NONE;
		break;
	case 0x23: /* mov from reg to dr */
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
			emulate_ud(ctxt);
			goto done;
		}

		if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
				((ctxt->mode == X86EMUL_MODE_PROT64) ?
				 ~0ULL : ~0U), ctxt->vcpu) < 0) {
			/* #UD condition is already handled by the code above */
			emulate_gp(ctxt, 0);
			goto done;
		}

		c->dst.type = OP_NONE;	/* no writeback */
		break;
	case 0x30:
		/* wrmsr */
		msr_data = (u32)c->regs[VCPU_REGS_RAX]
			| ((u64)c->regs[VCPU_REGS_RDX] << 32);
		if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		rc = X86EMUL_CONTINUE;
		c->dst.type = OP_NONE;
		break;
	case 0x32:
		/* rdmsr */
		if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			c->regs[VCPU_REGS_RAX] = (u32)msr_data;
			c->regs[VCPU_REGS_RDX] = msr_data >> 32;
		}
		rc = X86EMUL_CONTINUE;
		c->dst.type = OP_NONE;
		break;
	case 0x34:		/* sysenter */
		rc = emulate_sysenter(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x35:		/* sysexit */
		rc = emulate_sysexit(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x40 ... 0x4f:	/* cmov */
		c->dst.val = c->dst.orig_val = c->src.val;
		if (!test_cc(c->b, ctxt->eflags))
			c->dst.type = OP_NONE; /* no writeback */
		break;
	case 0x80 ... 0x8f: /* jcc rel (near) */
		if (test_cc(c->b, ctxt->eflags))
			jmp_rel(c, c->src.val);
		c->dst.type = OP_NONE;
		break;
	case 0xa0:	  /* push fs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
		break;
	case 0xa1:	 /* pop fs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xa3:
	bt:			/* bt */
		c->dst.type = OP_NONE;
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
		break;
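	/*
	 * For the bt family on a register operand, the bit offset is
	 * taken modulo the operand width (the "subword offset" masking
	 * above); for a memory operand, decode already rebased c->dst.ptr
	 * so that the offset falls inside the addressed word.
	 */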
	case 0xa4: /* shld imm8, r, r/m */
	case 0xa5: /* shld cl, r, r/m */
		emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
		break;
	case 0xa8:	/* push gs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
		break;
	case 0xa9:	/* pop gs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xab:
	bts:			/* bts */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
		break;
	case 0xac: /* shrd imm8, r, r/m */
	case 0xad: /* shrd cl, r, r/m */
		emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
		break;
	case 0xae:		/* clflush */
		break;
	case 0xb0 ... 0xb1:	/* cmpxchg */
		/*
		 * Save real source value, then compare EAX against
		 * destination.
		 */
		c->src.orig_val = c->src.val;
		c->src.val = c->regs[VCPU_REGS_RAX];
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
		if (ctxt->eflags & EFLG_ZF) {
			/* Success: write back to memory. */
			c->dst.val = c->src.orig_val;
		} else {
			/* Failure: write the value we saw to EAX. */
			c->dst.type = OP_REG;
			c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
		}
		break;
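	/*
	 * Note: on failure, hardware cmpxchg still performs a (locked)
	 * write of the old value to the destination; the emulator instead
	 * redirects the writeback to EAX, which is assumed equivalent
	 * here since the destination's value does not change.
	 */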
	case 0xb3:
	btr:			/* btr */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
		break;
	case 0xb6 ... 0xb7:	/* movzx */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
					     : (u16) c->src.val;
		break;
	case 0xba:		/* Grp8 */
		switch (c->modrm_reg & 3) {
		case 0:
			goto bt;
		case 1:
			goto bts;
		case 2:
			goto btr;
		case 3:
			goto btc;
		}
		break;
	case 0xbb:
	btc:			/* btc */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
		break;
	case 0xbe ... 0xbf:	/* movsx */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (s8) c->src.val
					     : (s16) c->src.val;
		break;
	case 0xc3:		/* movnti */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val
						: (u64) c->src.val;
		break;
	case 0xc7:		/* Grp9 (cmpxchg8b) */
		rc = emulate_grp9(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	default:
		goto cannot_emulate;
	}
	goto writeback;

cannot_emulate:
	DPRINTF("Cannot emulate %02x\n", c->b);
	return -1;
}