1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
#ifndef __KERNEL__
#include <stdio.h>
#include <stdint.h>
#include <public/xen.h>
#define DPRINTF(_f, _a ...) printf(_f , ## _a)
#else
#include <linux/kvm_host.h>
#include "kvm_cache_regs.h"
#define DPRINTF(x...) do {} while (0)
#endif
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
 * not be handled.
 */
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
/* Generic ModRM decode. */
#define ModRM       (1<<8)
/* Destination is only written; never read. */
#define Mov         (1<<9)
#define BitOp       (1<<10)
#define MemAbs      (1<<11)      /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
86 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
87 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
88 #define Undefined (1<<25) /* No Such Instruction */
89 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
#define Priv        (1<<27) /* instruction generates #GP if current CPL != 0 */
#define No64        (1<<28) /* instruction is invalid in 64-bit mode */
92 /* Source 2 operand type */
93 #define Src2None (0<<29)
94 #define Src2CL (1<<29)
95 #define Src2ImmByte (2<<29)
96 #define Src2One (3<<29)
97 #define Src2Mask (7<<29)
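/*
 * Illustrative example (not part of the original source): a decode entry
 * such as D(ByteOp | DstMem | SrcReg | ModRM | Lock) in opcode_table[]
 * below describes 0x00 (add r/m8, r8): an 8-bit destination decoded from
 * the ModRM r/m field, a source taken from the ModRM reg field, and a
 * lock prefix permitted.
 */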
#define X2(x...) x, x
#define X3(x...) X2(x), x
101 #define X4(x...) X2(x), X2(x)
102 #define X5(x...) X4(x), x
103 #define X6(x...) X4(x), X2(x)
104 #define X7(x...) X4(x), X3(x)
105 #define X8(x...) X4(x), X4(x)
106 #define X16(x...) X8(x), X8(x)
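/*
 * For example, X8(I(SrcReg | Stack, em_push)) below expands to eight
 * identical entries, covering a one-per-register opcode row such as
 * push reg (0x50-0x57).
 */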
struct opcode {
	u32 flags;
	union {
		int (*execute)(struct x86_emulate_ctxt *ctxt);
		struct opcode *group;
		struct group_dual *gdual;
	} u;
};

struct group_dual {
	struct opcode mod012[8];
	struct opcode mod3[8];
};
122 /* EFLAGS bit definitions. */
123 #define EFLG_ID (1<<21)
124 #define EFLG_VIP (1<<20)
125 #define EFLG_VIF (1<<19)
126 #define EFLG_AC (1<<18)
127 #define EFLG_VM (1<<17)
128 #define EFLG_RF (1<<16)
129 #define EFLG_IOPL (3<<12)
130 #define EFLG_NT (1<<14)
131 #define EFLG_OF (1<<11)
132 #define EFLG_DF (1<<10)
133 #define EFLG_IF (1<<9)
134 #define EFLG_TF (1<<8)
135 #define EFLG_SF (1<<7)
136 #define EFLG_ZF (1<<6)
137 #define EFLG_AF (1<<4)
138 #define EFLG_PF (1<<2)
139 #define EFLG_CF (1<<0)
141 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
142 #define EFLG_RESERVED_ONE_MASK 2
145 * Instruction emulation:
146 * Most instructions are emulated directly via a fragment of inline assembly
147 * code. This allows us to save/restore EFLAGS and thus very easily pick up
148 * any modified flags.
151 #if defined(CONFIG_X86_64)
152 #define _LO32 "k" /* force 32-bit operand */
153 #define _STK "%%rsp" /* stack pointer */
154 #elif defined(__i386__)
155 #define _LO32 "" /* force 32-bit operand */
#define _STK  "%%esp"	/* stack pointer */
#endif
160 * These EFLAGS bits are restored from saved value during emulation, and
161 * any changes are written back to the saved value after emulation.
163 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
165 /* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp)					\
	/* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
	"movl %"_sav",%"_LO32 _tmp"; "					\
	"push %"_tmp"; "						\
	"push %"_tmp"; "						\
	"movl %"_msk",%"_LO32 _tmp"; "					\
	"andl %"_LO32 _tmp",("_STK"); "					\
	"pushf; "							\
	"notl %"_LO32 _tmp"; "						\
	"andl %"_LO32 _tmp",("_STK"); "					\
	"andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); "	\
	"pop  %"_tmp"; "						\
	"orl  %"_LO32 _tmp",("_STK"); "					\
	"popf; "							\
	"pop  %"_sav"; "
182 /* After executing instruction: write-back necessary bits in EFLAGS. */
#define _POST_EFLAGS(_sav, _msk, _tmp) \
	/* _sav |= EFLAGS & _msk; */		\
	"pushf; "				\
	"pop  %"_LO32 _tmp"; "			\
	"andl %"_msk",%"_LO32 _tmp"; "		\
	"orl  %"_LO32 _tmp",%"_sav"; "
#define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix)	\
	do {								\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "4", "2")			\
			_op _suffix " %"_x"3,%1; "			\
			_POST_EFLAGS("0", "4", "2")			\
			: "=m" (_eflags), "=m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: _y ((_src).val), "i" (EFLAGS_MASK));		\
	} while (0)
208 /* Raw emulation: instruction has two explicit operands. */
209 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
211 unsigned long _tmp; \
213 switch ((_dst).bytes) { \
215 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
218 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
221 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
226 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
228 unsigned long _tmp; \
229 switch ((_dst).bytes) { \
231 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
234 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
235 _wx, _wy, _lx, _ly, _qx, _qy); \
240 /* Source operand is byte-sized and may be restricted to just %cl. */
241 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
242 __emulate_2op(_op, _src, _dst, _eflags, \
243 "b", "c", "b", "c", "b", "c", "b", "c")
245 /* Source operand is byte, word, long or quad sized. */
246 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
247 __emulate_2op(_op, _src, _dst, _eflags, \
248 "b", "q", "w", "r", _LO32, "r", "", "r")
250 /* Source operand is word, long or quad sized. */
251 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
252 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
253 "w", "r", _LO32, "r", "", "r")
/* Instruction has three operands and one operand is stored in the ECX register */
256 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
258 unsigned long _tmp; \
259 _type _clv = (_cl).val; \
260 _type _srcv = (_src).val; \
261 _type _dstv = (_dst).val; \
263 __asm__ __volatile__ ( \
264 _PRE_EFLAGS("0", "5", "2") \
265 _op _suffix " %4,%1 \n" \
266 _POST_EFLAGS("0", "5", "2") \
267 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
268 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
271 (_cl).val = (unsigned long) _clv; \
272 (_src).val = (unsigned long) _srcv; \
273 (_dst).val = (unsigned long) _dstv; \
276 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
278 switch ((_dst).bytes) { \
280 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
281 "w", unsigned short); \
284 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
285 "l", unsigned int); \
288 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
289 "q", unsigned long)); \
294 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
296 unsigned long _tmp; \
298 __asm__ __volatile__ ( \
299 _PRE_EFLAGS("0", "3", "2") \
300 _op _suffix " %1; " \
301 _POST_EFLAGS("0", "3", "2") \
302 : "=m" (_eflags), "+m" ((_dst).val), \
304 : "i" (EFLAGS_MASK)); \
307 /* Instruction has only one explicit operand (no source operand). */
308 #define emulate_1op(_op, _dst, _eflags) \
310 switch ((_dst).bytes) { \
311 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
312 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
313 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
314 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
318 /* Fetch next part of the instruction being emulated. */
#define insn_fetch(_type, _size, _eip)					\
({	unsigned long _x;						\
	rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
	(_type)_x;							\
})
#define insn_fetch_arr(_arr, _size, _eip)				\
({	rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
})
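/*
 * Typical use, as in the decoder below:
 *
 *	c->modrm = insn_fetch(u8, 1, c->eip);
 *
 * On a failed fetch the macro stores the error in rc and jumps to the
 * enclosing function's done label, so callers never see a partial fetch.
 */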
335 static inline unsigned long ad_mask(struct decode_cache *c)
337 return (1UL << (c->ad_bytes << 3)) - 1;
340 /* Access/update address held in a register, based on addressing mode. */
341 static inline unsigned long
342 address_mask(struct decode_cache *c, unsigned long reg)
344 if (c->ad_bytes == sizeof(unsigned long))
347 return reg & ad_mask(c);
350 static inline unsigned long
351 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
353 return base + address_mask(c, reg);
357 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
359 if (c->ad_bytes == sizeof(unsigned long))
362 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
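/*
 * e.g. with 16-bit addressing (ad_bytes == 2), incrementing SI past
 * 0xffff wraps to 0x0000 while the upper bits of the underlying
 * register are preserved.
 */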
365 static inline void jmp_rel(struct decode_cache *c, int rel)
367 register_address_increment(c, &c->eip, rel);
370 static void set_seg_override(struct decode_cache *c, int seg)
372 c->has_seg_override = true;
373 c->seg_override = seg;
376 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
377 struct x86_emulate_ops *ops, int seg)
379 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
382 return ops->get_cached_segment_base(seg, ctxt->vcpu);
385 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
386 struct x86_emulate_ops *ops,
387 struct decode_cache *c)
389 if (!c->has_seg_override)
392 return seg_base(ctxt, ops, c->seg_override);
395 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
396 struct x86_emulate_ops *ops)
398 return seg_base(ctxt, ops, VCPU_SREG_ES);
401 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
402 struct x86_emulate_ops *ops)
404 return seg_base(ctxt, ops, VCPU_SREG_SS);
407 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
408 u32 error, bool valid)
410 ctxt->exception = vec;
411 ctxt->error_code = error;
412 ctxt->error_code_valid = valid;
413 ctxt->restart = false;
416 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
418 emulate_exception(ctxt, GP_VECTOR, err, true);
421 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
425 emulate_exception(ctxt, PF_VECTOR, err, true);
428 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
430 emulate_exception(ctxt, UD_VECTOR, 0, false);
433 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
435 emulate_exception(ctxt, TS_VECTOR, err, true);
438 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
439 struct x86_emulate_ops *ops,
440 unsigned long eip, u8 *dest)
442 struct fetch_cache *fc = &ctxt->decode.fetch;
446 if (eip == fc->end) {
447 cur_size = fc->end - fc->start;
448 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
449 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
450 size, ctxt->vcpu, NULL);
451 if (rc != X86EMUL_CONTINUE)
455 *dest = fc->data[eip - fc->start];
456 return X86EMUL_CONTINUE;
459 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
460 struct x86_emulate_ops *ops,
461 unsigned long eip, void *dest, unsigned size)
465 /* x86 instructions are limited to 15 bytes. */
466 if (eip + size - ctxt->eip > 15)
467 return X86EMUL_UNHANDLEABLE;
469 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
470 if (rc != X86EMUL_CONTINUE)
473 return X86EMUL_CONTINUE;
477 * Given the 'reg' portion of a ModRM byte, and a register block, return a
478 * pointer into the block that addresses the relevant register.
479 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
481 static void *decode_register(u8 modrm_reg, unsigned long *regs,
	p = &regs[modrm_reg];
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
		p = (unsigned char *)&regs[modrm_reg & 3] + 1;
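	/*
	 * Example: with highbyte_regs set, modrm_reg == 4 selects AH,
	 * i.e. a pointer to the second byte of regs[VCPU_REGS_RAX].
	 */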
492 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
493 struct x86_emulate_ops *ops,
495 u16 *size, unsigned long *address, int op_bytes)
502 rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
503 if (rc != X86EMUL_CONTINUE)
505 rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
509 static int test_cc(unsigned int condition, unsigned int flags)
513 switch ((condition & 15) >> 1) {
515 rc |= (flags & EFLG_OF);
517 case 1: /* b/c/nae */
518 rc |= (flags & EFLG_CF);
521 rc |= (flags & EFLG_ZF);
524 rc |= (flags & (EFLG_CF|EFLG_ZF));
527 rc |= (flags & EFLG_SF);
530 rc |= (flags & EFLG_PF);
533 rc |= (flags & EFLG_ZF);
536 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
540 /* Odd condition identifiers (lsb == 1) have inverted sense. */
541 return (!!rc ^ (condition & 1));
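/*
 * Example: condition 0x4 (je) tests ZF; condition 0x5 (jne) hits the
 * same case but has its lsb set, so the final xor inverts the result.
 */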
544 static void fetch_register_operand(struct operand *op)
548 op->val = *(u8 *)op->addr.reg;
551 op->val = *(u16 *)op->addr.reg;
554 op->val = *(u32 *)op->addr.reg;
557 op->val = *(u64 *)op->addr.reg;
562 static void decode_register_operand(struct operand *op,
563 struct decode_cache *c,
566 unsigned reg = c->modrm_reg;
567 int highbyte_regs = c->rex_prefix == 0;
570 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
572 if ((c->d & ByteOp) && !inhibit_bytereg) {
573 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
576 op->addr.reg = decode_register(reg, c->regs, 0);
577 op->bytes = c->op_bytes;
579 fetch_register_operand(op);
580 op->orig_val = op->val;
583 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
584 struct x86_emulate_ops *ops,
587 struct decode_cache *c = &ctxt->decode;
589 int index_reg = 0, base_reg = 0, scale;
590 int rc = X86EMUL_CONTINUE;
594 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
595 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
		c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REX.B */
599 c->modrm = insn_fetch(u8, 1, c->eip);
600 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
601 c->modrm_reg |= (c->modrm & 0x38) >> 3;
602 c->modrm_rm |= (c->modrm & 0x07);
603 c->modrm_seg = VCPU_SREG_DS;
605 if (c->modrm_mod == 3) {
607 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
608 op->addr.reg = decode_register(c->modrm_rm,
609 c->regs, c->d & ByteOp);
610 fetch_register_operand(op);
616 if (c->ad_bytes == 2) {
617 unsigned bx = c->regs[VCPU_REGS_RBX];
618 unsigned bp = c->regs[VCPU_REGS_RBP];
619 unsigned si = c->regs[VCPU_REGS_RSI];
620 unsigned di = c->regs[VCPU_REGS_RDI];
622 /* 16-bit ModR/M decode. */
623 switch (c->modrm_mod) {
625 if (c->modrm_rm == 6)
626 modrm_ea += insn_fetch(u16, 2, c->eip);
629 modrm_ea += insn_fetch(s8, 1, c->eip);
632 modrm_ea += insn_fetch(u16, 2, c->eip);
635 switch (c->modrm_rm) {
655 if (c->modrm_mod != 0)
662 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
663 (c->modrm_rm == 6 && c->modrm_mod != 0))
664 c->modrm_seg = VCPU_SREG_SS;
665 modrm_ea = (u16)modrm_ea;
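		/*
		 * e.g. ModRM 0x42 (mod=01, rm=010) decodes to
		 * [BP + SI + disp8], with SS as the default segment.
		 */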
667 /* 32/64-bit ModR/M decode. */
668 if ((c->modrm_rm & 7) == 4) {
669 sib = insn_fetch(u8, 1, c->eip);
670 index_reg |= (sib >> 3) & 7;
674 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
675 modrm_ea += insn_fetch(s32, 4, c->eip);
677 modrm_ea += c->regs[base_reg];
679 modrm_ea += c->regs[index_reg] << scale;
680 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
681 if (ctxt->mode == X86EMUL_MODE_PROT64)
684 modrm_ea += c->regs[c->modrm_rm];
685 switch (c->modrm_mod) {
687 if (c->modrm_rm == 5)
688 modrm_ea += insn_fetch(s32, 4, c->eip);
691 modrm_ea += insn_fetch(s8, 1, c->eip);
694 modrm_ea += insn_fetch(s32, 4, c->eip);
698 op->addr.mem = modrm_ea;
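	/*
	 * e.g. ModRM 0x44 with SIB 0x88 (scale=10, index=001, base=000)
	 * decodes to [EAX + ECX*4 + disp8] in 32-bit mode.
	 */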
703 static int decode_abs(struct x86_emulate_ctxt *ctxt,
704 struct x86_emulate_ops *ops,
707 struct decode_cache *c = &ctxt->decode;
708 int rc = X86EMUL_CONTINUE;
711 switch (c->ad_bytes) {
713 op->addr.mem = insn_fetch(u16, 2, c->eip);
716 op->addr.mem = insn_fetch(u32, 4, c->eip);
719 op->addr.mem = insn_fetch(u64, 8, c->eip);
726 static int read_emulated(struct x86_emulate_ctxt *ctxt,
727 struct x86_emulate_ops *ops,
728 unsigned long addr, void *dest, unsigned size)
731 struct read_cache *mc = &ctxt->decode.mem_read;
735 int n = min(size, 8u);
737 if (mc->pos < mc->end)
740 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
742 if (rc == X86EMUL_PROPAGATE_FAULT)
743 emulate_pf(ctxt, addr, err);
744 if (rc != X86EMUL_CONTINUE)
749 memcpy(dest, mc->data + mc->pos, n);
754 return X86EMUL_CONTINUE;
757 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
758 struct x86_emulate_ops *ops,
759 unsigned int size, unsigned short port,
762 struct read_cache *rc = &ctxt->decode.io_read;
764 if (rc->pos == rc->end) { /* refill pio read ahead */
765 struct decode_cache *c = &ctxt->decode;
766 unsigned int in_page, n;
767 unsigned int count = c->rep_prefix ?
768 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
769 in_page = (ctxt->eflags & EFLG_DF) ?
770 offset_in_page(c->regs[VCPU_REGS_RDI]) :
771 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
772 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
776 rc->pos = rc->end = 0;
777 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
782 memcpy(dest, rc->data + rc->pos, size);
787 static u32 desc_limit_scaled(struct desc_struct *desc)
789 u32 limit = get_desc_limit(desc);
791 return desc->g ? (limit << 12) | 0xfff : limit;
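/* e.g. a page-granular (g=1) limit of 0xfffff scales to 0xffffffff, i.e. 4 GiB - 1. */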
794 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
795 struct x86_emulate_ops *ops,
796 u16 selector, struct desc_ptr *dt)
798 if (selector & 1 << 2) {
799 struct desc_struct desc;
800 memset (dt, 0, sizeof *dt);
801 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
804 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
805 dt->address = get_desc_base(&desc);
807 ops->get_gdt(dt, ctxt->vcpu);
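/*
 * The TI bit (bit 2) of a selector picks the table: e.g. selector 0x000f
 * (index 1, TI=1, RPL=3) is looked up in the LDT, while 0x0008 uses the GDT.
 */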
/* allowed only for 8-byte segment descriptors */
811 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
812 struct x86_emulate_ops *ops,
813 u16 selector, struct desc_struct *desc)
816 u16 index = selector >> 3;
821 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
823 if (dt.size < index * 8 + 7) {
824 emulate_gp(ctxt, selector & 0xfffc);
825 return X86EMUL_PROPAGATE_FAULT;
827 addr = dt.address + index * 8;
828 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
829 if (ret == X86EMUL_PROPAGATE_FAULT)
830 emulate_pf(ctxt, addr, err);
/* allowed only for 8-byte segment descriptors */
836 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
837 struct x86_emulate_ops *ops,
838 u16 selector, struct desc_struct *desc)
841 u16 index = selector >> 3;
846 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
848 if (dt.size < index * 8 + 7) {
849 emulate_gp(ctxt, selector & 0xfffc);
850 return X86EMUL_PROPAGATE_FAULT;
853 addr = dt.address + index * 8;
854 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
855 if (ret == X86EMUL_PROPAGATE_FAULT)
856 emulate_pf(ctxt, addr, err);
861 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
862 struct x86_emulate_ops *ops,
863 u16 selector, int seg)
865 struct desc_struct seg_desc;
867 unsigned err_vec = GP_VECTOR;
869 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
872 memset(&seg_desc, 0, sizeof seg_desc);
874 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
875 || ctxt->mode == X86EMUL_MODE_REAL) {
876 /* set real mode segment descriptor */
877 set_desc_base(&seg_desc, selector << 4);
878 set_desc_limit(&seg_desc, 0xffff);
885 /* NULL selector is not valid for TR, CS and SS */
886 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
890 /* TR should be in GDT only */
891 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
894 if (null_selector) /* for NULL selector skip all following checks */
897 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
898 if (ret != X86EMUL_CONTINUE)
901 err_code = selector & 0xfffc;
	/* can't load a system descriptor into a segment selector */
905 if (seg <= VCPU_SREG_GS && !seg_desc.s)
909 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
915 cpl = ops->cpl(ctxt->vcpu);
		 * segment is not a writable data segment, or segment
		 * selector's RPL != CPL, or segment descriptor's DPL != CPL
923 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
927 if (!(seg_desc.type & 8))
930 if (seg_desc.type & 4) {
936 if (rpl > cpl || dpl != cpl)
940 selector = (selector & 0xfffc) | cpl;
943 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
947 if (seg_desc.s || seg_desc.type != 2)
950 default: /* DS, ES, FS, or GS */
952 * segment is not a data or readable code segment or
953 * ((segment is a data or nonconforming code segment)
954 * and (both RPL and CPL > DPL))
956 if ((seg_desc.type & 0xa) == 0x8 ||
957 (((seg_desc.type & 0xc) != 0xc) &&
958 (rpl > dpl && cpl > dpl)))
964 /* mark segment as accessed */
966 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
967 if (ret != X86EMUL_CONTINUE)
971 ops->set_segment_selector(selector, seg, ctxt->vcpu);
972 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
973 return X86EMUL_CONTINUE;
975 emulate_exception(ctxt, err_vec, err_code, true);
976 return X86EMUL_PROPAGATE_FAULT;
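/*
 * Example: in protected mode, loading a NULL selector into SS takes the
 * exception path above and injects #GP(0).
 */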
979 static inline int writeback(struct x86_emulate_ctxt *ctxt,
980 struct x86_emulate_ops *ops)
983 struct decode_cache *c = &ctxt->decode;
986 switch (c->dst.type) {
		/* The 4-byte case *is* correct:
		 * in 64-bit mode we zero-extend.
		 */
991 switch (c->dst.bytes) {
993 *(u8 *)c->dst.addr.reg = (u8)c->dst.val;
996 *(u16 *)c->dst.addr.reg = (u16)c->dst.val;
999 *c->dst.addr.reg = (u32)c->dst.val;
1000 break; /* 64b: zero-ext */
1002 *c->dst.addr.reg = c->dst.val;
1008 rc = ops->cmpxchg_emulated(
1016 rc = ops->write_emulated(
1022 if (rc == X86EMUL_PROPAGATE_FAULT)
1023 emulate_pf(ctxt, c->dst.addr.mem, err);
1024 if (rc != X86EMUL_CONTINUE)
1033 return X86EMUL_CONTINUE;
1036 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1037 struct x86_emulate_ops *ops)
1039 struct decode_cache *c = &ctxt->decode;
1041 c->dst.type = OP_MEM;
1042 c->dst.bytes = c->op_bytes;
1043 c->dst.val = c->src.val;
1044 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1045 c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
1046 c->regs[VCPU_REGS_RSP]);
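/*
 * e.g. a 32-bit 'push %eax' lands here with op_bytes == 4: RSP is
 * decremented by 4 and a 4-byte store to SS:RSP is queued, to be
 * committed later by writeback().
 */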
1049 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1050 struct x86_emulate_ops *ops,
1051 void *dest, int len)
1053 struct decode_cache *c = &ctxt->decode;
1056 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1057 c->regs[VCPU_REGS_RSP]),
1059 if (rc != X86EMUL_CONTINUE)
1062 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1066 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1067 struct x86_emulate_ops *ops,
1068 void *dest, int len)
1071 unsigned long val, change_mask;
1072 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1073 int cpl = ops->cpl(ctxt->vcpu);
1075 rc = emulate_pop(ctxt, ops, &val, len);
1076 if (rc != X86EMUL_CONTINUE)
1079 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1080 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1082 switch(ctxt->mode) {
1083 case X86EMUL_MODE_PROT64:
1084 case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT16:
		if (cpl == 0)
			change_mask |= EFLG_IOPL;
		if (cpl <= iopl)
			change_mask |= EFLG_IF;
		break;
	case X86EMUL_MODE_VM86:
		if (iopl < 3) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		change_mask |= EFLG_IF;
		break;
1098 default: /* real mode */
1099 change_mask |= (EFLG_IOPL | EFLG_IF);
1103 *(unsigned long *)dest =
1104 (ctxt->eflags & ~change_mask) | (val & change_mask);
1109 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1110 struct x86_emulate_ops *ops, int seg)
1112 struct decode_cache *c = &ctxt->decode;
1114 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1116 emulate_push(ctxt, ops);
1119 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1120 struct x86_emulate_ops *ops, int seg)
1122 struct decode_cache *c = &ctxt->decode;
1123 unsigned long selector;
1126 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1127 if (rc != X86EMUL_CONTINUE)
1130 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1134 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1135 struct x86_emulate_ops *ops)
1137 struct decode_cache *c = &ctxt->decode;
1138 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1139 int rc = X86EMUL_CONTINUE;
1140 int reg = VCPU_REGS_RAX;
1142 while (reg <= VCPU_REGS_RDI) {
		c->src.val = (reg == VCPU_REGS_RSP) ?
			old_esp : c->regs[reg];
1146 emulate_push(ctxt, ops);
1148 rc = writeback(ctxt, ops);
1149 if (rc != X86EMUL_CONTINUE)
1155 /* Disable writeback. */
1156 c->dst.type = OP_NONE;
1161 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1162 struct x86_emulate_ops *ops)
1164 struct decode_cache *c = &ctxt->decode;
1165 int rc = X86EMUL_CONTINUE;
1166 int reg = VCPU_REGS_RDI;
1168 while (reg >= VCPU_REGS_RAX) {
1169 if (reg == VCPU_REGS_RSP) {
1170 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1175 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1176 if (rc != X86EMUL_CONTINUE)
1183 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1184 struct x86_emulate_ops *ops)
1186 struct decode_cache *c = &ctxt->decode;
1187 int rc = X86EMUL_CONTINUE;
1188 unsigned long temp_eip = 0;
1189 unsigned long temp_eflags = 0;
1190 unsigned long cs = 0;
1191 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1192 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1193 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1194 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1196 /* TODO: Add stack limit check */
1198 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1200 if (rc != X86EMUL_CONTINUE)
1203 if (temp_eip & ~0xffff) {
1204 emulate_gp(ctxt, 0);
1205 return X86EMUL_PROPAGATE_FAULT;
1208 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1210 if (rc != X86EMUL_CONTINUE)
1213 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1215 if (rc != X86EMUL_CONTINUE)
1218 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1220 if (rc != X86EMUL_CONTINUE)
1226 if (c->op_bytes == 4)
1227 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1228 else if (c->op_bytes == 2) {
1229 ctxt->eflags &= ~0xffff;
1230 ctxt->eflags |= temp_eflags;
1233 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1234 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1239 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
1242 switch(ctxt->mode) {
1243 case X86EMUL_MODE_REAL:
1244 return emulate_iret_real(ctxt, ops);
1245 case X86EMUL_MODE_VM86:
1246 case X86EMUL_MODE_PROT16:
1247 case X86EMUL_MODE_PROT32:
1248 case X86EMUL_MODE_PROT64:
		/* iret from protected mode is not implemented yet */
1251 return X86EMUL_UNHANDLEABLE;
1255 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1256 struct x86_emulate_ops *ops)
1258 struct decode_cache *c = &ctxt->decode;
1260 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1263 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1265 struct decode_cache *c = &ctxt->decode;
1266 switch (c->modrm_reg) {
1268 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1271 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1274 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1277 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1279 case 4: /* sal/shl */
1280 case 6: /* sal/shl */
1281 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1284 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1287 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1292 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1293 struct x86_emulate_ops *ops)
1295 struct decode_cache *c = &ctxt->decode;
1297 switch (c->modrm_reg) {
1298 case 0 ... 1: /* test */
1299 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1302 c->dst.val = ~c->dst.val;
1305 emulate_1op("neg", c->dst, ctxt->eflags);
1313 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1314 struct x86_emulate_ops *ops)
1316 struct decode_cache *c = &ctxt->decode;
1318 switch (c->modrm_reg) {
1320 emulate_1op("inc", c->dst, ctxt->eflags);
1323 emulate_1op("dec", c->dst, ctxt->eflags);
1325 case 2: /* call near abs */ {
1328 c->eip = c->src.val;
1329 c->src.val = old_eip;
1330 emulate_push(ctxt, ops);
1333 case 4: /* jmp abs */
1334 c->eip = c->src.val;
1337 emulate_push(ctxt, ops);
1340 return X86EMUL_CONTINUE;
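
/*
 * Group 9 (0x0f 0xc7) is cmpxchg8b: if EDX:EAX matches the 64-bit memory
 * operand, ECX:EBX is stored and ZF is set; otherwise EDX:EAX is loaded
 * from the operand and ZF is cleared.
 */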
1343 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1344 struct x86_emulate_ops *ops)
1346 struct decode_cache *c = &ctxt->decode;
1347 u64 old = c->dst.orig_val64;
1349 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1350 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1351 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1352 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1353 ctxt->eflags &= ~EFLG_ZF;
1355 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1356 (u32) c->regs[VCPU_REGS_RBX];
1358 ctxt->eflags |= EFLG_ZF;
1360 return X86EMUL_CONTINUE;
1363 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1364 struct x86_emulate_ops *ops)
1366 struct decode_cache *c = &ctxt->decode;
1370 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1371 if (rc != X86EMUL_CONTINUE)
1373 if (c->op_bytes == 4)
1374 c->eip = (u32)c->eip;
1375 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1376 if (rc != X86EMUL_CONTINUE)
1378 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1383 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1384 struct x86_emulate_ops *ops, struct desc_struct *cs,
1385 struct desc_struct *ss)
1387 memset(cs, 0, sizeof(struct desc_struct));
1388 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1389 memset(ss, 0, sizeof(struct desc_struct));
1391 cs->l = 0; /* will be adjusted later */
1392 set_desc_base(cs, 0); /* flat segment */
1393 cs->g = 1; /* 4kb granularity */
1394 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1395 cs->type = 0x0b; /* Read, Execute, Accessed */
1397 cs->dpl = 0; /* will be adjusted later */
1401 set_desc_base(ss, 0); /* flat segment */
1402 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1403 ss->g = 1; /* 4kb granularity */
1405 ss->type = 0x03; /* Read/Write, Accessed */
1406 ss->d = 1; /* 32bit stack segment */
1412 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1414 struct decode_cache *c = &ctxt->decode;
1415 struct desc_struct cs, ss;
1419 /* syscall is not available in real mode */
1420 if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}
1426 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1428 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
	msr_data >>= 32;
	cs_sel = (u16)(msr_data & 0xfffc);
1431 ss_sel = (u16)(msr_data + 8);
1433 if (is_long_mode(ctxt->vcpu)) {
1437 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1438 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1439 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1440 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1442 c->regs[VCPU_REGS_RCX] = c->eip;
1443 if (is_long_mode(ctxt->vcpu)) {
1444 #ifdef CONFIG_X86_64
1445 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1447 ops->get_msr(ctxt->vcpu,
1448 ctxt->mode == X86EMUL_MODE_PROT64 ?
1449 MSR_LSTAR : MSR_CSTAR, &msr_data);
1452 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1453 ctxt->eflags &= ~(msr_data | EFLG_RF);
1457 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1458 c->eip = (u32)msr_data;
1460 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1463 return X86EMUL_CONTINUE;
1467 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1469 struct decode_cache *c = &ctxt->decode;
1470 struct desc_struct cs, ss;
1474 /* inject #GP if in real mode */
1475 if (ctxt->mode == X86EMUL_MODE_REAL) {
1476 emulate_gp(ctxt, 0);
1477 return X86EMUL_PROPAGATE_FAULT;
	/* XXX sysenter/sysexit have not been tested in 64-bit mode.
	 * Therefore, we inject an #UD.
	 */
	if (ctxt->mode == X86EMUL_MODE_PROT64) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}
1488 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1490 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1491 switch (ctxt->mode) {
1492 case X86EMUL_MODE_PROT32:
1493 if ((msr_data & 0xfffc) == 0x0) {
1494 emulate_gp(ctxt, 0);
1495 return X86EMUL_PROPAGATE_FAULT;
1498 case X86EMUL_MODE_PROT64:
1499 if (msr_data == 0x0) {
1500 emulate_gp(ctxt, 0);
1501 return X86EMUL_PROPAGATE_FAULT;
1506 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1507 cs_sel = (u16)msr_data;
1508 cs_sel &= ~SELECTOR_RPL_MASK;
1509 ss_sel = cs_sel + 8;
1510 ss_sel &= ~SELECTOR_RPL_MASK;
1511 if (ctxt->mode == X86EMUL_MODE_PROT64
1512 || is_long_mode(ctxt->vcpu)) {
1517 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1518 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1519 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1520 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1522 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1525 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1526 c->regs[VCPU_REGS_RSP] = msr_data;
1528 return X86EMUL_CONTINUE;
1532 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1534 struct decode_cache *c = &ctxt->decode;
1535 struct desc_struct cs, ss;
1540 /* inject #GP if in real mode or Virtual 8086 mode */
1541 if (ctxt->mode == X86EMUL_MODE_REAL ||
1542 ctxt->mode == X86EMUL_MODE_VM86) {
1543 emulate_gp(ctxt, 0);
1544 return X86EMUL_PROPAGATE_FAULT;
1547 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1549 if ((c->rex_prefix & 0x8) != 0x0)
1550 usermode = X86EMUL_MODE_PROT64;
1552 usermode = X86EMUL_MODE_PROT32;
1556 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1558 case X86EMUL_MODE_PROT32:
1559 cs_sel = (u16)(msr_data + 16);
1560 if ((msr_data & 0xfffc) == 0x0) {
1561 emulate_gp(ctxt, 0);
1562 return X86EMUL_PROPAGATE_FAULT;
1564 ss_sel = (u16)(msr_data + 24);
1566 case X86EMUL_MODE_PROT64:
1567 cs_sel = (u16)(msr_data + 32);
1568 if (msr_data == 0x0) {
1569 emulate_gp(ctxt, 0);
1570 return X86EMUL_PROPAGATE_FAULT;
1572 ss_sel = cs_sel + 8;
1577 cs_sel |= SELECTOR_RPL_MASK;
1578 ss_sel |= SELECTOR_RPL_MASK;
1580 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1581 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1582 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1583 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1585 c->eip = c->regs[VCPU_REGS_RDX];
1586 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1588 return X86EMUL_CONTINUE;
1591 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1592 struct x86_emulate_ops *ops)
1595 if (ctxt->mode == X86EMUL_MODE_REAL)
1597 if (ctxt->mode == X86EMUL_MODE_VM86)
1599 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1600 return ops->cpl(ctxt->vcpu) > iopl;
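
/*
 * Permission check against the TSS I/O bitmap. Example: an access to
 * port 0x3fd with len == 1 tests bit 5 of the bitmap byte at offset
 * io_bitmap_ptr + 0x7f in the TSS; any set bit in the tested range
 * denies access.
 */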
1603 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1604 struct x86_emulate_ops *ops,
1607 struct desc_struct tr_seg;
1610 u8 perm, bit_idx = port & 0x7;
1611 unsigned mask = (1 << len) - 1;
1613 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1616 if (desc_limit_scaled(&tr_seg) < 103)
1618 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1620 if (r != X86EMUL_CONTINUE)
1622 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1624 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1625 &perm, 1, ctxt->vcpu, NULL);
1626 if (r != X86EMUL_CONTINUE)
	if ((perm >> bit_idx) & mask)
		return false;
	return true;
}
1633 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1634 struct x86_emulate_ops *ops,
	if (emulator_bad_iopl(ctxt, ops))
		if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
			return false;
	ctxt->perm_ok = true;
	return true;
}
1649 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1650 struct x86_emulate_ops *ops,
1651 struct tss_segment_16 *tss)
1653 struct decode_cache *c = &ctxt->decode;
1656 tss->flag = ctxt->eflags;
1657 tss->ax = c->regs[VCPU_REGS_RAX];
1658 tss->cx = c->regs[VCPU_REGS_RCX];
1659 tss->dx = c->regs[VCPU_REGS_RDX];
1660 tss->bx = c->regs[VCPU_REGS_RBX];
1661 tss->sp = c->regs[VCPU_REGS_RSP];
1662 tss->bp = c->regs[VCPU_REGS_RBP];
1663 tss->si = c->regs[VCPU_REGS_RSI];
1664 tss->di = c->regs[VCPU_REGS_RDI];
1666 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1667 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1668 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1669 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1670 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1673 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1674 struct x86_emulate_ops *ops,
1675 struct tss_segment_16 *tss)
1677 struct decode_cache *c = &ctxt->decode;
1681 ctxt->eflags = tss->flag | 2;
1682 c->regs[VCPU_REGS_RAX] = tss->ax;
1683 c->regs[VCPU_REGS_RCX] = tss->cx;
1684 c->regs[VCPU_REGS_RDX] = tss->dx;
1685 c->regs[VCPU_REGS_RBX] = tss->bx;
1686 c->regs[VCPU_REGS_RSP] = tss->sp;
1687 c->regs[VCPU_REGS_RBP] = tss->bp;
1688 c->regs[VCPU_REGS_RSI] = tss->si;
1689 c->regs[VCPU_REGS_RDI] = tss->di;
	 * SDM says that segment selectors are loaded before segment
	 * descriptors.
	 */
1695 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1696 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1697 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1698 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1699 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
	 * Now load segment descriptors. If a fault happens at this stage,
	 * it is handled in the context of the new task.
	 */
1705 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1706 if (ret != X86EMUL_CONTINUE)
1708 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1709 if (ret != X86EMUL_CONTINUE)
1711 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1712 if (ret != X86EMUL_CONTINUE)
1714 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1715 if (ret != X86EMUL_CONTINUE)
1717 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1718 if (ret != X86EMUL_CONTINUE)
1721 return X86EMUL_CONTINUE;
1724 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1725 struct x86_emulate_ops *ops,
1726 u16 tss_selector, u16 old_tss_sel,
1727 ulong old_tss_base, struct desc_struct *new_desc)
1729 struct tss_segment_16 tss_seg;
1731 u32 err, new_tss_base = get_desc_base(new_desc);
1733 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1735 if (ret == X86EMUL_PROPAGATE_FAULT) {
1736 /* FIXME: need to provide precise fault address */
1737 emulate_pf(ctxt, old_tss_base, err);
1741 save_state_to_tss16(ctxt, ops, &tss_seg);
1743 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1745 if (ret == X86EMUL_PROPAGATE_FAULT) {
1746 /* FIXME: need to provide precise fault address */
1747 emulate_pf(ctxt, old_tss_base, err);
1751 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1753 if (ret == X86EMUL_PROPAGATE_FAULT) {
1754 /* FIXME: need to provide precise fault address */
1755 emulate_pf(ctxt, new_tss_base, err);
1759 if (old_tss_sel != 0xffff) {
1760 tss_seg.prev_task_link = old_tss_sel;
1762 ret = ops->write_std(new_tss_base,
1763 &tss_seg.prev_task_link,
1764 sizeof tss_seg.prev_task_link,
1766 if (ret == X86EMUL_PROPAGATE_FAULT) {
1767 /* FIXME: need to provide precise fault address */
1768 emulate_pf(ctxt, new_tss_base, err);
1773 return load_state_from_tss16(ctxt, ops, &tss_seg);
1776 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1777 struct x86_emulate_ops *ops,
1778 struct tss_segment_32 *tss)
1780 struct decode_cache *c = &ctxt->decode;
1782 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
1784 tss->eflags = ctxt->eflags;
1785 tss->eax = c->regs[VCPU_REGS_RAX];
1786 tss->ecx = c->regs[VCPU_REGS_RCX];
1787 tss->edx = c->regs[VCPU_REGS_RDX];
1788 tss->ebx = c->regs[VCPU_REGS_RBX];
1789 tss->esp = c->regs[VCPU_REGS_RSP];
1790 tss->ebp = c->regs[VCPU_REGS_RBP];
1791 tss->esi = c->regs[VCPU_REGS_RSI];
1792 tss->edi = c->regs[VCPU_REGS_RDI];
1794 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1795 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1796 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1797 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1798 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
1799 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
1800 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1803 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1804 struct x86_emulate_ops *ops,
1805 struct tss_segment_32 *tss)
1807 struct decode_cache *c = &ctxt->decode;
1810 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
1811 emulate_gp(ctxt, 0);
1812 return X86EMUL_PROPAGATE_FAULT;
1815 ctxt->eflags = tss->eflags | 2;
1816 c->regs[VCPU_REGS_RAX] = tss->eax;
1817 c->regs[VCPU_REGS_RCX] = tss->ecx;
1818 c->regs[VCPU_REGS_RDX] = tss->edx;
1819 c->regs[VCPU_REGS_RBX] = tss->ebx;
1820 c->regs[VCPU_REGS_RSP] = tss->esp;
1821 c->regs[VCPU_REGS_RBP] = tss->ebp;
1822 c->regs[VCPU_REGS_RSI] = tss->esi;
1823 c->regs[VCPU_REGS_RDI] = tss->edi;
	 * SDM says that segment selectors are loaded before segment
	 * descriptors.
	 */
1829 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
1830 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1831 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1832 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1833 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1834 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
1835 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
	 * Now load segment descriptors. If a fault happens at this stage,
	 * it is handled in the context of the new task.
	 */
1841 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
1842 if (ret != X86EMUL_CONTINUE)
1844 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1845 if (ret != X86EMUL_CONTINUE)
1847 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1848 if (ret != X86EMUL_CONTINUE)
1850 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1851 if (ret != X86EMUL_CONTINUE)
1853 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1854 if (ret != X86EMUL_CONTINUE)
1856 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
1857 if (ret != X86EMUL_CONTINUE)
1859 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
1860 if (ret != X86EMUL_CONTINUE)
1863 return X86EMUL_CONTINUE;
1866 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
1867 struct x86_emulate_ops *ops,
1868 u16 tss_selector, u16 old_tss_sel,
1869 ulong old_tss_base, struct desc_struct *new_desc)
1871 struct tss_segment_32 tss_seg;
1873 u32 err, new_tss_base = get_desc_base(new_desc);
1875 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1877 if (ret == X86EMUL_PROPAGATE_FAULT) {
1878 /* FIXME: need to provide precise fault address */
1879 emulate_pf(ctxt, old_tss_base, err);
1883 save_state_to_tss32(ctxt, ops, &tss_seg);
1885 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1887 if (ret == X86EMUL_PROPAGATE_FAULT) {
1888 /* FIXME: need to provide precise fault address */
1889 emulate_pf(ctxt, old_tss_base, err);
1893 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1895 if (ret == X86EMUL_PROPAGATE_FAULT) {
1896 /* FIXME: need to provide precise fault address */
1897 emulate_pf(ctxt, new_tss_base, err);
1901 if (old_tss_sel != 0xffff) {
1902 tss_seg.prev_task_link = old_tss_sel;
1904 ret = ops->write_std(new_tss_base,
1905 &tss_seg.prev_task_link,
1906 sizeof tss_seg.prev_task_link,
1908 if (ret == X86EMUL_PROPAGATE_FAULT) {
1909 /* FIXME: need to provide precise fault address */
1910 emulate_pf(ctxt, new_tss_base, err);
1915 return load_state_from_tss32(ctxt, ops, &tss_seg);
1918 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
1919 struct x86_emulate_ops *ops,
1920 u16 tss_selector, int reason,
1921 bool has_error_code, u32 error_code)
1923 struct desc_struct curr_tss_desc, next_tss_desc;
1925 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
1926 ulong old_tss_base =
1927 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
1930 /* FIXME: old_tss_base == ~0 ? */
1932 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
1933 if (ret != X86EMUL_CONTINUE)
1935 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
1936 if (ret != X86EMUL_CONTINUE)
1939 /* FIXME: check that next_tss_desc is tss */
1941 if (reason != TASK_SWITCH_IRET) {
1942 if ((tss_selector & 3) > next_tss_desc.dpl ||
1943 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
1944 emulate_gp(ctxt, 0);
1945 return X86EMUL_PROPAGATE_FAULT;
1949 desc_limit = desc_limit_scaled(&next_tss_desc);
1950 if (!next_tss_desc.p ||
1951 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
1952 desc_limit < 0x2b)) {
1953 emulate_ts(ctxt, tss_selector & 0xfffc);
1954 return X86EMUL_PROPAGATE_FAULT;
1957 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
1958 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
1959 write_segment_descriptor(ctxt, ops, old_tss_sel,
1963 if (reason == TASK_SWITCH_IRET)
1964 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
	/* set back link to prev task only if NT bit is set in eflags;
	   note that old_tss_sel is not used after this point */
1968 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
1969 old_tss_sel = 0xffff;
1971 if (next_tss_desc.type & 8)
1972 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
1973 old_tss_base, &next_tss_desc);
1975 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
1976 old_tss_base, &next_tss_desc);
1977 if (ret != X86EMUL_CONTINUE)
1980 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
1981 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
1983 if (reason != TASK_SWITCH_IRET) {
1984 next_tss_desc.type |= (1 << 1); /* set busy flag */
1985 write_segment_descriptor(ctxt, ops, tss_selector,
1989 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
1990 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
1991 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
1993 if (has_error_code) {
1994 struct decode_cache *c = &ctxt->decode;
1996 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
1998 c->src.val = (unsigned long) error_code;
1999 emulate_push(ctxt, ops);
2005 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2006 u16 tss_selector, int reason,
2007 bool has_error_code, u32 error_code)
2009 struct x86_emulate_ops *ops = ctxt->ops;
2010 struct decode_cache *c = &ctxt->decode;
2014 c->dst.type = OP_NONE;
2016 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2017 has_error_code, error_code);
2019 if (rc == X86EMUL_CONTINUE) {
2020 rc = writeback(ctxt, ops);
2021 if (rc == X86EMUL_CONTINUE)
2025 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2028 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2029 int reg, struct operand *op)
2031 struct decode_cache *c = &ctxt->decode;
2032 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2034 register_address_increment(c, &c->regs[reg], df * op->bytes);
2035 op->addr.mem = register_address(c, base, c->regs[reg]);
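/*
 * e.g. for 'movsd' (op->bytes == 4) with EFLAGS.DF clear, RSI and RDI
 * each advance by 4 per iteration; with DF set they step backwards.
 */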
2038 static int em_push(struct x86_emulate_ctxt *ctxt)
2040 emulate_push(ctxt, ctxt->ops);
2041 return X86EMUL_CONTINUE;
#define D(_y) { .flags = (_y) }
#define N    D(0)
2046 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2047 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2048 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
static struct opcode group1[] = {
	X7(D(Lock)), N
};

2054 static struct opcode group1A[] = {
	D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
};
2058 static struct opcode group3[] = {
2059 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2060 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2064 static struct opcode group4[] = {
2065 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2069 static struct opcode group5[] = {
2070 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2071 D(SrcMem | ModRM | Stack), N,
2072 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2073 D(SrcMem | ModRM | Stack), N,
2076 static struct group_dual group7 = { {
2077 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2078 D(SrcNone | ModRM | DstMem | Mov), N,
2079 D(SrcMem16 | ModRM | Mov | Priv),
2080 D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
2082 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
2083 D(SrcNone | ModRM | DstMem | Mov), N,
2084 D(SrcMem16 | ModRM | Mov | Priv), N,
2087 static struct opcode group8[] = {
2089 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2090 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2093 static struct group_dual group9 = { {
2094 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2096 N, N, N, N, N, N, N, N,
2099 static struct opcode opcode_table[256] = {
2101 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2102 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2103 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2104 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2106 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2107 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2108 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2109 D(ImplicitOps | Stack | No64), N,
2111 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2112 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2113 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2114 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2116 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2117 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2118 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2119 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2121 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2122 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2123 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2125 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2126 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2127 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2129 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2130 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2131 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2133 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2134 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2135 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2140 X8(I(SrcReg | Stack, em_push)),
2142 X8(D(DstReg | Stack)),
2144 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2145 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2148 I(SrcImm | Mov | Stack, em_push), N,
2149 I(SrcImmByte | Mov | Stack, em_push), N,
2150 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
2151 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2155 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2156 G(DstMem | SrcImm | ModRM | Group, group1),
2157 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2158 G(DstMem | SrcImmByte | ModRM | Group, group1),
2159 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2160 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2162 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
2163 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
2164 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2165 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2167 X8(D(SrcAcc | DstReg)),
2169 N, N, D(SrcImmFAddr | No64), N,
2170 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2172 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
2173 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
2174 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
2175 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
2177 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
2178 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
2179 D(ByteOp | DstDI | String), D(DstDI | String),
2181 X8(D(ByteOp | DstReg | SrcImm | Mov)),
2183 X8(D(DstReg | SrcImm | Mov)),
2185 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
2186 N, D(ImplicitOps | Stack), N, N,
2187 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
2189 N, N, N, D(ImplicitOps | Stack),
2190 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2192 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
2193 D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
2196 N, N, N, N, N, N, N, N,
2199 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2200 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2202 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2203 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2204 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2205 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2208 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2210 D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
2211 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),

static struct opcode twobyte_table[256] = {
	/* 0x00 - 0x0F */
	N, GD(0, &group7), N, N,
	N, D(ImplicitOps), D(ImplicitOps | Priv), N,
	D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
	N, D(ImplicitOps | ModRM), N, N,
	/* 0x10 - 0x1F */
	N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
	/* 0x20 - 0x2F */
	D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
	D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
	N, N, N, N, N, N, N, N,
	/* 0x30 - 0x3F */
	D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
	D(ImplicitOps), D(ImplicitOps | Priv), N, N,
	N, N, N, N, N, N, N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg | SrcMem | ModRM | Mov)),
	/* 0x50 - 0x5F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x60 - 0x6F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x70 - 0x7F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x90 - 0x9F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xA0 - 0xA7 */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM), N, N,
	/* 0xA8 - 0xAF */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM),
	/* 0xB0 - 0xB7 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xBA - 0xBF */
	G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xC0 - 0xC7 */
	N, N, N, D(DstMem | SrcReg | ModRM | Mov),
	N, N, N, GD(0, &group9),
	/* 0xC8 - 0xCF */
	N, N, N, N, N, N, N, N,
	/* 0xD0 - 0xDF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xEF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xF0 - 0xFF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
};
int
x86_decode_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int mode = ctxt->mode;
	int def_op_bytes, def_ad_bytes, dual, goffset;
	struct opcode opcode, *g_mod012, *g_mod3;
	struct operand memop = { .type = OP_NONE };

	/* We cannot decode a new insn before completing the previous rep insn. */
	WARN_ON(ctxt->restart);
	c->eip = ctxt->eip;
	c->fetch.start = c->fetch.end = c->eip;
	ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);

	switch (mode) {
	case X86EMUL_MODE_REAL:
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
		def_op_bytes = def_ad_bytes = 2;
		break;
	case X86EMUL_MODE_PROT32:
		def_op_bytes = def_ad_bytes = 4;
		break;
#ifdef CONFIG_X86_64
	case X86EMUL_MODE_PROT64:
		def_op_bytes = 4;
		def_ad_bytes = 8;
		break;
#endif
	default:
		return -1;
	}

	c->op_bytes = def_op_bytes;
	c->ad_bytes = def_ad_bytes;
	/* Legacy prefixes. */
	for (;;) {
		switch (c->b = insn_fetch(u8, 1, c->eip)) {
		case 0x66:	/* operand-size override */
			/* switch between 2/4 bytes */
			c->op_bytes = def_op_bytes ^ 6;
			break;
		case 0x67:	/* address-size override */
			if (mode == X86EMUL_MODE_PROT64)
				/* switch between 4/8 bytes */
				c->ad_bytes = def_ad_bytes ^ 12;
			else
				/* switch between 2/4 bytes */
				c->ad_bytes = def_ad_bytes ^ 6;
			break;
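		/*
		 * Illustrative note: the XOR above toggles between the two
		 * legal sizes without a branch: 2 ^ 6 == 4 and 4 ^ 6 == 2
		 * for operands, 4 ^ 12 == 8 and 8 ^ 12 == 4 for addresses
		 * in long mode. E.g. with def_op_bytes == 4, a 0x66 prefix
		 * yields c->op_bytes == 2.
		 */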
		case 0x26:	/* ES override */
		case 0x2e:	/* CS override */
		case 0x36:	/* SS override */
		case 0x3e:	/* DS override */
			set_seg_override(c, (c->b >> 3) & 3);
			break;
		case 0x64:	/* FS override */
		case 0x65:	/* GS override */
			set_seg_override(c, c->b & 7);
			break;
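		/*
		 * Worked example (assuming the usual KVM numbering
		 * VCPU_SREG_ES..VCPU_SREG_GS == 0..5): for prefix 0x36,
		 * (0x36 >> 3) & 3 == 2 == VCPU_SREG_SS; for prefix 0x65,
		 * 0x65 & 7 == 5 == VCPU_SREG_GS.
		 */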
		case 0x40 ... 0x4f: /* REX */
			if (mode != X86EMUL_MODE_PROT64)
				goto done_prefixes;
			c->rex_prefix = c->b;
			continue;
		case 0xf0:	/* LOCK */
			c->lock_prefix = 1;
			break;
		case 0xf2:	/* REPNE/REPNZ */
			c->rep_prefix = REPNE_PREFIX;
			break;
		case 0xf3:	/* REP/REPE/REPZ */
			c->rep_prefix = REPE_PREFIX;
			break;
		default:
			goto done_prefixes;
		}
		/* Any legacy prefix after a REX prefix nullifies its effect. */
		c->rex_prefix = 0;
	}

done_prefixes:

	/* REX prefix. */
	if (c->rex_prefix & 8)
		c->op_bytes = 8;	/* REX.W */
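	/*
	 * Illustrative note: a REX prefix is any byte 0x40-0x4f; its low
	 * nibble holds the W/R/X/B bits, so bit 3 (tested above) is REX.W.
	 * E.g. 0x48 promotes the operand size to 8 bytes, while 0x41 only
	 * extends a register encoding and leaves c->op_bytes alone.
	 */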
	/* Opcode byte(s). */
	opcode = opcode_table[c->b];
	if (opcode.flags == 0) {
		/* Two-byte opcode? */
		if (c->b == 0x0f) {
			c->twobyte = 1;
			c->b = insn_fetch(u8, 1, c->eip);
			opcode = twobyte_table[c->b];
		}
	}
	c->d = opcode.flags;
	if (c->d & Group) {
		dual = c->d & GroupDual;
		c->modrm = insn_fetch(u8, 1, c->eip);
		--c->eip;	/* the byte is re-fetched by decode_modrm() */

		if (c->d & GroupDual) {
			g_mod012 = opcode.u.gdual->mod012;
			g_mod3 = opcode.u.gdual->mod3;
		} else
			g_mod012 = g_mod3 = opcode.u.group;

		c->d &= ~(Group | GroupDual);

		goffset = (c->modrm >> 3) & 7;
		if ((c->modrm >> 6) == 3)
			opcode = g_mod3[goffset];
		else
			opcode = g_mod012[goffset];
		c->d |= opcode.flags;
	}
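	/*
	 * Worked example: for 0x83 /5 (sub r/m, imm8) with ModRM byte
	 * 0xe9, c->modrm >> 6 == 3 and goffset == (0xe9 >> 3) & 7 == 5,
	 * so entry 5 of the group's mod3 table supplies the decode flags
	 * that are OR'ed into c->d above.
	 */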
	c->execute = opcode.u.execute;

	/* Unrecognised? */
	if (c->d == 0 || (c->d & Undefined)) {
		DPRINTF("Cannot emulate %02x\n", c->b);
		return -1;
	}

	if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
		c->op_bytes = 8;

	if (c->d & Op3264) {
		if (mode == X86EMUL_MODE_PROT64)
			c->op_bytes = 8;
		else
			c->op_bytes = 4;
	}
	/* ModRM and SIB bytes. */
	if (c->d & ModRM) {
		rc = decode_modrm(ctxt, ops, &memop);
		if (!c->has_seg_override)
			set_seg_override(c, c->modrm_seg);
	} else if (c->d & MemAbs)
		rc = decode_abs(ctxt, ops, &memop);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	if (!c->has_seg_override)
		set_seg_override(c, VCPU_SREG_DS);

	if (memop.type == OP_MEM && !(!c->twobyte && c->b == 0x8d))
		memop.addr.mem += seg_override_base(ctxt, ops, c);	/* not for lea */

	if (memop.type == OP_MEM && c->ad_bytes != 8)
		memop.addr.mem = (u32)memop.addr.mem;

	if (memop.type == OP_MEM && c->rip_relative)
		memop.addr.mem += c->eip;
	/*
	 * Decode and fetch the source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & SrcMask) {
	case SrcNone:
		break;
	case SrcReg:
		decode_register_operand(&c->src, c, 0);
		break;
	case SrcMem16:
		memop.bytes = 2;
		goto srcmem_common;
	case SrcMem32:
		memop.bytes = 4;
		goto srcmem_common;
	case SrcMem:
		memop.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
	srcmem_common:
		c->src = memop;
		break;
	case SrcImm:
	case SrcImmU:
		c->src.type = OP_IMM;
		c->src.addr.mem = c->eip;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		if (c->src.bytes == 8)
			c->src.bytes = 4;
		/* NB. Immediates are sign-extended as necessary. */
		switch (c->src.bytes) {
		case 1:
			c->src.val = insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->src.val = insn_fetch(s16, 2, c->eip);
			break;
		case 4:
			c->src.val = insn_fetch(s32, 4, c->eip);
			break;
		}
		if ((c->d & SrcMask) == SrcImmU) {
			switch (c->src.bytes) {
			case 1:
				c->src.val &= 0xff;
				break;
			case 2:
				c->src.val &= 0xffff;
				break;
			case 4:
				c->src.val &= 0xffffffff;
				break;
			}
		}
		break;
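	/*
	 * Illustrative example: a four-byte immediate 0x80000000 is
	 * fetched as s32 and sign-extends src.val to 0xffffffff80000000
	 * on 64-bit; for SrcImmU the & 0xffffffff mask above restores the
	 * unsigned value 0x80000000.
	 */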
	case SrcImmByte:
	case SrcImmUByte:
		c->src.type = OP_IMM;
		c->src.addr.mem = c->eip;
		c->src.bytes = 1;
		if ((c->d & SrcMask) == SrcImmByte)
			c->src.val = insn_fetch(s8, 1, c->eip);
		else
			c->src.val = insn_fetch(u8, 1, c->eip);
		break;
	case SrcAcc:
		c->src.type = OP_REG;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
		fetch_register_operand(&c->src);
		break;
	case SrcOne:
		c->src.bytes = 1;
		c->src.val = 1;
		break;
	case SrcSI:
		c->src.type = OP_MEM;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.addr.mem =
			register_address(c, seg_override_base(ctxt, ops, c),
					 c->regs[VCPU_REGS_RSI]);
		c->src.val = 0;
		break;
	case SrcImmFAddr:
		c->src.type = OP_IMM;
		c->src.addr.mem = c->eip;
		c->src.bytes = c->op_bytes + 2;	/* offset + 16-bit selector */
		insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
		break;
	case SrcMemFAddr:
		memop.bytes = c->op_bytes + 2;
		goto srcmem_common;
	}
	/*
	 * Decode and fetch the second source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & Src2Mask) {
	case Src2None:
		break;
	case Src2CL:
		c->src2.bytes = 1;
		c->src2.val = c->regs[VCPU_REGS_RCX] & 0xff;	/* CL = low byte of RCX */
		break;
	case Src2ImmByte:
		c->src2.type = OP_IMM;
		c->src2.addr.mem = c->eip;
		c->src2.bytes = 1;
		c->src2.val = insn_fetch(u8, 1, c->eip);
		break;
	case Src2One:
		c->src2.bytes = 1;
		c->src2.val = 1;
		break;
	}
	/* Decode and fetch the destination operand: register or memory. */
	switch (c->d & DstMask) {
	case ImplicitOps:
		/* Special instructions do their own operand decoding. */
		return 0;
	case DstReg:
		decode_register_operand(&c->dst, c,
			 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
		break;
	case DstMem:
	case DstMem64:
		c->dst = memop;
		if ((c->d & DstMask) == DstMem64)
			c->dst.bytes = 8;
		else
			c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		if (c->dst.type == OP_MEM && (c->d & BitOp)) {
			unsigned long mask = ~(c->dst.bytes * 8 - 1);

			c->dst.addr.mem = c->dst.addr.mem +
					   (c->src.val & mask) / 8;
		}
		c->dst.orig_val = c->dst.val;
		break;
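	/*
	 * Worked example for the BitOp adjustment above: bt mem, reg with
	 * 16-bit operands and src.val == 100 gives mask == ~15UL, so the
	 * effective address advances by (100 & ~15) / 8 == 12 bytes and
	 * the bit test then operates on bit 100 % 16 == 4 of that word.
	 */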
	case DstAcc:
		c->dst.type = OP_REG;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
		fetch_register_operand(&c->dst);
		c->dst.orig_val = c->dst.val;
		break;
	case DstDI:
		c->dst.type = OP_MEM;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.addr.mem =
			register_address(c, es_base(ctxt, ops),
					 c->regs[VCPU_REGS_RDI]);
		c->dst.val = 0;
		break;
	}

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}
int
x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	u64 msr_data;
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int saved_dst_type = c->dst.type;

	ctxt->decode.mem_read.pos = 0;
	if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
		emulate_ud(ctxt);
		goto done;
	}

	/* The LOCK prefix is allowed only with certain instructions. */
	if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
		emulate_ud(ctxt);
		goto done;
	}

	/* Privileged instructions can be executed only at CPL 0. */
	if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		goto done;
	}
	if (c->rep_prefix && (c->d & String)) {
		ctxt->restart = true;
		/* All REP prefixes have the same first termination condition. */
		if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
		string_done:
			ctxt->restart = false;
			ctxt->eip = c->eip;
			goto done;
		}
		/*
		 * The second termination condition applies only to REPE
		 * and REPNE: if the prefix is REPE/REPZ or REPNE/REPNZ,
		 * also check the corresponding flag condition:
		 *	- REPE/REPZ: done if ZF == 0
		 *	- REPNE/REPNZ: done if ZF == 1
		 */
		if ((c->b == 0xa6) || (c->b == 0xa7) ||
		    (c->b == 0xae) || (c->b == 0xaf)) {
			if ((c->rep_prefix == REPE_PREFIX) &&
			    ((ctxt->eflags & EFLG_ZF) == 0))
				goto string_done;
			if ((c->rep_prefix == REPNE_PREFIX) &&
			    ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
				goto string_done;
		}
		c->eip = ctxt->eip;
	}
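	/*
	 * Illustrative note: 0xa6/0xa7 are cmps and 0xae/0xaf are scas,
	 * the only string instructions that update ZF, so they are the
	 * only ones subject to the REPE/REPNE test above; rep
	 * movs/stos/lods terminate on RCX alone.
	 */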
	if (c->src.type == OP_MEM) {
		if (c->d & NoAccess)
			goto no_fetch;
		rc = read_emulated(ctxt, ops, c->src.addr.mem,
					c->src.valptr, c->src.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		c->src.orig_val64 = c->src.val64;
	no_fetch:
		;
	}

	if (c->src2.type == OP_MEM) {
		rc = read_emulated(ctxt, ops, c->src2.addr.mem,
					&c->src2.val, c->src2.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	if ((c->d & DstMask) == ImplicitOps)
		goto special_insn;

	if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
		/* Optimisation: skip the slow emulated read for Mov, which
		 * overwrites the destination without reading it. */
		rc = read_emulated(ctxt, ops, c->dst.addr.mem,
				   &c->dst.val, c->dst.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}
	c->dst.orig_val = c->dst.val;

special_insn:

	if (c->execute) {
		rc = c->execute(ctxt);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		goto writeback;
	}
2716 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2718 case 0x06: /* push es */
2719 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2721 case 0x07: /* pop es */
2722 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2723 if (rc != X86EMUL_CONTINUE)
2728 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2730 case 0x0e: /* push cs */
2731 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2735 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2737 case 0x16: /* push ss */
2738 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2740 case 0x17: /* pop ss */
2741 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2742 if (rc != X86EMUL_CONTINUE)
2747 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2749 case 0x1e: /* push ds */
2750 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2752 case 0x1f: /* pop ds */
2753 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2754 if (rc != X86EMUL_CONTINUE)
2759 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2763 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2767 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2771 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
	case 0x40 ... 0x47: /* inc r16/r32 */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 0x48 ... 0x4f: /* dec r16/r32 */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 0x58 ... 0x5f: /* pop reg */
	pop_instruction:
		rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x60:	/* pusha */
		rc = emulate_pusha(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x61:	/* popa */
		rc = emulate_popa(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x63:		/* movsxd */
		if (ctxt->mode != X86EMUL_MODE_PROT64)
			goto cannot_emulate;
		c->dst.val = (s32) c->src.val;
		break;
	case 0x6c:		/* insb */
	case 0x6d:		/* insw/insd */
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
					  c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
				     c->regs[VCPU_REGS_RDX], &c->dst.val))
			goto done; /* IO is needed, skip writeback */
		break;
	case 0x6e:		/* outsb */
	case 0x6f:		/* outsw/outsd */
		c->src.bytes = min(c->src.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
					  c->src.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
				      &c->src.val, 1, ctxt->vcpu);

		c->dst.type = OP_NONE; /* nothing to writeback */
		break;
	case 0x70 ... 0x7f: /* jcc (short) */
		if (test_cc(c->b, ctxt->eflags))
			jmp_rel(c, c->src.val);
		break;
	case 0x80 ... 0x83:	/* Grp1 */
		switch (c->modrm_reg) {
		case 0:
			goto add;
		case 1:
			goto or;
		case 2:
			goto adc;
		case 3:
			goto sbb;
		case 4:
			goto and;
		case 5:
			goto sub;
		case 6:
			goto xor;
		case 7:
			goto cmp;
		}
		break;
	case 0x84 ... 0x85:
	test:
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 0x86 ... 0x87:	/* xchg */
	xchg:
		/* Write back the register source. */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *) c->src.addr.reg = (u8) c->dst.val;
			break;
		case 2:
			*(u16 *) c->src.addr.reg = (u16) c->dst.val;
			break;
		case 4:
			*c->src.addr.reg = (u32) c->dst.val;
			break;	/* 64b reg: zero-extend */
		case 8:
			*c->src.addr.reg = c->dst.val;
			break;
		}
		/*
		 * Write back the memory destination with implicit LOCK
		 * prefix.
		 */
		c->dst.val = c->src.val;
		c->lock_prefix = 1;
		break;
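	/*
	 * Illustrative note: the 4-byte xchg case above deliberately
	 * stores through the full-width register pointer without a
	 * (u32 *) cast, modelling the architectural rule that a 32-bit
	 * register write zero-extends into the upper half in long mode.
	 */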
	case 0x88 ... 0x8b:	/* mov */
		goto mov;
	case 0x8c:  /* mov r/m, sreg */
		if (c->modrm_reg > VCPU_SREG_GS) {
			emulate_ud(ctxt);
			goto done;
		}
		c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
		break;
	case 0x8d: /* lea r16/r32, m */
		c->dst.val = c->src.addr.mem;
		break;
	case 0x8e: { /* mov seg, r/m16 */
		uint16_t sel;

		sel = c->src.val;

		if (c->modrm_reg == VCPU_SREG_CS ||
		    c->modrm_reg > VCPU_SREG_GS) {
			emulate_ud(ctxt);
			goto done;
		}

		if (c->modrm_reg == VCPU_SREG_SS)
			ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;

		rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);

		c->dst.type = OP_NONE;  /* Disable writeback. */
		break;
	}
	case 0x8f:		/* pop (sole member of Grp1a) */
		rc = emulate_grp1a(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0x90 ... 0x97: /* nop / xchg reg, rax */
		if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
			break;
		goto xchg;
	case 0x9c: /* pushf */
		c->src.val = (unsigned long) ctxt->eflags;
		emulate_push(ctxt, ops);
		break;
	case 0x9d: /* popf */
		c->dst.type = OP_REG;
		c->dst.addr.reg = &ctxt->eflags;
		c->dst.bytes = c->op_bytes;
		rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xa0 ... 0xa3:	/* mov */
	case 0xa4 ... 0xa5:	/* movs */
		goto mov;
	case 0xa6 ... 0xa7:	/* cmps */
		c->dst.type = OP_NONE; /* Disable writeback. */
		DPRINTF("cmps: mem1=0x%p mem2=0x%p\n",
			(void *)c->src.addr.mem, (void *)c->dst.addr.mem);
		goto cmp;
	case 0xa8 ... 0xa9:	/* test ax, imm */
		goto test;
	case 0xaa ... 0xab:	/* stos */
		c->dst.val = c->regs[VCPU_REGS_RAX];
		break;
	case 0xac ... 0xad:	/* lods */
		goto mov;
	case 0xae ... 0xaf:	/* scas */
		DPRINTF("Urk! I don't handle SCAS.\n");
		goto cannot_emulate;
	case 0xb0 ... 0xbf: /* mov r, imm */
		goto mov;
	case 0xc3: /* ret */
		c->dst.type = OP_REG;
		c->dst.addr.reg = &c->eip;
		c->dst.bytes = c->op_bytes;
		goto pop_instruction;
	case 0xc6 ... 0xc7:	/* mov (sole member of Grp11) */
	mov:
		c->dst.val = c->src.val;
		break;
	case 0xcb:		/* ret far */
		rc = emulate_ret_far(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xcf:		/* iret */
		rc = emulate_iret(ctxt, ops);

		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xd0 ... 0xd1:	/* Grp2 */
		c->src.val = 1;
		emulate_grp2(ctxt);
		break;
	case 0xd2 ... 0xd3:	/* Grp2 */
		c->src.val = c->regs[VCPU_REGS_RCX];
		emulate_grp2(ctxt);
		break;
	case 0xe4:	/* inb */
	case 0xe5:	/* in */
		goto do_io_in;
	case 0xe6:	/* outb */
	case 0xe7:	/* out */
		goto do_io_out;
	case 0xe8: /* call (near) */ {
		long int rel = c->src.val;
		c->src.val = (unsigned long) c->eip;
		jmp_rel(c, rel);
		emulate_push(ctxt, ops);
		break;
	}
	case 0xe9: /* jmp rel */
		goto jmp;
	case 0xea: { /* jmp far */
		unsigned short sel;

	jump_far:
		memcpy(&sel, c->src.valptr + c->op_bytes, 2);

		if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
			goto done;

		c->eip = 0;
		memcpy(&c->eip, c->src.valptr, c->op_bytes);
		break;
	}
	case 0xeb:
	      jmp:		/* jmp rel short */
		jmp_rel(c, c->src.val);
		c->dst.type = OP_NONE; /* Disable writeback. */
		break;
	case 0xec: /* in al,dx */
	case 0xed: /* in (e/r)ax,dx */
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_in:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
				     &c->dst.val))
			goto done; /* IO is needed */
		break;
	case 0xee: /* out dx,al */
	case 0xef: /* out dx,(e/r)ax */
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_out:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
				      ctxt->vcpu);
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xf4:              /* hlt */
		ctxt->vcpu->arch.halt_request = 1;
		break;
	case 0xf5:	/* cmc */
		/* complement carry flag from eflags reg */
		ctxt->eflags ^= EFLG_CF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xf6 ... 0xf7:	/* Grp3 */
		if (!emulate_grp3(ctxt, ops))
			goto cannot_emulate;
		break;
	case 0xf8: /* clc */
		ctxt->eflags &= ~EFLG_CF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfa: /* cli */
		if (emulator_bad_iopl(ctxt, ops)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			ctxt->eflags &= ~X86_EFLAGS_IF;
			c->dst.type = OP_NONE;	/* Disable writeback. */
		}
		break;
	case 0xfb: /* sti */
		if (emulator_bad_iopl(ctxt, ops)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
			ctxt->eflags |= X86_EFLAGS_IF;
			c->dst.type = OP_NONE;	/* Disable writeback. */
		}
		break;
	case 0xfc: /* cld */
		ctxt->eflags &= ~EFLG_DF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfd: /* std */
		ctxt->eflags |= EFLG_DF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfe: /* Grp4 */
	grp45:
		rc = emulate_grp45(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xff: /* Grp5 */
		if (c->modrm_reg == 5)
			goto jump_far;
		goto grp45;
	default:
		goto cannot_emulate;
	}

writeback:
	rc = writeback(ctxt, ops);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/*
	 * Restore dst type in case the decoding is reused
	 * (happens for string instructions).
	 */
	c->dst.type = saved_dst_type;

	if ((c->d & SrcMask) == SrcSI)
		string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
				VCPU_REGS_RSI, &c->src);

	if ((c->d & DstMask) == DstDI)
		string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
				&c->dst);

	if (c->rep_prefix && (c->d & String)) {
		struct read_cache *rc = &ctxt->decode.io_read;
		register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
		/*
		 * Re-enter the guest when the pio read-ahead buffer is
		 * empty or, if it is not used, after every 1024 iterations.
		 */
		if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
		    (rc->end != 0 && rc->end == rc->pos))
			ctxt->restart = false;
	}
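	/*
	 * Illustrative note: without the check above, a single "rep movsb"
	 * with a huge RCX would be emulated to completion in one call.
	 * Clearing ctxt->restart every 0x400 iterations (or when the
	 * read-ahead buffer drains) bounds the work done per entry so the
	 * vcpu can service pending events in between.
	 */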
	/*
	 * Reset the read cache here in case the string instruction is
	 * restarted without decoding.
	 */
	ctxt->decode.mem_read.end = 0;
	ctxt->eip = c->eip;

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;

twobyte_insn:
	switch (c->b) {
	case 0x01: /* lgdt, lidt, lmsw */
		switch (c->modrm_reg) {
			u16 size;
			unsigned long address;

		case 0: /* vmcall */
			if (c->modrm_mod != 3 || c->modrm_rm != 1)
				goto cannot_emulate;

			rc = kvm_fix_hypercall(ctxt->vcpu);
			if (rc != X86EMUL_CONTINUE)
				goto done;

			/* Let the processor re-execute the fixed hypercall */
			c->eip = ctxt->eip;
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 2: /* lgdt */
			rc = read_descriptor(ctxt, ops, c->src.addr.mem,
					     &size, &address, c->op_bytes);
			if (rc != X86EMUL_CONTINUE)
				goto done;
			realmode_lgdt(ctxt->vcpu, size, address);
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 3: /* lidt/vmmcall */
			if (c->modrm_mod == 3) {
				switch (c->modrm_rm) {
				case 1:
					rc = kvm_fix_hypercall(ctxt->vcpu);
					if (rc != X86EMUL_CONTINUE)
						goto done;
					break;
				default:
					goto cannot_emulate;
				}
			} else {
				rc = read_descriptor(ctxt, ops, c->src.addr.mem,
						     &size, &address,
						     c->op_bytes);
				if (rc != X86EMUL_CONTINUE)
					goto done;
				realmode_lidt(ctxt->vcpu, size, address);
			}
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		case 4: /* smsw */
			c->dst.val = ops->get_cr(0, ctxt->vcpu);
			break;
		case 6: /* lmsw */
			/* lmsw updates MP/EM/TS and can set (but not clear) PE */
			ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
				    (c->src.val & 0x0f), ctxt->vcpu);
			c->dst.type = OP_NONE;
			break;
		case 5: /* not defined */
			emulate_ud(ctxt);
			goto done;
		case 7: /* invlpg */
			emulate_invlpg(ctxt->vcpu, c->src.addr.mem);
			/* Disable writeback. */
			c->dst.type = OP_NONE;
			break;
		default:
			goto cannot_emulate;
		}
		break;
	case 0x05: 	/* syscall */
		rc = emulate_syscall(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x06: /* clts */
		emulate_clts(ctxt->vcpu);
		c->dst.type = OP_NONE;
		break;
	case 0x09:		/* wbinvd */
		kvm_emulate_wbinvd(ctxt->vcpu);
		c->dst.type = OP_NONE;
		break;
	case 0x08:		/* invd */
	case 0x0d:		/* GrpP (prefetch) */
	case 0x18:		/* Grp16 (prefetch/nop) */
		c->dst.type = OP_NONE;
		break;
	case 0x20: /* mov cr, reg */
		switch (c->modrm_reg) {
		case 1:
		case 5 ... 7:
		case 9 ... 15:
			emulate_ud(ctxt);
			goto done;
		}
		c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
		break;
	case 0x21: /* mov from dr to reg */
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
			emulate_ud(ctxt);
			goto done;
		}
		ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
		break;
	case 0x22: /* mov reg, cr */
		if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		c->dst.type = OP_NONE;
		break;
	case 0x23: /* mov from reg to dr */
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
			emulate_ud(ctxt);
			goto done;
		}

		if (ops->set_dr(c->modrm_reg, c->src.val &
				((ctxt->mode == X86EMUL_MODE_PROT64) ?
				 ~0ULL : ~0U), ctxt->vcpu) < 0) {
			/* #UD condition is already handled by the code above */
			emulate_gp(ctxt, 0);
			goto done;
		}

		c->dst.type = OP_NONE;	/* no writeback */
		break;
	case 0x30:
		/* wrmsr */
		msr_data = (u32)c->regs[VCPU_REGS_RAX]
			| ((u64)c->regs[VCPU_REGS_RDX] << 32);
		if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
			emulate_gp(ctxt, 0);
			goto done;
		}
		rc = X86EMUL_CONTINUE;
		c->dst.type = OP_NONE;
		break;
	case 0x32:
		/* rdmsr */
		if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
			emulate_gp(ctxt, 0);
			goto done;
		} else {
			c->regs[VCPU_REGS_RAX] = (u32)msr_data;
			c->regs[VCPU_REGS_RDX] = msr_data >> 32;
		}
		rc = X86EMUL_CONTINUE;
		c->dst.type = OP_NONE;
		break;
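	/*
	 * Illustrative example: a rdmsr of 0x1122334455667788 leaves
	 * RAX == 0x55667788 and RDX == 0x11223344; the wrmsr case above
	 * reassembles the same edx:eax pair into msr_data.
	 */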
	case 0x34:		/* sysenter */
		rc = emulate_sysenter(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x35:		/* sysexit */
		rc = emulate_sysexit(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		else
			goto writeback;
		break;
	case 0x40 ... 0x4f:	/* cmov */
		c->dst.val = c->dst.orig_val = c->src.val;
		if (!test_cc(c->b, ctxt->eflags))
			c->dst.type = OP_NONE; /* no writeback */
		break;
	case 0x80 ... 0x8f: /* jcc rel (near), e.g. jnz rel */
		if (test_cc(c->b, ctxt->eflags))
			jmp_rel(c, c->src.val);
		c->dst.type = OP_NONE;
		break;
	case 0xa0:	  /* push fs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
		break;
	case 0xa1:	 /* pop fs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xa3:
	      bt:		/* bt */
		c->dst.type = OP_NONE;
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
		break;
	case 0xa4: /* shld imm8, r, r/m */
	case 0xa5: /* shld cl, r, r/m */
		emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
		break;
	case 0xa8:	/* push gs */
		emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
		break;
	case 0xa9:	/* pop gs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	case 0xab:
	      bts:		/* bts */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
		break;
	case 0xac: /* shrd imm8, r, r/m */
	case 0xad: /* shrd cl, r, r/m */
		emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
		break;
	case 0xae:		/* clflush */
		break;
	case 0xb0 ... 0xb1:	/* cmpxchg */
		/*
		 * Save real source value, then compare EAX against
		 * destination.
		 */
		c->src.orig_val = c->src.val;
		c->src.val = c->regs[VCPU_REGS_RAX];
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
		if (ctxt->eflags & EFLG_ZF) {
			/* Success: write back to memory. */
			c->dst.val = c->src.orig_val;
		} else {
			/* Failure: write the value we saw to EAX. */
			c->dst.type = OP_REG;
			c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
		}
		break;
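	/*
	 * Illustrative note: this mirrors architectural cmpxchg. When the
	 * compare sets ZF, the saved source value is written to the
	 * destination; otherwise the destination's old value (already in
	 * c->dst.val) lands in EAX by retargeting the writeback at the
	 * RAX register operand.
	 */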
	case 0xb3:
	      btr:		/* btr */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
		break;
	case 0xb6 ... 0xb7:	/* movzx */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
					     : (u16) c->src.val;
		break;
	case 0xba:		/* Grp8 */
		switch (c->modrm_reg & 3) {
		case 0:
			goto bt;
		case 1:
			goto bts;
		case 2:
			goto btr;
		case 3:
			goto btc;
		}
		break;
	case 0xbb:
	      btc:		/* btc */
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
		emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
		break;
	case 0xbe ... 0xbf:	/* movsx */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
					       (s16) c->src.val;
		break;
	case 0xc3:		/* movnti */
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
						  (u64) c->src.val;
		break;
	case 0xc7:		/* Grp9 (cmpxchg8b) */
		rc = emulate_grp9(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
	default:
		goto cannot_emulate;
	}
	goto writeback;

cannot_emulate:
	DPRINTF("Cannot emulate %02x\n", c->b);
	return -1;
}