1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
32 * Opcode effective-address decode tables.
33 * Note that we only emulate instructions that have at least one memory
34 * operand (excluding implicit stack references). We assume that stack
35 * references and instruction fetches will never occur in special memory
36 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
40 /* Operand sizes: 8-bit operands or specified/overridden size. */
41 #define ByteOp (1<<0) /* 8-bit operands. */
42 /* Destination operand type. */
43 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
44 #define DstReg (2<<1) /* Register operand. */
45 #define DstMem (3<<1) /* Memory operand. */
46 #define DstAcc (4<<1) /* Destination Accumulator */
47 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
48 #define DstMem64 (6<<1) /* 64bit memory operand */
49 #define DstImmUByte (7<<1) /* 8-bit unsigned immediate operand */
50 #define DstMask (7<<1)
51 /* Source operand type. */
52 #define SrcNone (0<<4) /* No source operand. */
53 #define SrcReg (1<<4) /* Register operand. */
54 #define SrcMem (2<<4) /* Memory operand. */
55 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
56 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
57 #define SrcImm (5<<4) /* Immediate operand. */
58 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
59 #define SrcOne (7<<4) /* Implied '1' */
60 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
61 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
62 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
63 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
64 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
65 #define SrcAcc (0xd<<4) /* Source Accumulator */
66 #define SrcImmU16 (0xe<<4) /* Immediate operand, unsigned, 16 bits */
67 #define SrcMask (0xf<<4)
68 /* Generic ModRM decode. */
70 /* Destination is only written; never read. */
73 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
74 #define String (1<<12) /* String instruction (rep capable) */
75 #define Stack (1<<13) /* Stack instruction (push/pop) */
76 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
77 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
78 #define Prefix (1<<16) /* Instruction varies with 66/f2/f3 prefix */
79 #define Sse (1<<17) /* SSE Vector instruction */
81 #define VendorSpecific (1<<22) /* Vendor specific instruction */
82 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
83 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
84 #define Undefined (1<<25) /* No Such Instruction */
85 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
86 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
88 /* Source 2 operand type */
89 #define Src2None (0<<29)
90 #define Src2CL (1<<29)
91 #define Src2ImmByte (2<<29)
92 #define Src2One (3<<29)
93 #define Src2Imm (4<<29)
94 #define Src2Mask (7<<29)
97 #define X3(x...) X2(x), x
98 #define X4(x...) X2(x), X2(x)
99 #define X5(x...) X4(x), x
100 #define X6(x...) X4(x), X2(x)
101 #define X7(x...) X4(x), X3(x)
102 #define X8(x...) X4(x), X4(x)
103 #define X16(x...) X8(x), X8(x)
109 int (*execute)(struct x86_emulate_ctxt *ctxt);
110 struct opcode *group;
111 struct group_dual *gdual;
112 struct gprefix *gprefix;
117 struct opcode mod012[8];
118 struct opcode mod3[8];
122 struct opcode pfx_no;
123 struct opcode pfx_66;
124 struct opcode pfx_f2;
125 struct opcode pfx_f3;
128 /* EFLAGS bit definitions. */
129 #define EFLG_ID (1<<21)
130 #define EFLG_VIP (1<<20)
131 #define EFLG_VIF (1<<19)
132 #define EFLG_AC (1<<18)
133 #define EFLG_VM (1<<17)
134 #define EFLG_RF (1<<16)
135 #define EFLG_IOPL (3<<12)
136 #define EFLG_NT (1<<14)
137 #define EFLG_OF (1<<11)
138 #define EFLG_DF (1<<10)
139 #define EFLG_IF (1<<9)
140 #define EFLG_TF (1<<8)
141 #define EFLG_SF (1<<7)
142 #define EFLG_ZF (1<<6)
143 #define EFLG_AF (1<<4)
144 #define EFLG_PF (1<<2)
145 #define EFLG_CF (1<<0)
147 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
148 #define EFLG_RESERVED_ONE_MASK 2
151 * Instruction emulation:
152 * Most instructions are emulated directly via a fragment of inline assembly
153 * code. This allows us to save/restore EFLAGS and thus very easily pick up
154 * any modified flags.
157 #if defined(CONFIG_X86_64)
158 #define _LO32 "k" /* force 32-bit operand */
159 #define _STK "%%rsp" /* stack pointer */
160 #elif defined(__i386__)
161 #define _LO32 "" /* force 32-bit operand */
162 #define _STK "%%esp" /* stack pointer */
166 * These EFLAGS bits are restored from saved value during emulation, and
167 * any changes are written back to the saved value after emulation.
169 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
171 /* Before executing instruction: restore necessary bits in EFLAGS. */
172 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
173 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
174 "movl %"_sav",%"_LO32 _tmp"; " \
177 "movl %"_msk",%"_LO32 _tmp"; " \
178 "andl %"_LO32 _tmp",("_STK"); " \
180 "notl %"_LO32 _tmp"; " \
181 "andl %"_LO32 _tmp",("_STK"); " \
182 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
184 "orl %"_LO32 _tmp",("_STK"); " \
188 /* After executing instruction: write-back necessary bits in EFLAGS. */
189 #define _POST_EFLAGS(_sav, _msk, _tmp) \
190 /* _sav |= EFLAGS & _msk; */ \
193 "andl %"_msk",%"_LO32 _tmp"; " \
194 "orl %"_LO32 _tmp",%"_sav"; "
202 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
204 __asm__ __volatile__ ( \
205 _PRE_EFLAGS("0", "4", "2") \
206 _op _suffix " %"_x"3,%1; " \
207 _POST_EFLAGS("0", "4", "2") \
208 : "=m" (_eflags), "+q" (*(_dsttype*)&(_dst).val),\
210 : _y ((_src).val), "i" (EFLAGS_MASK)); \
214 /* Raw emulation: instruction has two explicit operands. */
215 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
217 unsigned long _tmp; \
219 switch ((_dst).bytes) { \
221 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
224 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l",u32);\
227 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q",u64)); \
232 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
234 unsigned long _tmp; \
235 switch ((_dst).bytes) { \
237 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
240 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
241 _wx, _wy, _lx, _ly, _qx, _qy); \
246 /* Source operand is byte-sized and may be restricted to just %cl. */
247 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
248 __emulate_2op(_op, _src, _dst, _eflags, \
249 "b", "c", "b", "c", "b", "c", "b", "c")
251 /* Source operand is byte, word, long or quad sized. */
252 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
253 __emulate_2op(_op, _src, _dst, _eflags, \
254 "b", "q", "w", "r", _LO32, "r", "", "r")
256 /* Source operand is word, long or quad sized. */
257 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
258 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
259 "w", "r", _LO32, "r", "", "r")
261 /* Instruction has three operands and one operand is stored in ECX register */
262 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
264 unsigned long _tmp; \
265 _type _clv = (_cl).val; \
266 _type _srcv = (_src).val; \
267 _type _dstv = (_dst).val; \
269 __asm__ __volatile__ ( \
270 _PRE_EFLAGS("0", "5", "2") \
271 _op _suffix " %4,%1 \n" \
272 _POST_EFLAGS("0", "5", "2") \
273 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
274 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
277 (_cl).val = (unsigned long) _clv; \
278 (_src).val = (unsigned long) _srcv; \
279 (_dst).val = (unsigned long) _dstv; \
282 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
284 switch ((_dst).bytes) { \
286 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
287 "w", unsigned short); \
290 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
291 "l", unsigned int); \
294 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
295 "q", unsigned long)); \
300 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
302 unsigned long _tmp; \
304 __asm__ __volatile__ ( \
305 _PRE_EFLAGS("0", "3", "2") \
306 _op _suffix " %1; " \
307 _POST_EFLAGS("0", "3", "2") \
308 : "=m" (_eflags), "+m" ((_dst).val), \
310 : "i" (EFLAGS_MASK)); \
313 /* Instruction has only one explicit operand (no source operand). */
314 #define emulate_1op(_op, _dst, _eflags) \
316 switch ((_dst).bytes) { \
317 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
318 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
319 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
320 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
324 #define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix) \
326 unsigned long _tmp; \
328 __asm__ __volatile__ ( \
329 _PRE_EFLAGS("0", "4", "1") \
330 _op _suffix " %5; " \
331 _POST_EFLAGS("0", "4", "1") \
332 : "=m" (_eflags), "=&r" (_tmp), \
333 "+a" (_rax), "+d" (_rdx) \
334 : "i" (EFLAGS_MASK), "m" ((_src).val), \
335 "a" (_rax), "d" (_rdx)); \
338 #define __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _suffix, _ex) \
340 unsigned long _tmp; \
342 __asm__ __volatile__ ( \
343 _PRE_EFLAGS("0", "5", "1") \
345 _op _suffix " %6; " \
347 _POST_EFLAGS("0", "5", "1") \
348 ".pushsection .fixup,\"ax\" \n\t" \
349 "3: movb $1, %4 \n\t" \
352 _ASM_EXTABLE(1b, 3b) \
353 : "=m" (_eflags), "=&r" (_tmp), \
354 "+a" (_rax), "+d" (_rdx), "+qm"(_ex) \
355 : "i" (EFLAGS_MASK), "m" ((_src).val), \
356 "a" (_rax), "d" (_rdx)); \
359 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
360 #define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags) \
362 switch((_src).bytes) { \
363 case 1: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "b"); break; \
364 case 2: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "w"); break; \
365 case 4: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "l"); break; \
366 case 8: ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "q")); break; \
370 #define emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _ex) \
372 switch((_src).bytes) { \
374 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
375 _eflags, "b", _ex); \
378 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
379 _eflags, "w", _ex); \
382 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
383 _eflags, "l", _ex); \
386 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
387 _eflags, "q", _ex)); \
392 /* Fetch next part of the instruction being emulated. */
393 #define insn_fetch(_type, _size, _eip) \
394 ({ unsigned long _x; \
395 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
396 if (rc != X86EMUL_CONTINUE) \
402 #define insn_fetch_arr(_arr, _size, _eip) \
403 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
404 if (rc != X86EMUL_CONTINUE) \
409 static inline unsigned long ad_mask(struct decode_cache *c)
411 return (1UL << (c->ad_bytes << 3)) - 1;
414 /* Access/update address held in a register, based on addressing mode. */
415 static inline unsigned long
416 address_mask(struct decode_cache *c, unsigned long reg)
418 if (c->ad_bytes == sizeof(unsigned long))
421 return reg & ad_mask(c);
424 static inline unsigned long
425 register_address(struct decode_cache *c, unsigned long reg)
427 return address_mask(c, reg);
431 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
433 if (c->ad_bytes == sizeof(unsigned long))
436 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
439 static inline void jmp_rel(struct decode_cache *c, int rel)
441 register_address_increment(c, &c->eip, rel);
444 static void set_seg_override(struct decode_cache *c, int seg)
446 c->has_seg_override = true;
447 c->seg_override = seg;
450 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
451 struct x86_emulate_ops *ops, int seg)
453 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
456 return ops->get_cached_segment_base(seg, ctxt->vcpu);
459 static unsigned seg_override(struct x86_emulate_ctxt *ctxt,
460 struct x86_emulate_ops *ops,
461 struct decode_cache *c)
463 if (!c->has_seg_override)
466 return c->seg_override;
469 static ulong linear(struct x86_emulate_ctxt *ctxt,
470 struct segmented_address addr)
472 struct decode_cache *c = &ctxt->decode;
475 la = seg_base(ctxt, ctxt->ops, addr.seg) + addr.ea;
476 if (c->ad_bytes != 8)
481 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
482 u32 error, bool valid)
484 ctxt->exception.vector = vec;
485 ctxt->exception.error_code = error;
486 ctxt->exception.error_code_valid = valid;
487 return X86EMUL_PROPAGATE_FAULT;
490 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
492 return emulate_exception(ctxt, GP_VECTOR, err, true);
495 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
497 return emulate_exception(ctxt, UD_VECTOR, 0, false);
500 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
502 return emulate_exception(ctxt, TS_VECTOR, err, true);
505 static int emulate_de(struct x86_emulate_ctxt *ctxt)
507 return emulate_exception(ctxt, DE_VECTOR, 0, false);
510 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
512 return emulate_exception(ctxt, NM_VECTOR, 0, false);
515 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
516 struct x86_emulate_ops *ops,
517 unsigned long eip, u8 *dest)
519 struct fetch_cache *fc = &ctxt->decode.fetch;
523 if (eip == fc->end) {
524 cur_size = fc->end - fc->start;
525 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
526 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
527 size, ctxt->vcpu, &ctxt->exception);
528 if (rc != X86EMUL_CONTINUE)
532 *dest = fc->data[eip - fc->start];
533 return X86EMUL_CONTINUE;
536 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
537 struct x86_emulate_ops *ops,
538 unsigned long eip, void *dest, unsigned size)
542 /* x86 instructions are limited to 15 bytes. */
543 if (eip + size - ctxt->eip > 15)
544 return X86EMUL_UNHANDLEABLE;
546 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
547 if (rc != X86EMUL_CONTINUE)
550 return X86EMUL_CONTINUE;
554 * Given the 'reg' portion of a ModRM byte, and a register block, return a
555 * pointer into the block that addresses the relevant register.
556 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
558 static void *decode_register(u8 modrm_reg, unsigned long *regs,
563 p = ®s[modrm_reg];
564 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
565 p = (unsigned char *)®s[modrm_reg & 3] + 1;
569 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
570 struct x86_emulate_ops *ops,
571 struct segmented_address addr,
572 u16 *size, unsigned long *address, int op_bytes)
579 rc = ops->read_std(linear(ctxt, addr), (unsigned long *)size, 2,
580 ctxt->vcpu, &ctxt->exception);
581 if (rc != X86EMUL_CONTINUE)
584 rc = ops->read_std(linear(ctxt, addr), address, op_bytes,
585 ctxt->vcpu, &ctxt->exception);
589 static int test_cc(unsigned int condition, unsigned int flags)
593 switch ((condition & 15) >> 1) {
595 rc |= (flags & EFLG_OF);
597 case 1: /* b/c/nae */
598 rc |= (flags & EFLG_CF);
601 rc |= (flags & EFLG_ZF);
604 rc |= (flags & (EFLG_CF|EFLG_ZF));
607 rc |= (flags & EFLG_SF);
610 rc |= (flags & EFLG_PF);
613 rc |= (flags & EFLG_ZF);
616 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
620 /* Odd condition identifiers (lsb == 1) have inverted sense. */
621 return (!!rc ^ (condition & 1));
624 static void fetch_register_operand(struct operand *op)
628 op->val = *(u8 *)op->addr.reg;
631 op->val = *(u16 *)op->addr.reg;
634 op->val = *(u32 *)op->addr.reg;
637 op->val = *(u64 *)op->addr.reg;
642 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
644 ctxt->ops->get_fpu(ctxt);
646 case 0: asm("movdqu %%xmm0, %0" : "=m"(*data)); break;
647 case 1: asm("movdqu %%xmm1, %0" : "=m"(*data)); break;
648 case 2: asm("movdqu %%xmm2, %0" : "=m"(*data)); break;
649 case 3: asm("movdqu %%xmm3, %0" : "=m"(*data)); break;
650 case 4: asm("movdqu %%xmm4, %0" : "=m"(*data)); break;
651 case 5: asm("movdqu %%xmm5, %0" : "=m"(*data)); break;
652 case 6: asm("movdqu %%xmm6, %0" : "=m"(*data)); break;
653 case 7: asm("movdqu %%xmm7, %0" : "=m"(*data)); break;
655 case 8: asm("movdqu %%xmm8, %0" : "=m"(*data)); break;
656 case 9: asm("movdqu %%xmm9, %0" : "=m"(*data)); break;
657 case 10: asm("movdqu %%xmm10, %0" : "=m"(*data)); break;
658 case 11: asm("movdqu %%xmm11, %0" : "=m"(*data)); break;
659 case 12: asm("movdqu %%xmm12, %0" : "=m"(*data)); break;
660 case 13: asm("movdqu %%xmm13, %0" : "=m"(*data)); break;
661 case 14: asm("movdqu %%xmm14, %0" : "=m"(*data)); break;
662 case 15: asm("movdqu %%xmm15, %0" : "=m"(*data)); break;
666 ctxt->ops->put_fpu(ctxt);
669 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
672 ctxt->ops->get_fpu(ctxt);
674 case 0: asm("movdqu %0, %%xmm0" : : "m"(*data)); break;
675 case 1: asm("movdqu %0, %%xmm1" : : "m"(*data)); break;
676 case 2: asm("movdqu %0, %%xmm2" : : "m"(*data)); break;
677 case 3: asm("movdqu %0, %%xmm3" : : "m"(*data)); break;
678 case 4: asm("movdqu %0, %%xmm4" : : "m"(*data)); break;
679 case 5: asm("movdqu %0, %%xmm5" : : "m"(*data)); break;
680 case 6: asm("movdqu %0, %%xmm6" : : "m"(*data)); break;
681 case 7: asm("movdqu %0, %%xmm7" : : "m"(*data)); break;
683 case 8: asm("movdqu %0, %%xmm8" : : "m"(*data)); break;
684 case 9: asm("movdqu %0, %%xmm9" : : "m"(*data)); break;
685 case 10: asm("movdqu %0, %%xmm10" : : "m"(*data)); break;
686 case 11: asm("movdqu %0, %%xmm11" : : "m"(*data)); break;
687 case 12: asm("movdqu %0, %%xmm12" : : "m"(*data)); break;
688 case 13: asm("movdqu %0, %%xmm13" : : "m"(*data)); break;
689 case 14: asm("movdqu %0, %%xmm14" : : "m"(*data)); break;
690 case 15: asm("movdqu %0, %%xmm15" : : "m"(*data)); break;
694 ctxt->ops->put_fpu(ctxt);
697 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
699 struct decode_cache *c,
702 unsigned reg = c->modrm_reg;
703 int highbyte_regs = c->rex_prefix == 0;
706 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
712 read_sse_reg(ctxt, &op->vec_val, reg);
717 if ((c->d & ByteOp) && !inhibit_bytereg) {
718 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
721 op->addr.reg = decode_register(reg, c->regs, 0);
722 op->bytes = c->op_bytes;
724 fetch_register_operand(op);
725 op->orig_val = op->val;
728 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
729 struct x86_emulate_ops *ops,
732 struct decode_cache *c = &ctxt->decode;
734 int index_reg = 0, base_reg = 0, scale;
735 int rc = X86EMUL_CONTINUE;
739 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
740 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
741 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
744 c->modrm = insn_fetch(u8, 1, c->eip);
745 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
746 c->modrm_reg |= (c->modrm & 0x38) >> 3;
747 c->modrm_rm |= (c->modrm & 0x07);
748 c->modrm_seg = VCPU_SREG_DS;
750 if (c->modrm_mod == 3) {
752 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
753 op->addr.reg = decode_register(c->modrm_rm,
754 c->regs, c->d & ByteOp);
758 op->addr.xmm = c->modrm_rm;
759 read_sse_reg(ctxt, &op->vec_val, c->modrm_rm);
762 fetch_register_operand(op);
768 if (c->ad_bytes == 2) {
769 unsigned bx = c->regs[VCPU_REGS_RBX];
770 unsigned bp = c->regs[VCPU_REGS_RBP];
771 unsigned si = c->regs[VCPU_REGS_RSI];
772 unsigned di = c->regs[VCPU_REGS_RDI];
774 /* 16-bit ModR/M decode. */
775 switch (c->modrm_mod) {
777 if (c->modrm_rm == 6)
778 modrm_ea += insn_fetch(u16, 2, c->eip);
781 modrm_ea += insn_fetch(s8, 1, c->eip);
784 modrm_ea += insn_fetch(u16, 2, c->eip);
787 switch (c->modrm_rm) {
807 if (c->modrm_mod != 0)
814 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
815 (c->modrm_rm == 6 && c->modrm_mod != 0))
816 c->modrm_seg = VCPU_SREG_SS;
817 modrm_ea = (u16)modrm_ea;
819 /* 32/64-bit ModR/M decode. */
820 if ((c->modrm_rm & 7) == 4) {
821 sib = insn_fetch(u8, 1, c->eip);
822 index_reg |= (sib >> 3) & 7;
826 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
827 modrm_ea += insn_fetch(s32, 4, c->eip);
829 modrm_ea += c->regs[base_reg];
831 modrm_ea += c->regs[index_reg] << scale;
832 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
833 if (ctxt->mode == X86EMUL_MODE_PROT64)
836 modrm_ea += c->regs[c->modrm_rm];
837 switch (c->modrm_mod) {
839 if (c->modrm_rm == 5)
840 modrm_ea += insn_fetch(s32, 4, c->eip);
843 modrm_ea += insn_fetch(s8, 1, c->eip);
846 modrm_ea += insn_fetch(s32, 4, c->eip);
850 op->addr.mem.ea = modrm_ea;
855 static int decode_abs(struct x86_emulate_ctxt *ctxt,
856 struct x86_emulate_ops *ops,
859 struct decode_cache *c = &ctxt->decode;
860 int rc = X86EMUL_CONTINUE;
863 switch (c->ad_bytes) {
865 op->addr.mem.ea = insn_fetch(u16, 2, c->eip);
868 op->addr.mem.ea = insn_fetch(u32, 4, c->eip);
871 op->addr.mem.ea = insn_fetch(u64, 8, c->eip);
878 static void fetch_bit_operand(struct decode_cache *c)
882 if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
883 mask = ~(c->dst.bytes * 8 - 1);
885 if (c->src.bytes == 2)
886 sv = (s16)c->src.val & (s16)mask;
887 else if (c->src.bytes == 4)
888 sv = (s32)c->src.val & (s32)mask;
890 c->dst.addr.mem.ea += (sv >> 3);
893 /* only subword offset */
894 c->src.val &= (c->dst.bytes << 3) - 1;
897 static int read_emulated(struct x86_emulate_ctxt *ctxt,
898 struct x86_emulate_ops *ops,
899 unsigned long addr, void *dest, unsigned size)
902 struct read_cache *mc = &ctxt->decode.mem_read;
905 int n = min(size, 8u);
907 if (mc->pos < mc->end)
910 rc = ops->read_emulated(addr, mc->data + mc->end, n,
911 &ctxt->exception, ctxt->vcpu);
912 if (rc != X86EMUL_CONTINUE)
917 memcpy(dest, mc->data + mc->pos, n);
922 return X86EMUL_CONTINUE;
925 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
926 struct x86_emulate_ops *ops,
927 unsigned int size, unsigned short port,
930 struct read_cache *rc = &ctxt->decode.io_read;
932 if (rc->pos == rc->end) { /* refill pio read ahead */
933 struct decode_cache *c = &ctxt->decode;
934 unsigned int in_page, n;
935 unsigned int count = c->rep_prefix ?
936 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
937 in_page = (ctxt->eflags & EFLG_DF) ?
938 offset_in_page(c->regs[VCPU_REGS_RDI]) :
939 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
940 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
944 rc->pos = rc->end = 0;
945 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
950 memcpy(dest, rc->data + rc->pos, size);
955 static u32 desc_limit_scaled(struct desc_struct *desc)
957 u32 limit = get_desc_limit(desc);
959 return desc->g ? (limit << 12) | 0xfff : limit;
962 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
963 struct x86_emulate_ops *ops,
964 u16 selector, struct desc_ptr *dt)
966 if (selector & 1 << 2) {
967 struct desc_struct desc;
968 memset (dt, 0, sizeof *dt);
969 if (!ops->get_cached_descriptor(&desc, NULL, VCPU_SREG_LDTR,
973 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
974 dt->address = get_desc_base(&desc);
976 ops->get_gdt(dt, ctxt->vcpu);
979 /* allowed just for 8 bytes segments */
980 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
981 struct x86_emulate_ops *ops,
982 u16 selector, struct desc_struct *desc)
985 u16 index = selector >> 3;
989 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
991 if (dt.size < index * 8 + 7)
992 return emulate_gp(ctxt, selector & 0xfffc);
993 addr = dt.address + index * 8;
994 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu,
1000 /* allowed just for 8 bytes segments */
1001 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1002 struct x86_emulate_ops *ops,
1003 u16 selector, struct desc_struct *desc)
1006 u16 index = selector >> 3;
1010 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1012 if (dt.size < index * 8 + 7)
1013 return emulate_gp(ctxt, selector & 0xfffc);
1015 addr = dt.address + index * 8;
1016 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu,
1022 /* Does not support long mode */
1023 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1024 struct x86_emulate_ops *ops,
1025 u16 selector, int seg)
1027 struct desc_struct seg_desc;
1029 unsigned err_vec = GP_VECTOR;
1031 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1034 memset(&seg_desc, 0, sizeof seg_desc);
1036 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1037 || ctxt->mode == X86EMUL_MODE_REAL) {
1038 /* set real mode segment descriptor */
1039 set_desc_base(&seg_desc, selector << 4);
1040 set_desc_limit(&seg_desc, 0xffff);
1047 /* NULL selector is not valid for TR, CS and SS */
1048 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1052 /* TR should be in GDT only */
1053 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1056 if (null_selector) /* for NULL selector skip all following checks */
1059 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1060 if (ret != X86EMUL_CONTINUE)
1063 err_code = selector & 0xfffc;
1064 err_vec = GP_VECTOR;
1066 /* can't load system descriptor into segment selecor */
1067 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1071 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1077 cpl = ops->cpl(ctxt->vcpu);
1082 * segment is not a writable data segment or segment
1083 * selector's RPL != CPL or segment selector's RPL != CPL
1085 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1089 if (!(seg_desc.type & 8))
1092 if (seg_desc.type & 4) {
1098 if (rpl > cpl || dpl != cpl)
1101 /* CS(RPL) <- CPL */
1102 selector = (selector & 0xfffc) | cpl;
1105 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1108 case VCPU_SREG_LDTR:
1109 if (seg_desc.s || seg_desc.type != 2)
1112 default: /* DS, ES, FS, or GS */
1114 * segment is not a data or readable code segment or
1115 * ((segment is a data or nonconforming code segment)
1116 * and (both RPL and CPL > DPL))
1118 if ((seg_desc.type & 0xa) == 0x8 ||
1119 (((seg_desc.type & 0xc) != 0xc) &&
1120 (rpl > dpl && cpl > dpl)))
1126 /* mark segment as accessed */
1128 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1129 if (ret != X86EMUL_CONTINUE)
1133 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1134 ops->set_cached_descriptor(&seg_desc, 0, seg, ctxt->vcpu);
1135 return X86EMUL_CONTINUE;
1137 emulate_exception(ctxt, err_vec, err_code, true);
1138 return X86EMUL_PROPAGATE_FAULT;
1141 static void write_register_operand(struct operand *op)
1143 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1144 switch (op->bytes) {
1146 *(u8 *)op->addr.reg = (u8)op->val;
1149 *(u16 *)op->addr.reg = (u16)op->val;
1152 *op->addr.reg = (u32)op->val;
1153 break; /* 64b: zero-extend */
1155 *op->addr.reg = op->val;
1160 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1161 struct x86_emulate_ops *ops)
1164 struct decode_cache *c = &ctxt->decode;
1166 switch (c->dst.type) {
1168 write_register_operand(&c->dst);
1172 rc = ops->cmpxchg_emulated(
1173 linear(ctxt, c->dst.addr.mem),
1180 rc = ops->write_emulated(
1181 linear(ctxt, c->dst.addr.mem),
1186 if (rc != X86EMUL_CONTINUE)
1190 write_sse_reg(ctxt, &c->dst.vec_val, c->dst.addr.xmm);
1198 return X86EMUL_CONTINUE;
1201 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1202 struct x86_emulate_ops *ops)
1204 struct decode_cache *c = &ctxt->decode;
1206 c->dst.type = OP_MEM;
1207 c->dst.bytes = c->op_bytes;
1208 c->dst.val = c->src.val;
1209 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1210 c->dst.addr.mem.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
1211 c->dst.addr.mem.seg = VCPU_SREG_SS;
1214 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1215 struct x86_emulate_ops *ops,
1216 void *dest, int len)
1218 struct decode_cache *c = &ctxt->decode;
1220 struct segmented_address addr;
1222 addr.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
1223 addr.seg = VCPU_SREG_SS;
1224 rc = read_emulated(ctxt, ops, linear(ctxt, addr), dest, len);
1225 if (rc != X86EMUL_CONTINUE)
1228 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1232 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1233 struct x86_emulate_ops *ops,
1234 void *dest, int len)
1237 unsigned long val, change_mask;
1238 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1239 int cpl = ops->cpl(ctxt->vcpu);
1241 rc = emulate_pop(ctxt, ops, &val, len);
1242 if (rc != X86EMUL_CONTINUE)
1245 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1246 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1248 switch(ctxt->mode) {
1249 case X86EMUL_MODE_PROT64:
1250 case X86EMUL_MODE_PROT32:
1251 case X86EMUL_MODE_PROT16:
1253 change_mask |= EFLG_IOPL;
1255 change_mask |= EFLG_IF;
1257 case X86EMUL_MODE_VM86:
1259 return emulate_gp(ctxt, 0);
1260 change_mask |= EFLG_IF;
1262 default: /* real mode */
1263 change_mask |= (EFLG_IOPL | EFLG_IF);
1267 *(unsigned long *)dest =
1268 (ctxt->eflags & ~change_mask) | (val & change_mask);
1273 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1274 struct x86_emulate_ops *ops, int seg)
1276 struct decode_cache *c = &ctxt->decode;
1278 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1280 emulate_push(ctxt, ops);
1283 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1284 struct x86_emulate_ops *ops, int seg)
1286 struct decode_cache *c = &ctxt->decode;
1287 unsigned long selector;
1290 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1291 if (rc != X86EMUL_CONTINUE)
1294 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1298 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1299 struct x86_emulate_ops *ops)
1301 struct decode_cache *c = &ctxt->decode;
1302 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1303 int rc = X86EMUL_CONTINUE;
1304 int reg = VCPU_REGS_RAX;
1306 while (reg <= VCPU_REGS_RDI) {
1307 (reg == VCPU_REGS_RSP) ?
1308 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1310 emulate_push(ctxt, ops);
1312 rc = writeback(ctxt, ops);
1313 if (rc != X86EMUL_CONTINUE)
1319 /* Disable writeback. */
1320 c->dst.type = OP_NONE;
1325 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1326 struct x86_emulate_ops *ops)
1328 struct decode_cache *c = &ctxt->decode;
1329 int rc = X86EMUL_CONTINUE;
1330 int reg = VCPU_REGS_RDI;
1332 while (reg >= VCPU_REGS_RAX) {
1333 if (reg == VCPU_REGS_RSP) {
1334 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1339 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1340 if (rc != X86EMUL_CONTINUE)
1347 int emulate_int_real(struct x86_emulate_ctxt *ctxt,
1348 struct x86_emulate_ops *ops, int irq)
1350 struct decode_cache *c = &ctxt->decode;
1357 /* TODO: Add limit checks */
1358 c->src.val = ctxt->eflags;
1359 emulate_push(ctxt, ops);
1360 rc = writeback(ctxt, ops);
1361 if (rc != X86EMUL_CONTINUE)
1364 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1366 c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1367 emulate_push(ctxt, ops);
1368 rc = writeback(ctxt, ops);
1369 if (rc != X86EMUL_CONTINUE)
1372 c->src.val = c->eip;
1373 emulate_push(ctxt, ops);
1374 rc = writeback(ctxt, ops);
1375 if (rc != X86EMUL_CONTINUE)
1378 c->dst.type = OP_NONE;
1380 ops->get_idt(&dt, ctxt->vcpu);
1382 eip_addr = dt.address + (irq << 2);
1383 cs_addr = dt.address + (irq << 2) + 2;
1385 rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &ctxt->exception);
1386 if (rc != X86EMUL_CONTINUE)
1389 rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &ctxt->exception);
1390 if (rc != X86EMUL_CONTINUE)
1393 rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
1394 if (rc != X86EMUL_CONTINUE)
1402 static int emulate_int(struct x86_emulate_ctxt *ctxt,
1403 struct x86_emulate_ops *ops, int irq)
1405 switch(ctxt->mode) {
1406 case X86EMUL_MODE_REAL:
1407 return emulate_int_real(ctxt, ops, irq);
1408 case X86EMUL_MODE_VM86:
1409 case X86EMUL_MODE_PROT16:
1410 case X86EMUL_MODE_PROT32:
1411 case X86EMUL_MODE_PROT64:
1413 /* Protected mode interrupts unimplemented yet */
1414 return X86EMUL_UNHANDLEABLE;
1418 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1419 struct x86_emulate_ops *ops)
1421 struct decode_cache *c = &ctxt->decode;
1422 int rc = X86EMUL_CONTINUE;
1423 unsigned long temp_eip = 0;
1424 unsigned long temp_eflags = 0;
1425 unsigned long cs = 0;
1426 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1427 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1428 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1429 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1431 /* TODO: Add stack limit check */
1433 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1435 if (rc != X86EMUL_CONTINUE)
1438 if (temp_eip & ~0xffff)
1439 return emulate_gp(ctxt, 0);
1441 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1443 if (rc != X86EMUL_CONTINUE)
1446 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1448 if (rc != X86EMUL_CONTINUE)
1451 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1453 if (rc != X86EMUL_CONTINUE)
1459 if (c->op_bytes == 4)
1460 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1461 else if (c->op_bytes == 2) {
1462 ctxt->eflags &= ~0xffff;
1463 ctxt->eflags |= temp_eflags;
1466 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1467 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1472 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1473 struct x86_emulate_ops* ops)
1475 switch(ctxt->mode) {
1476 case X86EMUL_MODE_REAL:
1477 return emulate_iret_real(ctxt, ops);
1478 case X86EMUL_MODE_VM86:
1479 case X86EMUL_MODE_PROT16:
1480 case X86EMUL_MODE_PROT32:
1481 case X86EMUL_MODE_PROT64:
1483 /* iret from protected mode unimplemented yet */
1484 return X86EMUL_UNHANDLEABLE;
1488 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1489 struct x86_emulate_ops *ops)
1491 struct decode_cache *c = &ctxt->decode;
1493 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1496 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1498 struct decode_cache *c = &ctxt->decode;
1499 switch (c->modrm_reg) {
1501 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1504 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1507 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1510 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1512 case 4: /* sal/shl */
1513 case 6: /* sal/shl */
1514 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1517 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1520 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1525 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1526 struct x86_emulate_ops *ops)
1528 struct decode_cache *c = &ctxt->decode;
1529 unsigned long *rax = &c->regs[VCPU_REGS_RAX];
1530 unsigned long *rdx = &c->regs[VCPU_REGS_RDX];
1533 switch (c->modrm_reg) {
1534 case 0 ... 1: /* test */
1535 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1538 c->dst.val = ~c->dst.val;
1541 emulate_1op("neg", c->dst, ctxt->eflags);
1544 emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
1547 emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
1550 emulate_1op_rax_rdx_ex("div", c->src, *rax, *rdx,
1554 emulate_1op_rax_rdx_ex("idiv", c->src, *rax, *rdx,
1558 return X86EMUL_UNHANDLEABLE;
1561 return emulate_de(ctxt);
1562 return X86EMUL_CONTINUE;
1565 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1566 struct x86_emulate_ops *ops)
1568 struct decode_cache *c = &ctxt->decode;
1570 switch (c->modrm_reg) {
1572 emulate_1op("inc", c->dst, ctxt->eflags);
1575 emulate_1op("dec", c->dst, ctxt->eflags);
1577 case 2: /* call near abs */ {
1580 c->eip = c->src.val;
1581 c->src.val = old_eip;
1582 emulate_push(ctxt, ops);
1585 case 4: /* jmp abs */
1586 c->eip = c->src.val;
1589 emulate_push(ctxt, ops);
1592 return X86EMUL_CONTINUE;
1595 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1596 struct x86_emulate_ops *ops)
1598 struct decode_cache *c = &ctxt->decode;
1599 u64 old = c->dst.orig_val64;
1601 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1602 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1603 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1604 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1605 ctxt->eflags &= ~EFLG_ZF;
1607 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1608 (u32) c->regs[VCPU_REGS_RBX];
1610 ctxt->eflags |= EFLG_ZF;
1612 return X86EMUL_CONTINUE;
1615 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1616 struct x86_emulate_ops *ops)
1618 struct decode_cache *c = &ctxt->decode;
1622 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1623 if (rc != X86EMUL_CONTINUE)
1625 if (c->op_bytes == 4)
1626 c->eip = (u32)c->eip;
1627 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1628 if (rc != X86EMUL_CONTINUE)
1630 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1634 static int emulate_load_segment(struct x86_emulate_ctxt *ctxt,
1635 struct x86_emulate_ops *ops, int seg)
1637 struct decode_cache *c = &ctxt->decode;
1641 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
1643 rc = load_segment_descriptor(ctxt, ops, sel, seg);
1644 if (rc != X86EMUL_CONTINUE)
1647 c->dst.val = c->src.val;
1652 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1653 struct x86_emulate_ops *ops, struct desc_struct *cs,
1654 struct desc_struct *ss)
1656 memset(cs, 0, sizeof(struct desc_struct));
1657 ops->get_cached_descriptor(cs, NULL, VCPU_SREG_CS, ctxt->vcpu);
1658 memset(ss, 0, sizeof(struct desc_struct));
1660 cs->l = 0; /* will be adjusted later */
1661 set_desc_base(cs, 0); /* flat segment */
1662 cs->g = 1; /* 4kb granularity */
1663 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1664 cs->type = 0x0b; /* Read, Execute, Accessed */
1666 cs->dpl = 0; /* will be adjusted later */
1670 set_desc_base(ss, 0); /* flat segment */
1671 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1672 ss->g = 1; /* 4kb granularity */
1674 ss->type = 0x03; /* Read/Write, Accessed */
1675 ss->d = 1; /* 32bit stack segment */
1681 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1683 struct decode_cache *c = &ctxt->decode;
1684 struct desc_struct cs, ss;
1688 /* syscall is not available in real mode */
1689 if (ctxt->mode == X86EMUL_MODE_REAL ||
1690 ctxt->mode == X86EMUL_MODE_VM86)
1691 return emulate_ud(ctxt);
1693 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1695 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1697 cs_sel = (u16)(msr_data & 0xfffc);
1698 ss_sel = (u16)(msr_data + 8);
1700 if (is_long_mode(ctxt->vcpu)) {
1704 ops->set_cached_descriptor(&cs, 0, VCPU_SREG_CS, ctxt->vcpu);
1705 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1706 ops->set_cached_descriptor(&ss, 0, VCPU_SREG_SS, ctxt->vcpu);
1707 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1709 c->regs[VCPU_REGS_RCX] = c->eip;
1710 if (is_long_mode(ctxt->vcpu)) {
1711 #ifdef CONFIG_X86_64
1712 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1714 ops->get_msr(ctxt->vcpu,
1715 ctxt->mode == X86EMUL_MODE_PROT64 ?
1716 MSR_LSTAR : MSR_CSTAR, &msr_data);
1719 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1720 ctxt->eflags &= ~(msr_data | EFLG_RF);
1724 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1725 c->eip = (u32)msr_data;
1727 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1730 return X86EMUL_CONTINUE;
1734 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1736 struct decode_cache *c = &ctxt->decode;
1737 struct desc_struct cs, ss;
1741 /* inject #GP if in real mode */
1742 if (ctxt->mode == X86EMUL_MODE_REAL)
1743 return emulate_gp(ctxt, 0);
1745 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1746 * Therefore, we inject an #UD.
1748 if (ctxt->mode == X86EMUL_MODE_PROT64)
1749 return emulate_ud(ctxt);
1751 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1753 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1754 switch (ctxt->mode) {
1755 case X86EMUL_MODE_PROT32:
1756 if ((msr_data & 0xfffc) == 0x0)
1757 return emulate_gp(ctxt, 0);
1759 case X86EMUL_MODE_PROT64:
1760 if (msr_data == 0x0)
1761 return emulate_gp(ctxt, 0);
1765 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1766 cs_sel = (u16)msr_data;
1767 cs_sel &= ~SELECTOR_RPL_MASK;
1768 ss_sel = cs_sel + 8;
1769 ss_sel &= ~SELECTOR_RPL_MASK;
1770 if (ctxt->mode == X86EMUL_MODE_PROT64
1771 || is_long_mode(ctxt->vcpu)) {
1776 ops->set_cached_descriptor(&cs, 0, VCPU_SREG_CS, ctxt->vcpu);
1777 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1778 ops->set_cached_descriptor(&ss, 0, VCPU_SREG_SS, ctxt->vcpu);
1779 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1781 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1784 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1785 c->regs[VCPU_REGS_RSP] = msr_data;
1787 return X86EMUL_CONTINUE;
1791 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1793 struct decode_cache *c = &ctxt->decode;
1794 struct desc_struct cs, ss;
1799 /* inject #GP if in real mode or Virtual 8086 mode */
1800 if (ctxt->mode == X86EMUL_MODE_REAL ||
1801 ctxt->mode == X86EMUL_MODE_VM86)
1802 return emulate_gp(ctxt, 0);
1804 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1806 if ((c->rex_prefix & 0x8) != 0x0)
1807 usermode = X86EMUL_MODE_PROT64;
1809 usermode = X86EMUL_MODE_PROT32;
1813 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1815 case X86EMUL_MODE_PROT32:
1816 cs_sel = (u16)(msr_data + 16);
1817 if ((msr_data & 0xfffc) == 0x0)
1818 return emulate_gp(ctxt, 0);
1819 ss_sel = (u16)(msr_data + 24);
1821 case X86EMUL_MODE_PROT64:
1822 cs_sel = (u16)(msr_data + 32);
1823 if (msr_data == 0x0)
1824 return emulate_gp(ctxt, 0);
1825 ss_sel = cs_sel + 8;
1830 cs_sel |= SELECTOR_RPL_MASK;
1831 ss_sel |= SELECTOR_RPL_MASK;
1833 ops->set_cached_descriptor(&cs, 0, VCPU_SREG_CS, ctxt->vcpu);
1834 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1835 ops->set_cached_descriptor(&ss, 0, VCPU_SREG_SS, ctxt->vcpu);
1836 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1838 c->eip = c->regs[VCPU_REGS_RDX];
1839 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1841 return X86EMUL_CONTINUE;
1844 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1845 struct x86_emulate_ops *ops)
1848 if (ctxt->mode == X86EMUL_MODE_REAL)
1850 if (ctxt->mode == X86EMUL_MODE_VM86)
1852 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1853 return ops->cpl(ctxt->vcpu) > iopl;
1856 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1857 struct x86_emulate_ops *ops,
1860 struct desc_struct tr_seg;
1863 u16 io_bitmap_ptr, perm, bit_idx = port & 0x7;
1864 unsigned mask = (1 << len) - 1;
1867 ops->get_cached_descriptor(&tr_seg, &base3, VCPU_SREG_TR, ctxt->vcpu);
1870 if (desc_limit_scaled(&tr_seg) < 103)
1872 base = get_desc_base(&tr_seg);
1873 #ifdef CONFIG_X86_64
1874 base |= ((u64)base3) << 32;
1876 r = ops->read_std(base + 102, &io_bitmap_ptr, 2, ctxt->vcpu, NULL);
1877 if (r != X86EMUL_CONTINUE)
1879 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1881 r = ops->read_std(base + io_bitmap_ptr + port/8, &perm, 2, ctxt->vcpu,
1883 if (r != X86EMUL_CONTINUE)
1885 if ((perm >> bit_idx) & mask)
1890 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1891 struct x86_emulate_ops *ops,
1897 if (emulator_bad_iopl(ctxt, ops))
1898 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1901 ctxt->perm_ok = true;
1906 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1907 struct x86_emulate_ops *ops,
1908 struct tss_segment_16 *tss)
1910 struct decode_cache *c = &ctxt->decode;
1913 tss->flag = ctxt->eflags;
1914 tss->ax = c->regs[VCPU_REGS_RAX];
1915 tss->cx = c->regs[VCPU_REGS_RCX];
1916 tss->dx = c->regs[VCPU_REGS_RDX];
1917 tss->bx = c->regs[VCPU_REGS_RBX];
1918 tss->sp = c->regs[VCPU_REGS_RSP];
1919 tss->bp = c->regs[VCPU_REGS_RBP];
1920 tss->si = c->regs[VCPU_REGS_RSI];
1921 tss->di = c->regs[VCPU_REGS_RDI];
1923 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1924 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1925 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1926 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1927 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1930 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1931 struct x86_emulate_ops *ops,
1932 struct tss_segment_16 *tss)
1934 struct decode_cache *c = &ctxt->decode;
1938 ctxt->eflags = tss->flag | 2;
1939 c->regs[VCPU_REGS_RAX] = tss->ax;
1940 c->regs[VCPU_REGS_RCX] = tss->cx;
1941 c->regs[VCPU_REGS_RDX] = tss->dx;
1942 c->regs[VCPU_REGS_RBX] = tss->bx;
1943 c->regs[VCPU_REGS_RSP] = tss->sp;
1944 c->regs[VCPU_REGS_RBP] = tss->bp;
1945 c->regs[VCPU_REGS_RSI] = tss->si;
1946 c->regs[VCPU_REGS_RDI] = tss->di;
1949 * SDM says that segment selectors are loaded before segment
1952 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1953 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1954 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1955 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1956 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1959 * Now load segment descriptors. If fault happenes at this stage
1960 * it is handled in a context of new task
1962 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1963 if (ret != X86EMUL_CONTINUE)
1965 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1966 if (ret != X86EMUL_CONTINUE)
1968 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1969 if (ret != X86EMUL_CONTINUE)
1971 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1972 if (ret != X86EMUL_CONTINUE)
1974 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1975 if (ret != X86EMUL_CONTINUE)
1978 return X86EMUL_CONTINUE;
1981 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1982 struct x86_emulate_ops *ops,
1983 u16 tss_selector, u16 old_tss_sel,
1984 ulong old_tss_base, struct desc_struct *new_desc)
1986 struct tss_segment_16 tss_seg;
1988 u32 new_tss_base = get_desc_base(new_desc);
1990 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1992 if (ret != X86EMUL_CONTINUE)
1993 /* FIXME: need to provide precise fault address */
1996 save_state_to_tss16(ctxt, ops, &tss_seg);
1998 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2000 if (ret != X86EMUL_CONTINUE)
2001 /* FIXME: need to provide precise fault address */
2004 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2006 if (ret != X86EMUL_CONTINUE)
2007 /* FIXME: need to provide precise fault address */
2010 if (old_tss_sel != 0xffff) {
2011 tss_seg.prev_task_link = old_tss_sel;
2013 ret = ops->write_std(new_tss_base,
2014 &tss_seg.prev_task_link,
2015 sizeof tss_seg.prev_task_link,
2016 ctxt->vcpu, &ctxt->exception);
2017 if (ret != X86EMUL_CONTINUE)
2018 /* FIXME: need to provide precise fault address */
2022 return load_state_from_tss16(ctxt, ops, &tss_seg);
2025 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2026 struct x86_emulate_ops *ops,
2027 struct tss_segment_32 *tss)
2029 struct decode_cache *c = &ctxt->decode;
2031 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2033 tss->eflags = ctxt->eflags;
2034 tss->eax = c->regs[VCPU_REGS_RAX];
2035 tss->ecx = c->regs[VCPU_REGS_RCX];
2036 tss->edx = c->regs[VCPU_REGS_RDX];
2037 tss->ebx = c->regs[VCPU_REGS_RBX];
2038 tss->esp = c->regs[VCPU_REGS_RSP];
2039 tss->ebp = c->regs[VCPU_REGS_RBP];
2040 tss->esi = c->regs[VCPU_REGS_RSI];
2041 tss->edi = c->regs[VCPU_REGS_RDI];
2043 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2044 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2045 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2046 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2047 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2048 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2049 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2052 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2053 struct x86_emulate_ops *ops,
2054 struct tss_segment_32 *tss)
2056 struct decode_cache *c = &ctxt->decode;
2059 if (ops->set_cr(3, tss->cr3, ctxt->vcpu))
2060 return emulate_gp(ctxt, 0);
2062 ctxt->eflags = tss->eflags | 2;
2063 c->regs[VCPU_REGS_RAX] = tss->eax;
2064 c->regs[VCPU_REGS_RCX] = tss->ecx;
2065 c->regs[VCPU_REGS_RDX] = tss->edx;
2066 c->regs[VCPU_REGS_RBX] = tss->ebx;
2067 c->regs[VCPU_REGS_RSP] = tss->esp;
2068 c->regs[VCPU_REGS_RBP] = tss->ebp;
2069 c->regs[VCPU_REGS_RSI] = tss->esi;
2070 c->regs[VCPU_REGS_RDI] = tss->edi;
2073 * SDM says that segment selectors are loaded before segment
2076 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2077 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2078 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2079 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2080 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2081 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2082 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2085 * Now load segment descriptors. If fault happenes at this stage
2086 * it is handled in a context of new task
2088 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2089 if (ret != X86EMUL_CONTINUE)
2091 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2092 if (ret != X86EMUL_CONTINUE)
2094 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2095 if (ret != X86EMUL_CONTINUE)
2097 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2098 if (ret != X86EMUL_CONTINUE)
2100 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2101 if (ret != X86EMUL_CONTINUE)
2103 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2104 if (ret != X86EMUL_CONTINUE)
2106 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2107 if (ret != X86EMUL_CONTINUE)
2110 return X86EMUL_CONTINUE;
2113 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2114 struct x86_emulate_ops *ops,
2115 u16 tss_selector, u16 old_tss_sel,
2116 ulong old_tss_base, struct desc_struct *new_desc)
2118 struct tss_segment_32 tss_seg;
2120 u32 new_tss_base = get_desc_base(new_desc);
2122 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2124 if (ret != X86EMUL_CONTINUE)
2125 /* FIXME: need to provide precise fault address */
2128 save_state_to_tss32(ctxt, ops, &tss_seg);
2130 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2132 if (ret != X86EMUL_CONTINUE)
2133 /* FIXME: need to provide precise fault address */
2136 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2138 if (ret != X86EMUL_CONTINUE)
2139 /* FIXME: need to provide precise fault address */
2142 if (old_tss_sel != 0xffff) {
2143 tss_seg.prev_task_link = old_tss_sel;
2145 ret = ops->write_std(new_tss_base,
2146 &tss_seg.prev_task_link,
2147 sizeof tss_seg.prev_task_link,
2148 ctxt->vcpu, &ctxt->exception);
2149 if (ret != X86EMUL_CONTINUE)
2150 /* FIXME: need to provide precise fault address */
2154 return load_state_from_tss32(ctxt, ops, &tss_seg);
2157 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2158 struct x86_emulate_ops *ops,
2159 u16 tss_selector, int reason,
2160 bool has_error_code, u32 error_code)
2162 struct desc_struct curr_tss_desc, next_tss_desc;
2164 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2165 ulong old_tss_base =
2166 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2169 /* FIXME: old_tss_base == ~0 ? */
2171 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2172 if (ret != X86EMUL_CONTINUE)
2174 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2175 if (ret != X86EMUL_CONTINUE)
2178 /* FIXME: check that next_tss_desc is tss */
2180 if (reason != TASK_SWITCH_IRET) {
2181 if ((tss_selector & 3) > next_tss_desc.dpl ||
2182 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl)
2183 return emulate_gp(ctxt, 0);
2186 desc_limit = desc_limit_scaled(&next_tss_desc);
2187 if (!next_tss_desc.p ||
2188 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2189 desc_limit < 0x2b)) {
2190 emulate_ts(ctxt, tss_selector & 0xfffc);
2191 return X86EMUL_PROPAGATE_FAULT;
2194 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2195 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2196 write_segment_descriptor(ctxt, ops, old_tss_sel,
2200 if (reason == TASK_SWITCH_IRET)
2201 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2203 /* set back link to prev task only if NT bit is set in eflags
2204 note that old_tss_sel is not used afetr this point */
2205 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2206 old_tss_sel = 0xffff;
2208 if (next_tss_desc.type & 8)
2209 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2210 old_tss_base, &next_tss_desc);
2212 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2213 old_tss_base, &next_tss_desc);
2214 if (ret != X86EMUL_CONTINUE)
2217 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2218 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2220 if (reason != TASK_SWITCH_IRET) {
2221 next_tss_desc.type |= (1 << 1); /* set busy flag */
2222 write_segment_descriptor(ctxt, ops, tss_selector,
2226 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2227 ops->set_cached_descriptor(&next_tss_desc, 0, VCPU_SREG_TR, ctxt->vcpu);
2228 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2230 if (has_error_code) {
2231 struct decode_cache *c = &ctxt->decode;
2233 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2235 c->src.val = (unsigned long) error_code;
2236 emulate_push(ctxt, ops);
2242 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2243 u16 tss_selector, int reason,
2244 bool has_error_code, u32 error_code)
2246 struct x86_emulate_ops *ops = ctxt->ops;
2247 struct decode_cache *c = &ctxt->decode;
2251 c->dst.type = OP_NONE;
2253 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2254 has_error_code, error_code);
2256 if (rc == X86EMUL_CONTINUE) {
2257 rc = writeback(ctxt, ops);
2258 if (rc == X86EMUL_CONTINUE)
2262 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2265 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
2266 int reg, struct operand *op)
2268 struct decode_cache *c = &ctxt->decode;
2269 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2271 register_address_increment(c, &c->regs[reg], df * op->bytes);
2272 op->addr.mem.ea = register_address(c, c->regs[reg]);
2273 op->addr.mem.seg = seg;
2276 static int em_push(struct x86_emulate_ctxt *ctxt)
2278 emulate_push(ctxt, ctxt->ops);
2279 return X86EMUL_CONTINUE;
2282 static int em_das(struct x86_emulate_ctxt *ctxt)
2284 struct decode_cache *c = &ctxt->decode;
2286 bool af, cf, old_cf;
2288 cf = ctxt->eflags & X86_EFLAGS_CF;
2294 af = ctxt->eflags & X86_EFLAGS_AF;
2295 if ((al & 0x0f) > 9 || af) {
2297 cf = old_cf | (al >= 250);
2302 if (old_al > 0x99 || old_cf) {
2308 /* Set PF, ZF, SF */
2309 c->src.type = OP_IMM;
2312 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2313 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2315 ctxt->eflags |= X86_EFLAGS_CF;
2317 ctxt->eflags |= X86_EFLAGS_AF;
2318 return X86EMUL_CONTINUE;
2321 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2323 struct decode_cache *c = &ctxt->decode;
2328 old_cs = ctxt->ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2331 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2332 if (load_segment_descriptor(ctxt, ctxt->ops, sel, VCPU_SREG_CS))
2333 return X86EMUL_CONTINUE;
2336 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2338 c->src.val = old_cs;
2339 emulate_push(ctxt, ctxt->ops);
2340 rc = writeback(ctxt, ctxt->ops);
2341 if (rc != X86EMUL_CONTINUE)
2344 c->src.val = old_eip;
2345 emulate_push(ctxt, ctxt->ops);
2346 rc = writeback(ctxt, ctxt->ops);
2347 if (rc != X86EMUL_CONTINUE)
2350 c->dst.type = OP_NONE;
2352 return X86EMUL_CONTINUE;
2355 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2357 struct decode_cache *c = &ctxt->decode;
2360 c->dst.type = OP_REG;
2361 c->dst.addr.reg = &c->eip;
2362 c->dst.bytes = c->op_bytes;
2363 rc = emulate_pop(ctxt, ctxt->ops, &c->dst.val, c->op_bytes);
2364 if (rc != X86EMUL_CONTINUE)
2366 register_address_increment(c, &c->regs[VCPU_REGS_RSP], c->src.val);
2367 return X86EMUL_CONTINUE;
2370 static int em_imul(struct x86_emulate_ctxt *ctxt)
2372 struct decode_cache *c = &ctxt->decode;
2374 emulate_2op_SrcV_nobyte("imul", c->src, c->dst, ctxt->eflags);
2375 return X86EMUL_CONTINUE;
2378 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2380 struct decode_cache *c = &ctxt->decode;
2382 c->dst.val = c->src2.val;
2383 return em_imul(ctxt);
2386 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2388 struct decode_cache *c = &ctxt->decode;
2390 c->dst.type = OP_REG;
2391 c->dst.bytes = c->src.bytes;
2392 c->dst.addr.reg = &c->regs[VCPU_REGS_RDX];
2393 c->dst.val = ~((c->src.val >> (c->src.bytes * 8 - 1)) - 1);
2395 return X86EMUL_CONTINUE;
2398 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2400 unsigned cpl = ctxt->ops->cpl(ctxt->vcpu);
2401 struct decode_cache *c = &ctxt->decode;
2404 if (cpl > 0 && (ctxt->ops->get_cr(4, ctxt->vcpu) & X86_CR4_TSD))
2405 return emulate_gp(ctxt, 0);
2406 ctxt->ops->get_msr(ctxt->vcpu, MSR_IA32_TSC, &tsc);
2407 c->regs[VCPU_REGS_RAX] = (u32)tsc;
2408 c->regs[VCPU_REGS_RDX] = tsc >> 32;
2409 return X86EMUL_CONTINUE;
2412 static int em_mov(struct x86_emulate_ctxt *ctxt)
2414 struct decode_cache *c = &ctxt->decode;
2415 c->dst.val = c->src.val;
2416 return X86EMUL_CONTINUE;
2419 static int em_movdqu(struct x86_emulate_ctxt *ctxt)
2421 struct decode_cache *c = &ctxt->decode;
2422 memcpy(&c->dst.vec_val, &c->src.vec_val, c->op_bytes);
2423 return X86EMUL_CONTINUE;
2426 #define D(_y) { .flags = (_y) }
2427 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
2429 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2430 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2431 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2432 #define II(_f, _e, _i) \
2433 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
2434 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
2436 #define D2bv(_f) D((_f) | ByteOp), D(_f)
2437 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
2439 #define D6ALU(_f) D2bv((_f) | DstMem | SrcReg | ModRM), \
2440 D2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock), \
2441 D2bv(((_f) & ~Lock) | DstAcc | SrcImm)
2444 static struct opcode group1[] = {
2448 static struct opcode group1A[] = {
2449 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2452 static struct opcode group3[] = {
2453 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2454 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2455 X4(D(SrcMem | ModRM)),
2458 static struct opcode group4[] = {
2459 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2463 static struct opcode group5[] = {
2464 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2465 D(SrcMem | ModRM | Stack),
2466 I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
2467 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2468 D(SrcMem | ModRM | Stack), N,
2471 static struct group_dual group7 = { {
2472 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2473 D(SrcNone | ModRM | DstMem | Mov), N,
2474 D(SrcMem16 | ModRM | Mov | Priv),
2475 D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
2477 D(SrcNone | ModRM | Priv | VendorSpecific), N,
2478 N, D(SrcNone | ModRM | Priv | VendorSpecific),
2479 D(SrcNone | ModRM | DstMem | Mov), N,
2480 D(SrcMem16 | ModRM | Mov | Priv), N,
2483 static struct opcode group8[] = {
2485 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2486 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2489 static struct group_dual group9 = { {
2490 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2492 N, N, N, N, N, N, N, N,
2495 static struct opcode group11[] = {
2496 I(DstMem | SrcImm | ModRM | Mov, em_mov), X7(D(Undefined)),
2499 static struct gprefix pfx_0f_6f_0f_7f = {
2500 N, N, N, I(Sse, em_movdqu),
2503 static struct opcode opcode_table[256] = {
2506 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2509 D(ImplicitOps | Stack | No64), N,
2512 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2515 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2519 D6ALU(Lock), N, I(ByteOp | DstAcc | No64, em_das),
2527 X8(I(SrcReg | Stack, em_push)),
2529 X8(D(DstReg | Stack)),
2531 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2532 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2535 I(SrcImm | Mov | Stack, em_push),
2536 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
2537 I(SrcImmByte | Mov | Stack, em_push),
2538 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
2539 D2bv(DstDI | Mov | String), /* insb, insw/insd */
2540 D2bv(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2544 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2545 G(DstMem | SrcImm | ModRM | Group, group1),
2546 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2547 G(DstMem | SrcImmByte | ModRM | Group, group1),
2548 D2bv(DstMem | SrcReg | ModRM), D2bv(DstMem | SrcReg | ModRM | Lock),
2550 I2bv(DstMem | SrcReg | ModRM | Mov, em_mov),
2551 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
2552 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2553 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2555 X8(D(SrcAcc | DstReg)),
2557 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
2558 I(SrcImmFAddr | No64, em_call_far), N,
2559 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2561 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
2562 I2bv(DstMem | SrcAcc | Mov | MemAbs, em_mov),
2563 I2bv(SrcSI | DstDI | Mov | String, em_mov),
2564 D2bv(SrcSI | DstDI | String),
2566 D2bv(DstAcc | SrcImm),
2567 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
2568 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
2569 D2bv(SrcAcc | DstDI | String),
2571 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
2573 X8(I(DstReg | SrcImm | Mov, em_mov)),
2575 D2bv(DstMem | SrcImmByte | ModRM),
2576 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
2577 D(ImplicitOps | Stack),
2578 D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr | ModRM | No64),
2579 G(ByteOp, group11), G(0, group11),
2581 N, N, N, D(ImplicitOps | Stack),
2582 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2584 D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
2587 N, N, N, N, N, N, N, N,
2590 D2bv(SrcImmUByte | DstAcc), D2bv(SrcAcc | DstImmUByte),
2592 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2593 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2594 D2bv(SrcNone | DstAcc), D2bv(SrcAcc | ImplicitOps),
2597 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2599 D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
2600 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2603 static struct opcode twobyte_table[256] = {
2605 N, GD(0, &group7), N, N,
2606 N, D(ImplicitOps | VendorSpecific), D(ImplicitOps | Priv), N,
2607 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
2608 N, D(ImplicitOps | ModRM), N, N,
2610 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2612 D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
2613 D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
2615 N, N, N, N, N, N, N, N,
2617 D(ImplicitOps | Priv), I(ImplicitOps, em_rdtsc),
2618 D(ImplicitOps | Priv), N,
2619 D(ImplicitOps | VendorSpecific), D(ImplicitOps | Priv | VendorSpecific),
2621 N, N, N, N, N, N, N, N,
2623 X16(D(DstReg | SrcMem | ModRM | Mov)),
2625 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2630 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
2635 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
2639 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
2641 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2642 N, D(DstMem | SrcReg | ModRM | BitOp),
2643 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2644 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2646 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2647 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2648 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2649 D(DstMem | SrcReg | Src2CL | ModRM),
2650 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
2652 D2bv(DstMem | SrcReg | ModRM | Lock),
2653 D(DstReg | SrcMemFAddr | ModRM), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2654 D(DstReg | SrcMemFAddr | ModRM), D(DstReg | SrcMemFAddr | ModRM),
2655 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2658 G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2659 D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2660 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2662 D2bv(DstMem | SrcReg | ModRM | Lock),
2663 N, D(DstMem | SrcReg | ModRM | Mov),
2664 N, N, N, GD(0, &group9),
2665 N, N, N, N, N, N, N, N,
2667 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2669 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2671 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2685 static unsigned imm_size(struct decode_cache *c)
2689 size = (c->d & ByteOp) ? 1 : c->op_bytes;
2695 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
2696 unsigned size, bool sign_extension)
2698 struct decode_cache *c = &ctxt->decode;
2699 struct x86_emulate_ops *ops = ctxt->ops;
2700 int rc = X86EMUL_CONTINUE;
2704 op->addr.mem.ea = c->eip;
2705 /* NB. Immediates are sign-extended as necessary. */
2706 switch (op->bytes) {
2708 op->val = insn_fetch(s8, 1, c->eip);
2711 op->val = insn_fetch(s16, 2, c->eip);
2714 op->val = insn_fetch(s32, 4, c->eip);
2717 if (!sign_extension) {
2718 switch (op->bytes) {
2726 op->val &= 0xffffffff;
2735 x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
2737 struct x86_emulate_ops *ops = ctxt->ops;
2738 struct decode_cache *c = &ctxt->decode;
2739 int rc = X86EMUL_CONTINUE;
2740 int mode = ctxt->mode;
2741 int def_op_bytes, def_ad_bytes, dual, goffset, simd_prefix;
2742 bool op_prefix = false;
2743 struct opcode opcode, *g_mod012, *g_mod3;
2744 struct operand memop = { .type = OP_NONE };
2747 c->fetch.start = c->eip;
2748 c->fetch.end = c->fetch.start + insn_len;
2750 memcpy(c->fetch.data, insn, insn_len);
2751 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2754 case X86EMUL_MODE_REAL:
2755 case X86EMUL_MODE_VM86:
2756 case X86EMUL_MODE_PROT16:
2757 def_op_bytes = def_ad_bytes = 2;
2759 case X86EMUL_MODE_PROT32:
2760 def_op_bytes = def_ad_bytes = 4;
2762 #ifdef CONFIG_X86_64
2763 case X86EMUL_MODE_PROT64:
2772 c->op_bytes = def_op_bytes;
2773 c->ad_bytes = def_ad_bytes;
2775 /* Legacy prefixes. */
2777 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2778 case 0x66: /* operand-size override */
2780 /* switch between 2/4 bytes */
2781 c->op_bytes = def_op_bytes ^ 6;
2783 case 0x67: /* address-size override */
2784 if (mode == X86EMUL_MODE_PROT64)
2785 /* switch between 4/8 bytes */
2786 c->ad_bytes = def_ad_bytes ^ 12;
2788 /* switch between 2/4 bytes */
2789 c->ad_bytes = def_ad_bytes ^ 6;
2791 case 0x26: /* ES override */
2792 case 0x2e: /* CS override */
2793 case 0x36: /* SS override */
2794 case 0x3e: /* DS override */
2795 set_seg_override(c, (c->b >> 3) & 3);
2797 case 0x64: /* FS override */
2798 case 0x65: /* GS override */
2799 set_seg_override(c, c->b & 7);
2801 case 0x40 ... 0x4f: /* REX */
2802 if (mode != X86EMUL_MODE_PROT64)
2804 c->rex_prefix = c->b;
2806 case 0xf0: /* LOCK */
2809 case 0xf2: /* REPNE/REPNZ */
2810 case 0xf3: /* REP/REPE/REPZ */
2811 c->rep_prefix = c->b;
2817 /* Any legacy prefix after a REX prefix nullifies its effect. */
2825 if (c->rex_prefix & 8)
2826 c->op_bytes = 8; /* REX.W */
2828 /* Opcode byte(s). */
2829 opcode = opcode_table[c->b];
2830 /* Two-byte opcode? */
2833 c->b = insn_fetch(u8, 1, c->eip);
2834 opcode = twobyte_table[c->b];
2836 c->d = opcode.flags;
2839 dual = c->d & GroupDual;
2840 c->modrm = insn_fetch(u8, 1, c->eip);
2843 if (c->d & GroupDual) {
2844 g_mod012 = opcode.u.gdual->mod012;
2845 g_mod3 = opcode.u.gdual->mod3;
2847 g_mod012 = g_mod3 = opcode.u.group;
2849 c->d &= ~(Group | GroupDual);
2851 goffset = (c->modrm >> 3) & 7;
2853 if ((c->modrm >> 6) == 3)
2854 opcode = g_mod3[goffset];
2856 opcode = g_mod012[goffset];
2857 c->d |= opcode.flags;
2860 if (c->d & Prefix) {
2861 if (c->rep_prefix && op_prefix)
2862 return X86EMUL_UNHANDLEABLE;
2863 simd_prefix = op_prefix ? 0x66 : c->rep_prefix;
2864 switch (simd_prefix) {
2865 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
2866 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
2867 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
2868 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
2870 c->d |= opcode.flags;
2873 c->execute = opcode.u.execute;
2874 c->intercept = opcode.intercept;
2877 if (c->d == 0 || (c->d & Undefined))
2880 if (!(c->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
2883 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2886 if (c->d & Op3264) {
2887 if (mode == X86EMUL_MODE_PROT64)
2896 /* ModRM and SIB bytes. */
2898 rc = decode_modrm(ctxt, ops, &memop);
2899 if (!c->has_seg_override)
2900 set_seg_override(c, c->modrm_seg);
2901 } else if (c->d & MemAbs)
2902 rc = decode_abs(ctxt, ops, &memop);
2903 if (rc != X86EMUL_CONTINUE)
2906 if (!c->has_seg_override)
2907 set_seg_override(c, VCPU_SREG_DS);
2909 memop.addr.mem.seg = seg_override(ctxt, ops, c);
2911 if (memop.type == OP_MEM && c->ad_bytes != 8)
2912 memop.addr.mem.ea = (u32)memop.addr.mem.ea;
2914 if (memop.type == OP_MEM && c->rip_relative)
2915 memop.addr.mem.ea += c->eip;
2918 * Decode and fetch the source operand: register, memory
2921 switch (c->d & SrcMask) {
2925 decode_register_operand(ctxt, &c->src, c, 0);
2934 memop.bytes = (c->d & ByteOp) ? 1 :
2940 rc = decode_imm(ctxt, &c->src, 2, false);
2943 rc = decode_imm(ctxt, &c->src, imm_size(c), true);
2946 rc = decode_imm(ctxt, &c->src, imm_size(c), false);
2949 rc = decode_imm(ctxt, &c->src, 1, true);
2952 rc = decode_imm(ctxt, &c->src, 1, false);
2955 c->src.type = OP_REG;
2956 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2957 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2958 fetch_register_operand(&c->src);
2965 c->src.type = OP_MEM;
2966 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2967 c->src.addr.mem.ea =
2968 register_address(c, c->regs[VCPU_REGS_RSI]);
2969 c->src.addr.mem.seg = seg_override(ctxt, ops, c),
2973 c->src.type = OP_IMM;
2974 c->src.addr.mem.ea = c->eip;
2975 c->src.bytes = c->op_bytes + 2;
2976 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2979 memop.bytes = c->op_bytes + 2;
2984 if (rc != X86EMUL_CONTINUE)
2988 * Decode and fetch the second source operand: register, memory
2991 switch (c->d & Src2Mask) {
2996 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2999 rc = decode_imm(ctxt, &c->src2, 1, true);
3006 rc = decode_imm(ctxt, &c->src2, imm_size(c), true);
3010 if (rc != X86EMUL_CONTINUE)
3013 /* Decode and fetch the destination operand: register or memory. */
3014 switch (c->d & DstMask) {
3016 decode_register_operand(ctxt, &c->dst, c,
3017 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
3020 c->dst.type = OP_IMM;
3021 c->dst.addr.mem.ea = c->eip;
3023 c->dst.val = insn_fetch(u8, 1, c->eip);
3028 if ((c->d & DstMask) == DstMem64)
3031 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3033 fetch_bit_operand(c);
3034 c->dst.orig_val = c->dst.val;
3037 c->dst.type = OP_REG;
3038 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3039 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
3040 fetch_register_operand(&c->dst);
3041 c->dst.orig_val = c->dst.val;
3044 c->dst.type = OP_MEM;
3045 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3046 c->dst.addr.mem.ea =
3047 register_address(c, c->regs[VCPU_REGS_RDI]);
3048 c->dst.addr.mem.seg = VCPU_SREG_ES;
3052 /* Special instructions do their own operand decoding. */
3054 c->dst.type = OP_NONE; /* Disable writeback. */
3059 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3062 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
3064 struct decode_cache *c = &ctxt->decode;
3066 /* The second termination condition only applies for REPE
3067 * and REPNE. Test if the repeat string operation prefix is
3068 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
3069 * corresponding termination condition according to:
3070 * - if REPE/REPZ and ZF = 0 then done
3071 * - if REPNE/REPNZ and ZF = 1 then done
3073 if (((c->b == 0xa6) || (c->b == 0xa7) ||
3074 (c->b == 0xae) || (c->b == 0xaf))
3075 && (((c->rep_prefix == REPE_PREFIX) &&
3076 ((ctxt->eflags & EFLG_ZF) == 0))
3077 || ((c->rep_prefix == REPNE_PREFIX) &&
3078 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
3085 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
3087 struct x86_emulate_ops *ops = ctxt->ops;
3089 struct decode_cache *c = &ctxt->decode;
3090 int rc = X86EMUL_CONTINUE;
3091 int saved_dst_type = c->dst.type;
3092 int irq; /* Used for int 3, int, and into */
3094 ctxt->decode.mem_read.pos = 0;
3096 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
3097 rc = emulate_ud(ctxt);
3101 /* LOCK prefix is allowed only with some instructions */
3102 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
3103 rc = emulate_ud(ctxt);
3107 if ((c->d & SrcMask) == SrcMemFAddr && c->src.type != OP_MEM) {
3108 rc = emulate_ud(ctxt);
3113 && ((ops->get_cr(0, ctxt->vcpu) & X86_CR0_EM)
3114 || !(ops->get_cr(4, ctxt->vcpu) & X86_CR4_OSFXSR))) {
3115 rc = emulate_ud(ctxt);
3119 if ((c->d & Sse) && (ops->get_cr(0, ctxt->vcpu) & X86_CR0_TS)) {
3120 rc = emulate_nm(ctxt);
3124 if (unlikely(ctxt->guest_mode) && c->intercept) {
3125 rc = ops->intercept(ctxt, c->intercept,
3126 X86_ICPT_PRE_EXCEPT);
3127 if (rc != X86EMUL_CONTINUE)
3131 /* Privileged instruction can be executed only in CPL=0 */
3132 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
3133 rc = emulate_gp(ctxt, 0);
3137 if (unlikely(ctxt->guest_mode) && c->intercept) {
3138 rc = ops->intercept(ctxt, c->intercept,
3139 X86_ICPT_POST_EXCEPT);
3140 if (rc != X86EMUL_CONTINUE)
3144 if (c->rep_prefix && (c->d & String)) {
3145 /* All REP prefixes have the same first termination condition */
3146 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
3152 if ((c->src.type == OP_MEM) && !(c->d & NoAccess)) {
3153 rc = read_emulated(ctxt, ops, linear(ctxt, c->src.addr.mem),
3154 c->src.valptr, c->src.bytes);
3155 if (rc != X86EMUL_CONTINUE)
3157 c->src.orig_val64 = c->src.val64;
3160 if (c->src2.type == OP_MEM) {
3161 rc = read_emulated(ctxt, ops, linear(ctxt, c->src2.addr.mem),
3162 &c->src2.val, c->src2.bytes);
3163 if (rc != X86EMUL_CONTINUE)
3167 if ((c->d & DstMask) == ImplicitOps)
3171 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
3172 /* optimisation - avoid slow emulated read if Mov */
3173 rc = read_emulated(ctxt, ops, linear(ctxt, c->dst.addr.mem),
3174 &c->dst.val, c->dst.bytes);
3175 if (rc != X86EMUL_CONTINUE)
3178 c->dst.orig_val = c->dst.val;
3182 if (unlikely(ctxt->guest_mode) && c->intercept) {
3183 rc = ops->intercept(ctxt, c->intercept,
3184 X86_ICPT_POST_MEMACCESS);
3185 if (rc != X86EMUL_CONTINUE)
3190 rc = c->execute(ctxt);
3191 if (rc != X86EMUL_CONTINUE)
3202 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3204 case 0x06: /* push es */
3205 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
3207 case 0x07: /* pop es */
3208 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
3212 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
3214 case 0x0e: /* push cs */
3215 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
3219 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
3221 case 0x16: /* push ss */
3222 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
3224 case 0x17: /* pop ss */
3225 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
3229 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
3231 case 0x1e: /* push ds */
3232 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
3234 case 0x1f: /* pop ds */
3235 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
3239 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
3243 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
3247 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
3251 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3253 case 0x40 ... 0x47: /* inc r16/r32 */
3254 emulate_1op("inc", c->dst, ctxt->eflags);
3256 case 0x48 ... 0x4f: /* dec r16/r32 */
3257 emulate_1op("dec", c->dst, ctxt->eflags);
3259 case 0x58 ... 0x5f: /* pop reg */
3261 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
3263 case 0x60: /* pusha */
3264 rc = emulate_pusha(ctxt, ops);
3266 case 0x61: /* popa */
3267 rc = emulate_popa(ctxt, ops);
3269 case 0x63: /* movsxd */
3270 if (ctxt->mode != X86EMUL_MODE_PROT64)
3271 goto cannot_emulate;
3272 c->dst.val = (s32) c->src.val;
3274 case 0x6c: /* insb */
3275 case 0x6d: /* insw/insd */
3276 c->src.val = c->regs[VCPU_REGS_RDX];
3278 case 0x6e: /* outsb */
3279 case 0x6f: /* outsw/outsd */
3280 c->dst.val = c->regs[VCPU_REGS_RDX];
3283 case 0x70 ... 0x7f: /* jcc (short) */
3284 if (test_cc(c->b, ctxt->eflags))
3285 jmp_rel(c, c->src.val);
3287 case 0x80 ... 0x83: /* Grp1 */
3288 switch (c->modrm_reg) {
3309 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
3311 case 0x86 ... 0x87: /* xchg */
3313 /* Write back the register source. */
3314 c->src.val = c->dst.val;
3315 write_register_operand(&c->src);
3317 * Write back the memory destination with implicit LOCK
3320 c->dst.val = c->src.orig_val;
3323 case 0x8c: /* mov r/m, sreg */
3324 if (c->modrm_reg > VCPU_SREG_GS) {
3325 rc = emulate_ud(ctxt);
3328 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
3330 case 0x8d: /* lea r16/r32, m */
3331 c->dst.val = c->src.addr.mem.ea;
3333 case 0x8e: { /* mov seg, r/m16 */
3338 if (c->modrm_reg == VCPU_SREG_CS ||
3339 c->modrm_reg > VCPU_SREG_GS) {
3340 rc = emulate_ud(ctxt);
3344 if (c->modrm_reg == VCPU_SREG_SS)
3345 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3347 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
3349 c->dst.type = OP_NONE; /* Disable writeback. */
3352 case 0x8f: /* pop (sole member of Grp1a) */
3353 rc = emulate_grp1a(ctxt, ops);
3355 case 0x90 ... 0x97: /* nop / xchg reg, rax */
3356 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
3359 case 0x98: /* cbw/cwde/cdqe */
3360 switch (c->op_bytes) {
3361 case 2: c->dst.val = (s8)c->dst.val; break;
3362 case 4: c->dst.val = (s16)c->dst.val; break;
3363 case 8: c->dst.val = (s32)c->dst.val; break;
3366 case 0x9c: /* pushf */
3367 c->src.val = (unsigned long) ctxt->eflags;
3368 emulate_push(ctxt, ops);
3370 case 0x9d: /* popf */
3371 c->dst.type = OP_REG;
3372 c->dst.addr.reg = &ctxt->eflags;
3373 c->dst.bytes = c->op_bytes;
3374 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
3376 case 0xa6 ... 0xa7: /* cmps */
3377 c->dst.type = OP_NONE; /* Disable writeback. */
3379 case 0xa8 ... 0xa9: /* test ax, imm */
3381 case 0xae ... 0xaf: /* scas */
3386 case 0xc3: /* ret */
3387 c->dst.type = OP_REG;
3388 c->dst.addr.reg = &c->eip;
3389 c->dst.bytes = c->op_bytes;
3390 goto pop_instruction;
3391 case 0xc4: /* les */
3392 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_ES);
3394 case 0xc5: /* lds */
3395 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
3397 case 0xcb: /* ret far */
3398 rc = emulate_ret_far(ctxt, ops);
3400 case 0xcc: /* int3 */
3403 case 0xcd: /* int n */
3406 rc = emulate_int(ctxt, ops, irq);
3408 case 0xce: /* into */
3409 if (ctxt->eflags & EFLG_OF) {
3414 case 0xcf: /* iret */
3415 rc = emulate_iret(ctxt, ops);
3417 case 0xd0 ... 0xd1: /* Grp2 */
3420 case 0xd2 ... 0xd3: /* Grp2 */
3421 c->src.val = c->regs[VCPU_REGS_RCX];
3424 case 0xe0 ... 0xe2: /* loop/loopz/loopnz */
3425 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3426 if (address_mask(c, c->regs[VCPU_REGS_RCX]) != 0 &&
3427 (c->b == 0xe2 || test_cc(c->b ^ 0x5, ctxt->eflags)))
3428 jmp_rel(c, c->src.val);
3430 case 0xe3: /* jcxz/jecxz/jrcxz */
3431 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0)
3432 jmp_rel(c, c->src.val);
3434 case 0xe4: /* inb */
3437 case 0xe6: /* outb */
3438 case 0xe7: /* out */
3440 case 0xe8: /* call (near) */ {
3441 long int rel = c->src.val;
3442 c->src.val = (unsigned long) c->eip;
3444 emulate_push(ctxt, ops);
3447 case 0xe9: /* jmp rel */
3449 case 0xea: { /* jmp far */
3452 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3454 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3458 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3462 jmp: /* jmp rel short */
3463 jmp_rel(c, c->src.val);
3464 c->dst.type = OP_NONE; /* Disable writeback. */
3466 case 0xec: /* in al,dx */
3467 case 0xed: /* in (e/r)ax,dx */
3468 c->src.val = c->regs[VCPU_REGS_RDX];
3470 c->dst.bytes = min(c->dst.bytes, 4u);
3471 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3472 rc = emulate_gp(ctxt, 0);
3475 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3477 goto done; /* IO is needed */
3479 case 0xee: /* out dx,al */
3480 case 0xef: /* out dx,(e/r)ax */
3481 c->dst.val = c->regs[VCPU_REGS_RDX];
3483 c->src.bytes = min(c->src.bytes, 4u);
3484 if (!emulator_io_permited(ctxt, ops, c->dst.val,
3486 rc = emulate_gp(ctxt, 0);
3489 ops->pio_out_emulated(c->src.bytes, c->dst.val,
3490 &c->src.val, 1, ctxt->vcpu);
3491 c->dst.type = OP_NONE; /* Disable writeback. */
3493 case 0xf4: /* hlt */
3494 ctxt->vcpu->arch.halt_request = 1;
3496 case 0xf5: /* cmc */
3497 /* complement carry flag from eflags reg */
3498 ctxt->eflags ^= EFLG_CF;
3500 case 0xf6 ... 0xf7: /* Grp3 */
3501 rc = emulate_grp3(ctxt, ops);
3503 case 0xf8: /* clc */
3504 ctxt->eflags &= ~EFLG_CF;
3506 case 0xf9: /* stc */
3507 ctxt->eflags |= EFLG_CF;
3509 case 0xfa: /* cli */
3510 if (emulator_bad_iopl(ctxt, ops)) {
3511 rc = emulate_gp(ctxt, 0);
3514 ctxt->eflags &= ~X86_EFLAGS_IF;
3516 case 0xfb: /* sti */
3517 if (emulator_bad_iopl(ctxt, ops)) {
3518 rc = emulate_gp(ctxt, 0);
3521 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3522 ctxt->eflags |= X86_EFLAGS_IF;
3525 case 0xfc: /* cld */
3526 ctxt->eflags &= ~EFLG_DF;
3528 case 0xfd: /* std */
3529 ctxt->eflags |= EFLG_DF;
3531 case 0xfe: /* Grp4 */
3533 rc = emulate_grp45(ctxt, ops);
3535 case 0xff: /* Grp5 */
3536 if (c->modrm_reg == 5)
3540 goto cannot_emulate;
3543 if (rc != X86EMUL_CONTINUE)
3547 rc = writeback(ctxt, ops);
3548 if (rc != X86EMUL_CONTINUE)
3552 * restore dst type in case the decoding will be reused
3553 * (happens for string instruction )
3555 c->dst.type = saved_dst_type;
3557 if ((c->d & SrcMask) == SrcSI)
3558 string_addr_inc(ctxt, seg_override(ctxt, ops, c),
3559 VCPU_REGS_RSI, &c->src);
3561 if ((c->d & DstMask) == DstDI)
3562 string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
3565 if (c->rep_prefix && (c->d & String)) {
3566 struct read_cache *r = &ctxt->decode.io_read;
3567 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3569 if (!string_insn_completed(ctxt)) {
3571 * Re-enter guest when pio read ahead buffer is empty
3572 * or, if it is not used, after each 1024 iteration.
3574 if ((r->end != 0 || c->regs[VCPU_REGS_RCX] & 0x3ff) &&
3575 (r->end == 0 || r->end != r->pos)) {
3577 * Reset read cache. Usually happens before
3578 * decode, but since instruction is restarted
3579 * we have to do it here.
3581 ctxt->decode.mem_read.end = 0;
3582 return EMULATION_RESTART;
3584 goto done; /* skip rip writeback */
3591 if (rc == X86EMUL_PROPAGATE_FAULT)
3592 ctxt->have_exception = true;
3593 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3597 case 0x01: /* lgdt, lidt, lmsw */
3598 switch (c->modrm_reg) {
3600 unsigned long address;
3602 case 0: /* vmcall */
3603 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3604 goto cannot_emulate;
3606 rc = kvm_fix_hypercall(ctxt->vcpu);
3607 if (rc != X86EMUL_CONTINUE)
3610 /* Let the processor re-execute the fixed hypercall */
3612 /* Disable writeback. */
3613 c->dst.type = OP_NONE;
3616 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3617 &size, &address, c->op_bytes);
3618 if (rc != X86EMUL_CONTINUE)
3620 realmode_lgdt(ctxt->vcpu, size, address);
3621 /* Disable writeback. */
3622 c->dst.type = OP_NONE;
3624 case 3: /* lidt/vmmcall */
3625 if (c->modrm_mod == 3) {
3626 switch (c->modrm_rm) {
3628 rc = kvm_fix_hypercall(ctxt->vcpu);
3631 goto cannot_emulate;
3634 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3637 if (rc != X86EMUL_CONTINUE)
3639 realmode_lidt(ctxt->vcpu, size, address);
3641 /* Disable writeback. */
3642 c->dst.type = OP_NONE;
3646 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3649 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3650 (c->src.val & 0x0f), ctxt->vcpu);
3651 c->dst.type = OP_NONE;
3653 case 5: /* not defined */
3655 rc = X86EMUL_PROPAGATE_FAULT;
3658 emulate_invlpg(ctxt->vcpu,
3659 linear(ctxt, c->src.addr.mem));
3660 /* Disable writeback. */
3661 c->dst.type = OP_NONE;
3664 goto cannot_emulate;
3667 case 0x05: /* syscall */
3668 rc = emulate_syscall(ctxt, ops);
3671 emulate_clts(ctxt->vcpu);
3673 case 0x09: /* wbinvd */
3674 kvm_emulate_wbinvd(ctxt->vcpu);
3676 case 0x08: /* invd */
3677 case 0x0d: /* GrpP (prefetch) */
3678 case 0x18: /* Grp16 (prefetch/nop) */
3680 case 0x20: /* mov cr, reg */
3681 switch (c->modrm_reg) {
3686 rc = X86EMUL_PROPAGATE_FAULT;
3689 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3691 case 0x21: /* mov from dr to reg */
3692 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3693 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3695 rc = X86EMUL_PROPAGATE_FAULT;
3698 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3700 case 0x22: /* mov reg, cr */
3701 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3702 emulate_gp(ctxt, 0);
3703 rc = X86EMUL_PROPAGATE_FAULT;
3706 c->dst.type = OP_NONE;
3708 case 0x23: /* mov from reg to dr */
3709 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3710 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3712 rc = X86EMUL_PROPAGATE_FAULT;
3716 if (ops->set_dr(c->modrm_reg, c->src.val &
3717 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3718 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3719 /* #UD condition is already handled by the code above */
3720 emulate_gp(ctxt, 0);
3721 rc = X86EMUL_PROPAGATE_FAULT;
3725 c->dst.type = OP_NONE; /* no writeback */
3729 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3730 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3731 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3732 emulate_gp(ctxt, 0);
3733 rc = X86EMUL_PROPAGATE_FAULT;
3736 rc = X86EMUL_CONTINUE;
3740 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3741 emulate_gp(ctxt, 0);
3742 rc = X86EMUL_PROPAGATE_FAULT;
3745 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3746 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3748 rc = X86EMUL_CONTINUE;
3750 case 0x34: /* sysenter */
3751 rc = emulate_sysenter(ctxt, ops);
3753 case 0x35: /* sysexit */
3754 rc = emulate_sysexit(ctxt, ops);
3756 case 0x40 ... 0x4f: /* cmov */
3757 c->dst.val = c->dst.orig_val = c->src.val;
3758 if (!test_cc(c->b, ctxt->eflags))
3759 c->dst.type = OP_NONE; /* no writeback */
3761 case 0x80 ... 0x8f: /* jnz rel, etc*/
3762 if (test_cc(c->b, ctxt->eflags))
3763 jmp_rel(c, c->src.val);
3765 case 0x90 ... 0x9f: /* setcc r/m8 */
3766 c->dst.val = test_cc(c->b, ctxt->eflags);
3768 case 0xa0: /* push fs */
3769 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3771 case 0xa1: /* pop fs */
3772 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3776 c->dst.type = OP_NONE;
3777 /* only subword offset */
3778 c->src.val &= (c->dst.bytes << 3) - 1;
3779 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3781 case 0xa4: /* shld imm8, r, r/m */
3782 case 0xa5: /* shld cl, r, r/m */
3783 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3785 case 0xa8: /* push gs */
3786 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3788 case 0xa9: /* pop gs */
3789 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3793 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3795 case 0xac: /* shrd imm8, r, r/m */
3796 case 0xad: /* shrd cl, r, r/m */
3797 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3799 case 0xae: /* clflush */
3801 case 0xb0 ... 0xb1: /* cmpxchg */
3803 * Save real source value, then compare EAX against
3806 c->src.orig_val = c->src.val;
3807 c->src.val = c->regs[VCPU_REGS_RAX];
3808 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3809 if (ctxt->eflags & EFLG_ZF) {
3810 /* Success: write back to memory. */
3811 c->dst.val = c->src.orig_val;
3813 /* Failure: write the value we saw to EAX. */
3814 c->dst.type = OP_REG;
3815 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3818 case 0xb2: /* lss */
3819 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_SS);
3823 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3825 case 0xb4: /* lfs */
3826 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_FS);
3828 case 0xb5: /* lgs */
3829 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_GS);
3831 case 0xb6 ... 0xb7: /* movzx */
3832 c->dst.bytes = c->op_bytes;
3833 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3836 case 0xba: /* Grp8 */
3837 switch (c->modrm_reg & 3) {
3850 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3852 case 0xbc: { /* bsf */
3854 __asm__ ("bsf %2, %0; setz %1"
3855 : "=r"(c->dst.val), "=q"(zf)
3857 ctxt->eflags &= ~X86_EFLAGS_ZF;
3859 ctxt->eflags |= X86_EFLAGS_ZF;
3860 c->dst.type = OP_NONE; /* Disable writeback. */
3864 case 0xbd: { /* bsr */
3866 __asm__ ("bsr %2, %0; setz %1"
3867 : "=r"(c->dst.val), "=q"(zf)
3869 ctxt->eflags &= ~X86_EFLAGS_ZF;
3871 ctxt->eflags |= X86_EFLAGS_ZF;
3872 c->dst.type = OP_NONE; /* Disable writeback. */
3876 case 0xbe ... 0xbf: /* movsx */
3877 c->dst.bytes = c->op_bytes;
3878 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3881 case 0xc0 ... 0xc1: /* xadd */
3882 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3883 /* Write back the register source. */
3884 c->src.val = c->dst.orig_val;
3885 write_register_operand(&c->src);
3887 case 0xc3: /* movnti */
3888 c->dst.bytes = c->op_bytes;
3889 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3892 case 0xc7: /* Grp9 (cmpxchg8b) */
3893 rc = emulate_grp9(ctxt, ops);
3896 goto cannot_emulate;
3899 if (rc != X86EMUL_CONTINUE)