1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
32 * Opcode effective-address decode tables.
33 * Note that we only emulate instructions that have at least one memory
34 * operand (excluding implicit stack references). We assume that stack
35 * references and instruction fetches will never occur in special memory
36 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
40 /* Operand sizes: 8-bit operands or specified/overridden size. */
41 #define ByteOp (1<<0) /* 8-bit operands. */
42 /* Destination operand type. */
43 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
44 #define DstReg (2<<1) /* Register operand. */
45 #define DstMem (3<<1) /* Memory operand. */
46 #define DstAcc (4<<1) /* Destination Accumulator */
47 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
48 #define DstMem64 (6<<1) /* 64bit memory operand */
49 #define DstImmUByte (7<<1) /* 8-bit unsigned immediate operand */
50 #define DstMask (7<<1)
51 /* Source operand type. */
52 #define SrcNone (0<<4) /* No source operand. */
53 #define SrcReg (1<<4) /* Register operand. */
54 #define SrcMem (2<<4) /* Memory operand. */
55 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
56 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
57 #define SrcImm (5<<4) /* Immediate operand. */
58 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
59 #define SrcOne (7<<4) /* Implied '1' */
60 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
61 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
62 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
63 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
64 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
65 #define SrcAcc (0xd<<4) /* Source Accumulator */
66 #define SrcImmU16 (0xe<<4) /* Immediate operand, unsigned, 16 bits */
67 #define SrcMask (0xf<<4)
68 /* Generic ModRM decode. */
70 /* Destination is only written; never read. */
73 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
74 #define String (1<<12) /* String instruction (rep capable) */
75 #define Stack (1<<13) /* Stack instruction (push/pop) */
76 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
77 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
78 #define Prefix (1<<16) /* Instruction varies with 66/f2/f3 prefix */
79 #define Sse (1<<17) /* SSE Vector instruction */
81 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
82 #define VendorSpecific (1<<22) /* Vendor specific instruction */
83 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
84 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
85 #define Undefined (1<<25) /* No Such Instruction */
86 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
87 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
89 /* Source 2 operand type */
90 #define Src2None (0<<29)
91 #define Src2CL (1<<29)
92 #define Src2ImmByte (2<<29)
93 #define Src2One (3<<29)
94 #define Src2Imm (4<<29)
95 #define Src2Mask (7<<29)
98 #define X3(x...) X2(x), x
99 #define X4(x...) X2(x), X2(x)
100 #define X5(x...) X4(x), x
101 #define X6(x...) X4(x), X2(x)
102 #define X7(x...) X4(x), X3(x)
103 #define X8(x...) X4(x), X4(x)
104 #define X16(x...) X8(x), X8(x)
110 int (*execute)(struct x86_emulate_ctxt *ctxt);
111 struct opcode *group;
112 struct group_dual *gdual;
113 struct gprefix *gprefix;
115 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
119 struct opcode mod012[8];
120 struct opcode mod3[8];
124 struct opcode pfx_no;
125 struct opcode pfx_66;
126 struct opcode pfx_f2;
127 struct opcode pfx_f3;
130 /* EFLAGS bit definitions. */
131 #define EFLG_ID (1<<21)
132 #define EFLG_VIP (1<<20)
133 #define EFLG_VIF (1<<19)
134 #define EFLG_AC (1<<18)
135 #define EFLG_VM (1<<17)
136 #define EFLG_RF (1<<16)
137 #define EFLG_IOPL (3<<12)
138 #define EFLG_NT (1<<14)
139 #define EFLG_OF (1<<11)
140 #define EFLG_DF (1<<10)
141 #define EFLG_IF (1<<9)
142 #define EFLG_TF (1<<8)
143 #define EFLG_SF (1<<7)
144 #define EFLG_ZF (1<<6)
145 #define EFLG_AF (1<<4)
146 #define EFLG_PF (1<<2)
147 #define EFLG_CF (1<<0)
149 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
150 #define EFLG_RESERVED_ONE_MASK 2
153 * Instruction emulation:
154 * Most instructions are emulated directly via a fragment of inline assembly
155 * code. This allows us to save/restore EFLAGS and thus very easily pick up
156 * any modified flags.
159 #if defined(CONFIG_X86_64)
160 #define _LO32 "k" /* force 32-bit operand */
161 #define _STK "%%rsp" /* stack pointer */
162 #elif defined(__i386__)
163 #define _LO32 "" /* force 32-bit operand */
164 #define _STK "%%esp" /* stack pointer */
168 * These EFLAGS bits are restored from saved value during emulation, and
169 * any changes are written back to the saved value after emulation.
171 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
173 /* Before executing instruction: restore necessary bits in EFLAGS. */
174 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
175 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
176 "movl %"_sav",%"_LO32 _tmp"; " \
179 "movl %"_msk",%"_LO32 _tmp"; " \
180 "andl %"_LO32 _tmp",("_STK"); " \
182 "notl %"_LO32 _tmp"; " \
183 "andl %"_LO32 _tmp",("_STK"); " \
184 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
186 "orl %"_LO32 _tmp",("_STK"); " \
190 /* After executing instruction: write-back necessary bits in EFLAGS. */
191 #define _POST_EFLAGS(_sav, _msk, _tmp) \
192 /* _sav |= EFLAGS & _msk; */ \
195 "andl %"_msk",%"_LO32 _tmp"; " \
196 "orl %"_LO32 _tmp",%"_sav"; "
204 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
206 __asm__ __volatile__ ( \
207 _PRE_EFLAGS("0", "4", "2") \
208 _op _suffix " %"_x"3,%1; " \
209 _POST_EFLAGS("0", "4", "2") \
210 : "=m" (_eflags), "+q" (*(_dsttype*)&(_dst).val),\
212 : _y ((_src).val), "i" (EFLAGS_MASK)); \
216 /* Raw emulation: instruction has two explicit operands. */
217 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
219 unsigned long _tmp; \
221 switch ((_dst).bytes) { \
223 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
226 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l",u32);\
229 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q",u64)); \
234 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
236 unsigned long _tmp; \
237 switch ((_dst).bytes) { \
239 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
242 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
243 _wx, _wy, _lx, _ly, _qx, _qy); \
248 /* Source operand is byte-sized and may be restricted to just %cl. */
249 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
250 __emulate_2op(_op, _src, _dst, _eflags, \
251 "b", "c", "b", "c", "b", "c", "b", "c")
253 /* Source operand is byte, word, long or quad sized. */
254 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
255 __emulate_2op(_op, _src, _dst, _eflags, \
256 "b", "q", "w", "r", _LO32, "r", "", "r")
258 /* Source operand is word, long or quad sized. */
259 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
260 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
261 "w", "r", _LO32, "r", "", "r")
263 /* Instruction has three operands and one operand is stored in ECX register */
264 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
266 unsigned long _tmp; \
267 _type _clv = (_cl).val; \
268 _type _srcv = (_src).val; \
269 _type _dstv = (_dst).val; \
271 __asm__ __volatile__ ( \
272 _PRE_EFLAGS("0", "5", "2") \
273 _op _suffix " %4,%1 \n" \
274 _POST_EFLAGS("0", "5", "2") \
275 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
276 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
279 (_cl).val = (unsigned long) _clv; \
280 (_src).val = (unsigned long) _srcv; \
281 (_dst).val = (unsigned long) _dstv; \
284 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
286 switch ((_dst).bytes) { \
288 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
289 "w", unsigned short); \
292 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
293 "l", unsigned int); \
296 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
297 "q", unsigned long)); \
302 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
304 unsigned long _tmp; \
306 __asm__ __volatile__ ( \
307 _PRE_EFLAGS("0", "3", "2") \
308 _op _suffix " %1; " \
309 _POST_EFLAGS("0", "3", "2") \
310 : "=m" (_eflags), "+m" ((_dst).val), \
312 : "i" (EFLAGS_MASK)); \
315 /* Instruction has only one explicit operand (no source operand). */
316 #define emulate_1op(_op, _dst, _eflags) \
318 switch ((_dst).bytes) { \
319 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
320 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
321 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
322 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
326 #define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix) \
328 unsigned long _tmp; \
330 __asm__ __volatile__ ( \
331 _PRE_EFLAGS("0", "4", "1") \
332 _op _suffix " %5; " \
333 _POST_EFLAGS("0", "4", "1") \
334 : "=m" (_eflags), "=&r" (_tmp), \
335 "+a" (_rax), "+d" (_rdx) \
336 : "i" (EFLAGS_MASK), "m" ((_src).val), \
337 "a" (_rax), "d" (_rdx)); \
340 #define __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _suffix, _ex) \
342 unsigned long _tmp; \
344 __asm__ __volatile__ ( \
345 _PRE_EFLAGS("0", "5", "1") \
347 _op _suffix " %6; " \
349 _POST_EFLAGS("0", "5", "1") \
350 ".pushsection .fixup,\"ax\" \n\t" \
351 "3: movb $1, %4 \n\t" \
354 _ASM_EXTABLE(1b, 3b) \
355 : "=m" (_eflags), "=&r" (_tmp), \
356 "+a" (_rax), "+d" (_rdx), "+qm"(_ex) \
357 : "i" (EFLAGS_MASK), "m" ((_src).val), \
358 "a" (_rax), "d" (_rdx)); \
361 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
362 #define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags) \
364 switch((_src).bytes) { \
365 case 1: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "b"); break; \
366 case 2: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "w"); break; \
367 case 4: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "l"); break; \
368 case 8: ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "q")); break; \
372 #define emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _ex) \
374 switch((_src).bytes) { \
376 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
377 _eflags, "b", _ex); \
380 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
381 _eflags, "w", _ex); \
384 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
385 _eflags, "l", _ex); \
388 __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
389 _eflags, "q", _ex)); \
394 /* Fetch next part of the instruction being emulated. */
395 #define insn_fetch(_type, _size, _eip) \
396 ({ unsigned long _x; \
397 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
398 if (rc != X86EMUL_CONTINUE) \
404 #define insn_fetch_arr(_arr, _size, _eip) \
405 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
406 if (rc != X86EMUL_CONTINUE) \
411 static inline unsigned long ad_mask(struct decode_cache *c)
413 return (1UL << (c->ad_bytes << 3)) - 1;
416 /* Access/update address held in a register, based on addressing mode. */
417 static inline unsigned long
418 address_mask(struct decode_cache *c, unsigned long reg)
420 if (c->ad_bytes == sizeof(unsigned long))
423 return reg & ad_mask(c);
426 static inline unsigned long
427 register_address(struct decode_cache *c, unsigned long reg)
429 return address_mask(c, reg);
433 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
435 if (c->ad_bytes == sizeof(unsigned long))
438 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
441 static inline void jmp_rel(struct decode_cache *c, int rel)
443 register_address_increment(c, &c->eip, rel);
446 static void set_seg_override(struct decode_cache *c, int seg)
448 c->has_seg_override = true;
449 c->seg_override = seg;
452 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
453 struct x86_emulate_ops *ops, int seg)
455 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
458 return ops->get_cached_segment_base(seg, ctxt->vcpu);
461 static unsigned seg_override(struct x86_emulate_ctxt *ctxt,
462 struct x86_emulate_ops *ops,
463 struct decode_cache *c)
465 if (!c->has_seg_override)
468 return c->seg_override;
471 static ulong linear(struct x86_emulate_ctxt *ctxt,
472 struct segmented_address addr)
474 struct decode_cache *c = &ctxt->decode;
477 la = seg_base(ctxt, ctxt->ops, addr.seg) + addr.ea;
478 if (c->ad_bytes != 8)
483 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
484 u32 error, bool valid)
486 ctxt->exception.vector = vec;
487 ctxt->exception.error_code = error;
488 ctxt->exception.error_code_valid = valid;
489 return X86EMUL_PROPAGATE_FAULT;
492 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
494 return emulate_exception(ctxt, GP_VECTOR, err, true);
497 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
499 return emulate_exception(ctxt, UD_VECTOR, 0, false);
502 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
504 return emulate_exception(ctxt, TS_VECTOR, err, true);
507 static int emulate_de(struct x86_emulate_ctxt *ctxt)
509 return emulate_exception(ctxt, DE_VECTOR, 0, false);
512 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
514 return emulate_exception(ctxt, NM_VECTOR, 0, false);
517 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
518 struct x86_emulate_ops *ops,
519 unsigned long eip, u8 *dest)
521 struct fetch_cache *fc = &ctxt->decode.fetch;
525 if (eip == fc->end) {
526 cur_size = fc->end - fc->start;
527 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
528 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
529 size, ctxt->vcpu, &ctxt->exception);
530 if (rc != X86EMUL_CONTINUE)
534 *dest = fc->data[eip - fc->start];
535 return X86EMUL_CONTINUE;
538 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
539 struct x86_emulate_ops *ops,
540 unsigned long eip, void *dest, unsigned size)
544 /* x86 instructions are limited to 15 bytes. */
545 if (eip + size - ctxt->eip > 15)
546 return X86EMUL_UNHANDLEABLE;
548 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
549 if (rc != X86EMUL_CONTINUE)
552 return X86EMUL_CONTINUE;
556 * Given the 'reg' portion of a ModRM byte, and a register block, return a
557 * pointer into the block that addresses the relevant register.
558 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
560 static void *decode_register(u8 modrm_reg, unsigned long *regs,
565 p = ®s[modrm_reg];
566 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
567 p = (unsigned char *)®s[modrm_reg & 3] + 1;
571 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
572 struct x86_emulate_ops *ops,
573 struct segmented_address addr,
574 u16 *size, unsigned long *address, int op_bytes)
581 rc = ops->read_std(linear(ctxt, addr), (unsigned long *)size, 2,
582 ctxt->vcpu, &ctxt->exception);
583 if (rc != X86EMUL_CONTINUE)
586 rc = ops->read_std(linear(ctxt, addr), address, op_bytes,
587 ctxt->vcpu, &ctxt->exception);
591 static int test_cc(unsigned int condition, unsigned int flags)
595 switch ((condition & 15) >> 1) {
597 rc |= (flags & EFLG_OF);
599 case 1: /* b/c/nae */
600 rc |= (flags & EFLG_CF);
603 rc |= (flags & EFLG_ZF);
606 rc |= (flags & (EFLG_CF|EFLG_ZF));
609 rc |= (flags & EFLG_SF);
612 rc |= (flags & EFLG_PF);
615 rc |= (flags & EFLG_ZF);
618 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
622 /* Odd condition identifiers (lsb == 1) have inverted sense. */
623 return (!!rc ^ (condition & 1));
626 static void fetch_register_operand(struct operand *op)
630 op->val = *(u8 *)op->addr.reg;
633 op->val = *(u16 *)op->addr.reg;
636 op->val = *(u32 *)op->addr.reg;
639 op->val = *(u64 *)op->addr.reg;
644 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
646 ctxt->ops->get_fpu(ctxt);
648 case 0: asm("movdqu %%xmm0, %0" : "=m"(*data)); break;
649 case 1: asm("movdqu %%xmm1, %0" : "=m"(*data)); break;
650 case 2: asm("movdqu %%xmm2, %0" : "=m"(*data)); break;
651 case 3: asm("movdqu %%xmm3, %0" : "=m"(*data)); break;
652 case 4: asm("movdqu %%xmm4, %0" : "=m"(*data)); break;
653 case 5: asm("movdqu %%xmm5, %0" : "=m"(*data)); break;
654 case 6: asm("movdqu %%xmm6, %0" : "=m"(*data)); break;
655 case 7: asm("movdqu %%xmm7, %0" : "=m"(*data)); break;
657 case 8: asm("movdqu %%xmm8, %0" : "=m"(*data)); break;
658 case 9: asm("movdqu %%xmm9, %0" : "=m"(*data)); break;
659 case 10: asm("movdqu %%xmm10, %0" : "=m"(*data)); break;
660 case 11: asm("movdqu %%xmm11, %0" : "=m"(*data)); break;
661 case 12: asm("movdqu %%xmm12, %0" : "=m"(*data)); break;
662 case 13: asm("movdqu %%xmm13, %0" : "=m"(*data)); break;
663 case 14: asm("movdqu %%xmm14, %0" : "=m"(*data)); break;
664 case 15: asm("movdqu %%xmm15, %0" : "=m"(*data)); break;
668 ctxt->ops->put_fpu(ctxt);
671 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
674 ctxt->ops->get_fpu(ctxt);
676 case 0: asm("movdqu %0, %%xmm0" : : "m"(*data)); break;
677 case 1: asm("movdqu %0, %%xmm1" : : "m"(*data)); break;
678 case 2: asm("movdqu %0, %%xmm2" : : "m"(*data)); break;
679 case 3: asm("movdqu %0, %%xmm3" : : "m"(*data)); break;
680 case 4: asm("movdqu %0, %%xmm4" : : "m"(*data)); break;
681 case 5: asm("movdqu %0, %%xmm5" : : "m"(*data)); break;
682 case 6: asm("movdqu %0, %%xmm6" : : "m"(*data)); break;
683 case 7: asm("movdqu %0, %%xmm7" : : "m"(*data)); break;
685 case 8: asm("movdqu %0, %%xmm8" : : "m"(*data)); break;
686 case 9: asm("movdqu %0, %%xmm9" : : "m"(*data)); break;
687 case 10: asm("movdqu %0, %%xmm10" : : "m"(*data)); break;
688 case 11: asm("movdqu %0, %%xmm11" : : "m"(*data)); break;
689 case 12: asm("movdqu %0, %%xmm12" : : "m"(*data)); break;
690 case 13: asm("movdqu %0, %%xmm13" : : "m"(*data)); break;
691 case 14: asm("movdqu %0, %%xmm14" : : "m"(*data)); break;
692 case 15: asm("movdqu %0, %%xmm15" : : "m"(*data)); break;
696 ctxt->ops->put_fpu(ctxt);
699 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
701 struct decode_cache *c,
704 unsigned reg = c->modrm_reg;
705 int highbyte_regs = c->rex_prefix == 0;
708 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
714 read_sse_reg(ctxt, &op->vec_val, reg);
719 if ((c->d & ByteOp) && !inhibit_bytereg) {
720 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
723 op->addr.reg = decode_register(reg, c->regs, 0);
724 op->bytes = c->op_bytes;
726 fetch_register_operand(op);
727 op->orig_val = op->val;
730 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
731 struct x86_emulate_ops *ops,
734 struct decode_cache *c = &ctxt->decode;
736 int index_reg = 0, base_reg = 0, scale;
737 int rc = X86EMUL_CONTINUE;
741 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
742 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
743 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
746 c->modrm = insn_fetch(u8, 1, c->eip);
747 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
748 c->modrm_reg |= (c->modrm & 0x38) >> 3;
749 c->modrm_rm |= (c->modrm & 0x07);
750 c->modrm_seg = VCPU_SREG_DS;
752 if (c->modrm_mod == 3) {
754 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
755 op->addr.reg = decode_register(c->modrm_rm,
756 c->regs, c->d & ByteOp);
760 op->addr.xmm = c->modrm_rm;
761 read_sse_reg(ctxt, &op->vec_val, c->modrm_rm);
764 fetch_register_operand(op);
770 if (c->ad_bytes == 2) {
771 unsigned bx = c->regs[VCPU_REGS_RBX];
772 unsigned bp = c->regs[VCPU_REGS_RBP];
773 unsigned si = c->regs[VCPU_REGS_RSI];
774 unsigned di = c->regs[VCPU_REGS_RDI];
776 /* 16-bit ModR/M decode. */
777 switch (c->modrm_mod) {
779 if (c->modrm_rm == 6)
780 modrm_ea += insn_fetch(u16, 2, c->eip);
783 modrm_ea += insn_fetch(s8, 1, c->eip);
786 modrm_ea += insn_fetch(u16, 2, c->eip);
789 switch (c->modrm_rm) {
809 if (c->modrm_mod != 0)
816 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
817 (c->modrm_rm == 6 && c->modrm_mod != 0))
818 c->modrm_seg = VCPU_SREG_SS;
819 modrm_ea = (u16)modrm_ea;
821 /* 32/64-bit ModR/M decode. */
822 if ((c->modrm_rm & 7) == 4) {
823 sib = insn_fetch(u8, 1, c->eip);
824 index_reg |= (sib >> 3) & 7;
828 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
829 modrm_ea += insn_fetch(s32, 4, c->eip);
831 modrm_ea += c->regs[base_reg];
833 modrm_ea += c->regs[index_reg] << scale;
834 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
835 if (ctxt->mode == X86EMUL_MODE_PROT64)
838 modrm_ea += c->regs[c->modrm_rm];
839 switch (c->modrm_mod) {
841 if (c->modrm_rm == 5)
842 modrm_ea += insn_fetch(s32, 4, c->eip);
845 modrm_ea += insn_fetch(s8, 1, c->eip);
848 modrm_ea += insn_fetch(s32, 4, c->eip);
852 op->addr.mem.ea = modrm_ea;
857 static int decode_abs(struct x86_emulate_ctxt *ctxt,
858 struct x86_emulate_ops *ops,
861 struct decode_cache *c = &ctxt->decode;
862 int rc = X86EMUL_CONTINUE;
865 switch (c->ad_bytes) {
867 op->addr.mem.ea = insn_fetch(u16, 2, c->eip);
870 op->addr.mem.ea = insn_fetch(u32, 4, c->eip);
873 op->addr.mem.ea = insn_fetch(u64, 8, c->eip);
880 static void fetch_bit_operand(struct decode_cache *c)
884 if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
885 mask = ~(c->dst.bytes * 8 - 1);
887 if (c->src.bytes == 2)
888 sv = (s16)c->src.val & (s16)mask;
889 else if (c->src.bytes == 4)
890 sv = (s32)c->src.val & (s32)mask;
892 c->dst.addr.mem.ea += (sv >> 3);
895 /* only subword offset */
896 c->src.val &= (c->dst.bytes << 3) - 1;
899 static int read_emulated(struct x86_emulate_ctxt *ctxt,
900 struct x86_emulate_ops *ops,
901 unsigned long addr, void *dest, unsigned size)
904 struct read_cache *mc = &ctxt->decode.mem_read;
907 int n = min(size, 8u);
909 if (mc->pos < mc->end)
912 rc = ops->read_emulated(addr, mc->data + mc->end, n,
913 &ctxt->exception, ctxt->vcpu);
914 if (rc != X86EMUL_CONTINUE)
919 memcpy(dest, mc->data + mc->pos, n);
924 return X86EMUL_CONTINUE;
927 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
928 struct x86_emulate_ops *ops,
929 unsigned int size, unsigned short port,
932 struct read_cache *rc = &ctxt->decode.io_read;
934 if (rc->pos == rc->end) { /* refill pio read ahead */
935 struct decode_cache *c = &ctxt->decode;
936 unsigned int in_page, n;
937 unsigned int count = c->rep_prefix ?
938 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
939 in_page = (ctxt->eflags & EFLG_DF) ?
940 offset_in_page(c->regs[VCPU_REGS_RDI]) :
941 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
942 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
946 rc->pos = rc->end = 0;
947 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
952 memcpy(dest, rc->data + rc->pos, size);
957 static u32 desc_limit_scaled(struct desc_struct *desc)
959 u32 limit = get_desc_limit(desc);
961 return desc->g ? (limit << 12) | 0xfff : limit;
964 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
965 struct x86_emulate_ops *ops,
966 u16 selector, struct desc_ptr *dt)
968 if (selector & 1 << 2) {
969 struct desc_struct desc;
970 memset (dt, 0, sizeof *dt);
971 if (!ops->get_cached_descriptor(&desc, NULL, VCPU_SREG_LDTR,
975 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
976 dt->address = get_desc_base(&desc);
978 ops->get_gdt(dt, ctxt->vcpu);
981 /* allowed just for 8 bytes segments */
982 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
983 struct x86_emulate_ops *ops,
984 u16 selector, struct desc_struct *desc)
987 u16 index = selector >> 3;
991 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
993 if (dt.size < index * 8 + 7)
994 return emulate_gp(ctxt, selector & 0xfffc);
995 addr = dt.address + index * 8;
996 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu,
1002 /* allowed just for 8 bytes segments */
1003 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1004 struct x86_emulate_ops *ops,
1005 u16 selector, struct desc_struct *desc)
1008 u16 index = selector >> 3;
1012 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1014 if (dt.size < index * 8 + 7)
1015 return emulate_gp(ctxt, selector & 0xfffc);
1017 addr = dt.address + index * 8;
1018 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu,
1024 /* Does not support long mode */
1025 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1026 struct x86_emulate_ops *ops,
1027 u16 selector, int seg)
1029 struct desc_struct seg_desc;
1031 unsigned err_vec = GP_VECTOR;
1033 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1036 memset(&seg_desc, 0, sizeof seg_desc);
1038 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1039 || ctxt->mode == X86EMUL_MODE_REAL) {
1040 /* set real mode segment descriptor */
1041 set_desc_base(&seg_desc, selector << 4);
1042 set_desc_limit(&seg_desc, 0xffff);
1049 /* NULL selector is not valid for TR, CS and SS */
1050 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1054 /* TR should be in GDT only */
1055 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1058 if (null_selector) /* for NULL selector skip all following checks */
1061 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1062 if (ret != X86EMUL_CONTINUE)
1065 err_code = selector & 0xfffc;
1066 err_vec = GP_VECTOR;
1068 /* can't load system descriptor into segment selecor */
1069 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1073 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1079 cpl = ops->cpl(ctxt->vcpu);
1084 * segment is not a writable data segment or segment
1085 * selector's RPL != CPL or segment selector's RPL != CPL
1087 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1091 if (!(seg_desc.type & 8))
1094 if (seg_desc.type & 4) {
1100 if (rpl > cpl || dpl != cpl)
1103 /* CS(RPL) <- CPL */
1104 selector = (selector & 0xfffc) | cpl;
1107 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1110 case VCPU_SREG_LDTR:
1111 if (seg_desc.s || seg_desc.type != 2)
1114 default: /* DS, ES, FS, or GS */
1116 * segment is not a data or readable code segment or
1117 * ((segment is a data or nonconforming code segment)
1118 * and (both RPL and CPL > DPL))
1120 if ((seg_desc.type & 0xa) == 0x8 ||
1121 (((seg_desc.type & 0xc) != 0xc) &&
1122 (rpl > dpl && cpl > dpl)))
1128 /* mark segment as accessed */
1130 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1131 if (ret != X86EMUL_CONTINUE)
1135 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1136 ops->set_cached_descriptor(&seg_desc, 0, seg, ctxt->vcpu);
1137 return X86EMUL_CONTINUE;
1139 emulate_exception(ctxt, err_vec, err_code, true);
1140 return X86EMUL_PROPAGATE_FAULT;
1143 static void write_register_operand(struct operand *op)
1145 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1146 switch (op->bytes) {
1148 *(u8 *)op->addr.reg = (u8)op->val;
1151 *(u16 *)op->addr.reg = (u16)op->val;
1154 *op->addr.reg = (u32)op->val;
1155 break; /* 64b: zero-extend */
1157 *op->addr.reg = op->val;
1162 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1163 struct x86_emulate_ops *ops)
1166 struct decode_cache *c = &ctxt->decode;
1168 switch (c->dst.type) {
1170 write_register_operand(&c->dst);
1174 rc = ops->cmpxchg_emulated(
1175 linear(ctxt, c->dst.addr.mem),
1182 rc = ops->write_emulated(
1183 linear(ctxt, c->dst.addr.mem),
1188 if (rc != X86EMUL_CONTINUE)
1192 write_sse_reg(ctxt, &c->dst.vec_val, c->dst.addr.xmm);
1200 return X86EMUL_CONTINUE;
1203 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1204 struct x86_emulate_ops *ops)
1206 struct decode_cache *c = &ctxt->decode;
1208 c->dst.type = OP_MEM;
1209 c->dst.bytes = c->op_bytes;
1210 c->dst.val = c->src.val;
1211 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1212 c->dst.addr.mem.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
1213 c->dst.addr.mem.seg = VCPU_SREG_SS;
1216 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1217 struct x86_emulate_ops *ops,
1218 void *dest, int len)
1220 struct decode_cache *c = &ctxt->decode;
1222 struct segmented_address addr;
1224 addr.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
1225 addr.seg = VCPU_SREG_SS;
1226 rc = read_emulated(ctxt, ops, linear(ctxt, addr), dest, len);
1227 if (rc != X86EMUL_CONTINUE)
1230 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1234 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1235 struct x86_emulate_ops *ops,
1236 void *dest, int len)
1239 unsigned long val, change_mask;
1240 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1241 int cpl = ops->cpl(ctxt->vcpu);
1243 rc = emulate_pop(ctxt, ops, &val, len);
1244 if (rc != X86EMUL_CONTINUE)
1247 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1248 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1250 switch(ctxt->mode) {
1251 case X86EMUL_MODE_PROT64:
1252 case X86EMUL_MODE_PROT32:
1253 case X86EMUL_MODE_PROT16:
1255 change_mask |= EFLG_IOPL;
1257 change_mask |= EFLG_IF;
1259 case X86EMUL_MODE_VM86:
1261 return emulate_gp(ctxt, 0);
1262 change_mask |= EFLG_IF;
1264 default: /* real mode */
1265 change_mask |= (EFLG_IOPL | EFLG_IF);
1269 *(unsigned long *)dest =
1270 (ctxt->eflags & ~change_mask) | (val & change_mask);
1275 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1276 struct x86_emulate_ops *ops, int seg)
1278 struct decode_cache *c = &ctxt->decode;
1280 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1282 emulate_push(ctxt, ops);
1285 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1286 struct x86_emulate_ops *ops, int seg)
1288 struct decode_cache *c = &ctxt->decode;
1289 unsigned long selector;
1292 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1293 if (rc != X86EMUL_CONTINUE)
1296 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1300 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1301 struct x86_emulate_ops *ops)
1303 struct decode_cache *c = &ctxt->decode;
1304 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1305 int rc = X86EMUL_CONTINUE;
1306 int reg = VCPU_REGS_RAX;
1308 while (reg <= VCPU_REGS_RDI) {
1309 (reg == VCPU_REGS_RSP) ?
1310 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1312 emulate_push(ctxt, ops);
1314 rc = writeback(ctxt, ops);
1315 if (rc != X86EMUL_CONTINUE)
1321 /* Disable writeback. */
1322 c->dst.type = OP_NONE;
1327 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1328 struct x86_emulate_ops *ops)
1330 struct decode_cache *c = &ctxt->decode;
1331 int rc = X86EMUL_CONTINUE;
1332 int reg = VCPU_REGS_RDI;
1334 while (reg >= VCPU_REGS_RAX) {
1335 if (reg == VCPU_REGS_RSP) {
1336 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1341 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1342 if (rc != X86EMUL_CONTINUE)
1349 int emulate_int_real(struct x86_emulate_ctxt *ctxt,
1350 struct x86_emulate_ops *ops, int irq)
1352 struct decode_cache *c = &ctxt->decode;
1359 /* TODO: Add limit checks */
1360 c->src.val = ctxt->eflags;
1361 emulate_push(ctxt, ops);
1362 rc = writeback(ctxt, ops);
1363 if (rc != X86EMUL_CONTINUE)
1366 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1368 c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1369 emulate_push(ctxt, ops);
1370 rc = writeback(ctxt, ops);
1371 if (rc != X86EMUL_CONTINUE)
1374 c->src.val = c->eip;
1375 emulate_push(ctxt, ops);
1376 rc = writeback(ctxt, ops);
1377 if (rc != X86EMUL_CONTINUE)
1380 c->dst.type = OP_NONE;
1382 ops->get_idt(&dt, ctxt->vcpu);
1384 eip_addr = dt.address + (irq << 2);
1385 cs_addr = dt.address + (irq << 2) + 2;
1387 rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &ctxt->exception);
1388 if (rc != X86EMUL_CONTINUE)
1391 rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &ctxt->exception);
1392 if (rc != X86EMUL_CONTINUE)
1395 rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
1396 if (rc != X86EMUL_CONTINUE)
1404 static int emulate_int(struct x86_emulate_ctxt *ctxt,
1405 struct x86_emulate_ops *ops, int irq)
1407 switch(ctxt->mode) {
1408 case X86EMUL_MODE_REAL:
1409 return emulate_int_real(ctxt, ops, irq);
1410 case X86EMUL_MODE_VM86:
1411 case X86EMUL_MODE_PROT16:
1412 case X86EMUL_MODE_PROT32:
1413 case X86EMUL_MODE_PROT64:
1415 /* Protected mode interrupts unimplemented yet */
1416 return X86EMUL_UNHANDLEABLE;
1420 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1421 struct x86_emulate_ops *ops)
1423 struct decode_cache *c = &ctxt->decode;
1424 int rc = X86EMUL_CONTINUE;
1425 unsigned long temp_eip = 0;
1426 unsigned long temp_eflags = 0;
1427 unsigned long cs = 0;
1428 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1429 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1430 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1431 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1433 /* TODO: Add stack limit check */
1435 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1437 if (rc != X86EMUL_CONTINUE)
1440 if (temp_eip & ~0xffff)
1441 return emulate_gp(ctxt, 0);
1443 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1445 if (rc != X86EMUL_CONTINUE)
1448 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1450 if (rc != X86EMUL_CONTINUE)
1453 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1455 if (rc != X86EMUL_CONTINUE)
1461 if (c->op_bytes == 4)
1462 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1463 else if (c->op_bytes == 2) {
1464 ctxt->eflags &= ~0xffff;
1465 ctxt->eflags |= temp_eflags;
1468 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1469 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1474 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1475 struct x86_emulate_ops* ops)
1477 switch(ctxt->mode) {
1478 case X86EMUL_MODE_REAL:
1479 return emulate_iret_real(ctxt, ops);
1480 case X86EMUL_MODE_VM86:
1481 case X86EMUL_MODE_PROT16:
1482 case X86EMUL_MODE_PROT32:
1483 case X86EMUL_MODE_PROT64:
1485 /* iret from protected mode unimplemented yet */
1486 return X86EMUL_UNHANDLEABLE;
1490 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1491 struct x86_emulate_ops *ops)
1493 struct decode_cache *c = &ctxt->decode;
1495 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1498 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1500 struct decode_cache *c = &ctxt->decode;
1501 switch (c->modrm_reg) {
1503 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1506 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1509 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1512 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1514 case 4: /* sal/shl */
1515 case 6: /* sal/shl */
1516 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1519 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1522 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1527 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1528 struct x86_emulate_ops *ops)
1530 struct decode_cache *c = &ctxt->decode;
1531 unsigned long *rax = &c->regs[VCPU_REGS_RAX];
1532 unsigned long *rdx = &c->regs[VCPU_REGS_RDX];
1535 switch (c->modrm_reg) {
1536 case 0 ... 1: /* test */
1537 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1540 c->dst.val = ~c->dst.val;
1543 emulate_1op("neg", c->dst, ctxt->eflags);
1546 emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
1549 emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
1552 emulate_1op_rax_rdx_ex("div", c->src, *rax, *rdx,
1556 emulate_1op_rax_rdx_ex("idiv", c->src, *rax, *rdx,
1560 return X86EMUL_UNHANDLEABLE;
1563 return emulate_de(ctxt);
1564 return X86EMUL_CONTINUE;
1567 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1568 struct x86_emulate_ops *ops)
1570 struct decode_cache *c = &ctxt->decode;
1572 switch (c->modrm_reg) {
1574 emulate_1op("inc", c->dst, ctxt->eflags);
1577 emulate_1op("dec", c->dst, ctxt->eflags);
1579 case 2: /* call near abs */ {
1582 c->eip = c->src.val;
1583 c->src.val = old_eip;
1584 emulate_push(ctxt, ops);
1587 case 4: /* jmp abs */
1588 c->eip = c->src.val;
1591 emulate_push(ctxt, ops);
1594 return X86EMUL_CONTINUE;
1597 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1598 struct x86_emulate_ops *ops)
1600 struct decode_cache *c = &ctxt->decode;
1601 u64 old = c->dst.orig_val64;
1603 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1604 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1605 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1606 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1607 ctxt->eflags &= ~EFLG_ZF;
1609 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1610 (u32) c->regs[VCPU_REGS_RBX];
1612 ctxt->eflags |= EFLG_ZF;
1614 return X86EMUL_CONTINUE;
1617 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1618 struct x86_emulate_ops *ops)
1620 struct decode_cache *c = &ctxt->decode;
1624 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1625 if (rc != X86EMUL_CONTINUE)
1627 if (c->op_bytes == 4)
1628 c->eip = (u32)c->eip;
1629 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1630 if (rc != X86EMUL_CONTINUE)
1632 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1636 static int emulate_load_segment(struct x86_emulate_ctxt *ctxt,
1637 struct x86_emulate_ops *ops, int seg)
1639 struct decode_cache *c = &ctxt->decode;
1643 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
1645 rc = load_segment_descriptor(ctxt, ops, sel, seg);
1646 if (rc != X86EMUL_CONTINUE)
1649 c->dst.val = c->src.val;
1654 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1655 struct x86_emulate_ops *ops, struct desc_struct *cs,
1656 struct desc_struct *ss)
1658 memset(cs, 0, sizeof(struct desc_struct));
1659 ops->get_cached_descriptor(cs, NULL, VCPU_SREG_CS, ctxt->vcpu);
1660 memset(ss, 0, sizeof(struct desc_struct));
1662 cs->l = 0; /* will be adjusted later */
1663 set_desc_base(cs, 0); /* flat segment */
1664 cs->g = 1; /* 4kb granularity */
1665 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1666 cs->type = 0x0b; /* Read, Execute, Accessed */
1668 cs->dpl = 0; /* will be adjusted later */
1672 set_desc_base(ss, 0); /* flat segment */
1673 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1674 ss->g = 1; /* 4kb granularity */
1676 ss->type = 0x03; /* Read/Write, Accessed */
1677 ss->d = 1; /* 32bit stack segment */
1683 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1685 struct decode_cache *c = &ctxt->decode;
1686 struct desc_struct cs, ss;
1690 /* syscall is not available in real mode */
1691 if (ctxt->mode == X86EMUL_MODE_REAL ||
1692 ctxt->mode == X86EMUL_MODE_VM86)
1693 return emulate_ud(ctxt);
1695 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1697 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1699 cs_sel = (u16)(msr_data & 0xfffc);
1700 ss_sel = (u16)(msr_data + 8);
1702 if (is_long_mode(ctxt->vcpu)) {
1706 ops->set_cached_descriptor(&cs, 0, VCPU_SREG_CS, ctxt->vcpu);
1707 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1708 ops->set_cached_descriptor(&ss, 0, VCPU_SREG_SS, ctxt->vcpu);
1709 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1711 c->regs[VCPU_REGS_RCX] = c->eip;
1712 if (is_long_mode(ctxt->vcpu)) {
1713 #ifdef CONFIG_X86_64
1714 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1716 ops->get_msr(ctxt->vcpu,
1717 ctxt->mode == X86EMUL_MODE_PROT64 ?
1718 MSR_LSTAR : MSR_CSTAR, &msr_data);
1721 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1722 ctxt->eflags &= ~(msr_data | EFLG_RF);
1726 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1727 c->eip = (u32)msr_data;
1729 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1732 return X86EMUL_CONTINUE;
1736 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1738 struct decode_cache *c = &ctxt->decode;
1739 struct desc_struct cs, ss;
1743 /* inject #GP if in real mode */
1744 if (ctxt->mode == X86EMUL_MODE_REAL)
1745 return emulate_gp(ctxt, 0);
1747 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1748 * Therefore, we inject an #UD.
1750 if (ctxt->mode == X86EMUL_MODE_PROT64)
1751 return emulate_ud(ctxt);
1753 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1755 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1756 switch (ctxt->mode) {
1757 case X86EMUL_MODE_PROT32:
1758 if ((msr_data & 0xfffc) == 0x0)
1759 return emulate_gp(ctxt, 0);
1761 case X86EMUL_MODE_PROT64:
1762 if (msr_data == 0x0)
1763 return emulate_gp(ctxt, 0);
1767 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1768 cs_sel = (u16)msr_data;
1769 cs_sel &= ~SELECTOR_RPL_MASK;
1770 ss_sel = cs_sel + 8;
1771 ss_sel &= ~SELECTOR_RPL_MASK;
1772 if (ctxt->mode == X86EMUL_MODE_PROT64
1773 || is_long_mode(ctxt->vcpu)) {
1778 ops->set_cached_descriptor(&cs, 0, VCPU_SREG_CS, ctxt->vcpu);
1779 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1780 ops->set_cached_descriptor(&ss, 0, VCPU_SREG_SS, ctxt->vcpu);
1781 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1783 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1786 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1787 c->regs[VCPU_REGS_RSP] = msr_data;
1789 return X86EMUL_CONTINUE;
1793 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1795 struct decode_cache *c = &ctxt->decode;
1796 struct desc_struct cs, ss;
1801 /* inject #GP if in real mode or Virtual 8086 mode */
1802 if (ctxt->mode == X86EMUL_MODE_REAL ||
1803 ctxt->mode == X86EMUL_MODE_VM86)
1804 return emulate_gp(ctxt, 0);
1806 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1808 if ((c->rex_prefix & 0x8) != 0x0)
1809 usermode = X86EMUL_MODE_PROT64;
1811 usermode = X86EMUL_MODE_PROT32;
1815 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1817 case X86EMUL_MODE_PROT32:
1818 cs_sel = (u16)(msr_data + 16);
1819 if ((msr_data & 0xfffc) == 0x0)
1820 return emulate_gp(ctxt, 0);
1821 ss_sel = (u16)(msr_data + 24);
1823 case X86EMUL_MODE_PROT64:
1824 cs_sel = (u16)(msr_data + 32);
1825 if (msr_data == 0x0)
1826 return emulate_gp(ctxt, 0);
1827 ss_sel = cs_sel + 8;
1832 cs_sel |= SELECTOR_RPL_MASK;
1833 ss_sel |= SELECTOR_RPL_MASK;
1835 ops->set_cached_descriptor(&cs, 0, VCPU_SREG_CS, ctxt->vcpu);
1836 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1837 ops->set_cached_descriptor(&ss, 0, VCPU_SREG_SS, ctxt->vcpu);
1838 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1840 c->eip = c->regs[VCPU_REGS_RDX];
1841 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1843 return X86EMUL_CONTINUE;
1846 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1847 struct x86_emulate_ops *ops)
1850 if (ctxt->mode == X86EMUL_MODE_REAL)
1852 if (ctxt->mode == X86EMUL_MODE_VM86)
1854 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1855 return ops->cpl(ctxt->vcpu) > iopl;
1858 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1859 struct x86_emulate_ops *ops,
1862 struct desc_struct tr_seg;
1865 u16 io_bitmap_ptr, perm, bit_idx = port & 0x7;
1866 unsigned mask = (1 << len) - 1;
1869 ops->get_cached_descriptor(&tr_seg, &base3, VCPU_SREG_TR, ctxt->vcpu);
1872 if (desc_limit_scaled(&tr_seg) < 103)
1874 base = get_desc_base(&tr_seg);
1875 #ifdef CONFIG_X86_64
1876 base |= ((u64)base3) << 32;
1878 r = ops->read_std(base + 102, &io_bitmap_ptr, 2, ctxt->vcpu, NULL);
1879 if (r != X86EMUL_CONTINUE)
1881 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1883 r = ops->read_std(base + io_bitmap_ptr + port/8, &perm, 2, ctxt->vcpu,
1885 if (r != X86EMUL_CONTINUE)
1887 if ((perm >> bit_idx) & mask)
1892 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1893 struct x86_emulate_ops *ops,
1899 if (emulator_bad_iopl(ctxt, ops))
1900 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1903 ctxt->perm_ok = true;
1908 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1909 struct x86_emulate_ops *ops,
1910 struct tss_segment_16 *tss)
1912 struct decode_cache *c = &ctxt->decode;
1915 tss->flag = ctxt->eflags;
1916 tss->ax = c->regs[VCPU_REGS_RAX];
1917 tss->cx = c->regs[VCPU_REGS_RCX];
1918 tss->dx = c->regs[VCPU_REGS_RDX];
1919 tss->bx = c->regs[VCPU_REGS_RBX];
1920 tss->sp = c->regs[VCPU_REGS_RSP];
1921 tss->bp = c->regs[VCPU_REGS_RBP];
1922 tss->si = c->regs[VCPU_REGS_RSI];
1923 tss->di = c->regs[VCPU_REGS_RDI];
1925 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1926 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1927 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1928 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1929 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1932 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1933 struct x86_emulate_ops *ops,
1934 struct tss_segment_16 *tss)
1936 struct decode_cache *c = &ctxt->decode;
1940 ctxt->eflags = tss->flag | 2;
1941 c->regs[VCPU_REGS_RAX] = tss->ax;
1942 c->regs[VCPU_REGS_RCX] = tss->cx;
1943 c->regs[VCPU_REGS_RDX] = tss->dx;
1944 c->regs[VCPU_REGS_RBX] = tss->bx;
1945 c->regs[VCPU_REGS_RSP] = tss->sp;
1946 c->regs[VCPU_REGS_RBP] = tss->bp;
1947 c->regs[VCPU_REGS_RSI] = tss->si;
1948 c->regs[VCPU_REGS_RDI] = tss->di;
1951 * SDM says that segment selectors are loaded before segment
1954 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1955 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1956 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1957 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1958 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1961 * Now load segment descriptors. If fault happenes at this stage
1962 * it is handled in a context of new task
1964 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1965 if (ret != X86EMUL_CONTINUE)
1967 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1968 if (ret != X86EMUL_CONTINUE)
1970 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1971 if (ret != X86EMUL_CONTINUE)
1973 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1974 if (ret != X86EMUL_CONTINUE)
1976 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1977 if (ret != X86EMUL_CONTINUE)
1980 return X86EMUL_CONTINUE;
1983 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1984 struct x86_emulate_ops *ops,
1985 u16 tss_selector, u16 old_tss_sel,
1986 ulong old_tss_base, struct desc_struct *new_desc)
1988 struct tss_segment_16 tss_seg;
1990 u32 new_tss_base = get_desc_base(new_desc);
1992 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1994 if (ret != X86EMUL_CONTINUE)
1995 /* FIXME: need to provide precise fault address */
1998 save_state_to_tss16(ctxt, ops, &tss_seg);
2000 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2002 if (ret != X86EMUL_CONTINUE)
2003 /* FIXME: need to provide precise fault address */
2006 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2008 if (ret != X86EMUL_CONTINUE)
2009 /* FIXME: need to provide precise fault address */
2012 if (old_tss_sel != 0xffff) {
2013 tss_seg.prev_task_link = old_tss_sel;
2015 ret = ops->write_std(new_tss_base,
2016 &tss_seg.prev_task_link,
2017 sizeof tss_seg.prev_task_link,
2018 ctxt->vcpu, &ctxt->exception);
2019 if (ret != X86EMUL_CONTINUE)
2020 /* FIXME: need to provide precise fault address */
2024 return load_state_from_tss16(ctxt, ops, &tss_seg);
2027 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2028 struct x86_emulate_ops *ops,
2029 struct tss_segment_32 *tss)
2031 struct decode_cache *c = &ctxt->decode;
2033 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2035 tss->eflags = ctxt->eflags;
2036 tss->eax = c->regs[VCPU_REGS_RAX];
2037 tss->ecx = c->regs[VCPU_REGS_RCX];
2038 tss->edx = c->regs[VCPU_REGS_RDX];
2039 tss->ebx = c->regs[VCPU_REGS_RBX];
2040 tss->esp = c->regs[VCPU_REGS_RSP];
2041 tss->ebp = c->regs[VCPU_REGS_RBP];
2042 tss->esi = c->regs[VCPU_REGS_RSI];
2043 tss->edi = c->regs[VCPU_REGS_RDI];
2045 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2046 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2047 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2048 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2049 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2050 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2051 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2054 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2055 struct x86_emulate_ops *ops,
2056 struct tss_segment_32 *tss)
2058 struct decode_cache *c = &ctxt->decode;
2061 if (ops->set_cr(3, tss->cr3, ctxt->vcpu))
2062 return emulate_gp(ctxt, 0);
2064 ctxt->eflags = tss->eflags | 2;
2065 c->regs[VCPU_REGS_RAX] = tss->eax;
2066 c->regs[VCPU_REGS_RCX] = tss->ecx;
2067 c->regs[VCPU_REGS_RDX] = tss->edx;
2068 c->regs[VCPU_REGS_RBX] = tss->ebx;
2069 c->regs[VCPU_REGS_RSP] = tss->esp;
2070 c->regs[VCPU_REGS_RBP] = tss->ebp;
2071 c->regs[VCPU_REGS_RSI] = tss->esi;
2072 c->regs[VCPU_REGS_RDI] = tss->edi;
2075 * SDM says that segment selectors are loaded before segment
2078 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2079 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2080 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2081 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2082 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2083 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2084 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2087 * Now load segment descriptors. If fault happenes at this stage
2088 * it is handled in a context of new task
2090 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2091 if (ret != X86EMUL_CONTINUE)
2093 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2094 if (ret != X86EMUL_CONTINUE)
2096 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2097 if (ret != X86EMUL_CONTINUE)
2099 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2100 if (ret != X86EMUL_CONTINUE)
2102 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2103 if (ret != X86EMUL_CONTINUE)
2105 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2106 if (ret != X86EMUL_CONTINUE)
2108 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2109 if (ret != X86EMUL_CONTINUE)
2112 return X86EMUL_CONTINUE;
2115 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2116 struct x86_emulate_ops *ops,
2117 u16 tss_selector, u16 old_tss_sel,
2118 ulong old_tss_base, struct desc_struct *new_desc)
2120 struct tss_segment_32 tss_seg;
2122 u32 new_tss_base = get_desc_base(new_desc);
2124 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2126 if (ret != X86EMUL_CONTINUE)
2127 /* FIXME: need to provide precise fault address */
2130 save_state_to_tss32(ctxt, ops, &tss_seg);
2132 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2134 if (ret != X86EMUL_CONTINUE)
2135 /* FIXME: need to provide precise fault address */
2138 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2140 if (ret != X86EMUL_CONTINUE)
2141 /* FIXME: need to provide precise fault address */
2144 if (old_tss_sel != 0xffff) {
2145 tss_seg.prev_task_link = old_tss_sel;
2147 ret = ops->write_std(new_tss_base,
2148 &tss_seg.prev_task_link,
2149 sizeof tss_seg.prev_task_link,
2150 ctxt->vcpu, &ctxt->exception);
2151 if (ret != X86EMUL_CONTINUE)
2152 /* FIXME: need to provide precise fault address */
2156 return load_state_from_tss32(ctxt, ops, &tss_seg);
2159 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2160 struct x86_emulate_ops *ops,
2161 u16 tss_selector, int reason,
2162 bool has_error_code, u32 error_code)
2164 struct desc_struct curr_tss_desc, next_tss_desc;
2166 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2167 ulong old_tss_base =
2168 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2171 /* FIXME: old_tss_base == ~0 ? */
2173 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2174 if (ret != X86EMUL_CONTINUE)
2176 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2177 if (ret != X86EMUL_CONTINUE)
2180 /* FIXME: check that next_tss_desc is tss */
2182 if (reason != TASK_SWITCH_IRET) {
2183 if ((tss_selector & 3) > next_tss_desc.dpl ||
2184 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl)
2185 return emulate_gp(ctxt, 0);
2188 desc_limit = desc_limit_scaled(&next_tss_desc);
2189 if (!next_tss_desc.p ||
2190 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2191 desc_limit < 0x2b)) {
2192 emulate_ts(ctxt, tss_selector & 0xfffc);
2193 return X86EMUL_PROPAGATE_FAULT;
2196 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2197 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2198 write_segment_descriptor(ctxt, ops, old_tss_sel,
2202 if (reason == TASK_SWITCH_IRET)
2203 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2205 /* set back link to prev task only if NT bit is set in eflags
2206 note that old_tss_sel is not used afetr this point */
2207 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2208 old_tss_sel = 0xffff;
2210 if (next_tss_desc.type & 8)
2211 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2212 old_tss_base, &next_tss_desc);
2214 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2215 old_tss_base, &next_tss_desc);
2216 if (ret != X86EMUL_CONTINUE)
2219 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2220 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2222 if (reason != TASK_SWITCH_IRET) {
2223 next_tss_desc.type |= (1 << 1); /* set busy flag */
2224 write_segment_descriptor(ctxt, ops, tss_selector,
2228 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2229 ops->set_cached_descriptor(&next_tss_desc, 0, VCPU_SREG_TR, ctxt->vcpu);
2230 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2232 if (has_error_code) {
2233 struct decode_cache *c = &ctxt->decode;
2235 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2237 c->src.val = (unsigned long) error_code;
2238 emulate_push(ctxt, ops);
2244 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2245 u16 tss_selector, int reason,
2246 bool has_error_code, u32 error_code)
2248 struct x86_emulate_ops *ops = ctxt->ops;
2249 struct decode_cache *c = &ctxt->decode;
2253 c->dst.type = OP_NONE;
2255 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2256 has_error_code, error_code);
2258 if (rc == X86EMUL_CONTINUE) {
2259 rc = writeback(ctxt, ops);
2260 if (rc == X86EMUL_CONTINUE)
2264 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2267 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
2268 int reg, struct operand *op)
2270 struct decode_cache *c = &ctxt->decode;
2271 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2273 register_address_increment(c, &c->regs[reg], df * op->bytes);
2274 op->addr.mem.ea = register_address(c, c->regs[reg]);
2275 op->addr.mem.seg = seg;
2278 static int em_push(struct x86_emulate_ctxt *ctxt)
2280 emulate_push(ctxt, ctxt->ops);
2281 return X86EMUL_CONTINUE;
2284 static int em_das(struct x86_emulate_ctxt *ctxt)
2286 struct decode_cache *c = &ctxt->decode;
2288 bool af, cf, old_cf;
2290 cf = ctxt->eflags & X86_EFLAGS_CF;
2296 af = ctxt->eflags & X86_EFLAGS_AF;
2297 if ((al & 0x0f) > 9 || af) {
2299 cf = old_cf | (al >= 250);
2304 if (old_al > 0x99 || old_cf) {
2310 /* Set PF, ZF, SF */
2311 c->src.type = OP_IMM;
2314 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2315 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2317 ctxt->eflags |= X86_EFLAGS_CF;
2319 ctxt->eflags |= X86_EFLAGS_AF;
2320 return X86EMUL_CONTINUE;
2323 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2325 struct decode_cache *c = &ctxt->decode;
2330 old_cs = ctxt->ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2333 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2334 if (load_segment_descriptor(ctxt, ctxt->ops, sel, VCPU_SREG_CS))
2335 return X86EMUL_CONTINUE;
2338 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2340 c->src.val = old_cs;
2341 emulate_push(ctxt, ctxt->ops);
2342 rc = writeback(ctxt, ctxt->ops);
2343 if (rc != X86EMUL_CONTINUE)
2346 c->src.val = old_eip;
2347 emulate_push(ctxt, ctxt->ops);
2348 rc = writeback(ctxt, ctxt->ops);
2349 if (rc != X86EMUL_CONTINUE)
2352 c->dst.type = OP_NONE;
2354 return X86EMUL_CONTINUE;
2357 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2359 struct decode_cache *c = &ctxt->decode;
2362 c->dst.type = OP_REG;
2363 c->dst.addr.reg = &c->eip;
2364 c->dst.bytes = c->op_bytes;
2365 rc = emulate_pop(ctxt, ctxt->ops, &c->dst.val, c->op_bytes);
2366 if (rc != X86EMUL_CONTINUE)
2368 register_address_increment(c, &c->regs[VCPU_REGS_RSP], c->src.val);
2369 return X86EMUL_CONTINUE;
2372 static int em_imul(struct x86_emulate_ctxt *ctxt)
2374 struct decode_cache *c = &ctxt->decode;
2376 emulate_2op_SrcV_nobyte("imul", c->src, c->dst, ctxt->eflags);
2377 return X86EMUL_CONTINUE;
2380 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2382 struct decode_cache *c = &ctxt->decode;
2384 c->dst.val = c->src2.val;
2385 return em_imul(ctxt);
2388 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2390 struct decode_cache *c = &ctxt->decode;
2392 c->dst.type = OP_REG;
2393 c->dst.bytes = c->src.bytes;
2394 c->dst.addr.reg = &c->regs[VCPU_REGS_RDX];
2395 c->dst.val = ~((c->src.val >> (c->src.bytes * 8 - 1)) - 1);
2397 return X86EMUL_CONTINUE;
2400 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2402 unsigned cpl = ctxt->ops->cpl(ctxt->vcpu);
2403 struct decode_cache *c = &ctxt->decode;
2406 if (cpl > 0 && (ctxt->ops->get_cr(4, ctxt->vcpu) & X86_CR4_TSD))
2407 return emulate_gp(ctxt, 0);
2408 ctxt->ops->get_msr(ctxt->vcpu, MSR_IA32_TSC, &tsc);
2409 c->regs[VCPU_REGS_RAX] = (u32)tsc;
2410 c->regs[VCPU_REGS_RDX] = tsc >> 32;
2411 return X86EMUL_CONTINUE;
2414 static int em_mov(struct x86_emulate_ctxt *ctxt)
2416 struct decode_cache *c = &ctxt->decode;
2417 c->dst.val = c->src.val;
2418 return X86EMUL_CONTINUE;
2421 static int em_movdqu(struct x86_emulate_ctxt *ctxt)
2423 struct decode_cache *c = &ctxt->decode;
2424 memcpy(&c->dst.vec_val, &c->src.vec_val, c->op_bytes);
2425 return X86EMUL_CONTINUE;
2428 #define D(_y) { .flags = (_y) }
2429 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
2430 #define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
2431 .check_perm = (_p) }
2433 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2434 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2435 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2436 #define II(_f, _e, _i) \
2437 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
2438 #define IIP(_f, _e, _i, _p) \
2439 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
2440 .check_perm = (_p) }
2441 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
2443 #define D2bv(_f) D((_f) | ByteOp), D(_f)
2444 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
2446 #define D6ALU(_f) D2bv((_f) | DstMem | SrcReg | ModRM), \
2447 D2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock), \
2448 D2bv(((_f) & ~Lock) | DstAcc | SrcImm)
2451 static struct opcode group1[] = {
2455 static struct opcode group1A[] = {
2456 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2459 static struct opcode group3[] = {
2460 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2461 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2462 X4(D(SrcMem | ModRM)),
2465 static struct opcode group4[] = {
2466 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2470 static struct opcode group5[] = {
2471 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2472 D(SrcMem | ModRM | Stack),
2473 I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
2474 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2475 D(SrcMem | ModRM | Stack), N,
2478 static struct group_dual group7 = { {
2479 N, N, DI(ModRM | SrcMem | Priv, lgdt), DI(ModRM | SrcMem | Priv, lidt),
2480 DI(SrcNone | ModRM | DstMem | Mov, smsw), N,
2481 DI(SrcMem16 | ModRM | Mov | Priv, lmsw),
2482 DI(SrcMem | ModRM | ByteOp | Priv | NoAccess, invlpg),
2484 D(SrcNone | ModRM | Priv | VendorSpecific), N,
2485 N, D(SrcNone | ModRM | Priv | VendorSpecific),
2486 DI(SrcNone | ModRM | DstMem | Mov, smsw), N,
2487 DI(SrcMem16 | ModRM | Mov | Priv, lmsw), N,
2490 static struct opcode group8[] = {
2492 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2493 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2496 static struct group_dual group9 = { {
2497 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2499 N, N, N, N, N, N, N, N,
2502 static struct opcode group11[] = {
2503 I(DstMem | SrcImm | ModRM | Mov, em_mov), X7(D(Undefined)),
2506 static struct gprefix pfx_0f_6f_0f_7f = {
2507 N, N, N, I(Sse, em_movdqu),
2510 static struct opcode opcode_table[256] = {
2513 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2516 D(ImplicitOps | Stack | No64), N,
2519 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2522 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2526 D6ALU(Lock), N, I(ByteOp | DstAcc | No64, em_das),
2534 X8(I(SrcReg | Stack, em_push)),
2536 X8(D(DstReg | Stack)),
2538 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2539 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2542 I(SrcImm | Mov | Stack, em_push),
2543 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
2544 I(SrcImmByte | Mov | Stack, em_push),
2545 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
2546 D2bv(DstDI | Mov | String), /* insb, insw/insd */
2547 D2bv(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2551 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2552 G(DstMem | SrcImm | ModRM | Group, group1),
2553 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2554 G(DstMem | SrcImmByte | ModRM | Group, group1),
2555 D2bv(DstMem | SrcReg | ModRM), D2bv(DstMem | SrcReg | ModRM | Lock),
2557 I2bv(DstMem | SrcReg | ModRM | Mov, em_mov),
2558 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
2559 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2560 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2562 X8(D(SrcAcc | DstReg)),
2564 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
2565 I(SrcImmFAddr | No64, em_call_far), N,
2566 DI(ImplicitOps | Stack, pushf), DI(ImplicitOps | Stack, popf), N, N,
2568 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
2569 I2bv(DstMem | SrcAcc | Mov | MemAbs, em_mov),
2570 I2bv(SrcSI | DstDI | Mov | String, em_mov),
2571 D2bv(SrcSI | DstDI | String),
2573 D2bv(DstAcc | SrcImm),
2574 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
2575 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
2576 D2bv(SrcAcc | DstDI | String),
2578 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
2580 X8(I(DstReg | SrcImm | Mov, em_mov)),
2582 D2bv(DstMem | SrcImmByte | ModRM),
2583 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
2584 D(ImplicitOps | Stack),
2585 D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr | ModRM | No64),
2586 G(ByteOp, group11), G(0, group11),
2588 N, N, N, D(ImplicitOps | Stack),
2589 D(ImplicitOps), DI(SrcImmByte, intn),
2590 D(ImplicitOps | No64), DI(ImplicitOps, iret),
2592 D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
2595 N, N, N, N, N, N, N, N,
2598 D2bv(SrcImmUByte | DstAcc), D2bv(SrcAcc | DstImmUByte),
2600 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2601 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2602 D2bv(SrcNone | DstAcc), D2bv(SrcAcc | ImplicitOps),
2605 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
2606 G(ByteOp, group3), G(0, group3),
2608 D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
2609 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2612 static struct opcode twobyte_table[256] = {
2614 N, GD(0, &group7), N, N,
2615 N, D(ImplicitOps | VendorSpecific), D(ImplicitOps | Priv), N,
2616 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
2617 N, D(ImplicitOps | ModRM), N, N,
2619 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2621 D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
2622 D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
2624 N, N, N, N, N, N, N, N,
2626 D(ImplicitOps | Priv), II(ImplicitOps, em_rdtsc, rdtsc),
2627 D(ImplicitOps | Priv), N,
2628 D(ImplicitOps | VendorSpecific), D(ImplicitOps | Priv | VendorSpecific),
2630 N, N, N, N, N, N, N, N,
2632 X16(D(DstReg | SrcMem | ModRM | Mov)),
2634 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2639 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
2644 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
2648 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
2650 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2651 N, D(DstMem | SrcReg | ModRM | BitOp),
2652 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2653 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2655 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2656 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2657 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2658 D(DstMem | SrcReg | Src2CL | ModRM),
2659 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
2661 D2bv(DstMem | SrcReg | ModRM | Lock),
2662 D(DstReg | SrcMemFAddr | ModRM), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2663 D(DstReg | SrcMemFAddr | ModRM), D(DstReg | SrcMemFAddr | ModRM),
2664 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2667 G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2668 D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2669 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2671 D2bv(DstMem | SrcReg | ModRM | Lock),
2672 N, D(DstMem | SrcReg | ModRM | Mov),
2673 N, N, N, GD(0, &group9),
2674 N, N, N, N, N, N, N, N,
2676 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2678 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2680 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2694 static unsigned imm_size(struct decode_cache *c)
2698 size = (c->d & ByteOp) ? 1 : c->op_bytes;
2704 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
2705 unsigned size, bool sign_extension)
2707 struct decode_cache *c = &ctxt->decode;
2708 struct x86_emulate_ops *ops = ctxt->ops;
2709 int rc = X86EMUL_CONTINUE;
2713 op->addr.mem.ea = c->eip;
2714 /* NB. Immediates are sign-extended as necessary. */
2715 switch (op->bytes) {
2717 op->val = insn_fetch(s8, 1, c->eip);
2720 op->val = insn_fetch(s16, 2, c->eip);
2723 op->val = insn_fetch(s32, 4, c->eip);
2726 if (!sign_extension) {
2727 switch (op->bytes) {
2735 op->val &= 0xffffffff;
2744 x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
2746 struct x86_emulate_ops *ops = ctxt->ops;
2747 struct decode_cache *c = &ctxt->decode;
2748 int rc = X86EMUL_CONTINUE;
2749 int mode = ctxt->mode;
2750 int def_op_bytes, def_ad_bytes, dual, goffset, simd_prefix;
2751 bool op_prefix = false;
2752 struct opcode opcode, *g_mod012, *g_mod3;
2753 struct operand memop = { .type = OP_NONE };
2756 c->fetch.start = c->eip;
2757 c->fetch.end = c->fetch.start + insn_len;
2759 memcpy(c->fetch.data, insn, insn_len);
2760 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2763 case X86EMUL_MODE_REAL:
2764 case X86EMUL_MODE_VM86:
2765 case X86EMUL_MODE_PROT16:
2766 def_op_bytes = def_ad_bytes = 2;
2768 case X86EMUL_MODE_PROT32:
2769 def_op_bytes = def_ad_bytes = 4;
2771 #ifdef CONFIG_X86_64
2772 case X86EMUL_MODE_PROT64:
2781 c->op_bytes = def_op_bytes;
2782 c->ad_bytes = def_ad_bytes;
2784 /* Legacy prefixes. */
2786 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2787 case 0x66: /* operand-size override */
2789 /* switch between 2/4 bytes */
2790 c->op_bytes = def_op_bytes ^ 6;
2792 case 0x67: /* address-size override */
2793 if (mode == X86EMUL_MODE_PROT64)
2794 /* switch between 4/8 bytes */
2795 c->ad_bytes = def_ad_bytes ^ 12;
2797 /* switch between 2/4 bytes */
2798 c->ad_bytes = def_ad_bytes ^ 6;
2800 case 0x26: /* ES override */
2801 case 0x2e: /* CS override */
2802 case 0x36: /* SS override */
2803 case 0x3e: /* DS override */
2804 set_seg_override(c, (c->b >> 3) & 3);
2806 case 0x64: /* FS override */
2807 case 0x65: /* GS override */
2808 set_seg_override(c, c->b & 7);
2810 case 0x40 ... 0x4f: /* REX */
2811 if (mode != X86EMUL_MODE_PROT64)
2813 c->rex_prefix = c->b;
2815 case 0xf0: /* LOCK */
2818 case 0xf2: /* REPNE/REPNZ */
2819 case 0xf3: /* REP/REPE/REPZ */
2820 c->rep_prefix = c->b;
2826 /* Any legacy prefix after a REX prefix nullifies its effect. */
2834 if (c->rex_prefix & 8)
2835 c->op_bytes = 8; /* REX.W */
2837 /* Opcode byte(s). */
2838 opcode = opcode_table[c->b];
2839 /* Two-byte opcode? */
2842 c->b = insn_fetch(u8, 1, c->eip);
2843 opcode = twobyte_table[c->b];
2845 c->d = opcode.flags;
2848 dual = c->d & GroupDual;
2849 c->modrm = insn_fetch(u8, 1, c->eip);
2852 if (c->d & GroupDual) {
2853 g_mod012 = opcode.u.gdual->mod012;
2854 g_mod3 = opcode.u.gdual->mod3;
2856 g_mod012 = g_mod3 = opcode.u.group;
2858 c->d &= ~(Group | GroupDual);
2860 goffset = (c->modrm >> 3) & 7;
2862 if ((c->modrm >> 6) == 3)
2863 opcode = g_mod3[goffset];
2865 opcode = g_mod012[goffset];
2866 c->d |= opcode.flags;
2869 if (c->d & Prefix) {
2870 if (c->rep_prefix && op_prefix)
2871 return X86EMUL_UNHANDLEABLE;
2872 simd_prefix = op_prefix ? 0x66 : c->rep_prefix;
2873 switch (simd_prefix) {
2874 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
2875 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
2876 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
2877 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
2879 c->d |= opcode.flags;
2882 c->execute = opcode.u.execute;
2883 c->check_perm = opcode.check_perm;
2884 c->intercept = opcode.intercept;
2887 if (c->d == 0 || (c->d & Undefined))
2890 if (!(c->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
2893 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2896 if (c->d & Op3264) {
2897 if (mode == X86EMUL_MODE_PROT64)
2906 /* ModRM and SIB bytes. */
2908 rc = decode_modrm(ctxt, ops, &memop);
2909 if (!c->has_seg_override)
2910 set_seg_override(c, c->modrm_seg);
2911 } else if (c->d & MemAbs)
2912 rc = decode_abs(ctxt, ops, &memop);
2913 if (rc != X86EMUL_CONTINUE)
2916 if (!c->has_seg_override)
2917 set_seg_override(c, VCPU_SREG_DS);
2919 memop.addr.mem.seg = seg_override(ctxt, ops, c);
2921 if (memop.type == OP_MEM && c->ad_bytes != 8)
2922 memop.addr.mem.ea = (u32)memop.addr.mem.ea;
2924 if (memop.type == OP_MEM && c->rip_relative)
2925 memop.addr.mem.ea += c->eip;
2928 * Decode and fetch the source operand: register, memory
2931 switch (c->d & SrcMask) {
2935 decode_register_operand(ctxt, &c->src, c, 0);
2944 memop.bytes = (c->d & ByteOp) ? 1 :
2950 rc = decode_imm(ctxt, &c->src, 2, false);
2953 rc = decode_imm(ctxt, &c->src, imm_size(c), true);
2956 rc = decode_imm(ctxt, &c->src, imm_size(c), false);
2959 rc = decode_imm(ctxt, &c->src, 1, true);
2962 rc = decode_imm(ctxt, &c->src, 1, false);
2965 c->src.type = OP_REG;
2966 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2967 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2968 fetch_register_operand(&c->src);
2975 c->src.type = OP_MEM;
2976 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2977 c->src.addr.mem.ea =
2978 register_address(c, c->regs[VCPU_REGS_RSI]);
2979 c->src.addr.mem.seg = seg_override(ctxt, ops, c),
2983 c->src.type = OP_IMM;
2984 c->src.addr.mem.ea = c->eip;
2985 c->src.bytes = c->op_bytes + 2;
2986 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2989 memop.bytes = c->op_bytes + 2;
2994 if (rc != X86EMUL_CONTINUE)
2998 * Decode and fetch the second source operand: register, memory
3001 switch (c->d & Src2Mask) {
3006 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
3009 rc = decode_imm(ctxt, &c->src2, 1, true);
3016 rc = decode_imm(ctxt, &c->src2, imm_size(c), true);
3020 if (rc != X86EMUL_CONTINUE)
3023 /* Decode and fetch the destination operand: register or memory. */
3024 switch (c->d & DstMask) {
3026 decode_register_operand(ctxt, &c->dst, c,
3027 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
3030 c->dst.type = OP_IMM;
3031 c->dst.addr.mem.ea = c->eip;
3033 c->dst.val = insn_fetch(u8, 1, c->eip);
3038 if ((c->d & DstMask) == DstMem64)
3041 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3043 fetch_bit_operand(c);
3044 c->dst.orig_val = c->dst.val;
3047 c->dst.type = OP_REG;
3048 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3049 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
3050 fetch_register_operand(&c->dst);
3051 c->dst.orig_val = c->dst.val;
3054 c->dst.type = OP_MEM;
3055 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
3056 c->dst.addr.mem.ea =
3057 register_address(c, c->regs[VCPU_REGS_RDI]);
3058 c->dst.addr.mem.seg = VCPU_SREG_ES;
3062 /* Special instructions do their own operand decoding. */
3064 c->dst.type = OP_NONE; /* Disable writeback. */
3069 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3072 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
3074 struct decode_cache *c = &ctxt->decode;
3076 /* The second termination condition only applies for REPE
3077 * and REPNE. Test if the repeat string operation prefix is
3078 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
3079 * corresponding termination condition according to:
3080 * - if REPE/REPZ and ZF = 0 then done
3081 * - if REPNE/REPNZ and ZF = 1 then done
3083 if (((c->b == 0xa6) || (c->b == 0xa7) ||
3084 (c->b == 0xae) || (c->b == 0xaf))
3085 && (((c->rep_prefix == REPE_PREFIX) &&
3086 ((ctxt->eflags & EFLG_ZF) == 0))
3087 || ((c->rep_prefix == REPNE_PREFIX) &&
3088 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
3095 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
3097 struct x86_emulate_ops *ops = ctxt->ops;
3099 struct decode_cache *c = &ctxt->decode;
3100 int rc = X86EMUL_CONTINUE;
3101 int saved_dst_type = c->dst.type;
3102 int irq; /* Used for int 3, int, and into */
3104 ctxt->decode.mem_read.pos = 0;
3106 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
3107 rc = emulate_ud(ctxt);
3111 /* LOCK prefix is allowed only with some instructions */
3112 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
3113 rc = emulate_ud(ctxt);
3117 if ((c->d & SrcMask) == SrcMemFAddr && c->src.type != OP_MEM) {
3118 rc = emulate_ud(ctxt);
3123 && ((ops->get_cr(0, ctxt->vcpu) & X86_CR0_EM)
3124 || !(ops->get_cr(4, ctxt->vcpu) & X86_CR4_OSFXSR))) {
3125 rc = emulate_ud(ctxt);
3129 if ((c->d & Sse) && (ops->get_cr(0, ctxt->vcpu) & X86_CR0_TS)) {
3130 rc = emulate_nm(ctxt);
3134 if (unlikely(ctxt->guest_mode) && c->intercept) {
3135 rc = ops->intercept(ctxt, c->intercept,
3136 X86_ICPT_PRE_EXCEPT);
3137 if (rc != X86EMUL_CONTINUE)
3141 /* Privileged instruction can be executed only in CPL=0 */
3142 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
3143 rc = emulate_gp(ctxt, 0);
3147 /* Instruction can only be executed in protected mode */
3148 if ((c->d & Prot) && !(ctxt->mode & X86EMUL_MODE_PROT)) {
3149 rc = emulate_ud(ctxt);
3153 /* Do instruction specific permission checks */
3154 if (c->check_perm) {
3155 rc = c->check_perm(ctxt);
3156 if (rc != X86EMUL_CONTINUE)
3160 if (unlikely(ctxt->guest_mode) && c->intercept) {
3161 rc = ops->intercept(ctxt, c->intercept,
3162 X86_ICPT_POST_EXCEPT);
3163 if (rc != X86EMUL_CONTINUE)
3167 if (c->rep_prefix && (c->d & String)) {
3168 /* All REP prefixes have the same first termination condition */
3169 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
3175 if ((c->src.type == OP_MEM) && !(c->d & NoAccess)) {
3176 rc = read_emulated(ctxt, ops, linear(ctxt, c->src.addr.mem),
3177 c->src.valptr, c->src.bytes);
3178 if (rc != X86EMUL_CONTINUE)
3180 c->src.orig_val64 = c->src.val64;
3183 if (c->src2.type == OP_MEM) {
3184 rc = read_emulated(ctxt, ops, linear(ctxt, c->src2.addr.mem),
3185 &c->src2.val, c->src2.bytes);
3186 if (rc != X86EMUL_CONTINUE)
3190 if ((c->d & DstMask) == ImplicitOps)
3194 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
3195 /* optimisation - avoid slow emulated read if Mov */
3196 rc = read_emulated(ctxt, ops, linear(ctxt, c->dst.addr.mem),
3197 &c->dst.val, c->dst.bytes);
3198 if (rc != X86EMUL_CONTINUE)
3201 c->dst.orig_val = c->dst.val;
3205 if (unlikely(ctxt->guest_mode) && c->intercept) {
3206 rc = ops->intercept(ctxt, c->intercept,
3207 X86_ICPT_POST_MEMACCESS);
3208 if (rc != X86EMUL_CONTINUE)
3213 rc = c->execute(ctxt);
3214 if (rc != X86EMUL_CONTINUE)
3225 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3227 case 0x06: /* push es */
3228 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
3230 case 0x07: /* pop es */
3231 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
3235 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
3237 case 0x0e: /* push cs */
3238 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
3242 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
3244 case 0x16: /* push ss */
3245 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
3247 case 0x17: /* pop ss */
3248 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
3252 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
3254 case 0x1e: /* push ds */
3255 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
3257 case 0x1f: /* pop ds */
3258 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
3262 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
3266 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
3270 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
3274 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3276 case 0x40 ... 0x47: /* inc r16/r32 */
3277 emulate_1op("inc", c->dst, ctxt->eflags);
3279 case 0x48 ... 0x4f: /* dec r16/r32 */
3280 emulate_1op("dec", c->dst, ctxt->eflags);
3282 case 0x58 ... 0x5f: /* pop reg */
3284 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
3286 case 0x60: /* pusha */
3287 rc = emulate_pusha(ctxt, ops);
3289 case 0x61: /* popa */
3290 rc = emulate_popa(ctxt, ops);
3292 case 0x63: /* movsxd */
3293 if (ctxt->mode != X86EMUL_MODE_PROT64)
3294 goto cannot_emulate;
3295 c->dst.val = (s32) c->src.val;
3297 case 0x6c: /* insb */
3298 case 0x6d: /* insw/insd */
3299 c->src.val = c->regs[VCPU_REGS_RDX];
3301 case 0x6e: /* outsb */
3302 case 0x6f: /* outsw/outsd */
3303 c->dst.val = c->regs[VCPU_REGS_RDX];
3306 case 0x70 ... 0x7f: /* jcc (short) */
3307 if (test_cc(c->b, ctxt->eflags))
3308 jmp_rel(c, c->src.val);
3310 case 0x80 ... 0x83: /* Grp1 */
3311 switch (c->modrm_reg) {
3332 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
3334 case 0x86 ... 0x87: /* xchg */
3336 /* Write back the register source. */
3337 c->src.val = c->dst.val;
3338 write_register_operand(&c->src);
3340 * Write back the memory destination with implicit LOCK
3343 c->dst.val = c->src.orig_val;
3346 case 0x8c: /* mov r/m, sreg */
3347 if (c->modrm_reg > VCPU_SREG_GS) {
3348 rc = emulate_ud(ctxt);
3351 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
3353 case 0x8d: /* lea r16/r32, m */
3354 c->dst.val = c->src.addr.mem.ea;
3356 case 0x8e: { /* mov seg, r/m16 */
3361 if (c->modrm_reg == VCPU_SREG_CS ||
3362 c->modrm_reg > VCPU_SREG_GS) {
3363 rc = emulate_ud(ctxt);
3367 if (c->modrm_reg == VCPU_SREG_SS)
3368 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3370 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
3372 c->dst.type = OP_NONE; /* Disable writeback. */
3375 case 0x8f: /* pop (sole member of Grp1a) */
3376 rc = emulate_grp1a(ctxt, ops);
3378 case 0x90 ... 0x97: /* nop / xchg reg, rax */
3379 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
3382 case 0x98: /* cbw/cwde/cdqe */
3383 switch (c->op_bytes) {
3384 case 2: c->dst.val = (s8)c->dst.val; break;
3385 case 4: c->dst.val = (s16)c->dst.val; break;
3386 case 8: c->dst.val = (s32)c->dst.val; break;
3389 case 0x9c: /* pushf */
3390 c->src.val = (unsigned long) ctxt->eflags;
3391 emulate_push(ctxt, ops);
3393 case 0x9d: /* popf */
3394 c->dst.type = OP_REG;
3395 c->dst.addr.reg = &ctxt->eflags;
3396 c->dst.bytes = c->op_bytes;
3397 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
3399 case 0xa6 ... 0xa7: /* cmps */
3400 c->dst.type = OP_NONE; /* Disable writeback. */
3402 case 0xa8 ... 0xa9: /* test ax, imm */
3404 case 0xae ... 0xaf: /* scas */
3409 case 0xc3: /* ret */
3410 c->dst.type = OP_REG;
3411 c->dst.addr.reg = &c->eip;
3412 c->dst.bytes = c->op_bytes;
3413 goto pop_instruction;
3414 case 0xc4: /* les */
3415 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_ES);
3417 case 0xc5: /* lds */
3418 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
3420 case 0xcb: /* ret far */
3421 rc = emulate_ret_far(ctxt, ops);
3423 case 0xcc: /* int3 */
3426 case 0xcd: /* int n */
3429 rc = emulate_int(ctxt, ops, irq);
3431 case 0xce: /* into */
3432 if (ctxt->eflags & EFLG_OF) {
3437 case 0xcf: /* iret */
3438 rc = emulate_iret(ctxt, ops);
3440 case 0xd0 ... 0xd1: /* Grp2 */
3443 case 0xd2 ... 0xd3: /* Grp2 */
3444 c->src.val = c->regs[VCPU_REGS_RCX];
3447 case 0xe0 ... 0xe2: /* loop/loopz/loopnz */
3448 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3449 if (address_mask(c, c->regs[VCPU_REGS_RCX]) != 0 &&
3450 (c->b == 0xe2 || test_cc(c->b ^ 0x5, ctxt->eflags)))
3451 jmp_rel(c, c->src.val);
3453 case 0xe3: /* jcxz/jecxz/jrcxz */
3454 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0)
3455 jmp_rel(c, c->src.val);
3457 case 0xe4: /* inb */
3460 case 0xe6: /* outb */
3461 case 0xe7: /* out */
3463 case 0xe8: /* call (near) */ {
3464 long int rel = c->src.val;
3465 c->src.val = (unsigned long) c->eip;
3467 emulate_push(ctxt, ops);
3470 case 0xe9: /* jmp rel */
3472 case 0xea: { /* jmp far */
3475 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3477 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3481 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3485 jmp: /* jmp rel short */
3486 jmp_rel(c, c->src.val);
3487 c->dst.type = OP_NONE; /* Disable writeback. */
3489 case 0xec: /* in al,dx */
3490 case 0xed: /* in (e/r)ax,dx */
3491 c->src.val = c->regs[VCPU_REGS_RDX];
3493 c->dst.bytes = min(c->dst.bytes, 4u);
3494 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3495 rc = emulate_gp(ctxt, 0);
3498 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3500 goto done; /* IO is needed */
3502 case 0xee: /* out dx,al */
3503 case 0xef: /* out dx,(e/r)ax */
3504 c->dst.val = c->regs[VCPU_REGS_RDX];
3506 c->src.bytes = min(c->src.bytes, 4u);
3507 if (!emulator_io_permited(ctxt, ops, c->dst.val,
3509 rc = emulate_gp(ctxt, 0);
3512 ops->pio_out_emulated(c->src.bytes, c->dst.val,
3513 &c->src.val, 1, ctxt->vcpu);
3514 c->dst.type = OP_NONE; /* Disable writeback. */
3516 case 0xf4: /* hlt */
3517 ctxt->vcpu->arch.halt_request = 1;
3519 case 0xf5: /* cmc */
3520 /* complement carry flag from eflags reg */
3521 ctxt->eflags ^= EFLG_CF;
3523 case 0xf6 ... 0xf7: /* Grp3 */
3524 rc = emulate_grp3(ctxt, ops);
3526 case 0xf8: /* clc */
3527 ctxt->eflags &= ~EFLG_CF;
3529 case 0xf9: /* stc */
3530 ctxt->eflags |= EFLG_CF;
3532 case 0xfa: /* cli */
3533 if (emulator_bad_iopl(ctxt, ops)) {
3534 rc = emulate_gp(ctxt, 0);
3537 ctxt->eflags &= ~X86_EFLAGS_IF;
3539 case 0xfb: /* sti */
3540 if (emulator_bad_iopl(ctxt, ops)) {
3541 rc = emulate_gp(ctxt, 0);
3544 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3545 ctxt->eflags |= X86_EFLAGS_IF;
3548 case 0xfc: /* cld */
3549 ctxt->eflags &= ~EFLG_DF;
3551 case 0xfd: /* std */
3552 ctxt->eflags |= EFLG_DF;
3554 case 0xfe: /* Grp4 */
3556 rc = emulate_grp45(ctxt, ops);
3558 case 0xff: /* Grp5 */
3559 if (c->modrm_reg == 5)
3563 goto cannot_emulate;
3566 if (rc != X86EMUL_CONTINUE)
3570 rc = writeback(ctxt, ops);
3571 if (rc != X86EMUL_CONTINUE)
3575 * restore dst type in case the decoding will be reused
3576 * (happens for string instruction )
3578 c->dst.type = saved_dst_type;
3580 if ((c->d & SrcMask) == SrcSI)
3581 string_addr_inc(ctxt, seg_override(ctxt, ops, c),
3582 VCPU_REGS_RSI, &c->src);
3584 if ((c->d & DstMask) == DstDI)
3585 string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
3588 if (c->rep_prefix && (c->d & String)) {
3589 struct read_cache *r = &ctxt->decode.io_read;
3590 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3592 if (!string_insn_completed(ctxt)) {
3594 * Re-enter guest when pio read ahead buffer is empty
3595 * or, if it is not used, after each 1024 iteration.
3597 if ((r->end != 0 || c->regs[VCPU_REGS_RCX] & 0x3ff) &&
3598 (r->end == 0 || r->end != r->pos)) {
3600 * Reset read cache. Usually happens before
3601 * decode, but since instruction is restarted
3602 * we have to do it here.
3604 ctxt->decode.mem_read.end = 0;
3605 return EMULATION_RESTART;
3607 goto done; /* skip rip writeback */
3614 if (rc == X86EMUL_PROPAGATE_FAULT)
3615 ctxt->have_exception = true;
3616 if (rc == X86EMUL_INTERCEPTED)
3617 return EMULATION_INTERCEPTED;
3619 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3623 case 0x01: /* lgdt, lidt, lmsw */
3624 switch (c->modrm_reg) {
3626 unsigned long address;
3628 case 0: /* vmcall */
3629 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3630 goto cannot_emulate;
3632 rc = kvm_fix_hypercall(ctxt->vcpu);
3633 if (rc != X86EMUL_CONTINUE)
3636 /* Let the processor re-execute the fixed hypercall */
3638 /* Disable writeback. */
3639 c->dst.type = OP_NONE;
3642 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3643 &size, &address, c->op_bytes);
3644 if (rc != X86EMUL_CONTINUE)
3646 realmode_lgdt(ctxt->vcpu, size, address);
3647 /* Disable writeback. */
3648 c->dst.type = OP_NONE;
3650 case 3: /* lidt/vmmcall */
3651 if (c->modrm_mod == 3) {
3652 switch (c->modrm_rm) {
3654 rc = kvm_fix_hypercall(ctxt->vcpu);
3657 goto cannot_emulate;
3660 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3663 if (rc != X86EMUL_CONTINUE)
3665 realmode_lidt(ctxt->vcpu, size, address);
3667 /* Disable writeback. */
3668 c->dst.type = OP_NONE;
3672 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3675 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3676 (c->src.val & 0x0f), ctxt->vcpu);
3677 c->dst.type = OP_NONE;
3679 case 5: /* not defined */
3681 rc = X86EMUL_PROPAGATE_FAULT;
3684 emulate_invlpg(ctxt->vcpu,
3685 linear(ctxt, c->src.addr.mem));
3686 /* Disable writeback. */
3687 c->dst.type = OP_NONE;
3690 goto cannot_emulate;
3693 case 0x05: /* syscall */
3694 rc = emulate_syscall(ctxt, ops);
3697 emulate_clts(ctxt->vcpu);
3699 case 0x09: /* wbinvd */
3700 kvm_emulate_wbinvd(ctxt->vcpu);
3702 case 0x08: /* invd */
3703 case 0x0d: /* GrpP (prefetch) */
3704 case 0x18: /* Grp16 (prefetch/nop) */
3706 case 0x20: /* mov cr, reg */
3707 switch (c->modrm_reg) {
3712 rc = X86EMUL_PROPAGATE_FAULT;
3715 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3717 case 0x21: /* mov from dr to reg */
3718 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3719 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3721 rc = X86EMUL_PROPAGATE_FAULT;
3724 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3726 case 0x22: /* mov reg, cr */
3727 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3728 emulate_gp(ctxt, 0);
3729 rc = X86EMUL_PROPAGATE_FAULT;
3732 c->dst.type = OP_NONE;
3734 case 0x23: /* mov from reg to dr */
3735 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3736 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3738 rc = X86EMUL_PROPAGATE_FAULT;
3742 if (ops->set_dr(c->modrm_reg, c->src.val &
3743 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3744 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3745 /* #UD condition is already handled by the code above */
3746 emulate_gp(ctxt, 0);
3747 rc = X86EMUL_PROPAGATE_FAULT;
3751 c->dst.type = OP_NONE; /* no writeback */
3755 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3756 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3757 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3758 emulate_gp(ctxt, 0);
3759 rc = X86EMUL_PROPAGATE_FAULT;
3762 rc = X86EMUL_CONTINUE;
3766 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3767 emulate_gp(ctxt, 0);
3768 rc = X86EMUL_PROPAGATE_FAULT;
3771 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3772 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3774 rc = X86EMUL_CONTINUE;
3776 case 0x34: /* sysenter */
3777 rc = emulate_sysenter(ctxt, ops);
3779 case 0x35: /* sysexit */
3780 rc = emulate_sysexit(ctxt, ops);
3782 case 0x40 ... 0x4f: /* cmov */
3783 c->dst.val = c->dst.orig_val = c->src.val;
3784 if (!test_cc(c->b, ctxt->eflags))
3785 c->dst.type = OP_NONE; /* no writeback */
3787 case 0x80 ... 0x8f: /* jnz rel, etc*/
3788 if (test_cc(c->b, ctxt->eflags))
3789 jmp_rel(c, c->src.val);
3791 case 0x90 ... 0x9f: /* setcc r/m8 */
3792 c->dst.val = test_cc(c->b, ctxt->eflags);
3794 case 0xa0: /* push fs */
3795 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3797 case 0xa1: /* pop fs */
3798 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3802 c->dst.type = OP_NONE;
3803 /* only subword offset */
3804 c->src.val &= (c->dst.bytes << 3) - 1;
3805 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3807 case 0xa4: /* shld imm8, r, r/m */
3808 case 0xa5: /* shld cl, r, r/m */
3809 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3811 case 0xa8: /* push gs */
3812 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3814 case 0xa9: /* pop gs */
3815 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3819 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3821 case 0xac: /* shrd imm8, r, r/m */
3822 case 0xad: /* shrd cl, r, r/m */
3823 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3825 case 0xae: /* clflush */
3827 case 0xb0 ... 0xb1: /* cmpxchg */
3829 * Save real source value, then compare EAX against
3832 c->src.orig_val = c->src.val;
3833 c->src.val = c->regs[VCPU_REGS_RAX];
3834 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3835 if (ctxt->eflags & EFLG_ZF) {
3836 /* Success: write back to memory. */
3837 c->dst.val = c->src.orig_val;
3839 /* Failure: write the value we saw to EAX. */
3840 c->dst.type = OP_REG;
3841 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3844 case 0xb2: /* lss */
3845 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_SS);
3849 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3851 case 0xb4: /* lfs */
3852 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_FS);
3854 case 0xb5: /* lgs */
3855 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_GS);
3857 case 0xb6 ... 0xb7: /* movzx */
3858 c->dst.bytes = c->op_bytes;
3859 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3862 case 0xba: /* Grp8 */
3863 switch (c->modrm_reg & 3) {
3876 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3878 case 0xbc: { /* bsf */
3880 __asm__ ("bsf %2, %0; setz %1"
3881 : "=r"(c->dst.val), "=q"(zf)
3883 ctxt->eflags &= ~X86_EFLAGS_ZF;
3885 ctxt->eflags |= X86_EFLAGS_ZF;
3886 c->dst.type = OP_NONE; /* Disable writeback. */
3890 case 0xbd: { /* bsr */
3892 __asm__ ("bsr %2, %0; setz %1"
3893 : "=r"(c->dst.val), "=q"(zf)
3895 ctxt->eflags &= ~X86_EFLAGS_ZF;
3897 ctxt->eflags |= X86_EFLAGS_ZF;
3898 c->dst.type = OP_NONE; /* Disable writeback. */
3902 case 0xbe ... 0xbf: /* movsx */
3903 c->dst.bytes = c->op_bytes;
3904 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3907 case 0xc0 ... 0xc1: /* xadd */
3908 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3909 /* Write back the register source. */
3910 c->src.val = c->dst.orig_val;
3911 write_register_operand(&c->src);
3913 case 0xc3: /* movnti */
3914 c->dst.bytes = c->op_bytes;
3915 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3918 case 0xc7: /* Grp9 (cmpxchg8b) */
3919 rc = emulate_grp9(ctxt, ops);
3922 goto cannot_emulate;
3925 if (rc != X86EMUL_CONTINUE)
projects / mv-sheeva.git / blob