1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
32 * Opcode effective-address decode tables.
33 * Note that we only emulate instructions that have at least one memory
34 * operand (excluding implicit stack references). We assume that stack
35 * references and instruction fetches will never occur in special memory
36 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
40 /* Operand sizes: 8-bit operands or specified/overridden size. */
41 #define ByteOp (1<<0) /* 8-bit operands. */
42 /* Destination operand type. */
43 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
44 #define DstReg (2<<1) /* Register operand. */
45 #define DstMem (3<<1) /* Memory operand. */
46 #define DstAcc (4<<1) /* Destination Accumulator */
47 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
48 #define DstMem64 (6<<1) /* 64bit memory operand */
49 #define DstImmUByte (7<<1) /* 8-bit unsigned immediate operand */
50 #define DstMask (7<<1)
51 /* Source operand type. */
52 #define SrcNone (0<<4) /* No source operand. */
53 #define SrcReg (1<<4) /* Register operand. */
54 #define SrcMem (2<<4) /* Memory operand. */
55 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
56 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
57 #define SrcImm (5<<4) /* Immediate operand. */
58 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
59 #define SrcOne (7<<4) /* Implied '1' */
60 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
61 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
62 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
63 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
64 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
65 #define SrcAcc (0xd<<4) /* Source Accumulator */
66 #define SrcImmU16 (0xe<<4) /* Immediate operand, unsigned, 16 bits */
67 #define SrcMask (0xf<<4)
68 /* Generic ModRM decode. */
70 /* Destination is only written; never read. */
73 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
74 #define String (1<<12) /* String instruction (rep capable) */
75 #define Stack (1<<13) /* Stack instruction (push/pop) */
76 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
77 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
78 #define Prefix (1<<16) /* Instruction varies with 66/f2/f3 prefix */
79 #define Sse (1<<17) /* SSE Vector instruction */
81 #define VendorSpecific (1<<22) /* Vendor specific instruction */
82 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
83 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
84 #define Undefined (1<<25) /* No Such Instruction */
85 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
86 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
88 /* Source 2 operand type */
89 #define Src2None (0<<29)
90 #define Src2CL (1<<29)
91 #define Src2ImmByte (2<<29)
92 #define Src2One (3<<29)
93 #define Src2Imm (4<<29)
94 #define Src2Mask (7<<29)
97 #define X3(x...) X2(x), x
98 #define X4(x...) X2(x), X2(x)
99 #define X5(x...) X4(x), x
100 #define X6(x...) X4(x), X2(x)
101 #define X7(x...) X4(x), X3(x)
102 #define X8(x...) X4(x), X4(x)
103 #define X16(x...) X8(x), X8(x)
109 int (*execute)(struct x86_emulate_ctxt *ctxt);
110 struct opcode *group;
111 struct group_dual *gdual;
112 struct gprefix *gprefix;
117 struct opcode mod012[8];
118 struct opcode mod3[8];
122 struct opcode pfx_no;
123 struct opcode pfx_66;
124 struct opcode pfx_f2;
125 struct opcode pfx_f3;
128 /* EFLAGS bit definitions. */
129 #define EFLG_ID (1<<21)
130 #define EFLG_VIP (1<<20)
131 #define EFLG_VIF (1<<19)
132 #define EFLG_AC (1<<18)
133 #define EFLG_VM (1<<17)
134 #define EFLG_RF (1<<16)
135 #define EFLG_IOPL (3<<12)
136 #define EFLG_NT (1<<14)
137 #define EFLG_OF (1<<11)
138 #define EFLG_DF (1<<10)
139 #define EFLG_IF (1<<9)
140 #define EFLG_TF (1<<8)
141 #define EFLG_SF (1<<7)
142 #define EFLG_ZF (1<<6)
143 #define EFLG_AF (1<<4)
144 #define EFLG_PF (1<<2)
145 #define EFLG_CF (1<<0)
147 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
148 #define EFLG_RESERVED_ONE_MASK 2
151 * Instruction emulation:
152 * Most instructions are emulated directly via a fragment of inline assembly
153 * code. This allows us to save/restore EFLAGS and thus very easily pick up
154 * any modified flags.
157 #if defined(CONFIG_X86_64)
158 #define _LO32 "k" /* force 32-bit operand */
159 #define _STK "%%rsp" /* stack pointer */
160 #elif defined(__i386__)
161 #define _LO32 "" /* force 32-bit operand */
162 #define _STK "%%esp" /* stack pointer */
166 * These EFLAGS bits are restored from saved value during emulation, and
167 * any changes are written back to the saved value after emulation.
169 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
171 /* Before executing instruction: restore necessary bits in EFLAGS. */
172 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
173 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
174 "movl %"_sav",%"_LO32 _tmp"; " \
177 "movl %"_msk",%"_LO32 _tmp"; " \
178 "andl %"_LO32 _tmp",("_STK"); " \
180 "notl %"_LO32 _tmp"; " \
181 "andl %"_LO32 _tmp",("_STK"); " \
182 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
184 "orl %"_LO32 _tmp",("_STK"); " \
188 /* After executing instruction: write-back necessary bits in EFLAGS. */
189 #define _POST_EFLAGS(_sav, _msk, _tmp) \
190 /* _sav |= EFLAGS & _msk; */ \
193 "andl %"_msk",%"_LO32 _tmp"; " \
194 "orl %"_LO32 _tmp",%"_sav"; "
202 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
204 __asm__ __volatile__ ( \
205 _PRE_EFLAGS("0", "4", "2") \
206 _op _suffix " %"_x"3,%1; " \
207 _POST_EFLAGS("0", "4", "2") \
208 : "=m" (_eflags), "+q" (*(_dsttype*)&(_dst).val),\
210 : _y ((_src).val), "i" (EFLAGS_MASK)); \
214 /* Raw emulation: instruction has two explicit operands. */
215 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
217 unsigned long _tmp; \
219 switch ((_dst).bytes) { \
221 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
224 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l",u32);\
227 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q",u64)); \
232 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
234 unsigned long _tmp; \
235 switch ((_dst).bytes) { \
237 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
240 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
241 _wx, _wy, _lx, _ly, _qx, _qy); \
246 /* Source operand is byte-sized and may be restricted to just %cl. */
247 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
248 __emulate_2op(_op, _src, _dst, _eflags, \
249 "b", "c", "b", "c", "b", "c", "b", "c")
251 /* Source operand is byte, word, long or quad sized. */
252 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
253 __emulate_2op(_op, _src, _dst, _eflags, \
254 "b", "q", "w", "r", _LO32, "r", "", "r")
256 /* Source operand is word, long or quad sized. */
257 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
258 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
259 "w", "r", _LO32, "r", "", "r")
261 /* Instruction has three operands and one operand is stored in ECX register */
262 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
264 unsigned long _tmp; \
265 _type _clv = (_cl).val; \
266 _type _srcv = (_src).val; \
267 _type _dstv = (_dst).val; \
269 __asm__ __volatile__ ( \
270 _PRE_EFLAGS("0", "5", "2") \
271 _op _suffix " %4,%1 \n" \
272 _POST_EFLAGS("0", "5", "2") \
273 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
274 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
277 (_cl).val = (unsigned long) _clv; \
278 (_src).val = (unsigned long) _srcv; \
279 (_dst).val = (unsigned long) _dstv; \
282 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
284 switch ((_dst).bytes) { \
286 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
287 "w", unsigned short); \
290 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
291 "l", unsigned int); \
294 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
295 "q", unsigned long)); \
300 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
302 unsigned long _tmp; \
304 __asm__ __volatile__ ( \
305 _PRE_EFLAGS("0", "3", "2") \
306 _op _suffix " %1; " \
307 _POST_EFLAGS("0", "3", "2") \
308 : "=m" (_eflags), "+m" ((_dst).val), \
310 : "i" (EFLAGS_MASK)); \
313 /* Instruction has only one explicit operand (no source operand). */
314 #define emulate_1op(_op, _dst, _eflags) \
316 switch ((_dst).bytes) { \
317 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
318 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
319 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
320 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
324 #define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix) \
326 unsigned long _tmp; \
328 __asm__ __volatile__ ( \
329 _PRE_EFLAGS("0", "4", "1") \
330 _op _suffix " %5; " \
331 _POST_EFLAGS("0", "4", "1") \
332 : "=m" (_eflags), "=&r" (_tmp), \
333 "+a" (_rax), "+d" (_rdx) \
334 : "i" (EFLAGS_MASK), "m" ((_src).val), \
335 "a" (_rax), "d" (_rdx)); \
338 #define __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _suffix, _ex) \
340 unsigned long _tmp; \
342 __asm__ __volatile__ ( \
343 _PRE_EFLAGS("0", "5", "1") \
345 _op _suffix " %6; " \
347 _POST_EFLAGS("0", "5", "1") \
348 ".pushsection .fixup,\"ax\" \n\t" \
349 "3: movb $1, %4 \n\t" \
352 _ASM_EXTABLE(1b, 3b) \
353 : "=m" (_eflags), "=&r" (_tmp), \
354 "+a" (_rax), "+d" (_rdx), "+qm"(_ex) \
355 : "i" (EFLAGS_MASK), "m" ((_src).val), \
356 "a" (_rax), "d" (_rdx)); \
359 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
360 #define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags) \
362 switch((_src).bytes) { \
363 case 1: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "b"); break; \
364 case 2: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "w"); break; \
365 case 4: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "l"); break; \
366 case 8: ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "q")); break; \
370 #define emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _ex) \
372 switch((_src).bytes) { \
374 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
375 _eflags, "b", _ex); \
378 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
379 _eflags, "w", _ex); \
382 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
383 _eflags, "l", _ex); \
386 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
387 _eflags, "q", _ex)); \
392 /* Fetch next part of the instruction being emulated. */
393 #define insn_fetch(_type, _size, _eip) \
394 ({ unsigned long _x; \
395 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
396 if (rc != X86EMUL_CONTINUE) \
402 #define insn_fetch_arr(_arr, _size, _eip) \
403 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
404 if (rc != X86EMUL_CONTINUE) \
409 static inline unsigned long ad_mask(struct decode_cache *c)
411 return (1UL << (c->ad_bytes << 3)) - 1;
414 /* Access/update address held in a register, based on addressing mode. */
415 static inline unsigned long
416 address_mask(struct decode_cache *c, unsigned long reg)
418 if (c->ad_bytes == sizeof(unsigned long))
421 return reg & ad_mask(c);
424 static inline unsigned long
425 register_address(struct decode_cache *c, unsigned long reg)
427 return address_mask(c, reg);
431 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
433 if (c->ad_bytes == sizeof(unsigned long))
436 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
439 static inline void jmp_rel(struct decode_cache *c, int rel)
441 register_address_increment(c, &c->eip, rel);
444 static void set_seg_override(struct decode_cache *c, int seg)
446 c->has_seg_override = true;
447 c->seg_override = seg;
450 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
451 struct x86_emulate_ops *ops, int seg)
453 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
456 return ops->get_cached_segment_base(seg, ctxt->vcpu);
459 static unsigned seg_override(struct x86_emulate_ctxt *ctxt,
460 struct x86_emulate_ops *ops,
461 struct decode_cache *c)
463 if (!c->has_seg_override)
466 return c->seg_override;
469 static ulong linear(struct x86_emulate_ctxt *ctxt,
470 struct segmented_address addr)
472 struct decode_cache *c = &ctxt->decode;
475 la = seg_base(ctxt, ctxt->ops, addr.seg) + addr.ea;
476 if (c->ad_bytes != 8)
481 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
482 u32 error, bool valid)
484 ctxt->exception.vector = vec;
485 ctxt->exception.error_code = error;
486 ctxt->exception.error_code_valid = valid;
487 return X86EMUL_PROPAGATE_FAULT;
490 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
492 return emulate_exception(ctxt, GP_VECTOR, err, true);
495 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
497 return emulate_exception(ctxt, UD_VECTOR, 0, false);
500 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
502 return emulate_exception(ctxt, TS_VECTOR, err, true);
505 static int emulate_de(struct x86_emulate_ctxt *ctxt)
507 return emulate_exception(ctxt, DE_VECTOR, 0, false);
510 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
512 return emulate_exception(ctxt, NM_VECTOR, 0, false);
515 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
516 struct x86_emulate_ops *ops,
517 unsigned long eip, u8 *dest)
519 struct fetch_cache *fc = &ctxt->decode.fetch;
523 if (eip == fc->end) {
524 cur_size = fc->end - fc->start;
525 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
526 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
527 size, ctxt->vcpu, &ctxt->exception);
528 if (rc != X86EMUL_CONTINUE)
532 *dest = fc->data[eip - fc->start];
533 return X86EMUL_CONTINUE;
536 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
537 struct x86_emulate_ops *ops,
538 unsigned long eip, void *dest, unsigned size)
542 /* x86 instructions are limited to 15 bytes. */
543 if (eip + size - ctxt->eip > 15)
544 return X86EMUL_UNHANDLEABLE;
546 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
547 if (rc != X86EMUL_CONTINUE)
550 return X86EMUL_CONTINUE;
554 * Given the 'reg' portion of a ModRM byte, and a register block, return a
555 * pointer into the block that addresses the relevant register.
556 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
558 static void *decode_register(u8 modrm_reg, unsigned long *regs,
563 p = ®s[modrm_reg];
564 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
565 p = (unsigned char *)®s[modrm_reg & 3] + 1;
569 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
570 struct x86_emulate_ops *ops,
571 struct segmented_address addr,
572 u16 *size, unsigned long *address, int op_bytes)
579 rc = ops->read_std(linear(ctxt, addr), (unsigned long *)size, 2,
580 ctxt->vcpu, &ctxt->exception);
581 if (rc != X86EMUL_CONTINUE)
584 rc = ops->read_std(linear(ctxt, addr), address, op_bytes,
585 ctxt->vcpu, &ctxt->exception);
589 static int test_cc(unsigned int condition, unsigned int flags)
593 switch ((condition & 15) >> 1) {
595 rc |= (flags & EFLG_OF);
597 case 1: /* b/c/nae */
598 rc |= (flags & EFLG_CF);
601 rc |= (flags & EFLG_ZF);
604 rc |= (flags & (EFLG_CF|EFLG_ZF));
607 rc |= (flags & EFLG_SF);
610 rc |= (flags & EFLG_PF);
613 rc |= (flags & EFLG_ZF);
616 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
620 /* Odd condition identifiers (lsb == 1) have inverted sense. */
621 return (!!rc ^ (condition & 1));
624 static void fetch_register_operand(struct operand *op)
628 op->val = *(u8 *)op->addr.reg;
631 op->val = *(u16 *)op->addr.reg;
634 op->val = *(u32 *)op->addr.reg;
637 op->val = *(u64 *)op->addr.reg;
642 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
644 ctxt->ops->get_fpu(ctxt);
646 case 0: asm("movdqu %%xmm0, %0" : "=m"(*data)); break;
647 case 1: asm("movdqu %%xmm1, %0" : "=m"(*data)); break;
648 case 2: asm("movdqu %%xmm2, %0" : "=m"(*data)); break;
649 case 3: asm("movdqu %%xmm3, %0" : "=m"(*data)); break;
650 case 4: asm("movdqu %%xmm4, %0" : "=m"(*data)); break;
651 case 5: asm("movdqu %%xmm5, %0" : "=m"(*data)); break;
652 case 6: asm("movdqu %%xmm6, %0" : "=m"(*data)); break;
653 case 7: asm("movdqu %%xmm7, %0" : "=m"(*data)); break;
655 case 8: asm("movdqu %%xmm8, %0" : "=m"(*data)); break;
656 case 9: asm("movdqu %%xmm9, %0" : "=m"(*data)); break;
657 case 10: asm("movdqu %%xmm10, %0" : "=m"(*data)); break;
658 case 11: asm("movdqu %%xmm11, %0" : "=m"(*data)); break;
659 case 12: asm("movdqu %%xmm12, %0" : "=m"(*data)); break;
660 case 13: asm("movdqu %%xmm13, %0" : "=m"(*data)); break;
661 case 14: asm("movdqu %%xmm14, %0" : "=m"(*data)); break;
662 case 15: asm("movdqu %%xmm15, %0" : "=m"(*data)); break;
666 ctxt->ops->put_fpu(ctxt);
669 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
672 ctxt->ops->get_fpu(ctxt);
674 case 0: asm("movdqu %0, %%xmm0" : : "m"(*data)); break;
675 case 1: asm("movdqu %0, %%xmm1" : : "m"(*data)); break;
676 case 2: asm("movdqu %0, %%xmm2" : : "m"(*data)); break;
677 case 3: asm("movdqu %0, %%xmm3" : : "m"(*data)); break;
678 case 4: asm("movdqu %0, %%xmm4" : : "m"(*data)); break;
679 case 5: asm("movdqu %0, %%xmm5" : : "m"(*data)); break;
680 case 6: asm("movdqu %0, %%xmm6" : : "m"(*data)); break;
681 case 7: asm("movdqu %0, %%xmm7" : : "m"(*data)); break;
683 case 8: asm("movdqu %0, %%xmm8" : : "m"(*data)); break;
684 case 9: asm("movdqu %0, %%xmm9" : : "m"(*data)); break;
685 case 10: asm("movdqu %0, %%xmm10" : : "m"(*data)); break;
686 case 11: asm("movdqu %0, %%xmm11" : : "m"(*data)); break;
687 case 12: asm("movdqu %0, %%xmm12" : : "m"(*data)); break;
688 case 13: asm("movdqu %0, %%xmm13" : : "m"(*data)); break;
689 case 14: asm("movdqu %0, %%xmm14" : : "m"(*data)); break;
690 case 15: asm("movdqu %0, %%xmm15" : : "m"(*data)); break;
694 ctxt->ops->put_fpu(ctxt);
697 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
699 struct decode_cache *c,
702 unsigned reg = c->modrm_reg;
703 int highbyte_regs = c->rex_prefix == 0;
706 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
712 read_sse_reg(ctxt, &op->vec_val, reg);
717 if ((c->d & ByteOp) && !inhibit_bytereg) {
718 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
721 op->addr.reg = decode_register(reg, c->regs, 0);
722 op->bytes = c->op_bytes;
724 fetch_register_operand(op);
725 op->orig_val = op->val;
728 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
729 struct x86_emulate_ops *ops,
732 struct decode_cache *c = &ctxt->decode;
734 int index_reg = 0, base_reg = 0, scale;
735 int rc = X86EMUL_CONTINUE;
739 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
740 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
741 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
744 c->modrm = insn_fetch(u8, 1, c->eip);
745 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
746 c->modrm_reg |= (c->modrm & 0x38) >> 3;
747 c->modrm_rm |= (c->modrm & 0x07);
748 c->modrm_seg = VCPU_SREG_DS;
750 if (c->modrm_mod == 3) {
752 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
753 op->addr.reg = decode_register(c->modrm_rm,
754 c->regs, c->d & ByteOp);
758 op->addr.xmm = c->modrm_rm;
759 read_sse_reg(ctxt, &op->vec_val, c->modrm_rm);
762 fetch_register_operand(op);
768 if (c->ad_bytes == 2) {
769 unsigned bx = c->regs[VCPU_REGS_RBX];
770 unsigned bp = c->regs[VCPU_REGS_RBP];
771 unsigned si = c->regs[VCPU_REGS_RSI];
772 unsigned di = c->regs[VCPU_REGS_RDI];
774 /* 16-bit ModR/M decode. */
775 switch (c->modrm_mod) {
777 if (c->modrm_rm == 6)
778 modrm_ea += insn_fetch(u16, 2, c->eip);
781 modrm_ea += insn_fetch(s8, 1, c->eip);
784 modrm_ea += insn_fetch(u16, 2, c->eip);
787 switch (c->modrm_rm) {
807 if (c->modrm_mod != 0)
814 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
815 (c->modrm_rm == 6 && c->modrm_mod != 0))
816 c->modrm_seg = VCPU_SREG_SS;
817 modrm_ea = (u16)modrm_ea;
819 /* 32/64-bit ModR/M decode. */
820 if ((c->modrm_rm & 7) == 4) {
821 sib = insn_fetch(u8, 1, c->eip);
822 index_reg |= (sib >> 3) & 7;
826 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
827 modrm_ea += insn_fetch(s32, 4, c->eip);
829 modrm_ea += c->regs[base_reg];
831 modrm_ea += c->regs[index_reg] << scale;
832 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
833 if (ctxt->mode == X86EMUL_MODE_PROT64)
836 modrm_ea += c->regs[c->modrm_rm];
837 switch (c->modrm_mod) {
839 if (c->modrm_rm == 5)
840 modrm_ea += insn_fetch(s32, 4, c->eip);
843 modrm_ea += insn_fetch(s8, 1, c->eip);
846 modrm_ea += insn_fetch(s32, 4, c->eip);
850 op->addr.mem.ea = modrm_ea;
855 static int decode_abs(struct x86_emulate_ctxt *ctxt,
856 struct x86_emulate_ops *ops,
859 struct decode_cache *c = &ctxt->decode;
860 int rc = X86EMUL_CONTINUE;
863 switch (c->ad_bytes) {
865 op->addr.mem.ea = insn_fetch(u16, 2, c->eip);
868 op->addr.mem.ea = insn_fetch(u32, 4, c->eip);
871 op->addr.mem.ea = insn_fetch(u64, 8, c->eip);
878 static void fetch_bit_operand(struct decode_cache *c)
882 if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
883 mask = ~(c->dst.bytes * 8 - 1);
885 if (c->src.bytes == 2)
886 sv = (s16)c->src.val & (s16)mask;
887 else if (c->src.bytes == 4)
888 sv = (s32)c->src.val & (s32)mask;
890 c->dst.addr.mem.ea += (sv >> 3);
893 /* only subword offset */
894 c->src.val &= (c->dst.bytes << 3) - 1;
897 static int read_emulated(struct x86_emulate_ctxt *ctxt,
898 struct x86_emulate_ops *ops,
899 unsigned long addr, void *dest, unsigned size)
902 struct read_cache *mc = &ctxt->decode.mem_read;
905 int n = min(size, 8u);
907 if (mc->pos < mc->end)
910 rc = ops->read_emulated(addr, mc->data + mc->end, n,
911 &ctxt->exception, ctxt->vcpu);
912 if (rc != X86EMUL_CONTINUE)
917 memcpy(dest, mc->data + mc->pos, n);
922 return X86EMUL_CONTINUE;
925 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
926 struct x86_emulate_ops *ops,
927 unsigned int size, unsigned short port,
930 struct read_cache *rc = &ctxt->decode.io_read;
932 if (rc->pos == rc->end) { /* refill pio read ahead */
933 struct decode_cache *c = &ctxt->decode;
934 unsigned int in_page, n;
935 unsigned int count = c->rep_prefix ?
936 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
937 in_page = (ctxt->eflags & EFLG_DF) ?
938 offset_in_page(c->regs[VCPU_REGS_RDI]) :
939 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
940 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
944 rc->pos = rc->end = 0;
945 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
950 memcpy(dest, rc->data + rc->pos, size);
955 static u32 desc_limit_scaled(struct desc_struct *desc)
957 u32 limit = get_desc_limit(desc);
959 return desc->g ? (limit << 12) | 0xfff : limit;
962 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
963 struct x86_emulate_ops *ops,
964 u16 selector, struct desc_ptr *dt)
966 if (selector & 1 << 2) {
967 struct desc_struct desc;
968 memset (dt, 0, sizeof *dt);
969 if (!ops->get_cached_descriptor(&desc, NULL, VCPU_SREG_LDTR,
973 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
974 dt->address = get_desc_base(&desc);
976 ops->get_gdt(dt, ctxt->vcpu);
979 /* allowed just for 8 bytes segments */
980 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
981 struct x86_emulate_ops *ops,
982 u16 selector, struct desc_struct *desc)
985 u16 index = selector >> 3;
989 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
991 if (dt.size < index * 8 + 7)
992 return emulate_gp(ctxt, selector & 0xfffc);
993 addr = dt.address + index * 8;
994 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu,
1000 /* allowed just for 8 bytes segments */
1001 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1002 struct x86_emulate_ops *ops,
1003 u16 selector, struct desc_struct *desc)
1006 u16 index = selector >> 3;
1010 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1012 if (dt.size < index * 8 + 7)
1013 return emulate_gp(ctxt, selector & 0xfffc);
1015 addr = dt.address + index * 8;
1016 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu,
1022 /* Does not support long mode */
1023 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1024 struct x86_emulate_ops *ops,
1025 u16 selector, int seg)
1027 struct desc_struct seg_desc;
1029 unsigned err_vec = GP_VECTOR;
1031 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1034 memset(&seg_desc, 0, sizeof seg_desc);
1036 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1037 || ctxt->mode == X86EMUL_MODE_REAL) {
1038 /* set real mode segment descriptor */
1039 set_desc_base(&seg_desc, selector << 4);
1040 set_desc_limit(&seg_desc, 0xffff);
1047 /* NULL selector is not valid for TR, CS and SS */
1048 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1052 /* TR should be in GDT only */
1053 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1056 if (null_selector) /* for NULL selector skip all following checks */
1059 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1060 if (ret != X86EMUL_CONTINUE)
1063 err_code = selector & 0xfffc;
1064 err_vec = GP_VECTOR;
1066 /* can't load system descriptor into segment selecor */
1067 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1071 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1077 cpl = ops->cpl(ctxt->vcpu);
1082 * segment is not a writable data segment or segment
1083 * selector's RPL != CPL or segment selector's RPL != CPL
1085 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1089 if (!(seg_desc.type & 8))
1092 if (seg_desc.type & 4) {
1098 if (rpl > cpl || dpl != cpl)
1101 /* CS(RPL) <- CPL */
1102 selector = (selector & 0xfffc) | cpl;
1105 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1108 case VCPU_SREG_LDTR:
1109 if (seg_desc.s || seg_desc.type != 2)
1112 default: /* DS, ES, FS, or GS */
1114 * segment is not a data or readable code segment or
1115 * ((segment is a data or nonconforming code segment)
1116 * and (both RPL and CPL > DPL))
1118 if ((seg_desc.type & 0xa) == 0x8 ||
1119 (((seg_desc.type & 0xc) != 0xc) &&
1120 (rpl > dpl && cpl > dpl)))
1126 /* mark segment as accessed */
1128 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1129 if (ret != X86EMUL_CONTINUE)
1133 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1134 ops->set_cached_descriptor(&seg_desc, 0, seg, ctxt->vcpu);
1135 return X86EMUL_CONTINUE;
1137 emulate_exception(ctxt, err_vec, err_code, true);
1138 return X86EMUL_PROPAGATE_FAULT;
1141 static void write_register_operand(struct operand *op)
1143 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1144 switch (op->bytes) {
1146 *(u8 *)op->addr.reg = (u8)op->val;
1149 *(u16 *)op->addr.reg = (u16)op->val;
1152 *op->addr.reg = (u32)op->val;
1153 break; /* 64b: zero-extend */
1155 *op->addr.reg = op->val;
1160 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1161 struct x86_emulate_ops *ops)
1164 struct decode_cache *c = &ctxt->decode;
1166 switch (c->dst.type) {
1168 write_register_operand(&c->dst);
1172 rc = ops->cmpxchg_emulated(
1173 linear(ctxt, c->dst.addr.mem),
1180 rc = ops->write_emulated(
1181 linear(ctxt, c->dst.addr.mem),
1186 if (rc != X86EMUL_CONTINUE)
1190 write_sse_reg(ctxt, &c->dst.vec_val, c->dst.addr.xmm);
1198 return X86EMUL_CONTINUE;
1201 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1202 struct x86_emulate_ops *ops)
1204 struct decode_cache *c = &ctxt->decode;
1206 c->dst.type = OP_MEM;
1207 c->dst.bytes = c->op_bytes;
1208 c->dst.val = c->src.val;
1209 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1210 c->dst.addr.mem.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
1211 c->dst.addr.mem.seg = VCPU_SREG_SS;
1214 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1215 struct x86_emulate_ops *ops,
1216 void *dest, int len)
1218 struct decode_cache *c = &ctxt->decode;
1220 struct segmented_address addr;
1222 addr.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
1223 addr.seg = VCPU_SREG_SS;
1224 rc = read_emulated(ctxt, ops, linear(ctxt, addr), dest, len);
1225 if (rc != X86EMUL_CONTINUE)
1228 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1232 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1233 struct x86_emulate_ops *ops,
1234 void *dest, int len)
1237 unsigned long val, change_mask;
1238 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1239 int cpl = ops->cpl(ctxt->vcpu);
1241 rc = emulate_pop(ctxt, ops, &val, len);
1242 if (rc != X86EMUL_CONTINUE)
1245 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1246 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1248 switch(ctxt->mode) {
1249 case X86EMUL_MODE_PROT64:
1250 case X86EMUL_MODE_PROT32:
1251 case X86EMUL_MODE_PROT16:
1253 change_mask |= EFLG_IOPL;
1255 change_mask |= EFLG_IF;
1257 case X86EMUL_MODE_VM86:
1259 return emulate_gp(ctxt, 0);
1260 change_mask |= EFLG_IF;
1262 default: /* real mode */
1263 change_mask |= (EFLG_IOPL | EFLG_IF);
1267 *(unsigned long *)dest =
1268 (ctxt->eflags & ~change_mask) | (val & change_mask);
1273 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1274 struct x86_emulate_ops *ops, int seg)
1276 struct decode_cache *c = &ctxt->decode;
1278 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1280 emulate_push(ctxt, ops);
1283 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1284 struct x86_emulate_ops *ops, int seg)
1286 struct decode_cache *c = &ctxt->decode;
1287 unsigned long selector;
1290 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1291 if (rc != X86EMUL_CONTINUE)
1294 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1298 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1299 struct x86_emulate_ops *ops)
1301 struct decode_cache *c = &ctxt->decode;
1302 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1303 int rc = X86EMUL_CONTINUE;
1304 int reg = VCPU_REGS_RAX;
1306 while (reg <= VCPU_REGS_RDI) {
1307 (reg == VCPU_REGS_RSP) ?
1308 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1310 emulate_push(ctxt, ops);
1312 rc = writeback(ctxt, ops);
1313 if (rc != X86EMUL_CONTINUE)
1319 /* Disable writeback. */
1320 c->dst.type = OP_NONE;
1325 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1326 struct x86_emulate_ops *ops)
1328 struct decode_cache *c = &ctxt->decode;
1329 int rc = X86EMUL_CONTINUE;
1330 int reg = VCPU_REGS_RDI;
1332 while (reg >= VCPU_REGS_RAX) {
1333 if (reg == VCPU_REGS_RSP) {
1334 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1339 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1340 if (rc != X86EMUL_CONTINUE)
1347 int emulate_int_real(struct x86_emulate_ctxt *ctxt,
1348 struct x86_emulate_ops *ops, int irq)
1350 struct decode_cache *c = &ctxt->decode;
1357 /* TODO: Add limit checks */
1358 c->src.val = ctxt->eflags;
1359 emulate_push(ctxt, ops);
1360 rc = writeback(ctxt, ops);
1361 if (rc != X86EMUL_CONTINUE)
1364 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1366 c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1367 emulate_push(ctxt, ops);
1368 rc = writeback(ctxt, ops);
1369 if (rc != X86EMUL_CONTINUE)
1372 c->src.val = c->eip;
1373 emulate_push(ctxt, ops);
1374 rc = writeback(ctxt, ops);
1375 if (rc != X86EMUL_CONTINUE)
1378 c->dst.type = OP_NONE;
1380 ops->get_idt(&dt, ctxt->vcpu);
1382 eip_addr = dt.address + (irq << 2);
1383 cs_addr = dt.address + (irq << 2) + 2;
1385 rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &ctxt->exception);
1386 if (rc != X86EMUL_CONTINUE)
1389 rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &ctxt->exception);
1390 if (rc != X86EMUL_CONTINUE)
1393 rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
1394 if (rc != X86EMUL_CONTINUE)
1402 static int emulate_int(struct x86_emulate_ctxt *ctxt,
1403 struct x86_emulate_ops *ops, int irq)
1405 switch(ctxt->mode) {
1406 case X86EMUL_MODE_REAL:
1407 return emulate_int_real(ctxt, ops, irq);
1408 case X86EMUL_MODE_VM86:
1409 case X86EMUL_MODE_PROT16:
1410 case X86EMUL_MODE_PROT32:
1411 case X86EMUL_MODE_PROT64:
1413 /* Protected mode interrupts unimplemented yet */
1414 return X86EMUL_UNHANDLEABLE;
1418 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1419 struct x86_emulate_ops *ops)
1421 struct decode_cache *c = &ctxt->decode;
1422 int rc = X86EMUL_CONTINUE;
1423 unsigned long temp_eip = 0;
1424 unsigned long temp_eflags = 0;
1425 unsigned long cs = 0;
1426 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1427 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1428 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1429 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1431 /* TODO: Add stack limit check */
1433 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1435 if (rc != X86EMUL_CONTINUE)
1438 if (temp_eip & ~0xffff)
1439 return emulate_gp(ctxt, 0);
1441 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1443 if (rc != X86EMUL_CONTINUE)
1446 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1448 if (rc != X86EMUL_CONTINUE)
1451 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1453 if (rc != X86EMUL_CONTINUE)
1459 if (c->op_bytes == 4)
1460 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1461 else if (c->op_bytes == 2) {
1462 ctxt->eflags &= ~0xffff;
1463 ctxt->eflags |= temp_eflags;
1466 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1467 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1472 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1473 struct x86_emulate_ops* ops)
1475 switch(ctxt->mode) {
1476 case X86EMUL_MODE_REAL:
1477 return emulate_iret_real(ctxt, ops);
1478 case X86EMUL_MODE_VM86:
1479 case X86EMUL_MODE_PROT16:
1480 case X86EMUL_MODE_PROT32:
1481 case X86EMUL_MODE_PROT64:
1483 /* iret from protected mode unimplemented yet */
1484 return X86EMUL_UNHANDLEABLE;
1488 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1489 struct x86_emulate_ops *ops)
1491 struct decode_cache *c = &ctxt->decode;
1493 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1496 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1498 struct decode_cache *c = &ctxt->decode;
1499 switch (c->modrm_reg) {
1501 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1504 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1507 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1510 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1512 case 4: /* sal/shl */
1513 case 6: /* sal/shl */
1514 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1517 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1520 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1525 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1526 struct x86_emulate_ops *ops)
1528 struct decode_cache *c = &ctxt->decode;
1529 unsigned long *rax = &c->regs[VCPU_REGS_RAX];
1530 unsigned long *rdx = &c->regs[VCPU_REGS_RDX];
1533 switch (c->modrm_reg) {
1534 case 0 ... 1: /* test */
1535 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1538 c->dst.val = ~c->dst.val;
1541 emulate_1op("neg", c->dst, ctxt->eflags);
1544 emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
1547 emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
1550 emulate_1op_rax_rdx_ex("div", c->src, *rax, *rdx,
1554 emulate_1op_rax_rdx_ex("idiv", c->src, *rax, *rdx,
1558 return X86EMUL_UNHANDLEABLE;
1561 return emulate_de(ctxt);
1562 return X86EMUL_CONTINUE;
1565 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1566 struct x86_emulate_ops *ops)
1568 struct decode_cache *c = &ctxt->decode;
1570 switch (c->modrm_reg) {
1572 emulate_1op("inc", c->dst, ctxt->eflags);
1575 emulate_1op("dec", c->dst, ctxt->eflags);
1577 case 2: /* call near abs */ {
1580 c->eip = c->src.val;
1581 c->src.val = old_eip;
1582 emulate_push(ctxt, ops);
1585 case 4: /* jmp abs */
1586 c->eip = c->src.val;
1589 emulate_push(ctxt, ops);
1592 return X86EMUL_CONTINUE;
1595 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1596 struct x86_emulate_ops *ops)
1598 struct decode_cache *c = &ctxt->decode;
1599 u64 old = c->dst.orig_val64;
1601 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1602 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1603 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1604 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1605 ctxt->eflags &= ~EFLG_ZF;
1607 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1608 (u32) c->regs[VCPU_REGS_RBX];
1610 ctxt->eflags |= EFLG_ZF;
1612 return X86EMUL_CONTINUE;
1615 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1616 struct x86_emulate_ops *ops)
1618 struct decode_cache *c = &ctxt->decode;
1622 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1623 if (rc != X86EMUL_CONTINUE)
1625 if (c->op_bytes == 4)
1626 c->eip = (u32)c->eip;
1627 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1628 if (rc != X86EMUL_CONTINUE)
1630 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1634 static int emulate_load_segment(struct x86_emulate_ctxt *ctxt,
1635 struct x86_emulate_ops *ops, int seg)
1637 struct decode_cache *c = &ctxt->decode;
1641 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
1643 rc = load_segment_descriptor(ctxt, ops, sel, seg);
1644 if (rc != X86EMUL_CONTINUE)
1647 c->dst.val = c->src.val;
1652 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1653 struct x86_emulate_ops *ops, struct desc_struct *cs,
1654 struct desc_struct *ss)
1656 memset(cs, 0, sizeof(struct desc_struct));
1657 ops->get_cached_descriptor(cs, NULL, VCPU_SREG_CS, ctxt->vcpu);
1658 memset(ss, 0, sizeof(struct desc_struct));
1660 cs->l = 0; /* will be adjusted later */
1661 set_desc_base(cs, 0); /* flat segment */
1662 cs->g = 1; /* 4kb granularity */
1663 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1664 cs->type = 0x0b; /* Read, Execute, Accessed */
1666 cs->dpl = 0; /* will be adjusted later */
1670 set_desc_base(ss, 0); /* flat segment */
1671 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1672 ss->g = 1; /* 4kb granularity */
1674 ss->type = 0x03; /* Read/Write, Accessed */
1675 ss->d = 1; /* 32bit stack segment */
1681 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1683 struct decode_cache *c = &ctxt->decode;
1684 struct desc_struct cs, ss;
1688 /* syscall is not available in real mode */
1689 if (ctxt->mode == X86EMUL_MODE_REAL ||
1690 ctxt->mode == X86EMUL_MODE_VM86)
1691 return emulate_ud(ctxt);
1693 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1695 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1697 cs_sel = (u16)(msr_data & 0xfffc);
1698 ss_sel = (u16)(msr_data + 8);
1700 if (is_long_mode(ctxt->vcpu)) {
1704 ops->set_cached_descriptor(&cs, 0, VCPU_SREG_CS, ctxt->vcpu);
1705 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1706 ops->set_cached_descriptor(&ss, 0, VCPU_SREG_SS, ctxt->vcpu);
1707 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1709 c->regs[VCPU_REGS_RCX] = c->eip;
1710 if (is_long_mode(ctxt->vcpu)) {
1711 #ifdef CONFIG_X86_64
1712 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1714 ops->get_msr(ctxt->vcpu,
1715 ctxt->mode == X86EMUL_MODE_PROT64 ?
1716 MSR_LSTAR : MSR_CSTAR, &msr_data);
1719 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1720 ctxt->eflags &= ~(msr_data | EFLG_RF);
1724 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1725 c->eip = (u32)msr_data;
1727 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1730 return X86EMUL_CONTINUE;
1734 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1736 struct decode_cache *c = &ctxt->decode;
1737 struct desc_struct cs, ss;
1741 /* inject #GP if in real mode */
1742 if (ctxt->mode == X86EMUL_MODE_REAL)
1743 return emulate_gp(ctxt, 0);
1745 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1746 * Therefore, we inject an #UD.
1748 if (ctxt->mode == X86EMUL_MODE_PROT64)
1749 return emulate_ud(ctxt);
1751 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1753 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1754 switch (ctxt->mode) {
1755 case X86EMUL_MODE_PROT32:
1756 if ((msr_data & 0xfffc) == 0x0)
1757 return emulate_gp(ctxt, 0);
1759 case X86EMUL_MODE_PROT64:
1760 if (msr_data == 0x0)
1761 return emulate_gp(ctxt, 0);
1765 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1766 cs_sel = (u16)msr_data;
1767 cs_sel &= ~SELECTOR_RPL_MASK;
1768 ss_sel = cs_sel + 8;
1769 ss_sel &= ~SELECTOR_RPL_MASK;
1770 if (ctxt->mode == X86EMUL_MODE_PROT64
1771 || is_long_mode(ctxt->vcpu)) {
1776 ops->set_cached_descriptor(&cs, 0, VCPU_SREG_CS, ctxt->vcpu);
1777 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1778 ops->set_cached_descriptor(&ss, 0, VCPU_SREG_SS, ctxt->vcpu);
1779 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1781 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1784 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1785 c->regs[VCPU_REGS_RSP] = msr_data;
1787 return X86EMUL_CONTINUE;
1791 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1793 struct decode_cache *c = &ctxt->decode;
1794 struct desc_struct cs, ss;
1799 /* inject #GP if in real mode or Virtual 8086 mode */
1800 if (ctxt->mode == X86EMUL_MODE_REAL ||
1801 ctxt->mode == X86EMUL_MODE_VM86)
1802 return emulate_gp(ctxt, 0);
1804 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1806 if ((c->rex_prefix & 0x8) != 0x0)
1807 usermode = X86EMUL_MODE_PROT64;
1809 usermode = X86EMUL_MODE_PROT32;
1813 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1815 case X86EMUL_MODE_PROT32:
1816 cs_sel = (u16)(msr_data + 16);
1817 if ((msr_data & 0xfffc) == 0x0)
1818 return emulate_gp(ctxt, 0);
1819 ss_sel = (u16)(msr_data + 24);
1821 case X86EMUL_MODE_PROT64:
1822 cs_sel = (u16)(msr_data + 32);
1823 if (msr_data == 0x0)
1824 return emulate_gp(ctxt, 0);
1825 ss_sel = cs_sel + 8;
1830 cs_sel |= SELECTOR_RPL_MASK;
1831 ss_sel |= SELECTOR_RPL_MASK;
1833 ops->set_cached_descriptor(&cs, 0, VCPU_SREG_CS, ctxt->vcpu);
1834 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1835 ops->set_cached_descriptor(&ss, 0, VCPU_SREG_SS, ctxt->vcpu);
1836 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1838 c->eip = c->regs[VCPU_REGS_RDX];
1839 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1841 return X86EMUL_CONTINUE;
1844 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1845 struct x86_emulate_ops *ops)
1848 if (ctxt->mode == X86EMUL_MODE_REAL)
1850 if (ctxt->mode == X86EMUL_MODE_VM86)
1852 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1853 return ops->cpl(ctxt->vcpu) > iopl;
1856 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1857 struct x86_emulate_ops *ops,
1860 struct desc_struct tr_seg;
1863 u16 io_bitmap_ptr, perm, bit_idx = port & 0x7;
1864 unsigned mask = (1 << len) - 1;
1867 ops->get_cached_descriptor(&tr_seg, &base3, VCPU_SREG_TR, ctxt->vcpu);
1870 if (desc_limit_scaled(&tr_seg) < 103)
1872 base = get_desc_base(&tr_seg);
1873 #ifdef CONFIG_X86_64
1874 base |= ((u64)base3) << 32;
1876 r = ops->read_std(base + 102, &io_bitmap_ptr, 2, ctxt->vcpu, NULL);
1877 if (r != X86EMUL_CONTINUE)
1879 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1881 r = ops->read_std(base + io_bitmap_ptr + port/8, &perm, 2, ctxt->vcpu,
1883 if (r != X86EMUL_CONTINUE)
1885 if ((perm >> bit_idx) & mask)
1890 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1891 struct x86_emulate_ops *ops,
1897 if (emulator_bad_iopl(ctxt, ops))
1898 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1901 ctxt->perm_ok = true;
1906 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1907 struct x86_emulate_ops *ops,
1908 struct tss_segment_16 *tss)
1910 struct decode_cache *c = &ctxt->decode;
1913 tss->flag = ctxt->eflags;
1914 tss->ax = c->regs[VCPU_REGS_RAX];
1915 tss->cx = c->regs[VCPU_REGS_RCX];
1916 tss->dx = c->regs[VCPU_REGS_RDX];
1917 tss->bx = c->regs[VCPU_REGS_RBX];
1918 tss->sp = c->regs[VCPU_REGS_RSP];
1919 tss->bp = c->regs[VCPU_REGS_RBP];
1920 tss->si = c->regs[VCPU_REGS_RSI];
1921 tss->di = c->regs[VCPU_REGS_RDI];
1923 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1924 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1925 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1926 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1927 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1930 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1931 struct x86_emulate_ops *ops,
1932 struct tss_segment_16 *tss)
1934 struct decode_cache *c = &ctxt->decode;
1938 ctxt->eflags = tss->flag | 2;
1939 c->regs[VCPU_REGS_RAX] = tss->ax;
1940 c->regs[VCPU_REGS_RCX] = tss->cx;
1941 c->regs[VCPU_REGS_RDX] = tss->dx;
1942 c->regs[VCPU_REGS_RBX] = tss->bx;
1943 c->regs[VCPU_REGS_RSP] = tss->sp;
1944 c->regs[VCPU_REGS_RBP] = tss->bp;
1945 c->regs[VCPU_REGS_RSI] = tss->si;
1946 c->regs[VCPU_REGS_RDI] = tss->di;
1949 * SDM says that segment selectors are loaded before segment
1952 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1953 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1954 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1955 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1956 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1959 * Now load segment descriptors. If fault happenes at this stage
1960 * it is handled in a context of new task
1962 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1963 if (ret != X86EMUL_CONTINUE)
1965 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1966 if (ret != X86EMUL_CONTINUE)
1968 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1969 if (ret != X86EMUL_CONTINUE)
1971 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1972 if (ret != X86EMUL_CONTINUE)
1974 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1975 if (ret != X86EMUL_CONTINUE)
1978 return X86EMUL_CONTINUE;
1981 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1982 struct x86_emulate_ops *ops,
1983 u16 tss_selector, u16 old_tss_sel,
1984 ulong old_tss_base, struct desc_struct *new_desc)
1986 struct tss_segment_16 tss_seg;
1988 u32 new_tss_base = get_desc_base(new_desc);
1990 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1992 if (ret != X86EMUL_CONTINUE)
1993 /* FIXME: need to provide precise fault address */
1996 save_state_to_tss16(ctxt, ops, &tss_seg);
1998 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2000 if (ret != X86EMUL_CONTINUE)
2001 /* FIXME: need to provide precise fault address */
2004 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2006 if (ret != X86EMUL_CONTINUE)
2007 /* FIXME: need to provide precise fault address */
2010 if (old_tss_sel != 0xffff) {
2011 tss_seg.prev_task_link = old_tss_sel;
2013 ret = ops->write_std(new_tss_base,
2014 &tss_seg.prev_task_link,
2015 sizeof tss_seg.prev_task_link,
2016 ctxt->vcpu, &ctxt->exception);
2017 if (ret != X86EMUL_CONTINUE)
2018 /* FIXME: need to provide precise fault address */
2022 return load_state_from_tss16(ctxt, ops, &tss_seg);
2025 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2026 struct x86_emulate_ops *ops,
2027 struct tss_segment_32 *tss)
2029 struct decode_cache *c = &ctxt->decode;
2031 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2033 tss->eflags = ctxt->eflags;
2034 tss->eax = c->regs[VCPU_REGS_RAX];
2035 tss->ecx = c->regs[VCPU_REGS_RCX];
2036 tss->edx = c->regs[VCPU_REGS_RDX];
2037 tss->ebx = c->regs[VCPU_REGS_RBX];
2038 tss->esp = c->regs[VCPU_REGS_RSP];
2039 tss->ebp = c->regs[VCPU_REGS_RBP];
2040 tss->esi = c->regs[VCPU_REGS_RSI];
2041 tss->edi = c->regs[VCPU_REGS_RDI];
2043 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2044 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2045 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2046 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2047 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2048 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2049 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2052 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2053 struct x86_emulate_ops *ops,
2054 struct tss_segment_32 *tss)
2056 struct decode_cache *c = &ctxt->decode;
2059 if (ops->set_cr(3, tss->cr3, ctxt->vcpu))
2060 return emulate_gp(ctxt, 0);
2062 ctxt->eflags = tss->eflags | 2;
2063 c->regs[VCPU_REGS_RAX] = tss->eax;
2064 c->regs[VCPU_REGS_RCX] = tss->ecx;
2065 c->regs[VCPU_REGS_RDX] = tss->edx;
2066 c->regs[VCPU_REGS_RBX] = tss->ebx;
2067 c->regs[VCPU_REGS_RSP] = tss->esp;
2068 c->regs[VCPU_REGS_RBP] = tss->ebp;
2069 c->regs[VCPU_REGS_RSI] = tss->esi;
2070 c->regs[VCPU_REGS_RDI] = tss->edi;
2073 * SDM says that segment selectors are loaded before segment
2076 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2077 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2078 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2079 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2080 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2081 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2082 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2085 * Now load segment descriptors. If fault happenes at this stage
2086 * it is handled in a context of new task
2088 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2089 if (ret != X86EMUL_CONTINUE)
2091 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2092 if (ret != X86EMUL_CONTINUE)
2094 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2095 if (ret != X86EMUL_CONTINUE)
2097 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2098 if (ret != X86EMUL_CONTINUE)
2100 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2101 if (ret != X86EMUL_CONTINUE)
2103 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2104 if (ret != X86EMUL_CONTINUE)
2106 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2107 if (ret != X86EMUL_CONTINUE)
2110 return X86EMUL_CONTINUE;
2113 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2114 struct x86_emulate_ops *ops,
2115 u16 tss_selector, u16 old_tss_sel,
2116 ulong old_tss_base, struct desc_struct *new_desc)
2118 struct tss_segment_32 tss_seg;
2120 u32 new_tss_base = get_desc_base(new_desc);
2122 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2124 if (ret != X86EMUL_CONTINUE)
2125 /* FIXME: need to provide precise fault address */
2128 save_state_to_tss32(ctxt, ops, &tss_seg);
2130 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2132 if (ret != X86EMUL_CONTINUE)
2133 /* FIXME: need to provide precise fault address */
2136 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2138 if (ret != X86EMUL_CONTINUE)
2139 /* FIXME: need to provide precise fault address */
2142 if (old_tss_sel != 0xffff) {
2143 tss_seg.prev_task_link = old_tss_sel;
2145 ret = ops->write_std(new_tss_base,
2146 &tss_seg.prev_task_link,
2147 sizeof tss_seg.prev_task_link,
2148 ctxt->vcpu, &ctxt->exception);
2149 if (ret != X86EMUL_CONTINUE)
2150 /* FIXME: need to provide precise fault address */
2154 return load_state_from_tss32(ctxt, ops, &tss_seg);
2157 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2158 struct x86_emulate_ops *ops,
2159 u16 tss_selector, int reason,
2160 bool has_error_code, u32 error_code)
2162 struct desc_struct curr_tss_desc, next_tss_desc;
2164 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2165 ulong old_tss_base =
2166 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2169 /* FIXME: old_tss_base == ~0 ? */
2171 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2172 if (ret != X86EMUL_CONTINUE)
2174 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2175 if (ret != X86EMUL_CONTINUE)
2178 /* FIXME: check that next_tss_desc is tss */
2180 if (reason != TASK_SWITCH_IRET) {
2181 if ((tss_selector & 3) > next_tss_desc.dpl ||
2182 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl)
2183 return emulate_gp(ctxt, 0);
2186 desc_limit = desc_limit_scaled(&next_tss_desc);
2187 if (!next_tss_desc.p ||
2188 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2189 desc_limit < 0x2b)) {
2190 emulate_ts(ctxt, tss_selector & 0xfffc);
2191 return X86EMUL_PROPAGATE_FAULT;
2194 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2195 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2196 write_segment_descriptor(ctxt, ops, old_tss_sel,
2200 if (reason == TASK_SWITCH_IRET)
2201 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2203 /* set back link to prev task only if NT bit is set in eflags
2204 note that old_tss_sel is not used afetr this point */
2205 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2206 old_tss_sel = 0xffff;
2208 if (next_tss_desc.type & 8)
2209 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2210 old_tss_base, &next_tss_desc);
2212 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2213 old_tss_base, &next_tss_desc);
2214 if (ret != X86EMUL_CONTINUE)
2217 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2218 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2220 if (reason != TASK_SWITCH_IRET) {
2221 next_tss_desc.type |= (1 << 1); /* set busy flag */
2222 write_segment_descriptor(ctxt, ops, tss_selector,
2226 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2227 ops->set_cached_descriptor(&next_tss_desc, 0, VCPU_SREG_TR, ctxt->vcpu);
2228 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2230 if (has_error_code) {
2231 struct decode_cache *c = &ctxt->decode;
2233 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2235 c->src.val = (unsigned long) error_code;
2236 emulate_push(ctxt, ops);
2242 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2243 u16 tss_selector, int reason,
2244 bool has_error_code, u32 error_code)
2246 struct x86_emulate_ops *ops = ctxt->ops;
2247 struct decode_cache *c = &ctxt->decode;
2251 c->dst.type = OP_NONE;
2253 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2254 has_error_code, error_code);
2256 if (rc == X86EMUL_CONTINUE) {
2257 rc = writeback(ctxt, ops);
2258 if (rc == X86EMUL_CONTINUE)
2262 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2265 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
2266 int reg, struct operand *op)
2268 struct decode_cache *c = &ctxt->decode;
2269 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2271 register_address_increment(c, &c->regs[reg], df * op->bytes);
2272 op->addr.mem.ea = register_address(c, c->regs[reg]);
2273 op->addr.mem.seg = seg;
2276 static int em_push(struct x86_emulate_ctxt *ctxt)
2278 emulate_push(ctxt, ctxt->ops);
2279 return X86EMUL_CONTINUE;
2282 static int em_das(struct x86_emulate_ctxt *ctxt)
2284 struct decode_cache *c = &ctxt->decode;
2286 bool af, cf, old_cf;
2288 cf = ctxt->eflags & X86_EFLAGS_CF;
2294 af = ctxt->eflags & X86_EFLAGS_AF;
2295 if ((al & 0x0f) > 9 || af) {
2297 cf = old_cf | (al >= 250);
2302 if (old_al > 0x99 || old_cf) {
2308 /* Set PF, ZF, SF */
2309 c->src.type = OP_IMM;
2312 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2313 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2315 ctxt->eflags |= X86_EFLAGS_CF;
2317 ctxt->eflags |= X86_EFLAGS_AF;
2318 return X86EMUL_CONTINUE;
2321 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2323 struct decode_cache *c = &ctxt->decode;
2328 old_cs = ctxt->ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2331 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2332 if (load_segment_descriptor(ctxt, ctxt->ops, sel, VCPU_SREG_CS))
2333 return X86EMUL_CONTINUE;
2336 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2338 c->src.val = old_cs;
2339 emulate_push(ctxt, ctxt->ops);
2340 rc = writeback(ctxt, ctxt->ops);
2341 if (rc != X86EMUL_CONTINUE)
2344 c->src.val = old_eip;
2345 emulate_push(ctxt, ctxt->ops);
2346 rc = writeback(ctxt, ctxt->ops);
2347 if (rc != X86EMUL_CONTINUE)
2350 c->dst.type = OP_NONE;
2352 return X86EMUL_CONTINUE;
2355 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2357 struct decode_cache *c = &ctxt->decode;
2360 c->dst.type = OP_REG;
2361 c->dst.addr.reg = &c->eip;
2362 c->dst.bytes = c->op_bytes;
2363 rc = emulate_pop(ctxt, ctxt->ops, &c->dst.val, c->op_bytes);
2364 if (rc != X86EMUL_CONTINUE)
2366 register_address_increment(c, &c->regs[VCPU_REGS_RSP], c->src.val);
2367 return X86EMUL_CONTINUE;
2370 static int em_imul(struct x86_emulate_ctxt *ctxt)
2372 struct decode_cache *c = &ctxt->decode;
2374 emulate_2op_SrcV_nobyte("imul", c->src, c->dst, ctxt->eflags);
2375 return X86EMUL_CONTINUE;
2378 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2380 struct decode_cache *c = &ctxt->decode;
2382 c->dst.val = c->src2.val;
2383 return em_imul(ctxt);
2386 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2388 struct decode_cache *c = &ctxt->decode;
2390 c->dst.type = OP_REG;
2391 c->dst.bytes = c->src.bytes;
2392 c->dst.addr.reg = &c->regs[VCPU_REGS_RDX];
2393 c->dst.val = ~((c->src.val >> (c->src.bytes * 8 - 1)) - 1);
2395 return X86EMUL_CONTINUE;
2398 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2400 unsigned cpl = ctxt->ops->cpl(ctxt->vcpu);
2401 struct decode_cache *c = &ctxt->decode;
2404 if (cpl > 0 && (ctxt->ops->get_cr(4, ctxt->vcpu) & X86_CR4_TSD))
2405 return emulate_gp(ctxt, 0);
2406 ctxt->ops->get_msr(ctxt->vcpu, MSR_IA32_TSC, &tsc);
2407 c->regs[VCPU_REGS_RAX] = (u32)tsc;
2408 c->regs[VCPU_REGS_RDX] = tsc >> 32;
2409 return X86EMUL_CONTINUE;
2412 static int em_mov(struct x86_emulate_ctxt *ctxt)
2414 struct decode_cache *c = &ctxt->decode;
2415 c->dst.val = c->src.val;
2416 return X86EMUL_CONTINUE;
2419 static int em_movdqu(struct x86_emulate_ctxt *ctxt)
2421 struct decode_cache *c = &ctxt->decode;
2422 memcpy(&c->dst.vec_val, &c->src.vec_val, c->op_bytes);
2423 return X86EMUL_CONTINUE;
2426 #define D(_y) { .flags = (_y) }
2427 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
2429 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2430 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2431 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2432 #define II(_f, _e, _i) \
2433 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
2434 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
2436 #define D2bv(_f) D((_f) | ByteOp), D(_f)
2437 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
2439 #define D6ALU(_f) D2bv((_f) | DstMem | SrcReg | ModRM), \
2440 D2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock), \
2441 D2bv(((_f) & ~Lock) | DstAcc | SrcImm)
2444 static struct opcode group1[] = {
2448 static struct opcode group1A[] = {
2449 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2452 static struct opcode group3[] = {
2453 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2454 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2455 X4(D(SrcMem | ModRM)),
2458 static struct opcode group4[] = {
2459 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2463 static struct opcode group5[] = {
2464 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2465 D(SrcMem | ModRM | Stack),
2466 I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
2467 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2468 D(SrcMem | ModRM | Stack), N,
2471 static struct group_dual group7 = { {
2472 N, N, DI(ModRM | SrcMem | Priv, lgdt), DI(ModRM | SrcMem | Priv, lidt),
2473 DI(SrcNone | ModRM | DstMem | Mov, smsw), N,
2474 DI(SrcMem16 | ModRM | Mov | Priv, lmsw),
2475 DI(SrcMem | ModRM | ByteOp | Priv | NoAccess, invlpg),
2477 D(SrcNone | ModRM | Priv | VendorSpecific), N,
2478 N, D(SrcNone | ModRM | Priv | VendorSpecific),
2479 DI(SrcNone | ModRM | DstMem | Mov, smsw), N,
2480 DI(SrcMem16 | ModRM | Mov | Priv, lmsw), N,
2483 static struct opcode group8[] = {
2485 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2486 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2489 static struct group_dual group9 = { {
2490 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2492 N, N, N, N, N, N, N, N,
2495 static struct opcode group11[] = {
2496 I(DstMem | SrcImm | ModRM | Mov, em_mov), X7(D(Undefined)),
2499 static struct gprefix pfx_0f_6f_0f_7f = {
2500 N, N, N, I(Sse, em_movdqu),
2503 static struct opcode opcode_table[256] = {
2506 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2509 D(ImplicitOps | Stack | No64), N,
2512 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2515 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2519 D6ALU(Lock), N, I(ByteOp | DstAcc | No64, em_das),
2527 X8(I(SrcReg | Stack, em_push)),
2529 X8(D(DstReg | Stack)),
2531 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2532 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2535 I(SrcImm | Mov | Stack, em_push),
2536 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
2537 I(SrcImmByte | Mov | Stack, em_push),
2538 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
2539 D2bv(DstDI | Mov | String), /* insb, insw/insd */
2540 D2bv(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2544 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2545 G(DstMem | SrcImm | ModRM | Group, group1),
2546 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2547 G(DstMem | SrcImmByte | ModRM | Group, group1),
2548 D2bv(DstMem | SrcReg | ModRM), D2bv(DstMem | SrcReg | ModRM | Lock),
2550 I2bv(DstMem | SrcReg | ModRM | Mov, em_mov),
2551 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
2552 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2553 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2555 X8(D(SrcAcc | DstReg)),
2557 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
2558 I(SrcImmFAddr | No64, em_call_far), N,
2559 DI(ImplicitOps | Stack, pushf), DI(ImplicitOps | Stack, popf), N, N,
2561 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
2562 I2bv(DstMem | SrcAcc | Mov | MemAbs, em_mov),
2563 I2bv(SrcSI | DstDI | Mov | String, em_mov),
2564 D2bv(SrcSI | DstDI | String),
2566 D2bv(DstAcc | SrcImm),
2567 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
2568 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
2569 D2bv(SrcAcc | DstDI | String),
2571 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
2573 X8(I(DstReg | SrcImm | Mov, em_mov)),
2575 D2bv(DstMem | SrcImmByte | ModRM),
2576 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
2577 D(ImplicitOps | Stack),
2578 D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr | ModRM | No64),
2579 G(ByteOp, group11), G(0, group11),
2581 N, N, N, D(ImplicitOps | Stack),
2582 D(ImplicitOps), DI(SrcImmByte, intn),
2583 D(ImplicitOps | No64), DI(ImplicitOps, iret),
2585 D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
2588 N, N, N, N, N, N, N, N,
2591 D2bv(SrcImmUByte | DstAcc), D2bv(SrcAcc | DstImmUByte),
2593 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2594 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2595 D2bv(SrcNone | DstAcc), D2bv(SrcAcc | ImplicitOps),
2598 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
2599 G(ByteOp, group3), G(0, group3),
2601 D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
2602 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2605 static struct opcode twobyte_table[256] = {
2607 N, GD(0, &group7), N, N,
2608 N, D(ImplicitOps | VendorSpecific), D(ImplicitOps | Priv), N,
2609 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
2610 N, D(ImplicitOps | ModRM), N, N,
2612 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2614 D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
2615 D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
2617 N, N, N, N, N, N, N, N,
2619 D(ImplicitOps | Priv), II(ImplicitOps, em_rdtsc, rdtsc),
2620 D(ImplicitOps | Priv), N,
2621 D(ImplicitOps | VendorSpecific), D(ImplicitOps | Priv | VendorSpecific),
2623 N, N, N, N, N, N, N, N,
2625 X16(D(DstReg | SrcMem | ModRM | Mov)),
2627 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2632 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
2637 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
2641 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
2643 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2644 N, D(DstMem | SrcReg | ModRM | BitOp),
2645 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2646 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2648 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2649 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2650 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2651 D(DstMem | SrcReg | Src2CL | ModRM),
2652 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
2654 D2bv(DstMem | SrcReg | ModRM | Lock),
2655 D(DstReg | SrcMemFAddr | ModRM), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2656 D(DstReg | SrcMemFAddr | ModRM), D(DstReg | SrcMemFAddr | ModRM),
2657 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2660 G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2661 D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2662 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2664 D2bv(DstMem | SrcReg | ModRM | Lock),
2665 N, D(DstMem | SrcReg | ModRM | Mov),
2666 N, N, N, GD(0, &group9),
2667 N, N, N, N, N, N, N, N,
2669 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2671 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2673 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2687 static unsigned imm_size(struct decode_cache *c)
2691 size = (c->d & ByteOp) ? 1 : c->op_bytes;
2697 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
2698 unsigned size, bool sign_extension)
2700 struct decode_cache *c = &ctxt->decode;
2701 struct x86_emulate_ops *ops = ctxt->ops;
2702 int rc = X86EMUL_CONTINUE;
2706 op->addr.mem.ea = c->eip;
2707 /* NB. Immediates are sign-extended as necessary. */
2708 switch (op->bytes) {
2710 op->val = insn_fetch(s8, 1, c->eip);
2713 op->val = insn_fetch(s16, 2, c->eip);
2716 op->val = insn_fetch(s32, 4, c->eip);
2719 if (!sign_extension) {
2720 switch (op->bytes) {
2728 op->val &= 0xffffffff;
2737 x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
2739 struct x86_emulate_ops *ops = ctxt->ops;
2740 struct decode_cache *c = &ctxt->decode;
2741 int rc = X86EMUL_CONTINUE;
2742 int mode = ctxt->mode;
2743 int def_op_bytes, def_ad_bytes, dual, goffset, simd_prefix;
2744 bool op_prefix = false;
2745 struct opcode opcode, *g_mod012, *g_mod3;
2746 struct operand memop = { .type = OP_NONE };
2749 c->fetch.start = c->eip;
2750 c->fetch.end = c->fetch.start + insn_len;
2752 memcpy(c->fetch.data, insn, insn_len);
2753 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2756 case X86EMUL_MODE_REAL:
2757 case X86EMUL_MODE_VM86:
2758 case X86EMUL_MODE_PROT16:
2759 def_op_bytes = def_ad_bytes = 2;
2761 case X86EMUL_MODE_PROT32:
2762 def_op_bytes = def_ad_bytes = 4;
2764 #ifdef CONFIG_X86_64
2765 case X86EMUL_MODE_PROT64:
2774 c->op_bytes = def_op_bytes;
2775 c->ad_bytes = def_ad_bytes;
2777 /* Legacy prefixes. */
2779 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2780 case 0x66: /* operand-size override */
2782 /* switch between 2/4 bytes */
2783 c->op_bytes = def_op_bytes ^ 6;
2785 case 0x67: /* address-size override */
2786 if (mode == X86EMUL_MODE_PROT64)
2787 /* switch between 4/8 bytes */
2788 c->ad_bytes = def_ad_bytes ^ 12;
2790 /* switch between 2/4 bytes */
2791 c->ad_bytes = def_ad_bytes ^ 6;
2793 case 0x26: /* ES override */
2794 case 0x2e: /* CS override */
2795 case 0x36: /* SS override */
2796 case 0x3e: /* DS override */
2797 set_seg_override(c, (c->b >> 3) & 3);
2799 case 0x64: /* FS override */
2800 case 0x65: /* GS override */
2801 set_seg_override(c, c->b & 7);
2803 case 0x40 ... 0x4f: /* REX */
2804 if (mode != X86EMUL_MODE_PROT64)
2806 c->rex_prefix = c->b;
2808 case 0xf0: /* LOCK */
2811 case 0xf2: /* REPNE/REPNZ */
2812 case 0xf3: /* REP/REPE/REPZ */
2813 c->rep_prefix = c->b;
2819 /* Any legacy prefix after a REX prefix nullifies its effect. */
2827 if (c->rex_prefix & 8)
2828 c->op_bytes = 8; /* REX.W */
2830 /* Opcode byte(s). */
2831 opcode = opcode_table[c->b];
2832 /* Two-byte opcode? */
2835 c->b = insn_fetch(u8, 1, c->eip);
2836 opcode = twobyte_table[c->b];
2838 c->d = opcode.flags;
2841 dual = c->d & GroupDual;
2842 c->modrm = insn_fetch(u8, 1, c->eip);
2845 if (c->d & GroupDual) {
2846 g_mod012 = opcode.u.gdual->mod012;
2847 g_mod3 = opcode.u.gdual->mod3;
2849 g_mod012 = g_mod3 = opcode.u.group;
2851 c->d &= ~(Group | GroupDual);
2853 goffset = (c->modrm >> 3) & 7;
2855 if ((c->modrm >> 6) == 3)
2856 opcode = g_mod3[goffset];
2858 opcode = g_mod012[goffset];
2859 c->d |= opcode.flags;
2862 if (c->d & Prefix) {
2863 if (c->rep_prefix && op_prefix)
2864 return X86EMUL_UNHANDLEABLE;
2865 simd_prefix = op_prefix ? 0x66 : c->rep_prefix;
2866 switch (simd_prefix) {
2867 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
2868 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
2869 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
2870 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
2872 c->d |= opcode.flags;
2875 c->execute = opcode.u.execute;
2876 c->intercept = opcode.intercept;
2879 if (c->d == 0 || (c->d & Undefined))
2882 if (!(c->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
2885 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2888 if (c->d & Op3264) {
2889 if (mode == X86EMUL_MODE_PROT64)
2898 /* ModRM and SIB bytes. */
2900 rc = decode_modrm(ctxt, ops, &memop);
2901 if (!c->has_seg_override)
2902 set_seg_override(c, c->modrm_seg);
2903 } else if (c->d & MemAbs)
2904 rc = decode_abs(ctxt, ops, &memop);
2905 if (rc != X86EMUL_CONTINUE)
2908 if (!c->has_seg_override)
2909 set_seg_override(c, VCPU_SREG_DS);
2911 memop.addr.mem.seg = seg_override(ctxt, ops, c);
2913 if (memop.type == OP_MEM && c->ad_bytes != 8)
2914 memop.addr.mem.ea = (u32)memop.addr.mem.ea;
2916 if (memop.type == OP_MEM && c->rip_relative)
2917 memop.addr.mem.ea += c->eip;
2920 * Decode and fetch the source operand: register, memory
2923 switch (c->d & SrcMask) {
2927 decode_register_operand(ctxt, &c->src, c, 0);
2936 memop.bytes = (c->d & ByteOp) ? 1 :
2942 rc = decode_imm(ctxt, &c->src, 2, false);
2945 rc = decode_imm(ctxt, &c->src, imm_size(c), true);
2948 rc = decode_imm(ctxt, &c->src, imm_size(c), false);
2951 rc = decode_imm(ctxt, &c->src, 1, true);
2954 rc = decode_imm(ctxt, &c->src, 1, false);
2957 c->src.type = OP_REG;
2958 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2959 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2960 fetch_register_operand(&c->src);
2967 c->src.type = OP_MEM;
2968 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2969 c->src.addr.mem.ea =
2970 register_address(c, c->regs[VCPU_REGS_RSI]);
2971 c->src.addr.mem.seg = seg_override(ctxt, ops, c),
2975 c->src.type = OP_IMM;
2976 c->src.addr.mem.ea = c->eip;
2977 c->src.bytes = c->op_bytes + 2;
2978 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2981 memop.bytes = c->op_bytes + 2;
2986 if (rc != X86EMUL_CONTINUE)
2990 * Decode and fetch the second source operand: register, memory
2993 switch (c->d & Src2Mask) {
2998 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
3001 rc = decode_imm(ctxt, &c->src2, 1, true);
3008 rc = decode_imm(ctxt, &c->src2, imm_size(c), true);
3012 if (rc != X86EMUL_CONTINUE)
3015 /* Decode and fetch the destination operand: register or memory. */
3016 switch (c->d & DstMask) {
3018 decode_register_operand(ctxt, &c->dst, c,
3019 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
3022 c->dst.type = OP_IMM;
3023 c->dst.addr.mem.ea = c->eip;
3025 c->dst.val = insn_fetch(u8, 1, c->eip);
3030 if ((c->d & DstMask) == DstMem64)
3033 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3035 fetch_bit_operand(c);
3036 c->dst.orig_val = c->dst.val;
3039 c->dst.type = OP_REG;
3040 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3041 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
3042 fetch_register_operand(&c->dst);
3043 c->dst.orig_val = c->dst.val;
3046 c->dst.type = OP_MEM;
3047 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3048 c->dst.addr.mem.ea =
3049 register_address(c, c->regs[VCPU_REGS_RDI]);
3050 c->dst.addr.mem.seg = VCPU_SREG_ES;
3054 /* Special instructions do their own operand decoding. */
3056 c->dst.type = OP_NONE; /* Disable writeback. */
3061 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3064 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
3066 struct decode_cache *c = &ctxt->decode;
3068 /* The second termination condition only applies for REPE
3069 * and REPNE. Test if the repeat string operation prefix is
3070 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
3071 * corresponding termination condition according to:
3072 * - if REPE/REPZ and ZF = 0 then done
3073 * - if REPNE/REPNZ and ZF = 1 then done
3075 if (((c->b == 0xa6) || (c->b == 0xa7) ||
3076 (c->b == 0xae) || (c->b == 0xaf))
3077 && (((c->rep_prefix == REPE_PREFIX) &&
3078 ((ctxt->eflags & EFLG_ZF) == 0))
3079 || ((c->rep_prefix == REPNE_PREFIX) &&
3080 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
3087 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
3089 struct x86_emulate_ops *ops = ctxt->ops;
3091 struct decode_cache *c = &ctxt->decode;
3092 int rc = X86EMUL_CONTINUE;
3093 int saved_dst_type = c->dst.type;
3094 int irq; /* Used for int 3, int, and into */
3096 ctxt->decode.mem_read.pos = 0;
3098 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
3099 rc = emulate_ud(ctxt);
3103 /* LOCK prefix is allowed only with some instructions */
3104 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
3105 rc = emulate_ud(ctxt);
3109 if ((c->d & SrcMask) == SrcMemFAddr && c->src.type != OP_MEM) {
3110 rc = emulate_ud(ctxt);
3115 && ((ops->get_cr(0, ctxt->vcpu) & X86_CR0_EM)
3116 || !(ops->get_cr(4, ctxt->vcpu) & X86_CR4_OSFXSR))) {
3117 rc = emulate_ud(ctxt);
3121 if ((c->d & Sse) && (ops->get_cr(0, ctxt->vcpu) & X86_CR0_TS)) {
3122 rc = emulate_nm(ctxt);
3126 if (unlikely(ctxt->guest_mode) && c->intercept) {
3127 rc = ops->intercept(ctxt, c->intercept,
3128 X86_ICPT_PRE_EXCEPT);
3129 if (rc != X86EMUL_CONTINUE)
3133 /* Privileged instruction can be executed only in CPL=0 */
3134 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
3135 rc = emulate_gp(ctxt, 0);
3139 if (unlikely(ctxt->guest_mode) && c->intercept) {
3140 rc = ops->intercept(ctxt, c->intercept,
3141 X86_ICPT_POST_EXCEPT);
3142 if (rc != X86EMUL_CONTINUE)
3146 if (c->rep_prefix && (c->d & String)) {
3147 /* All REP prefixes have the same first termination condition */
3148 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
3154 if ((c->src.type == OP_MEM) && !(c->d & NoAccess)) {
3155 rc = read_emulated(ctxt, ops, linear(ctxt, c->src.addr.mem),
3156 c->src.valptr, c->src.bytes);
3157 if (rc != X86EMUL_CONTINUE)
3159 c->src.orig_val64 = c->src.val64;
3162 if (c->src2.type == OP_MEM) {
3163 rc = read_emulated(ctxt, ops, linear(ctxt, c->src2.addr.mem),
3164 &c->src2.val, c->src2.bytes);
3165 if (rc != X86EMUL_CONTINUE)
3169 if ((c->d & DstMask) == ImplicitOps)
3173 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
3174 /* optimisation - avoid slow emulated read if Mov */
3175 rc = read_emulated(ctxt, ops, linear(ctxt, c->dst.addr.mem),
3176 &c->dst.val, c->dst.bytes);
3177 if (rc != X86EMUL_CONTINUE)
3180 c->dst.orig_val = c->dst.val;
3184 if (unlikely(ctxt->guest_mode) && c->intercept) {
3185 rc = ops->intercept(ctxt, c->intercept,
3186 X86_ICPT_POST_MEMACCESS);
3187 if (rc != X86EMUL_CONTINUE)
3192 rc = c->execute(ctxt);
3193 if (rc != X86EMUL_CONTINUE)
3204 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3206 case 0x06: /* push es */
3207 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
3209 case 0x07: /* pop es */
3210 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
3214 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
3216 case 0x0e: /* push cs */
3217 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
3221 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
3223 case 0x16: /* push ss */
3224 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
3226 case 0x17: /* pop ss */
3227 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
3231 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
3233 case 0x1e: /* push ds */
3234 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
3236 case 0x1f: /* pop ds */
3237 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
3241 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
3245 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
3249 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
3253 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3255 case 0x40 ... 0x47: /* inc r16/r32 */
3256 emulate_1op("inc", c->dst, ctxt->eflags);
3258 case 0x48 ... 0x4f: /* dec r16/r32 */
3259 emulate_1op("dec", c->dst, ctxt->eflags);
3261 case 0x58 ... 0x5f: /* pop reg */
3263 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
3265 case 0x60: /* pusha */
3266 rc = emulate_pusha(ctxt, ops);
3268 case 0x61: /* popa */
3269 rc = emulate_popa(ctxt, ops);
3271 case 0x63: /* movsxd */
3272 if (ctxt->mode != X86EMUL_MODE_PROT64)
3273 goto cannot_emulate;
3274 c->dst.val = (s32) c->src.val;
3276 case 0x6c: /* insb */
3277 case 0x6d: /* insw/insd */
3278 c->src.val = c->regs[VCPU_REGS_RDX];
3280 case 0x6e: /* outsb */
3281 case 0x6f: /* outsw/outsd */
3282 c->dst.val = c->regs[VCPU_REGS_RDX];
3285 case 0x70 ... 0x7f: /* jcc (short) */
3286 if (test_cc(c->b, ctxt->eflags))
3287 jmp_rel(c, c->src.val);
3289 case 0x80 ... 0x83: /* Grp1 */
3290 switch (c->modrm_reg) {
3311 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
3313 case 0x86 ... 0x87: /* xchg */
3315 /* Write back the register source. */
3316 c->src.val = c->dst.val;
3317 write_register_operand(&c->src);
3319 * Write back the memory destination with implicit LOCK
3322 c->dst.val = c->src.orig_val;
3325 case 0x8c: /* mov r/m, sreg */
3326 if (c->modrm_reg > VCPU_SREG_GS) {
3327 rc = emulate_ud(ctxt);
3330 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
3332 case 0x8d: /* lea r16/r32, m */
3333 c->dst.val = c->src.addr.mem.ea;
3335 case 0x8e: { /* mov seg, r/m16 */
3340 if (c->modrm_reg == VCPU_SREG_CS ||
3341 c->modrm_reg > VCPU_SREG_GS) {
3342 rc = emulate_ud(ctxt);
3346 if (c->modrm_reg == VCPU_SREG_SS)
3347 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3349 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
3351 c->dst.type = OP_NONE; /* Disable writeback. */
3354 case 0x8f: /* pop (sole member of Grp1a) */
3355 rc = emulate_grp1a(ctxt, ops);
3357 case 0x90 ... 0x97: /* nop / xchg reg, rax */
3358 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
3361 case 0x98: /* cbw/cwde/cdqe */
3362 switch (c->op_bytes) {
3363 case 2: c->dst.val = (s8)c->dst.val; break;
3364 case 4: c->dst.val = (s16)c->dst.val; break;
3365 case 8: c->dst.val = (s32)c->dst.val; break;
3368 case 0x9c: /* pushf */
3369 c->src.val = (unsigned long) ctxt->eflags;
3370 emulate_push(ctxt, ops);
3372 case 0x9d: /* popf */
3373 c->dst.type = OP_REG;
3374 c->dst.addr.reg = &ctxt->eflags;
3375 c->dst.bytes = c->op_bytes;
3376 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
3378 case 0xa6 ... 0xa7: /* cmps */
3379 c->dst.type = OP_NONE; /* Disable writeback. */
3381 case 0xa8 ... 0xa9: /* test ax, imm */
3383 case 0xae ... 0xaf: /* scas */
3388 case 0xc3: /* ret */
3389 c->dst.type = OP_REG;
3390 c->dst.addr.reg = &c->eip;
3391 c->dst.bytes = c->op_bytes;
3392 goto pop_instruction;
3393 case 0xc4: /* les */
3394 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_ES);
3396 case 0xc5: /* lds */
3397 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
3399 case 0xcb: /* ret far */
3400 rc = emulate_ret_far(ctxt, ops);
3402 case 0xcc: /* int3 */
3405 case 0xcd: /* int n */
3408 rc = emulate_int(ctxt, ops, irq);
3410 case 0xce: /* into */
3411 if (ctxt->eflags & EFLG_OF) {
3416 case 0xcf: /* iret */
3417 rc = emulate_iret(ctxt, ops);
3419 case 0xd0 ... 0xd1: /* Grp2 */
3422 case 0xd2 ... 0xd3: /* Grp2 */
3423 c->src.val = c->regs[VCPU_REGS_RCX];
3426 case 0xe0 ... 0xe2: /* loop/loopz/loopnz */
3427 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3428 if (address_mask(c, c->regs[VCPU_REGS_RCX]) != 0 &&
3429 (c->b == 0xe2 || test_cc(c->b ^ 0x5, ctxt->eflags)))
3430 jmp_rel(c, c->src.val);
3432 case 0xe3: /* jcxz/jecxz/jrcxz */
3433 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0)
3434 jmp_rel(c, c->src.val);
3436 case 0xe4: /* inb */
3439 case 0xe6: /* outb */
3440 case 0xe7: /* out */
3442 case 0xe8: /* call (near) */ {
3443 long int rel = c->src.val;
3444 c->src.val = (unsigned long) c->eip;
3446 emulate_push(ctxt, ops);
3449 case 0xe9: /* jmp rel */
3451 case 0xea: { /* jmp far */
3454 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3456 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3460 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3464 jmp: /* jmp rel short */
3465 jmp_rel(c, c->src.val);
3466 c->dst.type = OP_NONE; /* Disable writeback. */
3468 case 0xec: /* in al,dx */
3469 case 0xed: /* in (e/r)ax,dx */
3470 c->src.val = c->regs[VCPU_REGS_RDX];
3472 c->dst.bytes = min(c->dst.bytes, 4u);
3473 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3474 rc = emulate_gp(ctxt, 0);
3477 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3479 goto done; /* IO is needed */
3481 case 0xee: /* out dx,al */
3482 case 0xef: /* out dx,(e/r)ax */
3483 c->dst.val = c->regs[VCPU_REGS_RDX];
3485 c->src.bytes = min(c->src.bytes, 4u);
3486 if (!emulator_io_permited(ctxt, ops, c->dst.val,
3488 rc = emulate_gp(ctxt, 0);
3491 ops->pio_out_emulated(c->src.bytes, c->dst.val,
3492 &c->src.val, 1, ctxt->vcpu);
3493 c->dst.type = OP_NONE; /* Disable writeback. */
3495 case 0xf4: /* hlt */
3496 ctxt->vcpu->arch.halt_request = 1;
3498 case 0xf5: /* cmc */
3499 /* complement carry flag from eflags reg */
3500 ctxt->eflags ^= EFLG_CF;
3502 case 0xf6 ... 0xf7: /* Grp3 */
3503 rc = emulate_grp3(ctxt, ops);
3505 case 0xf8: /* clc */
3506 ctxt->eflags &= ~EFLG_CF;
3508 case 0xf9: /* stc */
3509 ctxt->eflags |= EFLG_CF;
3511 case 0xfa: /* cli */
3512 if (emulator_bad_iopl(ctxt, ops)) {
3513 rc = emulate_gp(ctxt, 0);
3516 ctxt->eflags &= ~X86_EFLAGS_IF;
3518 case 0xfb: /* sti */
3519 if (emulator_bad_iopl(ctxt, ops)) {
3520 rc = emulate_gp(ctxt, 0);
3523 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3524 ctxt->eflags |= X86_EFLAGS_IF;
3527 case 0xfc: /* cld */
3528 ctxt->eflags &= ~EFLG_DF;
3530 case 0xfd: /* std */
3531 ctxt->eflags |= EFLG_DF;
3533 case 0xfe: /* Grp4 */
3535 rc = emulate_grp45(ctxt, ops);
3537 case 0xff: /* Grp5 */
3538 if (c->modrm_reg == 5)
3542 goto cannot_emulate;
3545 if (rc != X86EMUL_CONTINUE)
3549 rc = writeback(ctxt, ops);
3550 if (rc != X86EMUL_CONTINUE)
3554 * restore dst type in case the decoding will be reused
3555 * (happens for string instruction )
3557 c->dst.type = saved_dst_type;
3559 if ((c->d & SrcMask) == SrcSI)
3560 string_addr_inc(ctxt, seg_override(ctxt, ops, c),
3561 VCPU_REGS_RSI, &c->src);
3563 if ((c->d & DstMask) == DstDI)
3564 string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
3567 if (c->rep_prefix && (c->d & String)) {
3568 struct read_cache *r = &ctxt->decode.io_read;
3569 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3571 if (!string_insn_completed(ctxt)) {
3573 * Re-enter guest when pio read ahead buffer is empty
3574 * or, if it is not used, after each 1024 iteration.
3576 if ((r->end != 0 || c->regs[VCPU_REGS_RCX] & 0x3ff) &&
3577 (r->end == 0 || r->end != r->pos)) {
3579 * Reset read cache. Usually happens before
3580 * decode, but since instruction is restarted
3581 * we have to do it here.
3583 ctxt->decode.mem_read.end = 0;
3584 return EMULATION_RESTART;
3586 goto done; /* skip rip writeback */
3593 if (rc == X86EMUL_PROPAGATE_FAULT)
3594 ctxt->have_exception = true;
3595 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3599 case 0x01: /* lgdt, lidt, lmsw */
3600 switch (c->modrm_reg) {
3602 unsigned long address;
3604 case 0: /* vmcall */
3605 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3606 goto cannot_emulate;
3608 rc = kvm_fix_hypercall(ctxt->vcpu);
3609 if (rc != X86EMUL_CONTINUE)
3612 /* Let the processor re-execute the fixed hypercall */
3614 /* Disable writeback. */
3615 c->dst.type = OP_NONE;
3618 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3619 &size, &address, c->op_bytes);
3620 if (rc != X86EMUL_CONTINUE)
3622 realmode_lgdt(ctxt->vcpu, size, address);
3623 /* Disable writeback. */
3624 c->dst.type = OP_NONE;
3626 case 3: /* lidt/vmmcall */
3627 if (c->modrm_mod == 3) {
3628 switch (c->modrm_rm) {
3630 rc = kvm_fix_hypercall(ctxt->vcpu);
3633 goto cannot_emulate;
3636 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3639 if (rc != X86EMUL_CONTINUE)
3641 realmode_lidt(ctxt->vcpu, size, address);
3643 /* Disable writeback. */
3644 c->dst.type = OP_NONE;
3648 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3651 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3652 (c->src.val & 0x0f), ctxt->vcpu);
3653 c->dst.type = OP_NONE;
3655 case 5: /* not defined */
3657 rc = X86EMUL_PROPAGATE_FAULT;
3660 emulate_invlpg(ctxt->vcpu,
3661 linear(ctxt, c->src.addr.mem));
3662 /* Disable writeback. */
3663 c->dst.type = OP_NONE;
3666 goto cannot_emulate;
3669 case 0x05: /* syscall */
3670 rc = emulate_syscall(ctxt, ops);
3673 emulate_clts(ctxt->vcpu);
3675 case 0x09: /* wbinvd */
3676 kvm_emulate_wbinvd(ctxt->vcpu);
3678 case 0x08: /* invd */
3679 case 0x0d: /* GrpP (prefetch) */
3680 case 0x18: /* Grp16 (prefetch/nop) */
3682 case 0x20: /* mov cr, reg */
3683 switch (c->modrm_reg) {
3688 rc = X86EMUL_PROPAGATE_FAULT;
3691 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3693 case 0x21: /* mov from dr to reg */
3694 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3695 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3697 rc = X86EMUL_PROPAGATE_FAULT;
3700 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3702 case 0x22: /* mov reg, cr */
3703 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3704 emulate_gp(ctxt, 0);
3705 rc = X86EMUL_PROPAGATE_FAULT;
3708 c->dst.type = OP_NONE;
3710 case 0x23: /* mov from reg to dr */
3711 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3712 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3714 rc = X86EMUL_PROPAGATE_FAULT;
3718 if (ops->set_dr(c->modrm_reg, c->src.val &
3719 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3720 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3721 /* #UD condition is already handled by the code above */
3722 emulate_gp(ctxt, 0);
3723 rc = X86EMUL_PROPAGATE_FAULT;
3727 c->dst.type = OP_NONE; /* no writeback */
3731 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3732 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3733 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3734 emulate_gp(ctxt, 0);
3735 rc = X86EMUL_PROPAGATE_FAULT;
3738 rc = X86EMUL_CONTINUE;
3742 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3743 emulate_gp(ctxt, 0);
3744 rc = X86EMUL_PROPAGATE_FAULT;
3747 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3748 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3750 rc = X86EMUL_CONTINUE;
3752 case 0x34: /* sysenter */
3753 rc = emulate_sysenter(ctxt, ops);
3755 case 0x35: /* sysexit */
3756 rc = emulate_sysexit(ctxt, ops);
3758 case 0x40 ... 0x4f: /* cmov */
3759 c->dst.val = c->dst.orig_val = c->src.val;
3760 if (!test_cc(c->b, ctxt->eflags))
3761 c->dst.type = OP_NONE; /* no writeback */
3763 case 0x80 ... 0x8f: /* jnz rel, etc*/
3764 if (test_cc(c->b, ctxt->eflags))
3765 jmp_rel(c, c->src.val);
3767 case 0x90 ... 0x9f: /* setcc r/m8 */
3768 c->dst.val = test_cc(c->b, ctxt->eflags);
3770 case 0xa0: /* push fs */
3771 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3773 case 0xa1: /* pop fs */
3774 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3778 c->dst.type = OP_NONE;
3779 /* only subword offset */
3780 c->src.val &= (c->dst.bytes << 3) - 1;
3781 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3783 case 0xa4: /* shld imm8, r, r/m */
3784 case 0xa5: /* shld cl, r, r/m */
3785 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3787 case 0xa8: /* push gs */
3788 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3790 case 0xa9: /* pop gs */
3791 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3795 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3797 case 0xac: /* shrd imm8, r, r/m */
3798 case 0xad: /* shrd cl, r, r/m */
3799 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3801 case 0xae: /* clflush */
3803 case 0xb0 ... 0xb1: /* cmpxchg */
3805 * Save real source value, then compare EAX against
3808 c->src.orig_val = c->src.val;
3809 c->src.val = c->regs[VCPU_REGS_RAX];
3810 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3811 if (ctxt->eflags & EFLG_ZF) {
3812 /* Success: write back to memory. */
3813 c->dst.val = c->src.orig_val;
3815 /* Failure: write the value we saw to EAX. */
3816 c->dst.type = OP_REG;
3817 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3820 case 0xb2: /* lss */
3821 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_SS);
3825 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3827 case 0xb4: /* lfs */
3828 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_FS);
3830 case 0xb5: /* lgs */
3831 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_GS);
3833 case 0xb6 ... 0xb7: /* movzx */
3834 c->dst.bytes = c->op_bytes;
3835 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3838 case 0xba: /* Grp8 */
3839 switch (c->modrm_reg & 3) {
3852 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3854 case 0xbc: { /* bsf */
3856 __asm__ ("bsf %2, %0; setz %1"
3857 : "=r"(c->dst.val), "=q"(zf)
3859 ctxt->eflags &= ~X86_EFLAGS_ZF;
3861 ctxt->eflags |= X86_EFLAGS_ZF;
3862 c->dst.type = OP_NONE; /* Disable writeback. */
3866 case 0xbd: { /* bsr */
3868 __asm__ ("bsr %2, %0; setz %1"
3869 : "=r"(c->dst.val), "=q"(zf)
3871 ctxt->eflags &= ~X86_EFLAGS_ZF;
3873 ctxt->eflags |= X86_EFLAGS_ZF;
3874 c->dst.type = OP_NONE; /* Disable writeback. */
3878 case 0xbe ... 0xbf: /* movsx */
3879 c->dst.bytes = c->op_bytes;
3880 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3883 case 0xc0 ... 0xc1: /* xadd */
3884 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3885 /* Write back the register source. */
3886 c->src.val = c->dst.orig_val;
3887 write_register_operand(&c->src);
3889 case 0xc3: /* movnti */
3890 c->dst.bytes = c->op_bytes;
3891 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3894 case 0xc7: /* Grp9 (cmpxchg8b) */
3895 rc = emulate_grp9(ctxt, ops);
3898 goto cannot_emulate;
3901 if (rc != X86EMUL_CONTINUE)