1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
35 #define OpImplicit 1ull /* No generic decode */
36 #define OpReg 2ull /* Register */
37 #define OpMem 3ull /* Memory */
38 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
39 #define OpDI 5ull /* ES:DI/EDI/RDI */
40 #define OpMem64 6ull /* Memory, 64-bit */
41 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
42 #define OpDX 8ull /* DX register */
43 #define OpCL 9ull /* CL register (for shifts) */
44 #define OpImmByte 10ull /* 8-bit sign extended immediate */
45 #define OpOne 11ull /* Implied 1 */
46 #define OpImm 12ull /* Sign extended immediate */
47 #define OpMem16 13ull /* Memory operand (16-bit). */
48 #define OpMem32 14ull /* Memory operand (32-bit). */
49 #define OpImmU 15ull /* Immediate operand, zero extended */
50 #define OpSI 16ull /* SI/ESI/RSI */
51 #define OpImmFAddr 17ull /* Immediate far address */
52 #define OpMemFAddr 18ull /* Far address in memory */
53 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
54 #define OpES 20ull /* ES */
55 #define OpCS 21ull /* CS */
56 #define OpSS 22ull /* SS */
57 #define OpDS 23ull /* DS */
58 #define OpFS 24ull /* FS */
59 #define OpGS 25ull /* GS */
60 #define OpMem8 26ull /* 8-bit zero extended memory operand */
62 #define OpBits 5 /* Width of operand field */
63 #define OpMask ((1ull << OpBits) - 1)
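/*
 * Worked example (an illustrative sketch, not part of the original file):
 * each operand slot of the 64-bit opcode descriptor holds one of the Op*
 * codes above in a 5-bit field, so a decoder recovers a slot with a shift
 * and a mask, using the DstShift/SrcShift counts from the Dst and Src
 * macros below:
 *
 *	u64 d = DstMem | SrcReg | ModRM;
 *	unsigned dst = (d >> DstShift) & OpMask;	// == OpMem
 *	unsigned src = (d >> SrcShift) & OpMask;	// == OpReg
 */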
66 * Opcode effective-address decode tables.
67 * Note that we only emulate instructions that have at least one memory
68 * operand (excluding implicit stack references). We assume that stack
69 * references and instruction fetches will never occur in special memory
70 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
71 * not be handled.
74 /* Operand sizes: 8-bit operands or specified/overridden size. */
75 #define ByteOp (1<<0) /* 8-bit operands. */
76 /* Destination operand type. */
78 #define ImplicitOps (OpImplicit << DstShift)
79 #define DstReg (OpReg << DstShift)
80 #define DstMem (OpMem << DstShift)
81 #define DstAcc (OpAcc << DstShift)
82 #define DstDI (OpDI << DstShift)
83 #define DstMem64 (OpMem64 << DstShift)
84 #define DstImmUByte (OpImmUByte << DstShift)
85 #define DstDX (OpDX << DstShift)
86 #define DstMask (OpMask << DstShift)
87 /* Source operand type. */
89 #define SrcNone (OpNone << SrcShift)
90 #define SrcReg (OpReg << SrcShift)
91 #define SrcMem (OpMem << SrcShift)
92 #define SrcMem16 (OpMem16 << SrcShift)
93 #define SrcMem32 (OpMem32 << SrcShift)
94 #define SrcImm (OpImm << SrcShift)
95 #define SrcImmByte (OpImmByte << SrcShift)
96 #define SrcOne (OpOne << SrcShift)
97 #define SrcImmUByte (OpImmUByte << SrcShift)
98 #define SrcImmU (OpImmU << SrcShift)
99 #define SrcSI (OpSI << SrcShift)
100 #define SrcImmFAddr (OpImmFAddr << SrcShift)
101 #define SrcMemFAddr (OpMemFAddr << SrcShift)
102 #define SrcAcc (OpAcc << SrcShift)
103 #define SrcImmU16 (OpImmU16 << SrcShift)
104 #define SrcDX (OpDX << SrcShift)
105 #define SrcMem8 (OpMem8 << SrcShift)
106 #define SrcMask (OpMask << SrcShift)
107 #define BitOp (1<<11)
108 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
109 #define String (1<<13) /* String instruction (rep capable) */
110 #define Stack (1<<14) /* Stack instruction (push/pop) */
111 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
112 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
113 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
114 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
115 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
116 #define Sse (1<<18) /* SSE Vector instruction */
117 /* Generic ModRM decode. */
118 #define ModRM (1<<19)
119 /* Destination is only written; never read. */
122 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
123 #define VendorSpecific (1<<22) /* Vendor specific instruction */
124 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
125 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
126 #define Undefined (1<<25) /* No Such Instruction */
127 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
128 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
130 #define PageTable (1 << 29) /* instruction used to write page table */
131 /* Source 2 operand type */
132 #define Src2Shift (30)
133 #define Src2None (OpNone << Src2Shift)
134 #define Src2CL (OpCL << Src2Shift)
135 #define Src2ImmByte (OpImmByte << Src2Shift)
136 #define Src2One (OpOne << Src2Shift)
137 #define Src2Imm (OpImm << Src2Shift)
138 #define Src2ES (OpES << Src2Shift)
139 #define Src2CS (OpCS << Src2Shift)
140 #define Src2SS (OpSS << Src2Shift)
141 #define Src2DS (OpDS << Src2Shift)
142 #define Src2FS (OpFS << Src2Shift)
143 #define Src2GS (OpGS << Src2Shift)
144 #define Src2Mask (OpMask << Src2Shift)
145 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
146 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
147 #define Unaligned ((u64)1 << 42) /* Explicitly unaligned (e.g. MOVDQU) */
148 #define Avx ((u64)1 << 43) /* Advanced Vector Extensions */
150 #define X2(x...) x, x
151 #define X3(x...) X2(x), x
152 #define X4(x...) X2(x), X2(x)
153 #define X5(x...) X4(x), x
154 #define X6(x...) X4(x), X2(x)
155 #define X7(x...) X4(x), X3(x)
156 #define X8(x...) X4(x), X4(x)
157 #define X16(x...) X8(x), X8(x)
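/*
 * Usage sketch (assumption: D() wraps a flags word into a struct opcode,
 * as in the opcode tables further down): X16(D(Undefined)) expands to
 * sixteen identical initializers, so an entire row of a 256-entry opcode
 * table can be declared on one line.
 */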
163 int (*execute)(struct x86_emulate_ctxt *ctxt);
164 struct opcode *group;
165 struct group_dual *gdual;
166 struct gprefix *gprefix;
168 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
172 struct opcode mod012[8];
173 struct opcode mod3[8];
177 struct opcode pfx_no;
178 struct opcode pfx_66;
179 struct opcode pfx_f2;
180 struct opcode pfx_f3;
183 /* EFLAGS bit definitions. */
184 #define EFLG_ID (1<<21)
185 #define EFLG_VIP (1<<20)
186 #define EFLG_VIF (1<<19)
187 #define EFLG_AC (1<<18)
188 #define EFLG_VM (1<<17)
189 #define EFLG_RF (1<<16)
190 #define EFLG_IOPL (3<<12)
191 #define EFLG_NT (1<<14)
192 #define EFLG_OF (1<<11)
193 #define EFLG_DF (1<<10)
194 #define EFLG_IF (1<<9)
195 #define EFLG_TF (1<<8)
196 #define EFLG_SF (1<<7)
197 #define EFLG_ZF (1<<6)
198 #define EFLG_AF (1<<4)
199 #define EFLG_PF (1<<2)
200 #define EFLG_CF (1<<0)
202 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
203 #define EFLG_RESERVED_ONE_MASK 2
206 * Instruction emulation:
207 * Most instructions are emulated directly via a fragment of inline assembly
208 * code. This allows us to save/restore EFLAGS and thus very easily pick up
209 * any modified flags.
212 #if defined(CONFIG_X86_64)
213 #define _LO32 "k" /* force 32-bit operand */
214 #define _STK "%%rsp" /* stack pointer */
215 #elif defined(__i386__)
216 #define _LO32 "" /* force 32-bit operand */
217 #define _STK "%%esp" /* stack pointer */
221 * These EFLAGS bits are restored from saved value during emulation, and
222 * any changes are written back to the saved value after emulation.
224 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
226 /* Before executing instruction: restore necessary bits in EFLAGS. */
227 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
228 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
229 "movl %"_sav",%"_LO32 _tmp"; " \
232 "movl %"_msk",%"_LO32 _tmp"; " \
233 "andl %"_LO32 _tmp",("_STK"); " \
235 "notl %"_LO32 _tmp"; " \
236 "andl %"_LO32 _tmp",("_STK"); " \
237 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
239 "orl %"_LO32 _tmp",("_STK"); " \
243 /* After executing instruction: write-back necessary bits in EFLAGS. */
244 #define _POST_EFLAGS(_sav, _msk, _tmp) \
245 /* _sav |= EFLAGS & _msk; */ \
248 "andl %"_msk",%"_LO32 _tmp"; " \
249 "orl %"_LO32 _tmp",%"_sav"; "
257 #define ____emulate_2op(ctxt, _op, _x, _y, _suffix, _dsttype) \
259 __asm__ __volatile__ ( \
260 _PRE_EFLAGS("0", "4", "2") \
261 _op _suffix " %"_x"3,%1; " \
262 _POST_EFLAGS("0", "4", "2") \
263 : "=m" ((ctxt)->eflags), \
264 "+q" (*(_dsttype*)&(ctxt)->dst.val), \
266 : _y ((ctxt)->src.val), "i" (EFLAGS_MASK)); \
270 /* Raw emulation: instruction has two explicit operands. */
271 #define __emulate_2op_nobyte(ctxt,_op,_wx,_wy,_lx,_ly,_qx,_qy) \
273 unsigned long _tmp; \
275 switch ((ctxt)->dst.bytes) { \
277 ____emulate_2op(ctxt,_op,_wx,_wy,"w",u16); \
280 ____emulate_2op(ctxt,_op,_lx,_ly,"l",u32); \
283 ON64(____emulate_2op(ctxt,_op,_qx,_qy,"q",u64)); \
288 #define __emulate_2op(ctxt,_op,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
290 unsigned long _tmp; \
291 switch ((ctxt)->dst.bytes) { \
293 ____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \
296 __emulate_2op_nobyte(ctxt, _op, \
297 _wx, _wy, _lx, _ly, _qx, _qy); \
302 /* Source operand is byte-sized and may be restricted to just %cl. */
303 #define emulate_2op_SrcB(ctxt, _op) \
304 __emulate_2op(ctxt, _op, "b", "c", "b", "c", "b", "c", "b", "c")
306 /* Source operand is byte, word, long or quad sized. */
307 #define emulate_2op_SrcV(ctxt, _op) \
308 __emulate_2op(ctxt, _op, "b", "q", "w", "r", _LO32, "r", "", "r")
310 /* Source operand is word, long or quad sized. */
311 #define emulate_2op_SrcV_nobyte(ctxt, _op) \
312 __emulate_2op_nobyte(ctxt, _op, "w", "r", _LO32, "r", "", "r")
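/*
 * Example use (a sketch; the real call sites are in the opcode handlers
 * below): emulating a 32-bit "add" picks the "l" suffix from dst.bytes
 * and runs the host instruction on the guest's operand values:
 *
 *	ctxt->dst.bytes = 4;
 *	emulate_2op_SrcV(ctxt, "add");	// dst.val += src.val, flags captured
 */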
314 /* Instruction has three operands and one operand is stored in ECX register */
315 #define __emulate_2op_cl(ctxt, _op, _suffix, _type) \
317 unsigned long _tmp; \
318 _type _clv = (ctxt)->src2.val; \
319 _type _srcv = (ctxt)->src.val; \
320 _type _dstv = (ctxt)->dst.val; \
322 __asm__ __volatile__ ( \
323 _PRE_EFLAGS("0", "5", "2") \
324 _op _suffix " %4,%1 \n" \
325 _POST_EFLAGS("0", "5", "2") \
326 : "=m" ((ctxt)->eflags), "+r" (_dstv), "=&r" (_tmp) \
327 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
330 (ctxt)->src2.val = (unsigned long) _clv; \
331 (ctxt)->src.val = (unsigned long) _srcv; \
332 (ctxt)->dst.val = (unsigned long) _dstv; \
335 #define emulate_2op_cl(ctxt, _op) \
337 switch ((ctxt)->dst.bytes) { \
339 __emulate_2op_cl(ctxt, _op, "w", u16); \
342 __emulate_2op_cl(ctxt, _op, "l", u32); \
345 ON64(__emulate_2op_cl(ctxt, _op, "q", ulong)); \
350 #define __emulate_1op(ctxt, _op, _suffix) \
352 unsigned long _tmp; \
354 __asm__ __volatile__ ( \
355 _PRE_EFLAGS("0", "3", "2") \
356 _op _suffix " %1; " \
357 _POST_EFLAGS("0", "3", "2") \
358 : "=m" ((ctxt)->eflags), "+m" ((ctxt)->dst.val), \
360 : "i" (EFLAGS_MASK)); \
363 /* Instruction has only one explicit operand (no source operand). */
364 #define emulate_1op(ctxt, _op) \
366 switch ((ctxt)->dst.bytes) { \
367 case 1: __emulate_1op(ctxt, _op, "b"); break; \
368 case 2: __emulate_1op(ctxt, _op, "w"); break; \
369 case 4: __emulate_1op(ctxt, _op, "l"); break; \
370 case 8: ON64(__emulate_1op(ctxt, _op, "q")); break; \
374 #define __emulate_1op_rax_rdx(ctxt, _op, _suffix, _ex) \
376 unsigned long _tmp; \
377 ulong *rax = &(ctxt)->regs[VCPU_REGS_RAX]; \
378 ulong *rdx = &(ctxt)->regs[VCPU_REGS_RDX]; \
380 __asm__ __volatile__ ( \
381 _PRE_EFLAGS("0", "5", "1") \
383 _op _suffix " %6; " \
385 _POST_EFLAGS("0", "5", "1") \
386 ".pushsection .fixup,\"ax\" \n\t" \
387 "3: movb $1, %4 \n\t" \
390 _ASM_EXTABLE(1b, 3b) \
391 : "=m" ((ctxt)->eflags), "=&r" (_tmp), \
392 "+a" (*rax), "+d" (*rdx), "+qm"(_ex) \
393 : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val), \
394 "a" (*rax), "d" (*rdx)); \
397 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
398 #define emulate_1op_rax_rdx(ctxt, _op, _ex) \
400 switch((ctxt)->src.bytes) { \
402 __emulate_1op_rax_rdx(ctxt, _op, "b", _ex); \
405 __emulate_1op_rax_rdx(ctxt, _op, "w", _ex); \
408 __emulate_1op_rax_rdx(ctxt, _op, "l", _ex); \
411 __emulate_1op_rax_rdx(ctxt, _op, "q", _ex)); \
416 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
417 enum x86_intercept intercept,
418 enum x86_intercept_stage stage)
420 struct x86_instruction_info info = {
421 .intercept = intercept,
422 .rep_prefix = ctxt->rep_prefix,
423 .modrm_mod = ctxt->modrm_mod,
424 .modrm_reg = ctxt->modrm_reg,
425 .modrm_rm = ctxt->modrm_rm,
426 .src_val = ctxt->src.val64,
427 .src_bytes = ctxt->src.bytes,
428 .dst_bytes = ctxt->dst.bytes,
429 .ad_bytes = ctxt->ad_bytes,
430 .next_rip = ctxt->eip,
433 return ctxt->ops->intercept(ctxt, &info, stage);
436 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
438 return (1UL << (ctxt->ad_bytes << 3)) - 1;
441 /* Access/update address held in a register, based on addressing mode. */
442 static inline unsigned long
443 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
445 if (ctxt->ad_bytes == sizeof(unsigned long))
448 return reg & ad_mask(ctxt);
451 static inline unsigned long
452 register_address(struct x86_emulate_ctxt *ctxt, unsigned long reg)
454 return address_mask(ctxt, reg);
458 register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, int inc)
460 if (ctxt->ad_bytes == sizeof(unsigned long))
463 *reg = (*reg & ~ad_mask(ctxt)) | ((*reg + inc) & ad_mask(ctxt));
466 static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
468 register_address_increment(ctxt, &ctxt->_eip, rel);
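/*
 * Worked example: with a 16-bit address size (ad_bytes == 2) only the low
 * 16 bits of _eip move, so IP wraps rather than spilling into EIP:
 *
 *	_eip = 0xfff0, rel = 0x20  ->  _eip = 0x0010, not 0x10010
 */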
471 static u32 desc_limit_scaled(struct desc_struct *desc)
473 u32 limit = get_desc_limit(desc);
475 return desc->g ? (limit << 12) | 0xfff : limit;
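/*
 * Worked example: a flat 4GB segment is encoded with limit = 0xfffff and
 * g = 1, which scales to (0xfffff << 12) | 0xfff == 0xffffffff.
 */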
478 static void set_seg_override(struct x86_emulate_ctxt *ctxt, int seg)
480 ctxt->has_seg_override = true;
481 ctxt->seg_override = seg;
484 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
486 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
489 return ctxt->ops->get_cached_segment_base(ctxt, seg);
492 static unsigned seg_override(struct x86_emulate_ctxt *ctxt)
494 if (!ctxt->has_seg_override)
497 return ctxt->seg_override;
500 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
501 u32 error, bool valid)
503 ctxt->exception.vector = vec;
504 ctxt->exception.error_code = error;
505 ctxt->exception.error_code_valid = valid;
506 return X86EMUL_PROPAGATE_FAULT;
509 static int emulate_db(struct x86_emulate_ctxt *ctxt)
511 return emulate_exception(ctxt, DB_VECTOR, 0, false);
514 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
516 return emulate_exception(ctxt, GP_VECTOR, err, true);
519 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
521 return emulate_exception(ctxt, SS_VECTOR, err, true);
524 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
526 return emulate_exception(ctxt, UD_VECTOR, 0, false);
529 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
531 return emulate_exception(ctxt, TS_VECTOR, err, true);
534 static int emulate_de(struct x86_emulate_ctxt *ctxt)
536 return emulate_exception(ctxt, DE_VECTOR, 0, false);
539 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
541 return emulate_exception(ctxt, NM_VECTOR, 0, false);
544 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
547 struct desc_struct desc;
549 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
553 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
558 struct desc_struct desc;
560 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
561 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
565 * x86 defines three classes of vector instructions: explicitly
566 * aligned, explicitly unaligned, and the rest, which change behaviour
567 * depending on whether they're AVX encoded or not.
569 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
570 * subject to the same check.
572 static bool insn_aligned(struct x86_emulate_ctxt *ctxt, unsigned size)
574 if (likely(size < 16))
577 if (ctxt->d & Aligned)
579 else if (ctxt->d & Unaligned)
581 else if (ctxt->d & Avx)
587 static int __linearize(struct x86_emulate_ctxt *ctxt,
588 struct segmented_address addr,
589 unsigned size, bool write, bool fetch,
592 struct desc_struct desc;
599 la = seg_base(ctxt, addr.seg) + addr.ea;
600 switch (ctxt->mode) {
601 case X86EMUL_MODE_REAL:
603 case X86EMUL_MODE_PROT64:
604 if (((signed long)la << 16) >> 16 != la)
605 return emulate_gp(ctxt, 0);
608 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
612 /* code segment or read-only data segment */
613 if (((desc.type & 8) || !(desc.type & 2)) && write)
615 /* unreadable code segment */
616 if (!fetch && (desc.type & 8) && !(desc.type & 2))
618 lim = desc_limit_scaled(&desc);
619 if ((desc.type & 8) || !(desc.type & 4)) {
620 /* expand-up segment */
621 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
624 /* expand-down segment */
625 if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
627 lim = desc.d ? 0xffffffff : 0xffff;
628 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
631 cpl = ctxt->ops->cpl(ctxt);
634 if (!(desc.type & 8)) {
638 } else if ((desc.type & 8) && !(desc.type & 4)) {
639 /* nonconforming code segment */
642 } else if ((desc.type & 8) && (desc.type & 4)) {
643 /* conforming code segment */
649 if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : ctxt->ad_bytes != 8)
651 if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
652 return emulate_gp(ctxt, 0);
654 return X86EMUL_CONTINUE;
656 if (addr.seg == VCPU_SREG_SS)
657 return emulate_ss(ctxt, addr.seg);
659 return emulate_gp(ctxt, addr.seg);
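/*
 * Worked example of the expand-up limit check above: for a segment whose
 * scaled limit is 0xffff, an access at ea = 0xfffe with size = 4 fails
 * because (u32)(0xfffe + 4 - 1) = 0x10001 > 0xffff, so a #GP (or #SS for
 * stack-segment accesses) is raised here.
 */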
662 static int linearize(struct x86_emulate_ctxt *ctxt,
663 struct segmented_address addr,
664 unsigned size, bool write,
667 return __linearize(ctxt, addr, size, write, false, linear);
671 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
672 struct segmented_address addr,
679 rc = linearize(ctxt, addr, size, false, &linear);
680 if (rc != X86EMUL_CONTINUE)
682 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
686 * Fetch the next byte of the instruction being emulated which is pointed to
687 * by ctxt->_eip, then increment ctxt->_eip.
689 * Also prefetch the remaining bytes of the instruction without crossing a
690 * page boundary if they are not in the fetch_cache yet.
692 static int do_insn_fetch_byte(struct x86_emulate_ctxt *ctxt, u8 *dest)
694 struct fetch_cache *fc = &ctxt->fetch;
698 if (ctxt->_eip == fc->end) {
699 unsigned long linear;
700 struct segmented_address addr = { .seg = VCPU_SREG_CS,
702 cur_size = fc->end - fc->start;
703 size = min(15UL - cur_size,
704 PAGE_SIZE - offset_in_page(ctxt->_eip));
705 rc = __linearize(ctxt, addr, size, false, true, &linear);
706 if (unlikely(rc != X86EMUL_CONTINUE))
708 rc = ctxt->ops->fetch(ctxt, linear, fc->data + cur_size,
709 size, &ctxt->exception);
710 if (unlikely(rc != X86EMUL_CONTINUE))
714 *dest = fc->data[ctxt->_eip - fc->start];
716 return X86EMUL_CONTINUE;
719 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
720 void *dest, unsigned size)
724 /* x86 instructions are limited to 15 bytes. */
725 if (unlikely(ctxt->_eip + size - ctxt->eip > 15))
726 return X86EMUL_UNHANDLEABLE;
728 rc = do_insn_fetch_byte(ctxt, dest++);
729 if (rc != X86EMUL_CONTINUE)
732 return X86EMUL_CONTINUE;
735 /* Fetch next part of the instruction being emulated. */
736 #define insn_fetch(_type, _ctxt) \
737 ({ unsigned long _x; \
738 rc = do_insn_fetch(_ctxt, &_x, sizeof(_type)); \
739 if (rc != X86EMUL_CONTINUE) \
744 #define insn_fetch_arr(_arr, _size, _ctxt) \
745 ({ rc = do_insn_fetch(_ctxt, _arr, (_size)); \
746 if (rc != X86EMUL_CONTINUE) \
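/*
 * Callers must have a local 'int rc' and a 'done' label in scope; on a
 * failed fetch the macro bails out there with rc set.  Typical use, as
 * in decode_modrm() below:
 *
 *	ctxt->modrm = insn_fetch(u8, ctxt);
 */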
751 * Given the 'reg' portion of a ModRM byte, and a register block, return a
752 * pointer into the block that addresses the relevant register.
753 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
755 static void *decode_register(u8 modrm_reg, unsigned long *regs,
760 p = &regs[modrm_reg];
761 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
762 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
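/*
 * Worked example: with highbyte_regs set (byte operand, no REX prefix),
 * modrm_reg == 4 selects AH, i.e. byte 1 of regs[4 & 3] ==
 * regs[VCPU_REGS_RAX] on little-endian x86.  With a REX prefix
 * (highbyte_regs == 0) the same encoding selects the low byte of
 * regs[4] instead (SPL).
 */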
766 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
767 struct segmented_address addr,
768 u16 *size, unsigned long *address, int op_bytes)
775 rc = segmented_read_std(ctxt, addr, size, 2);
776 if (rc != X86EMUL_CONTINUE)
779 rc = segmented_read_std(ctxt, addr, address, op_bytes);
783 static int test_cc(unsigned int condition, unsigned int flags)
787 switch ((condition & 15) >> 1) {
789 rc |= (flags & EFLG_OF);
791 case 1: /* b/c/nae */
792 rc |= (flags & EFLG_CF);
795 rc |= (flags & EFLG_ZF);
798 rc |= (flags & (EFLG_CF|EFLG_ZF));
801 rc |= (flags & EFLG_SF);
804 rc |= (flags & EFLG_PF);
807 rc |= (flags & EFLG_ZF);
810 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
814 /* Odd condition identifiers (lsb == 1) have inverted sense. */
815 return (!!rc ^ (condition & 1));
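/*
 * Worked example: jnz/jne encodes condition 0x5.  (5 & 15) >> 1 == 2
 * selects the EFLG_ZF case, and the set lsb inverts the sense, so the
 * branch is taken exactly when ZF is clear.
 */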
818 static void fetch_register_operand(struct operand *op)
822 op->val = *(u8 *)op->addr.reg;
825 op->val = *(u16 *)op->addr.reg;
828 op->val = *(u32 *)op->addr.reg;
831 op->val = *(u64 *)op->addr.reg;
836 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
838 ctxt->ops->get_fpu(ctxt);
840 case 0: asm("movdqu %%xmm0, %0" : "=m"(*data)); break;
841 case 1: asm("movdqu %%xmm1, %0" : "=m"(*data)); break;
842 case 2: asm("movdqu %%xmm2, %0" : "=m"(*data)); break;
843 case 3: asm("movdqu %%xmm3, %0" : "=m"(*data)); break;
844 case 4: asm("movdqu %%xmm4, %0" : "=m"(*data)); break;
845 case 5: asm("movdqu %%xmm5, %0" : "=m"(*data)); break;
846 case 6: asm("movdqu %%xmm6, %0" : "=m"(*data)); break;
847 case 7: asm("movdqu %%xmm7, %0" : "=m"(*data)); break;
849 case 8: asm("movdqu %%xmm8, %0" : "=m"(*data)); break;
850 case 9: asm("movdqu %%xmm9, %0" : "=m"(*data)); break;
851 case 10: asm("movdqu %%xmm10, %0" : "=m"(*data)); break;
852 case 11: asm("movdqu %%xmm11, %0" : "=m"(*data)); break;
853 case 12: asm("movdqu %%xmm12, %0" : "=m"(*data)); break;
854 case 13: asm("movdqu %%xmm13, %0" : "=m"(*data)); break;
855 case 14: asm("movdqu %%xmm14, %0" : "=m"(*data)); break;
856 case 15: asm("movdqu %%xmm15, %0" : "=m"(*data)); break;
860 ctxt->ops->put_fpu(ctxt);
863 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
866 ctxt->ops->get_fpu(ctxt);
868 case 0: asm("movdqu %0, %%xmm0" : : "m"(*data)); break;
869 case 1: asm("movdqu %0, %%xmm1" : : "m"(*data)); break;
870 case 2: asm("movdqu %0, %%xmm2" : : "m"(*data)); break;
871 case 3: asm("movdqu %0, %%xmm3" : : "m"(*data)); break;
872 case 4: asm("movdqu %0, %%xmm4" : : "m"(*data)); break;
873 case 5: asm("movdqu %0, %%xmm5" : : "m"(*data)); break;
874 case 6: asm("movdqu %0, %%xmm6" : : "m"(*data)); break;
875 case 7: asm("movdqu %0, %%xmm7" : : "m"(*data)); break;
877 case 8: asm("movdqu %0, %%xmm8" : : "m"(*data)); break;
878 case 9: asm("movdqu %0, %%xmm9" : : "m"(*data)); break;
879 case 10: asm("movdqu %0, %%xmm10" : : "m"(*data)); break;
880 case 11: asm("movdqu %0, %%xmm11" : : "m"(*data)); break;
881 case 12: asm("movdqu %0, %%xmm12" : : "m"(*data)); break;
882 case 13: asm("movdqu %0, %%xmm13" : : "m"(*data)); break;
883 case 14: asm("movdqu %0, %%xmm14" : : "m"(*data)); break;
884 case 15: asm("movdqu %0, %%xmm15" : : "m"(*data)); break;
888 ctxt->ops->put_fpu(ctxt);
891 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
893 ctxt->ops->get_fpu(ctxt);
895 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
896 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
897 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
898 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
899 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
900 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
901 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
902 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
905 ctxt->ops->put_fpu(ctxt);
908 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
910 ctxt->ops->get_fpu(ctxt);
912 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
913 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
914 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
915 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
916 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
917 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
918 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
919 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
922 ctxt->ops->put_fpu(ctxt);
925 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
928 unsigned reg = ctxt->modrm_reg;
929 int highbyte_regs = ctxt->rex_prefix == 0;
931 if (!(ctxt->d & ModRM))
932 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
938 read_sse_reg(ctxt, &op->vec_val, reg);
950 if (ctxt->d & ByteOp) {
951 op->addr.reg = decode_register(reg, ctxt->regs, highbyte_regs);
954 op->addr.reg = decode_register(reg, ctxt->regs, 0);
955 op->bytes = ctxt->op_bytes;
957 fetch_register_operand(op);
958 op->orig_val = op->val;
961 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
965 int index_reg = 0, base_reg = 0, scale;
966 int rc = X86EMUL_CONTINUE;
969 if (ctxt->rex_prefix) {
970 ctxt->modrm_reg = (ctxt->rex_prefix & 4) << 1; /* REX.R */
971 index_reg = (ctxt->rex_prefix & 2) << 2; /* REX.X */
972 ctxt->modrm_rm = base_reg = (ctxt->rex_prefix & 1) << 3; /* REX.B */
975 ctxt->modrm = insn_fetch(u8, ctxt);
976 ctxt->modrm_mod |= (ctxt->modrm & 0xc0) >> 6;
977 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
978 ctxt->modrm_rm |= (ctxt->modrm & 0x07);
979 ctxt->modrm_seg = VCPU_SREG_DS;
981 if (ctxt->modrm_mod == 3) {
983 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
984 op->addr.reg = decode_register(ctxt->modrm_rm,
985 ctxt->regs, ctxt->d & ByteOp);
989 op->addr.xmm = ctxt->modrm_rm;
990 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
996 op->addr.xmm = ctxt->modrm_rm & 7;
999 fetch_register_operand(op);
1005 if (ctxt->ad_bytes == 2) {
1006 unsigned bx = ctxt->regs[VCPU_REGS_RBX];
1007 unsigned bp = ctxt->regs[VCPU_REGS_RBP];
1008 unsigned si = ctxt->regs[VCPU_REGS_RSI];
1009 unsigned di = ctxt->regs[VCPU_REGS_RDI];
1011 /* 16-bit ModR/M decode. */
1012 switch (ctxt->modrm_mod) {
1014 if (ctxt->modrm_rm == 6)
1015 modrm_ea += insn_fetch(u16, ctxt);
1018 modrm_ea += insn_fetch(s8, ctxt);
1021 modrm_ea += insn_fetch(u16, ctxt);
1024 switch (ctxt->modrm_rm) {
1026 modrm_ea += bx + si;
1029 modrm_ea += bx + di;
1032 modrm_ea += bp + si;
1035 modrm_ea += bp + di;
1044 if (ctxt->modrm_mod != 0)
1051 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1052 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1053 ctxt->modrm_seg = VCPU_SREG_SS;
1054 modrm_ea = (u16)modrm_ea;
1056 /* 32/64-bit ModR/M decode. */
1057 if ((ctxt->modrm_rm & 7) == 4) {
1058 sib = insn_fetch(u8, ctxt);
1059 index_reg |= (sib >> 3) & 7;
1060 base_reg |= sib & 7;
1063 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1064 modrm_ea += insn_fetch(s32, ctxt);
1066 modrm_ea += ctxt->regs[base_reg];
1068 modrm_ea += ctxt->regs[index_reg] << scale;
1069 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1070 if (ctxt->mode == X86EMUL_MODE_PROT64)
1071 ctxt->rip_relative = 1;
1073 modrm_ea += ctxt->regs[ctxt->modrm_rm];
1074 switch (ctxt->modrm_mod) {
1076 if (ctxt->modrm_rm == 5)
1077 modrm_ea += insn_fetch(s32, ctxt);
1080 modrm_ea += insn_fetch(s8, ctxt);
1083 modrm_ea += insn_fetch(s32, ctxt);
1087 op->addr.mem.ea = modrm_ea;
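/*
 * Two worked decodes (illustrative, not from the original file):
 *
 * 16-bit: modrm 0x42 gives mod=1, rm=2 -> ea = bp + si + disp8, and
 * because rm is 2 the default segment becomes SS (see above).
 *
 * 32/64-bit: modrm 0x44, sib 0x88 gives mod=1, rm=4 -> a SIB byte
 * follows; scale=2, index=1, base=0 -> ea = rax + rcx*4 + disp8.
 */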
1092 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1095 int rc = X86EMUL_CONTINUE;
1098 switch (ctxt->ad_bytes) {
1100 op->addr.mem.ea = insn_fetch(u16, ctxt);
1103 op->addr.mem.ea = insn_fetch(u32, ctxt);
1106 op->addr.mem.ea = insn_fetch(u64, ctxt);
1113 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1117 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1118 mask = ~(ctxt->dst.bytes * 8 - 1);
1120 if (ctxt->src.bytes == 2)
1121 sv = (s16)ctxt->src.val & (s16)mask;
1122 else if (ctxt->src.bytes == 4)
1123 sv = (s32)ctxt->src.val & (s32)mask;
1125 ctxt->dst.addr.mem.ea += (sv >> 3);
1128 /* only subword offset */
1129 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
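/*
 * Worked example for a register-sourced bt/bts on a 16-bit memory
 * operand with src.val == 100: mask = ~15, sv = 96, so the effective
 * address moves forward 96 >> 3 == 12 bytes and src.val is reduced to
 * 100 & 15 == 4 -- bit 4 of the word 12 bytes past the original ea.
 */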
1132 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1133 unsigned long addr, void *dest, unsigned size)
1136 struct read_cache *mc = &ctxt->mem_read;
1139 int n = min(size, 8u);
1141 if (mc->pos < mc->end)
1144 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, n,
1146 if (rc != X86EMUL_CONTINUE)
1151 memcpy(dest, mc->data + mc->pos, n);
1156 return X86EMUL_CONTINUE;
1159 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1160 struct segmented_address addr,
1167 rc = linearize(ctxt, addr, size, false, &linear);
1168 if (rc != X86EMUL_CONTINUE)
1170 return read_emulated(ctxt, linear, data, size);
1173 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1174 struct segmented_address addr,
1181 rc = linearize(ctxt, addr, size, true, &linear);
1182 if (rc != X86EMUL_CONTINUE)
1184 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1188 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1189 struct segmented_address addr,
1190 const void *orig_data, const void *data,
1196 rc = linearize(ctxt, addr, size, true, &linear);
1197 if (rc != X86EMUL_CONTINUE)
1199 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1200 size, &ctxt->exception);
1203 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1204 unsigned int size, unsigned short port,
1207 struct read_cache *rc = &ctxt->io_read;
1209 if (rc->pos == rc->end) { /* refill pio read ahead */
1210 unsigned int in_page, n;
1211 unsigned int count = ctxt->rep_prefix ?
1212 address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) : 1;
1213 in_page = (ctxt->eflags & EFLG_DF) ?
1214 offset_in_page(ctxt->regs[VCPU_REGS_RDI]) :
1215 PAGE_SIZE - offset_in_page(ctxt->regs[VCPU_REGS_RDI]);
1216 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1220 rc->pos = rc->end = 0;
1221 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1226 memcpy(dest, rc->data + rc->pos, size);
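/*
 * The read-ahead turns e.g. "rep insb" with a large count into one
 * batched ->pio_in_emulated() call of up to sizeof(rc->data) bytes
 * (bounded so the destination does not cross a page), and subsequent
 * iterations are satisfied from the cache via the memcpy above.
 */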
1231 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1232 u16 index, struct desc_struct *desc)
1237 ctxt->ops->get_idt(ctxt, &dt);
1239 if (dt.size < index * 8 + 7)
1240 return emulate_gp(ctxt, index << 3 | 0x2);
1242 addr = dt.address + index * 8;
1243 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1247 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1248 u16 selector, struct desc_ptr *dt)
1250 struct x86_emulate_ops *ops = ctxt->ops;
1252 if (selector & 1 << 2) {
1253 struct desc_struct desc;
1256 memset (dt, 0, sizeof *dt);
1257 if (!ops->get_segment(ctxt, &sel, &desc, NULL, VCPU_SREG_LDTR))
1260 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1261 dt->address = get_desc_base(&desc);
1263 ops->get_gdt(ctxt, dt);
1266 /* allowed just for 8-byte segment descriptors */
1267 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1268 u16 selector, struct desc_struct *desc)
1271 u16 index = selector >> 3;
1274 get_descriptor_table_ptr(ctxt, selector, &dt);
1276 if (dt.size < index * 8 + 7)
1277 return emulate_gp(ctxt, selector & 0xfffc);
1279 addr = dt.address + index * 8;
1280 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1284 /* allowed just for 8-byte segment descriptors */
1285 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1286 u16 selector, struct desc_struct *desc)
1289 u16 index = selector >> 3;
1292 get_descriptor_table_ptr(ctxt, selector, &dt);
1294 if (dt.size < index * 8 + 7)
1295 return emulate_gp(ctxt, selector & 0xfffc);
1297 addr = dt.address + index * 8;
1298 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1302 /* Does not support long mode */
1303 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1304 u16 selector, int seg)
1306 struct desc_struct seg_desc;
1308 unsigned err_vec = GP_VECTOR;
1310 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1313 memset(&seg_desc, 0, sizeof seg_desc);
1315 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1316 || ctxt->mode == X86EMUL_MODE_REAL) {
1317 /* set real mode segment descriptor */
1318 set_desc_base(&seg_desc, selector << 4);
1319 set_desc_limit(&seg_desc, 0xffff);
1323 if (ctxt->mode == X86EMUL_MODE_VM86)
1328 /* NULL selector is not valid for TR, CS and SS */
1329 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1333 /* TR should be in GDT only */
1334 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1337 if (null_selector) /* for NULL selector skip all following checks */
1340 ret = read_segment_descriptor(ctxt, selector, &seg_desc);
1341 if (ret != X86EMUL_CONTINUE)
1344 err_code = selector & 0xfffc;
1345 err_vec = GP_VECTOR;
1347 /* can't load system descriptor into segment selector */
1348 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1352 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1358 cpl = ctxt->ops->cpl(ctxt);
1363 * segment is not a writable data segment, or segment
1364 * selector's RPL != CPL, or segment descriptor's DPL != CPL
1366 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1370 if (!(seg_desc.type & 8))
1373 if (seg_desc.type & 4) {
1379 if (rpl > cpl || dpl != cpl)
1382 /* CS(RPL) <- CPL */
1383 selector = (selector & 0xfffc) | cpl;
1386 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1389 case VCPU_SREG_LDTR:
1390 if (seg_desc.s || seg_desc.type != 2)
1393 default: /* DS, ES, FS, or GS */
1395 * segment is not a data or readable code segment or
1396 * ((segment is a data or nonconforming code segment)
1397 * and (both RPL and CPL > DPL))
1399 if ((seg_desc.type & 0xa) == 0x8 ||
1400 (((seg_desc.type & 0xc) != 0xc) &&
1401 (rpl > dpl && cpl > dpl)))
1407 /* mark segment as accessed */
1409 ret = write_segment_descriptor(ctxt, selector, &seg_desc);
1410 if (ret != X86EMUL_CONTINUE)
1414 ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
1415 return X86EMUL_CONTINUE;
1417 emulate_exception(ctxt, err_vec, err_code, true);
1418 return X86EMUL_PROPAGATE_FAULT;
1421 static void write_register_operand(struct operand *op)
1423 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1424 switch (op->bytes) {
1426 *(u8 *)op->addr.reg = (u8)op->val;
1429 *(u16 *)op->addr.reg = (u16)op->val;
1432 *op->addr.reg = (u32)op->val;
1433 break; /* 64b: zero-extend */
1435 *op->addr.reg = op->val;
1440 static int writeback(struct x86_emulate_ctxt *ctxt)
1444 switch (ctxt->dst.type) {
1446 write_register_operand(&ctxt->dst);
1449 if (ctxt->lock_prefix)
1450 rc = segmented_cmpxchg(ctxt,
1452 &ctxt->dst.orig_val,
1456 rc = segmented_write(ctxt,
1460 if (rc != X86EMUL_CONTINUE)
1464 write_sse_reg(ctxt, &ctxt->dst.vec_val, ctxt->dst.addr.xmm);
1467 write_mmx_reg(ctxt, &ctxt->dst.mm_val, ctxt->dst.addr.mm);
1475 return X86EMUL_CONTINUE;
1478 static int em_push(struct x86_emulate_ctxt *ctxt)
1480 struct segmented_address addr;
1482 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], -ctxt->op_bytes);
1483 addr.ea = register_address(ctxt, ctxt->regs[VCPU_REGS_RSP]);
1484 addr.seg = VCPU_SREG_SS;
1486 /* Disable writeback. */
1487 ctxt->dst.type = OP_NONE;
1488 return segmented_write(ctxt, addr, &ctxt->src.val, ctxt->op_bytes);
1491 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1492 void *dest, int len)
1495 struct segmented_address addr;
1497 addr.ea = register_address(ctxt, ctxt->regs[VCPU_REGS_RSP]);
1498 addr.seg = VCPU_SREG_SS;
1499 rc = segmented_read(ctxt, addr, dest, len);
1500 if (rc != X86EMUL_CONTINUE)
1503 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], len);
1507 static int em_pop(struct x86_emulate_ctxt *ctxt)
1509 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1512 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1513 void *dest, int len)
1516 unsigned long val, change_mask;
1517 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1518 int cpl = ctxt->ops->cpl(ctxt);
1520 rc = emulate_pop(ctxt, &val, len);
1521 if (rc != X86EMUL_CONTINUE)
1524 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1525 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1527 switch(ctxt->mode) {
1528 case X86EMUL_MODE_PROT64:
1529 case X86EMUL_MODE_PROT32:
1530 case X86EMUL_MODE_PROT16:
1532 change_mask |= EFLG_IOPL;
1534 change_mask |= EFLG_IF;
1536 case X86EMUL_MODE_VM86:
1538 return emulate_gp(ctxt, 0);
1539 change_mask |= EFLG_IF;
1541 default: /* real mode */
1542 change_mask |= (EFLG_IOPL | EFLG_IF);
1546 *(unsigned long *)dest =
1547 (ctxt->eflags & ~change_mask) | (val & change_mask);
1552 static int em_popf(struct x86_emulate_ctxt *ctxt)
1554 ctxt->dst.type = OP_REG;
1555 ctxt->dst.addr.reg = &ctxt->eflags;
1556 ctxt->dst.bytes = ctxt->op_bytes;
1557 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1560 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1562 int seg = ctxt->src2.val;
1564 ctxt->src.val = get_segment_selector(ctxt, seg);
1566 return em_push(ctxt);
1569 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1571 int seg = ctxt->src2.val;
1572 unsigned long selector;
1575 rc = emulate_pop(ctxt, &selector, ctxt->op_bytes);
1576 if (rc != X86EMUL_CONTINUE)
1579 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1583 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1585 unsigned long old_esp = ctxt->regs[VCPU_REGS_RSP];
1586 int rc = X86EMUL_CONTINUE;
1587 int reg = VCPU_REGS_RAX;
1589 while (reg <= VCPU_REGS_RDI) {
1590 ctxt->src.val = (reg == VCPU_REGS_RSP) ?
1591 old_esp : ctxt->regs[reg];
1594 if (rc != X86EMUL_CONTINUE)
1603 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1605 ctxt->src.val = (unsigned long)ctxt->eflags;
1606 return em_push(ctxt);
1609 static int em_popa(struct x86_emulate_ctxt *ctxt)
1611 int rc = X86EMUL_CONTINUE;
1612 int reg = VCPU_REGS_RDI;
1614 while (reg >= VCPU_REGS_RAX) {
1615 if (reg == VCPU_REGS_RSP) {
1616 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP],
1621 rc = emulate_pop(ctxt, &ctxt->regs[reg], ctxt->op_bytes);
1622 if (rc != X86EMUL_CONTINUE)
1629 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1631 struct x86_emulate_ops *ops = ctxt->ops;
1638 /* TODO: Add limit checks */
1639 ctxt->src.val = ctxt->eflags;
1641 if (rc != X86EMUL_CONTINUE)
1644 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1646 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
1648 if (rc != X86EMUL_CONTINUE)
1651 ctxt->src.val = ctxt->_eip;
1653 if (rc != X86EMUL_CONTINUE)
1656 ops->get_idt(ctxt, &dt);
1658 eip_addr = dt.address + (irq << 2);
1659 cs_addr = dt.address + (irq << 2) + 2;
1661 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
1662 if (rc != X86EMUL_CONTINUE)
1665 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
1666 if (rc != X86EMUL_CONTINUE)
1669 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
1670 if (rc != X86EMUL_CONTINUE)
1678 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
1680 switch(ctxt->mode) {
1681 case X86EMUL_MODE_REAL:
1682 return emulate_int_real(ctxt, irq);
1683 case X86EMUL_MODE_VM86:
1684 case X86EMUL_MODE_PROT16:
1685 case X86EMUL_MODE_PROT32:
1686 case X86EMUL_MODE_PROT64:
1688 /* Protected mode interrupts are not implemented yet */
1689 return X86EMUL_UNHANDLEABLE;
1693 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
1695 int rc = X86EMUL_CONTINUE;
1696 unsigned long temp_eip = 0;
1697 unsigned long temp_eflags = 0;
1698 unsigned long cs = 0;
1699 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1700 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1701 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1702 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1704 /* TODO: Add stack limit check */
1706 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
1708 if (rc != X86EMUL_CONTINUE)
1711 if (temp_eip & ~0xffff)
1712 return emulate_gp(ctxt, 0);
1714 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
1716 if (rc != X86EMUL_CONTINUE)
1719 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
1721 if (rc != X86EMUL_CONTINUE)
1724 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1726 if (rc != X86EMUL_CONTINUE)
1729 ctxt->_eip = temp_eip;
1732 if (ctxt->op_bytes == 4)
1733 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1734 else if (ctxt->op_bytes == 2) {
1735 ctxt->eflags &= ~0xffff;
1736 ctxt->eflags |= temp_eflags;
1739 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1740 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1745 static int em_iret(struct x86_emulate_ctxt *ctxt)
1747 switch(ctxt->mode) {
1748 case X86EMUL_MODE_REAL:
1749 return emulate_iret_real(ctxt);
1750 case X86EMUL_MODE_VM86:
1751 case X86EMUL_MODE_PROT16:
1752 case X86EMUL_MODE_PROT32:
1753 case X86EMUL_MODE_PROT64:
1755 /* iret from protected mode is not implemented yet */
1756 return X86EMUL_UNHANDLEABLE;
1760 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
1765 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
1767 rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
1768 if (rc != X86EMUL_CONTINUE)
1772 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
1773 return X86EMUL_CONTINUE;
1776 static int em_grp2(struct x86_emulate_ctxt *ctxt)
1778 switch (ctxt->modrm_reg) {
1780 emulate_2op_SrcB(ctxt, "rol");
1783 emulate_2op_SrcB(ctxt, "ror");
1786 emulate_2op_SrcB(ctxt, "rcl");
1789 emulate_2op_SrcB(ctxt, "rcr");
1791 case 4: /* sal/shl */
1792 case 6: /* sal/shl */
1793 emulate_2op_SrcB(ctxt, "sal");
1796 emulate_2op_SrcB(ctxt, "shr");
1799 emulate_2op_SrcB(ctxt, "sar");
1802 return X86EMUL_CONTINUE;
1805 static int em_not(struct x86_emulate_ctxt *ctxt)
1807 ctxt->dst.val = ~ctxt->dst.val;
1808 return X86EMUL_CONTINUE;
1811 static int em_neg(struct x86_emulate_ctxt *ctxt)
1813 emulate_1op(ctxt, "neg");
1814 return X86EMUL_CONTINUE;
1817 static int em_mul_ex(struct x86_emulate_ctxt *ctxt)
1821 emulate_1op_rax_rdx(ctxt, "mul", ex);
1822 return X86EMUL_CONTINUE;
1825 static int em_imul_ex(struct x86_emulate_ctxt *ctxt)
1829 emulate_1op_rax_rdx(ctxt, "imul", ex);
1830 return X86EMUL_CONTINUE;
1833 static int em_div_ex(struct x86_emulate_ctxt *ctxt)
1837 emulate_1op_rax_rdx(ctxt, "div", de);
1839 return emulate_de(ctxt);
1840 return X86EMUL_CONTINUE;
1843 static int em_idiv_ex(struct x86_emulate_ctxt *ctxt)
1847 emulate_1op_rax_rdx(ctxt, "idiv", de);
1849 return emulate_de(ctxt);
1850 return X86EMUL_CONTINUE;
1853 static int em_grp45(struct x86_emulate_ctxt *ctxt)
1855 int rc = X86EMUL_CONTINUE;
1857 switch (ctxt->modrm_reg) {
1859 emulate_1op(ctxt, "inc");
1862 emulate_1op(ctxt, "dec");
1864 case 2: /* call near abs */ {
1866 old_eip = ctxt->_eip;
1867 ctxt->_eip = ctxt->src.val;
1868 ctxt->src.val = old_eip;
1872 case 4: /* jmp abs */
1873 ctxt->_eip = ctxt->src.val;
1875 case 5: /* jmp far */
1876 rc = em_jmp_far(ctxt);
1885 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
1887 u64 old = ctxt->dst.orig_val64;
1889 if (((u32) (old >> 0) != (u32) ctxt->regs[VCPU_REGS_RAX]) ||
1890 ((u32) (old >> 32) != (u32) ctxt->regs[VCPU_REGS_RDX])) {
1891 ctxt->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1892 ctxt->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1893 ctxt->eflags &= ~EFLG_ZF;
1895 ctxt->dst.val64 = ((u64)ctxt->regs[VCPU_REGS_RCX] << 32) |
1896 (u32) ctxt->regs[VCPU_REGS_RBX];
1898 ctxt->eflags |= EFLG_ZF;
1900 return X86EMUL_CONTINUE;
1903 static int em_ret(struct x86_emulate_ctxt *ctxt)
1905 ctxt->dst.type = OP_REG;
1906 ctxt->dst.addr.reg = &ctxt->_eip;
1907 ctxt->dst.bytes = ctxt->op_bytes;
1908 return em_pop(ctxt);
1911 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
1916 rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
1917 if (rc != X86EMUL_CONTINUE)
1919 if (ctxt->op_bytes == 4)
1920 ctxt->_eip = (u32)ctxt->_eip;
1921 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
1922 if (rc != X86EMUL_CONTINUE)
1924 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1928 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
1930 /* Save real source value, then compare EAX against destination. */
1931 ctxt->src.orig_val = ctxt->src.val;
1932 ctxt->src.val = ctxt->regs[VCPU_REGS_RAX];
1933 emulate_2op_SrcV(ctxt, "cmp");
1935 if (ctxt->eflags & EFLG_ZF) {
1936 /* Success: write back to memory. */
1937 ctxt->dst.val = ctxt->src.orig_val;
1939 /* Failure: write the value we saw to EAX. */
1940 ctxt->dst.type = OP_REG;
1941 ctxt->dst.addr.reg = (unsigned long *)&ctxt->regs[VCPU_REGS_RAX];
1943 return X86EMUL_CONTINUE;
1946 static int em_lseg(struct x86_emulate_ctxt *ctxt)
1948 int seg = ctxt->src2.val;
1952 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
1954 rc = load_segment_descriptor(ctxt, sel, seg);
1955 if (rc != X86EMUL_CONTINUE)
1958 ctxt->dst.val = ctxt->src.val;
1963 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1964 struct desc_struct *cs, struct desc_struct *ss)
1968 memset(cs, 0, sizeof(struct desc_struct));
1969 ctxt->ops->get_segment(ctxt, &selector, cs, NULL, VCPU_SREG_CS);
1970 memset(ss, 0, sizeof(struct desc_struct));
1972 cs->l = 0; /* will be adjusted later */
1973 set_desc_base(cs, 0); /* flat segment */
1974 cs->g = 1; /* 4kb granularity */
1975 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1976 cs->type = 0x0b; /* Read, Execute, Accessed */
1978 cs->dpl = 0; /* will be adjusted later */
1982 set_desc_base(ss, 0); /* flat segment */
1983 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1984 ss->g = 1; /* 4kb granularity */
1986 ss->type = 0x03; /* Read/Write, Accessed */
1987 ss->d = 1; /* 32bit stack segment */
1992 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
1994 u32 eax, ebx, ecx, edx;
1997 return ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)
1998 && ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
1999 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2000 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
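/*
 * The three constants are the CPUID leaf 0 vendor string, twelve bytes
 * spread over ebx, edx, ecx in that order: "Genu" "ineI" "ntel".
 */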
2003 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2005 struct x86_emulate_ops *ops = ctxt->ops;
2006 u32 eax, ebx, ecx, edx;
2009 * syscall should always be enabled in long mode - so only become
2010 * vendor specific (via cpuid) if other modes are active...
2012 if (ctxt->mode == X86EMUL_MODE_PROT64)
2017 if (ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)) {
2019 * Intel ("GenuineIntel")
2020 * remark: Intel CPUs only support "syscall" in 64-bit
2021 * long mode. A 64-bit guest running a 32-bit
2022 * compat-app will therefore #UD! While this
2023 * behaviour could be fixed (by emulating the AMD
2024 * response), AMD CPUs can't be made to behave like Intel's.
2026 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2027 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2028 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2031 /* AMD ("AuthenticAMD") */
2032 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2033 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2034 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2037 /* AMD ("AMDisbetter!") */
2038 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2039 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2040 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2044 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2048 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2050 struct x86_emulate_ops *ops = ctxt->ops;
2051 struct desc_struct cs, ss;
2056 /* syscall is not available in real mode */
2057 if (ctxt->mode == X86EMUL_MODE_REAL ||
2058 ctxt->mode == X86EMUL_MODE_VM86)
2059 return emulate_ud(ctxt);
2061 if (!(em_syscall_is_enabled(ctxt)))
2062 return emulate_ud(ctxt);
2064 ops->get_msr(ctxt, MSR_EFER, &efer);
2065 setup_syscalls_segments(ctxt, &cs, &ss);
2067 if (!(efer & EFER_SCE))
2068 return emulate_ud(ctxt);
2070 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2072 cs_sel = (u16)(msr_data & 0xfffc);
2073 ss_sel = (u16)(msr_data + 8);
2075 if (efer & EFER_LMA) {
2079 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2080 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2082 ctxt->regs[VCPU_REGS_RCX] = ctxt->_eip;
2083 if (efer & EFER_LMA) {
2084 #ifdef CONFIG_X86_64
2085 ctxt->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
2088 ctxt->mode == X86EMUL_MODE_PROT64 ?
2089 MSR_LSTAR : MSR_CSTAR, &msr_data);
2090 ctxt->_eip = msr_data;
2092 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2093 ctxt->eflags &= ~(msr_data | EFLG_RF);
2097 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2098 ctxt->_eip = (u32)msr_data;
2100 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2103 return X86EMUL_CONTINUE;
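/*
 * MSR_STAR layout used above (per the AMD APM): bits 31..0 hold the
 * legacy-mode SYSCALL target EIP, bits 47..32 the kernel CS selector
 * (SS is loaded as CS + 8); in long mode the RIP comes from MSR_LSTAR
 * (or MSR_CSTAR for compat mode) instead.
 */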
2106 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2108 struct x86_emulate_ops *ops = ctxt->ops;
2109 struct desc_struct cs, ss;
2114 ops->get_msr(ctxt, MSR_EFER, &efer);
2115 /* inject #GP if in real mode */
2116 if (ctxt->mode == X86EMUL_MODE_REAL)
2117 return emulate_gp(ctxt, 0);
2120 * Not recognized on AMD in compat mode (but is recognized in legacy
2121 * mode).
2123 if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
2124 && !vendor_intel(ctxt))
2125 return emulate_ud(ctxt);
2127 /* XXX sysenter/sysexit have not been tested in 64bit mode.
2128 * Therefore, we inject an #UD.
2130 if (ctxt->mode == X86EMUL_MODE_PROT64)
2131 return emulate_ud(ctxt);
2133 setup_syscalls_segments(ctxt, &cs, &ss);
2135 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2136 switch (ctxt->mode) {
2137 case X86EMUL_MODE_PROT32:
2138 if ((msr_data & 0xfffc) == 0x0)
2139 return emulate_gp(ctxt, 0);
2141 case X86EMUL_MODE_PROT64:
2142 if (msr_data == 0x0)
2143 return emulate_gp(ctxt, 0);
2147 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2148 cs_sel = (u16)msr_data;
2149 cs_sel &= ~SELECTOR_RPL_MASK;
2150 ss_sel = cs_sel + 8;
2151 ss_sel &= ~SELECTOR_RPL_MASK;
2152 if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
2157 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2158 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2160 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2161 ctxt->_eip = msr_data;
2163 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2164 ctxt->regs[VCPU_REGS_RSP] = msr_data;
2166 return X86EMUL_CONTINUE;
2169 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2171 struct x86_emulate_ops *ops = ctxt->ops;
2172 struct desc_struct cs, ss;
2175 u16 cs_sel = 0, ss_sel = 0;
2177 /* inject #GP if in real mode or Virtual 8086 mode */
2178 if (ctxt->mode == X86EMUL_MODE_REAL ||
2179 ctxt->mode == X86EMUL_MODE_VM86)
2180 return emulate_gp(ctxt, 0);
2182 setup_syscalls_segments(ctxt, &cs, &ss);
2184 if ((ctxt->rex_prefix & 0x8) != 0x0)
2185 usermode = X86EMUL_MODE_PROT64;
2187 usermode = X86EMUL_MODE_PROT32;
2191 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2193 case X86EMUL_MODE_PROT32:
2194 cs_sel = (u16)(msr_data + 16);
2195 if ((msr_data & 0xfffc) == 0x0)
2196 return emulate_gp(ctxt, 0);
2197 ss_sel = (u16)(msr_data + 24);
2199 case X86EMUL_MODE_PROT64:
2200 cs_sel = (u16)(msr_data + 32);
2201 if (msr_data == 0x0)
2202 return emulate_gp(ctxt, 0);
2203 ss_sel = cs_sel + 8;
2208 cs_sel |= SELECTOR_RPL_MASK;
2209 ss_sel |= SELECTOR_RPL_MASK;
2211 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2212 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2214 ctxt->_eip = ctxt->regs[VCPU_REGS_RDX];
2215 ctxt->regs[VCPU_REGS_RSP] = ctxt->regs[VCPU_REGS_RCX];
2217 return X86EMUL_CONTINUE;
2220 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2223 if (ctxt->mode == X86EMUL_MODE_REAL)
2225 if (ctxt->mode == X86EMUL_MODE_VM86)
2227 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2228 return ctxt->ops->cpl(ctxt) > iopl;
2231 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2234 struct x86_emulate_ops *ops = ctxt->ops;
2235 struct desc_struct tr_seg;
2238 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2239 unsigned mask = (1 << len) - 1;
2242 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2245 if (desc_limit_scaled(&tr_seg) < 103)
2247 base = get_desc_base(&tr_seg);
2248 #ifdef CONFIG_X86_64
2249 base |= ((u64)base3) << 32;
2251 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2252 if (r != X86EMUL_CONTINUE)
2254 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2256 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2257 if (r != X86EMUL_CONTINUE)
2259 if ((perm >> bit_idx) & mask)
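/*
 * Worked example: an "in al, dx" with dx = 0x3fd reads byte
 * io_bitmap_ptr + 0x3fd/8 = io_bitmap_ptr + 127 of the TSS, and with
 * bit_idx = 0x3fd & 7 = 5 and mask = 1 the access is denied if bit 5
 * of that permission byte is set.
 */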
2264 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2270 if (emulator_bad_iopl(ctxt))
2271 if (!emulator_io_port_access_allowed(ctxt, port, len))
2274 ctxt->perm_ok = true;
2279 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2280 struct tss_segment_16 *tss)
2282 tss->ip = ctxt->_eip;
2283 tss->flag = ctxt->eflags;
2284 tss->ax = ctxt->regs[VCPU_REGS_RAX];
2285 tss->cx = ctxt->regs[VCPU_REGS_RCX];
2286 tss->dx = ctxt->regs[VCPU_REGS_RDX];
2287 tss->bx = ctxt->regs[VCPU_REGS_RBX];
2288 tss->sp = ctxt->regs[VCPU_REGS_RSP];
2289 tss->bp = ctxt->regs[VCPU_REGS_RBP];
2290 tss->si = ctxt->regs[VCPU_REGS_RSI];
2291 tss->di = ctxt->regs[VCPU_REGS_RDI];
2293 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2294 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2295 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2296 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2297 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2300 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2301 struct tss_segment_16 *tss)
2305 ctxt->_eip = tss->ip;
2306 ctxt->eflags = tss->flag | 2;
2307 ctxt->regs[VCPU_REGS_RAX] = tss->ax;
2308 ctxt->regs[VCPU_REGS_RCX] = tss->cx;
2309 ctxt->regs[VCPU_REGS_RDX] = tss->dx;
2310 ctxt->regs[VCPU_REGS_RBX] = tss->bx;
2311 ctxt->regs[VCPU_REGS_RSP] = tss->sp;
2312 ctxt->regs[VCPU_REGS_RBP] = tss->bp;
2313 ctxt->regs[VCPU_REGS_RSI] = tss->si;
2314 ctxt->regs[VCPU_REGS_RDI] = tss->di;
2317 * SDM says that segment selectors are loaded before segment
2318 * descriptors
2320 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2321 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2322 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2323 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2324 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2327 * Now load segment descriptors. If a fault happens at this stage
2328 * it is handled in the context of the new task.
2330 ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR);
2331 if (ret != X86EMUL_CONTINUE)
2333 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2334 if (ret != X86EMUL_CONTINUE)
2336 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2337 if (ret != X86EMUL_CONTINUE)
2339 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2340 if (ret != X86EMUL_CONTINUE)
2342 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2343 if (ret != X86EMUL_CONTINUE)
2346 return X86EMUL_CONTINUE;
2349 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2350 u16 tss_selector, u16 old_tss_sel,
2351 ulong old_tss_base, struct desc_struct *new_desc)
2353 struct x86_emulate_ops *ops = ctxt->ops;
2354 struct tss_segment_16 tss_seg;
2356 u32 new_tss_base = get_desc_base(new_desc);
2358 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2360 if (ret != X86EMUL_CONTINUE)
2361 /* FIXME: need to provide precise fault address */
2364 save_state_to_tss16(ctxt, &tss_seg);
2366 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2368 if (ret != X86EMUL_CONTINUE)
2369 /* FIXME: need to provide precise fault address */
2372 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2374 if (ret != X86EMUL_CONTINUE)
2375 /* FIXME: need to provide precise fault address */
2378 if (old_tss_sel != 0xffff) {
2379 tss_seg.prev_task_link = old_tss_sel;
2381 ret = ops->write_std(ctxt, new_tss_base,
2382 &tss_seg.prev_task_link,
2383 sizeof tss_seg.prev_task_link,
2385 if (ret != X86EMUL_CONTINUE)
2386 /* FIXME: need to provide precise fault address */
2390 return load_state_from_tss16(ctxt, &tss_seg);
2393 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2394 struct tss_segment_32 *tss)
2396 tss->cr3 = ctxt->ops->get_cr(ctxt, 3);
2397 tss->eip = ctxt->_eip;
2398 tss->eflags = ctxt->eflags;
2399 tss->eax = ctxt->regs[VCPU_REGS_RAX];
2400 tss->ecx = ctxt->regs[VCPU_REGS_RCX];
2401 tss->edx = ctxt->regs[VCPU_REGS_RDX];
2402 tss->ebx = ctxt->regs[VCPU_REGS_RBX];
2403 tss->esp = ctxt->regs[VCPU_REGS_RSP];
2404 tss->ebp = ctxt->regs[VCPU_REGS_RBP];
2405 tss->esi = ctxt->regs[VCPU_REGS_RSI];
2406 tss->edi = ctxt->regs[VCPU_REGS_RDI];
2408 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2409 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2410 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2411 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2412 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
2413 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
2414 tss->ldt_selector = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2417 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2418 struct tss_segment_32 *tss)
2422 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
2423 return emulate_gp(ctxt, 0);
2424 ctxt->_eip = tss->eip;
2425 ctxt->eflags = tss->eflags | 2;
2427 /* General purpose registers */
2428 ctxt->regs[VCPU_REGS_RAX] = tss->eax;
2429 ctxt->regs[VCPU_REGS_RCX] = tss->ecx;
2430 ctxt->regs[VCPU_REGS_RDX] = tss->edx;
2431 ctxt->regs[VCPU_REGS_RBX] = tss->ebx;
2432 ctxt->regs[VCPU_REGS_RSP] = tss->esp;
2433 ctxt->regs[VCPU_REGS_RBP] = tss->ebp;
2434 ctxt->regs[VCPU_REGS_RSI] = tss->esi;
2435 ctxt->regs[VCPU_REGS_RDI] = tss->edi;
2438 * SDM says that segment selectors are loaded before segment
2439 * descriptors.
2440 */
2441 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2442 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2443 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2444 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2445 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2446 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
2447 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
2450 * If we're switching between Protected Mode and VM86, we need to make
2451 * sure to update the mode before loading the segment descriptors so
2452 * that the selectors are interpreted correctly.
2454 * Need to get rflags to the vcpu struct immediately because it
2455 * influences the CPL which is checked at least when loading the segment
2456 * descriptors and when pushing an error code to the new kernel stack.
2458 * TODO Introduce a separate ctxt->ops->set_cpl callback
2460 if (ctxt->eflags & X86_EFLAGS_VM)
2461 ctxt->mode = X86EMUL_MODE_VM86;
2462 else
2463 ctxt->mode = X86EMUL_MODE_PROT32;
2465 ctxt->ops->set_rflags(ctxt, ctxt->eflags);
2468 * Now load segment descriptors. If a fault happens at this stage,
2469 * it is handled in the context of the new task.
2470 */
2471 ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2472 if (ret != X86EMUL_CONTINUE)
2473 return ret;
2474 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2475 if (ret != X86EMUL_CONTINUE)
2476 return ret;
2477 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2478 if (ret != X86EMUL_CONTINUE)
2479 return ret;
2480 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2481 if (ret != X86EMUL_CONTINUE)
2482 return ret;
2483 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2484 if (ret != X86EMUL_CONTINUE)
2485 return ret;
2486 ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS);
2487 if (ret != X86EMUL_CONTINUE)
2488 return ret;
2489 ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS);
2490 if (ret != X86EMUL_CONTINUE)
2491 return ret;
2493 return X86EMUL_CONTINUE;
2496 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2497 u16 tss_selector, u16 old_tss_sel,
2498 ulong old_tss_base, struct desc_struct *new_desc)
2500 struct x86_emulate_ops *ops = ctxt->ops;
2501 struct tss_segment_32 tss_seg;
2503 u32 new_tss_base = get_desc_base(new_desc);
2505 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2506 &ctxt->exception);
2507 if (ret != X86EMUL_CONTINUE)
2508 /* FIXME: need to provide precise fault address */
2509 return ret;
2511 save_state_to_tss32(ctxt, &tss_seg);
2513 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2514 &ctxt->exception);
2515 if (ret != X86EMUL_CONTINUE)
2516 /* FIXME: need to provide precise fault address */
2517 return ret;
2519 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2520 &ctxt->exception);
2521 if (ret != X86EMUL_CONTINUE)
2522 /* FIXME: need to provide precise fault address */
2523 return ret;
2525 if (old_tss_sel != 0xffff) {
2526 tss_seg.prev_task_link = old_tss_sel;
2528 ret = ops->write_std(ctxt, new_tss_base,
2529 &tss_seg.prev_task_link,
2530 sizeof tss_seg.prev_task_link,
2531 &ctxt->exception);
2532 if (ret != X86EMUL_CONTINUE)
2533 /* FIXME: need to provide precise fault address */
2534 return ret;
2537 return load_state_from_tss32(ctxt, &tss_seg);
2538 }
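/*
 * emulator_do_task_switch() is the architectural core shared by every
 * task-switch cause (jmp/call to a TSS or task gate, interrupt or
 * exception through a task gate, and IRET with NT set).  Outline:
 *
 *	1. read the new and current TSS descriptors;
 *	2. privilege-check according to the cause (see below);
 *	3. verify the new TSS is present and its limit is sane;
 *	4. clear the old busy flag (jmp/iret) or keep it for nesting;
 *	5. move register and segment state via task_switch_16/32();
 *	6. update NT, the new busy flag, CR0.TS and TR;
 *	7. push the error code onto the new stack, if there is one.
 */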
2540 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2541 u16 tss_selector, int idt_index, int reason,
2542 bool has_error_code, u32 error_code)
2544 struct x86_emulate_ops *ops = ctxt->ops;
2545 struct desc_struct curr_tss_desc, next_tss_desc;
2547 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
2548 ulong old_tss_base =
2549 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
2552 /* FIXME: old_tss_base == ~0 ? */
2554 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2555 if (ret != X86EMUL_CONTINUE)
2556 return ret;
2557 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2558 if (ret != X86EMUL_CONTINUE)
2559 return ret;
2561 /* FIXME: check that next_tss_desc is tss */
2564 * Check privileges. The three cases are task switch caused by...
2566 * 1. jmp/call/int to task gate: Check against DPL of the task gate
2567 * 2. Exception/IRQ/iret: No check is performed
2568 * 3. jmp/call to TSS: Check against DPL of the TSS
2570 if (reason == TASK_SWITCH_GATE) {
2571 if (idt_index != -1) {
2572 /* Software interrupts */
2573 struct desc_struct task_gate_desc;
2574 int dpl;
2576 ret = read_interrupt_descriptor(ctxt, idt_index,
2577 &task_gate_desc);
2578 if (ret != X86EMUL_CONTINUE)
2579 return ret;
2581 dpl = task_gate_desc.dpl;
2582 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2583 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
2585 } else if (reason != TASK_SWITCH_IRET) {
2586 int dpl = next_tss_desc.dpl;
2587 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2588 return emulate_gp(ctxt, tss_selector);
2592 desc_limit = desc_limit_scaled(&next_tss_desc);
2593 if (!next_tss_desc.p ||
2594 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2595 desc_limit < 0x2b)) {
2596 emulate_ts(ctxt, tss_selector & 0xfffc);
2597 return X86EMUL_PROPAGATE_FAULT;
2598 }
2600 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2601 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2602 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2605 if (reason == TASK_SWITCH_IRET)
2606 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2608 /* Set the back link to the previous task only if the NT bit is set
2609 in eflags; note that old_tss_sel is not used after this point. */
2610 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2611 old_tss_sel = 0xffff;
2613 if (next_tss_desc.type & 8)
2614 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
2615 old_tss_base, &next_tss_desc);
2617 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
2618 old_tss_base, &next_tss_desc);
2619 if (ret != X86EMUL_CONTINUE)
2620 return ret;
2622 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2623 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2625 if (reason != TASK_SWITCH_IRET) {
2626 next_tss_desc.type |= (1 << 1); /* set busy flag */
2627 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2630 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
2631 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
2633 if (has_error_code) {
2634 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2635 ctxt->lock_prefix = 0;
2636 ctxt->src.val = (unsigned long) error_code;
2637 ret = em_push(ctxt);
2638 }
2640 return ret;
2641 }
2643 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2644 u16 tss_selector, int idt_index, int reason,
2645 bool has_error_code, u32 error_code)
2649 ctxt->_eip = ctxt->eip;
2650 ctxt->dst.type = OP_NONE;
2652 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
2653 has_error_code, error_code);
2655 if (rc == X86EMUL_CONTINUE)
2656 ctxt->eip = ctxt->_eip;
2658 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
2659 }
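/*
 * string_addr_inc() steps a string-operation index register by the
 * operand size, in the direction given by EFLAGS.DF, and refreshes the
 * operand's effective address from the updated register.  For example,
 * a 4-byte MOVSD advances RSI/RDI by +4 with DF clear and by -4 with
 * DF set.
 */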
2661 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
2662 int reg, struct operand *op)
2664 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2666 register_address_increment(ctxt, &ctxt->regs[reg], df * op->bytes);
2667 op->addr.mem.ea = register_address(ctxt, ctxt->regs[reg]);
2668 op->addr.mem.seg = seg;
2671 static int em_das(struct x86_emulate_ctxt *ctxt)
2674 bool af, cf, old_cf;
2676 cf = ctxt->eflags & X86_EFLAGS_CF;
2682 af = ctxt->eflags & X86_EFLAGS_AF;
2683 if ((al & 0x0f) > 9 || af) {
2684 al -= 6;
2685 cf = old_cf | (al >= 250);
2686 af = true;
2687 } else {
2688 af = false;
2689 }
2690 if (old_al > 0x99 || old_cf) {
2691 al -= 0x60;
2692 cf = true;
2693 }
2695 ctxt->dst.val = al;
2696 /* Set PF, ZF, SF */
2697 ctxt->src.type = OP_IMM;
2698 ctxt->src.val = 0;
2699 ctxt->src.bytes = 1;
2700 emulate_2op_SrcV(ctxt, "or");
2701 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2702 if (cf)
2703 ctxt->eflags |= X86_EFLAGS_CF;
2704 if (af)
2705 ctxt->eflags |= X86_EFLAGS_AF;
2706 return X86EMUL_CONTINUE;
2709 static int em_call(struct x86_emulate_ctxt *ctxt)
2711 long rel = ctxt->src.val;
2713 ctxt->src.val = (unsigned long)ctxt->_eip;
2714 jmp_rel(ctxt, rel);
2715 return em_push(ctxt);
2718 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2724 old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2725 old_eip = ctxt->_eip;
2727 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2728 if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
2729 return X86EMUL_CONTINUE;
2732 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
2734 ctxt->src.val = old_cs;
2735 rc = em_push(ctxt);
2736 if (rc != X86EMUL_CONTINUE)
2737 return rc;
2739 ctxt->src.val = old_eip;
2740 return em_push(ctxt);
2743 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2747 ctxt->dst.type = OP_REG;
2748 ctxt->dst.addr.reg = &ctxt->_eip;
2749 ctxt->dst.bytes = ctxt->op_bytes;
2750 rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
2751 if (rc != X86EMUL_CONTINUE)
2752 return rc;
2753 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], ctxt->src.val);
2754 return X86EMUL_CONTINUE;
2755 }
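/*
 * The em_add()..em_test() helpers below are thin wrappers: the decoded
 * source and destination operands are fed to the emulate_2op_SrcV()
 * assembly template, which performs the ALU operation and transfers
 * the resulting flags back into ctxt->eflags.
 */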
2757 static int em_add(struct x86_emulate_ctxt *ctxt)
2759 emulate_2op_SrcV(ctxt, "add");
2760 return X86EMUL_CONTINUE;
2763 static int em_or(struct x86_emulate_ctxt *ctxt)
2765 emulate_2op_SrcV(ctxt, "or");
2766 return X86EMUL_CONTINUE;
2769 static int em_adc(struct x86_emulate_ctxt *ctxt)
2771 emulate_2op_SrcV(ctxt, "adc");
2772 return X86EMUL_CONTINUE;
2775 static int em_sbb(struct x86_emulate_ctxt *ctxt)
2777 emulate_2op_SrcV(ctxt, "sbb");
2778 return X86EMUL_CONTINUE;
2781 static int em_and(struct x86_emulate_ctxt *ctxt)
2783 emulate_2op_SrcV(ctxt, "and");
2784 return X86EMUL_CONTINUE;
2787 static int em_sub(struct x86_emulate_ctxt *ctxt)
2789 emulate_2op_SrcV(ctxt, "sub");
2790 return X86EMUL_CONTINUE;
2793 static int em_xor(struct x86_emulate_ctxt *ctxt)
2795 emulate_2op_SrcV(ctxt, "xor");
2796 return X86EMUL_CONTINUE;
2799 static int em_cmp(struct x86_emulate_ctxt *ctxt)
2801 emulate_2op_SrcV(ctxt, "cmp");
2802 /* Disable writeback. */
2803 ctxt->dst.type = OP_NONE;
2804 return X86EMUL_CONTINUE;
2807 static int em_test(struct x86_emulate_ctxt *ctxt)
2809 emulate_2op_SrcV(ctxt, "test");
2810 /* Disable writeback. */
2811 ctxt->dst.type = OP_NONE;
2812 return X86EMUL_CONTINUE;
2815 static int em_xchg(struct x86_emulate_ctxt *ctxt)
2817 /* Write back the register source. */
2818 ctxt->src.val = ctxt->dst.val;
2819 write_register_operand(&ctxt->src);
2821 /* Write back the memory destination with implicit LOCK prefix. */
2822 ctxt->dst.val = ctxt->src.orig_val;
2823 ctxt->lock_prefix = 1;
2824 return X86EMUL_CONTINUE;
2827 static int em_imul(struct x86_emulate_ctxt *ctxt)
2829 emulate_2op_SrcV_nobyte(ctxt, "imul");
2830 return X86EMUL_CONTINUE;
2833 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2835 ctxt->dst.val = ctxt->src2.val;
2836 return em_imul(ctxt);
2837 }
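/*
 * em_cwd() implements CWD/CDQ/CQO by replicating the sign bit of the
 * accumulator into the DX-family register.  Worked 16-bit example:
 * AX = 0x8000 has sign bit 1, so DX becomes 0xffff; AX = 0x1234 has
 * sign bit 0, so DX becomes 0x0000.
 */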
2839 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2841 ctxt->dst.type = OP_REG;
2842 ctxt->dst.bytes = ctxt->src.bytes;
2843 ctxt->dst.addr.reg = &ctxt->regs[VCPU_REGS_RDX];
2844 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
2846 return X86EMUL_CONTINUE;
2847 }
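/*
 * em_rdtsc() and em_rdpmc() below follow the architectural convention
 * of returning a 64-bit counter split across EDX:EAX (high and low 32
 * bits respectively).
 */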
2849 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2853 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
2854 ctxt->regs[VCPU_REGS_RAX] = (u32)tsc;
2855 ctxt->regs[VCPU_REGS_RDX] = tsc >> 32;
2856 return X86EMUL_CONTINUE;
2859 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
2863 if (ctxt->ops->read_pmc(ctxt, ctxt->regs[VCPU_REGS_RCX], &pmc))
2864 return emulate_gp(ctxt, 0);
2865 ctxt->regs[VCPU_REGS_RAX] = (u32)pmc;
2866 ctxt->regs[VCPU_REGS_RDX] = pmc >> 32;
2867 return X86EMUL_CONTINUE;
2870 static int em_mov(struct x86_emulate_ctxt *ctxt)
2872 memcpy(ctxt->dst.valptr, ctxt->src.valptr, ctxt->op_bytes);
2873 return X86EMUL_CONTINUE;
2876 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
2878 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
2879 return emulate_gp(ctxt, 0);
2881 /* Disable writeback. */
2882 ctxt->dst.type = OP_NONE;
2883 return X86EMUL_CONTINUE;
2886 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
2890 if (ctxt->mode == X86EMUL_MODE_PROT64)
2891 val = ctxt->src.val & ~0ULL;
2893 val = ctxt->src.val & ~0U;
2895 /* #UD condition is already handled. */
2896 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
2897 return emulate_gp(ctxt, 0);
2899 /* Disable writeback. */
2900 ctxt->dst.type = OP_NONE;
2901 return X86EMUL_CONTINUE;
2904 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
2908 msr_data = (u32)ctxt->regs[VCPU_REGS_RAX]
2909 | ((u64)ctxt->regs[VCPU_REGS_RDX] << 32);
2910 if (ctxt->ops->set_msr(ctxt, ctxt->regs[VCPU_REGS_RCX], msr_data))
2911 return emulate_gp(ctxt, 0);
2913 return X86EMUL_CONTINUE;
2916 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
2920 if (ctxt->ops->get_msr(ctxt, ctxt->regs[VCPU_REGS_RCX], &msr_data))
2921 return emulate_gp(ctxt, 0);
2923 ctxt->regs[VCPU_REGS_RAX] = (u32)msr_data;
2924 ctxt->regs[VCPU_REGS_RDX] = msr_data >> 32;
2925 return X86EMUL_CONTINUE;
2928 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
2930 if (ctxt->modrm_reg > VCPU_SREG_GS)
2931 return emulate_ud(ctxt);
2933 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
2934 return X86EMUL_CONTINUE;
2935 }
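/*
 * MOV to a segment register: CS is not a legal destination (changing
 * CS requires a control transfer), and a load into SS raises the
 * MOV-SS interrupt shadow so the next instruction runs with events
 * inhibited.
 */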
2937 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
2939 u16 sel = ctxt->src.val;
2941 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
2942 return emulate_ud(ctxt);
2944 if (ctxt->modrm_reg == VCPU_SREG_SS)
2945 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2947 /* Disable writeback. */
2948 ctxt->dst.type = OP_NONE;
2949 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
2952 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
2957 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
2958 if (rc == X86EMUL_CONTINUE)
2959 ctxt->ops->invlpg(ctxt, linear);
2960 /* Disable writeback. */
2961 ctxt->dst.type = OP_NONE;
2962 return X86EMUL_CONTINUE;
2965 static int em_clts(struct x86_emulate_ctxt *ctxt)
2969 cr0 = ctxt->ops->get_cr(ctxt, 0);
2970 cr0 &= ~X86_CR0_TS;
2971 ctxt->ops->set_cr(ctxt, 0, cr0);
2972 return X86EMUL_CONTINUE;
2975 static int em_vmcall(struct x86_emulate_ctxt *ctxt)
2979 if (ctxt->modrm_mod != 3 || ctxt->modrm_rm != 1)
2980 return X86EMUL_UNHANDLEABLE;
2982 rc = ctxt->ops->fix_hypercall(ctxt);
2983 if (rc != X86EMUL_CONTINUE)
2984 return rc;
2986 /* Let the processor re-execute the fixed hypercall */
2987 ctxt->_eip = ctxt->eip;
2988 /* Disable writeback. */
2989 ctxt->dst.type = OP_NONE;
2990 return X86EMUL_CONTINUE;
2993 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
2995 struct desc_ptr desc_ptr;
2998 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
2999 &desc_ptr.size, &desc_ptr.address,
3000 ctxt->op_bytes);
3001 if (rc != X86EMUL_CONTINUE)
3002 return rc;
3003 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3004 /* Disable writeback. */
3005 ctxt->dst.type = OP_NONE;
3006 return X86EMUL_CONTINUE;
3009 static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
3013 rc = ctxt->ops->fix_hypercall(ctxt);
3015 /* Disable writeback. */
3016 ctxt->dst.type = OP_NONE;
3017 return rc;
3020 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3022 struct desc_ptr desc_ptr;
3025 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3026 &desc_ptr.size, &desc_ptr.address,
3027 ctxt->op_bytes);
3028 if (rc != X86EMUL_CONTINUE)
3029 return rc;
3030 ctxt->ops->set_idt(ctxt, &desc_ptr);
3031 /* Disable writeback. */
3032 ctxt->dst.type = OP_NONE;
3033 return X86EMUL_CONTINUE;
3036 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3038 ctxt->dst.bytes = 2;
3039 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3040 return X86EMUL_CONTINUE;
3043 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3045 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3046 | (ctxt->src.val & 0x0f));
3047 ctxt->dst.type = OP_NONE;
3048 return X86EMUL_CONTINUE;
3051 static int em_loop(struct x86_emulate_ctxt *ctxt)
3053 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);
3054 if ((address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) != 0) &&
3055 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3056 jmp_rel(ctxt, ctxt->src.val);
3058 return X86EMUL_CONTINUE;
3061 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3063 if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0)
3064 jmp_rel(ctxt, ctxt->src.val);
3066 return X86EMUL_CONTINUE;
3069 static int em_in(struct x86_emulate_ctxt *ctxt)
3071 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3072 &ctxt->dst.val))
3073 return X86EMUL_IO_NEEDED;
3075 return X86EMUL_CONTINUE;
3078 static int em_out(struct x86_emulate_ctxt *ctxt)
3080 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3081 &ctxt->src.val, 1);
3082 /* Disable writeback. */
3083 ctxt->dst.type = OP_NONE;
3084 return X86EMUL_CONTINUE;
3087 static int em_cli(struct x86_emulate_ctxt *ctxt)
3089 if (emulator_bad_iopl(ctxt))
3090 return emulate_gp(ctxt, 0);
3092 ctxt->eflags &= ~X86_EFLAGS_IF;
3093 return X86EMUL_CONTINUE;
3096 static int em_sti(struct x86_emulate_ctxt *ctxt)
3098 if (emulator_bad_iopl(ctxt))
3099 return emulate_gp(ctxt, 0);
3101 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3102 ctxt->eflags |= X86_EFLAGS_IF;
3103 return X86EMUL_CONTINUE;
3106 static int em_bt(struct x86_emulate_ctxt *ctxt)
3108 /* Disable writeback. */
3109 ctxt->dst.type = OP_NONE;
3110 /* only subword offset */
3111 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
3113 emulate_2op_SrcV_nobyte(ctxt, "bt");
3114 return X86EMUL_CONTINUE;
3117 static int em_bts(struct x86_emulate_ctxt *ctxt)
3119 emulate_2op_SrcV_nobyte(ctxt, "bts");
3120 return X86EMUL_CONTINUE;
3123 static int em_btr(struct x86_emulate_ctxt *ctxt)
3125 emulate_2op_SrcV_nobyte(ctxt, "btr");
3126 return X86EMUL_CONTINUE;
3129 static int em_btc(struct x86_emulate_ctxt *ctxt)
3131 emulate_2op_SrcV_nobyte(ctxt, "btc");
3132 return X86EMUL_CONTINUE;
3135 static int em_bsf(struct x86_emulate_ctxt *ctxt)
3139 __asm__ ("bsf %2, %0; setz %1"
3140 : "=r"(ctxt->dst.val), "=q"(zf)
3141 : "r"(ctxt->src.val));
3143 ctxt->eflags &= ~X86_EFLAGS_ZF;
3144 if (zf) {
3145 ctxt->eflags |= X86_EFLAGS_ZF;
3146 /* Disable writeback. */
3147 ctxt->dst.type = OP_NONE;
3148 }
3149 return X86EMUL_CONTINUE;
3152 static int em_bsr(struct x86_emulate_ctxt *ctxt)
3156 __asm__ ("bsr %2, %0; setz %1"
3157 : "=r"(ctxt->dst.val), "=q"(zf)
3158 : "r"(ctxt->src.val));
3160 ctxt->eflags &= ~X86_EFLAGS_ZF;
3161 if (zf) {
3162 ctxt->eflags |= X86_EFLAGS_ZF;
3163 /* Disable writeback. */
3164 ctxt->dst.type = OP_NONE;
3165 }
3166 return X86EMUL_CONTINUE;
3169 static bool valid_cr(int nr)
3170 {
3171 switch (nr) {
3172 case 0:
3173 case 2 ... 4:
3174 case 8:
3175 return true;
3176 default:
3177 return false;
3178 }
3179 }
3181 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
3183 if (!valid_cr(ctxt->modrm_reg))
3184 return emulate_ud(ctxt);
3186 return X86EMUL_CONTINUE;
3187 }
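/*
 * check_cr_write() enforces the reserved-bit masks for each control
 * register plus the architectural consistency rules: CR0.PG without
 * CR0.PE, CR0.NW without CR0.CD, enabling paging in long mode without
 * CR4.PAE, mode-dependent CR3 reserved bits, and clearing CR4.PAE
 * while EFER.LMA is set all fault with #GP(0).
 */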
3189 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
3191 u64 new_val = ctxt->src.val64;
3192 int cr = ctxt->modrm_reg;
3195 static u64 cr_reserved_bits[] = {
3196 0xffffffff00000000ULL,
3197 0, 0, 0, /* CR3 checked later */
3203 if (!valid_cr(cr))
3204 return emulate_ud(ctxt);
3206 if (new_val & cr_reserved_bits[cr])
3207 return emulate_gp(ctxt, 0);
3212 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
3213 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
3214 return emulate_gp(ctxt, 0);
3216 cr4 = ctxt->ops->get_cr(ctxt, 4);
3217 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3219 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
3220 !(cr4 & X86_CR4_PAE))
3221 return emulate_gp(ctxt, 0);
3228 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3229 if (efer & EFER_LMA)
3230 rsvd = CR3_L_MODE_RESERVED_BITS;
3231 else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE)
3232 rsvd = CR3_PAE_RESERVED_BITS;
3233 else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG)
3234 rsvd = CR3_NONPAE_RESERVED_BITS;
3236 if (new_val & rsvd)
3237 return emulate_gp(ctxt, 0);
3242 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3244 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
3245 return emulate_gp(ctxt, 0);
3251 return X86EMUL_CONTINUE;
3254 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
3258 ctxt->ops->get_dr(ctxt, 7, &dr7);
3260 /* Check if DR7.Global_Enable is set */
3261 return dr7 & (1 << 13);
3264 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3266 int dr = ctxt->modrm_reg;
3269 if (dr > 7)
3270 return emulate_ud(ctxt);
3272 cr4 = ctxt->ops->get_cr(ctxt, 4);
3273 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3274 return emulate_ud(ctxt);
3276 if (check_dr7_gd(ctxt))
3277 return emulate_db(ctxt);
3279 return X86EMUL_CONTINUE;
3282 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
3284 u64 new_val = ctxt->src.val64;
3285 int dr = ctxt->modrm_reg;
3287 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
3288 return emulate_gp(ctxt, 0);
3290 return check_dr_read(ctxt);
3293 static int check_svme(struct x86_emulate_ctxt *ctxt)
3297 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3299 if (!(efer & EFER_SVME))
3300 return emulate_ud(ctxt);
3302 return X86EMUL_CONTINUE;
3305 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
3307 u64 rax = ctxt->regs[VCPU_REGS_RAX];
3309 /* Valid physical address? */
3310 if (rax & 0xffff000000000000ULL)
3311 return emulate_gp(ctxt, 0);
3313 return check_svme(ctxt);
3316 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
3318 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3320 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
3321 return emulate_ud(ctxt);
3323 return X86EMUL_CONTINUE;
3326 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
3328 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3329 u64 rcx = ctxt->regs[VCPU_REGS_RCX];
3331 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
3332 (rcx > 3))
3333 return emulate_gp(ctxt, 0);
3335 return X86EMUL_CONTINUE;
3338 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
3340 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
3341 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
3342 return emulate_gp(ctxt, 0);
3344 return X86EMUL_CONTINUE;
3347 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
3349 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
3350 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
3351 return emulate_gp(ctxt, 0);
3353 return X86EMUL_CONTINUE;
3356 #define D(_y) { .flags = (_y) }
3357 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
3358 #define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
3359 .check_perm = (_p) }
3361 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
3362 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
3363 #define GD(_f, _g) { .flags = ((_f) | GroupDual), .u.gdual = (_g) }
3364 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
3365 #define II(_f, _e, _i) \
3366 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
3367 #define IIP(_f, _e, _i, _p) \
3368 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
3369 .check_perm = (_p) }
3370 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
3372 #define D2bv(_f) D((_f) | ByteOp), D(_f)
3373 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
3374 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
3375 #define I2bvIP(_f, _e, _i, _p) \
3376 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
3378 #define I6ALU(_f, _e) I2bv((_f) | DstMem | SrcReg | ModRM, _e), \
3379 I2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
3380 I2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
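/*
 * Example of how the table macros expand (illustrative only):
 *
 *	I2bv(DstMem | SrcReg | ModRM, em_test)
 *
 * emits two adjacent entries, the byte form and the word/dword/qword
 * form of the same instruction:
 *
 *	{ .flags = DstMem | SrcReg | ModRM | ByteOp, .u.execute = em_test },
 *	{ .flags = DstMem | SrcReg | ModRM, .u.execute = em_test },
 */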
3382 static struct opcode group7_rm1[] = {
3383 DI(SrcNone | ModRM | Priv, monitor),
3384 DI(SrcNone | ModRM | Priv, mwait),
3388 static struct opcode group7_rm3[] = {
3389 DIP(SrcNone | ModRM | Prot | Priv, vmrun, check_svme_pa),
3390 II(SrcNone | ModRM | Prot | VendorSpecific, em_vmmcall, vmmcall),
3391 DIP(SrcNone | ModRM | Prot | Priv, vmload, check_svme_pa),
3392 DIP(SrcNone | ModRM | Prot | Priv, vmsave, check_svme_pa),
3393 DIP(SrcNone | ModRM | Prot | Priv, stgi, check_svme),
3394 DIP(SrcNone | ModRM | Prot | Priv, clgi, check_svme),
3395 DIP(SrcNone | ModRM | Prot | Priv, skinit, check_svme),
3396 DIP(SrcNone | ModRM | Prot | Priv, invlpga, check_svme),
3399 static struct opcode group7_rm7[] = {
3401 DIP(SrcNone | ModRM, rdtscp, check_rdtsc),
3405 static struct opcode group1[] = {
3407 I(Lock | PageTable, em_or),
3410 I(Lock | PageTable, em_and),
3416 static struct opcode group1A[] = {
3417 I(DstMem | SrcNone | ModRM | Mov | Stack, em_pop), N, N, N, N, N, N, N,
3420 static struct opcode group3[] = {
3421 I(DstMem | SrcImm | ModRM, em_test),
3422 I(DstMem | SrcImm | ModRM, em_test),
3423 I(DstMem | SrcNone | ModRM | Lock, em_not),
3424 I(DstMem | SrcNone | ModRM | Lock, em_neg),
3425 I(SrcMem | ModRM, em_mul_ex),
3426 I(SrcMem | ModRM, em_imul_ex),
3427 I(SrcMem | ModRM, em_div_ex),
3428 I(SrcMem | ModRM, em_idiv_ex),
3431 static struct opcode group4[] = {
3432 I(ByteOp | DstMem | SrcNone | ModRM | Lock, em_grp45),
3433 I(ByteOp | DstMem | SrcNone | ModRM | Lock, em_grp45),
3437 static struct opcode group5[] = {
3438 I(DstMem | SrcNone | ModRM | Lock, em_grp45),
3439 I(DstMem | SrcNone | ModRM | Lock, em_grp45),
3440 I(SrcMem | ModRM | Stack, em_grp45),
3441 I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
3442 I(SrcMem | ModRM | Stack, em_grp45),
3443 I(SrcMemFAddr | ModRM | ImplicitOps, em_grp45),
3444 I(SrcMem | ModRM | Stack, em_grp45), N,
3447 static struct opcode group6[] = {
3448 DI(ModRM | Prot, sldt),
3449 DI(ModRM | Prot, str),
3450 DI(ModRM | Prot | Priv, lldt),
3451 DI(ModRM | Prot | Priv, ltr),
3455 static struct group_dual group7 = { {
3456 DI(ModRM | Mov | DstMem | Priv, sgdt),
3457 DI(ModRM | Mov | DstMem | Priv, sidt),
3458 II(ModRM | SrcMem | Priv, em_lgdt, lgdt),
3459 II(ModRM | SrcMem | Priv, em_lidt, lidt),
3460 II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
3461 II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw),
3462 II(SrcMem | ModRM | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
3464 I(SrcNone | ModRM | Priv | VendorSpecific, em_vmcall),
3466 N, EXT(0, group7_rm3),
3467 II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
3468 II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw), EXT(0, group7_rm7),
3471 static struct opcode group8[] = {
3473 I(DstMem | SrcImmByte | ModRM, em_bt),
3474 I(DstMem | SrcImmByte | ModRM | Lock | PageTable, em_bts),
3475 I(DstMem | SrcImmByte | ModRM | Lock, em_btr),
3476 I(DstMem | SrcImmByte | ModRM | Lock | PageTable, em_btc),
3479 static struct group_dual group9 = { {
3480 N, I(DstMem64 | ModRM | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
3482 N, N, N, N, N, N, N, N,
3485 static struct opcode group11[] = {
3486 I(DstMem | SrcImm | ModRM | Mov | PageTable, em_mov),
3490 static struct gprefix pfx_0f_6f_0f_7f = {
3491 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
3494 static struct gprefix pfx_vmovntpx = {
3495 I(0, em_mov), N, N, N,
3496 };
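/*
 * The two tables below are indexed by opcode byte: opcode_table[] for
 * single-byte opcodes, twobyte_table[] for 0x0f-prefixed ones.  G/GD
 * entries chain into the group*[] tables above through the ModRM
 * reg (or rm) field, and GP entries select an alternative by SIMD
 * prefix (none/0x66/0xf2/0xf3).
 */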
3498 static struct opcode opcode_table[256] = {
3500 I6ALU(Lock, em_add),
3501 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
3502 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
3504 I6ALU(Lock | PageTable, em_or),
3505 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
3508 I6ALU(Lock, em_adc),
3509 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
3510 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
3512 I6ALU(Lock, em_sbb),
3513 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
3514 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
3516 I6ALU(Lock | PageTable, em_and), N, N,
3518 I6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
3520 I6ALU(Lock, em_xor), N, N,
3522 I6ALU(0, em_cmp), N, N,
3526 X8(I(SrcReg | Stack, em_push)),
3528 X8(I(DstReg | Stack, em_pop)),
3530 I(ImplicitOps | Stack | No64, em_pusha),
3531 I(ImplicitOps | Stack | No64, em_popa),
3532 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
3535 I(SrcImm | Mov | Stack, em_push),
3536 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
3537 I(SrcImmByte | Mov | Stack, em_push),
3538 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
3539 I2bvIP(DstDI | SrcDX | Mov | String, em_in, ins, check_perm_in), /* insb, insw/insd */
3540 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
3544 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
3545 G(DstMem | SrcImm | ModRM | Group, group1),
3546 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
3547 G(DstMem | SrcImmByte | ModRM | Group, group1),
3548 I2bv(DstMem | SrcReg | ModRM, em_test),
3549 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
3551 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
3552 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
3553 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
3554 D(ModRM | SrcMem | NoAccess | DstReg),
3555 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
3558 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
3560 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
3561 I(SrcImmFAddr | No64, em_call_far), N,
3562 II(ImplicitOps | Stack, em_pushf, pushf),
3563 II(ImplicitOps | Stack, em_popf, popf), N, N,
3565 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
3566 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
3567 I2bv(SrcSI | DstDI | Mov | String, em_mov),
3568 I2bv(SrcSI | DstDI | String, em_cmp),
3570 I2bv(DstAcc | SrcImm, em_test),
3571 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
3572 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
3573 I2bv(SrcAcc | DstDI | String, em_cmp),
3575 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
3577 X8(I(DstReg | SrcImm | Mov, em_mov)),
3579 D2bv(DstMem | SrcImmByte | ModRM),
3580 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
3581 I(ImplicitOps | Stack, em_ret),
3582 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
3583 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
3584 G(ByteOp, group11), G(0, group11),
3586 N, N, N, I(ImplicitOps | Stack, em_ret_far),
3587 D(ImplicitOps), DI(SrcImmByte, intn),
3588 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
3590 D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
3593 N, N, N, N, N, N, N, N,
3595 X3(I(SrcImmByte, em_loop)),
3596 I(SrcImmByte, em_jcxz),
3597 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
3598 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
3600 I(SrcImm | Stack, em_call), D(SrcImm | ImplicitOps),
3601 I(SrcImmFAddr | No64, em_jmp_far), D(SrcImmByte | ImplicitOps),
3602 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
3603 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
3605 N, DI(ImplicitOps, icebp), N, N,
3606 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
3607 G(ByteOp, group3), G(0, group3),
3609 D(ImplicitOps), D(ImplicitOps),
3610 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
3611 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
3614 static struct opcode twobyte_table[256] = {
3616 G(0, group6), GD(0, &group7), N, N,
3617 N, I(ImplicitOps | VendorSpecific, em_syscall),
3618 II(ImplicitOps | Priv, em_clts, clts), N,
3619 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
3620 N, D(ImplicitOps | ModRM), N, N,
3622 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
3624 DIP(ModRM | DstMem | Priv | Op3264, cr_read, check_cr_read),
3625 DIP(ModRM | DstMem | Priv | Op3264, dr_read, check_dr_read),
3626 IIP(ModRM | SrcMem | Priv | Op3264, em_cr_write, cr_write, check_cr_write),
3627 IIP(ModRM | SrcMem | Priv | Op3264, em_dr_write, dr_write, check_dr_write),
3629 N, N, N, GP(ModRM | DstMem | SrcReg | Sse | Mov | Aligned, &pfx_vmovntpx),
3632 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
3633 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
3634 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
3635 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
3636 I(ImplicitOps | VendorSpecific, em_sysenter),
3637 I(ImplicitOps | Priv | VendorSpecific, em_sysexit),
3639 N, N, N, N, N, N, N, N,
3641 X16(D(DstReg | SrcMem | ModRM | Mov)),
3643 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3648 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
3653 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
3657 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
3659 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
3660 DI(ImplicitOps, cpuid), I(DstMem | SrcReg | ModRM | BitOp, em_bt),
3661 D(DstMem | SrcReg | Src2ImmByte | ModRM),
3662 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
3664 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
3665 DI(ImplicitOps, rsm),
3666 I(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
3667 D(DstMem | SrcReg | Src2ImmByte | ModRM),
3668 D(DstMem | SrcReg | Src2CL | ModRM),
3669 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
3671 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_cmpxchg),
3672 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
3673 I(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
3674 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
3675 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
3676 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3680 I(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
3681 I(DstReg | SrcMem | ModRM, em_bsf), I(DstReg | SrcMem | ModRM, em_bsr),
3682 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3684 D2bv(DstMem | SrcReg | ModRM | Lock),
3685 N, D(DstMem | SrcReg | ModRM | Mov),
3686 N, N, N, GD(0, &group9),
3687 N, N, N, N, N, N, N, N,
3689 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3691 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3693 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
3694 };
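/*
 * Immediate operands are at most four bytes even with a 64-bit operand
 * size; imm_size() below caps the width and decode_imm() sign-extends
 * the fetched value to 64 bits where required.
 */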
3710 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
3714 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3720 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
3721 unsigned size, bool sign_extension)
3723 int rc = X86EMUL_CONTINUE;
3727 op->addr.mem.ea = ctxt->_eip;
3728 /* NB. Immediates are sign-extended as necessary. */
3729 switch (op->bytes) {
3731 op->val = insn_fetch(s8, ctxt);
3734 op->val = insn_fetch(s16, ctxt);
3737 op->val = insn_fetch(s32, ctxt);
3740 if (!sign_extension) {
3741 switch (op->bytes) {
3749 op->val &= 0xffffffff;
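/*
 * decode_operand() materializes a single operand from the OpXXX type
 * encoded in ctxt->d: register operands are fetched right away, memory
 * operands only get their segment and effective address computed here
 * (the actual access happens in x86_emulate_insn()), and immediates go
 * through decode_imm().
 */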
3757 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
3760 int rc = X86EMUL_CONTINUE;
3764 decode_register_operand(ctxt, op);
3767 rc = decode_imm(ctxt, op, 1, false);
3770 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3774 if ((ctxt->d & BitOp) && op == &ctxt->dst)
3775 fetch_bit_operand(ctxt);
3776 op->orig_val = op->val;
3779 ctxt->memop.bytes = 8;
3783 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3784 op->addr.reg = &ctxt->regs[VCPU_REGS_RAX];
3785 fetch_register_operand(op);
3786 op->orig_val = op->val;
3790 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3792 register_address(ctxt, ctxt->regs[VCPU_REGS_RDI]);
3793 op->addr.mem.seg = VCPU_SREG_ES;
3799 op->addr.reg = &ctxt->regs[VCPU_REGS_RDX];
3800 fetch_register_operand(op);
3804 op->val = ctxt->regs[VCPU_REGS_RCX] & 0xff;
3807 rc = decode_imm(ctxt, op, 1, true);
3814 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
3817 ctxt->memop.bytes = 1;
3820 ctxt->memop.bytes = 2;
3823 ctxt->memop.bytes = 4;
3826 rc = decode_imm(ctxt, op, 2, false);
3829 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
3833 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3835 register_address(ctxt, ctxt->regs[VCPU_REGS_RSI]);
3836 op->addr.mem.seg = seg_override(ctxt);
3841 op->addr.mem.ea = ctxt->_eip;
3842 op->bytes = ctxt->op_bytes + 2;
3843 insn_fetch_arr(op->valptr, op->bytes, ctxt);
3846 ctxt->memop.bytes = ctxt->op_bytes + 2;
3849 op->val = VCPU_SREG_ES;
3852 op->val = VCPU_SREG_CS;
3855 op->val = VCPU_SREG_SS;
3858 op->val = VCPU_SREG_DS;
3861 op->val = VCPU_SREG_FS;
3864 op->val = VCPU_SREG_GS;
3867 /* Special instructions do their own operand decoding. */
3869 op->type = OP_NONE; /* Disable writeback. */
3870 break;
3871 }
3872 done:
3873 return rc;
3874 }
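/*
 * x86_decode_insn() runs the whole decode pipeline: legacy prefixes,
 * then REX, then the opcode byte(s), then group/prefix table
 * indirection, then ModRM/SIB, and finally the source, second-source
 * and destination operands, leaving everything x86_emulate_insn()
 * needs in ctxt.
 */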
3877 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
3879 int rc = X86EMUL_CONTINUE;
3880 int mode = ctxt->mode;
3881 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
3882 bool op_prefix = false;
3883 struct opcode opcode;
3885 ctxt->memop.type = OP_NONE;
3886 ctxt->memopp = NULL;
3887 ctxt->_eip = ctxt->eip;
3888 ctxt->fetch.start = ctxt->_eip;
3889 ctxt->fetch.end = ctxt->fetch.start + insn_len;
3891 memcpy(ctxt->fetch.data, insn, insn_len);
3894 case X86EMUL_MODE_REAL:
3895 case X86EMUL_MODE_VM86:
3896 case X86EMUL_MODE_PROT16:
3897 def_op_bytes = def_ad_bytes = 2;
3899 case X86EMUL_MODE_PROT32:
3900 def_op_bytes = def_ad_bytes = 4;
3902 #ifdef CONFIG_X86_64
3903 case X86EMUL_MODE_PROT64:
3909 return EMULATION_FAILED;
3912 ctxt->op_bytes = def_op_bytes;
3913 ctxt->ad_bytes = def_ad_bytes;
3915 /* Legacy prefixes. */
3917 switch (ctxt->b = insn_fetch(u8, ctxt)) {
3918 case 0x66: /* operand-size override */
3920 /* switch between 2/4 bytes */
3921 ctxt->op_bytes = def_op_bytes ^ 6;
3923 case 0x67: /* address-size override */
3924 if (mode == X86EMUL_MODE_PROT64)
3925 /* switch between 4/8 bytes */
3926 ctxt->ad_bytes = def_ad_bytes ^ 12;
3928 /* switch between 2/4 bytes */
3929 ctxt->ad_bytes = def_ad_bytes ^ 6;
3931 case 0x26: /* ES override */
3932 case 0x2e: /* CS override */
3933 case 0x36: /* SS override */
3934 case 0x3e: /* DS override */
3935 set_seg_override(ctxt, (ctxt->b >> 3) & 3);
3937 case 0x64: /* FS override */
3938 case 0x65: /* GS override */
3939 set_seg_override(ctxt, ctxt->b & 7);
3941 case 0x40 ... 0x4f: /* REX */
3942 if (mode != X86EMUL_MODE_PROT64)
3944 ctxt->rex_prefix = ctxt->b;
3946 case 0xf0: /* LOCK */
3947 ctxt->lock_prefix = 1;
3949 case 0xf2: /* REPNE/REPNZ */
3950 case 0xf3: /* REP/REPE/REPZ */
3951 ctxt->rep_prefix = ctxt->b;
3957 /* Any legacy prefix after a REX prefix nullifies its effect. */
3959 ctxt->rex_prefix = 0;
3965 if (ctxt->rex_prefix & 8)
3966 ctxt->op_bytes = 8; /* REX.W */
3968 /* Opcode byte(s). */
3969 opcode = opcode_table[ctxt->b];
3970 /* Two-byte opcode? */
3971 if (ctxt->b == 0x0f) {
3973 ctxt->b = insn_fetch(u8, ctxt);
3974 opcode = twobyte_table[ctxt->b];
3976 ctxt->d = opcode.flags;
3978 while (ctxt->d & GroupMask) {
3979 switch (ctxt->d & GroupMask) {
3981 ctxt->modrm = insn_fetch(u8, ctxt);
3983 goffset = (ctxt->modrm >> 3) & 7;
3984 opcode = opcode.u.group[goffset];
3987 ctxt->modrm = insn_fetch(u8, ctxt);
3989 goffset = (ctxt->modrm >> 3) & 7;
3990 if ((ctxt->modrm >> 6) == 3)
3991 opcode = opcode.u.gdual->mod3[goffset];
3993 opcode = opcode.u.gdual->mod012[goffset];
3996 goffset = ctxt->modrm & 7;
3997 opcode = opcode.u.group[goffset];
4000 if (ctxt->rep_prefix && op_prefix)
4001 return EMULATION_FAILED;
4002 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
4003 switch (simd_prefix) {
4004 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
4005 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
4006 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
4007 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4011 return EMULATION_FAILED;
4014 ctxt->d &= ~(u64)GroupMask;
4015 ctxt->d |= opcode.flags;
4018 ctxt->execute = opcode.u.execute;
4019 ctxt->check_perm = opcode.check_perm;
4020 ctxt->intercept = opcode.intercept;
4023 if (ctxt->d == 0 || (ctxt->d & Undefined))
4024 return EMULATION_FAILED;
4026 if (!(ctxt->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
4027 return EMULATION_FAILED;
4029 if (mode == X86EMUL_MODE_PROT64 && (ctxt->d & Stack))
4030 ctxt->op_bytes = 8;
4032 if (ctxt->d & Op3264) {
4033 if (mode == X86EMUL_MODE_PROT64)
4034 ctxt->op_bytes = 8;
4035 else
4036 ctxt->op_bytes = 4;
4037 }
4039 if (ctxt->d & Sse)
4040 ctxt->op_bytes = 16;
4041 else if (ctxt->d & Mmx)
4042 ctxt->op_bytes = 8;
4044 /* ModRM and SIB bytes. */
4045 if (ctxt->d & ModRM) {
4046 rc = decode_modrm(ctxt, &ctxt->memop);
4047 if (!ctxt->has_seg_override)
4048 set_seg_override(ctxt, ctxt->modrm_seg);
4049 } else if (ctxt->d & MemAbs)
4050 rc = decode_abs(ctxt, &ctxt->memop);
4051 if (rc != X86EMUL_CONTINUE)
4052 goto done;
4054 if (!ctxt->has_seg_override)
4055 set_seg_override(ctxt, VCPU_SREG_DS);
4057 ctxt->memop.addr.mem.seg = seg_override(ctxt);
4059 if (ctxt->memop.type == OP_MEM && ctxt->ad_bytes != 8)
4060 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
4063 * Decode and fetch the source operand: register, memory
4066 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
4067 if (rc != X86EMUL_CONTINUE)
4068 goto done;
4071 * Decode and fetch the second source operand: register, memory
4074 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
4075 if (rc != X86EMUL_CONTINUE)
4076 goto done;
4078 /* Decode and fetch the destination operand: register or memory. */
4079 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
4082 if (ctxt->memopp && ctxt->memopp->type == OP_MEM && ctxt->rip_relative)
4083 ctxt->memopp->addr.mem.ea += ctxt->_eip;
4084 done:
4085 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
4086 }
4088 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
4090 return ctxt->d & PageTable;
4093 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
4095 /* The second termination condition only applies for REPE
4096 * and REPNE. Test if the repeat string operation prefix is
4097 * REPE/REPZ or REPNE/REPNZ and, if so, tests the
4098 * corresponding termination condition according to:
4099 * - if REPE/REPZ and ZF = 0 then done
4100 * - if REPNE/REPNZ and ZF = 1 then done
4102 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
4103 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
4104 && (((ctxt->rep_prefix == REPE_PREFIX) &&
4105 ((ctxt->eflags & EFLG_ZF) == 0))
4106 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
4107 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
4108 return true;
4110 return false;
4111 }
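/*
 * flush_pending_x87_faults() executes FWAIT under an exception-table
 * fixup: a pending x87 fault fires on the host during the fwait, the
 * fixup records it, and it is re-injected into the guest as #MF.
 */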
4113 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
4117 ctxt->ops->get_fpu(ctxt);
4118 asm volatile("1: fwait \n\t"
4119 "2: \n\t"
4120 ".pushsection .fixup,\"ax\" \n\t"
4121 "3: \n\t"
4122 "movb $1, %[fault] \n\t"
4123 "jmp 2b \n\t"
4124 ".popsection \n\t"
4125 _ASM_EXTABLE(1b, 3b)
4126 : [fault]"+qm"(fault));
4127 ctxt->ops->put_fpu(ctxt);
4129 if (unlikely(fault))
4130 return emulate_exception(ctxt, MF_VECTOR, 0, false);
4132 return X86EMUL_CONTINUE;
4135 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
4138 if (op->type == OP_MM)
4139 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
4140 }
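/*
 * x86_emulate_insn() executes an already-decoded instruction.  Rough
 * flow, where every step may bail out to 'done' with a fault:
 *
 *	mode/LOCK/SSE sanity checks -> pre-exception intercept -> CPL
 *	and instruction-specific permission checks -> post-exception
 *	intercept -> REP early exit -> fetch of memory operands ->
 *	post-memaccess intercept -> ->execute() or the big switch ->
 *	writeback -> string-instruction bookkeeping -> commit ctxt->eip.
 */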
4142 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
4144 struct x86_emulate_ops *ops = ctxt->ops;
4145 int rc = X86EMUL_CONTINUE;
4146 int saved_dst_type = ctxt->dst.type;
4148 ctxt->mem_read.pos = 0;
4150 if (ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) {
4151 rc = emulate_ud(ctxt);
4152 goto done;
4153 }
4155 /* LOCK prefix is allowed only with some instructions */
4156 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
4157 rc = emulate_ud(ctxt);
4158 goto done;
4159 }
4161 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
4162 rc = emulate_ud(ctxt);
4163 goto done;
4164 }
4166 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
4167 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
4168 rc = emulate_ud(ctxt);
4169 goto done;
4170 }
4172 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
4173 rc = emulate_nm(ctxt);
4174 goto done;
4175 }
4177 if (ctxt->d & Mmx) {
4178 rc = flush_pending_x87_faults(ctxt);
4179 if (rc != X86EMUL_CONTINUE)
4180 goto done;
4182 * Now that we know the fpu is exception safe, we can fetch
4185 fetch_possible_mmx_operand(ctxt, &ctxt->src);
4186 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
4187 if (!(ctxt->d & Mov))
4188 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
4191 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4192 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4193 X86_ICPT_PRE_EXCEPT);
4194 if (rc != X86EMUL_CONTINUE)
4195 goto done;
4198 /* Privileged instruction can be executed only in CPL=0 */
4199 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
4200 rc = emulate_gp(ctxt, 0);
4201 goto done;
4202 }
4204 /* Instruction can only be executed in protected mode */
4205 if ((ctxt->d & Prot) && !(ctxt->mode & X86EMUL_MODE_PROT)) {
4206 rc = emulate_ud(ctxt);
4207 goto done;
4208 }
4210 /* Do instruction specific permission checks */
4211 if (ctxt->check_perm) {
4212 rc = ctxt->check_perm(ctxt);
4213 if (rc != X86EMUL_CONTINUE)
4214 goto done;
4217 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4218 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4219 X86_ICPT_POST_EXCEPT);
4220 if (rc != X86EMUL_CONTINUE)
4221 goto done;
4224 if (ctxt->rep_prefix && (ctxt->d & String)) {
4225 /* All REP prefixes have the same first termination condition */
4226 if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0) {
4227 ctxt->eip = ctxt->_eip;
4228 goto done;
4229 }
4230 }
4232 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
4233 rc = segmented_read(ctxt, ctxt->src.addr.mem,
4234 ctxt->src.valptr, ctxt->src.bytes);
4235 if (rc != X86EMUL_CONTINUE)
4236 goto done;
4237 ctxt->src.orig_val64 = ctxt->src.val64;
4240 if (ctxt->src2.type == OP_MEM) {
4241 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
4242 &ctxt->src2.val, ctxt->src2.bytes);
4243 if (rc != X86EMUL_CONTINUE)
4244 goto done;
4247 if ((ctxt->d & DstMask) == ImplicitOps)
4248 goto special_insn;
4251 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
4252 /* optimisation - avoid slow emulated read if Mov */
4253 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
4254 &ctxt->dst.val, ctxt->dst.bytes);
4255 if (rc != X86EMUL_CONTINUE)
4256 goto done;
4258 ctxt->dst.orig_val = ctxt->dst.val;
4259 }
4261 special_insn:
4262 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4263 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4264 X86_ICPT_POST_MEMACCESS);
4265 if (rc != X86EMUL_CONTINUE)
4266 goto done;
4269 if (ctxt->execute) {
4270 rc = ctxt->execute(ctxt);
4271 if (rc != X86EMUL_CONTINUE)
4272 goto done;
4273 goto writeback;
4274 }
4280 case 0x40 ... 0x47: /* inc r16/r32 */
4281 emulate_1op(ctxt, "inc");
4283 case 0x48 ... 0x4f: /* dec r16/r32 */
4284 emulate_1op(ctxt, "dec");
4286 case 0x63: /* movsxd */
4287 if (ctxt->mode != X86EMUL_MODE_PROT64)
4288 goto cannot_emulate;
4289 ctxt->dst.val = (s32) ctxt->src.val;
4291 case 0x70 ... 0x7f: /* jcc (short) */
4292 if (test_cc(ctxt->b, ctxt->eflags))
4293 jmp_rel(ctxt, ctxt->src.val);
4295 case 0x8d: /* lea r16/r32, m */
4296 ctxt->dst.val = ctxt->src.addr.mem.ea;
4298 case 0x90 ... 0x97: /* nop / xchg reg, rax */
4299 if (ctxt->dst.addr.reg == &ctxt->regs[VCPU_REGS_RAX])
4300 break;
4301 rc = em_xchg(ctxt);
4302 break;
4303 case 0x98: /* cbw/cwde/cdqe */
4304 switch (ctxt->op_bytes) {
4305 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
4306 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
4307 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
4313 case 0xcc: /* int3 */
4314 rc = emulate_int(ctxt, 3);
4316 case 0xcd: /* int n */
4317 rc = emulate_int(ctxt, ctxt->src.val);
4319 case 0xce: /* into */
4320 if (ctxt->eflags & EFLG_OF)
4321 rc = emulate_int(ctxt, 4);
4323 case 0xd0 ... 0xd1: /* Grp2 */
4324 rc = em_grp2(ctxt);
4325 break;
4326 case 0xd2 ... 0xd3: /* Grp2 */
4327 ctxt->src.val = ctxt->regs[VCPU_REGS_RCX];
4330 case 0xe9: /* jmp rel */
4331 case 0xeb: /* jmp rel short */
4332 jmp_rel(ctxt, ctxt->src.val);
4333 ctxt->dst.type = OP_NONE; /* Disable writeback. */
4335 case 0xf4: /* hlt */
4336 ctxt->ops->halt(ctxt);
4338 case 0xf5: /* cmc */
4339 /* complement carry flag from eflags reg */
4340 ctxt->eflags ^= EFLG_CF;
4342 case 0xf8: /* clc */
4343 ctxt->eflags &= ~EFLG_CF;
4345 case 0xf9: /* stc */
4346 ctxt->eflags |= EFLG_CF;
4348 case 0xfc: /* cld */
4349 ctxt->eflags &= ~EFLG_DF;
4351 case 0xfd: /* std */
4352 ctxt->eflags |= EFLG_DF;
4355 goto cannot_emulate;
4356 }
4358 if (rc != X86EMUL_CONTINUE)
4359 goto done;
4361 writeback:
4362 rc = writeback(ctxt);
4363 if (rc != X86EMUL_CONTINUE)
4364 goto done;
4367 * restore dst type in case the decoding will be reused
4368 * (happens for string instructions)
4369 */
4370 ctxt->dst.type = saved_dst_type;
4372 if ((ctxt->d & SrcMask) == SrcSI)
4373 string_addr_inc(ctxt, seg_override(ctxt),
4374 VCPU_REGS_RSI, &ctxt->src);
4376 if ((ctxt->d & DstMask) == DstDI)
4377 string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
4380 if (ctxt->rep_prefix && (ctxt->d & String)) {
4381 struct read_cache *r = &ctxt->io_read;
4382 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);
4384 if (!string_insn_completed(ctxt)) {
4386 * Re-enter guest when pio read ahead buffer is empty
4387 * or, if it is not used, after every 1024 iterations.
4389 if ((r->end != 0 || ctxt->regs[VCPU_REGS_RCX] & 0x3ff) &&
4390 (r->end == 0 || r->end != r->pos)) {
4392 * Reset read cache. Usually happens before
4393 * decode, but since the instruction is restarted
4394 * we have to do it here.
4396 ctxt->mem_read.end = 0;
4397 return EMULATION_RESTART;
4399 goto done; /* skip rip writeback */
4403 ctxt->eip = ctxt->_eip;
4405 done:
4406 if (rc == X86EMUL_PROPAGATE_FAULT)
4407 ctxt->have_exception = true;
4408 if (rc == X86EMUL_INTERCEPTED)
4409 return EMULATION_INTERCEPTED;
4411 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
4415 case 0x09: /* wbinvd */
4416 (ctxt->ops->wbinvd)(ctxt);
4418 case 0x08: /* invd */
4419 case 0x0d: /* GrpP (prefetch) */
4420 case 0x18: /* Grp16 (prefetch/nop) */
4422 case 0x20: /* mov cr, reg */
4423 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
4425 case 0x21: /* mov from dr to reg */
4426 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
4428 case 0x40 ... 0x4f: /* cmov */
4429 ctxt->dst.val = ctxt->dst.orig_val = ctxt->src.val;
4430 if (!test_cc(ctxt->b, ctxt->eflags))
4431 ctxt->dst.type = OP_NONE; /* no writeback */
4433 case 0x80 ... 0x8f: /* jnz rel, etc*/
4434 if (test_cc(ctxt->b, ctxt->eflags))
4435 jmp_rel(ctxt, ctxt->src.val);
4437 case 0x90 ... 0x9f: /* setcc r/m8 */
4438 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
4440 case 0xa4: /* shld imm8, r, r/m */
4441 case 0xa5: /* shld cl, r, r/m */
4442 emulate_2op_cl(ctxt, "shld");
4444 case 0xac: /* shrd imm8, r, r/m */
4445 case 0xad: /* shrd cl, r, r/m */
4446 emulate_2op_cl(ctxt, "shrd");
4448 case 0xae: /* clflush */
4450 case 0xb6 ... 0xb7: /* movzx */
4451 ctxt->dst.bytes = ctxt->op_bytes;
4452 ctxt->dst.val = (ctxt->d & ByteOp) ? (u8) ctxt->src.val
4453 : (u16) ctxt->src.val;
4455 case 0xbe ... 0xbf: /* movsx */
4456 ctxt->dst.bytes = ctxt->op_bytes;
4457 ctxt->dst.val = (ctxt->d & ByteOp) ? (s8) ctxt->src.val :
4458 (s16) ctxt->src.val;
4460 case 0xc0 ... 0xc1: /* xadd */
4461 emulate_2op_SrcV(ctxt, "add");
4462 /* Write back the register source. */
4463 ctxt->src.val = ctxt->dst.orig_val;
4464 write_register_operand(&ctxt->src);
4466 case 0xc3: /* movnti */
4467 ctxt->dst.bytes = ctxt->op_bytes;
4468 ctxt->dst.val = (ctxt->op_bytes == 4) ? (u32) ctxt->src.val :
4469 (u64) ctxt->src.val;
4472 goto cannot_emulate;
4475 if (rc != X86EMUL_CONTINUE)
4476 goto done;
4478 goto writeback;
4480 cannot_emulate:
4481 return EMULATION_FAILED;
4482 }