1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
77 /* Destination is only written; never read. */
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
86 #define Undefined (1<<25) /* No Such Instruction */
87 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
88 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
90 /* Source 2 operand type */
91 #define Src2None (0<<29)
92 #define Src2CL (1<<29)
93 #define Src2ImmByte (2<<29)
94 #define Src2One (3<<29)
95 #define Src2Mask (7<<29)
98 #define X3(x...) X2(x), x
99 #define X4(x...) X2(x), X2(x)
100 #define X5(x...) X4(x), x
101 #define X6(x...) X4(x), X2(x)
102 #define X7(x...) X4(x), X3(x)
103 #define X8(x...) X4(x), X4(x)
104 #define X16(x...) X8(x), X8(x)
109 int (*execute)(struct x86_emulate_ctxt *ctxt);
110 struct opcode *group;
111 struct group_dual *gdual;
116 struct opcode mod012[8];
117 struct opcode mod3[8];
120 /* EFLAGS bit definitions. */
121 #define EFLG_ID (1<<21)
122 #define EFLG_VIP (1<<20)
123 #define EFLG_VIF (1<<19)
124 #define EFLG_AC (1<<18)
125 #define EFLG_VM (1<<17)
126 #define EFLG_RF (1<<16)
127 #define EFLG_IOPL (3<<12)
128 #define EFLG_NT (1<<14)
129 #define EFLG_OF (1<<11)
130 #define EFLG_DF (1<<10)
131 #define EFLG_IF (1<<9)
132 #define EFLG_TF (1<<8)
133 #define EFLG_SF (1<<7)
134 #define EFLG_ZF (1<<6)
135 #define EFLG_AF (1<<4)
136 #define EFLG_PF (1<<2)
137 #define EFLG_CF (1<<0)
139 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
140 #define EFLG_RESERVED_ONE_MASK 2
143 * Instruction emulation:
144 * Most instructions are emulated directly via a fragment of inline assembly
145 * code. This allows us to save/restore EFLAGS and thus very easily pick up
146 * any modified flags.
149 #if defined(CONFIG_X86_64)
150 #define _LO32 "k" /* force 32-bit operand */
151 #define _STK "%%rsp" /* stack pointer */
152 #elif defined(__i386__)
153 #define _LO32 "" /* force 32-bit operand */
154 #define _STK "%%esp" /* stack pointer */
158 * These EFLAGS bits are restored from saved value during emulation, and
159 * any changes are written back to the saved value after emulation.
161 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
163 /* Before executing instruction: restore necessary bits in EFLAGS. */
164 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
165 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
166 "movl %"_sav",%"_LO32 _tmp"; " \
169 "movl %"_msk",%"_LO32 _tmp"; " \
170 "andl %"_LO32 _tmp",("_STK"); " \
172 "notl %"_LO32 _tmp"; " \
173 "andl %"_LO32 _tmp",("_STK"); " \
174 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
176 "orl %"_LO32 _tmp",("_STK"); " \
180 /* After executing instruction: write-back necessary bits in EFLAGS. */
181 #define _POST_EFLAGS(_sav, _msk, _tmp) \
182 /* _sav |= EFLAGS & _msk; */ \
185 "andl %"_msk",%"_LO32 _tmp"; " \
186 "orl %"_LO32 _tmp",%"_sav"; "
194 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
196 __asm__ __volatile__ ( \
197 _PRE_EFLAGS("0", "4", "2") \
198 _op _suffix " %"_x"3,%1; " \
199 _POST_EFLAGS("0", "4", "2") \
200 : "=m" (_eflags), "=m" ((_dst).val), \
202 : _y ((_src).val), "i" (EFLAGS_MASK)); \
206 /* Raw emulation: instruction has two explicit operands. */
207 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
209 unsigned long _tmp; \
211 switch ((_dst).bytes) { \
213 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
216 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
219 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
224 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
226 unsigned long _tmp; \
227 switch ((_dst).bytes) { \
229 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
232 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
233 _wx, _wy, _lx, _ly, _qx, _qy); \
238 /* Source operand is byte-sized and may be restricted to just %cl. */
239 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
240 __emulate_2op(_op, _src, _dst, _eflags, \
241 "b", "c", "b", "c", "b", "c", "b", "c")
243 /* Source operand is byte, word, long or quad sized. */
244 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
245 __emulate_2op(_op, _src, _dst, _eflags, \
246 "b", "q", "w", "r", _LO32, "r", "", "r")
248 /* Source operand is word, long or quad sized. */
249 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
250 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
251 "w", "r", _LO32, "r", "", "r")
253 /* Instruction has three operands and one operand is stored in ECX register */
254 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
256 unsigned long _tmp; \
257 _type _clv = (_cl).val; \
258 _type _srcv = (_src).val; \
259 _type _dstv = (_dst).val; \
261 __asm__ __volatile__ ( \
262 _PRE_EFLAGS("0", "5", "2") \
263 _op _suffix " %4,%1 \n" \
264 _POST_EFLAGS("0", "5", "2") \
265 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
266 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
269 (_cl).val = (unsigned long) _clv; \
270 (_src).val = (unsigned long) _srcv; \
271 (_dst).val = (unsigned long) _dstv; \
274 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
276 switch ((_dst).bytes) { \
278 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
279 "w", unsigned short); \
282 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
283 "l", unsigned int); \
286 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
287 "q", unsigned long)); \
292 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
294 unsigned long _tmp; \
296 __asm__ __volatile__ ( \
297 _PRE_EFLAGS("0", "3", "2") \
298 _op _suffix " %1; " \
299 _POST_EFLAGS("0", "3", "2") \
300 : "=m" (_eflags), "+m" ((_dst).val), \
302 : "i" (EFLAGS_MASK)); \
305 /* Instruction has only one explicit operand (no source operand). */
306 #define emulate_1op(_op, _dst, _eflags) \
308 switch ((_dst).bytes) { \
309 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
310 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
311 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
312 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
316 /* Fetch next part of the instruction being emulated. */
317 #define insn_fetch(_type, _size, _eip) \
318 ({ unsigned long _x; \
319 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
320 if (rc != X86EMUL_CONTINUE) \
326 #define insn_fetch_arr(_arr, _size, _eip) \
327 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
328 if (rc != X86EMUL_CONTINUE) \
333 static inline unsigned long ad_mask(struct decode_cache *c)
335 return (1UL << (c->ad_bytes << 3)) - 1;
338 /* Access/update address held in a register, based on addressing mode. */
339 static inline unsigned long
340 address_mask(struct decode_cache *c, unsigned long reg)
342 if (c->ad_bytes == sizeof(unsigned long))
345 return reg & ad_mask(c);
348 static inline unsigned long
349 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
351 return base + address_mask(c, reg);
355 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
357 if (c->ad_bytes == sizeof(unsigned long))
360 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
363 static inline void jmp_rel(struct decode_cache *c, int rel)
365 register_address_increment(c, &c->eip, rel);
368 static void set_seg_override(struct decode_cache *c, int seg)
370 c->has_seg_override = true;
371 c->seg_override = seg;
374 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
375 struct x86_emulate_ops *ops, int seg)
377 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
380 return ops->get_cached_segment_base(seg, ctxt->vcpu);
383 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
384 struct x86_emulate_ops *ops,
385 struct decode_cache *c)
387 if (!c->has_seg_override)
390 return seg_base(ctxt, ops, c->seg_override);
393 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
394 struct x86_emulate_ops *ops)
396 return seg_base(ctxt, ops, VCPU_SREG_ES);
399 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
400 struct x86_emulate_ops *ops)
402 return seg_base(ctxt, ops, VCPU_SREG_SS);
405 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
406 u32 error, bool valid)
408 ctxt->exception = vec;
409 ctxt->error_code = error;
410 ctxt->error_code_valid = valid;
411 ctxt->restart = false;
414 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
416 emulate_exception(ctxt, GP_VECTOR, err, true);
419 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
423 emulate_exception(ctxt, PF_VECTOR, err, true);
426 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
428 emulate_exception(ctxt, UD_VECTOR, 0, false);
431 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
433 emulate_exception(ctxt, TS_VECTOR, err, true);
436 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
437 struct x86_emulate_ops *ops,
438 unsigned long eip, u8 *dest)
440 struct fetch_cache *fc = &ctxt->decode.fetch;
444 if (eip == fc->end) {
445 cur_size = fc->end - fc->start;
446 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
447 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
448 size, ctxt->vcpu, NULL);
449 if (rc != X86EMUL_CONTINUE)
453 *dest = fc->data[eip - fc->start];
454 return X86EMUL_CONTINUE;
457 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
458 struct x86_emulate_ops *ops,
459 unsigned long eip, void *dest, unsigned size)
463 /* x86 instructions are limited to 15 bytes. */
464 if (eip + size - ctxt->eip > 15)
465 return X86EMUL_UNHANDLEABLE;
467 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
468 if (rc != X86EMUL_CONTINUE)
471 return X86EMUL_CONTINUE;
475 * Given the 'reg' portion of a ModRM byte, and a register block, return a
476 * pointer into the block that addresses the relevant register.
477 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
479 static void *decode_register(u8 modrm_reg, unsigned long *regs,
484 p = ®s[modrm_reg];
485 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
486 p = (unsigned char *)®s[modrm_reg & 3] + 1;
490 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
491 struct x86_emulate_ops *ops,
493 u16 *size, unsigned long *address, int op_bytes)
500 rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
501 if (rc != X86EMUL_CONTINUE)
503 rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
507 static int test_cc(unsigned int condition, unsigned int flags)
511 switch ((condition & 15) >> 1) {
513 rc |= (flags & EFLG_OF);
515 case 1: /* b/c/nae */
516 rc |= (flags & EFLG_CF);
519 rc |= (flags & EFLG_ZF);
522 rc |= (flags & (EFLG_CF|EFLG_ZF));
525 rc |= (flags & EFLG_SF);
528 rc |= (flags & EFLG_PF);
531 rc |= (flags & EFLG_ZF);
534 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
538 /* Odd condition identifiers (lsb == 1) have inverted sense. */
539 return (!!rc ^ (condition & 1));
542 static void fetch_register_operand(struct operand *op)
546 op->val = *(u8 *)op->addr.reg;
549 op->val = *(u16 *)op->addr.reg;
552 op->val = *(u32 *)op->addr.reg;
555 op->val = *(u64 *)op->addr.reg;
560 static void decode_register_operand(struct operand *op,
561 struct decode_cache *c,
564 unsigned reg = c->modrm_reg;
565 int highbyte_regs = c->rex_prefix == 0;
568 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
570 if ((c->d & ByteOp) && !inhibit_bytereg) {
571 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
574 op->addr.reg = decode_register(reg, c->regs, 0);
575 op->bytes = c->op_bytes;
577 fetch_register_operand(op);
578 op->orig_val = op->val;
581 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
582 struct x86_emulate_ops *ops)
584 struct decode_cache *c = &ctxt->decode;
586 int index_reg = 0, base_reg = 0, scale;
587 int rc = X86EMUL_CONTINUE;
590 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
591 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
592 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
595 c->modrm = insn_fetch(u8, 1, c->eip);
596 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
597 c->modrm_reg |= (c->modrm & 0x38) >> 3;
598 c->modrm_rm |= (c->modrm & 0x07);
601 c->modrm_seg = VCPU_SREG_DS;
603 if (c->modrm_mod == 3) {
604 c->modrm_ptr = decode_register(c->modrm_rm,
605 c->regs, c->d & ByteOp);
606 c->modrm_val = *(unsigned long *)c->modrm_ptr;
610 if (c->ad_bytes == 2) {
611 unsigned bx = c->regs[VCPU_REGS_RBX];
612 unsigned bp = c->regs[VCPU_REGS_RBP];
613 unsigned si = c->regs[VCPU_REGS_RSI];
614 unsigned di = c->regs[VCPU_REGS_RDI];
616 /* 16-bit ModR/M decode. */
617 switch (c->modrm_mod) {
619 if (c->modrm_rm == 6)
620 c->modrm_ea += insn_fetch(u16, 2, c->eip);
623 c->modrm_ea += insn_fetch(s8, 1, c->eip);
626 c->modrm_ea += insn_fetch(u16, 2, c->eip);
629 switch (c->modrm_rm) {
631 c->modrm_ea += bx + si;
634 c->modrm_ea += bx + di;
637 c->modrm_ea += bp + si;
640 c->modrm_ea += bp + di;
649 if (c->modrm_mod != 0)
656 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
657 (c->modrm_rm == 6 && c->modrm_mod != 0))
658 c->modrm_seg = VCPU_SREG_SS;
659 c->modrm_ea = (u16)c->modrm_ea;
661 /* 32/64-bit ModR/M decode. */
662 if ((c->modrm_rm & 7) == 4) {
663 sib = insn_fetch(u8, 1, c->eip);
664 index_reg |= (sib >> 3) & 7;
668 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
669 c->modrm_ea += insn_fetch(s32, 4, c->eip);
671 c->modrm_ea += c->regs[base_reg];
673 c->modrm_ea += c->regs[index_reg] << scale;
674 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
675 if (ctxt->mode == X86EMUL_MODE_PROT64)
678 c->modrm_ea += c->regs[c->modrm_rm];
679 switch (c->modrm_mod) {
681 if (c->modrm_rm == 5)
682 c->modrm_ea += insn_fetch(s32, 4, c->eip);
685 c->modrm_ea += insn_fetch(s8, 1, c->eip);
688 c->modrm_ea += insn_fetch(s32, 4, c->eip);
696 static int decode_abs(struct x86_emulate_ctxt *ctxt,
697 struct x86_emulate_ops *ops)
699 struct decode_cache *c = &ctxt->decode;
700 int rc = X86EMUL_CONTINUE;
702 switch (c->ad_bytes) {
704 c->modrm_ea = insn_fetch(u16, 2, c->eip);
707 c->modrm_ea = insn_fetch(u32, 4, c->eip);
710 c->modrm_ea = insn_fetch(u64, 8, c->eip);
717 static int read_emulated(struct x86_emulate_ctxt *ctxt,
718 struct x86_emulate_ops *ops,
719 unsigned long addr, void *dest, unsigned size)
722 struct read_cache *mc = &ctxt->decode.mem_read;
726 int n = min(size, 8u);
728 if (mc->pos < mc->end)
731 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
733 if (rc == X86EMUL_PROPAGATE_FAULT)
734 emulate_pf(ctxt, addr, err);
735 if (rc != X86EMUL_CONTINUE)
740 memcpy(dest, mc->data + mc->pos, n);
745 return X86EMUL_CONTINUE;
748 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
749 struct x86_emulate_ops *ops,
750 unsigned int size, unsigned short port,
753 struct read_cache *rc = &ctxt->decode.io_read;
755 if (rc->pos == rc->end) { /* refill pio read ahead */
756 struct decode_cache *c = &ctxt->decode;
757 unsigned int in_page, n;
758 unsigned int count = c->rep_prefix ?
759 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
760 in_page = (ctxt->eflags & EFLG_DF) ?
761 offset_in_page(c->regs[VCPU_REGS_RDI]) :
762 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
763 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
767 rc->pos = rc->end = 0;
768 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
773 memcpy(dest, rc->data + rc->pos, size);
778 static u32 desc_limit_scaled(struct desc_struct *desc)
780 u32 limit = get_desc_limit(desc);
782 return desc->g ? (limit << 12) | 0xfff : limit;
785 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
786 struct x86_emulate_ops *ops,
787 u16 selector, struct desc_ptr *dt)
789 if (selector & 1 << 2) {
790 struct desc_struct desc;
791 memset (dt, 0, sizeof *dt);
792 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
795 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
796 dt->address = get_desc_base(&desc);
798 ops->get_gdt(dt, ctxt->vcpu);
801 /* allowed just for 8 bytes segments */
802 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
803 struct x86_emulate_ops *ops,
804 u16 selector, struct desc_struct *desc)
807 u16 index = selector >> 3;
812 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
814 if (dt.size < index * 8 + 7) {
815 emulate_gp(ctxt, selector & 0xfffc);
816 return X86EMUL_PROPAGATE_FAULT;
818 addr = dt.address + index * 8;
819 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
820 if (ret == X86EMUL_PROPAGATE_FAULT)
821 emulate_pf(ctxt, addr, err);
826 /* allowed just for 8 bytes segments */
827 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
828 struct x86_emulate_ops *ops,
829 u16 selector, struct desc_struct *desc)
832 u16 index = selector >> 3;
837 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
839 if (dt.size < index * 8 + 7) {
840 emulate_gp(ctxt, selector & 0xfffc);
841 return X86EMUL_PROPAGATE_FAULT;
844 addr = dt.address + index * 8;
845 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
846 if (ret == X86EMUL_PROPAGATE_FAULT)
847 emulate_pf(ctxt, addr, err);
852 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
853 struct x86_emulate_ops *ops,
854 u16 selector, int seg)
856 struct desc_struct seg_desc;
858 unsigned err_vec = GP_VECTOR;
860 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
863 memset(&seg_desc, 0, sizeof seg_desc);
865 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
866 || ctxt->mode == X86EMUL_MODE_REAL) {
867 /* set real mode segment descriptor */
868 set_desc_base(&seg_desc, selector << 4);
869 set_desc_limit(&seg_desc, 0xffff);
876 /* NULL selector is not valid for TR, CS and SS */
877 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
881 /* TR should be in GDT only */
882 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
885 if (null_selector) /* for NULL selector skip all following checks */
888 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
889 if (ret != X86EMUL_CONTINUE)
892 err_code = selector & 0xfffc;
895 /* can't load system descriptor into segment selecor */
896 if (seg <= VCPU_SREG_GS && !seg_desc.s)
900 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
906 cpl = ops->cpl(ctxt->vcpu);
911 * segment is not a writable data segment or segment
912 * selector's RPL != CPL or segment selector's RPL != CPL
914 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
918 if (!(seg_desc.type & 8))
921 if (seg_desc.type & 4) {
927 if (rpl > cpl || dpl != cpl)
931 selector = (selector & 0xfffc) | cpl;
934 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
938 if (seg_desc.s || seg_desc.type != 2)
941 default: /* DS, ES, FS, or GS */
943 * segment is not a data or readable code segment or
944 * ((segment is a data or nonconforming code segment)
945 * and (both RPL and CPL > DPL))
947 if ((seg_desc.type & 0xa) == 0x8 ||
948 (((seg_desc.type & 0xc) != 0xc) &&
949 (rpl > dpl && cpl > dpl)))
955 /* mark segment as accessed */
957 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
958 if (ret != X86EMUL_CONTINUE)
962 ops->set_segment_selector(selector, seg, ctxt->vcpu);
963 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
964 return X86EMUL_CONTINUE;
966 emulate_exception(ctxt, err_vec, err_code, true);
967 return X86EMUL_PROPAGATE_FAULT;
970 static inline int writeback(struct x86_emulate_ctxt *ctxt,
971 struct x86_emulate_ops *ops)
974 struct decode_cache *c = &ctxt->decode;
977 switch (c->dst.type) {
979 /* The 4-byte case *is* correct:
980 * in 64-bit mode we zero-extend.
982 switch (c->dst.bytes) {
984 *(u8 *)c->dst.addr.reg = (u8)c->dst.val;
987 *(u16 *)c->dst.addr.reg = (u16)c->dst.val;
990 *c->dst.addr.reg = (u32)c->dst.val;
991 break; /* 64b: zero-ext */
993 *c->dst.addr.reg = c->dst.val;
999 rc = ops->cmpxchg_emulated(
1007 rc = ops->write_emulated(
1013 if (rc == X86EMUL_PROPAGATE_FAULT)
1014 emulate_pf(ctxt, c->dst.addr.mem, err);
1015 if (rc != X86EMUL_CONTINUE)
1024 return X86EMUL_CONTINUE;
1027 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1028 struct x86_emulate_ops *ops)
1030 struct decode_cache *c = &ctxt->decode;
1032 c->dst.type = OP_MEM;
1033 c->dst.bytes = c->op_bytes;
1034 c->dst.val = c->src.val;
1035 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1036 c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
1037 c->regs[VCPU_REGS_RSP]);
1040 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1041 struct x86_emulate_ops *ops,
1042 void *dest, int len)
1044 struct decode_cache *c = &ctxt->decode;
1047 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1048 c->regs[VCPU_REGS_RSP]),
1050 if (rc != X86EMUL_CONTINUE)
1053 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1057 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1058 struct x86_emulate_ops *ops,
1059 void *dest, int len)
1062 unsigned long val, change_mask;
1063 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1064 int cpl = ops->cpl(ctxt->vcpu);
1066 rc = emulate_pop(ctxt, ops, &val, len);
1067 if (rc != X86EMUL_CONTINUE)
1070 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1071 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1073 switch(ctxt->mode) {
1074 case X86EMUL_MODE_PROT64:
1075 case X86EMUL_MODE_PROT32:
1076 case X86EMUL_MODE_PROT16:
1078 change_mask |= EFLG_IOPL;
1080 change_mask |= EFLG_IF;
1082 case X86EMUL_MODE_VM86:
1084 emulate_gp(ctxt, 0);
1085 return X86EMUL_PROPAGATE_FAULT;
1087 change_mask |= EFLG_IF;
1089 default: /* real mode */
1090 change_mask |= (EFLG_IOPL | EFLG_IF);
1094 *(unsigned long *)dest =
1095 (ctxt->eflags & ~change_mask) | (val & change_mask);
1100 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1101 struct x86_emulate_ops *ops, int seg)
1103 struct decode_cache *c = &ctxt->decode;
1105 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1107 emulate_push(ctxt, ops);
1110 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1111 struct x86_emulate_ops *ops, int seg)
1113 struct decode_cache *c = &ctxt->decode;
1114 unsigned long selector;
1117 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1118 if (rc != X86EMUL_CONTINUE)
1121 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1125 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1126 struct x86_emulate_ops *ops)
1128 struct decode_cache *c = &ctxt->decode;
1129 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1130 int rc = X86EMUL_CONTINUE;
1131 int reg = VCPU_REGS_RAX;
1133 while (reg <= VCPU_REGS_RDI) {
1134 (reg == VCPU_REGS_RSP) ?
1135 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1137 emulate_push(ctxt, ops);
1139 rc = writeback(ctxt, ops);
1140 if (rc != X86EMUL_CONTINUE)
1146 /* Disable writeback. */
1147 c->dst.type = OP_NONE;
1152 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1153 struct x86_emulate_ops *ops)
1155 struct decode_cache *c = &ctxt->decode;
1156 int rc = X86EMUL_CONTINUE;
1157 int reg = VCPU_REGS_RDI;
1159 while (reg >= VCPU_REGS_RAX) {
1160 if (reg == VCPU_REGS_RSP) {
1161 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1166 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1167 if (rc != X86EMUL_CONTINUE)
1174 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1175 struct x86_emulate_ops *ops)
1177 struct decode_cache *c = &ctxt->decode;
1178 int rc = X86EMUL_CONTINUE;
1179 unsigned long temp_eip = 0;
1180 unsigned long temp_eflags = 0;
1181 unsigned long cs = 0;
1182 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1183 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1184 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1185 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1187 /* TODO: Add stack limit check */
1189 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1191 if (rc != X86EMUL_CONTINUE)
1194 if (temp_eip & ~0xffff) {
1195 emulate_gp(ctxt, 0);
1196 return X86EMUL_PROPAGATE_FAULT;
1199 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1201 if (rc != X86EMUL_CONTINUE)
1204 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1206 if (rc != X86EMUL_CONTINUE)
1209 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1211 if (rc != X86EMUL_CONTINUE)
1217 if (c->op_bytes == 4)
1218 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1219 else if (c->op_bytes == 2) {
1220 ctxt->eflags &= ~0xffff;
1221 ctxt->eflags |= temp_eflags;
1224 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1225 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1230 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1231 struct x86_emulate_ops* ops)
1233 switch(ctxt->mode) {
1234 case X86EMUL_MODE_REAL:
1235 return emulate_iret_real(ctxt, ops);
1236 case X86EMUL_MODE_VM86:
1237 case X86EMUL_MODE_PROT16:
1238 case X86EMUL_MODE_PROT32:
1239 case X86EMUL_MODE_PROT64:
1241 /* iret from protected mode unimplemented yet */
1242 return X86EMUL_UNHANDLEABLE;
1246 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1247 struct x86_emulate_ops *ops)
1249 struct decode_cache *c = &ctxt->decode;
1251 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1254 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1256 struct decode_cache *c = &ctxt->decode;
1257 switch (c->modrm_reg) {
1259 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1262 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1265 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1268 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1270 case 4: /* sal/shl */
1271 case 6: /* sal/shl */
1272 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1275 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1278 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1283 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1284 struct x86_emulate_ops *ops)
1286 struct decode_cache *c = &ctxt->decode;
1288 switch (c->modrm_reg) {
1289 case 0 ... 1: /* test */
1290 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1293 c->dst.val = ~c->dst.val;
1296 emulate_1op("neg", c->dst, ctxt->eflags);
1304 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1305 struct x86_emulate_ops *ops)
1307 struct decode_cache *c = &ctxt->decode;
1309 switch (c->modrm_reg) {
1311 emulate_1op("inc", c->dst, ctxt->eflags);
1314 emulate_1op("dec", c->dst, ctxt->eflags);
1316 case 2: /* call near abs */ {
1319 c->eip = c->src.val;
1320 c->src.val = old_eip;
1321 emulate_push(ctxt, ops);
1324 case 4: /* jmp abs */
1325 c->eip = c->src.val;
1328 emulate_push(ctxt, ops);
1331 return X86EMUL_CONTINUE;
1334 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1335 struct x86_emulate_ops *ops)
1337 struct decode_cache *c = &ctxt->decode;
1338 u64 old = c->dst.orig_val64;
1340 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1341 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1342 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1343 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1344 ctxt->eflags &= ~EFLG_ZF;
1346 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1347 (u32) c->regs[VCPU_REGS_RBX];
1349 ctxt->eflags |= EFLG_ZF;
1351 return X86EMUL_CONTINUE;
1354 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1355 struct x86_emulate_ops *ops)
1357 struct decode_cache *c = &ctxt->decode;
1361 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1362 if (rc != X86EMUL_CONTINUE)
1364 if (c->op_bytes == 4)
1365 c->eip = (u32)c->eip;
1366 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1367 if (rc != X86EMUL_CONTINUE)
1369 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1374 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1375 struct x86_emulate_ops *ops, struct desc_struct *cs,
1376 struct desc_struct *ss)
1378 memset(cs, 0, sizeof(struct desc_struct));
1379 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1380 memset(ss, 0, sizeof(struct desc_struct));
1382 cs->l = 0; /* will be adjusted later */
1383 set_desc_base(cs, 0); /* flat segment */
1384 cs->g = 1; /* 4kb granularity */
1385 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1386 cs->type = 0x0b; /* Read, Execute, Accessed */
1388 cs->dpl = 0; /* will be adjusted later */
1392 set_desc_base(ss, 0); /* flat segment */
1393 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1394 ss->g = 1; /* 4kb granularity */
1396 ss->type = 0x03; /* Read/Write, Accessed */
1397 ss->d = 1; /* 32bit stack segment */
1403 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1405 struct decode_cache *c = &ctxt->decode;
1406 struct desc_struct cs, ss;
1410 /* syscall is not available in real mode */
1411 if (ctxt->mode == X86EMUL_MODE_REAL ||
1412 ctxt->mode == X86EMUL_MODE_VM86) {
1414 return X86EMUL_PROPAGATE_FAULT;
1417 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1419 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1421 cs_sel = (u16)(msr_data & 0xfffc);
1422 ss_sel = (u16)(msr_data + 8);
1424 if (is_long_mode(ctxt->vcpu)) {
1428 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1429 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1430 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1431 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1433 c->regs[VCPU_REGS_RCX] = c->eip;
1434 if (is_long_mode(ctxt->vcpu)) {
1435 #ifdef CONFIG_X86_64
1436 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1438 ops->get_msr(ctxt->vcpu,
1439 ctxt->mode == X86EMUL_MODE_PROT64 ?
1440 MSR_LSTAR : MSR_CSTAR, &msr_data);
1443 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1444 ctxt->eflags &= ~(msr_data | EFLG_RF);
1448 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1449 c->eip = (u32)msr_data;
1451 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1454 return X86EMUL_CONTINUE;
1458 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1460 struct decode_cache *c = &ctxt->decode;
1461 struct desc_struct cs, ss;
1465 /* inject #GP if in real mode */
1466 if (ctxt->mode == X86EMUL_MODE_REAL) {
1467 emulate_gp(ctxt, 0);
1468 return X86EMUL_PROPAGATE_FAULT;
1471 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1472 * Therefore, we inject an #UD.
1474 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1476 return X86EMUL_PROPAGATE_FAULT;
1479 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1481 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1482 switch (ctxt->mode) {
1483 case X86EMUL_MODE_PROT32:
1484 if ((msr_data & 0xfffc) == 0x0) {
1485 emulate_gp(ctxt, 0);
1486 return X86EMUL_PROPAGATE_FAULT;
1489 case X86EMUL_MODE_PROT64:
1490 if (msr_data == 0x0) {
1491 emulate_gp(ctxt, 0);
1492 return X86EMUL_PROPAGATE_FAULT;
1497 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1498 cs_sel = (u16)msr_data;
1499 cs_sel &= ~SELECTOR_RPL_MASK;
1500 ss_sel = cs_sel + 8;
1501 ss_sel &= ~SELECTOR_RPL_MASK;
1502 if (ctxt->mode == X86EMUL_MODE_PROT64
1503 || is_long_mode(ctxt->vcpu)) {
1508 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1509 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1510 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1511 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1513 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1516 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1517 c->regs[VCPU_REGS_RSP] = msr_data;
1519 return X86EMUL_CONTINUE;
1523 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1525 struct decode_cache *c = &ctxt->decode;
1526 struct desc_struct cs, ss;
1531 /* inject #GP if in real mode or Virtual 8086 mode */
1532 if (ctxt->mode == X86EMUL_MODE_REAL ||
1533 ctxt->mode == X86EMUL_MODE_VM86) {
1534 emulate_gp(ctxt, 0);
1535 return X86EMUL_PROPAGATE_FAULT;
1538 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1540 if ((c->rex_prefix & 0x8) != 0x0)
1541 usermode = X86EMUL_MODE_PROT64;
1543 usermode = X86EMUL_MODE_PROT32;
1547 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1549 case X86EMUL_MODE_PROT32:
1550 cs_sel = (u16)(msr_data + 16);
1551 if ((msr_data & 0xfffc) == 0x0) {
1552 emulate_gp(ctxt, 0);
1553 return X86EMUL_PROPAGATE_FAULT;
1555 ss_sel = (u16)(msr_data + 24);
1557 case X86EMUL_MODE_PROT64:
1558 cs_sel = (u16)(msr_data + 32);
1559 if (msr_data == 0x0) {
1560 emulate_gp(ctxt, 0);
1561 return X86EMUL_PROPAGATE_FAULT;
1563 ss_sel = cs_sel + 8;
1568 cs_sel |= SELECTOR_RPL_MASK;
1569 ss_sel |= SELECTOR_RPL_MASK;
1571 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1572 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1573 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1574 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1576 c->eip = c->regs[VCPU_REGS_RDX];
1577 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1579 return X86EMUL_CONTINUE;
1582 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1583 struct x86_emulate_ops *ops)
1586 if (ctxt->mode == X86EMUL_MODE_REAL)
1588 if (ctxt->mode == X86EMUL_MODE_VM86)
1590 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1591 return ops->cpl(ctxt->vcpu) > iopl;
1594 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1595 struct x86_emulate_ops *ops,
1598 struct desc_struct tr_seg;
1601 u8 perm, bit_idx = port & 0x7;
1602 unsigned mask = (1 << len) - 1;
1604 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1607 if (desc_limit_scaled(&tr_seg) < 103)
1609 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1611 if (r != X86EMUL_CONTINUE)
1613 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1615 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1616 &perm, 1, ctxt->vcpu, NULL);
1617 if (r != X86EMUL_CONTINUE)
1619 if ((perm >> bit_idx) & mask)
1624 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1625 struct x86_emulate_ops *ops,
1631 if (emulator_bad_iopl(ctxt, ops))
1632 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1635 ctxt->perm_ok = true;
1640 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1641 struct x86_emulate_ops *ops,
1642 struct tss_segment_16 *tss)
1644 struct decode_cache *c = &ctxt->decode;
1647 tss->flag = ctxt->eflags;
1648 tss->ax = c->regs[VCPU_REGS_RAX];
1649 tss->cx = c->regs[VCPU_REGS_RCX];
1650 tss->dx = c->regs[VCPU_REGS_RDX];
1651 tss->bx = c->regs[VCPU_REGS_RBX];
1652 tss->sp = c->regs[VCPU_REGS_RSP];
1653 tss->bp = c->regs[VCPU_REGS_RBP];
1654 tss->si = c->regs[VCPU_REGS_RSI];
1655 tss->di = c->regs[VCPU_REGS_RDI];
1657 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1658 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1659 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1660 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1661 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1664 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1665 struct x86_emulate_ops *ops,
1666 struct tss_segment_16 *tss)
1668 struct decode_cache *c = &ctxt->decode;
1672 ctxt->eflags = tss->flag | 2;
1673 c->regs[VCPU_REGS_RAX] = tss->ax;
1674 c->regs[VCPU_REGS_RCX] = tss->cx;
1675 c->regs[VCPU_REGS_RDX] = tss->dx;
1676 c->regs[VCPU_REGS_RBX] = tss->bx;
1677 c->regs[VCPU_REGS_RSP] = tss->sp;
1678 c->regs[VCPU_REGS_RBP] = tss->bp;
1679 c->regs[VCPU_REGS_RSI] = tss->si;
1680 c->regs[VCPU_REGS_RDI] = tss->di;
1683 * SDM says that segment selectors are loaded before segment
1686 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1687 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1688 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1689 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1690 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1693 * Now load segment descriptors. If fault happenes at this stage
1694 * it is handled in a context of new task
1696 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1697 if (ret != X86EMUL_CONTINUE)
1699 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1700 if (ret != X86EMUL_CONTINUE)
1702 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1703 if (ret != X86EMUL_CONTINUE)
1705 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1706 if (ret != X86EMUL_CONTINUE)
1708 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1709 if (ret != X86EMUL_CONTINUE)
1712 return X86EMUL_CONTINUE;
1715 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1716 struct x86_emulate_ops *ops,
1717 u16 tss_selector, u16 old_tss_sel,
1718 ulong old_tss_base, struct desc_struct *new_desc)
1720 struct tss_segment_16 tss_seg;
1722 u32 err, new_tss_base = get_desc_base(new_desc);
1724 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1726 if (ret == X86EMUL_PROPAGATE_FAULT) {
1727 /* FIXME: need to provide precise fault address */
1728 emulate_pf(ctxt, old_tss_base, err);
1732 save_state_to_tss16(ctxt, ops, &tss_seg);
1734 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1736 if (ret == X86EMUL_PROPAGATE_FAULT) {
1737 /* FIXME: need to provide precise fault address */
1738 emulate_pf(ctxt, old_tss_base, err);
1742 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1744 if (ret == X86EMUL_PROPAGATE_FAULT) {
1745 /* FIXME: need to provide precise fault address */
1746 emulate_pf(ctxt, new_tss_base, err);
1750 if (old_tss_sel != 0xffff) {
1751 tss_seg.prev_task_link = old_tss_sel;
1753 ret = ops->write_std(new_tss_base,
1754 &tss_seg.prev_task_link,
1755 sizeof tss_seg.prev_task_link,
1757 if (ret == X86EMUL_PROPAGATE_FAULT) {
1758 /* FIXME: need to provide precise fault address */
1759 emulate_pf(ctxt, new_tss_base, err);
1764 return load_state_from_tss16(ctxt, ops, &tss_seg);
1767 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1768 struct x86_emulate_ops *ops,
1769 struct tss_segment_32 *tss)
1771 struct decode_cache *c = &ctxt->decode;
1773 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
1775 tss->eflags = ctxt->eflags;
1776 tss->eax = c->regs[VCPU_REGS_RAX];
1777 tss->ecx = c->regs[VCPU_REGS_RCX];
1778 tss->edx = c->regs[VCPU_REGS_RDX];
1779 tss->ebx = c->regs[VCPU_REGS_RBX];
1780 tss->esp = c->regs[VCPU_REGS_RSP];
1781 tss->ebp = c->regs[VCPU_REGS_RBP];
1782 tss->esi = c->regs[VCPU_REGS_RSI];
1783 tss->edi = c->regs[VCPU_REGS_RDI];
1785 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1786 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1787 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1788 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1789 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
1790 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
1791 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1794 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1795 struct x86_emulate_ops *ops,
1796 struct tss_segment_32 *tss)
1798 struct decode_cache *c = &ctxt->decode;
1801 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
1802 emulate_gp(ctxt, 0);
1803 return X86EMUL_PROPAGATE_FAULT;
1806 ctxt->eflags = tss->eflags | 2;
1807 c->regs[VCPU_REGS_RAX] = tss->eax;
1808 c->regs[VCPU_REGS_RCX] = tss->ecx;
1809 c->regs[VCPU_REGS_RDX] = tss->edx;
1810 c->regs[VCPU_REGS_RBX] = tss->ebx;
1811 c->regs[VCPU_REGS_RSP] = tss->esp;
1812 c->regs[VCPU_REGS_RBP] = tss->ebp;
1813 c->regs[VCPU_REGS_RSI] = tss->esi;
1814 c->regs[VCPU_REGS_RDI] = tss->edi;
1817 * SDM says that segment selectors are loaded before segment
1820 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
1821 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1822 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1823 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1824 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1825 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
1826 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
1829 * Now load segment descriptors. If fault happenes at this stage
1830 * it is handled in a context of new task
1832 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
1833 if (ret != X86EMUL_CONTINUE)
1835 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1836 if (ret != X86EMUL_CONTINUE)
1838 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1839 if (ret != X86EMUL_CONTINUE)
1841 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1842 if (ret != X86EMUL_CONTINUE)
1844 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1845 if (ret != X86EMUL_CONTINUE)
1847 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
1848 if (ret != X86EMUL_CONTINUE)
1850 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
1851 if (ret != X86EMUL_CONTINUE)
1854 return X86EMUL_CONTINUE;
1857 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
1858 struct x86_emulate_ops *ops,
1859 u16 tss_selector, u16 old_tss_sel,
1860 ulong old_tss_base, struct desc_struct *new_desc)
1862 struct tss_segment_32 tss_seg;
1864 u32 err, new_tss_base = get_desc_base(new_desc);
1866 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1868 if (ret == X86EMUL_PROPAGATE_FAULT) {
1869 /* FIXME: need to provide precise fault address */
1870 emulate_pf(ctxt, old_tss_base, err);
1874 save_state_to_tss32(ctxt, ops, &tss_seg);
1876 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1878 if (ret == X86EMUL_PROPAGATE_FAULT) {
1879 /* FIXME: need to provide precise fault address */
1880 emulate_pf(ctxt, old_tss_base, err);
1884 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1886 if (ret == X86EMUL_PROPAGATE_FAULT) {
1887 /* FIXME: need to provide precise fault address */
1888 emulate_pf(ctxt, new_tss_base, err);
1892 if (old_tss_sel != 0xffff) {
1893 tss_seg.prev_task_link = old_tss_sel;
1895 ret = ops->write_std(new_tss_base,
1896 &tss_seg.prev_task_link,
1897 sizeof tss_seg.prev_task_link,
1899 if (ret == X86EMUL_PROPAGATE_FAULT) {
1900 /* FIXME: need to provide precise fault address */
1901 emulate_pf(ctxt, new_tss_base, err);
1906 return load_state_from_tss32(ctxt, ops, &tss_seg);
1909 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
1910 struct x86_emulate_ops *ops,
1911 u16 tss_selector, int reason,
1912 bool has_error_code, u32 error_code)
1914 struct desc_struct curr_tss_desc, next_tss_desc;
1916 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
1917 ulong old_tss_base =
1918 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
1921 /* FIXME: old_tss_base == ~0 ? */
1923 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
1924 if (ret != X86EMUL_CONTINUE)
1926 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
1927 if (ret != X86EMUL_CONTINUE)
1930 /* FIXME: check that next_tss_desc is tss */
1932 if (reason != TASK_SWITCH_IRET) {
1933 if ((tss_selector & 3) > next_tss_desc.dpl ||
1934 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
1935 emulate_gp(ctxt, 0);
1936 return X86EMUL_PROPAGATE_FAULT;
1940 desc_limit = desc_limit_scaled(&next_tss_desc);
1941 if (!next_tss_desc.p ||
1942 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
1943 desc_limit < 0x2b)) {
1944 emulate_ts(ctxt, tss_selector & 0xfffc);
1945 return X86EMUL_PROPAGATE_FAULT;
1948 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
1949 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
1950 write_segment_descriptor(ctxt, ops, old_tss_sel,
1954 if (reason == TASK_SWITCH_IRET)
1955 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
1957 /* set back link to prev task only if NT bit is set in eflags
1958 note that old_tss_sel is not used afetr this point */
1959 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
1960 old_tss_sel = 0xffff;
1962 if (next_tss_desc.type & 8)
1963 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
1964 old_tss_base, &next_tss_desc);
1966 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
1967 old_tss_base, &next_tss_desc);
1968 if (ret != X86EMUL_CONTINUE)
1971 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
1972 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
1974 if (reason != TASK_SWITCH_IRET) {
1975 next_tss_desc.type |= (1 << 1); /* set busy flag */
1976 write_segment_descriptor(ctxt, ops, tss_selector,
1980 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
1981 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
1982 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
1984 if (has_error_code) {
1985 struct decode_cache *c = &ctxt->decode;
1987 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
1989 c->src.val = (unsigned long) error_code;
1990 emulate_push(ctxt, ops);
1996 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
1997 u16 tss_selector, int reason,
1998 bool has_error_code, u32 error_code)
2000 struct x86_emulate_ops *ops = ctxt->ops;
2001 struct decode_cache *c = &ctxt->decode;
2005 c->dst.type = OP_NONE;
2007 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2008 has_error_code, error_code);
2010 if (rc == X86EMUL_CONTINUE) {
2011 rc = writeback(ctxt, ops);
2012 if (rc == X86EMUL_CONTINUE)
2016 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2019 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2020 int reg, struct operand *op)
2022 struct decode_cache *c = &ctxt->decode;
2023 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2025 register_address_increment(c, &c->regs[reg], df * op->bytes);
2026 op->addr.mem = register_address(c, base, c->regs[reg]);
2029 static int em_push(struct x86_emulate_ctxt *ctxt)
2031 emulate_push(ctxt, ctxt->ops);
2032 return X86EMUL_CONTINUE;
2035 #define D(_y) { .flags = (_y) }
2037 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2038 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2039 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2041 static struct opcode group1[] = {
2045 static struct opcode group1A[] = {
2046 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2049 static struct opcode group3[] = {
2050 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2051 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2055 static struct opcode group4[] = {
2056 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2060 static struct opcode group5[] = {
2061 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2062 D(SrcMem | ModRM | Stack), N,
2063 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2064 D(SrcMem | ModRM | Stack), N,
2067 static struct group_dual group7 = { {
2068 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2069 D(SrcNone | ModRM | DstMem | Mov), N,
2070 D(SrcMem16 | ModRM | Mov | Priv), D(SrcMem | ModRM | ByteOp | Priv),
2072 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
2073 D(SrcNone | ModRM | DstMem | Mov), N,
2074 D(SrcMem16 | ModRM | Mov | Priv), N,
2077 static struct opcode group8[] = {
2079 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2080 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2083 static struct group_dual group9 = { {
2084 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2086 N, N, N, N, N, N, N, N,
2089 static struct opcode opcode_table[256] = {
2091 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2092 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2093 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2094 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2096 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2097 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2098 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2099 D(ImplicitOps | Stack | No64), N,
2101 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2102 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2103 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2104 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2106 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2107 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2108 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2109 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2111 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2112 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2113 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2115 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2116 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2117 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2119 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2120 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2121 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2123 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2124 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2125 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2130 X8(I(SrcReg | Stack, em_push)),
2132 X8(D(DstReg | Stack)),
2134 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2135 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2138 I(SrcImm | Mov | Stack, em_push), N,
2139 I(SrcImmByte | Mov | Stack, em_push), N,
2140 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
2141 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2145 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2146 G(DstMem | SrcImm | ModRM | Group, group1),
2147 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2148 G(DstMem | SrcImmByte | ModRM | Group, group1),
2149 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2150 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2152 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
2153 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
2154 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | DstReg),
2155 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2157 X8(D(SrcAcc | DstReg)),
2159 N, N, D(SrcImmFAddr | No64), N,
2160 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2162 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
2163 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
2164 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
2165 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
2167 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
2168 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
2169 D(ByteOp | DstDI | String), D(DstDI | String),
2171 X8(D(ByteOp | DstReg | SrcImm | Mov)),
2173 X8(D(DstReg | SrcImm | Mov)),
2175 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
2176 N, D(ImplicitOps | Stack), N, N,
2177 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
2179 N, N, N, D(ImplicitOps | Stack),
2180 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2182 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
2183 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
2186 N, N, N, N, N, N, N, N,
2189 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2190 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2192 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2193 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2194 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2195 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2198 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2200 D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
2201 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2204 static struct opcode twobyte_table[256] = {
2206 N, GD(0, &group7), N, N,
2207 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
2208 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
2209 N, D(ImplicitOps | ModRM), N, N,
2211 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2213 D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
2214 D(ModRM | ImplicitOps | Priv), D(ModRM | Priv),
2216 N, N, N, N, N, N, N, N,
2218 D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
2219 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
2220 N, N, N, N, N, N, N, N,
2222 X16(D(DstReg | SrcMem | ModRM | Mov)),
2224 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2226 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2228 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2232 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2234 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2235 N, D(DstMem | SrcReg | ModRM | BitOp),
2236 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2237 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2239 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2240 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2241 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2242 D(DstMem | SrcReg | Src2CL | ModRM),
2245 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2246 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2247 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
2248 D(DstReg | SrcMem16 | ModRM | Mov),
2251 G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2252 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
2253 D(DstReg | SrcMem16 | ModRM | Mov),
2255 N, N, N, D(DstMem | SrcReg | ModRM | Mov),
2256 N, N, N, GD(0, &group9),
2257 N, N, N, N, N, N, N, N,
2259 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2261 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2263 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2273 x86_decode_insn(struct x86_emulate_ctxt *ctxt)
2275 struct x86_emulate_ops *ops = ctxt->ops;
2276 struct decode_cache *c = &ctxt->decode;
2277 int rc = X86EMUL_CONTINUE;
2278 int mode = ctxt->mode;
2279 int def_op_bytes, def_ad_bytes, dual, goffset;
2280 struct opcode opcode, *g_mod012, *g_mod3;
2282 /* we cannot decode insn before we complete previous rep insn */
2283 WARN_ON(ctxt->restart);
2286 c->fetch.start = c->fetch.end = c->eip;
2287 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2290 case X86EMUL_MODE_REAL:
2291 case X86EMUL_MODE_VM86:
2292 case X86EMUL_MODE_PROT16:
2293 def_op_bytes = def_ad_bytes = 2;
2295 case X86EMUL_MODE_PROT32:
2296 def_op_bytes = def_ad_bytes = 4;
2298 #ifdef CONFIG_X86_64
2299 case X86EMUL_MODE_PROT64:
2308 c->op_bytes = def_op_bytes;
2309 c->ad_bytes = def_ad_bytes;
2311 /* Legacy prefixes. */
2313 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2314 case 0x66: /* operand-size override */
2315 /* switch between 2/4 bytes */
2316 c->op_bytes = def_op_bytes ^ 6;
2318 case 0x67: /* address-size override */
2319 if (mode == X86EMUL_MODE_PROT64)
2320 /* switch between 4/8 bytes */
2321 c->ad_bytes = def_ad_bytes ^ 12;
2323 /* switch between 2/4 bytes */
2324 c->ad_bytes = def_ad_bytes ^ 6;
2326 case 0x26: /* ES override */
2327 case 0x2e: /* CS override */
2328 case 0x36: /* SS override */
2329 case 0x3e: /* DS override */
2330 set_seg_override(c, (c->b >> 3) & 3);
2332 case 0x64: /* FS override */
2333 case 0x65: /* GS override */
2334 set_seg_override(c, c->b & 7);
2336 case 0x40 ... 0x4f: /* REX */
2337 if (mode != X86EMUL_MODE_PROT64)
2339 c->rex_prefix = c->b;
2341 case 0xf0: /* LOCK */
2344 case 0xf2: /* REPNE/REPNZ */
2345 c->rep_prefix = REPNE_PREFIX;
2347 case 0xf3: /* REP/REPE/REPZ */
2348 c->rep_prefix = REPE_PREFIX;
2354 /* Any legacy prefix after a REX prefix nullifies its effect. */
2363 if (c->rex_prefix & 8)
2364 c->op_bytes = 8; /* REX.W */
2366 /* Opcode byte(s). */
2367 opcode = opcode_table[c->b];
2368 if (opcode.flags == 0) {
2369 /* Two-byte opcode? */
2372 c->b = insn_fetch(u8, 1, c->eip);
2373 opcode = twobyte_table[c->b];
2376 c->d = opcode.flags;
2379 dual = c->d & GroupDual;
2380 c->modrm = insn_fetch(u8, 1, c->eip);
2383 if (c->d & GroupDual) {
2384 g_mod012 = opcode.u.gdual->mod012;
2385 g_mod3 = opcode.u.gdual->mod3;
2387 g_mod012 = g_mod3 = opcode.u.group;
2389 c->d &= ~(Group | GroupDual);
2391 goffset = (c->modrm >> 3) & 7;
2393 if ((c->modrm >> 6) == 3)
2394 opcode = g_mod3[goffset];
2396 opcode = g_mod012[goffset];
2397 c->d |= opcode.flags;
2400 c->execute = opcode.u.execute;
2403 if (c->d == 0 || (c->d & Undefined)) {
2404 DPRINTF("Cannot emulate %02x\n", c->b);
2408 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2411 /* ModRM and SIB bytes. */
2413 rc = decode_modrm(ctxt, ops);
2414 if (!c->has_seg_override)
2415 set_seg_override(c, c->modrm_seg);
2416 } else if (c->d & MemAbs)
2417 rc = decode_abs(ctxt, ops);
2418 if (rc != X86EMUL_CONTINUE)
2421 if (!c->has_seg_override)
2422 set_seg_override(c, VCPU_SREG_DS);
2424 if (!(!c->twobyte && c->b == 0x8d))
2425 c->modrm_ea += seg_override_base(ctxt, ops, c);
2427 if (c->ad_bytes != 8)
2428 c->modrm_ea = (u32)c->modrm_ea;
2430 if (c->rip_relative)
2431 c->modrm_ea += c->eip;
2434 * Decode and fetch the source operand: register, memory
2437 switch (c->d & SrcMask) {
2441 decode_register_operand(&c->src, c, 0);
2450 c->src.bytes = (c->d & ByteOp) ? 1 :
2452 /* Don't fetch the address for invlpg: it could be unmapped. */
2453 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
2457 * For instructions with a ModR/M byte, switch to register
2458 * access if Mod = 3.
2460 if ((c->d & ModRM) && c->modrm_mod == 3) {
2461 c->src.type = OP_REG;
2462 c->src.val = c->modrm_val;
2463 c->src.addr.reg = c->modrm_ptr;
2466 c->src.type = OP_MEM;
2467 c->src.addr.mem = c->modrm_ea;
2472 c->src.type = OP_IMM;
2473 c->src.addr.mem = c->eip;
2474 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2475 if (c->src.bytes == 8)
2477 /* NB. Immediates are sign-extended as necessary. */
2478 switch (c->src.bytes) {
2480 c->src.val = insn_fetch(s8, 1, c->eip);
2483 c->src.val = insn_fetch(s16, 2, c->eip);
2486 c->src.val = insn_fetch(s32, 4, c->eip);
2489 if ((c->d & SrcMask) == SrcImmU) {
2490 switch (c->src.bytes) {
2495 c->src.val &= 0xffff;
2498 c->src.val &= 0xffffffff;
2505 c->src.type = OP_IMM;
2506 c->src.addr.mem = c->eip;
2508 if ((c->d & SrcMask) == SrcImmByte)
2509 c->src.val = insn_fetch(s8, 1, c->eip);
2511 c->src.val = insn_fetch(u8, 1, c->eip);
2514 c->src.type = OP_REG;
2515 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2516 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2517 fetch_register_operand(&c->src);
2524 c->src.type = OP_MEM;
2525 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2527 register_address(c, seg_override_base(ctxt, ops, c),
2528 c->regs[VCPU_REGS_RSI]);
2532 c->src.type = OP_IMM;
2533 c->src.addr.mem = c->eip;
2534 c->src.bytes = c->op_bytes + 2;
2535 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2538 c->src.type = OP_MEM;
2539 c->src.addr.mem = c->modrm_ea;
2540 c->src.bytes = c->op_bytes + 2;
2545 * Decode and fetch the second source operand: register, memory
2548 switch (c->d & Src2Mask) {
2553 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2556 c->src2.type = OP_IMM;
2557 c->src2.addr.mem = c->eip;
2559 c->src2.val = insn_fetch(u8, 1, c->eip);
2567 /* Decode and fetch the destination operand: register or memory. */
2568 switch (c->d & DstMask) {
2570 /* Special instructions do their own operand decoding. */
2573 decode_register_operand(&c->dst, c,
2574 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2578 if ((c->d & ModRM) && c->modrm_mod == 3) {
2579 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2580 c->dst.type = OP_REG;
2581 c->dst.val = c->dst.orig_val = c->modrm_val;
2582 c->dst.addr.reg = c->modrm_ptr;
2585 c->dst.type = OP_MEM;
2586 c->dst.addr.mem = c->modrm_ea;
2587 if ((c->d & DstMask) == DstMem64)
2590 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2593 unsigned long mask = ~(c->dst.bytes * 8 - 1);
2595 c->dst.addr.mem = c->dst.addr.mem +
2596 (c->src.val & mask) / 8;
2600 c->dst.type = OP_REG;
2601 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2602 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
2603 fetch_register_operand(&c->dst);
2604 c->dst.orig_val = c->dst.val;
2607 c->dst.type = OP_MEM;
2608 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2610 register_address(c, es_base(ctxt, ops),
2611 c->regs[VCPU_REGS_RDI]);
2617 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2621 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2623 struct x86_emulate_ops *ops = ctxt->ops;
2625 struct decode_cache *c = &ctxt->decode;
2626 int rc = X86EMUL_CONTINUE;
2627 int saved_dst_type = c->dst.type;
2629 ctxt->decode.mem_read.pos = 0;
2631 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2636 /* LOCK prefix is allowed only with some instructions */
2637 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2642 /* Privileged instruction can be executed only in CPL=0 */
2643 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2644 emulate_gp(ctxt, 0);
2648 if (c->rep_prefix && (c->d & String)) {
2649 ctxt->restart = true;
2650 /* All REP prefixes have the same first termination condition */
2651 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2653 ctxt->restart = false;
2657 /* The second termination condition only applies for REPE
2658 * and REPNE. Test if the repeat string operation prefix is
2659 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2660 * corresponding termination condition according to:
2661 * - if REPE/REPZ and ZF = 0 then done
2662 * - if REPNE/REPNZ and ZF = 1 then done
2664 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2665 (c->b == 0xae) || (c->b == 0xaf)) {
2666 if ((c->rep_prefix == REPE_PREFIX) &&
2667 ((ctxt->eflags & EFLG_ZF) == 0))
2669 if ((c->rep_prefix == REPNE_PREFIX) &&
2670 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2676 if (c->src.type == OP_MEM) {
2677 rc = read_emulated(ctxt, ops, c->src.addr.mem,
2678 c->src.valptr, c->src.bytes);
2679 if (rc != X86EMUL_CONTINUE)
2681 c->src.orig_val64 = c->src.val64;
2684 if (c->src2.type == OP_MEM) {
2685 rc = read_emulated(ctxt, ops, c->src2.addr.mem,
2686 &c->src2.val, c->src2.bytes);
2687 if (rc != X86EMUL_CONTINUE)
2691 if ((c->d & DstMask) == ImplicitOps)
2695 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2696 /* optimisation - avoid slow emulated read if Mov */
2697 rc = read_emulated(ctxt, ops, c->dst.addr.mem,
2698 &c->dst.val, c->dst.bytes);
2699 if (rc != X86EMUL_CONTINUE)
2702 c->dst.orig_val = c->dst.val;
2707 rc = c->execute(ctxt);
2708 if (rc != X86EMUL_CONTINUE)
2719 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2721 case 0x06: /* push es */
2722 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2724 case 0x07: /* pop es */
2725 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2726 if (rc != X86EMUL_CONTINUE)
2731 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2733 case 0x0e: /* push cs */
2734 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2738 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2740 case 0x16: /* push ss */
2741 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2743 case 0x17: /* pop ss */
2744 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2745 if (rc != X86EMUL_CONTINUE)
2750 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2752 case 0x1e: /* push ds */
2753 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2755 case 0x1f: /* pop ds */
2756 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2757 if (rc != X86EMUL_CONTINUE)
2762 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2766 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2770 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2774 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2776 case 0x40 ... 0x47: /* inc r16/r32 */
2777 emulate_1op("inc", c->dst, ctxt->eflags);
2779 case 0x48 ... 0x4f: /* dec r16/r32 */
2780 emulate_1op("dec", c->dst, ctxt->eflags);
2782 case 0x58 ... 0x5f: /* pop reg */
2784 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2785 if (rc != X86EMUL_CONTINUE)
2788 case 0x60: /* pusha */
2789 rc = emulate_pusha(ctxt, ops);
2790 if (rc != X86EMUL_CONTINUE)
2793 case 0x61: /* popa */
2794 rc = emulate_popa(ctxt, ops);
2795 if (rc != X86EMUL_CONTINUE)
2798 case 0x63: /* movsxd */
2799 if (ctxt->mode != X86EMUL_MODE_PROT64)
2800 goto cannot_emulate;
2801 c->dst.val = (s32) c->src.val;
2803 case 0x6c: /* insb */
2804 case 0x6d: /* insw/insd */
2805 c->dst.bytes = min(c->dst.bytes, 4u);
2806 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2808 emulate_gp(ctxt, 0);
2811 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2812 c->regs[VCPU_REGS_RDX], &c->dst.val))
2813 goto done; /* IO is needed, skip writeback */
2815 case 0x6e: /* outsb */
2816 case 0x6f: /* outsw/outsd */
2817 c->src.bytes = min(c->src.bytes, 4u);
2818 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2820 emulate_gp(ctxt, 0);
2823 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2824 &c->src.val, 1, ctxt->vcpu);
2826 c->dst.type = OP_NONE; /* nothing to writeback */
2828 case 0x70 ... 0x7f: /* jcc (short) */
2829 if (test_cc(c->b, ctxt->eflags))
2830 jmp_rel(c, c->src.val);
2832 case 0x80 ... 0x83: /* Grp1 */
2833 switch (c->modrm_reg) {
2854 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2856 case 0x86 ... 0x87: /* xchg */
2858 /* Write back the register source. */
2859 switch (c->dst.bytes) {
2861 *(u8 *) c->src.addr.reg = (u8) c->dst.val;
2864 *(u16 *) c->src.addr.reg = (u16) c->dst.val;
2867 *c->src.addr.reg = (u32) c->dst.val;
2868 break; /* 64b reg: zero-extend */
2870 *c->src.addr.reg = c->dst.val;
2874 * Write back the memory destination with implicit LOCK
2877 c->dst.val = c->src.val;
2880 case 0x88 ... 0x8b: /* mov */
2882 case 0x8c: /* mov r/m, sreg */
2883 if (c->modrm_reg > VCPU_SREG_GS) {
2887 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2889 case 0x8d: /* lea r16/r32, m */
2890 c->dst.val = c->modrm_ea;
2892 case 0x8e: { /* mov seg, r/m16 */
2897 if (c->modrm_reg == VCPU_SREG_CS ||
2898 c->modrm_reg > VCPU_SREG_GS) {
2903 if (c->modrm_reg == VCPU_SREG_SS)
2904 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2906 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2908 c->dst.type = OP_NONE; /* Disable writeback. */
2911 case 0x8f: /* pop (sole member of Grp1a) */
2912 rc = emulate_grp1a(ctxt, ops);
2913 if (rc != X86EMUL_CONTINUE)
2916 case 0x90 ... 0x97: /* nop / xchg reg, rax */
2917 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
2920 case 0x9c: /* pushf */
2921 c->src.val = (unsigned long) ctxt->eflags;
2922 emulate_push(ctxt, ops);
2924 case 0x9d: /* popf */
2925 c->dst.type = OP_REG;
2926 c->dst.addr.reg = &ctxt->eflags;
2927 c->dst.bytes = c->op_bytes;
2928 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2929 if (rc != X86EMUL_CONTINUE)
2932 case 0xa0 ... 0xa3: /* mov */
2933 case 0xa4 ... 0xa5: /* movs */
2935 case 0xa6 ... 0xa7: /* cmps */
2936 c->dst.type = OP_NONE; /* Disable writeback. */
2937 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
2939 case 0xa8 ... 0xa9: /* test ax, imm */
2941 case 0xaa ... 0xab: /* stos */
2942 c->dst.val = c->regs[VCPU_REGS_RAX];
2944 case 0xac ... 0xad: /* lods */
2946 case 0xae ... 0xaf: /* scas */
2947 DPRINTF("Urk! I don't handle SCAS.\n");
2948 goto cannot_emulate;
2949 case 0xb0 ... 0xbf: /* mov r, imm */
2954 case 0xc3: /* ret */
2955 c->dst.type = OP_REG;
2956 c->dst.addr.reg = &c->eip;
2957 c->dst.bytes = c->op_bytes;
2958 goto pop_instruction;
2959 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2961 c->dst.val = c->src.val;
2963 case 0xcb: /* ret far */
2964 rc = emulate_ret_far(ctxt, ops);
2965 if (rc != X86EMUL_CONTINUE)
2968 case 0xcf: /* iret */
2969 rc = emulate_iret(ctxt, ops);
2971 if (rc != X86EMUL_CONTINUE)
2974 case 0xd0 ... 0xd1: /* Grp2 */
2978 case 0xd2 ... 0xd3: /* Grp2 */
2979 c->src.val = c->regs[VCPU_REGS_RCX];
2982 case 0xe4: /* inb */
2985 case 0xe6: /* outb */
2986 case 0xe7: /* out */
2988 case 0xe8: /* call (near) */ {
2989 long int rel = c->src.val;
2990 c->src.val = (unsigned long) c->eip;
2992 emulate_push(ctxt, ops);
2995 case 0xe9: /* jmp rel */
2997 case 0xea: { /* jmp far */
3000 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3002 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3006 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3010 jmp: /* jmp rel short */
3011 jmp_rel(c, c->src.val);
3012 c->dst.type = OP_NONE; /* Disable writeback. */
3014 case 0xec: /* in al,dx */
3015 case 0xed: /* in (e/r)ax,dx */
3016 c->src.val = c->regs[VCPU_REGS_RDX];
3018 c->dst.bytes = min(c->dst.bytes, 4u);
3019 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3020 emulate_gp(ctxt, 0);
3023 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3025 goto done; /* IO is needed */
3027 case 0xee: /* out dx,al */
3028 case 0xef: /* out dx,(e/r)ax */
3029 c->src.val = c->regs[VCPU_REGS_RDX];
3031 c->dst.bytes = min(c->dst.bytes, 4u);
3032 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3033 emulate_gp(ctxt, 0);
3036 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
3038 c->dst.type = OP_NONE; /* Disable writeback. */
3040 case 0xf4: /* hlt */
3041 ctxt->vcpu->arch.halt_request = 1;
3043 case 0xf5: /* cmc */
3044 /* complement carry flag from eflags reg */
3045 ctxt->eflags ^= EFLG_CF;
3046 c->dst.type = OP_NONE; /* Disable writeback. */
3048 case 0xf6 ... 0xf7: /* Grp3 */
3049 if (!emulate_grp3(ctxt, ops))
3050 goto cannot_emulate;
3052 case 0xf8: /* clc */
3053 ctxt->eflags &= ~EFLG_CF;
3054 c->dst.type = OP_NONE; /* Disable writeback. */
3056 case 0xfa: /* cli */
3057 if (emulator_bad_iopl(ctxt, ops)) {
3058 emulate_gp(ctxt, 0);
3061 ctxt->eflags &= ~X86_EFLAGS_IF;
3062 c->dst.type = OP_NONE; /* Disable writeback. */
3065 case 0xfb: /* sti */
3066 if (emulator_bad_iopl(ctxt, ops)) {
3067 emulate_gp(ctxt, 0);
3070 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3071 ctxt->eflags |= X86_EFLAGS_IF;
3072 c->dst.type = OP_NONE; /* Disable writeback. */
3075 case 0xfc: /* cld */
3076 ctxt->eflags &= ~EFLG_DF;
3077 c->dst.type = OP_NONE; /* Disable writeback. */
3079 case 0xfd: /* std */
3080 ctxt->eflags |= EFLG_DF;
3081 c->dst.type = OP_NONE; /* Disable writeback. */
3083 case 0xfe: /* Grp4 */
3085 rc = emulate_grp45(ctxt, ops);
3086 if (rc != X86EMUL_CONTINUE)
3089 case 0xff: /* Grp5 */
3090 if (c->modrm_reg == 5)
3094 goto cannot_emulate;
3098 rc = writeback(ctxt, ops);
3099 if (rc != X86EMUL_CONTINUE)
3103 * restore dst type in case the decoding will be reused
3104 * (happens for string instruction )
3106 c->dst.type = saved_dst_type;
3108 if ((c->d & SrcMask) == SrcSI)
3109 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3110 VCPU_REGS_RSI, &c->src);
3112 if ((c->d & DstMask) == DstDI)
3113 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3116 if (c->rep_prefix && (c->d & String)) {
3117 struct read_cache *rc = &ctxt->decode.io_read;
3118 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3120 * Re-enter guest when pio read ahead buffer is empty or,
3121 * if it is not used, after each 1024 iteration.
3123 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3124 (rc->end != 0 && rc->end == rc->pos))
3125 ctxt->restart = false;
3128 * reset read cache here in case string instruction is restared
3131 ctxt->decode.mem_read.end = 0;
3135 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3139 case 0x01: /* lgdt, lidt, lmsw */
3140 switch (c->modrm_reg) {
3142 unsigned long address;
3144 case 0: /* vmcall */
3145 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3146 goto cannot_emulate;
3148 rc = kvm_fix_hypercall(ctxt->vcpu);
3149 if (rc != X86EMUL_CONTINUE)
3152 /* Let the processor re-execute the fixed hypercall */
3154 /* Disable writeback. */
3155 c->dst.type = OP_NONE;
3158 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3159 &size, &address, c->op_bytes);
3160 if (rc != X86EMUL_CONTINUE)
3162 realmode_lgdt(ctxt->vcpu, size, address);
3163 /* Disable writeback. */
3164 c->dst.type = OP_NONE;
3166 case 3: /* lidt/vmmcall */
3167 if (c->modrm_mod == 3) {
3168 switch (c->modrm_rm) {
3170 rc = kvm_fix_hypercall(ctxt->vcpu);
3171 if (rc != X86EMUL_CONTINUE)
3175 goto cannot_emulate;
3178 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3181 if (rc != X86EMUL_CONTINUE)
3183 realmode_lidt(ctxt->vcpu, size, address);
3185 /* Disable writeback. */
3186 c->dst.type = OP_NONE;
3190 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3193 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3194 (c->src.val & 0x0f), ctxt->vcpu);
3195 c->dst.type = OP_NONE;
3197 case 5: /* not defined */
3201 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3202 /* Disable writeback. */
3203 c->dst.type = OP_NONE;
3206 goto cannot_emulate;
3209 case 0x05: /* syscall */
3210 rc = emulate_syscall(ctxt, ops);
3211 if (rc != X86EMUL_CONTINUE)
3217 emulate_clts(ctxt->vcpu);
3218 c->dst.type = OP_NONE;
3220 case 0x09: /* wbinvd */
3221 kvm_emulate_wbinvd(ctxt->vcpu);
3222 c->dst.type = OP_NONE;
3224 case 0x08: /* invd */
3225 case 0x0d: /* GrpP (prefetch) */
3226 case 0x18: /* Grp16 (prefetch/nop) */
3227 c->dst.type = OP_NONE;
3229 case 0x20: /* mov cr, reg */
3230 switch (c->modrm_reg) {
3237 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3238 c->dst.type = OP_NONE; /* no writeback */
3240 case 0x21: /* mov from dr to reg */
3241 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3242 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3246 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3247 c->dst.type = OP_NONE; /* no writeback */
3249 case 0x22: /* mov reg, cr */
3250 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3251 emulate_gp(ctxt, 0);
3254 c->dst.type = OP_NONE;
3256 case 0x23: /* mov from reg to dr */
3257 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3258 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3263 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3264 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3265 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3266 /* #UD condition is already handled by the code above */
3267 emulate_gp(ctxt, 0);
3271 c->dst.type = OP_NONE; /* no writeback */
3275 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3276 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3277 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3278 emulate_gp(ctxt, 0);
3281 rc = X86EMUL_CONTINUE;
3282 c->dst.type = OP_NONE;
3286 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3287 emulate_gp(ctxt, 0);
3290 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3291 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3293 rc = X86EMUL_CONTINUE;
3294 c->dst.type = OP_NONE;
3296 case 0x34: /* sysenter */
3297 rc = emulate_sysenter(ctxt, ops);
3298 if (rc != X86EMUL_CONTINUE)
3303 case 0x35: /* sysexit */
3304 rc = emulate_sysexit(ctxt, ops);
3305 if (rc != X86EMUL_CONTINUE)
3310 case 0x40 ... 0x4f: /* cmov */
3311 c->dst.val = c->dst.orig_val = c->src.val;
3312 if (!test_cc(c->b, ctxt->eflags))
3313 c->dst.type = OP_NONE; /* no writeback */
3315 case 0x80 ... 0x8f: /* jnz rel, etc*/
3316 if (test_cc(c->b, ctxt->eflags))
3317 jmp_rel(c, c->src.val);
3318 c->dst.type = OP_NONE;
3320 case 0xa0: /* push fs */
3321 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3323 case 0xa1: /* pop fs */
3324 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3325 if (rc != X86EMUL_CONTINUE)
3330 c->dst.type = OP_NONE;
3331 /* only subword offset */
3332 c->src.val &= (c->dst.bytes << 3) - 1;
3333 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3335 case 0xa4: /* shld imm8, r, r/m */
3336 case 0xa5: /* shld cl, r, r/m */
3337 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3339 case 0xa8: /* push gs */
3340 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3342 case 0xa9: /* pop gs */
3343 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3344 if (rc != X86EMUL_CONTINUE)
3349 /* only subword offset */
3350 c->src.val &= (c->dst.bytes << 3) - 1;
3351 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3353 case 0xac: /* shrd imm8, r, r/m */
3354 case 0xad: /* shrd cl, r, r/m */
3355 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3357 case 0xae: /* clflush */
3359 case 0xb0 ... 0xb1: /* cmpxchg */
3361 * Save real source value, then compare EAX against
3364 c->src.orig_val = c->src.val;
3365 c->src.val = c->regs[VCPU_REGS_RAX];
3366 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3367 if (ctxt->eflags & EFLG_ZF) {
3368 /* Success: write back to memory. */
3369 c->dst.val = c->src.orig_val;
3371 /* Failure: write the value we saw to EAX. */
3372 c->dst.type = OP_REG;
3373 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3378 /* only subword offset */
3379 c->src.val &= (c->dst.bytes << 3) - 1;
3380 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3382 case 0xb6 ... 0xb7: /* movzx */
3383 c->dst.bytes = c->op_bytes;
3384 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3387 case 0xba: /* Grp8 */
3388 switch (c->modrm_reg & 3) {
3401 /* only subword offset */
3402 c->src.val &= (c->dst.bytes << 3) - 1;
3403 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3405 case 0xbe ... 0xbf: /* movsx */
3406 c->dst.bytes = c->op_bytes;
3407 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3410 case 0xc3: /* movnti */
3411 c->dst.bytes = c->op_bytes;
3412 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3415 case 0xc7: /* Grp9 (cmpxchg8b) */
3416 rc = emulate_grp9(ctxt, ops);
3417 if (rc != X86EMUL_CONTINUE)
3421 goto cannot_emulate;
3426 DPRINTF("Cannot emulate %02x\n", c->b);
projects / mv-sheeva.git / blob