1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need not be handled.
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in DS:(E)SI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
76 #define ModRM (1<<8)
77 /* Destination is only written; never read. */
78 #define Mov (1<<9)
79 #define BitOp (1<<10)
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
85 #define GroupMask 0xff /* Group number stored in bits 0:7 */
87 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
88 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
89 #define No64 (1<<28) /* instruction not valid in 64-bit mode */
90 /* Source 2 operand type */
91 #define Src2None (0<<29)
92 #define Src2CL (1<<29)
93 #define Src2ImmByte (2<<29)
94 #define Src2One (3<<29)
95 #define Src2Mask (7<<29)
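/*
 * Illustrative note (not from the original source): a decode-table entry
 * is simply an OR of the bits above. For example, opcode 0x00
 * (add r/m8, r8) appears in opcode_table[] below as
 *
 *	ByteOp | DstMem | SrcReg | ModRM | Lock
 *
 * i.e. 8-bit operands, destination taken from the ModRM r/m field as
 * memory, source taken from the ModRM reg field, a ModRM byte follows
 * the opcode, and the lock prefix is permitted. The decoder later
 * extracts each field with DstMask, SrcMask, Src2Mask and GroupMask.
 */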
98 Group1_80, Group1_81, Group1_82, Group1_83,
99 Group1A, Group3_Byte, Group3, Group4, Group5, Group7, Group8, Group9,
103 static u32 opcode_table[256] = {
105 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
106 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
107 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
108 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
110 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
111 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
112 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
113 ImplicitOps | Stack | No64, 0,
115 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
116 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
117 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
118 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
120 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
121 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
122 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
123 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
125 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
126 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
127 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
129 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
130 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
131 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
133 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
134 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
135 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
137 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
138 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
139 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
142 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
144 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
146 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
147 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
149 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
150 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
152 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
153 0, DstReg | SrcMem32 | ModRM | Mov, /* movsxd (x86-64) */
156 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
157 DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
158 SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
160 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
161 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
163 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
164 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
166 Group | Group1_80, Group | Group1_81,
167 Group | Group1_82, Group | Group1_83,
168 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
169 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
171 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
172 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
173 DstMem | SrcNone | ModRM | Mov, ModRM | DstReg,
174 ImplicitOps | SrcMem16 | ModRM, Group | Group1A,
176 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
178 0, 0, SrcImmFAddr | No64, 0,
179 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
181 ByteOp | DstAcc | SrcMem | Mov | MemAbs, DstAcc | SrcMem | Mov | MemAbs,
182 ByteOp | DstMem | SrcAcc | Mov | MemAbs, DstMem | SrcAcc | Mov | MemAbs,
183 ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
184 ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
186 DstAcc | SrcImmByte | ByteOp, DstAcc | SrcImm, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
187 ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
188 ByteOp | DstDI | String, DstDI | String,
190 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
191 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
192 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
193 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
195 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
196 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
197 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
198 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
200 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
201 0, ImplicitOps | Stack, 0, 0,
202 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
204 0, 0, 0, ImplicitOps | Stack,
205 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
207 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
208 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
211 0, 0, 0, 0, 0, 0, 0, 0,
214 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
215 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
217 SrcImm | Stack, SrcImm | ImplicitOps,
218 SrcImmFAddr | No64, SrcImmByte | ImplicitOps,
219 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
220 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
223 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
225 ImplicitOps, 0, ImplicitOps, ImplicitOps,
226 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
229 static u32 twobyte_table[256] = {
231 0, Group | GroupDual | Group7, 0, 0,
232 0, ImplicitOps, ImplicitOps | Priv, 0,
233 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
234 0, ImplicitOps | ModRM, 0, 0,
236 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
238 ModRM | ImplicitOps | Priv, ModRM | Priv,
239 ModRM | ImplicitOps | Priv, ModRM | Priv,
241 0, 0, 0, 0, 0, 0, 0, 0,
243 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
244 ImplicitOps, ImplicitOps | Priv, 0, 0,
245 0, 0, 0, 0, 0, 0, 0, 0,
247 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
248 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
249 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
250 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
252 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
253 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
254 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
255 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
257 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
259 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
261 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
263 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
264 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
266 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
268 ImplicitOps | Stack, ImplicitOps | Stack,
269 0, DstMem | SrcReg | ModRM | BitOp,
270 DstMem | SrcReg | Src2ImmByte | ModRM,
271 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
273 ImplicitOps | Stack, ImplicitOps | Stack,
274 0, DstMem | SrcReg | ModRM | BitOp | Lock,
275 DstMem | SrcReg | Src2ImmByte | ModRM,
276 DstMem | SrcReg | Src2CL | ModRM,
279 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
280 0, DstMem | SrcReg | ModRM | BitOp | Lock,
281 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
282 DstReg | SrcMem16 | ModRM | Mov,
285 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
286 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
287 DstReg | SrcMem16 | ModRM | Mov,
289 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
290 0, 0, 0, Group | GroupDual | Group9,
291 0, 0, 0, 0, 0, 0, 0, 0,
293 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
295 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
297 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
300 static u32 group_table[] = {
302 ByteOp | DstMem | SrcImm | ModRM | Lock,
303 ByteOp | DstMem | SrcImm | ModRM | Lock,
304 ByteOp | DstMem | SrcImm | ModRM | Lock,
305 ByteOp | DstMem | SrcImm | ModRM | Lock,
306 ByteOp | DstMem | SrcImm | ModRM | Lock,
307 ByteOp | DstMem | SrcImm | ModRM | Lock,
308 ByteOp | DstMem | SrcImm | ModRM | Lock,
309 ByteOp | DstMem | SrcImm | ModRM,
311 DstMem | SrcImm | ModRM | Lock,
312 DstMem | SrcImm | ModRM | Lock,
313 DstMem | SrcImm | ModRM | Lock,
314 DstMem | SrcImm | ModRM | Lock,
315 DstMem | SrcImm | ModRM | Lock,
316 DstMem | SrcImm | ModRM | Lock,
317 DstMem | SrcImm | ModRM | Lock,
318 DstMem | SrcImm | ModRM,
320 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
321 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
322 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
323 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
324 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
325 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
326 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
327 ByteOp | DstMem | SrcImm | ModRM | No64,
329 DstMem | SrcImmByte | ModRM | Lock,
330 DstMem | SrcImmByte | ModRM | Lock,
331 DstMem | SrcImmByte | ModRM | Lock,
332 DstMem | SrcImmByte | ModRM | Lock,
333 DstMem | SrcImmByte | ModRM | Lock,
334 DstMem | SrcImmByte | ModRM | Lock,
335 DstMem | SrcImmByte | ModRM | Lock,
336 DstMem | SrcImmByte | ModRM,
338 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
340 ByteOp | SrcImm | DstMem | ModRM, ByteOp | SrcImm | DstMem | ModRM,
341 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
344 DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
345 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
348 ByteOp | DstMem | SrcNone | ModRM | Lock, ByteOp | DstMem | SrcNone | ModRM | Lock,
351 DstMem | SrcNone | ModRM | Lock, DstMem | SrcNone | ModRM | Lock,
352 SrcMem | ModRM | Stack, 0,
353 SrcMem | ModRM | Stack, SrcMemFAddr | ModRM | ImplicitOps,
354 SrcMem | ModRM | Stack, 0,
356 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
357 SrcNone | ModRM | DstMem | Mov, 0,
358 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
361 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
362 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
364 0, DstMem64 | ModRM | Lock, 0, 0, 0, 0, 0, 0,
367 static u32 group2_table[] = {
369 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
370 SrcNone | ModRM | DstMem | Mov, 0,
371 SrcMem16 | ModRM | Mov | Priv, 0,
373 0, 0, 0, 0, 0, 0, 0, 0,
376 /* EFLAGS bit definitions. */
377 #define EFLG_ID (1<<21)
378 #define EFLG_VIP (1<<20)
379 #define EFLG_VIF (1<<19)
380 #define EFLG_AC (1<<18)
381 #define EFLG_VM (1<<17)
382 #define EFLG_RF (1<<16)
383 #define EFLG_IOPL (3<<12)
384 #define EFLG_NT (1<<14)
385 #define EFLG_OF (1<<11)
386 #define EFLG_DF (1<<10)
387 #define EFLG_IF (1<<9)
388 #define EFLG_TF (1<<8)
389 #define EFLG_SF (1<<7)
390 #define EFLG_ZF (1<<6)
391 #define EFLG_AF (1<<4)
392 #define EFLG_PF (1<<2)
393 #define EFLG_CF (1<<0)
396 * Instruction emulation:
397 * Most instructions are emulated directly via a fragment of inline assembly
398 * code. This allows us to save/restore EFLAGS and thus very easily pick up
399 * any modified flags.
402 #if defined(CONFIG_X86_64)
403 #define _LO32 "k" /* force 32-bit operand */
404 #define _STK "%%rsp" /* stack pointer */
405 #elif defined(__i386__)
406 #define _LO32 "" /* force 32-bit operand */
407 #define _STK "%%esp" /* stack pointer */
411 * These EFLAGS bits are restored from the saved value during emulation, and
412 * any changes are written back to the saved value after emulation.
414 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
416 /* Before executing instruction: restore necessary bits in EFLAGS. */
417 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
418 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
419 "movl %"_sav",%"_LO32 _tmp"; " \
422 "movl %"_msk",%"_LO32 _tmp"; " \
423 "andl %"_LO32 _tmp",("_STK"); " \
425 "notl %"_LO32 _tmp"; " \
426 "andl %"_LO32 _tmp",("_STK"); " \
427 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
429 "orl %"_LO32 _tmp",("_STK"); " \
433 /* After executing instruction: write-back necessary bits in EFLAGS. */
434 #define _POST_EFLAGS(_sav, _msk, _tmp) \
435 /* _sav |= EFLAGS & _msk; */ \
438 "andl %"_msk",%"_LO32 _tmp"; " \
439 "orl %"_LO32 _tmp",%"_sav"; "
447 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
449 __asm__ __volatile__ ( \
450 _PRE_EFLAGS("0", "4", "2") \
451 _op _suffix " %"_x"3,%1; " \
452 _POST_EFLAGS("0", "4", "2") \
453 : "=m" (_eflags), "=m" ((_dst).val), \
455 : _y ((_src).val), "i" (EFLAGS_MASK)); \
459 /* Raw emulation: instruction has two explicit operands. */
460 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
462 unsigned long _tmp; \
464 switch ((_dst).bytes) { \
466 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
469 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
472 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
477 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
479 unsigned long _tmp; \
480 switch ((_dst).bytes) { \
482 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
485 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
486 _wx, _wy, _lx, _ly, _qx, _qy); \
491 /* Source operand is byte-sized and may be restricted to just %cl. */
492 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
493 __emulate_2op(_op, _src, _dst, _eflags, \
494 "b", "c", "b", "c", "b", "c", "b", "c")
496 /* Source operand is byte, word, long or quad sized. */
497 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
498 __emulate_2op(_op, _src, _dst, _eflags, \
499 "b", "q", "w", "r", _LO32, "r", "", "r")
501 /* Source operand is word, long or quad sized. */
502 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
503 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
504 "w", "r", _LO32, "r", "", "r")
506 /* Instruction has three operands; one operand is stored in the ECX register */
507 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
509 unsigned long _tmp; \
510 _type _clv = (_cl).val; \
511 _type _srcv = (_src).val; \
512 _type _dstv = (_dst).val; \
514 __asm__ __volatile__ ( \
515 _PRE_EFLAGS("0", "5", "2") \
516 _op _suffix " %4,%1 \n" \
517 _POST_EFLAGS("0", "5", "2") \
518 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
519 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
522 (_cl).val = (unsigned long) _clv; \
523 (_src).val = (unsigned long) _srcv; \
524 (_dst).val = (unsigned long) _dstv; \
527 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
529 switch ((_dst).bytes) { \
531 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
532 "w", unsigned short); \
535 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
536 "l", unsigned int); \
539 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
540 "q", unsigned long)); \
545 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
547 unsigned long _tmp; \
549 __asm__ __volatile__ ( \
550 _PRE_EFLAGS("0", "3", "2") \
551 _op _suffix " %1; " \
552 _POST_EFLAGS("0", "3", "2") \
553 : "=m" (_eflags), "+m" ((_dst).val), \
555 : "i" (EFLAGS_MASK)); \
558 /* Instruction has only one explicit operand (no source operand). */
559 #define emulate_1op(_op, _dst, _eflags) \
561 switch ((_dst).bytes) { \
562 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
563 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
564 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
565 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
569 /* Fetch next part of the instruction being emulated. */
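/*
 * Illustrative usage of the insn_fetch*() macros (as seen in the
 * decoders later in this file): the macro evaluates to the fetched
 * value and bails out of the enclosing function on failure, e.g.
 *
 *	c->modrm = insn_fetch(u8, 1, c->eip);
 *	c->modrm_ea += insn_fetch(s32, 4, c->eip);
 *
 * Note that they rely on the locals 'rc', 'ctxt' and 'ops' being in
 * scope at the call site.
 */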
570 #define insn_fetch(_type, _size, _eip) \
571 ({ unsigned long _x; \
572 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
573 if (rc != X86EMUL_CONTINUE) \
579 #define insn_fetch_arr(_arr, _size, _eip) \
580 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
581 if (rc != X86EMUL_CONTINUE) \
586 static inline unsigned long ad_mask(struct decode_cache *c)
588 return (1UL << (c->ad_bytes << 3)) - 1;
591 /* Access/update address held in a register, based on addressing mode. */
592 static inline unsigned long
593 address_mask(struct decode_cache *c, unsigned long reg)
595 if (c->ad_bytes == sizeof(unsigned long))
598 return reg & ad_mask(c);
601 static inline unsigned long
602 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
604 return base + address_mask(c, reg);
608 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
610 if (c->ad_bytes == sizeof(unsigned long))
613 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
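/*
 * Worked example: with a 16-bit address size (ad_bytes == 2), ad_mask()
 * yields 0xffff, so incrementing SI == 0xffff by one wraps it to 0x0000
 * while bits 63:16 of the underlying register are preserved. When
 * ad_bytes matches the native word size, the register is used unmasked.
 */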
616 static inline void jmp_rel(struct decode_cache *c, int rel)
618 register_address_increment(c, &c->eip, rel);
621 static void set_seg_override(struct decode_cache *c, int seg)
623 c->has_seg_override = true;
624 c->seg_override = seg;
627 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
628 struct x86_emulate_ops *ops, int seg)
630 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
633 return ops->get_cached_segment_base(seg, ctxt->vcpu);
636 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
637 struct x86_emulate_ops *ops,
638 struct decode_cache *c)
640 if (!c->has_seg_override)
643 return seg_base(ctxt, ops, c->seg_override);
646 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
647 struct x86_emulate_ops *ops)
649 return seg_base(ctxt, ops, VCPU_SREG_ES);
652 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
653 struct x86_emulate_ops *ops)
655 return seg_base(ctxt, ops, VCPU_SREG_SS);
658 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
659 u32 error, bool valid)
661 ctxt->exception = vec;
662 ctxt->error_code = error;
663 ctxt->error_code_valid = valid;
664 ctxt->restart = false;
667 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
669 emulate_exception(ctxt, GP_VECTOR, err, true);
672 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
676 emulate_exception(ctxt, PF_VECTOR, err, true);
679 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
681 emulate_exception(ctxt, UD_VECTOR, 0, false);
684 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
686 emulate_exception(ctxt, TS_VECTOR, err, true);
689 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
690 struct x86_emulate_ops *ops,
691 unsigned long eip, u8 *dest)
693 struct fetch_cache *fc = &ctxt->decode.fetch;
697 if (eip == fc->end) {
698 cur_size = fc->end - fc->start;
699 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
700 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
701 size, ctxt->vcpu, NULL);
702 if (rc != X86EMUL_CONTINUE)
706 *dest = fc->data[eip - fc->start];
707 return X86EMUL_CONTINUE;
710 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
711 struct x86_emulate_ops *ops,
712 unsigned long eip, void *dest, unsigned size)
716 /* x86 instructions are limited to 15 bytes. */
717 if (eip + size - ctxt->eip > 15)
718 return X86EMUL_UNHANDLEABLE;
720 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
721 if (rc != X86EMUL_CONTINUE)
724 return X86EMUL_CONTINUE;
728 * Given the 'reg' portion of a ModRM byte, and a register block, return a
729 * pointer into the block that addresses the relevant register.
730 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
732 static void *decode_register(u8 modrm_reg, unsigned long *regs,
737 p = &regs[modrm_reg];
738 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
739 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
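/*
 * Example: with @highbyte_regs set, modrm_reg == 4 does not select RSP
 * but AH, i.e. byte 1 of regs[VCPU_REGS_RAX]: "modrm_reg & 3" picks one
 * of AX/CX/DX/BX and the "+ 1" skips its low byte. Registers 4-7 thus
 * map to AH, CH, DH, BH.
 */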
743 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
744 struct x86_emulate_ops *ops,
746 u16 *size, unsigned long *address, int op_bytes)
753 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
755 if (rc != X86EMUL_CONTINUE)
757 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
762 static int test_cc(unsigned int condition, unsigned int flags)
766 switch ((condition & 15) >> 1) {
768 rc |= (flags & EFLG_OF);
770 case 1: /* b/c/nae */
771 rc |= (flags & EFLG_CF);
774 rc |= (flags & EFLG_ZF);
777 rc |= (flags & (EFLG_CF|EFLG_ZF));
780 rc |= (flags & EFLG_SF);
783 rc |= (flags & EFLG_PF);
786 rc |= (flags & EFLG_ZF);
789 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
793 /* Odd condition identifiers (lsb == 1) have inverted sense. */
794 return (!!rc ^ (condition & 1));
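/*
 * Example: condition 0x4 (je) tests ZF; condition 0x5 (jne) lands in
 * the same switch case but, having its low bit set, is inverted by the
 * final xor and so returns !ZF.
 */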
797 static void decode_register_operand(struct operand *op,
798 struct decode_cache *c,
801 unsigned reg = c->modrm_reg;
802 int highbyte_regs = c->rex_prefix == 0;
805 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
807 if ((c->d & ByteOp) && !inhibit_bytereg) {
808 op->ptr = decode_register(reg, c->regs, highbyte_regs);
809 op->val = *(u8 *)op->ptr;
812 op->ptr = decode_register(reg, c->regs, 0);
813 op->bytes = c->op_bytes;
816 op->val = *(u16 *)op->ptr;
819 op->val = *(u32 *)op->ptr;
822 op->val = *(u64 *) op->ptr;
826 op->orig_val = op->val;
829 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
830 struct x86_emulate_ops *ops)
832 struct decode_cache *c = &ctxt->decode;
834 int index_reg = 0, base_reg = 0, scale;
835 int rc = X86EMUL_CONTINUE;
838 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
839 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
840 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REX.B */
843 c->modrm = insn_fetch(u8, 1, c->eip);
844 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
845 c->modrm_reg |= (c->modrm & 0x38) >> 3;
846 c->modrm_rm |= (c->modrm & 0x07);
850 if (c->modrm_mod == 3) {
851 c->modrm_ptr = decode_register(c->modrm_rm,
852 c->regs, c->d & ByteOp);
853 c->modrm_val = *(unsigned long *)c->modrm_ptr;
857 if (c->ad_bytes == 2) {
858 unsigned bx = c->regs[VCPU_REGS_RBX];
859 unsigned bp = c->regs[VCPU_REGS_RBP];
860 unsigned si = c->regs[VCPU_REGS_RSI];
861 unsigned di = c->regs[VCPU_REGS_RDI];
863 /* 16-bit ModR/M decode. */
864 switch (c->modrm_mod) {
866 if (c->modrm_rm == 6)
867 c->modrm_ea += insn_fetch(u16, 2, c->eip);
870 c->modrm_ea += insn_fetch(s8, 1, c->eip);
873 c->modrm_ea += insn_fetch(u16, 2, c->eip);
876 switch (c->modrm_rm) {
878 c->modrm_ea += bx + si;
881 c->modrm_ea += bx + di;
884 c->modrm_ea += bp + si;
887 c->modrm_ea += bp + di;
896 if (c->modrm_mod != 0)
903 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
904 (c->modrm_rm == 6 && c->modrm_mod != 0))
905 if (!c->has_seg_override)
906 set_seg_override(c, VCPU_SREG_SS);
907 c->modrm_ea = (u16)c->modrm_ea;
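/*
 * Worked example (16-bit): ModRM == 0x46 means mod == 1, rm == 6, so
 * the effective address is BP plus a fetched disp8, truncated to 16
 * bits; and because BP is the base, the default segment becomes SS
 * unless an explicit segment-override prefix was seen.
 */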
909 /* 32/64-bit ModR/M decode. */
910 if ((c->modrm_rm & 7) == 4) {
911 sib = insn_fetch(u8, 1, c->eip);
912 index_reg |= (sib >> 3) & 7;
916 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
917 c->modrm_ea += insn_fetch(s32, 4, c->eip);
919 c->modrm_ea += c->regs[base_reg];
921 c->modrm_ea += c->regs[index_reg] << scale;
922 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
923 if (ctxt->mode == X86EMUL_MODE_PROT64)
926 c->modrm_ea += c->regs[c->modrm_rm];
927 switch (c->modrm_mod) {
929 if (c->modrm_rm == 5)
930 c->modrm_ea += insn_fetch(s32, 4, c->eip);
933 c->modrm_ea += insn_fetch(s8, 1, c->eip);
936 c->modrm_ea += insn_fetch(s32, 4, c->eip);
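/*
 * Worked example (32-bit): ModRM == 0x04 (mod == 0, rm == 4) pulls in a
 * SIB byte. SIB == 0x88 gives scale == 2, index == 1, base == 0, hence
 * modrm_ea = EAX + (ECX << 2). Had base been 5 with mod == 0, a disp32
 * would have replaced the base register.
 */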
944 static int decode_abs(struct x86_emulate_ctxt *ctxt,
945 struct x86_emulate_ops *ops)
947 struct decode_cache *c = &ctxt->decode;
948 int rc = X86EMUL_CONTINUE;
950 switch (c->ad_bytes) {
952 c->modrm_ea = insn_fetch(u16, 2, c->eip);
955 c->modrm_ea = insn_fetch(u32, 4, c->eip);
958 c->modrm_ea = insn_fetch(u64, 8, c->eip);
966 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
968 struct decode_cache *c = &ctxt->decode;
969 int rc = X86EMUL_CONTINUE;
970 int mode = ctxt->mode;
971 int def_op_bytes, def_ad_bytes, group;
974 /* we cannot decode a new insn before completing the previous rep insn */
975 WARN_ON(ctxt->restart);
978 c->fetch.start = c->fetch.end = c->eip;
979 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
982 case X86EMUL_MODE_REAL:
983 case X86EMUL_MODE_VM86:
984 case X86EMUL_MODE_PROT16:
985 def_op_bytes = def_ad_bytes = 2;
987 case X86EMUL_MODE_PROT32:
988 def_op_bytes = def_ad_bytes = 4;
991 case X86EMUL_MODE_PROT64:
1000 c->op_bytes = def_op_bytes;
1001 c->ad_bytes = def_ad_bytes;
1003 /* Legacy prefixes. */
1005 switch (c->b = insn_fetch(u8, 1, c->eip)) {
1006 case 0x66: /* operand-size override */
1007 /* switch between 2/4 bytes */
1008 c->op_bytes = def_op_bytes ^ 6;
1010 case 0x67: /* address-size override */
1011 if (mode == X86EMUL_MODE_PROT64)
1012 /* switch between 4/8 bytes */
1013 c->ad_bytes = def_ad_bytes ^ 12;
1015 /* switch between 2/4 bytes */
1016 c->ad_bytes = def_ad_bytes ^ 6;
1018 case 0x26: /* ES override */
1019 case 0x2e: /* CS override */
1020 case 0x36: /* SS override */
1021 case 0x3e: /* DS override */
1022 set_seg_override(c, (c->b >> 3) & 3);
1024 case 0x64: /* FS override */
1025 case 0x65: /* GS override */
1026 set_seg_override(c, c->b & 7);
1028 case 0x40 ... 0x4f: /* REX */
1029 if (mode != X86EMUL_MODE_PROT64)
1031 c->rex_prefix = c->b;
1033 case 0xf0: /* LOCK */
1036 case 0xf2: /* REPNE/REPNZ */
1037 c->rep_prefix = REPNE_PREFIX;
1039 case 0xf3: /* REP/REPE/REPZ */
1040 c->rep_prefix = REPE_PREFIX;
1046 /* Any legacy prefix after a REX prefix nullifies its effect. */
1055 if (c->rex_prefix & 8)
1056 c->op_bytes = 8; /* REX.W */
1058 /* Opcode byte(s). */
1059 c->d = opcode_table[c->b];
1061 /* Two-byte opcode? */
1064 c->b = insn_fetch(u8, 1, c->eip);
1065 c->d = twobyte_table[c->b];
1070 group = c->d & GroupMask;
1071 c->modrm = insn_fetch(u8, 1, c->eip);
1074 group = (group << 3) + ((c->modrm >> 3) & 7);
1075 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1076 c->d = group2_table[group];
1078 c->d = group_table[group];
1083 DPRINTF("Cannot emulate %02x\n", c->b);
1087 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1090 /* ModRM and SIB bytes. */
1092 rc = decode_modrm(ctxt, ops);
1093 else if (c->d & MemAbs)
1094 rc = decode_abs(ctxt, ops);
1095 if (rc != X86EMUL_CONTINUE)
1098 if (!c->has_seg_override)
1099 set_seg_override(c, VCPU_SREG_DS);
1101 if (!(!c->twobyte && c->b == 0x8d)) /* lea takes no segment base */
1102 c->modrm_ea += seg_override_base(ctxt, ops, c);
1104 if (c->ad_bytes != 8)
1105 c->modrm_ea = (u32)c->modrm_ea;
1107 if (c->rip_relative)
1108 c->modrm_ea += c->eip;
1111 * Decode and fetch the source operand: register, memory
1114 switch (c->d & SrcMask) {
1118 decode_register_operand(&c->src, c, 0);
1127 c->src.bytes = (c->d & ByteOp) ? 1 :
1129 /* Don't fetch the address for invlpg: it could be unmapped. */
1130 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1134 * For instructions with a ModR/M byte, switch to register
1135 * access if Mod = 3.
1137 if ((c->d & ModRM) && c->modrm_mod == 3) {
1138 c->src.type = OP_REG;
1139 c->src.val = c->modrm_val;
1140 c->src.ptr = c->modrm_ptr;
1143 c->src.type = OP_MEM;
1144 c->src.ptr = (unsigned long *)c->modrm_ea;
1149 c->src.type = OP_IMM;
1150 c->src.ptr = (unsigned long *)c->eip;
1151 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1152 if (c->src.bytes == 8)
1154 /* NB. Immediates are sign-extended as necessary. */
1155 switch (c->src.bytes) {
1157 c->src.val = insn_fetch(s8, 1, c->eip);
1160 c->src.val = insn_fetch(s16, 2, c->eip);
1163 c->src.val = insn_fetch(s32, 4, c->eip);
1166 if ((c->d & SrcMask) == SrcImmU) {
1167 switch (c->src.bytes) {
1172 c->src.val &= 0xffff;
1175 c->src.val &= 0xffffffff;
1182 c->src.type = OP_IMM;
1183 c->src.ptr = (unsigned long *)c->eip;
1185 if ((c->d & SrcMask) == SrcImmByte)
1186 c->src.val = insn_fetch(s8, 1, c->eip);
1188 c->src.val = insn_fetch(u8, 1, c->eip);
1191 c->src.type = OP_REG;
1192 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1193 c->src.ptr = &c->regs[VCPU_REGS_RAX];
1194 switch (c->src.bytes) {
1196 c->src.val = *(u8 *)c->src.ptr;
1199 c->src.val = *(u16 *)c->src.ptr;
1202 c->src.val = *(u32 *)c->src.ptr;
1205 c->src.val = *(u64 *)c->src.ptr;
1214 c->src.type = OP_MEM;
1215 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1216 c->src.ptr = (unsigned long *)
1217 register_address(c, seg_override_base(ctxt, ops, c),
1218 c->regs[VCPU_REGS_RSI]);
1222 c->src.type = OP_IMM;
1223 c->src.ptr = (unsigned long *)c->eip;
1224 c->src.bytes = c->op_bytes + 2;
1225 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
1228 c->src.type = OP_MEM;
1229 c->src.ptr = (unsigned long *)c->modrm_ea;
1230 c->src.bytes = c->op_bytes + 2;
1235 * Decode and fetch the second source operand: register, memory
1238 switch (c->d & Src2Mask) {
1243 c->src2.val = c->regs[VCPU_REGS_RCX] & 0xff; /* CL is the low byte of RCX */
1246 c->src2.type = OP_IMM;
1247 c->src2.ptr = (unsigned long *)c->eip;
1249 c->src2.val = insn_fetch(u8, 1, c->eip);
1257 /* Decode and fetch the destination operand: register or memory. */
1258 switch (c->d & DstMask) {
1260 /* Special instructions do their own operand decoding. */
1263 decode_register_operand(&c->dst, c,
1264 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1268 if ((c->d & ModRM) && c->modrm_mod == 3) {
1269 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1270 c->dst.type = OP_REG;
1271 c->dst.val = c->dst.orig_val = c->modrm_val;
1272 c->dst.ptr = c->modrm_ptr;
1275 c->dst.type = OP_MEM;
1276 c->dst.ptr = (unsigned long *)c->modrm_ea;
1277 if ((c->d & DstMask) == DstMem64)
1280 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1283 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1285 c->dst.ptr = (void *)c->dst.ptr +
1286 (c->src.val & mask) / 8;
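/*
 * Worked example: for a dword "bt [mem], 37" (dst.bytes == 4) the mask
 * is ~31, so (37 & ~31) / 8 == 4: the pointer is advanced by one dword
 * and the instruction then operates on bit 37 % 32 == 5 of that dword.
 */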
1290 c->dst.type = OP_REG;
1291 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1292 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1293 switch (c->dst.bytes) {
1295 c->dst.val = *(u8 *)c->dst.ptr;
1298 c->dst.val = *(u16 *)c->dst.ptr;
1301 c->dst.val = *(u32 *)c->dst.ptr;
1304 c->dst.val = *(u64 *)c->dst.ptr;
1307 c->dst.orig_val = c->dst.val;
1310 c->dst.type = OP_MEM;
1311 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1312 c->dst.ptr = (unsigned long *)
1313 register_address(c, es_base(ctxt, ops),
1314 c->regs[VCPU_REGS_RDI]);
1320 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1323 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1324 struct x86_emulate_ops *ops,
1325 unsigned long addr, void *dest, unsigned size)
1328 struct read_cache *mc = &ctxt->decode.mem_read;
1332 int n = min(size, 8u);
1334 if (mc->pos < mc->end)
1337 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
1339 if (rc == X86EMUL_PROPAGATE_FAULT)
1340 emulate_pf(ctxt, addr, err);
1341 if (rc != X86EMUL_CONTINUE)
1346 memcpy(dest, mc->data + mc->pos, n);
1351 return X86EMUL_CONTINUE;
1354 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1355 struct x86_emulate_ops *ops,
1356 unsigned int size, unsigned short port,
1359 struct read_cache *rc = &ctxt->decode.io_read;
1361 if (rc->pos == rc->end) { /* refill pio read ahead */
1362 struct decode_cache *c = &ctxt->decode;
1363 unsigned int in_page, n;
1364 unsigned int count = c->rep_prefix ?
1365 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1366 in_page = (ctxt->eflags & EFLG_DF) ?
1367 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1368 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1369 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1373 rc->pos = rc->end = 0;
1374 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1379 memcpy(dest, rc->data + rc->pos, size);
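/*
 * Example: with the granularity bit set, desc_limit_scaled() below
 * turns a raw limit of 0xfffff into (0xfffff << 12) | 0xfff ==
 * 0xffffffff, i.e. a 4GB segment.
 */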
1384 static u32 desc_limit_scaled(struct desc_struct *desc)
1386 u32 limit = get_desc_limit(desc);
1388 return desc->g ? (limit << 12) | 0xfff : limit;
1391 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1392 struct x86_emulate_ops *ops,
1393 u16 selector, struct desc_ptr *dt)
1395 if (selector & 1 << 2) {
1396 struct desc_struct desc;
1397 memset (dt, 0, sizeof *dt);
1398 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1401 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1402 dt->address = get_desc_base(&desc);
1404 ops->get_gdt(dt, ctxt->vcpu);
1407 /* allowed only for 8-byte segment descriptors */
1408 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1409 struct x86_emulate_ops *ops,
1410 u16 selector, struct desc_struct *desc)
1413 u16 index = selector >> 3;
1418 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1420 if (dt.size < index * 8 + 7) {
1421 emulate_gp(ctxt, selector & 0xfffc);
1422 return X86EMUL_PROPAGATE_FAULT;
1424 addr = dt.address + index * 8;
1425 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1426 if (ret == X86EMUL_PROPAGATE_FAULT)
1427 emulate_pf(ctxt, addr, err);
1432 /* allowed only for 8-byte segment descriptors */
1433 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1434 struct x86_emulate_ops *ops,
1435 u16 selector, struct desc_struct *desc)
1438 u16 index = selector >> 3;
1443 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1445 if (dt.size < index * 8 + 7) {
1446 emulate_gp(ctxt, selector & 0xfffc);
1447 return X86EMUL_PROPAGATE_FAULT;
1450 addr = dt.address + index * 8;
1451 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1452 if (ret == X86EMUL_PROPAGATE_FAULT)
1453 emulate_pf(ctxt, addr, err);
1458 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1459 struct x86_emulate_ops *ops,
1460 u16 selector, int seg)
1462 struct desc_struct seg_desc;
1464 unsigned err_vec = GP_VECTOR;
1466 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1469 memset(&seg_desc, 0, sizeof seg_desc);
1471 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1472 || ctxt->mode == X86EMUL_MODE_REAL) {
1473 /* set real mode segment descriptor */
1474 set_desc_base(&seg_desc, selector << 4);
1475 set_desc_limit(&seg_desc, 0xffff);
1482 /* NULL selector is not valid for TR, CS and SS */
1483 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1487 /* TR should be in GDT only */
1488 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1491 if (null_selector) /* for NULL selector skip all following checks */
1494 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1495 if (ret != X86EMUL_CONTINUE)
1498 err_code = selector & 0xfffc;
1499 err_vec = GP_VECTOR;
1501 /* can't load a system descriptor into a segment selector */
1502 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1506 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1512 cpl = ops->cpl(ctxt->vcpu);
1517 * segment is not a writable data segment, or the segment
1518 * selector's RPL != CPL, or the descriptor's DPL != CPL
1520 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1524 if (!(seg_desc.type & 8))
1527 if (seg_desc.type & 4) {
1533 if (rpl > cpl || dpl != cpl)
1536 /* CS(RPL) <- CPL */
1537 selector = (selector & 0xfffc) | cpl;
1540 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1543 case VCPU_SREG_LDTR:
1544 if (seg_desc.s || seg_desc.type != 2)
1547 default: /* DS, ES, FS, or GS */
1549 * segment is not a data or readable code segment or
1550 * ((segment is a data or nonconforming code segment)
1551 * and (both RPL and CPL > DPL))
1553 if ((seg_desc.type & 0xa) == 0x8 ||
1554 (((seg_desc.type & 0xc) != 0xc) &&
1555 (rpl > dpl && cpl > dpl)))
1561 /* mark segment as accessed */
1563 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1564 if (ret != X86EMUL_CONTINUE)
1568 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1569 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1570 return X86EMUL_CONTINUE;
1572 emulate_exception(ctxt, err_vec, err_code, true);
1573 return X86EMUL_PROPAGATE_FAULT;
1576 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1577 struct x86_emulate_ops *ops)
1580 struct decode_cache *c = &ctxt->decode;
1583 switch (c->dst.type) {
1585 /* The 4-byte case *is* correct:
1586 * in 64-bit mode we zero-extend.
1588 switch (c->dst.bytes) {
1590 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1593 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1596 *c->dst.ptr = (u32)c->dst.val;
1597 break; /* 64b: zero-ext */
1599 *c->dst.ptr = c->dst.val;
1605 rc = ops->cmpxchg_emulated(
1606 (unsigned long)c->dst.ptr,
1613 rc = ops->write_emulated(
1614 (unsigned long)c->dst.ptr,
1619 if (rc == X86EMUL_PROPAGATE_FAULT)
1621 (unsigned long)c->dst.ptr, err);
1622 if (rc != X86EMUL_CONTINUE)
1631 return X86EMUL_CONTINUE;
1634 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1635 struct x86_emulate_ops *ops)
1637 struct decode_cache *c = &ctxt->decode;
1639 c->dst.type = OP_MEM;
1640 c->dst.bytes = c->op_bytes;
1641 c->dst.val = c->src.val;
1642 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1643 c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1644 c->regs[VCPU_REGS_RSP]);
1647 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1648 struct x86_emulate_ops *ops,
1649 void *dest, int len)
1651 struct decode_cache *c = &ctxt->decode;
1654 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1655 c->regs[VCPU_REGS_RSP]),
1657 if (rc != X86EMUL_CONTINUE)
1660 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1664 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1665 struct x86_emulate_ops *ops,
1666 void *dest, int len)
1669 unsigned long val, change_mask;
1670 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1671 int cpl = ops->cpl(ctxt->vcpu);
1673 rc = emulate_pop(ctxt, ops, &val, len);
1674 if (rc != X86EMUL_CONTINUE)
1677 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1678 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1680 switch(ctxt->mode) {
1681 case X86EMUL_MODE_PROT64:
1682 case X86EMUL_MODE_PROT32:
1683 case X86EMUL_MODE_PROT16:
1685 change_mask |= EFLG_IOPL;
1687 change_mask |= EFLG_IF;
1689 case X86EMUL_MODE_VM86:
1691 emulate_gp(ctxt, 0);
1692 return X86EMUL_PROPAGATE_FAULT;
1694 change_mask |= EFLG_IF;
1696 default: /* real mode */
1697 change_mask |= (EFLG_IOPL | EFLG_IF);
1701 *(unsigned long *)dest =
1702 (ctxt->eflags & ~change_mask) | (val & change_mask);
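/*
 * Example (given the protected-mode cpl/iopl checks above): a popf
 * executed at CPL 2 with IOPL 1 may change neither IF (cpl > iopl) nor
 * IOPL (cpl != 0), so both are kept from the old EFLAGS while the
 * arithmetic flags are taken from the popped value.
 */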
1707 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1708 struct x86_emulate_ops *ops, int seg)
1710 struct decode_cache *c = &ctxt->decode;
1712 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1714 emulate_push(ctxt, ops);
1717 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1718 struct x86_emulate_ops *ops, int seg)
1720 struct decode_cache *c = &ctxt->decode;
1721 unsigned long selector;
1724 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1725 if (rc != X86EMUL_CONTINUE)
1728 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1732 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1733 struct x86_emulate_ops *ops)
1735 struct decode_cache *c = &ctxt->decode;
1736 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1737 int rc = X86EMUL_CONTINUE;
1738 int reg = VCPU_REGS_RAX;
1740 while (reg <= VCPU_REGS_RDI) {
1741 (reg == VCPU_REGS_RSP) ?
1742 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1744 emulate_push(ctxt, ops);
1746 rc = writeback(ctxt, ops);
1747 if (rc != X86EMUL_CONTINUE)
1753 /* Disable writeback. */
1754 c->dst.type = OP_NONE;
1759 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1760 struct x86_emulate_ops *ops)
1762 struct decode_cache *c = &ctxt->decode;
1763 int rc = X86EMUL_CONTINUE;
1764 int reg = VCPU_REGS_RDI;
1766 while (reg >= VCPU_REGS_RAX) {
1767 if (reg == VCPU_REGS_RSP) {
1768 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1773 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1774 if (rc != X86EMUL_CONTINUE)
1781 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1782 struct x86_emulate_ops *ops)
1784 struct decode_cache *c = &ctxt->decode;
1786 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1789 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1791 struct decode_cache *c = &ctxt->decode;
1792 switch (c->modrm_reg) {
1794 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1797 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1800 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1803 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1805 case 4: /* sal/shl */
1806 case 6: /* sal/shl */
1807 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1810 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1813 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1818 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1819 struct x86_emulate_ops *ops)
1821 struct decode_cache *c = &ctxt->decode;
1823 switch (c->modrm_reg) {
1824 case 0 ... 1: /* test */
1825 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1828 c->dst.val = ~c->dst.val;
1831 emulate_1op("neg", c->dst, ctxt->eflags);
1839 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1840 struct x86_emulate_ops *ops)
1842 struct decode_cache *c = &ctxt->decode;
1844 switch (c->modrm_reg) {
1846 emulate_1op("inc", c->dst, ctxt->eflags);
1849 emulate_1op("dec", c->dst, ctxt->eflags);
1851 case 2: /* call near abs */ {
1854 c->eip = c->src.val;
1855 c->src.val = old_eip;
1856 emulate_push(ctxt, ops);
1859 case 4: /* jmp abs */
1860 c->eip = c->src.val;
1863 emulate_push(ctxt, ops);
1866 return X86EMUL_CONTINUE;
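/*
 * emulate_grp9() below implements cmpxchg8b: if EDX:EAX equals the
 * 64-bit destination, ZF is set and ECX:EBX becomes the new value
 * (written out later by the common writeback path); otherwise ZF is
 * cleared and the old value is loaded into EDX:EAX.
 */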
1869 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1870 struct x86_emulate_ops *ops)
1872 struct decode_cache *c = &ctxt->decode;
1873 u64 old = c->dst.orig_val;
1875 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1876 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1878 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1879 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1880 ctxt->eflags &= ~EFLG_ZF;
1882 c->dst.val = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1883 (u32) c->regs[VCPU_REGS_RBX];
1885 ctxt->eflags |= EFLG_ZF;
1887 return X86EMUL_CONTINUE;
1890 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1891 struct x86_emulate_ops *ops)
1893 struct decode_cache *c = &ctxt->decode;
1897 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1898 if (rc != X86EMUL_CONTINUE)
1900 if (c->op_bytes == 4)
1901 c->eip = (u32)c->eip;
1902 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1903 if (rc != X86EMUL_CONTINUE)
1905 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1910 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1911 struct x86_emulate_ops *ops, struct desc_struct *cs,
1912 struct desc_struct *ss)
1914 memset(cs, 0, sizeof(struct desc_struct));
1915 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1916 memset(ss, 0, sizeof(struct desc_struct));
1918 cs->l = 0; /* will be adjusted later */
1919 set_desc_base(cs, 0); /* flat segment */
1920 cs->g = 1; /* 4kb granularity */
1921 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1922 cs->type = 0x0b; /* Read, Execute, Accessed */
1924 cs->dpl = 0; /* will be adjusted later */
1928 set_desc_base(ss, 0); /* flat segment */
1929 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1930 ss->g = 1; /* 4kb granularity */
1932 ss->type = 0x03; /* Read/Write, Accessed */
1933 ss->d = 1; /* 32bit stack segment */
1939 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1941 struct decode_cache *c = &ctxt->decode;
1942 struct desc_struct cs, ss;
1946 /* syscall is not available in real mode */
1947 if (ctxt->mode == X86EMUL_MODE_REAL ||
1948 ctxt->mode == X86EMUL_MODE_VM86) {
1950 return X86EMUL_PROPAGATE_FAULT;
1953 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1955 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1957 cs_sel = (u16)(msr_data & 0xfffc);
1958 ss_sel = (u16)(msr_data + 8);
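/*
 * Per the syscall definition, MSR_STAR bits 47:32 hold the kernel CS
 * selector, and SS is loaded with that selector + 8, which is what the
 * two assignments above implement.
 */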
1960 if (is_long_mode(ctxt->vcpu)) {
1964 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1965 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1966 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1967 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1969 c->regs[VCPU_REGS_RCX] = c->eip;
1970 if (is_long_mode(ctxt->vcpu)) {
1971 #ifdef CONFIG_X86_64
1972 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1974 ops->get_msr(ctxt->vcpu,
1975 ctxt->mode == X86EMUL_MODE_PROT64 ?
1976 MSR_LSTAR : MSR_CSTAR, &msr_data);
1979 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1980 ctxt->eflags &= ~(msr_data | EFLG_RF);
1984 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1985 c->eip = (u32)msr_data;
1987 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1990 return X86EMUL_CONTINUE;
1994 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1996 struct decode_cache *c = &ctxt->decode;
1997 struct desc_struct cs, ss;
2001 /* inject #GP if in real mode */
2002 if (ctxt->mode == X86EMUL_MODE_REAL) {
2003 emulate_gp(ctxt, 0);
2004 return X86EMUL_PROPAGATE_FAULT;
2007 /* XXX sysenter/sysexit have not been tested in 64-bit mode.
2008 * Therefore, we inject an #UD.
2010 if (ctxt->mode == X86EMUL_MODE_PROT64) {
2012 return X86EMUL_PROPAGATE_FAULT;
2015 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2017 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2018 switch (ctxt->mode) {
2019 case X86EMUL_MODE_PROT32:
2020 if ((msr_data & 0xfffc) == 0x0) {
2021 emulate_gp(ctxt, 0);
2022 return X86EMUL_PROPAGATE_FAULT;
2025 case X86EMUL_MODE_PROT64:
2026 if (msr_data == 0x0) {
2027 emulate_gp(ctxt, 0);
2028 return X86EMUL_PROPAGATE_FAULT;
2033 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2034 cs_sel = (u16)msr_data;
2035 cs_sel &= ~SELECTOR_RPL_MASK;
2036 ss_sel = cs_sel + 8;
2037 ss_sel &= ~SELECTOR_RPL_MASK;
2038 if (ctxt->mode == X86EMUL_MODE_PROT64
2039 || is_long_mode(ctxt->vcpu)) {
2044 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2045 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2046 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2047 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2049 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
2052 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
2053 c->regs[VCPU_REGS_RSP] = msr_data;
2055 return X86EMUL_CONTINUE;
2059 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2061 struct decode_cache *c = &ctxt->decode;
2062 struct desc_struct cs, ss;
2067 /* inject #GP if in real mode or Virtual 8086 mode */
2068 if (ctxt->mode == X86EMUL_MODE_REAL ||
2069 ctxt->mode == X86EMUL_MODE_VM86) {
2070 emulate_gp(ctxt, 0);
2071 return X86EMUL_PROPAGATE_FAULT;
2074 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2076 if ((c->rex_prefix & 0x8) != 0x0)
2077 usermode = X86EMUL_MODE_PROT64;
2079 usermode = X86EMUL_MODE_PROT32;
2083 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2085 case X86EMUL_MODE_PROT32:
2086 cs_sel = (u16)(msr_data + 16);
2087 if ((msr_data & 0xfffc) == 0x0) {
2088 emulate_gp(ctxt, 0);
2089 return X86EMUL_PROPAGATE_FAULT;
2091 ss_sel = (u16)(msr_data + 24);
2093 case X86EMUL_MODE_PROT64:
2094 cs_sel = (u16)(msr_data + 32);
2095 if (msr_data == 0x0) {
2096 emulate_gp(ctxt, 0);
2097 return X86EMUL_PROPAGATE_FAULT;
2099 ss_sel = cs_sel + 8;
2104 cs_sel |= SELECTOR_RPL_MASK;
2105 ss_sel |= SELECTOR_RPL_MASK;
2107 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2108 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2109 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2110 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2112 c->eip = c->regs[VCPU_REGS_RDX];
2113 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
2115 return X86EMUL_CONTINUE;
2118 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
2119 struct x86_emulate_ops *ops)
2122 if (ctxt->mode == X86EMUL_MODE_REAL)
2124 if (ctxt->mode == X86EMUL_MODE_VM86)
2126 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2127 return ops->cpl(ctxt->vcpu) > iopl;
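/*
 * The helper below consults the I/O permission bitmap in the TSS.
 * Worked example: a 2-byte access to port 0x3f9 reads the permission
 * byte at io_bitmap_ptr + 0x3f9/8 == io_bitmap_ptr + 127; bit_idx ==
 * 0x3f9 % 8 == 1 and mask == 3, so the access is denied if either bit
 * 1 or bit 2 of that byte is set.
 */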
2130 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2131 struct x86_emulate_ops *ops,
2134 struct desc_struct tr_seg;
2137 u8 perm, bit_idx = port & 0x7;
2138 unsigned mask = (1 << len) - 1;
2140 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
2143 if (desc_limit_scaled(&tr_seg) < 103)
2145 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
2147 if (r != X86EMUL_CONTINUE)
2149 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2151 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
2152 &perm, 1, ctxt->vcpu, NULL);
2153 if (r != X86EMUL_CONTINUE)
2155 if ((perm >> bit_idx) & mask)
2160 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2161 struct x86_emulate_ops *ops,
2164 if (emulator_bad_iopl(ctxt, ops))
2165 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2170 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2171 struct x86_emulate_ops *ops,
2172 struct tss_segment_16 *tss)
2174 struct decode_cache *c = &ctxt->decode;
2177 tss->flag = ctxt->eflags;
2178 tss->ax = c->regs[VCPU_REGS_RAX];
2179 tss->cx = c->regs[VCPU_REGS_RCX];
2180 tss->dx = c->regs[VCPU_REGS_RDX];
2181 tss->bx = c->regs[VCPU_REGS_RBX];
2182 tss->sp = c->regs[VCPU_REGS_RSP];
2183 tss->bp = c->regs[VCPU_REGS_RBP];
2184 tss->si = c->regs[VCPU_REGS_RSI];
2185 tss->di = c->regs[VCPU_REGS_RDI];
2187 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2188 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2189 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2190 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2191 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2194 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2195 struct x86_emulate_ops *ops,
2196 struct tss_segment_16 *tss)
2198 struct decode_cache *c = &ctxt->decode;
2202 ctxt->eflags = tss->flag | 2; /* bit 1 of EFLAGS is always set */
2203 c->regs[VCPU_REGS_RAX] = tss->ax;
2204 c->regs[VCPU_REGS_RCX] = tss->cx;
2205 c->regs[VCPU_REGS_RDX] = tss->dx;
2206 c->regs[VCPU_REGS_RBX] = tss->bx;
2207 c->regs[VCPU_REGS_RSP] = tss->sp;
2208 c->regs[VCPU_REGS_RBP] = tss->bp;
2209 c->regs[VCPU_REGS_RSI] = tss->si;
2210 c->regs[VCPU_REGS_RDI] = tss->di;
2213 * SDM says that segment selectors are loaded before segment descriptors.
2216 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2217 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2218 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2219 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2220 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2223 * Now load the segment descriptors. If a fault happens at this
2224 * stage, it is handled in the context of the new task.
2226 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2227 if (ret != X86EMUL_CONTINUE)
2229 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2230 if (ret != X86EMUL_CONTINUE)
2232 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2233 if (ret != X86EMUL_CONTINUE)
2235 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2236 if (ret != X86EMUL_CONTINUE)
2238 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2239 if (ret != X86EMUL_CONTINUE)
2242 return X86EMUL_CONTINUE;
2245 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2246 struct x86_emulate_ops *ops,
2247 u16 tss_selector, u16 old_tss_sel,
2248 ulong old_tss_base, struct desc_struct *new_desc)
2250 struct tss_segment_16 tss_seg;
2252 u32 err, new_tss_base = get_desc_base(new_desc);
2254 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2256 if (ret == X86EMUL_PROPAGATE_FAULT) {
2257 /* FIXME: need to provide precise fault address */
2258 emulate_pf(ctxt, old_tss_base, err);
2262 save_state_to_tss16(ctxt, ops, &tss_seg);
2264 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2266 if (ret == X86EMUL_PROPAGATE_FAULT) {
2267 /* FIXME: need to provide precise fault address */
2268 emulate_pf(ctxt, old_tss_base, err);
2272 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2274 if (ret == X86EMUL_PROPAGATE_FAULT) {
2275 /* FIXME: need to provide precise fault address */
2276 emulate_pf(ctxt, new_tss_base, err);
2280 if (old_tss_sel != 0xffff) {
2281 tss_seg.prev_task_link = old_tss_sel;
2283 ret = ops->write_std(new_tss_base,
2284 &tss_seg.prev_task_link,
2285 sizeof tss_seg.prev_task_link,
2287 if (ret == X86EMUL_PROPAGATE_FAULT) {
2288 /* FIXME: need to provide precise fault address */
2289 emulate_pf(ctxt, new_tss_base, err);
2294 return load_state_from_tss16(ctxt, ops, &tss_seg);
2297 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2298 struct x86_emulate_ops *ops,
2299 struct tss_segment_32 *tss)
2301 struct decode_cache *c = &ctxt->decode;
2303 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2305 tss->eflags = ctxt->eflags;
2306 tss->eax = c->regs[VCPU_REGS_RAX];
2307 tss->ecx = c->regs[VCPU_REGS_RCX];
2308 tss->edx = c->regs[VCPU_REGS_RDX];
2309 tss->ebx = c->regs[VCPU_REGS_RBX];
2310 tss->esp = c->regs[VCPU_REGS_RSP];
2311 tss->ebp = c->regs[VCPU_REGS_RBP];
2312 tss->esi = c->regs[VCPU_REGS_RSI];
2313 tss->edi = c->regs[VCPU_REGS_RDI];
2315 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2316 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2317 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2318 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2319 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2320 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2321 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2324 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2325 struct x86_emulate_ops *ops,
2326 struct tss_segment_32 *tss)
2328 struct decode_cache *c = &ctxt->decode;
2331 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2332 emulate_gp(ctxt, 0);
2333 return X86EMUL_PROPAGATE_FAULT;
2336 ctxt->eflags = tss->eflags | 2;
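	/* bit 1 of EFLAGS is reserved and always reads as one, hence the "| 2" */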
2337 c->regs[VCPU_REGS_RAX] = tss->eax;
2338 c->regs[VCPU_REGS_RCX] = tss->ecx;
2339 c->regs[VCPU_REGS_RDX] = tss->edx;
2340 c->regs[VCPU_REGS_RBX] = tss->ebx;
2341 c->regs[VCPU_REGS_RSP] = tss->esp;
2342 c->regs[VCPU_REGS_RBP] = tss->ebp;
2343 c->regs[VCPU_REGS_RSI] = tss->esi;
2344 c->regs[VCPU_REGS_RDI] = tss->edi;
2347 * SDM says that segment selectors are loaded before segment descriptors.

2350 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2351 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2352 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2353 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2354 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2355 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2356 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2359 * Now load the segment descriptors. If a fault happens at this stage,
2360 * it is handled in the context of the new task.
2362 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2363 if (ret != X86EMUL_CONTINUE)
2365 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2366 if (ret != X86EMUL_CONTINUE)
2368 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2369 if (ret != X86EMUL_CONTINUE)
2371 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2372 if (ret != X86EMUL_CONTINUE)
2374 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2375 if (ret != X86EMUL_CONTINUE)
2377 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2378 if (ret != X86EMUL_CONTINUE)
2380 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2381 if (ret != X86EMUL_CONTINUE)
2384 return X86EMUL_CONTINUE;
2387 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2388 struct x86_emulate_ops *ops,
2389 u16 tss_selector, u16 old_tss_sel,
2390 ulong old_tss_base, struct desc_struct *new_desc)
2392 struct tss_segment_32 tss_seg;
2394 u32 err, new_tss_base = get_desc_base(new_desc);
2396 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2398 if (ret == X86EMUL_PROPAGATE_FAULT) {
2399 /* FIXME: need to provide precise fault address */
2400 emulate_pf(ctxt, old_tss_base, err);
2404 save_state_to_tss32(ctxt, ops, &tss_seg);
2406 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2408 if (ret == X86EMUL_PROPAGATE_FAULT) {
2409 /* FIXME: need to provide precise fault address */
2410 emulate_pf(ctxt, old_tss_base, err);
2414 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2416 if (ret == X86EMUL_PROPAGATE_FAULT) {
2417 /* FIXME: need to provide precise fault address */
2418 emulate_pf(ctxt, new_tss_base, err);
2422 if (old_tss_sel != 0xffff) {
2423 tss_seg.prev_task_link = old_tss_sel;
2425 ret = ops->write_std(new_tss_base,
2426 &tss_seg.prev_task_link,
2427 sizeof tss_seg.prev_task_link,
2429 if (ret == X86EMUL_PROPAGATE_FAULT) {
2430 /* FIXME: need to provide precise fault address */
2431 emulate_pf(ctxt, new_tss_base, err);
2436 return load_state_from_tss32(ctxt, ops, &tss_seg);
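/*
 * emulator_do_task_switch() below follows the SDM task-switch sequence:
 * read the old and new TSS descriptors; for anything but IRET, check
 * CPL/RPL against the new TSS DPL and verify the descriptor is present
 * with a sane limit; clear the busy bit of the old TSS on IRET/JMP; save
 * state into the old TSS and load it from the new one; on CALL/gate
 * switches, record the back link and set EFLAGS.NT; finally mark the new
 * TSS busy, set CR0.TS, load TR, and push any error code.
 */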
2439 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2440 struct x86_emulate_ops *ops,
2441 u16 tss_selector, int reason,
2442 bool has_error_code, u32 error_code)
2444 struct desc_struct curr_tss_desc, next_tss_desc;
2446 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2447 ulong old_tss_base =
2448 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2451 /* FIXME: old_tss_base == ~0 ? */
2453 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2454 if (ret != X86EMUL_CONTINUE)
2456 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2457 if (ret != X86EMUL_CONTINUE)
2460 /* FIXME: check that next_tss_desc is tss */
2462 if (reason != TASK_SWITCH_IRET) {
2463 if ((tss_selector & 3) > next_tss_desc.dpl ||
2464 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2465 emulate_gp(ctxt, 0);
2466 return X86EMUL_PROPAGATE_FAULT;
2470 desc_limit = desc_limit_scaled(&next_tss_desc);
2471 if (!next_tss_desc.p ||
2472 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2473 desc_limit < 0x2b)) {
2474 emulate_ts(ctxt, tss_selector & 0xfffc);
2475 return X86EMUL_PROPAGATE_FAULT;
2478 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2479 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2480 write_segment_descriptor(ctxt, ops, old_tss_sel,
2484 if (reason == TASK_SWITCH_IRET)
2485 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2487 /* set the back link to the previous task only if the NT bit is set
2488    in eflags; note that old_tss_sel is not used after this point */
2489 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2490 old_tss_sel = 0xffff;
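	/* bit 3 of the TSS descriptor type distinguishes a 32-bit TSS (set)
	   from a 16-bit one (clear) */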
2492 if (next_tss_desc.type & 8)
2493 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2494 old_tss_base, &next_tss_desc);
2496 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2497 old_tss_base, &next_tss_desc);
2498 if (ret != X86EMUL_CONTINUE)
2501 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2502 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2504 if (reason != TASK_SWITCH_IRET) {
2505 next_tss_desc.type |= (1 << 1); /* set busy flag */
2506 write_segment_descriptor(ctxt, ops, tss_selector,
2510 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2511 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2512 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
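	/* push the error code on the new task's stack; operand and address
	   size follow the new TSS type (four bytes for a 32-bit TSS) */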
2514 if (has_error_code) {
2515 struct decode_cache *c = &ctxt->decode;
2517 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2519 c->src.val = (unsigned long) error_code;
2520 emulate_push(ctxt, ops);
2526 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2527 struct x86_emulate_ops *ops,
2528 u16 tss_selector, int reason,
2529 bool has_error_code, u32 error_code)
2531 struct decode_cache *c = &ctxt->decode;
2535 c->dst.type = OP_NONE;
2537 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2538 has_error_code, error_code);
2540 if (rc == X86EMUL_CONTINUE) {
2541 rc = writeback(ctxt, ops);
2542 if (rc == X86EMUL_CONTINUE)
2546 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2549 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2550 int reg, struct operand *op)
2552 struct decode_cache *c = &ctxt->decode;
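	/* EFLAGS.DF picks the direction of string accesses:
	   clear = ascending addresses, set = descending */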
2553 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2555 register_address_increment(c, &c->regs[reg], df * op->bytes);
2556 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2560 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2563 struct decode_cache *c = &ctxt->decode;
2564 int rc = X86EMUL_CONTINUE;
2565 int saved_dst_type = c->dst.type;
2567 ctxt->decode.mem_read.pos = 0;
2569 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2574 /* LOCK prefix is allowed only with some instructions */
2575 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2580 /* Privileged instruction can be executed only in CPL=0 */
2581 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2582 emulate_gp(ctxt, 0);
2586 if (c->rep_prefix && (c->d & String)) {
2587 ctxt->restart = true;
2588 /* All REP prefixes have the same first termination condition */
2589 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2591 ctxt->restart = false;
2595 /* The second termination condition applies only to REPE
2596  * and REPNE. Test whether the repeat string operation prefix
2597  * is REPE/REPZ or REPNE/REPNZ and, if so, check the
2598  * corresponding termination condition:
2599  * - if REPE/REPZ and ZF = 0 then done
2600  * - if REPNE/REPNZ and ZF = 1 then done
2602 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2603 (c->b == 0xae) || (c->b == 0xaf)) {
2604 if ((c->rep_prefix == REPE_PREFIX) &&
2605 ((ctxt->eflags & EFLG_ZF) == 0))
2607 if ((c->rep_prefix == REPNE_PREFIX) &&
2608 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2614 if (c->src.type == OP_MEM) {
2615 rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2616 c->src.valptr, c->src.bytes);
2617 if (rc != X86EMUL_CONTINUE)
2619 c->src.orig_val = c->src.val;
2622 if (c->src2.type == OP_MEM) {
2623 rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
2624 &c->src2.val, c->src2.bytes);
2625 if (rc != X86EMUL_CONTINUE)
2629 if ((c->d & DstMask) == ImplicitOps)
2633 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2634 /* optimisation - avoid slow emulated read if Mov */
2635 rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
2636 &c->dst.val, c->dst.bytes);
2637 if (rc != X86EMUL_CONTINUE)
2640 c->dst.orig_val = c->dst.val;
2650 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2652 case 0x06: /* push es */
2653 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2655 case 0x07: /* pop es */
2656 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2657 if (rc != X86EMUL_CONTINUE)
2662 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2664 case 0x0e: /* push cs */
2665 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2669 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2671 case 0x16: /* push ss */
2672 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2674 case 0x17: /* pop ss */
2675 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2676 if (rc != X86EMUL_CONTINUE)
2681 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2683 case 0x1e: /* push ds */
2684 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2686 case 0x1f: /* pop ds */
2687 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2688 if (rc != X86EMUL_CONTINUE)
2693 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2697 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2701 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2705 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
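	/* note: INC and DEC update the arithmetic flags but, unlike
	   ADD/SUB, leave CF untouched */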
2707 case 0x40 ... 0x47: /* inc r16/r32 */
2708 emulate_1op("inc", c->dst, ctxt->eflags);
2710 case 0x48 ... 0x4f: /* dec r16/r32 */
2711 emulate_1op("dec", c->dst, ctxt->eflags);
2713 case 0x50 ... 0x57: /* push reg */
2714 emulate_push(ctxt, ops);
2716 case 0x58 ... 0x5f: /* pop reg */
2718 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2719 if (rc != X86EMUL_CONTINUE)
2722 case 0x60: /* pusha */
2723 rc = emulate_pusha(ctxt, ops);
2724 if (rc != X86EMUL_CONTINUE)
2727 case 0x61: /* popa */
2728 rc = emulate_popa(ctxt, ops);
2729 if (rc != X86EMUL_CONTINUE)
2732 case 0x63: /* movsxd */
2733 if (ctxt->mode != X86EMUL_MODE_PROT64)
2734 goto cannot_emulate;
2735 c->dst.val = (s32) c->src.val;
2737 case 0x68: /* push imm */
2738 case 0x6a: /* push imm8 */
2739 emulate_push(ctxt, ops);
2741 case 0x6c: /* insb */
2742 case 0x6d: /* insw/insd */
2743 c->dst.bytes = min(c->dst.bytes, 4u);
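		/* port I/O transfers at most 32 bits at a time, even with
		   a 64-bit operand size */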
2744 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2746 emulate_gp(ctxt, 0);
2749 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2750 c->regs[VCPU_REGS_RDX], &c->dst.val))
2751 goto done; /* IO is needed, skip writeback */
2753 case 0x6e: /* outsb */
2754 case 0x6f: /* outsw/outsd */
2755 c->src.bytes = min(c->src.bytes, 4u);
2756 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2758 emulate_gp(ctxt, 0);
2761 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2762 &c->src.val, 1, ctxt->vcpu);
2764 c->dst.type = OP_NONE; /* nothing to writeback */
2766 case 0x70 ... 0x7f: /* jcc (short) */
2767 if (test_cc(c->b, ctxt->eflags))
2768 jmp_rel(c, c->src.val);
2770 case 0x80 ... 0x83: /* Grp1 */
2771 switch (c->modrm_reg) {
2792 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2794 case 0x86 ... 0x87: /* xchg */
2796 /* Write back the register source. */
2797 switch (c->dst.bytes) {
2799 *(u8 *) c->src.ptr = (u8) c->dst.val;
2802 *(u16 *) c->src.ptr = (u16) c->dst.val;
2805 *c->src.ptr = (u32) c->dst.val;
2806 break; /* 64b reg: zero-extend */
2808 *c->src.ptr = c->dst.val;
2812 * Write back the memory destination with implicit LOCK
2815 c->dst.val = c->src.val;
2818 case 0x88 ... 0x8b: /* mov */
2820 case 0x8c: /* mov r/m, sreg */
2821 if (c->modrm_reg > VCPU_SREG_GS) {
2825 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2827 case 0x8d: /* lea r16/r32, m */
2828 c->dst.val = c->modrm_ea;
2830 case 0x8e: { /* mov seg, r/m16 */
2835 if (c->modrm_reg == VCPU_SREG_CS ||
2836 c->modrm_reg > VCPU_SREG_GS) {
2841 if (c->modrm_reg == VCPU_SREG_SS)
2842 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
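		/* the MOV-SS shadow set above inhibits interrupts until the
		   instruction following this one completes */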
2844 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2846 c->dst.type = OP_NONE; /* Disable writeback. */
2849 case 0x8f: /* pop (sole member of Grp1a) */
2850 rc = emulate_grp1a(ctxt, ops);
2851 if (rc != X86EMUL_CONTINUE)
2854 case 0x90: /* nop / xchg r8,rax */
2855 if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
2856 c->dst.type = OP_NONE; /* nop */
2859 case 0x91 ... 0x97: /* xchg reg,rax */
2860 c->src.type = OP_REG;
2861 c->src.bytes = c->op_bytes;
2862 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2863 c->src.val = *(c->src.ptr);
2865 case 0x9c: /* pushf */
2866 c->src.val = (unsigned long) ctxt->eflags;
2867 emulate_push(ctxt, ops);
2869 case 0x9d: /* popf */
2870 c->dst.type = OP_REG;
2871 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2872 c->dst.bytes = c->op_bytes;
2873 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2874 if (rc != X86EMUL_CONTINUE)
2877 case 0xa0 ... 0xa3: /* mov */
2878 case 0xa4 ... 0xa5: /* movs */
2880 case 0xa6 ... 0xa7: /* cmps */
2881 c->dst.type = OP_NONE; /* Disable writeback. */
2882 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2884 case 0xa8 ... 0xa9: /* test ax, imm */
2886 case 0xaa ... 0xab: /* stos */
2887 c->dst.val = c->regs[VCPU_REGS_RAX];
2889 case 0xac ... 0xad: /* lods */
2891 case 0xae ... 0xaf: /* scas */
2892 DPRINTF("Urk! I don't handle SCAS.\n");
2893 goto cannot_emulate;
2894 case 0xb0 ... 0xbf: /* mov r, imm */
2899 case 0xc3: /* ret */
2900 c->dst.type = OP_REG;
2901 c->dst.ptr = &c->eip;
2902 c->dst.bytes = c->op_bytes;
2903 goto pop_instruction;
2904 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2906 c->dst.val = c->src.val;
2908 case 0xcb: /* ret far */
2909 rc = emulate_ret_far(ctxt, ops);
2910 if (rc != X86EMUL_CONTINUE)
2913 case 0xd0 ... 0xd1: /* Grp2 */
2917 case 0xd2 ... 0xd3: /* Grp2 */
2918 c->src.val = c->regs[VCPU_REGS_RCX];
2921 case 0xe4: /* inb */
2924 case 0xe6: /* outb */
2925 case 0xe7: /* out */
2927 case 0xe8: /* call (near) */ {
2928 long int rel = c->src.val;
2929 c->src.val = (unsigned long) c->eip;
2931 emulate_push(ctxt, ops);
2934 case 0xe9: /* jmp rel */
2936 case 0xea: { /* jmp far */
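		/* the immediate far pointer is an op_bytes-sized offset
		   followed by a 16-bit segment selector */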
2939 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2941 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
2945 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2949 jmp: /* jmp rel short */
2950 jmp_rel(c, c->src.val);
2951 c->dst.type = OP_NONE; /* Disable writeback. */
2953 case 0xec: /* in al,dx */
2954 case 0xed: /* in (e/r)ax,dx */
2955 c->src.val = c->regs[VCPU_REGS_RDX];
2957 c->dst.bytes = min(c->dst.bytes, 4u);
2958 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2959 emulate_gp(ctxt, 0);
2962 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
2964 goto done; /* IO is needed */
2966 case 0xee: /* out dx,al */
2967 case 0xef: /* out dx,(e/r)ax */
2968 c->src.val = c->regs[VCPU_REGS_RDX];
2970 c->dst.bytes = min(c->dst.bytes, 4u);
2971 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2972 emulate_gp(ctxt, 0);
2975 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
2977 c->dst.type = OP_NONE; /* Disable writeback. */
2979 case 0xf4: /* hlt */
2980 ctxt->vcpu->arch.halt_request = 1;
2982 case 0xf5: /* cmc */
2983 /* complement carry flag from eflags reg */
2984 ctxt->eflags ^= EFLG_CF;
2985 c->dst.type = OP_NONE; /* Disable writeback. */
2987 case 0xf6 ... 0xf7: /* Grp3 */
2988 if (!emulate_grp3(ctxt, ops))
2989 goto cannot_emulate;
2991 case 0xf8: /* clc */
2992 ctxt->eflags &= ~EFLG_CF;
2993 c->dst.type = OP_NONE; /* Disable writeback. */
2995 case 0xfa: /* cli */
2996 if (emulator_bad_iopl(ctxt, ops)) {
2997 emulate_gp(ctxt, 0);
3000 ctxt->eflags &= ~X86_EFLAGS_IF;
3001 c->dst.type = OP_NONE; /* Disable writeback. */
3004 case 0xfb: /* sti */
3005 if (emulator_bad_iopl(ctxt, ops)) {
3006 emulate_gp(ctxt, 0);
3009 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
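		/* the STI shadow set above defers interrupts until after the
		   next instruction */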
3010 ctxt->eflags |= X86_EFLAGS_IF;
3011 c->dst.type = OP_NONE; /* Disable writeback. */
3014 case 0xfc: /* cld */
3015 ctxt->eflags &= ~EFLG_DF;
3016 c->dst.type = OP_NONE; /* Disable writeback. */
3018 case 0xfd: /* std */
3019 ctxt->eflags |= EFLG_DF;
3020 c->dst.type = OP_NONE; /* Disable writeback. */
3022 case 0xfe: /* Grp4 */
3024 rc = emulate_grp45(ctxt, ops);
3025 if (rc != X86EMUL_CONTINUE)
3028 case 0xff: /* Grp5 */
3029 if (c->modrm_reg == 5)
3035 rc = writeback(ctxt, ops);
3036 if (rc != X86EMUL_CONTINUE)
3040 * restore dst type in case the decode is reused
3041 * (happens for string instructions)
3043 c->dst.type = saved_dst_type;
3045 if ((c->d & SrcMask) == SrcSI)
3046 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3047 VCPU_REGS_RSI, &c->src);
3049 if ((c->d & DstMask) == DstDI)
3050 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3053 if (c->rep_prefix && (c->d & String)) {
3054 struct read_cache *rc = &ctxt->decode.io_read;
3055 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3057 * Re-enter the guest when the pio read-ahead buffer is empty or,
3058 * if it is not used, after every 1024 iterations.
3060 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3061 (rc->end != 0 && rc->end == rc->pos))
3062 ctxt->restart = false;
3065 * reset the read cache here in case the string instruction is restarted
3068 ctxt->decode.mem_read.end = 0;
3072 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3076 case 0x01: /* lgdt, lidt, lmsw */
3077 switch (c->modrm_reg) {
3079 unsigned long address;
3081 case 0: /* vmcall */
3082 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3083 goto cannot_emulate;
3085 rc = kvm_fix_hypercall(ctxt->vcpu);
3086 if (rc != X86EMUL_CONTINUE)
3089 /* Let the processor re-execute the fixed hypercall */
3091 /* Disable writeback. */
3092 c->dst.type = OP_NONE;
3095 rc = read_descriptor(ctxt, ops, c->src.ptr,
3096 &size, &address, c->op_bytes);
3097 if (rc != X86EMUL_CONTINUE)
3099 realmode_lgdt(ctxt->vcpu, size, address);
3100 /* Disable writeback. */
3101 c->dst.type = OP_NONE;
3103 case 3: /* lidt/vmmcall */
3104 if (c->modrm_mod == 3) {
3105 switch (c->modrm_rm) {
3107 rc = kvm_fix_hypercall(ctxt->vcpu);
3108 if (rc != X86EMUL_CONTINUE)
3112 goto cannot_emulate;
3115 rc = read_descriptor(ctxt, ops, c->src.ptr,
3118 if (rc != X86EMUL_CONTINUE)
3120 realmode_lidt(ctxt->vcpu, size, address);
3122 /* Disable writeback. */
3123 c->dst.type = OP_NONE;
3127 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3130 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3131 (c->src.val & 0x0f), ctxt->vcpu);
3132 c->dst.type = OP_NONE;
3134 case 5: /* not defined */
3138 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3139 /* Disable writeback. */
3140 c->dst.type = OP_NONE;
3143 goto cannot_emulate;
3146 case 0x05: /* syscall */
3147 rc = emulate_syscall(ctxt, ops);
3148 if (rc != X86EMUL_CONTINUE)
3154 emulate_clts(ctxt->vcpu);
3155 c->dst.type = OP_NONE;
3157 case 0x09: /* wbinvd */
3158 kvm_emulate_wbinvd(ctxt->vcpu);
3159 c->dst.type = OP_NONE;
3161 case 0x08: /* invd */
3162 case 0x0d: /* GrpP (prefetch) */
3163 case 0x18: /* Grp16 (prefetch/nop) */
3164 c->dst.type = OP_NONE;
3166 case 0x20: /* mov cr, reg */
3167 switch (c->modrm_reg) {
3174 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3175 c->dst.type = OP_NONE; /* no writeback */
3177 case 0x21: /* mov from dr to reg */
3178 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3179 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3183 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3184 c->dst.type = OP_NONE; /* no writeback */
3186 case 0x22: /* mov reg, cr */
3187 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3188 emulate_gp(ctxt, 0);
3191 c->dst.type = OP_NONE;
3193 case 0x23: /* mov from reg to dr */
3194 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3195 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3200 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3201 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3202 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3203 /* #UD condition is already handled by the code above */
3204 emulate_gp(ctxt, 0);
3208 c->dst.type = OP_NONE; /* no writeback */
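		/* wrmsr: write EDX:EAX into the MSR selected by ECX */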
3212 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3213 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3214 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3215 emulate_gp(ctxt, 0);
3218 rc = X86EMUL_CONTINUE;
3219 c->dst.type = OP_NONE;
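		/* rdmsr: read the MSR selected by ECX into EDX:EAX */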
3223 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3224 emulate_gp(ctxt, 0);
3227 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3228 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3230 rc = X86EMUL_CONTINUE;
3231 c->dst.type = OP_NONE;
3233 case 0x34: /* sysenter */
3234 rc = emulate_sysenter(ctxt, ops);
3235 if (rc != X86EMUL_CONTINUE)
3240 case 0x35: /* sysexit */
3241 rc = emulate_sysexit(ctxt, ops);
3242 if (rc != X86EMUL_CONTINUE)
3247 case 0x40 ... 0x4f: /* cmov */
3248 c->dst.val = c->dst.orig_val = c->src.val;
3249 if (!test_cc(c->b, ctxt->eflags))
3250 c->dst.type = OP_NONE; /* no writeback */
3252 case 0x80 ... 0x8f: /* jnz rel, etc. */
3253 if (test_cc(c->b, ctxt->eflags))
3254 jmp_rel(c, c->src.val);
3255 c->dst.type = OP_NONE;
3257 case 0xa0: /* push fs */
3258 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3260 case 0xa1: /* pop fs */
3261 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3262 if (rc != X86EMUL_CONTINUE)
3267 c->dst.type = OP_NONE;
3268 /* only subword offset */
3269 c->src.val &= (c->dst.bytes << 3) - 1;
3270 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3272 case 0xa4: /* shld imm8, r, r/m */
3273 case 0xa5: /* shld cl, r, r/m */
3274 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3276 case 0xa8: /* push gs */
3277 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3279 case 0xa9: /* pop gs */
3280 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3281 if (rc != X86EMUL_CONTINUE)
3286 /* only subword offset */
3287 c->src.val &= (c->dst.bytes << 3) - 1;
3288 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3290 case 0xac: /* shrd imm8, r, r/m */
3291 case 0xad: /* shrd cl, r, r/m */
3292 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3294 case 0xae: /* clflush */
3296 case 0xb0 ... 0xb1: /* cmpxchg */
3298 * Save real source value, then compare EAX against
3301 c->src.orig_val = c->src.val;
3302 c->src.val = c->regs[VCPU_REGS_RAX];
3303 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3304 if (ctxt->eflags & EFLG_ZF) {
3305 /* Success: write back to memory. */
3306 c->dst.val = c->src.orig_val;
3308 /* Failure: write the value we saw to EAX. */
3309 c->dst.type = OP_REG;
3310 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3315 /* only subword offset */
3316 c->src.val &= (c->dst.bytes << 3) - 1;
3317 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3319 case 0xb6 ... 0xb7: /* movzx */
3320 c->dst.bytes = c->op_bytes;
3321 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3324 case 0xba: /* Grp8 */
3325 switch (c->modrm_reg & 3) {
3338 /* only subword offset */
3339 c->src.val &= (c->dst.bytes << 3) - 1;
3340 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3342 case 0xbe ... 0xbf: /* movsx */
3343 c->dst.bytes = c->op_bytes;
3344 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3347 case 0xc3: /* movnti */
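		/* the non-temporal store hint is irrelevant under emulation;
		   movnti is handled as a plain store */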
3348 c->dst.bytes = c->op_bytes;
3349 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3352 case 0xc7: /* Grp9 (cmpxchg8b) */
3353 rc = emulate_grp9(ctxt, ops);
3354 if (rc != X86EMUL_CONTINUE)
3361 DPRINTF("Cannot emulate %02x\n", c->b);