1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstImmUByte (7<<1) /* 8-bit unsigned immediate operand */
58 #define DstMask (7<<1)
59 /* Source operand type. */
60 #define SrcNone (0<<4) /* No source operand. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcImmU16 (0xe<<4) /* Immediate operand, unsigned, 16 bits */
75 #define SrcMask (0xf<<4)
76 /* Generic ModRM decode. */
78 /* Destination is only written; never read. */
81 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
82 #define String (1<<12) /* String instruction (rep capable) */
83 #define Stack (1<<13) /* Stack instruction (push/pop) */
84 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
85 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
87 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
88 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
89 #define Undefined (1<<25) /* No Such Instruction */
90 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
91 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
93 /* Source 2 operand type */
94 #define Src2None (0<<29)
95 #define Src2CL (1<<29)
96 #define Src2ImmByte (2<<29)
97 #define Src2One (3<<29)
98 #define Src2Imm (4<<29)
99 #define Src2Mask (7<<29)
101 #define X2(x...) x, x
102 #define X3(x...) X2(x), x
103 #define X4(x...) X2(x), X2(x)
104 #define X5(x...) X4(x), x
105 #define X6(x...) X4(x), X2(x)
106 #define X7(x...) X4(x), X3(x)
107 #define X8(x...) X4(x), X4(x)
108 #define X16(x...) X8(x), X8(x)
113 int (*execute)(struct x86_emulate_ctxt *ctxt);
114 struct opcode *group;
115 struct group_dual *gdual;
120 struct opcode mod012[8];
121 struct opcode mod3[8];
124 /* EFLAGS bit definitions. */
125 #define EFLG_ID (1<<21)
126 #define EFLG_VIP (1<<20)
127 #define EFLG_VIF (1<<19)
128 #define EFLG_AC (1<<18)
129 #define EFLG_VM (1<<17)
130 #define EFLG_RF (1<<16)
131 #define EFLG_IOPL (3<<12)
132 #define EFLG_NT (1<<14)
133 #define EFLG_OF (1<<11)
134 #define EFLG_DF (1<<10)
135 #define EFLG_IF (1<<9)
136 #define EFLG_TF (1<<8)
137 #define EFLG_SF (1<<7)
138 #define EFLG_ZF (1<<6)
139 #define EFLG_AF (1<<4)
140 #define EFLG_PF (1<<2)
141 #define EFLG_CF (1<<0)
143 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
144 #define EFLG_RESERVED_ONE_MASK 2
147 * Instruction emulation:
148 * Most instructions are emulated directly via a fragment of inline assembly
149 * code. This allows us to save/restore EFLAGS and thus very easily pick up
150 * any modified flags.
153 #if defined(CONFIG_X86_64)
154 #define _LO32 "k" /* force 32-bit operand */
155 #define _STK "%%rsp" /* stack pointer */
156 #elif defined(__i386__)
157 #define _LO32 "" /* force 32-bit operand */
158 #define _STK "%%esp" /* stack pointer */
162 * These EFLAGS bits are restored from saved value during emulation, and
163 * any changes are written back to the saved value after emulation.
165 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
167 /* Before executing instruction: restore necessary bits in EFLAGS. */
168 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
169 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
170 "movl %"_sav",%"_LO32 _tmp"; " \
173 "movl %"_msk",%"_LO32 _tmp"; " \
174 "andl %"_LO32 _tmp",("_STK"); " \
176 "notl %"_LO32 _tmp"; " \
177 "andl %"_LO32 _tmp",("_STK"); " \
178 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
180 "orl %"_LO32 _tmp",("_STK"); " \
184 /* After executing instruction: write-back necessary bits in EFLAGS. */
185 #define _POST_EFLAGS(_sav, _msk, _tmp) \
186 /* _sav |= EFLAGS & _msk; */ \
189 "andl %"_msk",%"_LO32 _tmp"; " \
190 "orl %"_LO32 _tmp",%"_sav"; "
198 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
200 __asm__ __volatile__ ( \
201 _PRE_EFLAGS("0", "4", "2") \
202 _op _suffix " %"_x"3,%1; " \
203 _POST_EFLAGS("0", "4", "2") \
204 : "=m" (_eflags), "+q" (*(_dsttype*)&(_dst).val),\
206 : _y ((_src).val), "i" (EFLAGS_MASK)); \
210 /* Raw emulation: instruction has two explicit operands. */
211 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
213 unsigned long _tmp; \
215 switch ((_dst).bytes) { \
217 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
220 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l",u32);\
223 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q",u64)); \
228 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
230 unsigned long _tmp; \
231 switch ((_dst).bytes) { \
233 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
236 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
237 _wx, _wy, _lx, _ly, _qx, _qy); \
242 /* Source operand is byte-sized and may be restricted to just %cl. */
243 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
244 __emulate_2op(_op, _src, _dst, _eflags, \
245 "b", "c", "b", "c", "b", "c", "b", "c")
247 /* Source operand is byte, word, long or quad sized. */
248 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
249 __emulate_2op(_op, _src, _dst, _eflags, \
250 "b", "q", "w", "r", _LO32, "r", "", "r")
252 /* Source operand is word, long or quad sized. */
253 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
254 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
255 "w", "r", _LO32, "r", "", "r")
257 /* Instruction has three operands and one operand is stored in ECX register */
258 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
260 unsigned long _tmp; \
261 _type _clv = (_cl).val; \
262 _type _srcv = (_src).val; \
263 _type _dstv = (_dst).val; \
265 __asm__ __volatile__ ( \
266 _PRE_EFLAGS("0", "5", "2") \
267 _op _suffix " %4,%1 \n" \
268 _POST_EFLAGS("0", "5", "2") \
269 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
270 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
273 (_cl).val = (unsigned long) _clv; \
274 (_src).val = (unsigned long) _srcv; \
275 (_dst).val = (unsigned long) _dstv; \
278 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
280 switch ((_dst).bytes) { \
282 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
283 "w", unsigned short); \
286 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
287 "l", unsigned int); \
290 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
291 "q", unsigned long)); \
296 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
298 unsigned long _tmp; \
300 __asm__ __volatile__ ( \
301 _PRE_EFLAGS("0", "3", "2") \
302 _op _suffix " %1; " \
303 _POST_EFLAGS("0", "3", "2") \
304 : "=m" (_eflags), "+m" ((_dst).val), \
306 : "i" (EFLAGS_MASK)); \
309 /* Instruction has only one explicit operand (no source operand). */
310 #define emulate_1op(_op, _dst, _eflags) \
312 switch ((_dst).bytes) { \
313 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
314 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
315 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
316 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
320 #define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix) \
322 unsigned long _tmp; \
324 __asm__ __volatile__ ( \
325 _PRE_EFLAGS("0", "4", "1") \
326 _op _suffix " %5; " \
327 _POST_EFLAGS("0", "4", "1") \
328 : "=m" (_eflags), "=&r" (_tmp), \
329 "+a" (_rax), "+d" (_rdx) \
330 : "i" (EFLAGS_MASK), "m" ((_src).val), \
331 "a" (_rax), "d" (_rdx)); \
334 #define __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _suffix, _ex) \
336 unsigned long _tmp; \
338 __asm__ __volatile__ ( \
339 _PRE_EFLAGS("0", "5", "1") \
341 _op _suffix " %6; " \
343 _POST_EFLAGS("0", "5", "1") \
344 ".pushsection .fixup,\"ax\" \n\t" \
345 "3: movb $1, %4 \n\t" \
348 _ASM_EXTABLE(1b, 3b) \
349 : "=m" (_eflags), "=&r" (_tmp), \
350 "+a" (_rax), "+d" (_rdx), "+qm"(_ex) \
351 : "i" (EFLAGS_MASK), "m" ((_src).val), \
352 "a" (_rax), "d" (_rdx)); \
355 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
356 #define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags) \
358 switch((_src).bytes) { \
359 case 1: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "b"); break; \
360 case 2: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "w"); break; \
361 case 4: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "l"); break; \
362 case 8: ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "q")); break; \
366 #define emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _ex) \
368 switch((_src).bytes) { \
370 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
371 _eflags, "b", _ex); \
374 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
375 _eflags, "w", _ex); \
378 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
379 _eflags, "l", _ex); \
382 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
383 _eflags, "q", _ex)); \
388 /* Fetch next part of the instruction being emulated. */
389 #define insn_fetch(_type, _size, _eip) \
390 ({ unsigned long _x; \
391 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
392 if (rc != X86EMUL_CONTINUE) \
398 #define insn_fetch_arr(_arr, _size, _eip) \
399 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
400 if (rc != X86EMUL_CONTINUE) \
405 static inline unsigned long ad_mask(struct decode_cache *c)
407 return (1UL << (c->ad_bytes << 3)) - 1;
410 /* Access/update address held in a register, based on addressing mode. */
411 static inline unsigned long
412 address_mask(struct decode_cache *c, unsigned long reg)
414 if (c->ad_bytes == sizeof(unsigned long))
417 return reg & ad_mask(c);
420 static inline unsigned long
421 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
423 return base + address_mask(c, reg);
427 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
429 if (c->ad_bytes == sizeof(unsigned long))
432 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
435 static inline void jmp_rel(struct decode_cache *c, int rel)
437 register_address_increment(c, &c->eip, rel);
440 static void set_seg_override(struct decode_cache *c, int seg)
442 c->has_seg_override = true;
443 c->seg_override = seg;
446 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
447 struct x86_emulate_ops *ops, int seg)
449 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
452 return ops->get_cached_segment_base(seg, ctxt->vcpu);
455 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
456 struct x86_emulate_ops *ops,
457 struct decode_cache *c)
459 if (!c->has_seg_override)
462 return seg_base(ctxt, ops, c->seg_override);
465 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
466 struct x86_emulate_ops *ops)
468 return seg_base(ctxt, ops, VCPU_SREG_ES);
471 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
472 struct x86_emulate_ops *ops)
474 return seg_base(ctxt, ops, VCPU_SREG_SS);
477 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
478 u32 error, bool valid)
480 ctxt->exception = vec;
481 ctxt->error_code = error;
482 ctxt->error_code_valid = valid;
485 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
487 emulate_exception(ctxt, GP_VECTOR, err, true);
490 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
494 emulate_exception(ctxt, PF_VECTOR, err, true);
497 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
499 emulate_exception(ctxt, UD_VECTOR, 0, false);
502 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
504 emulate_exception(ctxt, TS_VECTOR, err, true);
507 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
508 struct x86_emulate_ops *ops,
509 unsigned long eip, u8 *dest)
511 struct fetch_cache *fc = &ctxt->decode.fetch;
515 if (eip == fc->end) {
516 cur_size = fc->end - fc->start;
517 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
518 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
519 size, ctxt->vcpu, NULL);
520 if (rc != X86EMUL_CONTINUE)
524 *dest = fc->data[eip - fc->start];
525 return X86EMUL_CONTINUE;
528 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
529 struct x86_emulate_ops *ops,
530 unsigned long eip, void *dest, unsigned size)
534 /* x86 instructions are limited to 15 bytes. */
535 if (eip + size - ctxt->eip > 15)
536 return X86EMUL_UNHANDLEABLE;
538 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
539 if (rc != X86EMUL_CONTINUE)
542 return X86EMUL_CONTINUE;
546 * Given the 'reg' portion of a ModRM byte, and a register block, return a
547 * pointer into the block that addresses the relevant register.
548 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
550 static void *decode_register(u8 modrm_reg, unsigned long *regs,
555 p = ®s[modrm_reg];
556 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
557 p = (unsigned char *)®s[modrm_reg & 3] + 1;
561 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
562 struct x86_emulate_ops *ops,
564 u16 *size, unsigned long *address, int op_bytes)
571 rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
572 if (rc != X86EMUL_CONTINUE)
574 rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
578 static int test_cc(unsigned int condition, unsigned int flags)
582 switch ((condition & 15) >> 1) {
584 rc |= (flags & EFLG_OF);
586 case 1: /* b/c/nae */
587 rc |= (flags & EFLG_CF);
590 rc |= (flags & EFLG_ZF);
593 rc |= (flags & (EFLG_CF|EFLG_ZF));
596 rc |= (flags & EFLG_SF);
599 rc |= (flags & EFLG_PF);
602 rc |= (flags & EFLG_ZF);
605 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
609 /* Odd condition identifiers (lsb == 1) have inverted sense. */
610 return (!!rc ^ (condition & 1));
613 static void fetch_register_operand(struct operand *op)
617 op->val = *(u8 *)op->addr.reg;
620 op->val = *(u16 *)op->addr.reg;
623 op->val = *(u32 *)op->addr.reg;
626 op->val = *(u64 *)op->addr.reg;
631 static void decode_register_operand(struct operand *op,
632 struct decode_cache *c,
635 unsigned reg = c->modrm_reg;
636 int highbyte_regs = c->rex_prefix == 0;
639 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
641 if ((c->d & ByteOp) && !inhibit_bytereg) {
642 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
645 op->addr.reg = decode_register(reg, c->regs, 0);
646 op->bytes = c->op_bytes;
648 fetch_register_operand(op);
649 op->orig_val = op->val;
652 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
653 struct x86_emulate_ops *ops,
656 struct decode_cache *c = &ctxt->decode;
658 int index_reg = 0, base_reg = 0, scale;
659 int rc = X86EMUL_CONTINUE;
663 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
664 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
665 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
668 c->modrm = insn_fetch(u8, 1, c->eip);
669 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
670 c->modrm_reg |= (c->modrm & 0x38) >> 3;
671 c->modrm_rm |= (c->modrm & 0x07);
672 c->modrm_seg = VCPU_SREG_DS;
674 if (c->modrm_mod == 3) {
676 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
677 op->addr.reg = decode_register(c->modrm_rm,
678 c->regs, c->d & ByteOp);
679 fetch_register_operand(op);
685 if (c->ad_bytes == 2) {
686 unsigned bx = c->regs[VCPU_REGS_RBX];
687 unsigned bp = c->regs[VCPU_REGS_RBP];
688 unsigned si = c->regs[VCPU_REGS_RSI];
689 unsigned di = c->regs[VCPU_REGS_RDI];
691 /* 16-bit ModR/M decode. */
692 switch (c->modrm_mod) {
694 if (c->modrm_rm == 6)
695 modrm_ea += insn_fetch(u16, 2, c->eip);
698 modrm_ea += insn_fetch(s8, 1, c->eip);
701 modrm_ea += insn_fetch(u16, 2, c->eip);
704 switch (c->modrm_rm) {
724 if (c->modrm_mod != 0)
731 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
732 (c->modrm_rm == 6 && c->modrm_mod != 0))
733 c->modrm_seg = VCPU_SREG_SS;
734 modrm_ea = (u16)modrm_ea;
736 /* 32/64-bit ModR/M decode. */
737 if ((c->modrm_rm & 7) == 4) {
738 sib = insn_fetch(u8, 1, c->eip);
739 index_reg |= (sib >> 3) & 7;
743 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
744 modrm_ea += insn_fetch(s32, 4, c->eip);
746 modrm_ea += c->regs[base_reg];
748 modrm_ea += c->regs[index_reg] << scale;
749 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
750 if (ctxt->mode == X86EMUL_MODE_PROT64)
753 modrm_ea += c->regs[c->modrm_rm];
754 switch (c->modrm_mod) {
756 if (c->modrm_rm == 5)
757 modrm_ea += insn_fetch(s32, 4, c->eip);
760 modrm_ea += insn_fetch(s8, 1, c->eip);
763 modrm_ea += insn_fetch(s32, 4, c->eip);
767 op->addr.mem = modrm_ea;
772 static int decode_abs(struct x86_emulate_ctxt *ctxt,
773 struct x86_emulate_ops *ops,
776 struct decode_cache *c = &ctxt->decode;
777 int rc = X86EMUL_CONTINUE;
780 switch (c->ad_bytes) {
782 op->addr.mem = insn_fetch(u16, 2, c->eip);
785 op->addr.mem = insn_fetch(u32, 4, c->eip);
788 op->addr.mem = insn_fetch(u64, 8, c->eip);
795 static void fetch_bit_operand(struct decode_cache *c)
799 if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
800 mask = ~(c->dst.bytes * 8 - 1);
802 if (c->src.bytes == 2)
803 sv = (s16)c->src.val & (s16)mask;
804 else if (c->src.bytes == 4)
805 sv = (s32)c->src.val & (s32)mask;
807 c->dst.addr.mem += (sv >> 3);
810 /* only subword offset */
811 c->src.val &= (c->dst.bytes << 3) - 1;
814 static int read_emulated(struct x86_emulate_ctxt *ctxt,
815 struct x86_emulate_ops *ops,
816 unsigned long addr, void *dest, unsigned size)
819 struct read_cache *mc = &ctxt->decode.mem_read;
823 int n = min(size, 8u);
825 if (mc->pos < mc->end)
828 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
830 if (rc == X86EMUL_PROPAGATE_FAULT)
831 emulate_pf(ctxt, addr, err);
832 if (rc != X86EMUL_CONTINUE)
837 memcpy(dest, mc->data + mc->pos, n);
842 return X86EMUL_CONTINUE;
845 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
846 struct x86_emulate_ops *ops,
847 unsigned int size, unsigned short port,
850 struct read_cache *rc = &ctxt->decode.io_read;
852 if (rc->pos == rc->end) { /* refill pio read ahead */
853 struct decode_cache *c = &ctxt->decode;
854 unsigned int in_page, n;
855 unsigned int count = c->rep_prefix ?
856 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
857 in_page = (ctxt->eflags & EFLG_DF) ?
858 offset_in_page(c->regs[VCPU_REGS_RDI]) :
859 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
860 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
864 rc->pos = rc->end = 0;
865 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
870 memcpy(dest, rc->data + rc->pos, size);
875 static u32 desc_limit_scaled(struct desc_struct *desc)
877 u32 limit = get_desc_limit(desc);
879 return desc->g ? (limit << 12) | 0xfff : limit;
882 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
883 struct x86_emulate_ops *ops,
884 u16 selector, struct desc_ptr *dt)
886 if (selector & 1 << 2) {
887 struct desc_struct desc;
888 memset (dt, 0, sizeof *dt);
889 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
892 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
893 dt->address = get_desc_base(&desc);
895 ops->get_gdt(dt, ctxt->vcpu);
898 /* allowed just for 8 bytes segments */
899 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
900 struct x86_emulate_ops *ops,
901 u16 selector, struct desc_struct *desc)
904 u16 index = selector >> 3;
909 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
911 if (dt.size < index * 8 + 7) {
912 emulate_gp(ctxt, selector & 0xfffc);
913 return X86EMUL_PROPAGATE_FAULT;
915 addr = dt.address + index * 8;
916 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
917 if (ret == X86EMUL_PROPAGATE_FAULT)
918 emulate_pf(ctxt, addr, err);
923 /* allowed just for 8 bytes segments */
924 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
925 struct x86_emulate_ops *ops,
926 u16 selector, struct desc_struct *desc)
929 u16 index = selector >> 3;
934 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
936 if (dt.size < index * 8 + 7) {
937 emulate_gp(ctxt, selector & 0xfffc);
938 return X86EMUL_PROPAGATE_FAULT;
941 addr = dt.address + index * 8;
942 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
943 if (ret == X86EMUL_PROPAGATE_FAULT)
944 emulate_pf(ctxt, addr, err);
949 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
950 struct x86_emulate_ops *ops,
951 u16 selector, int seg)
953 struct desc_struct seg_desc;
955 unsigned err_vec = GP_VECTOR;
957 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
960 memset(&seg_desc, 0, sizeof seg_desc);
962 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
963 || ctxt->mode == X86EMUL_MODE_REAL) {
964 /* set real mode segment descriptor */
965 set_desc_base(&seg_desc, selector << 4);
966 set_desc_limit(&seg_desc, 0xffff);
973 /* NULL selector is not valid for TR, CS and SS */
974 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
978 /* TR should be in GDT only */
979 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
982 if (null_selector) /* for NULL selector skip all following checks */
985 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
986 if (ret != X86EMUL_CONTINUE)
989 err_code = selector & 0xfffc;
992 /* can't load system descriptor into segment selecor */
993 if (seg <= VCPU_SREG_GS && !seg_desc.s)
997 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1003 cpl = ops->cpl(ctxt->vcpu);
1008 * segment is not a writable data segment or segment
1009 * selector's RPL != CPL or segment selector's RPL != CPL
1011 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1015 if (!(seg_desc.type & 8))
1018 if (seg_desc.type & 4) {
1024 if (rpl > cpl || dpl != cpl)
1027 /* CS(RPL) <- CPL */
1028 selector = (selector & 0xfffc) | cpl;
1031 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1034 case VCPU_SREG_LDTR:
1035 if (seg_desc.s || seg_desc.type != 2)
1038 default: /* DS, ES, FS, or GS */
1040 * segment is not a data or readable code segment or
1041 * ((segment is a data or nonconforming code segment)
1042 * and (both RPL and CPL > DPL))
1044 if ((seg_desc.type & 0xa) == 0x8 ||
1045 (((seg_desc.type & 0xc) != 0xc) &&
1046 (rpl > dpl && cpl > dpl)))
1052 /* mark segment as accessed */
1054 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1055 if (ret != X86EMUL_CONTINUE)
1059 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1060 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1061 return X86EMUL_CONTINUE;
1063 emulate_exception(ctxt, err_vec, err_code, true);
1064 return X86EMUL_PROPAGATE_FAULT;
1067 static void write_register_operand(struct operand *op)
1069 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1070 switch (op->bytes) {
1072 *(u8 *)op->addr.reg = (u8)op->val;
1075 *(u16 *)op->addr.reg = (u16)op->val;
1078 *op->addr.reg = (u32)op->val;
1079 break; /* 64b: zero-extend */
1081 *op->addr.reg = op->val;
1086 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1087 struct x86_emulate_ops *ops)
1090 struct decode_cache *c = &ctxt->decode;
1093 switch (c->dst.type) {
1095 write_register_operand(&c->dst);
1099 rc = ops->cmpxchg_emulated(
1107 rc = ops->write_emulated(
1113 if (rc == X86EMUL_PROPAGATE_FAULT)
1114 emulate_pf(ctxt, c->dst.addr.mem, err);
1115 if (rc != X86EMUL_CONTINUE)
1124 return X86EMUL_CONTINUE;
1127 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1128 struct x86_emulate_ops *ops)
1130 struct decode_cache *c = &ctxt->decode;
1132 c->dst.type = OP_MEM;
1133 c->dst.bytes = c->op_bytes;
1134 c->dst.val = c->src.val;
1135 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1136 c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
1137 c->regs[VCPU_REGS_RSP]);
1140 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1141 struct x86_emulate_ops *ops,
1142 void *dest, int len)
1144 struct decode_cache *c = &ctxt->decode;
1147 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1148 c->regs[VCPU_REGS_RSP]),
1150 if (rc != X86EMUL_CONTINUE)
1153 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1157 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1158 struct x86_emulate_ops *ops,
1159 void *dest, int len)
1162 unsigned long val, change_mask;
1163 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1164 int cpl = ops->cpl(ctxt->vcpu);
1166 rc = emulate_pop(ctxt, ops, &val, len);
1167 if (rc != X86EMUL_CONTINUE)
1170 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1171 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1173 switch(ctxt->mode) {
1174 case X86EMUL_MODE_PROT64:
1175 case X86EMUL_MODE_PROT32:
1176 case X86EMUL_MODE_PROT16:
1178 change_mask |= EFLG_IOPL;
1180 change_mask |= EFLG_IF;
1182 case X86EMUL_MODE_VM86:
1184 emulate_gp(ctxt, 0);
1185 return X86EMUL_PROPAGATE_FAULT;
1187 change_mask |= EFLG_IF;
1189 default: /* real mode */
1190 change_mask |= (EFLG_IOPL | EFLG_IF);
1194 *(unsigned long *)dest =
1195 (ctxt->eflags & ~change_mask) | (val & change_mask);
1200 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1201 struct x86_emulate_ops *ops, int seg)
1203 struct decode_cache *c = &ctxt->decode;
1205 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1207 emulate_push(ctxt, ops);
1210 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1211 struct x86_emulate_ops *ops, int seg)
1213 struct decode_cache *c = &ctxt->decode;
1214 unsigned long selector;
1217 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1218 if (rc != X86EMUL_CONTINUE)
1221 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1225 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1226 struct x86_emulate_ops *ops)
1228 struct decode_cache *c = &ctxt->decode;
1229 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1230 int rc = X86EMUL_CONTINUE;
1231 int reg = VCPU_REGS_RAX;
1233 while (reg <= VCPU_REGS_RDI) {
1234 (reg == VCPU_REGS_RSP) ?
1235 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1237 emulate_push(ctxt, ops);
1239 rc = writeback(ctxt, ops);
1240 if (rc != X86EMUL_CONTINUE)
1246 /* Disable writeback. */
1247 c->dst.type = OP_NONE;
1252 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1253 struct x86_emulate_ops *ops)
1255 struct decode_cache *c = &ctxt->decode;
1256 int rc = X86EMUL_CONTINUE;
1257 int reg = VCPU_REGS_RDI;
1259 while (reg >= VCPU_REGS_RAX) {
1260 if (reg == VCPU_REGS_RSP) {
1261 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1266 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1267 if (rc != X86EMUL_CONTINUE)
1274 int emulate_int_real(struct x86_emulate_ctxt *ctxt,
1275 struct x86_emulate_ops *ops, int irq)
1277 struct decode_cache *c = &ctxt->decode;
1285 /* TODO: Add limit checks */
1286 c->src.val = ctxt->eflags;
1287 emulate_push(ctxt, ops);
1288 rc = writeback(ctxt, ops);
1289 if (rc != X86EMUL_CONTINUE)
1292 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1294 c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1295 emulate_push(ctxt, ops);
1296 rc = writeback(ctxt, ops);
1297 if (rc != X86EMUL_CONTINUE)
1300 c->src.val = c->eip;
1301 emulate_push(ctxt, ops);
1302 rc = writeback(ctxt, ops);
1303 if (rc != X86EMUL_CONTINUE)
1306 c->dst.type = OP_NONE;
1308 ops->get_idt(&dt, ctxt->vcpu);
1310 eip_addr = dt.address + (irq << 2);
1311 cs_addr = dt.address + (irq << 2) + 2;
1313 rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &err);
1314 if (rc != X86EMUL_CONTINUE)
1317 rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &err);
1318 if (rc != X86EMUL_CONTINUE)
1321 rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
1322 if (rc != X86EMUL_CONTINUE)
1330 static int emulate_int(struct x86_emulate_ctxt *ctxt,
1331 struct x86_emulate_ops *ops, int irq)
1333 switch(ctxt->mode) {
1334 case X86EMUL_MODE_REAL:
1335 return emulate_int_real(ctxt, ops, irq);
1336 case X86EMUL_MODE_VM86:
1337 case X86EMUL_MODE_PROT16:
1338 case X86EMUL_MODE_PROT32:
1339 case X86EMUL_MODE_PROT64:
1341 /* Protected mode interrupts unimplemented yet */
1342 return X86EMUL_UNHANDLEABLE;
1346 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1347 struct x86_emulate_ops *ops)
1349 struct decode_cache *c = &ctxt->decode;
1350 int rc = X86EMUL_CONTINUE;
1351 unsigned long temp_eip = 0;
1352 unsigned long temp_eflags = 0;
1353 unsigned long cs = 0;
1354 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1355 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1356 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1357 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1359 /* TODO: Add stack limit check */
1361 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1363 if (rc != X86EMUL_CONTINUE)
1366 if (temp_eip & ~0xffff) {
1367 emulate_gp(ctxt, 0);
1368 return X86EMUL_PROPAGATE_FAULT;
1371 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1373 if (rc != X86EMUL_CONTINUE)
1376 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1378 if (rc != X86EMUL_CONTINUE)
1381 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1383 if (rc != X86EMUL_CONTINUE)
1389 if (c->op_bytes == 4)
1390 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1391 else if (c->op_bytes == 2) {
1392 ctxt->eflags &= ~0xffff;
1393 ctxt->eflags |= temp_eflags;
1396 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1397 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1402 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1403 struct x86_emulate_ops* ops)
1405 switch(ctxt->mode) {
1406 case X86EMUL_MODE_REAL:
1407 return emulate_iret_real(ctxt, ops);
1408 case X86EMUL_MODE_VM86:
1409 case X86EMUL_MODE_PROT16:
1410 case X86EMUL_MODE_PROT32:
1411 case X86EMUL_MODE_PROT64:
1413 /* iret from protected mode unimplemented yet */
1414 return X86EMUL_UNHANDLEABLE;
1418 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1419 struct x86_emulate_ops *ops)
1421 struct decode_cache *c = &ctxt->decode;
1423 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1426 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1428 struct decode_cache *c = &ctxt->decode;
1429 switch (c->modrm_reg) {
1431 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1434 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1437 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1440 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1442 case 4: /* sal/shl */
1443 case 6: /* sal/shl */
1444 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1447 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1450 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1455 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1456 struct x86_emulate_ops *ops)
1458 struct decode_cache *c = &ctxt->decode;
1459 unsigned long *rax = &c->regs[VCPU_REGS_RAX];
1460 unsigned long *rdx = &c->regs[VCPU_REGS_RDX];
1462 switch (c->modrm_reg) {
1463 case 0 ... 1: /* test */
1464 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1467 c->dst.val = ~c->dst.val;
1470 emulate_1op("neg", c->dst, ctxt->eflags);
1473 emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
1476 emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
1479 emulate_1op_rax_rdx("div", c->src, *rax, *rdx, ctxt->eflags);
1482 emulate_1op_rax_rdx("idiv", c->src, *rax, *rdx, ctxt->eflags);
1485 return X86EMUL_UNHANDLEABLE;
1487 return X86EMUL_CONTINUE;
1490 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1491 struct x86_emulate_ops *ops)
1493 struct decode_cache *c = &ctxt->decode;
1495 switch (c->modrm_reg) {
1497 emulate_1op("inc", c->dst, ctxt->eflags);
1500 emulate_1op("dec", c->dst, ctxt->eflags);
1502 case 2: /* call near abs */ {
1505 c->eip = c->src.val;
1506 c->src.val = old_eip;
1507 emulate_push(ctxt, ops);
1510 case 4: /* jmp abs */
1511 c->eip = c->src.val;
1514 emulate_push(ctxt, ops);
1517 return X86EMUL_CONTINUE;
1520 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1521 struct x86_emulate_ops *ops)
1523 struct decode_cache *c = &ctxt->decode;
1524 u64 old = c->dst.orig_val64;
1526 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1527 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1528 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1529 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1530 ctxt->eflags &= ~EFLG_ZF;
1532 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1533 (u32) c->regs[VCPU_REGS_RBX];
1535 ctxt->eflags |= EFLG_ZF;
1537 return X86EMUL_CONTINUE;
1540 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1541 struct x86_emulate_ops *ops)
1543 struct decode_cache *c = &ctxt->decode;
1547 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1548 if (rc != X86EMUL_CONTINUE)
1550 if (c->op_bytes == 4)
1551 c->eip = (u32)c->eip;
1552 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1553 if (rc != X86EMUL_CONTINUE)
1555 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1559 static int emulate_load_segment(struct x86_emulate_ctxt *ctxt,
1560 struct x86_emulate_ops *ops, int seg)
1562 struct decode_cache *c = &ctxt->decode;
1566 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
1568 rc = load_segment_descriptor(ctxt, ops, sel, seg);
1569 if (rc != X86EMUL_CONTINUE)
1572 c->dst.val = c->src.val;
1577 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1578 struct x86_emulate_ops *ops, struct desc_struct *cs,
1579 struct desc_struct *ss)
1581 memset(cs, 0, sizeof(struct desc_struct));
1582 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1583 memset(ss, 0, sizeof(struct desc_struct));
1585 cs->l = 0; /* will be adjusted later */
1586 set_desc_base(cs, 0); /* flat segment */
1587 cs->g = 1; /* 4kb granularity */
1588 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1589 cs->type = 0x0b; /* Read, Execute, Accessed */
1591 cs->dpl = 0; /* will be adjusted later */
1595 set_desc_base(ss, 0); /* flat segment */
1596 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1597 ss->g = 1; /* 4kb granularity */
1599 ss->type = 0x03; /* Read/Write, Accessed */
1600 ss->d = 1; /* 32bit stack segment */
1606 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1608 struct decode_cache *c = &ctxt->decode;
1609 struct desc_struct cs, ss;
1613 /* syscall is not available in real mode */
1614 if (ctxt->mode == X86EMUL_MODE_REAL ||
1615 ctxt->mode == X86EMUL_MODE_VM86) {
1617 return X86EMUL_PROPAGATE_FAULT;
1620 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1622 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1624 cs_sel = (u16)(msr_data & 0xfffc);
1625 ss_sel = (u16)(msr_data + 8);
1627 if (is_long_mode(ctxt->vcpu)) {
1631 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1632 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1633 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1634 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1636 c->regs[VCPU_REGS_RCX] = c->eip;
1637 if (is_long_mode(ctxt->vcpu)) {
1638 #ifdef CONFIG_X86_64
1639 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1641 ops->get_msr(ctxt->vcpu,
1642 ctxt->mode == X86EMUL_MODE_PROT64 ?
1643 MSR_LSTAR : MSR_CSTAR, &msr_data);
1646 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1647 ctxt->eflags &= ~(msr_data | EFLG_RF);
1651 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1652 c->eip = (u32)msr_data;
1654 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1657 return X86EMUL_CONTINUE;
1661 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1663 struct decode_cache *c = &ctxt->decode;
1664 struct desc_struct cs, ss;
1668 /* inject #GP if in real mode */
1669 if (ctxt->mode == X86EMUL_MODE_REAL) {
1670 emulate_gp(ctxt, 0);
1671 return X86EMUL_PROPAGATE_FAULT;
1674 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1675 * Therefore, we inject an #UD.
1677 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1679 return X86EMUL_PROPAGATE_FAULT;
1682 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1684 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1685 switch (ctxt->mode) {
1686 case X86EMUL_MODE_PROT32:
1687 if ((msr_data & 0xfffc) == 0x0) {
1688 emulate_gp(ctxt, 0);
1689 return X86EMUL_PROPAGATE_FAULT;
1692 case X86EMUL_MODE_PROT64:
1693 if (msr_data == 0x0) {
1694 emulate_gp(ctxt, 0);
1695 return X86EMUL_PROPAGATE_FAULT;
1700 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1701 cs_sel = (u16)msr_data;
1702 cs_sel &= ~SELECTOR_RPL_MASK;
1703 ss_sel = cs_sel + 8;
1704 ss_sel &= ~SELECTOR_RPL_MASK;
1705 if (ctxt->mode == X86EMUL_MODE_PROT64
1706 || is_long_mode(ctxt->vcpu)) {
1711 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1712 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1713 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1714 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1716 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1719 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1720 c->regs[VCPU_REGS_RSP] = msr_data;
1722 return X86EMUL_CONTINUE;
1726 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1728 struct decode_cache *c = &ctxt->decode;
1729 struct desc_struct cs, ss;
1734 /* inject #GP if in real mode or Virtual 8086 mode */
1735 if (ctxt->mode == X86EMUL_MODE_REAL ||
1736 ctxt->mode == X86EMUL_MODE_VM86) {
1737 emulate_gp(ctxt, 0);
1738 return X86EMUL_PROPAGATE_FAULT;
1741 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1743 if ((c->rex_prefix & 0x8) != 0x0)
1744 usermode = X86EMUL_MODE_PROT64;
1746 usermode = X86EMUL_MODE_PROT32;
1750 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1752 case X86EMUL_MODE_PROT32:
1753 cs_sel = (u16)(msr_data + 16);
1754 if ((msr_data & 0xfffc) == 0x0) {
1755 emulate_gp(ctxt, 0);
1756 return X86EMUL_PROPAGATE_FAULT;
1758 ss_sel = (u16)(msr_data + 24);
1760 case X86EMUL_MODE_PROT64:
1761 cs_sel = (u16)(msr_data + 32);
1762 if (msr_data == 0x0) {
1763 emulate_gp(ctxt, 0);
1764 return X86EMUL_PROPAGATE_FAULT;
1766 ss_sel = cs_sel + 8;
1771 cs_sel |= SELECTOR_RPL_MASK;
1772 ss_sel |= SELECTOR_RPL_MASK;
1774 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1775 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1776 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1777 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1779 c->eip = c->regs[VCPU_REGS_RDX];
1780 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1782 return X86EMUL_CONTINUE;
1785 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1786 struct x86_emulate_ops *ops)
1789 if (ctxt->mode == X86EMUL_MODE_REAL)
1791 if (ctxt->mode == X86EMUL_MODE_VM86)
1793 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1794 return ops->cpl(ctxt->vcpu) > iopl;
1797 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1798 struct x86_emulate_ops *ops,
1801 struct desc_struct tr_seg;
1804 u8 perm, bit_idx = port & 0x7;
1805 unsigned mask = (1 << len) - 1;
1807 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1810 if (desc_limit_scaled(&tr_seg) < 103)
1812 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1814 if (r != X86EMUL_CONTINUE)
1816 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1818 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1819 &perm, 1, ctxt->vcpu, NULL);
1820 if (r != X86EMUL_CONTINUE)
1822 if ((perm >> bit_idx) & mask)
1827 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1828 struct x86_emulate_ops *ops,
1834 if (emulator_bad_iopl(ctxt, ops))
1835 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1838 ctxt->perm_ok = true;
1843 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1844 struct x86_emulate_ops *ops,
1845 struct tss_segment_16 *tss)
1847 struct decode_cache *c = &ctxt->decode;
1850 tss->flag = ctxt->eflags;
1851 tss->ax = c->regs[VCPU_REGS_RAX];
1852 tss->cx = c->regs[VCPU_REGS_RCX];
1853 tss->dx = c->regs[VCPU_REGS_RDX];
1854 tss->bx = c->regs[VCPU_REGS_RBX];
1855 tss->sp = c->regs[VCPU_REGS_RSP];
1856 tss->bp = c->regs[VCPU_REGS_RBP];
1857 tss->si = c->regs[VCPU_REGS_RSI];
1858 tss->di = c->regs[VCPU_REGS_RDI];
1860 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1861 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1862 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1863 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1864 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1867 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1868 struct x86_emulate_ops *ops,
1869 struct tss_segment_16 *tss)
1871 struct decode_cache *c = &ctxt->decode;
1875 ctxt->eflags = tss->flag | 2;
1876 c->regs[VCPU_REGS_RAX] = tss->ax;
1877 c->regs[VCPU_REGS_RCX] = tss->cx;
1878 c->regs[VCPU_REGS_RDX] = tss->dx;
1879 c->regs[VCPU_REGS_RBX] = tss->bx;
1880 c->regs[VCPU_REGS_RSP] = tss->sp;
1881 c->regs[VCPU_REGS_RBP] = tss->bp;
1882 c->regs[VCPU_REGS_RSI] = tss->si;
1883 c->regs[VCPU_REGS_RDI] = tss->di;
1886 * SDM says that segment selectors are loaded before segment
1889 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1890 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1891 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1892 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1893 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1896 * Now load segment descriptors. If fault happenes at this stage
1897 * it is handled in a context of new task
1899 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1900 if (ret != X86EMUL_CONTINUE)
1902 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1903 if (ret != X86EMUL_CONTINUE)
1905 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1906 if (ret != X86EMUL_CONTINUE)
1908 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1909 if (ret != X86EMUL_CONTINUE)
1911 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1912 if (ret != X86EMUL_CONTINUE)
1915 return X86EMUL_CONTINUE;
1918 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1919 struct x86_emulate_ops *ops,
1920 u16 tss_selector, u16 old_tss_sel,
1921 ulong old_tss_base, struct desc_struct *new_desc)
1923 struct tss_segment_16 tss_seg;
1925 u32 err, new_tss_base = get_desc_base(new_desc);
1927 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1929 if (ret == X86EMUL_PROPAGATE_FAULT) {
1930 /* FIXME: need to provide precise fault address */
1931 emulate_pf(ctxt, old_tss_base, err);
1935 save_state_to_tss16(ctxt, ops, &tss_seg);
1937 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1939 if (ret == X86EMUL_PROPAGATE_FAULT) {
1940 /* FIXME: need to provide precise fault address */
1941 emulate_pf(ctxt, old_tss_base, err);
1945 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1947 if (ret == X86EMUL_PROPAGATE_FAULT) {
1948 /* FIXME: need to provide precise fault address */
1949 emulate_pf(ctxt, new_tss_base, err);
1953 if (old_tss_sel != 0xffff) {
1954 tss_seg.prev_task_link = old_tss_sel;
1956 ret = ops->write_std(new_tss_base,
1957 &tss_seg.prev_task_link,
1958 sizeof tss_seg.prev_task_link,
1960 if (ret == X86EMUL_PROPAGATE_FAULT) {
1961 /* FIXME: need to provide precise fault address */
1962 emulate_pf(ctxt, new_tss_base, err);
1967 return load_state_from_tss16(ctxt, ops, &tss_seg);
1970 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1971 struct x86_emulate_ops *ops,
1972 struct tss_segment_32 *tss)
1974 struct decode_cache *c = &ctxt->decode;
1976 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
1978 tss->eflags = ctxt->eflags;
1979 tss->eax = c->regs[VCPU_REGS_RAX];
1980 tss->ecx = c->regs[VCPU_REGS_RCX];
1981 tss->edx = c->regs[VCPU_REGS_RDX];
1982 tss->ebx = c->regs[VCPU_REGS_RBX];
1983 tss->esp = c->regs[VCPU_REGS_RSP];
1984 tss->ebp = c->regs[VCPU_REGS_RBP];
1985 tss->esi = c->regs[VCPU_REGS_RSI];
1986 tss->edi = c->regs[VCPU_REGS_RDI];
1988 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1989 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1990 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1991 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1992 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
1993 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
1994 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1997 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1998 struct x86_emulate_ops *ops,
1999 struct tss_segment_32 *tss)
2001 struct decode_cache *c = &ctxt->decode;
2004 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2005 emulate_gp(ctxt, 0);
2006 return X86EMUL_PROPAGATE_FAULT;
2009 ctxt->eflags = tss->eflags | 2;
2010 c->regs[VCPU_REGS_RAX] = tss->eax;
2011 c->regs[VCPU_REGS_RCX] = tss->ecx;
2012 c->regs[VCPU_REGS_RDX] = tss->edx;
2013 c->regs[VCPU_REGS_RBX] = tss->ebx;
2014 c->regs[VCPU_REGS_RSP] = tss->esp;
2015 c->regs[VCPU_REGS_RBP] = tss->ebp;
2016 c->regs[VCPU_REGS_RSI] = tss->esi;
2017 c->regs[VCPU_REGS_RDI] = tss->edi;
2020 * SDM says that segment selectors are loaded before segment
2023 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2024 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2025 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2026 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2027 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2028 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2029 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2032 * Now load segment descriptors. If fault happenes at this stage
2033 * it is handled in a context of new task
2035 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2036 if (ret != X86EMUL_CONTINUE)
2038 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2039 if (ret != X86EMUL_CONTINUE)
2041 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2042 if (ret != X86EMUL_CONTINUE)
2044 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2045 if (ret != X86EMUL_CONTINUE)
2047 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2048 if (ret != X86EMUL_CONTINUE)
2050 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2051 if (ret != X86EMUL_CONTINUE)
2053 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2054 if (ret != X86EMUL_CONTINUE)
2057 return X86EMUL_CONTINUE;
2060 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2061 struct x86_emulate_ops *ops,
2062 u16 tss_selector, u16 old_tss_sel,
2063 ulong old_tss_base, struct desc_struct *new_desc)
2065 struct tss_segment_32 tss_seg;
2067 u32 err, new_tss_base = get_desc_base(new_desc);
2069 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2071 if (ret == X86EMUL_PROPAGATE_FAULT) {
2072 /* FIXME: need to provide precise fault address */
2073 emulate_pf(ctxt, old_tss_base, err);
2077 save_state_to_tss32(ctxt, ops, &tss_seg);
2079 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2081 if (ret == X86EMUL_PROPAGATE_FAULT) {
2082 /* FIXME: need to provide precise fault address */
2083 emulate_pf(ctxt, old_tss_base, err);
2087 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2089 if (ret == X86EMUL_PROPAGATE_FAULT) {
2090 /* FIXME: need to provide precise fault address */
2091 emulate_pf(ctxt, new_tss_base, err);
2095 if (old_tss_sel != 0xffff) {
2096 tss_seg.prev_task_link = old_tss_sel;
2098 ret = ops->write_std(new_tss_base,
2099 &tss_seg.prev_task_link,
2100 sizeof tss_seg.prev_task_link,
2102 if (ret == X86EMUL_PROPAGATE_FAULT) {
2103 /* FIXME: need to provide precise fault address */
2104 emulate_pf(ctxt, new_tss_base, err);
2109 return load_state_from_tss32(ctxt, ops, &tss_seg);
2112 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2113 struct x86_emulate_ops *ops,
2114 u16 tss_selector, int reason,
2115 bool has_error_code, u32 error_code)
2117 struct desc_struct curr_tss_desc, next_tss_desc;
2119 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2120 ulong old_tss_base =
2121 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2124 /* FIXME: old_tss_base == ~0 ? */
2126 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2127 if (ret != X86EMUL_CONTINUE)
2129 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2130 if (ret != X86EMUL_CONTINUE)
2133 /* FIXME: check that next_tss_desc is tss */
2135 if (reason != TASK_SWITCH_IRET) {
2136 if ((tss_selector & 3) > next_tss_desc.dpl ||
2137 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2138 emulate_gp(ctxt, 0);
2139 return X86EMUL_PROPAGATE_FAULT;
2143 desc_limit = desc_limit_scaled(&next_tss_desc);
2144 if (!next_tss_desc.p ||
2145 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2146 desc_limit < 0x2b)) {
2147 emulate_ts(ctxt, tss_selector & 0xfffc);
2148 return X86EMUL_PROPAGATE_FAULT;
2151 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2152 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2153 write_segment_descriptor(ctxt, ops, old_tss_sel,
2157 if (reason == TASK_SWITCH_IRET)
2158 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2160 /* set back link to prev task only if NT bit is set in eflags
2161 note that old_tss_sel is not used afetr this point */
2162 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2163 old_tss_sel = 0xffff;
2165 if (next_tss_desc.type & 8)
2166 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2167 old_tss_base, &next_tss_desc);
2169 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2170 old_tss_base, &next_tss_desc);
2171 if (ret != X86EMUL_CONTINUE)
2174 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2175 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2177 if (reason != TASK_SWITCH_IRET) {
2178 next_tss_desc.type |= (1 << 1); /* set busy flag */
2179 write_segment_descriptor(ctxt, ops, tss_selector,
2183 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2184 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2185 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2187 if (has_error_code) {
2188 struct decode_cache *c = &ctxt->decode;
2190 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2192 c->src.val = (unsigned long) error_code;
2193 emulate_push(ctxt, ops);
2199 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2200 u16 tss_selector, int reason,
2201 bool has_error_code, u32 error_code)
2203 struct x86_emulate_ops *ops = ctxt->ops;
2204 struct decode_cache *c = &ctxt->decode;
2208 c->dst.type = OP_NONE;
2210 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2211 has_error_code, error_code);
2213 if (rc == X86EMUL_CONTINUE) {
2214 rc = writeback(ctxt, ops);
2215 if (rc == X86EMUL_CONTINUE)
2219 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2222 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2223 int reg, struct operand *op)
2225 struct decode_cache *c = &ctxt->decode;
2226 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2228 register_address_increment(c, &c->regs[reg], df * op->bytes);
2229 op->addr.mem = register_address(c, base, c->regs[reg]);
2232 static int em_push(struct x86_emulate_ctxt *ctxt)
2234 emulate_push(ctxt, ctxt->ops);
2235 return X86EMUL_CONTINUE;
2238 static int em_das(struct x86_emulate_ctxt *ctxt)
2240 struct decode_cache *c = &ctxt->decode;
2242 bool af, cf, old_cf;
2244 cf = ctxt->eflags & X86_EFLAGS_CF;
2250 af = ctxt->eflags & X86_EFLAGS_AF;
2251 if ((al & 0x0f) > 9 || af) {
2253 cf = old_cf | (al >= 250);
2258 if (old_al > 0x99 || old_cf) {
2264 /* Set PF, ZF, SF */
2265 c->src.type = OP_IMM;
2268 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2269 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2271 ctxt->eflags |= X86_EFLAGS_CF;
2273 ctxt->eflags |= X86_EFLAGS_AF;
2274 return X86EMUL_CONTINUE;
2277 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2279 struct decode_cache *c = &ctxt->decode;
2284 old_cs = ctxt->ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2287 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2288 if (load_segment_descriptor(ctxt, ctxt->ops, sel, VCPU_SREG_CS))
2289 return X86EMUL_CONTINUE;
2292 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2294 c->src.val = old_cs;
2295 emulate_push(ctxt, ctxt->ops);
2296 rc = writeback(ctxt, ctxt->ops);
2297 if (rc != X86EMUL_CONTINUE)
2300 c->src.val = old_eip;
2301 emulate_push(ctxt, ctxt->ops);
2302 rc = writeback(ctxt, ctxt->ops);
2303 if (rc != X86EMUL_CONTINUE)
2306 c->dst.type = OP_NONE;
2308 return X86EMUL_CONTINUE;
2311 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2313 struct decode_cache *c = &ctxt->decode;
2316 c->dst.type = OP_REG;
2317 c->dst.addr.reg = &c->eip;
2318 c->dst.bytes = c->op_bytes;
2319 rc = emulate_pop(ctxt, ctxt->ops, &c->dst.val, c->op_bytes);
2320 if (rc != X86EMUL_CONTINUE)
2322 register_address_increment(c, &c->regs[VCPU_REGS_RSP], c->src.val);
2323 return X86EMUL_CONTINUE;
2326 static int em_imul(struct x86_emulate_ctxt *ctxt)
2328 struct decode_cache *c = &ctxt->decode;
2330 emulate_2op_SrcV_nobyte("imul", c->src, c->dst, ctxt->eflags);
2331 return X86EMUL_CONTINUE;
2334 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2336 struct decode_cache *c = &ctxt->decode;
2338 c->dst.val = c->src2.val;
2339 return em_imul(ctxt);
2342 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2344 struct decode_cache *c = &ctxt->decode;
2346 c->dst.type = OP_REG;
2347 c->dst.bytes = c->src.bytes;
2348 c->dst.addr.reg = &c->regs[VCPU_REGS_RDX];
2349 c->dst.val = ~((c->src.val >> (c->src.bytes * 8 - 1)) - 1);
2351 return X86EMUL_CONTINUE;
2354 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2356 unsigned cpl = ctxt->ops->cpl(ctxt->vcpu);
2357 struct decode_cache *c = &ctxt->decode;
2360 if (cpl > 0 && (ctxt->ops->get_cr(4, ctxt->vcpu) & X86_CR4_TSD)) {
2361 emulate_gp(ctxt, 0);
2362 return X86EMUL_PROPAGATE_FAULT;
2364 ctxt->ops->get_msr(ctxt->vcpu, MSR_IA32_TSC, &tsc);
2365 c->regs[VCPU_REGS_RAX] = (u32)tsc;
2366 c->regs[VCPU_REGS_RDX] = tsc >> 32;
2367 return X86EMUL_CONTINUE;
2370 #define D(_y) { .flags = (_y) }
2372 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2373 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2374 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2376 #define D2bv(_f) D((_f) | ByteOp), D(_f)
2377 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
2379 static struct opcode group1[] = {
2383 static struct opcode group1A[] = {
2384 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2387 static struct opcode group3[] = {
2388 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2389 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2390 X4(D(SrcMem | ModRM)),
2393 static struct opcode group4[] = {
2394 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2398 static struct opcode group5[] = {
2399 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2400 D(SrcMem | ModRM | Stack),
2401 I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
2402 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2403 D(SrcMem | ModRM | Stack), N,
2406 static struct group_dual group7 = { {
2407 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2408 D(SrcNone | ModRM | DstMem | Mov), N,
2409 D(SrcMem16 | ModRM | Mov | Priv),
2410 D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
2412 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
2413 D(SrcNone | ModRM | DstMem | Mov), N,
2414 D(SrcMem16 | ModRM | Mov | Priv), N,
2417 static struct opcode group8[] = {
2419 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2420 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2423 static struct group_dual group9 = { {
2424 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2426 N, N, N, N, N, N, N, N,
2429 static struct opcode opcode_table[256] = {
2431 D2bv(DstMem | SrcReg | ModRM | Lock), D2bv(DstReg | SrcMem | ModRM),
2432 D2bv(DstAcc | SrcImm),
2433 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2435 D2bv(DstMem | SrcReg | ModRM | Lock), D2bv(DstReg | SrcMem | ModRM),
2436 D2bv(DstAcc | SrcImm),
2437 D(ImplicitOps | Stack | No64), N,
2439 D2bv(DstMem | SrcReg | ModRM | Lock), D2bv(DstReg | SrcMem | ModRM),
2440 D2bv(DstAcc | SrcImm),
2441 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2443 D2bv(DstMem | SrcReg | ModRM | Lock), D2bv(DstReg | SrcMem | ModRM),
2444 D2bv(DstAcc | SrcImm),
2445 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2447 D2bv(DstMem | SrcReg | ModRM | Lock), D2bv(DstReg | SrcMem | ModRM),
2448 D2bv(DstAcc | SrcImm), N, N,
2450 D2bv(DstMem | SrcReg | ModRM | Lock), D2bv(DstReg | SrcMem | ModRM),
2451 D2bv(DstAcc | SrcImm),
2452 N, I(ByteOp | DstAcc | No64, em_das),
2454 D2bv(DstMem | SrcReg | ModRM | Lock), D2bv(DstReg | SrcMem | ModRM),
2455 D2bv(DstAcc | SrcImm), N, N,
2457 D2bv(DstMem | SrcReg | ModRM), D2bv(DstReg | SrcMem | ModRM),
2458 D2bv(DstAcc | SrcImm),
2463 X8(I(SrcReg | Stack, em_push)),
2465 X8(D(DstReg | Stack)),
2467 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2468 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2471 I(SrcImm | Mov | Stack, em_push),
2472 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
2473 I(SrcImmByte | Mov | Stack, em_push),
2474 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
2475 D2bv(DstDI | Mov | String), /* insb, insw/insd */
2476 D2bv(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2480 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2481 G(DstMem | SrcImm | ModRM | Group, group1),
2482 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2483 G(DstMem | SrcImmByte | ModRM | Group, group1),
2484 D2bv(DstMem | SrcReg | ModRM), D2bv(DstMem | SrcReg | ModRM | Lock),
2486 D2bv(DstMem | SrcReg | ModRM | Mov),
2487 D2bv(DstReg | SrcMem | ModRM | Mov),
2488 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2489 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2491 X8(D(SrcAcc | DstReg)),
2493 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
2494 I(SrcImmFAddr | No64, em_call_far), N,
2495 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2497 D2bv(DstAcc | SrcMem | Mov | MemAbs),
2498 D2bv(DstMem | SrcAcc | Mov | MemAbs),
2499 D2bv(SrcSI | DstDI | Mov | String), D2bv(SrcSI | DstDI | String),
2501 D2bv(DstAcc | SrcImm),
2502 D2bv(SrcAcc | DstDI | Mov | String),
2503 D2bv(SrcSI | DstAcc | Mov | String),
2504 D2bv(SrcAcc | DstDI | String),
2506 X8(D(ByteOp | DstReg | SrcImm | Mov)),
2508 X8(D(DstReg | SrcImm | Mov)),
2510 D2bv(DstMem | SrcImmByte | ModRM),
2511 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
2512 D(ImplicitOps | Stack),
2513 D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr | ModRM | No64),
2514 D2bv(DstMem | SrcImm | ModRM | Mov),
2516 N, N, N, D(ImplicitOps | Stack),
2517 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2519 D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
2522 N, N, N, N, N, N, N, N,
2525 D2bv(SrcImmUByte | DstAcc), D2bv(SrcAcc | DstImmUByte),
2527 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2528 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2529 D2bv(SrcNone | DstAcc), D2bv(SrcAcc | ImplicitOps),
2532 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2534 D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
2535 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2538 static struct opcode twobyte_table[256] = {
2540 N, GD(0, &group7), N, N,
2541 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
2542 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
2543 N, D(ImplicitOps | ModRM), N, N,
2545 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2547 D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
2548 D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
2550 N, N, N, N, N, N, N, N,
2552 D(ImplicitOps | Priv), I(ImplicitOps, em_rdtsc),
2553 D(ImplicitOps | Priv), N,
2554 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
2555 N, N, N, N, N, N, N, N,
2557 X16(D(DstReg | SrcMem | ModRM | Mov)),
2559 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2561 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2563 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2567 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
2569 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2570 N, D(DstMem | SrcReg | ModRM | BitOp),
2571 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2572 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2574 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2575 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2576 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2577 D(DstMem | SrcReg | Src2CL | ModRM),
2578 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
2580 D2bv(DstMem | SrcReg | ModRM | Lock),
2581 D(DstReg | SrcMemFAddr | ModRM), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2582 D(DstReg | SrcMemFAddr | ModRM), D(DstReg | SrcMemFAddr | ModRM),
2583 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2586 G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2587 D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2588 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2590 D2bv(DstMem | SrcReg | ModRM | Lock),
2591 N, D(DstMem | SrcReg | ModRM | Mov),
2592 N, N, N, GD(0, &group9),
2593 N, N, N, N, N, N, N, N,
2595 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2597 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2599 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2611 static unsigned imm_size(struct decode_cache *c)
2615 size = (c->d & ByteOp) ? 1 : c->op_bytes;
2621 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
2622 unsigned size, bool sign_extension)
2624 struct decode_cache *c = &ctxt->decode;
2625 struct x86_emulate_ops *ops = ctxt->ops;
2626 int rc = X86EMUL_CONTINUE;
2630 op->addr.mem = c->eip;
2631 /* NB. Immediates are sign-extended as necessary. */
2632 switch (op->bytes) {
2634 op->val = insn_fetch(s8, 1, c->eip);
2637 op->val = insn_fetch(s16, 2, c->eip);
2640 op->val = insn_fetch(s32, 4, c->eip);
2643 if (!sign_extension) {
2644 switch (op->bytes) {
2652 op->val &= 0xffffffff;
2661 x86_decode_insn(struct x86_emulate_ctxt *ctxt)
2663 struct x86_emulate_ops *ops = ctxt->ops;
2664 struct decode_cache *c = &ctxt->decode;
2665 int rc = X86EMUL_CONTINUE;
2666 int mode = ctxt->mode;
2667 int def_op_bytes, def_ad_bytes, dual, goffset;
2668 struct opcode opcode, *g_mod012, *g_mod3;
2669 struct operand memop = { .type = OP_NONE };
2672 c->fetch.start = c->fetch.end = c->eip;
2673 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2676 case X86EMUL_MODE_REAL:
2677 case X86EMUL_MODE_VM86:
2678 case X86EMUL_MODE_PROT16:
2679 def_op_bytes = def_ad_bytes = 2;
2681 case X86EMUL_MODE_PROT32:
2682 def_op_bytes = def_ad_bytes = 4;
2684 #ifdef CONFIG_X86_64
2685 case X86EMUL_MODE_PROT64:
2694 c->op_bytes = def_op_bytes;
2695 c->ad_bytes = def_ad_bytes;
2697 /* Legacy prefixes. */
2699 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2700 case 0x66: /* operand-size override */
2701 /* switch between 2/4 bytes */
2702 c->op_bytes = def_op_bytes ^ 6;
2704 case 0x67: /* address-size override */
2705 if (mode == X86EMUL_MODE_PROT64)
2706 /* switch between 4/8 bytes */
2707 c->ad_bytes = def_ad_bytes ^ 12;
2709 /* switch between 2/4 bytes */
2710 c->ad_bytes = def_ad_bytes ^ 6;
2712 case 0x26: /* ES override */
2713 case 0x2e: /* CS override */
2714 case 0x36: /* SS override */
2715 case 0x3e: /* DS override */
2716 set_seg_override(c, (c->b >> 3) & 3);
2718 case 0x64: /* FS override */
2719 case 0x65: /* GS override */
2720 set_seg_override(c, c->b & 7);
2722 case 0x40 ... 0x4f: /* REX */
2723 if (mode != X86EMUL_MODE_PROT64)
2725 c->rex_prefix = c->b;
2727 case 0xf0: /* LOCK */
2730 case 0xf2: /* REPNE/REPNZ */
2731 c->rep_prefix = REPNE_PREFIX;
2733 case 0xf3: /* REP/REPE/REPZ */
2734 c->rep_prefix = REPE_PREFIX;
2740 /* Any legacy prefix after a REX prefix nullifies its effect. */
2748 if (c->rex_prefix & 8)
2749 c->op_bytes = 8; /* REX.W */
2751 /* Opcode byte(s). */
2752 opcode = opcode_table[c->b];
2753 /* Two-byte opcode? */
2756 c->b = insn_fetch(u8, 1, c->eip);
2757 opcode = twobyte_table[c->b];
2759 c->d = opcode.flags;
2762 dual = c->d & GroupDual;
2763 c->modrm = insn_fetch(u8, 1, c->eip);
2766 if (c->d & GroupDual) {
2767 g_mod012 = opcode.u.gdual->mod012;
2768 g_mod3 = opcode.u.gdual->mod3;
2770 g_mod012 = g_mod3 = opcode.u.group;
2772 c->d &= ~(Group | GroupDual);
2774 goffset = (c->modrm >> 3) & 7;
2776 if ((c->modrm >> 6) == 3)
2777 opcode = g_mod3[goffset];
2779 opcode = g_mod012[goffset];
2780 c->d |= opcode.flags;
2783 c->execute = opcode.u.execute;
2786 if (c->d == 0 || (c->d & Undefined)) {
2787 DPRINTF("Cannot emulate %02x\n", c->b);
2791 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2794 if (c->d & Op3264) {
2795 if (mode == X86EMUL_MODE_PROT64)
2801 /* ModRM and SIB bytes. */
2803 rc = decode_modrm(ctxt, ops, &memop);
2804 if (!c->has_seg_override)
2805 set_seg_override(c, c->modrm_seg);
2806 } else if (c->d & MemAbs)
2807 rc = decode_abs(ctxt, ops, &memop);
2808 if (rc != X86EMUL_CONTINUE)
2811 if (!c->has_seg_override)
2812 set_seg_override(c, VCPU_SREG_DS);
2814 if (memop.type == OP_MEM && !(!c->twobyte && c->b == 0x8d))
2815 memop.addr.mem += seg_override_base(ctxt, ops, c);
2817 if (memop.type == OP_MEM && c->ad_bytes != 8)
2818 memop.addr.mem = (u32)memop.addr.mem;
2820 if (memop.type == OP_MEM && c->rip_relative)
2821 memop.addr.mem += c->eip;
2824 * Decode and fetch the source operand: register, memory
2827 switch (c->d & SrcMask) {
2831 decode_register_operand(&c->src, c, 0);
2840 memop.bytes = (c->d & ByteOp) ? 1 :
2846 rc = decode_imm(ctxt, &c->src, 2, false);
2849 rc = decode_imm(ctxt, &c->src, imm_size(c), true);
2852 rc = decode_imm(ctxt, &c->src, imm_size(c), false);
2855 rc = decode_imm(ctxt, &c->src, 1, true);
2858 rc = decode_imm(ctxt, &c->src, 1, false);
2861 c->src.type = OP_REG;
2862 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2863 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2864 fetch_register_operand(&c->src);
2871 c->src.type = OP_MEM;
2872 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2874 register_address(c, seg_override_base(ctxt, ops, c),
2875 c->regs[VCPU_REGS_RSI]);
2879 c->src.type = OP_IMM;
2880 c->src.addr.mem = c->eip;
2881 c->src.bytes = c->op_bytes + 2;
2882 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2885 memop.bytes = c->op_bytes + 2;
2890 if (rc != X86EMUL_CONTINUE)
2894 * Decode and fetch the second source operand: register, memory
2897 switch (c->d & Src2Mask) {
2902 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2905 rc = decode_imm(ctxt, &c->src2, 1, true);
2912 rc = decode_imm(ctxt, &c->src2, imm_size(c), true);
2916 if (rc != X86EMUL_CONTINUE)
2919 /* Decode and fetch the destination operand: register or memory. */
2920 switch (c->d & DstMask) {
2922 decode_register_operand(&c->dst, c,
2923 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2926 c->dst.type = OP_IMM;
2927 c->dst.addr.mem = c->eip;
2929 c->dst.val = insn_fetch(u8, 1, c->eip);
2934 if ((c->d & DstMask) == DstMem64)
2937 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2939 fetch_bit_operand(c);
2940 c->dst.orig_val = c->dst.val;
2943 c->dst.type = OP_REG;
2944 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2945 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
2946 fetch_register_operand(&c->dst);
2947 c->dst.orig_val = c->dst.val;
2950 c->dst.type = OP_MEM;
2951 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2953 register_address(c, es_base(ctxt, ops),
2954 c->regs[VCPU_REGS_RDI]);
2958 /* Special instructions do their own operand decoding. */
2960 c->dst.type = OP_NONE; /* Disable writeback. */
2965 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2968 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
2970 struct decode_cache *c = &ctxt->decode;
2972 /* The second termination condition only applies for REPE
2973 * and REPNE. Test if the repeat string operation prefix is
2974 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2975 * corresponding termination condition according to:
2976 * - if REPE/REPZ and ZF = 0 then done
2977 * - if REPNE/REPNZ and ZF = 1 then done
2979 if (((c->b == 0xa6) || (c->b == 0xa7) ||
2980 (c->b == 0xae) || (c->b == 0xaf))
2981 && (((c->rep_prefix == REPE_PREFIX) &&
2982 ((ctxt->eflags & EFLG_ZF) == 0))
2983 || ((c->rep_prefix == REPNE_PREFIX) &&
2984 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
2991 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2993 struct x86_emulate_ops *ops = ctxt->ops;
2995 struct decode_cache *c = &ctxt->decode;
2996 int rc = X86EMUL_CONTINUE;
2997 int saved_dst_type = c->dst.type;
2998 int irq; /* Used for int 3, int, and into */
3000 ctxt->decode.mem_read.pos = 0;
3002 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
3007 /* LOCK prefix is allowed only with some instructions */
3008 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
3013 if ((c->d & SrcMask) == SrcMemFAddr && c->src.type != OP_MEM) {
3018 /* Privileged instruction can be executed only in CPL=0 */
3019 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
3020 emulate_gp(ctxt, 0);
3024 if (c->rep_prefix && (c->d & String)) {
3025 /* All REP prefixes have the same first termination condition */
3026 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
3032 if ((c->src.type == OP_MEM) && !(c->d & NoAccess)) {
3033 rc = read_emulated(ctxt, ops, c->src.addr.mem,
3034 c->src.valptr, c->src.bytes);
3035 if (rc != X86EMUL_CONTINUE)
3037 c->src.orig_val64 = c->src.val64;
3040 if (c->src2.type == OP_MEM) {
3041 rc = read_emulated(ctxt, ops, c->src2.addr.mem,
3042 &c->src2.val, c->src2.bytes);
3043 if (rc != X86EMUL_CONTINUE)
3047 if ((c->d & DstMask) == ImplicitOps)
3051 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
3052 /* optimisation - avoid slow emulated read if Mov */
3053 rc = read_emulated(ctxt, ops, c->dst.addr.mem,
3054 &c->dst.val, c->dst.bytes);
3055 if (rc != X86EMUL_CONTINUE)
3058 c->dst.orig_val = c->dst.val;
3063 rc = c->execute(ctxt);
3064 if (rc != X86EMUL_CONTINUE)
3075 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3077 case 0x06: /* push es */
3078 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
3080 case 0x07: /* pop es */
3081 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
3082 if (rc != X86EMUL_CONTINUE)
3087 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
3089 case 0x0e: /* push cs */
3090 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
3094 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
3096 case 0x16: /* push ss */
3097 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
3099 case 0x17: /* pop ss */
3100 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
3101 if (rc != X86EMUL_CONTINUE)
3106 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
3108 case 0x1e: /* push ds */
3109 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
3111 case 0x1f: /* pop ds */
3112 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
3113 if (rc != X86EMUL_CONTINUE)
3118 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
3122 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
3126 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
3130 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3132 case 0x40 ... 0x47: /* inc r16/r32 */
3133 emulate_1op("inc", c->dst, ctxt->eflags);
3135 case 0x48 ... 0x4f: /* dec r16/r32 */
3136 emulate_1op("dec", c->dst, ctxt->eflags);
3138 case 0x58 ... 0x5f: /* pop reg */
3140 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
3141 if (rc != X86EMUL_CONTINUE)
3144 case 0x60: /* pusha */
3145 rc = emulate_pusha(ctxt, ops);
3146 if (rc != X86EMUL_CONTINUE)
3149 case 0x61: /* popa */
3150 rc = emulate_popa(ctxt, ops);
3151 if (rc != X86EMUL_CONTINUE)
3154 case 0x63: /* movsxd */
3155 if (ctxt->mode != X86EMUL_MODE_PROT64)
3156 goto cannot_emulate;
3157 c->dst.val = (s32) c->src.val;
3159 case 0x6c: /* insb */
3160 case 0x6d: /* insw/insd */
3161 c->src.val = c->regs[VCPU_REGS_RDX];
3163 case 0x6e: /* outsb */
3164 case 0x6f: /* outsw/outsd */
3165 c->dst.val = c->regs[VCPU_REGS_RDX];
3168 case 0x70 ... 0x7f: /* jcc (short) */
3169 if (test_cc(c->b, ctxt->eflags))
3170 jmp_rel(c, c->src.val);
3172 case 0x80 ... 0x83: /* Grp1 */
3173 switch (c->modrm_reg) {
3194 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
3196 case 0x86 ... 0x87: /* xchg */
3198 /* Write back the register source. */
3199 c->src.val = c->dst.val;
3200 write_register_operand(&c->src);
3202 * Write back the memory destination with implicit LOCK
3205 c->dst.val = c->src.orig_val;
3208 case 0x88 ... 0x8b: /* mov */
3210 case 0x8c: /* mov r/m, sreg */
3211 if (c->modrm_reg > VCPU_SREG_GS) {
3215 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
3217 case 0x8d: /* lea r16/r32, m */
3218 c->dst.val = c->src.addr.mem;
3220 case 0x8e: { /* mov seg, r/m16 */
3225 if (c->modrm_reg == VCPU_SREG_CS ||
3226 c->modrm_reg > VCPU_SREG_GS) {
3231 if (c->modrm_reg == VCPU_SREG_SS)
3232 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3234 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
3236 c->dst.type = OP_NONE; /* Disable writeback. */
3239 case 0x8f: /* pop (sole member of Grp1a) */
3240 rc = emulate_grp1a(ctxt, ops);
3241 if (rc != X86EMUL_CONTINUE)
3244 case 0x90 ... 0x97: /* nop / xchg reg, rax */
3245 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
3248 case 0x98: /* cbw/cwde/cdqe */
3249 switch (c->op_bytes) {
3250 case 2: c->dst.val = (s8)c->dst.val; break;
3251 case 4: c->dst.val = (s16)c->dst.val; break;
3252 case 8: c->dst.val = (s32)c->dst.val; break;
3255 case 0x9c: /* pushf */
3256 c->src.val = (unsigned long) ctxt->eflags;
3257 emulate_push(ctxt, ops);
3259 case 0x9d: /* popf */
3260 c->dst.type = OP_REG;
3261 c->dst.addr.reg = &ctxt->eflags;
3262 c->dst.bytes = c->op_bytes;
3263 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
3264 if (rc != X86EMUL_CONTINUE)
3267 case 0xa0 ... 0xa3: /* mov */
3268 case 0xa4 ... 0xa5: /* movs */
3270 case 0xa6 ... 0xa7: /* cmps */
3271 c->dst.type = OP_NONE; /* Disable writeback. */
3272 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
3274 case 0xa8 ... 0xa9: /* test ax, imm */
3276 case 0xaa ... 0xab: /* stos */
3277 case 0xac ... 0xad: /* lods */
3279 case 0xae ... 0xaf: /* scas */
3281 case 0xb0 ... 0xbf: /* mov r, imm */
3286 case 0xc3: /* ret */
3287 c->dst.type = OP_REG;
3288 c->dst.addr.reg = &c->eip;
3289 c->dst.bytes = c->op_bytes;
3290 goto pop_instruction;
3291 case 0xc4: /* les */
3292 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_ES);
3293 if (rc != X86EMUL_CONTINUE)
3296 case 0xc5: /* lds */
3297 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
3298 if (rc != X86EMUL_CONTINUE)
3301 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
3303 c->dst.val = c->src.val;
3305 case 0xcb: /* ret far */
3306 rc = emulate_ret_far(ctxt, ops);
3307 if (rc != X86EMUL_CONTINUE)
3310 case 0xcc: /* int3 */
3313 case 0xcd: /* int n */
3316 rc = emulate_int(ctxt, ops, irq);
3317 if (rc != X86EMUL_CONTINUE)
3320 case 0xce: /* into */
3321 if (ctxt->eflags & EFLG_OF) {
3326 case 0xcf: /* iret */
3327 rc = emulate_iret(ctxt, ops);
3329 if (rc != X86EMUL_CONTINUE)
3332 case 0xd0 ... 0xd1: /* Grp2 */
3335 case 0xd2 ... 0xd3: /* Grp2 */
3336 c->src.val = c->regs[VCPU_REGS_RCX];
3339 case 0xe0 ... 0xe2: /* loop/loopz/loopnz */
3340 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3341 if (address_mask(c, c->regs[VCPU_REGS_RCX]) != 0 &&
3342 (c->b == 0xe2 || test_cc(c->b ^ 0x5, ctxt->eflags)))
3343 jmp_rel(c, c->src.val);
3345 case 0xe3: /* jcxz/jecxz/jrcxz */
3346 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0)
3347 jmp_rel(c, c->src.val);
3349 case 0xe4: /* inb */
3352 case 0xe6: /* outb */
3353 case 0xe7: /* out */
3355 case 0xe8: /* call (near) */ {
3356 long int rel = c->src.val;
3357 c->src.val = (unsigned long) c->eip;
3359 emulate_push(ctxt, ops);
3362 case 0xe9: /* jmp rel */
3364 case 0xea: { /* jmp far */
3367 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3369 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3373 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3377 jmp: /* jmp rel short */
3378 jmp_rel(c, c->src.val);
3379 c->dst.type = OP_NONE; /* Disable writeback. */
3381 case 0xec: /* in al,dx */
3382 case 0xed: /* in (e/r)ax,dx */
3383 c->src.val = c->regs[VCPU_REGS_RDX];
3385 c->dst.bytes = min(c->dst.bytes, 4u);
3386 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3387 emulate_gp(ctxt, 0);
3390 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3392 goto done; /* IO is needed */
3394 case 0xee: /* out dx,al */
3395 case 0xef: /* out dx,(e/r)ax */
3396 c->dst.val = c->regs[VCPU_REGS_RDX];
3398 c->src.bytes = min(c->src.bytes, 4u);
3399 if (!emulator_io_permited(ctxt, ops, c->dst.val,
3401 emulate_gp(ctxt, 0);
3404 ops->pio_out_emulated(c->src.bytes, c->dst.val,
3405 &c->src.val, 1, ctxt->vcpu);
3406 c->dst.type = OP_NONE; /* Disable writeback. */
3408 case 0xf4: /* hlt */
3409 ctxt->vcpu->arch.halt_request = 1;
3411 case 0xf5: /* cmc */
3412 /* complement carry flag from eflags reg */
3413 ctxt->eflags ^= EFLG_CF;
3415 case 0xf6 ... 0xf7: /* Grp3 */
3416 if (emulate_grp3(ctxt, ops) != X86EMUL_CONTINUE)
3417 goto cannot_emulate;
3419 case 0xf8: /* clc */
3420 ctxt->eflags &= ~EFLG_CF;
3422 case 0xf9: /* stc */
3423 ctxt->eflags |= EFLG_CF;
3425 case 0xfa: /* cli */
3426 if (emulator_bad_iopl(ctxt, ops)) {
3427 emulate_gp(ctxt, 0);
3430 ctxt->eflags &= ~X86_EFLAGS_IF;
3432 case 0xfb: /* sti */
3433 if (emulator_bad_iopl(ctxt, ops)) {
3434 emulate_gp(ctxt, 0);
3437 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3438 ctxt->eflags |= X86_EFLAGS_IF;
3441 case 0xfc: /* cld */
3442 ctxt->eflags &= ~EFLG_DF;
3444 case 0xfd: /* std */
3445 ctxt->eflags |= EFLG_DF;
3447 case 0xfe: /* Grp4 */
3449 rc = emulate_grp45(ctxt, ops);
3450 if (rc != X86EMUL_CONTINUE)
3453 case 0xff: /* Grp5 */
3454 if (c->modrm_reg == 5)
3458 goto cannot_emulate;
3462 rc = writeback(ctxt, ops);
3463 if (rc != X86EMUL_CONTINUE)
3467 * restore dst type in case the decoding will be reused
3468 * (happens for string instruction )
3470 c->dst.type = saved_dst_type;
3472 if ((c->d & SrcMask) == SrcSI)
3473 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3474 VCPU_REGS_RSI, &c->src);
3476 if ((c->d & DstMask) == DstDI)
3477 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3480 if (c->rep_prefix && (c->d & String)) {
3481 struct read_cache *r = &ctxt->decode.io_read;
3482 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3484 if (!string_insn_completed(ctxt)) {
3486 * Re-enter guest when pio read ahead buffer is empty
3487 * or, if it is not used, after each 1024 iteration.
3489 if ((r->end != 0 || c->regs[VCPU_REGS_RCX] & 0x3ff) &&
3490 (r->end == 0 || r->end != r->pos)) {
3492 * Reset read cache. Usually happens before
3493 * decode, but since instruction is restarted
3494 * we have to do it here.
3496 ctxt->decode.mem_read.end = 0;
3497 return EMULATION_RESTART;
3499 goto done; /* skip rip writeback */
3506 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3510 case 0x01: /* lgdt, lidt, lmsw */
3511 switch (c->modrm_reg) {
3513 unsigned long address;
3515 case 0: /* vmcall */
3516 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3517 goto cannot_emulate;
3519 rc = kvm_fix_hypercall(ctxt->vcpu);
3520 if (rc != X86EMUL_CONTINUE)
3523 /* Let the processor re-execute the fixed hypercall */
3525 /* Disable writeback. */
3526 c->dst.type = OP_NONE;
3529 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3530 &size, &address, c->op_bytes);
3531 if (rc != X86EMUL_CONTINUE)
3533 realmode_lgdt(ctxt->vcpu, size, address);
3534 /* Disable writeback. */
3535 c->dst.type = OP_NONE;
3537 case 3: /* lidt/vmmcall */
3538 if (c->modrm_mod == 3) {
3539 switch (c->modrm_rm) {
3541 rc = kvm_fix_hypercall(ctxt->vcpu);
3542 if (rc != X86EMUL_CONTINUE)
3546 goto cannot_emulate;
3549 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3552 if (rc != X86EMUL_CONTINUE)
3554 realmode_lidt(ctxt->vcpu, size, address);
3556 /* Disable writeback. */
3557 c->dst.type = OP_NONE;
3561 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3564 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3565 (c->src.val & 0x0f), ctxt->vcpu);
3566 c->dst.type = OP_NONE;
3568 case 5: /* not defined */
3572 emulate_invlpg(ctxt->vcpu, c->src.addr.mem);
3573 /* Disable writeback. */
3574 c->dst.type = OP_NONE;
3577 goto cannot_emulate;
3580 case 0x05: /* syscall */
3581 rc = emulate_syscall(ctxt, ops);
3582 if (rc != X86EMUL_CONTINUE)
3588 emulate_clts(ctxt->vcpu);
3590 case 0x09: /* wbinvd */
3591 kvm_emulate_wbinvd(ctxt->vcpu);
3593 case 0x08: /* invd */
3594 case 0x0d: /* GrpP (prefetch) */
3595 case 0x18: /* Grp16 (prefetch/nop) */
3597 case 0x20: /* mov cr, reg */
3598 switch (c->modrm_reg) {
3605 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3607 case 0x21: /* mov from dr to reg */
3608 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3609 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3613 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3615 case 0x22: /* mov reg, cr */
3616 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3617 emulate_gp(ctxt, 0);
3620 c->dst.type = OP_NONE;
3622 case 0x23: /* mov from reg to dr */
3623 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3624 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3629 if (ops->set_dr(c->modrm_reg, c->src.val &
3630 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3631 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3632 /* #UD condition is already handled by the code above */
3633 emulate_gp(ctxt, 0);
3637 c->dst.type = OP_NONE; /* no writeback */
3641 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3642 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3643 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3644 emulate_gp(ctxt, 0);
3647 rc = X86EMUL_CONTINUE;
3651 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3652 emulate_gp(ctxt, 0);
3655 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3656 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3658 rc = X86EMUL_CONTINUE;
3660 case 0x34: /* sysenter */
3661 rc = emulate_sysenter(ctxt, ops);
3662 if (rc != X86EMUL_CONTINUE)
3667 case 0x35: /* sysexit */
3668 rc = emulate_sysexit(ctxt, ops);
3669 if (rc != X86EMUL_CONTINUE)
3674 case 0x40 ... 0x4f: /* cmov */
3675 c->dst.val = c->dst.orig_val = c->src.val;
3676 if (!test_cc(c->b, ctxt->eflags))
3677 c->dst.type = OP_NONE; /* no writeback */
3679 case 0x80 ... 0x8f: /* jnz rel, etc*/
3680 if (test_cc(c->b, ctxt->eflags))
3681 jmp_rel(c, c->src.val);
3683 case 0x90 ... 0x9f: /* setcc r/m8 */
3684 c->dst.val = test_cc(c->b, ctxt->eflags);
3686 case 0xa0: /* push fs */
3687 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3689 case 0xa1: /* pop fs */
3690 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3691 if (rc != X86EMUL_CONTINUE)
3696 c->dst.type = OP_NONE;
3697 /* only subword offset */
3698 c->src.val &= (c->dst.bytes << 3) - 1;
3699 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3701 case 0xa4: /* shld imm8, r, r/m */
3702 case 0xa5: /* shld cl, r, r/m */
3703 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3705 case 0xa8: /* push gs */
3706 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3708 case 0xa9: /* pop gs */
3709 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3710 if (rc != X86EMUL_CONTINUE)
3715 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3717 case 0xac: /* shrd imm8, r, r/m */
3718 case 0xad: /* shrd cl, r, r/m */
3719 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3721 case 0xae: /* clflush */
3723 case 0xb0 ... 0xb1: /* cmpxchg */
3725 * Save real source value, then compare EAX against
3728 c->src.orig_val = c->src.val;
3729 c->src.val = c->regs[VCPU_REGS_RAX];
3730 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3731 if (ctxt->eflags & EFLG_ZF) {
3732 /* Success: write back to memory. */
3733 c->dst.val = c->src.orig_val;
3735 /* Failure: write the value we saw to EAX. */
3736 c->dst.type = OP_REG;
3737 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3740 case 0xb2: /* lss */
3741 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_SS);
3742 if (rc != X86EMUL_CONTINUE)
3747 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3749 case 0xb4: /* lfs */
3750 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_FS);
3751 if (rc != X86EMUL_CONTINUE)
3754 case 0xb5: /* lgs */
3755 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_GS);
3756 if (rc != X86EMUL_CONTINUE)
3759 case 0xb6 ... 0xb7: /* movzx */
3760 c->dst.bytes = c->op_bytes;
3761 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3764 case 0xba: /* Grp8 */
3765 switch (c->modrm_reg & 3) {
3778 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3780 case 0xbc: { /* bsf */
3782 __asm__ ("bsf %2, %0; setz %1"
3783 : "=r"(c->dst.val), "=q"(zf)
3785 ctxt->eflags &= ~X86_EFLAGS_ZF;
3787 ctxt->eflags |= X86_EFLAGS_ZF;
3788 c->dst.type = OP_NONE; /* Disable writeback. */
3792 case 0xbd: { /* bsr */
3794 __asm__ ("bsr %2, %0; setz %1"
3795 : "=r"(c->dst.val), "=q"(zf)
3797 ctxt->eflags &= ~X86_EFLAGS_ZF;
3799 ctxt->eflags |= X86_EFLAGS_ZF;
3800 c->dst.type = OP_NONE; /* Disable writeback. */
3804 case 0xbe ... 0xbf: /* movsx */
3805 c->dst.bytes = c->op_bytes;
3806 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3809 case 0xc0 ... 0xc1: /* xadd */
3810 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3811 /* Write back the register source. */
3812 c->src.val = c->dst.orig_val;
3813 write_register_operand(&c->src);
3815 case 0xc3: /* movnti */
3816 c->dst.bytes = c->op_bytes;
3817 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3820 case 0xc7: /* Grp9 (cmpxchg8b) */
3821 rc = emulate_grp9(ctxt, ops);
3822 if (rc != X86EMUL_CONTINUE)
3826 goto cannot_emulate;
3831 DPRINTF("Cannot emulate %02x\n", c->b);
projects / mv-sheeva.git / blob